manuell update translation from localazy

14 files changed, 6136 insertions, 2449 deletions

diff --git a/docs/_locale/de/LC_MESSAGES/automation.mo b/docs/_locale/de/LC_MESSAGES/automation.mo
index d215e597..2ab299af 100644
--- a/docs/_locale/de/LC_MESSAGES/automation.mo
+++ b/docs/_locale/de/LC_MESSAGES/automation.mo
diff --git a/docs/_locale/de/LC_MESSAGES/cli.mo b/docs/_locale/de/LC_MESSAGES/cli.mo
index 02f6fdee..03785a55 100644
--- a/docs/_locale/de/LC_MESSAGES/cli.mo
+++ b/docs/_locale/de/LC_MESSAGES/cli.mo
diff --git a/docs/_locale/de/LC_MESSAGES/configexamples.mo b/docs/_locale/de/LC_MESSAGES/configexamples.mo
index a4fde59a..f0c1dacb 100644
--- a/docs/_locale/de/LC_MESSAGES/configexamples.mo
+++ b/docs/_locale/de/LC_MESSAGES/configexamples.mo
diff --git a/docs/_locale/de/LC_MESSAGES/configuration.mo b/docs/_locale/de/LC_MESSAGES/configuration.mo
index 7318a633..380562db 100644
--- a/docs/_locale/de/LC_MESSAGES/configuration.mo
+++ b/docs/_locale/de/LC_MESSAGES/configuration.mo
diff --git a/docs/_locale/de/LC_MESSAGES/contributing.mo b/docs/_locale/de/LC_MESSAGES/contributing.mo
index 13fb0c19..83871aff 100644
--- a/docs/_locale/de/LC_MESSAGES/contributing.mo
+++ b/docs/_locale/de/LC_MESSAGES/contributing.mo
diff --git a/docs/_locale/de/LC_MESSAGES/index.mo b/docs/_locale/de/LC_MESSAGES/index.mo
index fdea0b20..0a4b8fa4 100644
--- a/docs/_locale/de/LC_MESSAGES/index.mo
+++ b/docs/_locale/de/LC_MESSAGES/index.mo
diff --git a/docs/_locale/de/LC_MESSAGES/installation.mo b/docs/_locale/de/LC_MESSAGES/installation.mo
index 427f08fd..3252db21 100644
--- a/docs/_locale/de/LC_MESSAGES/installation.mo
+++ b/docs/_locale/de/LC_MESSAGES/installation.mo
diff --git a/docs/_locale/de/automation.pot b/docs/_locale/de/automation.pot
index 480bfa35..e456b1ff 100644
--- a/docs/_locale/de/automation.pot
+++ b/docs/_locale/de/automation.pot
@@ -149,6 +149,10 @@ msgstr "1. Ansible doesn't connect via SSH to your AWS instance: you have to che
 msgid "1 Ansible doesn't connect via SSH to your AWS instance: you have to check that your SSH key has copied into the path /root/aws/."
 msgstr "1 Ansible doesn't connect via SSH to your AWS instance: you have to check that your SSH key has copied into the path /root/aws/."
 
+#: ../../automation/terraform/terraformAWS.rst:266
+msgid "1 Ansible doesn't connect via SSH to your AWS instance: you have to check that your SSH key has copied into the path /root/aws/. Also, increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location). Make sure that you have opened access to the instance in the security group."
+msgstr "1 Ansible doesn't connect via SSH to your AWS instance: you have to check that your SSH key has copied into the path /root/aws/. Also, increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location). Make sure that you have opened access to the instance in the security group."
+
 #: ../../automation/terraform/terraformvSphere.rst:23
 msgid "1 Collect all data in to file \"terraform.tfvars\" and create resources for example \"terraform\""
 msgstr "1 Collect all data in to file \"terraform.tfvars\" and create resources for example \"terraform\""
@@ -176,6 +180,10 @@ msgid "1 Create an account with Azure"
 msgstr "1 Create an account with Azure"
 
 #: ../../automation/terraform/terraformGoogle.rst:22
+msgid "1 Create an account with Google Cloud and a new project"
+msgstr "1 Create an account with Google Cloud and a new project"
+
+#: ../../automation/terraform/terraformGoogle.rst:22
 msgid "1 Create an account with google cloud and a new project"
 msgstr "1 Create an account with google cloud and a new project"
 
@@ -183,6 +191,10 @@ msgstr "1 Create an account with google cloud and a new project"
 msgid "1 Increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location)."
 msgstr "1 Increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location)."
 
+#: ../../automation/terraform/terraformGoogle.rst:344
+msgid "1 Increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location). Make sure that you have opened access to the instance in the security group."
+msgstr "1 Increase the time in the file instance.yml from 300 sec to 500 sec or more. (It depends on your location). Make sure that you have opened access to the instance in the security group."
+
 #: ../../automation/terraform/terraformAWS.rst:86
 msgid "2.1 Create a0 UNIX or Windows instance"
 msgstr "2.1 Create a0 UNIX or Windows instance"
@@ -245,6 +257,10 @@ msgstr "2.6 Type the commands :"
 msgid "2 Create a key pair_ and download your .pem key"
 msgstr "2 Create a key pair_ and download your .pem key"
 
+#: ../../automation/terraform/terraformGoogle.rst:29
+msgid "2 Create a service aacount and download your key (.JSON)"
+msgstr "2 Create a service aacount and download your key (.JSON)"
+
 #: ../../automation/terraform/terraformAWS.rst:79
 #: ../../automation/terraform/terraformAZ.rst:56
 #: ../../automation/terraform/terraformGoogle.rst:78
@@ -306,6 +322,10 @@ msgstr "3.4 Copy all files from my folder /Ansible into your Ansible project (an
 msgid "3.4 Copy all files into your Ansible project \"/root/aws/\" (ansible.cfg, instance.yml, mykey.pem and \"all\"), more detailed see `Structure of files Ansible for AWS`_"
 msgstr "3.4 Copy all files into your Ansible project \"/root/aws/\" (ansible.cfg, instance.yml, mykey.pem and \"all\"), more detailed see `Structure of files Ansible for AWS`_"
 
+#: ../../automation/terraform/terraformAWS.rst:38
+msgid "3 Create a security group_ for the new VyOS instance and open all traffic"
+msgstr "3 Create a security group_ for the new VyOS instance and open all traffic"
+
 #: ../../automation/terraform/terraformAWS.rst:81
 msgid "3 Create the folder for example /root/aws/"
 msgstr "3 Create the folder for example /root/aws/"
@@ -351,6 +371,10 @@ msgid "4 Copy all files into your Ansible project \"/root/az/\" (ansible.cfg, in
 msgstr "4 Copy all files into your Ansible project \"/root/az/\" (ansible.cfg, instance.yml,\"all\"), more detailed see `Structure of files Ansible for Azure`_"
 
 #: ../../automation/terraform/terraformGoogle.rst:82
+msgid "4 Copy all files into your Ansible project \"/root/google/\" (ansible.cfg, instance.yml, mykey.json and \"all\"), more detailed see `Structure of files Ansible for Google Cloud`_"
+msgstr "4 Copy all files into your Ansible project \"/root/google/\" (ansible.cfg, instance.yml, mykey.json and \"all\"), more detailed see `Structure of files Ansible for Google Cloud`_"
+
+#: ../../automation/terraform/terraformGoogle.rst:82
 msgid "4 Copy all files into your Ansible project \"/root/google/\" (ansible.cfg, instance.yml, mykey.json and \"all\"), more detailed see `Structure of files Ansible for google cloud`_"
 msgstr "4 Copy all files into your Ansible project \"/root/google/\" (ansible.cfg, instance.yml, mykey.json and \"all\"), more detailed see `Structure of files Ansible for google cloud`_"
 
@@ -358,6 +382,14 @@ msgstr "4 Copy all files into your Ansible project \"/root/google/\" (ansible.cf
 msgid "4 Copy all files into your Ansible project \"/root/vsphereterraform/\" (ansible.cfg, instance.yml,\"all\"), more detailed see `Structure of files Ansible for vSphere`_"
 msgstr "4 Copy all files into your Ansible project \"/root/vsphereterraform/\" (ansible.cfg, instance.yml,\"all\"), more detailed see `Structure of files Ansible for vSphere`_"
 
+#: ../../automation/terraform/terraformGoogle.rst:62
+msgid "4 Copy all files into your Terraform project \"/root/google\" (vyos.tf, var.tf, terraform.tfvars, .JSON), more detailed see `Structure of files Terrafom for google cloud`_"
+msgstr "4 Copy all files into your Terraform project \"/root/google\" (vyos.tf, var.tf, terraform.tfvars, .JSON), more detailed see `Structure of files Terrafom for google cloud`_"
+
+#: ../../automation/terraform/terraformGoogle.rst:64
+msgid "5 Type the commands :"
+msgstr "5 Type the commands :"
+
 #: ../../automation/vyos-api.rst:41
 msgid "API Endpoints"
 msgstr "API Endpoints"
@@ -394,6 +426,10 @@ msgstr "A single-quote symbol is not allowed inside command or value."
 msgid "Accept minion key"
 msgstr "Accept minion key"
 
+#: ../../automation/terraform/terraformGoogle.rst:333
+msgid "After executing all the commands, you will have your VyOS instance on the Google Cloud with your configuration; it's a very convenient decision. If you need to delete the instance, please type the command:"
+msgstr "After executing all the commands, you will have your VyOS instance on the Google Cloud with your configuration; it's a very convenient decision. If you need to delete the instance, please type the command:"
+
 #: ../../automation/terraform/terraformAWS.rst:255
 msgid "After executing all the commands you will have your VyOS instance on the AWS cloud with your configuration, it's a very convenient desition. If you need to delete the instance please type the command:"
 msgstr "After executing all the commands you will have your VyOS instance on the AWS cloud with your configuration, it's a very convenient desition. If you need to delete the instance please type the command:"
@@ -601,6 +637,10 @@ msgid "Deploying VyOS in the Azure cloud"
 msgstr "Deploying VyOS in the Azure cloud"
 
 #: ../../automation/terraform/terraformGoogle.rst:6
+msgid "Deploying VyOS in the Google Cloud"
+msgstr "Deploying VyOS in the Google Cloud"
+
+#: ../../automation/terraform/terraformGoogle.rst:6
 msgid "Deploying VyOS in the google cloud"
 msgstr "Deploying VyOS in the google cloud"
 
@@ -661,6 +701,10 @@ msgid "File contents of Ansible for Azure"
 msgstr "File contents of Ansible for Azure"
 
 #: ../../automation/terraform/terraformGoogle.rst:651
+msgid "File contents of Ansible for Google Cloud"
+msgstr "File contents of Ansible for Google Cloud"
+
+#: ../../automation/terraform/terraformGoogle.rst:651
 msgid "File contents of Ansible for google cloud"
 msgstr "File contents of Ansible for google cloud"
 
@@ -677,6 +721,10 @@ msgid "File contents of Terrafom for Azure"
 msgstr "File contents of Terrafom for Azure"
 
 #: ../../automation/terraform/terraformGoogle.rst:375
+msgid "File contents of Terrafom for Google Cloud"
+msgstr "File contents of Terrafom for Google Cloud"
+
+#: ../../automation/terraform/terraformGoogle.rst:375
 msgid "File contents of Terrafom for google cloud"
 msgstr "File contents of Terrafom for google cloud"
 
@@ -744,6 +792,10 @@ msgstr "Generate qcow image"
 msgid "Getting Started"
 msgstr "Getting Started"
 
+#: ../../automation/terraform/terraformGoogle.rst:19
+msgid "Google Cloud"
+msgstr "Google Cloud"
+
 #: ../../automation/command-scripting.rst:82
 msgid "Here is a simple example:"
 msgstr "Here is a simple example:"
@@ -760,6 +812,10 @@ msgstr "How to create a single instance and install your configuration using Ter
 msgid "How to create a single instance and install your configuration using Terraform+Ansible+Azure Step by step:"
 msgstr "How to create a single instance and install your configuration using Terraform+Ansible+Azure Step by step:"
 
+#: ../../automation/terraform/terraformGoogle.rst:16
+msgid "How to create a single instance and install your configuration using Terraform+Ansible+Google Step by step:"
+msgstr "How to create a single instance and install your configuration using Terraform+Ansible+Google Step by step:"
+
 #: ../../automation/vyos-terraform.rst:987
 msgid "How to create a single instance and install your configuration using Terraform+Ansible+Vsphere Step by step:"
 msgstr "How to create a single instance and install your configuration using Terraform+Ansible+Vsphere Step by step:"
@@ -781,6 +837,10 @@ msgid "If command ends in a value, it must be inside single quotes."
 msgstr "If command ends in a value, it must be inside single quotes."
 
 #: ../../automation/cloud-init.rst:253
+msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0."
+msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0."
+
+#: ../../automation/cloud-init.rst:253
 msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0."
 msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0."
 
@@ -808,6 +868,10 @@ msgstr "In Proxmox server three files are going to be used for this setup:"
 msgid "In VyOS, by default, enables only two modules:"
 msgstr "In VyOS, by default, enables only two modules:"
 
+#: ../../automation/terraform/terraformGoogle.rst:11
+msgid "In this case, we'll create the necessary files for Terraform and Ansible. Next, using Terraform, we'll create a single instance on the Google Cloud and make provisioning using Ansible."
+msgstr "In this case, we'll create the necessary files for Terraform and Ansible. Next, using Terraform, we'll create a single instance on the Google Cloud and make provisioning using Ansible."
+
 #: ../../automation/terraform/terraformAWS.rst:17
 msgid "In this case, we'll create the necessary files for Terraform and Ansible next using Terraform we'll create a single instance on the AWS cloud and make provisioning using Ansible."
 msgstr "In this case, we'll create the necessary files for Terraform and Ansible next using Terraform we'll create a single instance on the AWS cloud and make provisioning using Ansible."
@@ -985,6 +1049,10 @@ msgid "Preparation steps for deploying VyOS on Azure"
 msgstr "Preparation steps for deploying VyOS on Azure"
 
 #: ../../automation/terraform/terraformGoogle.rst:14
+msgid "Preparation steps for deploying VyOS on Google"
+msgstr "Preparation steps for deploying VyOS on Google"
+
+#: ../../automation/terraform/terraformGoogle.rst:14
 msgid "Preparation steps for deploying VyOS on google"
 msgstr "Preparation steps for deploying VyOS on google"
 
@@ -1093,6 +1161,10 @@ msgid "Sourse files for Azure from GIT"
 msgstr "Sourse files for Azure from GIT"
 
 #: ../../automation/terraform/terraformGoogle.rst:703
+msgid "Sourse files for Google Cloud from GIT"
+msgstr "Sourse files for Google Cloud from GIT"
+
+#: ../../automation/terraform/terraformGoogle.rst:703
 msgid "Sourse files for google cloud from GIT"
 msgstr "Sourse files for google cloud from GIT"
 
@@ -1108,6 +1180,10 @@ msgid "Start"
 msgstr "Start"
 
 #: ../../automation/terraform/terraformGoogle.rst:101
+msgid "Start creating a Google Cloud instance and check the result."
+msgstr "Start creating a Google Cloud instance and check the result."
+
+#: ../../automation/terraform/terraformGoogle.rst:101
 msgid "Start creating a google cloud instance and check the result"
 msgstr "Start creating a google cloud instance and check the result"
 
@@ -1141,6 +1217,10 @@ msgid "Structure of files Ansible for Azure"
 msgstr "Structure of files Ansible for Azure"
 
 #: ../../automation/terraform/terraformGoogle.rst:639
+msgid "Structure of files Ansible for Google Cloud"
+msgstr "Structure of files Ansible for Google Cloud"
+
+#: ../../automation/terraform/terraformGoogle.rst:639
 msgid "Structure of files Ansible for google cloud"
 msgstr "Structure of files Ansible for google cloud"
 
@@ -1163,6 +1243,10 @@ msgid "Structure of files Terrafom for Azure"
 msgstr "Structure of files Terrafom for Azure"
 
 #: ../../automation/terraform/terraformGoogle.rst:362
+msgid "Structure of files Terrafom for Google Cloud"
+msgstr "Structure of files Terrafom for Google Cloud"
+
+#: ../../automation/terraform/terraformGoogle.rst:362
 msgid "Structure of files Terrafom for google cloud"
 msgstr "Structure of files Terrafom for google cloud"
 
@@ -1326,11 +1410,14 @@ msgstr "Troubleshooting"
 
 #: ../../automation/terraform/terraformAWS.rst:91
 #: ../../automation/terraform/terraformAZ.rst:66
-#: ../../automation/terraform/terraformGoogle.rst:90
 #: ../../automation/terraform/terraformvSphere.rst:65
 msgid "Type the commands on your Terrafom instance:"
 msgstr "Type the commands on your Terrafom instance:"
 
+#: ../../automation/terraform/terraformGoogle.rst:90
+msgid "Type the commands on your Terraform instance:"
+msgstr "Type the commands on your Terraform instance:"
+
 #: ../../automation/command-scripting.rst:39
 msgid "Unlike a normal configuration session, all operational commands must be prepended with ``run``, even if you haven't created a session with configure."
 msgstr "Unlike a normal configuration session, all operational commands must be prepended with ``run``, even if you haven't created a session with configure."
@@ -1468,6 +1555,10 @@ msgid "With the help of Terraform, you can quickly deploy VyOS-based infrastruct
 msgstr "With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the Azure cloud. If necessary, the infrastructure can be removed using terraform. Also we will make provisioning using Ansible."
 
 #: ../../automation/terraform/terraformGoogle.rst:8
+msgid "With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the Google Cloud. If necessary, the infrastructure can be removed using terraform. Also we will make provisioning using Ansible."
+msgstr "With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the Google Cloud. If necessary, the infrastructure can be removed using terraform. Also we will make provisioning using Ansible."
+
+#: ../../automation/terraform/terraformGoogle.rst:8
 msgid "With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the google cloud. If necessary, the infrastructure can be removed using terraform. Also we will make provisioning using Ansible."
 msgstr "With the help of Terraform, you can quickly deploy VyOS-based infrastructure in the google cloud. If necessary, the infrastructure can be removed using terraform. Also we will make provisioning using Ansible."
 
@@ -1615,6 +1706,10 @@ msgid "main.yml"
 msgstr "main.yml"
 
 #: ../../automation/terraform/terraformGoogle.rst:84
+msgid "mykey.json you have to get using step 2 of the Google Cloud"
+msgstr "mykey.json you have to get using step 2 of the Google Cloud"
+
+#: ../../automation/terraform/terraformGoogle.rst:84
 msgid "mykey.json you have to get using step 2 of the google cloud"
 msgstr "mykey.json you have to get using step 2 of the google cloud"
 
diff --git a/docs/_locale/de/cli.pot b/docs/_locale/de/cli.pot
index 70bb4156..b6203b8a 100644
--- a/docs/_locale/de/cli.pot
+++ b/docs/_locale/de/cli.pot
@@ -8,27 +8,55 @@ msgstr ""
 "Language: de\n"
 "Plural-Forms: nplurals=2; plural=(n==1) ? 0 : 1;\n"
 
-#: ../../cli.rst:115
+#: ../../cli.rst:90
+msgid "\"Clear\" commands are completely non-disruptive to any system operations. Generally, they can be used freely without hesitation."
+msgstr "\"Clear\" commands are completely non-disruptive to any system operations. Generally, they can be used freely without hesitation."
+
+#: ../../cli.rst:151
+msgid "\"Execute\" commands are for executing various diagnostic and auxilliary actions that the system would never perform by itself."
+msgstr "\"Execute\" commands are for executing various diagnostic and auxilliary actions that the system would never perform by itself."
+
+#: ../../cli.rst:137
+msgid "\"Force\" commands force the system to perform an action that it might perform by itself at a later point."
+msgstr "\"Force\" commands force the system to perform an action that it might perform by itself at a later point."
+
+#: ../../cli.rst:174
+msgid "\"Monitor\" commands initiate various monitoring operations that may output information continuously, until terminated with ``Ctrl-C`` or disabled."
+msgstr "\"Monitor\" commands initiate various monitoring operations that may output information continuously, until terminated with ``Ctrl-C`` or disabled."
+
+#: ../../cli.rst:106
+msgid "\"Reset\" commands can be locally-disruptive. They may, for example, terminate a single user session or a session with a dynamic routing protocol peer."
+msgstr "\"Reset\" commands can be locally-disruptive. They may, for example, terminate a single user session or a session with a dynamic routing protocol peer."
+
+#: ../../cli.rst:123
+msgid "\"Restart\" operations may disrupt an entire subsystem. Most often they initiate a restart of a server process, which causes it to be unavailable for a brief period and resets all the process state."
+msgstr "\"Restart\" operations may disrupt an entire subsystem. Most often they initiate a restart of a server process, which causes it to be unavailable for a brief period and resets all the process state."
+
+#: ../../cli.rst:162
+msgid "\"Show\" commands display various system information. They may occasionally use a pager for long outputs, that you can quit by pressing the Q button. Their output is always finite, however."
+msgstr "\"Show\" commands display various system information. They may occasionally use a pager for long outputs, that you can quit by pressing the Q button. Their output is always finite, however."
+
+#: ../../cli.rst:224
 msgid "**Active** or **running configuration** is the system configuration that is loaded  and currently active (used by VyOS). Any change in the configuration will have to be committed to belong to the active/running configuration."
 msgstr "**Active** or **running configuration** is the system configuration that is loaded  and currently active (used by VyOS). Any change in the configuration will have to be committed to belong to the active/running configuration."
 
-#: ../../cli.rst:382
+#: ../../cli.rst:491
 msgid "**Example:**"
 msgstr "**Example:**"
 
-#: ../../cli.rst:126
+#: ../../cli.rst:235
 msgid "**Saved configuration** is the one saved to a file using the :cfgcmd:`save` command. It allows you to keep safe a configuration for future uses. There can be multiple configuration files. The default or \"boot\" configuration is saved and loaded from the file ``/config/config.boot``."
 msgstr "**Saved configuration** is the one saved to a file using the :cfgcmd:`save` command. It allows you to keep safe a configuration for future uses. There can be multiple configuration files. The default or \"boot\" configuration is saved and loaded from the file ``/config/config.boot``."
 
-#: ../../cli.rst:120
+#: ../../cli.rst:229
 msgid "**Working configuration** is the one that is currently being modified in configuration mode. Changes made to the working configuration do not go into effect until the changes are committed with the :cfgcmd:`commit` command. At which time the working configuration will become the active or running configuration."
 msgstr "**Working configuration** is the one that is currently being modified in configuration mode. Changes made to the working configuration do not go into effect until the changes are committed with the :cfgcmd:`commit` command. At which time the working configuration will become the active or running configuration."
 
-#: ../../cli.rst:113
+#: ../../cli.rst:222
 msgid "A VyOS system has three major types of configurations:"
 msgstr "A VyOS system has three major types of configurations:"
 
-#: ../../cli.rst:579
+#: ../../cli.rst:688
 msgid "A reboot because you did not enter ``confirm`` will not take you necessarily to the *saved configuration*, but to the point before the unfortunate commit."
 msgstr "A reboot because you did not enter ``confirm`` will not take you necessarily to the *saved configuration*, but to the point before the unfortunate commit."
 
@@ -36,35 +64,39 @@ msgstr "A reboot because you did not enter ``confirm`` will not take you necessa
 msgid "Access opmode from config mode"
 msgstr "Access opmode from config mode"
 
-#: ../../cli.rst:700
+#: ../../cli.rst:810
 msgid "Access to these commands are possible through the use of the ``run [command]`` command. From this command you will have access to everything accessible from operational mode."
 msgstr "Access to these commands are possible through the use of the ``run [command]`` command. From this command you will have access to everything accessible from operational mode."
 
-#: ../../cli.rst:654
+#: ../../cli.rst:769
 msgid "Add comment as an annotation to a configuration node."
 msgstr "Add comment as an annotation to a configuration node."
 
-#: ../../cli.rst:542
+#: ../../cli.rst:651
 msgid "All changes in the working config will thus be lost."
 msgstr "All changes in the working config will thus be lost."
 
-#: ../../cli.rst:355
+#: ../../cli.rst:464
 msgid "All commands executed here are relative to the configuration level you have entered. You can do everything from the top level, but commands will be quite lengthy when manually typing them."
 msgstr "All commands executed here are relative to the configuration level you have entered. You can do everything from the top level, but commands will be quite lengthy when manually typing them."
 
-#: ../../cli.rst:679
+#: ../../cli.rst:794
 msgid "An important thing to note is that since the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the `show firewall` command would return starting after the ``firewall {`` line, hiding the comment."
 msgstr "An important thing to note is that since the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the `show firewall` command would return starting after the ``firewall {`` line, hiding the comment."
 
-#: ../../cli.rst:493
+#: ../../cli.rst:602
 msgid "Any change you do on the configuration, will not take effect until committed using the :cfgcmd:`commit` command in configuration mode."
 msgstr "Any change you do on the configuration, will not take effect until committed using the :cfgcmd:`commit` command in configuration mode."
 
-#: ../../cli.rst:221
+#: ../../cli.rst:330
 msgid "Both these ``show`` commands should be executed when in operational mode, they do not work directly in configuration mode. There is a special way on how to :ref:`run_opmode_from_config_mode`."
 msgstr "Both these ``show`` commands should be executed when in operational mode, they do not work directly in configuration mode. There is a special way on how to :ref:`run_opmode_from_config_mode`."
 
-#: ../../cli.rst:193
+#: ../../cli.rst:330
+msgid "Both these ``show`` commands should be executed when in operational mode, they do not work directly in configuration mode. There is a special way on how to :ref:run_opmode_from_config_mode."
+msgstr "Both these ``show`` commands should be executed when in operational mode, they do not work directly in configuration mode. There is a special way on how to :ref:run_opmode_from_config_mode."
+
+#: ../../cli.rst:302
 msgid "By default, the configuration is displayed in a hierarchy like the above example, this is only one of the possible ways to display the configuration. When the configuration is generated and the device is configured, changes are added through a collection of :cfgcmd:`set` and :cfgcmd:`delete` commands."
 msgstr "By default, the configuration is displayed in a hierarchy like the above example, this is only one of the possible ways to display the configuration. When the configuration is generated and the device is configured, changes are added through a collection of :cfgcmd:`set` and :cfgcmd:`delete` commands."
 
@@ -72,7 +104,7 @@ msgstr "By default, the configuration is displayed in a hierarchy like the above
 msgid "Command Line Interface"
 msgstr "Command Line Interface"
 
-#: ../../cli.rst:704
+#: ../../cli.rst:814
 msgid "Command completion and syntax help with ``?`` and ``[tab]`` will also work."
 msgstr "Command completion and syntax help with ``?`` and ``[tab]`` will also work."
 
@@ -80,23 +112,23 @@ msgstr "Command completion and syntax help with ``?`` and ``[tab]`` will also wo
 msgid "Compare configurations"
 msgstr "Compare configurations"
 
-#: ../../cli.rst:75
+#: ../../cli.rst:184
 msgid "Configuration Mode"
 msgstr "Configuration Mode"
 
-#: ../../cli.rst:102
+#: ../../cli.rst:211
 msgid "Configuration Overview"
 msgstr "Configuration Overview"
 
-#: ../../cli.rst:457
+#: ../../cli.rst:566
 msgid "Configuration commands are flattened from the tree into 'one-liner' commands shown in :opcmd:`show configuration commands` from operation mode. Commands are relative to the level where they are executed and all redundant information from the current level is removed from the command entered."
 msgstr "Configuration commands are flattened from the tree into 'one-liner' commands shown in :opcmd:`show configuration commands` from operation mode. Commands are relative to the level where they are executed and all redundant information from the current level is removed from the command entered."
 
-#: ../../cli.rst:538
+#: ../../cli.rst:647
 msgid "Configuration mode can not be exited while uncommitted changes exist. To exit configuration mode without applying changes, the :cfgcmd:`exit discard` command must be used."
 msgstr "Configuration mode can not be exited while uncommitted changes exist. To exit configuration mode without applying changes, the :cfgcmd:`exit discard` command must be used."
 
-#: ../../cli.rst:586
+#: ../../cli.rst:701
 msgid "Copy a configuration element."
 msgstr "Copy a configuration element."
 
@@ -104,7 +136,7 @@ msgstr "Copy a configuration element."
 msgid "Editing the configuration"
 msgstr "Editing the configuration"
 
-#: ../../cli.rst:665
+#: ../../cli.rst:780
 msgid "Example:"
 msgstr "Example:"
 
@@ -112,7 +144,15 @@ msgstr "Example:"
 msgid "Example showing possible show commands:"
 msgstr "Example showing possible show commands:"
 
-#: ../../cli.rst:433
+#: ../../cli.rst:96
+#: ../../cli.rst:140
+#: ../../cli.rst:154
+#: ../../cli.rst:166
+#: ../../cli.rst:178
+msgid "Examples:"
+msgstr "Examples:"
+
+#: ../../cli.rst:542
 msgid "Exiting from the configuration mode is done via the :cfgcmd:`exit` command from the top level, executing :cfgcmd:`exit` from within a sub-level takes you back to the top level."
 msgstr "Exiting from the configuration mode is done via the :cfgcmd:`exit` command from the top level, executing :cfgcmd:`exit` from within a sub-level takes you back to the top level."
 
@@ -120,19 +160,19 @@ msgstr "Exiting from the configuration mode is done via the :cfgcmd:`exit` comma
 msgid "For example typing ``sh`` followed by the ``TAB`` key will complete to ``show``. Pressing ``TAB`` a second time will display the possible sub-commands of the ``show`` command."
 msgstr "For example typing ``sh`` followed by the ``TAB`` key will complete to ``show``. Pressing ``TAB`` a second time will display the possible sub-commands of the ``show`` command."
 
-#: ../../cli.rst:201
+#: ../../cli.rst:310
 msgid "Get a collection of all the set commands required which led to the running configuration."
 msgstr "Get a collection of all the set commands required which led to the running configuration."
 
-#: ../../cli.rst:936
+#: ../../cli.rst:1052
 msgid "If you are remotely connected, you will lose your connection. You may want to copy first the config, edit it to ensure connectivity, and load the edited config."
 msgstr "If you are remotely connected, you will lose your connection. You may want to copy first the config, edit it to ensure connectivity, and load the edited config."
 
-#: ../../cli.rst:922
+#: ../../cli.rst:1038
 msgid "In the case you want to completely delete your configuration and restore the default one, you can enter the following command in configuration mode:"
 msgstr "In the case you want to completely delete your configuration and restore the default one, you can enter the following command in configuration mode:"
 
-#: ../../cli.rst:413
+#: ../../cli.rst:522
 msgid "It is also possible to display all :cfgcmd:`set` commands within configuration mode using :cfgcmd:`show | commands`"
 msgstr "It is also possible to display all :cfgcmd:`set` commands within configuration mode using :cfgcmd:`show | commands`"
 
@@ -148,10 +188,26 @@ msgstr "Local Archive"
 msgid "Managing configurations"
 msgstr "Managing configurations"
 
-#: ../../cli.rst:630
+#: ../../cli.rst:77
+msgid "Many operational mode commands in VyOS are placed in families such as ``show``, ``clear``, or ``reset``. Every such family has a specific meaning to allow the user to guess how the command is going to behave — in particular, whether it will be disruptive to the system or not."
+msgstr "Many operational mode commands in VyOS are placed in families such as ``show``, ``clear``, or ``reset``. Every such family has a specific meaning to allow the user to guess how the command is going to behave — in particular, whether it will be disruptive to the system or not."
+
+#: ../../cli.rst:93
+msgid "Most often their purpose is to remove or reset various debug and diagnostic information such as system logs and packet counters."
+msgstr "Most often their purpose is to remove or reset various debug and diagnostic information such as system logs and packet counters."
+
+#: ../../cli.rst:679
+msgid "Note that 'reload' loads the most recent completed configuration and does not require a reboot."
+msgstr "Note that 'reload' loads the most recent completed configuration and does not require a reboot."
+
+#: ../../cli.rst:745
 msgid "Note that ``show`` command respects your edit level and from this level you can view the modified firewall ruleset with just ``show`` with no parameters."
 msgstr "Note that ``show`` command respects your edit level and from this level you can view the modified firewall ruleset with just ``show`` with no parameters."
 
+#: ../../cli.rst:82
+msgid "Note that this convention was not always followed with perfect consistency and some commands may still be in wrong families, so you should always check the command help and documentation if you are not sure what exactly it does."
+msgstr "Note that this convention was not always followed with perfect consistency and some commands may still be in wrong families, so you should always check the command help and documentation if you are not sure what exactly it does."
+
 #: ../../cli.rst:11
 msgid "Operational Mode"
 msgstr "Operational Mode"
@@ -160,7 +216,11 @@ msgstr "Operational Mode"
 msgid "Operational mode allows for commands to perform operational system tasks and view system and service status, while configuration mode allows for the modification of system configuration."
 msgstr "Operational mode allows for commands to perform operational system tasks and view system and service status, while configuration mode allows for the modification of system configuration."
 
-#: ../../cli.rst:85
+#: ../../cli.rst:75
+msgid "Operational mode command families"
+msgstr "Operational mode command families"
+
+#: ../../cli.rst:194
 msgid "Prompt changes from ``$`` to ``#``. To exit configuration mode, type ``exit``."
 msgstr "Prompt changes from ``$`` to ``#``. To exit configuration mode, type ``exit``."
 
@@ -168,15 +228,15 @@ msgstr "Prompt changes from ``$`` to ``#``. To exit configuration mode, type ``e
 msgid "Remote Archive"
 msgstr "Remote Archive"
 
-#: ../../cli.rst:619
+#: ../../cli.rst:734
 msgid "Rename a configuration element."
 msgstr "Rename a configuration element."
 
-#: ../../cli.rst:920
+#: ../../cli.rst:926
 msgid "Restore Default"
 msgstr "Restore Default"
 
-#: ../../cli.rst:728
+#: ../../cli.rst:838
 msgid "Revisions are stored on disk. You can view, compare and rollback them to any previous revisions if something goes wrong."
 msgstr "Revisions are stored on disk. You can view, compare and rollback them to any previous revisions if something goes wrong."
 
@@ -184,15 +244,15 @@ msgstr "Revisions are stored on disk. You can view, compare and rollback them to
 msgid "Rollback Changes"
 msgstr "Rollback Changes"
 
-#: ../../cli.rst:838
+#: ../../cli.rst:948
 msgid "Rollback to revision N (currently requires reboot)"
 msgstr "Rollback to revision N (currently requires reboot)"
 
-#: ../../cli.rst:887
+#: ../../cli.rst:893
 msgid "Saving and loading manually"
 msgstr "Saving and loading manually"
 
-#: ../../cli.rst:94
+#: ../../cli.rst:203
 msgid "See the configuration section of this document for more information on configuration mode."
 msgstr "See the configuration section of this document for more information on configuration mode."
 
@@ -200,15 +260,19 @@ msgstr "See the configuration section of this document for more information on c
 msgid "Seeing and navigating the configuration"
 msgstr "Seeing and navigating the configuration"
 
-#: ../../cli.rst:813
+#: ../../cli.rst:923
 msgid "Show commit revision difference."
 msgstr "Show commit revision difference."
 
-#: ../../cli.rst:864
+#: ../../cli.rst:985
+msgid "Since username and password are part of the URI, they need to be properly url encoded if containing special characters."
+msgstr "Since username and password are part of the URI, they need to be properly url encoded if containing special characters."
+
+#: ../../cli.rst:974
 msgid "Specify remote location of commit archive as any of the below :abbr:`URI (Uniform Resource Identifier)`"
 msgstr "Specify remote location of commit archive as any of the below :abbr:`URI (Uniform Resource Identifier)`"
 
-#: ../../cli.rst:111
+#: ../../cli.rst:220
 msgid "Terminology"
 msgstr "Terminology"
 
@@ -220,7 +284,7 @@ msgstr "The CLI provides a built-in help system. In the CLI the ``?`` key may be
 msgid "The VyOS :abbr:`CLI (Command-Line Interface)` comprises an operational and a configuration mode."
 msgstr "The VyOS :abbr:`CLI (Command-Line Interface)` comprises an operational and a configuration mode."
 
-#: ../../cli.rst:378
+#: ../../cli.rst:487
 msgid "The :cfgcmd:`show` command within configuration mode will show the working configuration indicating line changes with ``+`` for additions, ``>`` for replacements and ``-`` for deletions."
 msgstr "The :cfgcmd:`show` command within configuration mode will show the working configuration indicating line changes with ``+`` for additions, ``>`` for replacements and ``-`` for deletions."
 
@@ -228,15 +292,15 @@ msgstr "The :cfgcmd:`show` command within configuration mode will show the worki
 msgid "The ``comment`` command allows you to insert a comment above the ``<config node>`` configuration section. When shown, comments are enclosed with ``/*`` and ``*/`` as open/close delimiters. Comments need to be commited, just like other config changes."
 msgstr "The ``comment`` command allows you to insert a comment above the ``<config node>`` configuration section. When shown, comments are enclosed with ``/*`` and ``*/`` as open/close delimiters. Comments need to be commited, just like other config changes."
 
-#: ../../cli.rst:656
+#: ../../cli.rst:771
 msgid "The ``comment`` command allows you to insert a comment above the ``<config node>`` configuration section. When shown, comments are enclosed with ``/*`` and ``*/`` as open/close delimiters. Comments need to be committed, just like other config changes."
 msgstr "The ``comment`` command allows you to insert a comment above the ``<config node>`` configuration section. When shown, comments are enclosed with ``/*`` and ``*/`` as open/close delimiters. Comments need to be committed, just like other config changes."
 
-#: ../../cli.rst:787
+#: ../../cli.rst:897
 msgid "The command :cfgcmd:`compare` allows you to compare different type of configurations. It also lets you compare different revisions through the :cfgcmd:`compare N M` command, where N and M are revision numbers. The output will describe how the configuration N is when compared to M indicating with a plus sign (``+``) the additional parts N has when compared to M, and indicating with a minus sign (``-``) the lacking parts N misses when compared to M."
 msgstr "The command :cfgcmd:`compare` allows you to compare different type of configurations. It also lets you compare different revisions through the :cfgcmd:`compare N M` command, where N and M are revision numbers. The output will describe how the configuration N is when compared to M indicating with a plus sign (``+``) the additional parts N has when compared to M, and indicating with a minus sign (``-``) the lacking parts N misses when compared to M."
 
-#: ../../cli.rst:816
+#: ../../cli.rst:926
 msgid "The command above also lets you see the difference between two commits. By default the difference with the running config is shown."
 msgstr "The command above also lets you see the difference between two commits. By default the difference with the running config is shown."
 
@@ -244,87 +308,103 @@ msgstr "The command above also lets you see the difference between two commits.
 msgid "The config mode"
 msgstr "The config mode"
 
-#: ../../cli.rst:449
+#: ../../cli.rst:558
 msgid "The configuration can be edited by the use of :cfgcmd:`set` and :cfgcmd:`delete` commands from within configuration mode."
 msgstr "The configuration can be edited by the use of :cfgcmd:`set` and :cfgcmd:`delete` commands from within configuration mode."
 
-#: ../../cli.rst:359
+#: ../../cli.rst:468
 msgid "The current hierarchy level can be changed by the :cfgcmd:`edit` command."
 msgstr "The current hierarchy level can be changed by the :cfgcmd:`edit` command."
 
-#: ../../cli.rst:875
+#: ../../cli.rst:669
+msgid "The definition of 'revert' and 'a previous configuration' depends on the setting:"
+msgstr "The definition of 'revert' and 'a previous configuration' depends on the setting:"
+
+#: ../../cli.rst:988
 msgid "The number of revisions don't affect the commit-archive."
 msgstr "The number of revisions don't affect the commit-archive."
 
-#: ../../cli.rst:933
+#: ../../cli.rst:1049
 msgid "Then you may want to :cfgcmd:`save` in order to delete the saved configuration too."
 msgstr "Then you may want to :cfgcmd:`save` in order to delete the saved configuration too."
 
-#: ../../cli.rst:422
+#: ../../cli.rst:531
 msgid "These commands are also relative to the level you are inside and only relevant configuration blocks will be displayed when entering a sub-level."
 msgstr "These commands are also relative to the level you are inside and only relevant configuration blocks will be displayed when entering a sub-level."
 
-#: ../../cli.rst:475
+#: ../../cli.rst:584
 msgid "These two commands above are essentially the same, just executed from different levels in the hierarchy."
 msgstr "These two commands above are essentially the same, just executed from different levels in the hierarchy."
 
-#: ../../cli.rst:827
+#: ../../cli.rst:110
+msgid "They should be used with caution since they may have a significant impact on a particular users in the network."
+msgstr "They should be used with caution since they may have a significant impact on a particular users in the network."
+
+#: ../../cli.rst:127
+msgid "They should be used with extreme caution."
+msgstr "They should be used with extreme caution."
+
+#: ../../cli.rst:937
 msgid "This means four commits ago we did ``set system ipv6 disable-forwarding``."
 msgstr "This means four commits ago we did ``set system ipv6 disable-forwarding``."
 
-#: ../../cli.rst:480
+#: ../../cli.rst:589
 msgid "To delete a configuration entry use the :cfgcmd:`delete` command, this also deletes all sub-levels under the current level you've specified in the :cfgcmd:`delete` command. Deleting an entry will also result in the element reverting back to its default value if one exists."
 msgstr "To delete a configuration entry use the :cfgcmd:`delete` command, this also deletes all sub-levels under the current level you've specified in the :cfgcmd:`delete` command. Deleting an entry will also result in the element reverting back to its default value if one exists."
 
-#: ../../cli.rst:77
+#: ../../cli.rst:186
 msgid "To enter configuration mode use the ``configure`` command:"
 msgstr "To enter configuration mode use the ``configure`` command:"
 
-#: ../../cli.rst:661
+#: ../../cli.rst:776
 msgid "To remove an existing comment from your current configuration, specify an empty string enclosed in double quote marks (``\"\"``) as the comment text."
 msgstr "To remove an existing comment from your current configuration, specify an empty string enclosed in double quote marks (``\"\"``) as the comment text."
 
-#: ../../cli.rst:225
+#: ../../cli.rst:334
 msgid "Use the ``show configuration commands | strip-private`` command when you want to hide private data. You may want to do so if you want to share your configuration on the `forum`_."
 msgstr "Use the ``show configuration commands | strip-private`` command when you want to hide private data. You may want to do so if you want to share your configuration on the `forum`_."
 
-#: ../../cli.rst:898
+#: ../../cli.rst:1014
 msgid "Use this command to load a configuration which will replace the running configuration. Define the location of the configuration file to be loaded. You can use a path to a local file, an SCP address, an SFTP address, an FTP address, an HTTP address, an HTTPS address or a TFTP address."
 msgstr "Use this command to load a configuration which will replace the running configuration. Define the location of the configuration file to be loaded. You can use a path to a local file, an SCP address, an SFTP address, an FTP address, an HTTP address, an HTTPS address or a TFTP address."
 
-#: ../../cli.rst:511
+#: ../../cli.rst:620
 msgid "Use this command to preserve configuration changes upon reboot. By default it is stored at */config/config.boot*. In the case you want to store the configuration file somewhere else, you can add a local path, a SCP address, a FTP address or a TFTP address."
 msgstr "Use this command to preserve configuration changes upon reboot. By default it is stored at */config/config.boot*. In the case you want to store the configuration file somewhere else, you can add a local path, a SCP address, a FTP address or a TFTP address."
 
-#: ../../cli.rst:454
+#: ../../cli.rst:563
 msgid "Use this command to set the value of a parameter or to create a new element."
 msgstr "Use this command to set the value of a parameter or to create a new element."
 
-#: ../../cli.rst:763
+#: ../../cli.rst:873
 msgid "Use this command to spot what the differences are between different configurations."
 msgstr "Use this command to spot what the differences are between different configurations."
 
-#: ../../cli.rst:555
+#: ../../cli.rst:664
+msgid "Use this command to temporarily commit your changes and set the number of minutes available for confirmation. ``confirm`` must be entered within those minutes, otherwise the system will revert into a previous configuration. The default value is 10 minutes."
+msgstr "Use this command to temporarily commit your changes and set the number of minutes available for confirmation. ``confirm`` must be entered within those minutes, otherwise the system will revert into a previous configuration. The default value is 10 minutes."
+
+#: ../../cli.rst:664
 msgid "Use this command to temporarily commit your changes and set the number of minutes available for validation. ``confirm`` must be entered within those minutes, otherwise the system will reboot into the previous configuration. The default value is 10 minutes."
 msgstr "Use this command to temporarily commit your changes and set the number of minutes available for validation. ``confirm`` must be entered within those minutes, otherwise the system will reboot into the previous configuration. The default value is 10 minutes."
 
-#: ../../cli.rst:733
+#: ../../cli.rst:843
 msgid "View all existing revisions on the local system."
 msgstr "View all existing revisions on the local system."
 
-#: ../../cli.rst:137
+#: ../../cli.rst:246
 msgid "View the current active configuration, also known as the running configuration, from the operational mode."
 msgstr "View the current active configuration, also known as the running configuration, from the operational mode."
 
-#: ../../cli.rst:233
+#: ../../cli.rst:342
 msgid "View the current active configuration in JSON format."
 msgstr "View the current active configuration in JSON format."
 
-#: ../../cli.rst:241
+#: ../../cli.rst:350
 msgid "View the current active configuration in readable JSON format."
 msgstr "View the current active configuration in readable JSON format."
 
-#: ../../cli.rst:855
+#: ../../cli.rst:965
 msgid "VyOS can upload the configuration to a remote location after each call to :cfgcmd:`commit`. You will have to set the commit-archive location. TFTP, FTP, SCP and SFTP servers are supported. Every time a :cfgcmd:`commit` is successful the ``config.boot`` file will be copied to the defined destination(s). The filename used on the remote host will be ``config.boot-hostname.YYYYMMDD_HHMMSS``."
 msgstr "VyOS can upload the configuration to a remote location after each call to :cfgcmd:`commit`. You will have to set the commit-archive location. TFTP, FTP, SCP and SFTP servers are supported. Every time a :cfgcmd:`commit` is successful the ``config.boot`` file will be copied to the defined destination(s). The filename used on the remote host will be ``config.boot-hostname.YYYYMMDD_HHMMSS``."
 
@@ -332,15 +412,15 @@ msgstr "VyOS can upload the configuration to a remote location after each call t
 msgid "VyOS can upload the configuration to a remote location after each call to :cfgcmd:`commit`. You will have to set the commit-archive location. TFTP, FTP, SCP and SFTP servers are supported. Every time a :cfgcmd:`commit` is successfull the ``config.boot`` file will be copied to the defined destination(s). The filename used on the remote host will be ``config.boot-hostname.YYYYMMDD_HHMMSS``."
 msgstr "VyOS can upload the configuration to a remote location after each call to :cfgcmd:`commit`. You will have to set the commit-archive location. TFTP, FTP, SCP and SFTP servers are supported. Every time a :cfgcmd:`commit` is successfull the ``config.boot`` file will be copied to the defined destination(s). The filename used on the remote host will be ``config.boot-hostname.YYYYMMDD_HHMMSS``."
 
-#: ../../cli.rst:719
+#: ../../cli.rst:829
 msgid "VyOS comes with an integrated versioning system for the system configuration. It automatically maintains a backup of every previous configuration which has been committed to the system. The configurations are versioned locally for rollback but they can also be stored on a remote host for archiving/backup reasons."
 msgstr "VyOS comes with an integrated versioning system for the system configuration. It automatically maintains a backup of every previous configuration which has been committed to the system. The configurations are versioned locally for rollback but they can also be stored on a remote host for archiving/backup reasons."
 
-#: ../../cli.rst:759
+#: ../../cli.rst:869
 msgid "VyOS lets you compare different configurations."
 msgstr "VyOS lets you compare different configurations."
 
-#: ../../cli.rst:104
+#: ../../cli.rst:213
 msgid "VyOS makes use of a unified configuration file for the entire system's configuration: ``/config/config.boot``. This allows easy template creation, backup, and replication of system configuration. A system can thus also be easily cloned by simply copying the required configuration files."
 msgstr "VyOS makes use of a unified configuration file for the entire system's configuration: ``/config/config.boot``. This allows easy template creation, backup, and replication of system configuration. A system can thus also be easily cloned by simply copying the required configuration files."
 
@@ -348,19 +428,19 @@ msgstr "VyOS makes use of a unified configuration file for the entire system's c
 msgid "What if you are doing something dangerous? Suppose you want to setup a firewall, and you are not sure there are no mistakes that will lock you out of your system. You can use confirmed commit. If you issue the ``commit-confirm`` command, your changes will be commited, and if you don't issue  the ``confirm`` command in 10 minutes, your system will reboot into previous config revision."
 msgstr "What if you are doing something dangerous? Suppose you want to setup a firewall, and you are not sure there are no mistakes that will lock you out of your system. You can use confirmed commit. If you issue the ``commit-confirm`` command, your changes will be commited, and if you don't issue  the ``confirm`` command in 10 minutes, your system will reboot into previous config revision."
 
-#: ../../cli.rst:561
+#: ../../cli.rst:682
 msgid "What if you are doing something dangerous? Suppose you want to setup a firewall, and you are not sure there are no mistakes that will lock you out of your system. You can use confirmed commit. If you issue the ``commit-confirm`` command, your changes will be committed, and if you don't issue  the ``confirm`` command in 10 minutes, your system will reboot into previous config revision."
 msgstr "What if you are doing something dangerous? Suppose you want to setup a firewall, and you are not sure there are no mistakes that will lock you out of your system. You can use confirmed commit. If you issue the ``commit-confirm`` command, your changes will be committed, and if you don't issue  the ``confirm`` command in 10 minutes, your system will reboot into previous config revision."
 
-#: ../../cli.rst:340
+#: ../../cli.rst:449
 msgid "When entering the configuration mode you are navigating inside a tree structure, to enter configuration mode enter the command :opcmd:`configure` when in operational mode."
 msgstr "When entering the configuration mode you are navigating inside a tree structure, to enter configuration mode enter the command :opcmd:`configure` when in operational mode."
 
-#: ../../cli.rst:351
+#: ../../cli.rst:460
 msgid "When going into configuration mode, prompt changes from ``$`` to ``#``."
 msgstr "When going into configuration mode, prompt changes from ``$`` to ``#``."
 
-#: ../../cli.rst:695
+#: ../../cli.rst:805
 msgid "When inside configuration mode you are not directly able to execute operational commands."
 msgstr "When inside configuration mode you are not directly able to execute operational commands."
 
@@ -368,7 +448,11 @@ msgstr "When inside configuration mode you are not directly able to execute oper
 msgid "When the output of a command results in more lines than can be displayed on the terminal screen the output is paginated as indicated by a ``:`` prompt."
 msgstr "When the output of a command results in more lines than can be displayed on the terminal screen the output is paginated as indicated by a ``:`` prompt."
 
-#: ../../cli.rst:892
+#: ../../cli.rst:990
+msgid "When using Git as destination for the commit archive the ``source-address`` CLI option has no effect."
+msgstr "When using Git as destination for the commit archive the ``source-address`` CLI option has no effect."
+
+#: ../../cli.rst:1008
 msgid "When using the save_ command, you can add a specific location where to store your configuration file. And, when needed it, you will be able to load it with the ``load`` command:"
 msgstr "When using the save_ command, you can add a specific location where to store your configuration file. And, when needed it, you will be able to load it with the ``load`` command:"
 
@@ -380,19 +464,19 @@ msgstr "When viewing in page mode the following commands are available:"
 msgid "You are now in a sublevel relative to ``interfaces ethernet eth0``, all commands executed from this point on are relative to this sublevel. Use eithe the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top of the hierarchy. You can also use the :cfgcmd:`up` command to move only one level up at a time."
 msgstr "You are now in a sublevel relative to ``interfaces ethernet eth0``, all commands executed from this point on are relative to this sublevel. Use eithe the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top of the hierarchy. You can also use the :cfgcmd:`up` command to move only one level up at a time."
 
-#: ../../cli.rst:370
+#: ../../cli.rst:479
 msgid "You are now in a sublevel relative to ``interfaces ethernet eth0``, all commands executed from this point on are relative to this sublevel. Use either the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top of the hierarchy. You can also use the :cfgcmd:`up` command to move only one level up at a time."
 msgstr "You are now in a sublevel relative to ``interfaces ethernet eth0``, all commands executed from this point on are relative to this sublevel. Use either the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top of the hierarchy. You can also use the :cfgcmd:`up` command to move only one level up at a time."
 
-#: ../../cli.rst:621
+#: ../../cli.rst:736
 msgid "You can also rename config subtrees:"
 msgstr "You can also rename config subtrees:"
 
-#: ../../cli.rst:588
+#: ../../cli.rst:703
 msgid "You can copy and remove configuration subtrees. Suppose you set up a firewall ruleset ``FromWorld`` with one rule that allows traffic from specific subnet. Now you want to setup a similar rule, but for different subnet. Change your edit level to ``firewall name FromWorld`` and use ``copy rule 10 to rule 20``, then modify rule 20."
 msgstr "You can copy and remove configuration subtrees. Suppose you set up a firewall ruleset ``FromWorld`` with one rule that allows traffic from specific subnet. Now you want to setup a similar rule, but for different subnet. Change your edit level to ``firewall name FromWorld`` and use ``copy rule 10 to rule 20``, then modify rule 20."
 
-#: ../../cli.rst:833
+#: ../../cli.rst:943
 msgid "You can rollback configuration changes using the rollback command. This will apply the selected revision and trigger a system reboot."
 msgstr "You can rollback configuration changes using the rollback command. This will apply the selected revision and trigger a system reboot."
 
@@ -400,23 +484,23 @@ msgstr "You can rollback configuration changes using the rollback command. This
 msgid "You can scroll up with the keys ``[Shift]+[PageUp]`` and scroll down with ``[Shift]+[PageDown]``."
 msgstr "You can scroll up with the keys ``[Shift]+[PageUp]`` and scroll down with ``[Shift]+[PageDown]``."
 
-#: ../../cli.rst:504
+#: ../../cli.rst:613
 msgid "You can specify a commit message with :cfgcmd:`commit comment <message>`."
 msgstr "You can specify a commit message with :cfgcmd:`commit comment <message>`."
 
-#: ../../cli.rst:750
+#: ../../cli.rst:860
 msgid "You can specify the number of revisions stored on disk. N can be in the range of 0 - 65535. When the number of revisions exceeds the configured value, the oldest revision is removed. The default setting for this value is to store 100 revisions locally."
 msgstr "You can specify the number of revisions stored on disk. N can be in the range of 0 - 65535. When the number of revisions exceeds the configured value, the oldest revision is removed. The default setting for this value is to store 100 revisions locally."
 
-#: ../../cli.rst:889
+#: ../../cli.rst:1005
 msgid "You can use the ``save`` and ``load`` commands if you want to manually manage specific configuration files."
 msgstr "You can use the ``save`` and ``load`` commands if you want to manually manage specific configuration files."
 
-#: ../../cli.rst:877
+#: ../../cli.rst:993
 msgid "You may find VyOS not allowing the secure connection because it cannot verify the legitimacy of the remote server. You can use the workaround below to quickly add the remote host's SSH fingerprint to your ``~/.ssh/known_hosts`` file:"
 msgstr "You may find VyOS not allowing the secure connection because it cannot verify the legitimacy of the remote server. You can use the workaround below to quickly add the remote host's SSH fingerprint to your ``~/.ssh/known_hosts`` file:"
 
-#: ../../cli.rst:930
+#: ../../cli.rst:1046
 msgid "You will be asked if you want to continue. If you accept, you will have to use :cfgcmd:`commit` if you want to make the changes active."
 msgstr "You will be asked if you want to continue. If you accept, you will have to use :cfgcmd:`commit` if you want to make the changes active."
 
@@ -424,19 +508,43 @@ msgstr "You will be asked if you want to continue. If you accept, you will have
 msgid "``b`` will scroll back one page"
 msgstr "``b`` will scroll back one page"
 
-#: ../../cli.rst:869
+#: ../../cli.rst:98
+msgid "``clear console`` — clears the screen."
+msgstr "``clear console`` — clears the screen."
+
+#: ../../cli.rst:99
+msgid "``clear interfaces ethernet eth0 counters`` — zeroes packet counters on ``eth0``."
+msgstr "``clear interfaces ethernet eth0 counters`` — zeroes packet counters on ``eth0``."
+
+#: ../../cli.rst:101
+msgid "``clear log`` — deletes all system log entries."
+msgstr "``clear log`` — deletes all system log entries."
+
+#: ../../cli.rst:156
+msgid "``execute wake-on-lan interface <intf> host <MAC>`` — send a Wake-On-LAN packet to a host."
+msgstr "``execute wake-on-lan interface <intf> host <MAC>`` — send a Wake-On-LAN packet to a host."
+
+#: ../../cli.rst:142
+msgid "``force arp request interface eth1 address 10.3.0.2`` — send a gratuitious ARP request."
+msgstr "``force arp request interface eth1 address 10.3.0.2`` — send a gratuitious ARP request."
+
+#: ../../cli.rst:144
+msgid "``force root-partition-auto-resize`` — grow the root filesystem to the size of the system partition (this is also done on startup, but this command can do it without a reboot)."
+msgstr "``force root-partition-auto-resize`` — grow the root filesystem to the size of the system partition (this is also done on startup, but this command can do it without a reboot)."
+
+#: ../../cli.rst:979
 msgid "``ftp://<user>:<passwd>@<host>/<dir>``"
 msgstr "``ftp://<user>:<passwd>@<host>/<dir>``"
 
-#: ../../cli.rst:873
+#: ../../cli.rst:983
 msgid "``git+https://<user>:<passwd>@<host>/<path>``"
 msgstr "``git+https://<user>:<passwd>@<host>/<path>``"
 
-#: ../../cli.rst:867
+#: ../../cli.rst:977
 msgid "``http://<user>:<passwd>@<host>:/<dir>``"
 msgstr "``http://<user>:<passwd>@<host>:/<dir>``"
 
-#: ../../cli.rst:868
+#: ../../cli.rst:978
 msgid "``https://<user>:<passwd>@<host>:/<dir>``"
 msgstr "``https://<user>:<passwd>@<host>:/<dir>``"
 
@@ -444,30 +552,90 @@ msgstr "``https://<user>:<passwd>@<host>:/<dir>``"
 msgid "``left-arrow`` and ``right-arrow`` can be used to scroll left or right in the event that the output has lines which exceed the terminal size."
 msgstr "``left-arrow`` and ``right-arrow`` can be used to scroll left or right in the event that the output has lines which exceed the terminal size."
 
+#: ../../cli.rst:180
+msgid "``monitor log`` — continuously outputs latest system logs."
+msgstr "``monitor log`` — continuously outputs latest system logs."
+
 #: ../../cli.rst:65
 msgid "``q`` key can be used to cancel output"
 msgstr "``q`` key can be used to cancel output"
 
+#: ../../cli.rst:115
+msgid "``reset bgp 192.0.2.54`` — terminates the BGP session with neighbor 192.0.2.54."
+msgstr "``reset bgp 192.0.2.54`` — terminates the BGP session with neighbor 192.0.2.54."
+
+#: ../../cli.rst:113
+msgid "``reset pppoe-server username jsmith`` — terminate all PPPoE sessions from user ``jsmith``."
+msgstr "``reset pppoe-server username jsmith`` — terminate all PPPoE sessions from user ``jsmith``."
+
+#: ../../cli.rst:117
+msgid "``reset vpn ipsec site-to-site peer vpn.example.com`` — terminates IPsec tunnels to ``vpn.example.com``."
+msgstr "``reset vpn ipsec site-to-site peer vpn.example.com`` — terminates IPsec tunnels to ``vpn.example.com``."
+
+#: ../../cli.rst:129
+msgid "``restart dhcp server`` — restarts the IPv4 DHCP server process (DHCP requests are not served while it is restarting)."
+msgstr "``restart dhcp server`` — restarts the IPv4 DHCP server process (DHCP requests are not served while it is restarting)."
+
+#: ../../cli.rst:131
+msgid "``restart ipsec`` — restarts the IPsec process (which forces all sessions and all IPsec process state to reset)."
+msgstr "``restart ipsec`` — restarts the IPsec process (which forces all sessions and all IPsec process state to reset)."
+
 #: ../../cli.rst:68
 msgid "``return`` will scroll down one line"
 msgstr "``return`` will scroll down one line"
 
-#: ../../cli.rst:871
+#: ../../cli.rst:981
 msgid "``scp://<user>:<passwd>@<host>:/<dir>``"
 msgstr "``scp://<user>:<passwd>@<host>:/<dir>``"
 
-#: ../../cli.rst:870
+#: ../../cli.rst:980
 msgid "``sftp://<user>:<passwd>@<host>/<dir>``"
 msgstr "``sftp://<user>:<passwd>@<host>/<dir>``"
 
+#: ../../cli.rst:169
+msgid "``show ip route`` — displays the IPv4 routing table."
+msgstr "``show ip route`` — displays the IPv4 routing table."
+
+#: ../../cli.rst:168
+msgid "``show system login`` — displays current system users."
+msgstr "``show system login`` — displays current system users."
+
 #: ../../cli.rst:66
 msgid "``space`` will scroll down one page"
 msgstr "``space`` will scroll down one page"
 
-#: ../../cli.rst:872
+#: ../../cli.rst:982
 msgid "``tftp://<host>/<dir>``"
 msgstr "``tftp://<host>/<dir>``"
 
 #: ../../cli.rst:69
 msgid "``up-arrow`` and ``down-arrow`` will scroll up or down one line at a time respectively"
 msgstr "``up-arrow`` and ``down-arrow`` will scroll up or down one line at a time respectively"
+
+#: ../../cli.rst:88
+msgid "clear"
+msgstr "clear"
+
+#: ../../cli.rst:149
+msgid "execute"
+msgstr "execute"
+
+#: ../../cli.rst:135
+msgid "force"
+msgstr "force"
+
+#: ../../cli.rst:172
+msgid "monitor"
+msgstr "monitor"
+
+#: ../../cli.rst:104
+msgid "reset"
+msgstr "reset"
+
+#: ../../cli.rst:121
+msgid "restart"
+msgstr "restart"
+
+#: ../../cli.rst:160
+msgid "show"
+msgstr "show"
diff --git a/docs/_locale/de/configexamples.pot b/docs/_locale/de/configexamples.pot
index 94068912..c617e522 100644
--- a/docs/_locale/de/configexamples.pot
+++ b/docs/_locale/de/configexamples.pot
@@ -8,7 +8,7 @@ msgstr ""
 "Language: de\n"
 "Plural-Forms: nplurals=2; plural=(n==1) ? 0 : 1;\n"
 
-#: ../../configexamples/zone-policy.rst:162
+#: ../../configexamples/zone-policy.rst:152
 msgid "''It is important to note, that you do not want to add logging to the established state rule as you will be logging both the inbound and outbound packets for each session instead of just the initiation of the session. Your logs will be massive in a very short period of time.''"
 msgstr "''It is important to note, that you do not want to add logging to the established state rule as you will be logging both the inbound and outbound packets for each session instead of just the initiation of the session. Your logs will be massive in a very short period of time.''"
 
@@ -36,7 +36,7 @@ msgstr "**NOTE:** VyOS Router (tested with VyOS 1.4-rolling-202110310317) –  T
 msgid "**Note:** At the moment, trace mpls doesn’t show labels/paths. So we’ll see * * *  for the transit routers of the mpls backbone."
 msgstr "**Note:** At the moment, trace mpls doesn’t show labels/paths. So we’ll see * * *  for the transit routers of the mpls backbone."
 
-#: ../../configexamples/zone-policy.rst:34
+#: ../../configexamples/zone-policy.rst:24
 msgid "**This specific example is for a router on a stick, but is very easily adapted for however many NICs you have**:"
 msgstr "**This specific example is for a router on a stick, but is very easily adapted for however many NICs you have**:"
 
@@ -140,11 +140,11 @@ msgstr "172.17.1.40 CS0 by default"
 msgid "172.17.1.4 CS0 -> CS6"
 msgstr "172.17.1.4 CS0 -> CS6"
 
-#: ../../configexamples/zone-policy.rst:45
+#: ../../configexamples/zone-policy.rst:35
 msgid "192.168.100.10/2001:0DB8:0:AAAA::10 is the administrator's console. It can SSH to VyOS."
 msgstr "192.168.100.10/2001:0DB8:0:AAAA::10 is the administrator's console. It can SSH to VyOS."
 
-#: ../../configexamples/zone-policy.rst:43
+#: ../../configexamples/zone-policy.rst:33
 msgid "192.168.200.200/2001:0DB8:0:BBBB::200 is an internal/external DNS, web and mail (SMTP/IMAP) server."
 msgstr "192.168.200.200/2001:0DB8:0:BBBB::200 is an internal/external DNS, web and mail (SMTP/IMAP) server."
 
@@ -306,6 +306,35 @@ msgstr "A rule order for prioritizing traffic is useful in scenarios where the s
 msgid "A simple solution could be using different routing tables, or VRFs for all the networks so we can keep the routing restrictions. But for us to route between the different VRFs we would need a cable or a logical connection between each other:"
 msgstr "A simple solution could be using different routing tables, or VRFs for all the networks so we can keep the routing restrictions. But for us to route between the different VRFs we would need a cable or a logical connection between each other:"
 
+#: ../../configexamples/fwall-and-bridge.rst:25
+msgid "Accept access to router itself."
+msgstr "Accept access to router itself."
+
+#: ../../configexamples/fwall-and-bridge.rst:21
+#: ../../configexamples/fwall-and-bridge.rst:32
+msgid "Accept all ARP packets."
+msgstr "Accept all ARP packets."
+
+#: ../../configexamples/fwall-and-bridge.rst:30
+msgid "Accept all DHCP discover packets."
+msgstr "Accept all DHCP discover packets."
+
+#: ../../configexamples/fwall-and-bridge.rst:33
+msgid "Accept all IPv4 connections."
+msgstr "Accept all IPv4 connections."
+
+#: ../../configexamples/fwall-and-bridge.rst:31
+msgid "Accept only DHCP offers from valid server and|or trusted bridge port."
+msgstr "Accept only DHCP offers from valid server and|or trusted bridge port."
+
+#: ../../configexamples/fwall-and-bridge.rst:17
+msgid "Accept only IPv6 communication whithin the bridge."
+msgstr "Accept only IPv6 communication whithin the bridge."
+
+#: ../../configexamples/fwall-and-bridge.rst:270
+msgid "Access to the router itself is controlled by the base chain ``input``, and rules to accomplish all the requirements are:"
+msgstr "Access to the router itself is controlled by the base chain ``input``, and rules to accomplish all the requirements are:"
+
 #: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:19
 msgid "Account at https://www.tunnelbroker.net/"
 msgstr "Account at https://www.tunnelbroker.net/"
@@ -414,10 +443,46 @@ msgstr "Allow all icmpv6 packets for router and LAN"
 msgid "Allow all new connections from local subnets."
 msgstr "Allow all new connections from local subnets."
 
+#: ../../configexamples/fwall-and-vrf.rst:29
+msgid "Allow connection to PROD."
+msgstr "Allow connection to PROD."
+
+#: ../../configexamples/policy-based-ipsec-and-firewall.rst:40
+msgid "Allow connections from LANs to LANs through the tunnel."
+msgstr "Allow connections from LANs to LANs through the tunnel."
+
 #: ../../configexamples/policy-based-ipsec-and-firewall.rst:40
 msgid "Allow connections from LANs to LANs throught the tunnel."
 msgstr "Allow connections from LANs to LANs throught the tunnel."
 
+#: ../../configexamples/fwall-and-vrf.rst:20
+msgid "Allow connections to LAN and PROD."
+msgstr "Allow connections to LAN and PROD."
+
+#: ../../configexamples/fwall-and-vrf.rst:24
+msgid "Allow connections to PROD."
+msgstr "Allow connections to PROD."
+
+#: ../../configexamples/fwall-and-bridge.rst:37
+msgid "Allow connections to bridge br1."
+msgstr "Allow connections to bridge br1."
+
+#: ../../configexamples/fwall-and-bridge.rst:26
+msgid "Allow connections to internet"
+msgstr "Allow connections to internet"
+
+#: ../../configexamples/fwall-and-vrf.rst:25
+msgid "Allow connections to internet(WAN)."
+msgstr "Allow connections to internet(WAN)."
+
+#: ../../configexamples/fwall-and-bridge.rst:36
+msgid "Allow connections to internet."
+msgstr "Allow connections to internet."
+
+#: ../../configexamples/fwall-and-vrf.rst:22
+msgid "Allow connections to the router."
+msgstr "Allow connections to the router."
+
 #: ../../configexamples/policy-based-ipsec-and-firewall.rst:34
 msgid "Allow dns requests only only for local networks."
 msgstr "Allow dns requests only only for local networks."
@@ -426,6 +491,14 @@ msgstr "Allow dns requests only only for local networks."
 msgid "Allow icmp on all interfaces."
 msgstr "Allow icmp on all interfaces."
 
+#: ../../configexamples/fwall-and-vrf.rst:103
+msgid "Also, we are adding global state policies, in order to allow established and related traffic, in order not to drop valid responses:"
+msgstr "Also, we are adding global state policies, in order to allow established and related traffic, in order not to drop valid responses:"
+
+#: ../../configexamples/fwall-and-bridge.rst:84
+msgid "Also, we are going to use firewall interface groups in order to simplify the firewall configuration."
+msgstr "Also, we are going to use firewall interface groups in order to simplify the firewall configuration."
+
 #: ../../configexamples/policy-based-ipsec-and-firewall.rst:220
 msgid "Also, we can check firewall counters:"
 msgstr "Also, we can check firewall counters:"
@@ -442,6 +515,18 @@ msgstr "An L3VPN consists of multiple access links, multiple VPN routing and for
 msgid "And NAT Configuration:"
 msgstr "And NAT Configuration:"
 
+#: ../../configexamples/fwall-and-vrf.rst:70
+msgid "And before firewall rules are shown, we need to pay attention how to configure and match interfaces and VRFs. In case where an interface is assigned to a non-default VRF, if we want to use inbound-interface or outbound-interface in firewall rules, we need to:"
+msgstr "And before firewall rules are shown, we need to pay attention how to configure and match interfaces and VRFs. In case where an interface is assigned to a non-default VRF, if we want to use inbound-interface or outbound-interface in firewall rules, we need to:"
+
+#: ../../configexamples/fwall-and-vrf.rst:112
+msgid "And finally, we need to allow input connections to the router itself only from vrf MGMT:"
+msgstr "And finally, we need to allow input connections to the router itself only from vrf MGMT:"
+
+#: ../../configexamples/fwall-and-bridge.rst:292
+msgid "And for traffic that is going to other local networks, and to he Internet, we need to use the base chain ``forward``. As in the bridge firewall, we are going to use custom rulesets for each bridge, that would be used in the ``forward`` chain. Those rulesets are ``ip-br1-fwd`` and ``ip-br2-fwd``:"
+msgstr "And for traffic that is going to other local networks, and to he Internet, we need to use the base chain ``forward``. As in the bridge firewall, we are going to use custom rulesets for each bridge, that would be used in the ``forward`` chain. Those rulesets are ``ip-br1-fwd`` and ``ip-br2-fwd``:"
+
 #: ../../configexamples/autotest/Wireguard/Wireguard.rst:99
 msgid "And ping the Branch PC from your central router to check the response."
 msgstr "And ping the Branch PC from your central router to check the response."
@@ -450,10 +535,23 @@ msgstr "And ping the Branch PC from your central router to check the response."
 msgid "And show all DHCP Leases"
 msgstr "And show all DHCP Leases"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:132
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:140
 msgid "And the ``client`` to receive an IPv6 address with stateless autoconfig."
 msgstr "And the ``client`` to receive an IPv6 address with stateless autoconfig."
 
+#: ../../configexamples/fwall-and-bridge.rst:202
+#: ../../configexamples/fwall-and-bridge.rst:321
+msgid "And the content of the custom rulesets:"
+msgstr "And the content of the custom rulesets:"
+
+#: ../../configexamples/fwall-and-bridge.rst:132
+msgid "And then create the custom rulesets:"
+msgstr "And then create the custom rulesets:"
+
+#: ../../configexamples/fwall-and-bridge.rst:364
+msgid "And with operational mode commands, we can check rules matchers, actions, and counters."
+msgstr "And with operational mode commands, we can check rules matchers, actions, and counters."
+
 #: ../../configexamples/autotest/DHCPRelay_through_GRE/DHCPRelay_through_GRE.rst:-1
 #: ../../configexamples/autotest/Wireguard/Wireguard.rst:-1
 msgid "Ansible Example topology image"
@@ -475,10 +573,22 @@ msgstr "Appendix-A"
 msgid "Appendix-B"
 msgstr "Appendix-B"
 
+#: ../../configexamples/fwall-and-bridge.rst:265
+msgid "As a reminder, here's a link to the :doc:`firewall documentation </configuration/firewall/index>`, where you can find more information about the packet flow for traffic that comes from bridge layer and should be analized by the IP firewall."
+msgstr "As a reminder, here's a link to the :doc:`firewall documentation </configuration/firewall/index>`, where you can find more information about the packet flow for traffic that comes from bridge layer and should be analized by the IP firewall."
+
 #: ../../configexamples/ha.rst:500
 msgid "As a reminder, only advertise routes that you are the default router for. This is why we are NOT announcing the 192.0.2.0/24 network, because if that was announced into OSPF, the other routers would try to connect to that network over a tunnel that connects to that network!"
 msgstr "As a reminder, only advertise routes that you are the default router for. This is why we are NOT announcing the 192.0.2.0/24 network, because if that was announced into OSPF, the other routers would try to connect to that network over a tunnel that connects to that network!"
 
+#: ../../configexamples/fwall-and-vrf.rst:16
+msgid "As exposed in the diagram, there are four VRFs. These VRFs are ``MGMT``, ``WAN``, ``LAN`` and ``PROD``, and their requirements are:"
+msgstr "As exposed in the diagram, there are four VRFs. These VRFs are ``MGMT``, ``WAN``, ``LAN`` and ``PROD``, and their requirements are:"
+
+#: ../../configexamples/fwall-and-bridge.rst:107
+msgid "As said before, we are going to create custom firewall rulesets for each bridge, that will be used in the ``prerouting`` chain, in order to drop as much unwanted traffic as early as possible. So, custom rulesets used in ``prerouting`` chain are going to be ``br0-pre``, ``br1-pre``, and ``br2-pre``:"
+msgstr "As said before, we are going to create custom firewall rulesets for each bridge, that will be used in the ``prerouting`` chain, in order to drop as much unwanted traffic as early as possible. So, custom rulesets used in ``prerouting`` chain are going to be ``br0-pre``, ``br1-pre``, and ``br2-pre``:"
+
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:853
 msgid "As we can see even if both VRF LAN1 and LAN2 has the same import RTs we are able to select which routes are effectively imported and installed."
 msgstr "As we can see even if both VRF LAN1 and LAN2 has the same import RTs we are able to select which routes are effectively imported and installed."
@@ -503,7 +613,7 @@ msgstr "As we see shaper is working and the traffic will not work over 5 Mbit/s.
 msgid "Assign external IP addresses"
 msgstr "Assign external IP addresses"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:74
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:82
 msgid "Assuming the pings are successful, you need to add some DNS servers. Some options:"
 msgstr "Assuming the pings are successful, you need to add some DNS servers. Some options:"
 
@@ -523,7 +633,7 @@ msgstr "At this point, you should be able to SSH into both of them, and will no
 msgid "At this point, you should be able to see both IP addresses when you run ``show interfaces``\\ , and ``show vrrp`` should show both interfaces in MASTER state (and SLAVE state on router2)."
 msgstr "At this point, you should be able to see both IP addresses when you run ``show interfaces``\\ , and ``show vrrp`` should show both interfaces in MASTER state (and SLAVE state on router2)."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:102
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:110
 msgid "At this point, your VyOS install should have full IPv6, but now your LAN devices need access."
 msgstr "At this point, your VyOS install should have full IPv6, but now your LAN devices need access."
 
@@ -617,7 +727,35 @@ msgstr "Both LANs have to be able to route between each other, both will have ma
 msgid "Branch"
 msgstr "Branch"
 
-#: ../../configexamples/zone-policy.rst:151
+#: ../../configexamples/fwall-and-bridge.rst:4
+msgid "Bridge and firewall example"
+msgstr "Bridge and firewall example"
+
+#: ../../configexamples/fwall-and-bridge.rst:17
+msgid "Bridge br0:"
+msgstr "Bridge br0:"
+
+#: ../../configexamples/fwall-and-bridge.rst:27
+msgid "Bridge br1:"
+msgstr "Bridge br1:"
+
+#: ../../configexamples/fwall-and-bridge.rst:37
+msgid "Bridge br2:"
+msgstr "Bridge br2:"
+
+#: ../../configexamples/fwall-and-bridge.rst:75
+msgid "Bridge firewall configuration"
+msgstr "Bridge firewall configuration"
+
+#: ../../configexamples/fwall-and-bridge.rst:367
+msgid "Bridge firewall rulset:"
+msgstr "Bridge firewall rulset:"
+
+#: ../../configexamples/fwall-and-bridge.rst:43
+msgid "Bridges and interfaces configuration"
+msgstr "Bridges and interfaces configuration"
+
+#: ../../configexamples/zone-policy.rst:141
 msgid "By default, iptables does not allow traffic for established sessions to return, so you must explicitly allow this. I do this by adding two rules to every ruleset. 1 allows established and related state packets through and rule 2 drops and logs invalid state packets. We place the established/related rule at the top because the vast majority of traffic on a network is established and the invalid rule to prevent invalid state packets from mistakenly being matched against other rules. Having the most matched rule listed first reduces CPU load in high volume environments. Note: I have filed a bug to have this added as a default action as well."
 msgstr "By default, iptables does not allow traffic for established sessions to return, so you must explicitly allow this. I do this by adding two rules to every ruleset. 1 allows established and related state packets through and rule 2 drops and logs invalid state packets. We place the established/related rule at the top because the vast majority of traffic on a network is established and the invalid rule to prevent invalid state packets from mistakenly being matched against other rules. Having the most matched rule listed first reduces CPU load in high volume environments. Note: I have filed a bug to have this added as a default action as well."
 
@@ -704,6 +842,8 @@ msgstr "Conclusions"
 #: ../../configexamples/autotest/Wireguard/Wireguard.rst:25
 #: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:37
 #: ../../configexamples/bgp-ipv6-unnumbered.rst:12
+#: ../../configexamples/fwall-and-bridge.rst:40
+#: ../../configexamples/fwall-and-vrf.rst:32
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:139
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:231
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:290
@@ -754,6 +894,14 @@ msgstr "Configuration of basic firewall in one site, in order to:"
 msgid "Configurations"
 msgstr "Configurations"
 
+#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:40
+msgid "Configure VyOS as OpenVPN Server"
+msgstr "Configure VyOS as OpenVPN Server"
+
+#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:253
+msgid "Configure VyOS as client"
+msgstr "Configure VyOS as client"
+
 #: ../../configexamples/ha.rst:358
 msgid "Configure Wireguard"
 msgstr "Configure Wireguard"
@@ -882,14 +1030,22 @@ msgstr "DHCP Relay trough GRE-Bridge"
 msgid "DHCPv6-PD Setup"
 msgstr "DHCPv6-PD Setup"
 
-#: ../../configexamples/zone-policy.rst:374
+#: ../../configexamples/zone-policy.rst:364
 msgid "DMZ-LAN policy is LAN-DMZ. You can get a rhythm to it when you build out a bunch at one time."
 msgstr "DMZ-LAN policy is LAN-DMZ. You can get a rhythm to it when you build out a bunch at one time."
 
-#: ../../configexamples/zone-policy.rst:49
+#: ../../configexamples/zone-policy.rst:39
 msgid "DMZ cannot access LAN resources."
 msgstr "DMZ cannot access LAN resources."
 
+#: ../../configexamples/fwall-and-bridge.rst:35
+msgid "Deny access to the router."
+msgstr "Deny access to the router."
+
+#: ../../configexamples/fwall-and-vrf.rst:21
+msgid "Deny connections to internet(WAN)."
+msgstr "Deny connections to internet(WAN)."
+
 #: ../../configexamples/ha.rst:18
 msgid "Design"
 msgstr "Design"
@@ -902,6 +1058,27 @@ msgstr "Device-A"
 msgid "Device-B"
 msgstr "Device-B"
 
+#: ../../configexamples/fwall-and-vrf.rst:9
+msgid "Diagram used in this example:"
+msgstr "Diagram used in this example:"
+
+#: ../../configexamples/fwall-and-bridge.rst:20
+msgid "Drop all DHCP discover packets."
+msgstr "Drop all DHCP discover packets."
+
+#: ../../configexamples/fwall-and-bridge.rst:24
+#: ../../configexamples/fwall-and-bridge.rst:34
+msgid "Drop all IPv6 connections."
+msgstr "Drop all IPv6 connections."
+
+#: ../../configexamples/fwall-and-bridge.rst:23
+msgid "Drop all other IPv4 connections."
+msgstr "Drop all other IPv4 connections."
+
+#: ../../configexamples/fwall-and-bridge.rst:27
+msgid "Drop connections to other LANs."
+msgstr "Drop connections to other LANs."
+
 #: ../../configexamples/ha.rst:514
 msgid "Duplicate configuration"
 msgstr "Duplicate configuration"
@@ -914,7 +1091,7 @@ msgstr "During address configuration, in addition to assigning an address to the
 msgid "Dynamic routing used between CE and PE nodes and eBGP peering established for the route exchanging between them. All routes received by PEs are then exported to L3VPN and delivered from Spoke sites to Hub and vise-versa based on previously configured L3VPN parameters."
 msgstr "Dynamic routing used between CE and PE nodes and eBGP peering established for the route exchanging between them. All routes received by PEs are then exported to L3VPN and delivered from Spoke sites to Hub and vise-versa based on previously configured L3VPN parameters."
 
-#: ../../configexamples/zone-policy.rst:91
+#: ../../configexamples/zone-policy.rst:81
 msgid "Each interface is assigned to a zone. The interface can be physical or virtual such as tunnels (VPN, PPTP, GRE, etc) and are treated exactly the same."
 msgstr "Each interface is assigned to a zone. The interface can be physical or virtual such as tunnels (VPN, PPTP, GRE, etc) and are treated exactly the same."
 
@@ -939,10 +1116,14 @@ msgstr "Enable SSH"
 msgid "Enable SSH so you can now SSH into the routers, rather than using the console."
 msgstr "Enable SSH so you can now SSH into the routers, rather than using the console."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:140
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:148
 msgid "Enables router advertisements. This is an IPv6 alternative for DHCP (though DHCPv6 can still be used). With RAs, Your devices will automatically find the information they need for routing and DNS."
 msgstr "Enables router advertisements. This is an IPv6 alternative for DHCP (though DHCPv6 can still be used). With RAs, Your devices will automatically find the information they need for routing and DNS."
 
+#: ../../configexamples/zone-policy.rst:243
+msgid "Even if the two zones will never communicate, it is a good idea to create the zone-pair-direction rulesets and set default-log. This will allow you to log attempts to access the networks. Without it, you will never see the connection attempts."
+msgstr "Even if the two zones will never communicate, it is a good idea to create the zone-pair-direction rulesets and set default-log. This will allow you to log attempts to access the networks. Without it, you will never see the connection attempts."
+
 #: ../../configexamples/zone-policy.rst:253
 msgid "Even if the two zones will never communicate, it is a good idea to create the zone-pair-direction rulesets and set enable-default-log. This will allow you to log attempts to access the networks. Without it, you will never see the connection attempts."
 msgstr "Even if the two zones will never communicate, it is a good idea to create the zone-pair-direction rulesets and set enable-default-log. This will allow you to log attempts to access the networks. Without it, you will never see the connection attempts."
@@ -992,7 +1173,11 @@ msgstr "Example Network"
 msgid "Fill ``password`` and ``user`` with the credential provided by your ISP."
 msgstr "Fill ``password`` and ``user`` with the credential provided by your ISP."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:202
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:210
+msgid "Finally, don't forget the :ref:`Firewall<configuration/firewall/index:Firewall>`. The usage is identical, except for instead of `set firewall name NAME`, you would use `set firewall ipv6-name NAME`."
+msgstr "Finally, don't forget the :ref:`Firewall<configuration/firewall/index:Firewall>`. The usage is identical, except for instead of `set firewall name NAME`, you would use `set firewall ipv6-name NAME`."
+
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:210
 msgid "Finally, don't forget the :ref:`firewall`. The usage is identical, except for instead of `set firewall name NAME`, you would use `set firewall ipv6-name NAME`."
 msgstr "Finally, don't forget the :ref:`firewall`. The usage is identical, except for instead of `set firewall name NAME`, you would use `set firewall ipv6-name NAME`."
 
@@ -1000,7 +1185,7 @@ msgstr "Finally, don't forget the :ref:`firewall`. The usage is identical, excep
 msgid "Finally, let’s check the reachability between CEs:"
 msgstr "Finally, let’s check the reachability between CEs:"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:200
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:208
 msgid "Firewall"
 msgstr "Firewall"
 
@@ -1008,6 +1193,10 @@ msgstr "Firewall"
 msgid "Firewall Configuration:"
 msgstr "Firewall Configuration:"
 
+#: ../../configexamples/firewall.rst:4
+msgid "Firewall Examples"
+msgstr "Firewall Examples"
+
 #: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:39
 msgid "First, we configure the ``vyos-wan`` interface to get a DHCP address."
 msgstr "First, we configure the ``vyos-wan`` interface to get a DHCP address."
@@ -1016,6 +1205,14 @@ msgstr "First, we configure the ``vyos-wan`` interface to get a DHCP address."
 msgid "First, we configure the transport network and the Tunnel interface."
 msgstr "First, we configure the transport network and the Tunnel interface."
 
+#: ../../configexamples/fwall-and-vrf.rst:34
+msgid "First, we need to configure the interfaces and VRFs:"
+msgstr "First, we need to configure the interfaces and VRFs:"
+
+#: ../../configexamples/fwall-and-bridge.rst:45
+msgid "First, we need to configure the interfaces and bridges:"
+msgstr "First, we need to configure the interfaces and bridges:"
+
 #: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:44
 msgid "First a CA, a signed server and client ceftificate and a Diffie-Hellman parameter musst be generated and installed. Please look :ref:`here <configuration/pki/index:pki>` for more information."
 msgstr "First a CA, a signed server and client ceftificate and a Diffie-Hellman parameter musst be generated and installed. Please look :ref:`here <configuration/pki/index:pki>` for more information."
@@ -1024,14 +1221,30 @@ msgstr "First a CA, a signed server and client ceftificate and a Diffie-Hellman
 msgid "First prepare our VyOS router for connection to NMP. We have to set up the SNMP protocol and connectivity between the router and NMP."
 msgstr "First prepare our VyOS router for connection to NMP. We have to set up the SNMP protocol and connectivity between the router and NMP."
 
+#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:56
+msgid "First the CA"
+msgstr "First the CA"
+
 #: ../../configexamples/site-2-site-cisco.rst:9
 msgid "FlexVPN is a newer \"solution\" for deployment of VPNs and it utilizes IKEv2 as the key exchange protocol. The result is a flexible and scalable VPN solution that can be easily adapted to fit various network needs. It can also support a variety of encryption methods, including AES and 3DES."
 msgstr "FlexVPN is a newer \"solution\" for deployment of VPNs and it utilizes IKEv2 as the key exchange protocol. The result is a flexible and scalable VPN solution that can be easily adapted to fit various network needs. It can also support a variety of encryption methods, including AES and 3DES."
 
+#: ../../configexamples/fwall-and-vrf.rst:75
+msgid "For **inbound-interface**: use the interface name with the VRF name, like ``MGMT`` or ``LAN``."
+msgstr "For **inbound-interface**: use the interface name with the VRF name, like ``MGMT`` or ``LAN``."
+
+#: ../../configexamples/fwall-and-vrf.rst:77
+msgid "For **outbound-interface**: use the interface name, like ``eth0``, ``vtun0``, ``eth2*`` or similar."
+msgstr "For **outbound-interface**: use the interface name, like ``eth0``, ``vtun0``, ``eth2*`` or similar."
+
 #: ../../configexamples/ha.rst:60
 msgid "For connection between sites, we are running a WireGuard link to two REMOTE routers and using OSPF over those links to distribute routes. That remote site is expected to send traffic from anything in 10.201.0.0/16"
 msgstr "For connection between sites, we are running a WireGuard link to two REMOTE routers and using OSPF over those links to distribute routes. That remote site is expected to send traffic from anything in 10.201.0.0/16"
 
+#: ../../configexamples/fwall-and-bridge.rst:352
+msgid "For example, while a host tries to get an IP address from a DHCP server in br1 all DHCP discover are dropped, and in br2, we can see that DHCP offers from untrusted servers are dropped:"
+msgstr "For example, while a host tries to get an IP address from a DHCP server in br1 all DHCP discover are dropped, and in br2, we can see that DHCP offers from untrusted servers are dropped:"
+
 #: ../../configexamples/pppoe-ipv6-basic.rst:56
 msgid "For home network users, most of time ISP only provides /64 prefix, hence there is no need to set SLA ID and prefix length. See :ref:`pppoe-interface` for more information."
 msgstr "For home network users, most of time ISP only provides /64 prefix, hence there is no need to set SLA ID and prefix length. See :ref:`pppoe-interface` for more information."
@@ -1096,7 +1309,7 @@ msgstr "Hardware"
 msgid "Hardware Router - Port 8 of each switch"
 msgstr "Hardware Router - Port 8 of each switch"
 
-#: ../../configexamples/zone-policy.rst:282
+#: ../../configexamples/zone-policy.rst:272
 msgid "Here is an example of an IPv6 DMZ-WAN ruleset."
 msgstr "Here is an example of an IPv6 DMZ-WAN ruleset."
 
@@ -1136,6 +1349,10 @@ msgstr "IPSec configuration:"
 msgid "IP Schema"
 msgstr "IP Schema"
 
+#: ../../configexamples/fwall-and-bridge.rst:258
+msgid "IP firewall configuration"
+msgstr "IP firewall configuration"
+
 #: ../../configexamples/site-2-site-cisco.rst:34
 msgid "IPsec:"
 msgstr "IPsec:"
@@ -1144,11 +1361,15 @@ msgstr "IPsec:"
 msgid "IPv4 Network"
 msgstr "IPv4 Network"
 
+#: ../../configexamples/fwall-and-bridge.rst:451
+msgid "IPv4 firewall rulset:"
+msgstr "IPv4 firewall rulset:"
+
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:85
 msgid "IPv6 Network"
 msgstr "IPv6 Network"
 
-#: ../../configexamples/zone-policy.rst:383
+#: ../../configexamples/zone-policy.rst:373
 msgid "IPv6 Tunnel"
 msgstr "IPv6 Tunnel"
 
@@ -1169,11 +1390,11 @@ msgstr "ISP"
 msgid "I chose to run OSPF as the IGP (Interior Gateway Protocol). All required BGP sessions are established via a dummy interfaces (similar to the loopback, but in Linux you can have only one loopback, while there can be many dummy interfaces) on the PE routers. In case of a link failure, traffic is diverted in the other direction in this triangle setup and BGP sessions will not go down. One could even enable BFD (Bidirectional Forwarding Detection) on the links for a faster failover and resilience in the network."
 msgstr "I chose to run OSPF as the IGP (Interior Gateway Protocol). All required BGP sessions are established via a dummy interfaces (similar to the loopback, but in Linux you can have only one loopback, while there can be many dummy interfaces) on the PE routers. In case of a link failure, traffic is diverted in the other direction in this triangle setup and BGP sessions will not go down. One could even enable BFD (Bidirectional Forwarding Detection) on the links for a faster failover and resilience in the network."
 
-#: ../../configexamples/zone-policy.rst:171
+#: ../../configexamples/zone-policy.rst:161
 msgid "I create/configure the interfaces first. Build out the rulesets for each zone-pair-direction which includes at least the three state rules. Then I setup the zone-policies."
 msgstr "I create/configure the interfaces first. Build out the rulesets for each zone-pair-direction which includes at least the three state rules. Then I setup the zone-policies."
 
-#: ../../configexamples/zone-policy.rst:100
+#: ../../configexamples/zone-policy.rst:90
 msgid "I name rule sets to indicate which zone-pair-direction they represent. eg. ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN."
 msgstr "I name rule sets to indicate which zone-pair-direction they represent. eg. ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN."
 
@@ -1185,10 +1406,18 @@ msgstr "I named the customers blue, red and green which is common practice in VR
 msgid "I spun up a new lab in EVE-NG, which represents this as the \"Foo Bar - Service Provider Inc.\" that has 3 points of presence (PoP) in random datacenters/sites named PE1, PE2, and PE3. Each PoP aggregates at least two customers."
 msgstr "I spun up a new lab in EVE-NG, which represents this as the \"Foo Bar - Service Provider Inc.\" that has 3 points of presence (PoP) in random datacenters/sites named PE1, PE2, and PE3. Each PoP aggregates at least two customers."
 
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:54
+msgid "If `source-address` is  dynamic, the tunnel will cease working once the address changes. To avoid having to manually update `source-address` each time the dynamic IP changes, an address of '0.0.0.0' can be specified."
+msgstr "If `source-address` is  dynamic, the tunnel will cease working once the address changes. To avoid having to manually update `source-address` each time the dynamic IP changes, an address of '0.0.0.0' can be specified."
+
 #: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:256
 msgid "If the client is connect successfully you can check the output with"
 msgstr "If the client is connect successfully you can check the output with"
 
+#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:272
+msgid "If the client is connected successfully you can check the status"
+msgstr "If the client is connected successfully you can check the status"
+
 #: ../../configexamples/autotest/L3VPN_EVPN/L3VPN_EVPN.rst:236
 msgid "If we need to retrieve information about a specific host/network inside the EVPN network we need to run"
 msgstr "If we need to retrieve information about a specific host/network inside the EVPN network we need to run"
@@ -1197,7 +1426,7 @@ msgstr "If we need to retrieve information about a specific host/network inside
 msgid "If you are following through this document, it is strongly suggested you complete the entire document, ONLY doing the virtual router1 steps, and then come back and walk through it AGAIN on the backup hardware router."
 msgstr "If you are following through this document, it is strongly suggested you complete the entire document, ONLY doing the virtual router1 steps, and then come back and walk through it AGAIN on the backup hardware router."
 
-#: ../../configexamples/zone-policy.rst:385
+#: ../../configexamples/zone-policy.rst:375
 msgid "If you are using a IPv6 tunnel from HE.net or someone else, the basis is the same except you have two WAN interfaces. One for v4 and one for v6."
 msgstr "If you are using a IPv6 tunnel from HE.net or someone else, the basis is the same except you have two WAN interfaces. One for v4 and one for v6."
 
@@ -1205,7 +1434,7 @@ msgstr "If you are using a IPv6 tunnel from HE.net or someone else, the basis is
 msgid "If you use a routing protocol itself, you solve two problems at once. This is only a basic example, and is provided as a starting point."
 msgstr "If you use a routing protocol itself, you solve two problems at once. This is only a basic example, and is provided as a starting point."
 
-#: ../../configexamples/zone-policy.rst:110
+#: ../../configexamples/zone-policy.rst:100
 msgid "If your computer is on the LAN and you need to SSH into your VyOS box, you would need a rule to allow it in the LAN-Local ruleset. If you want to access a webpage from your VyOS box, you need a rule to allow it in the Local-LAN ruleset."
 msgstr "If your computer is on the LAN and you need to SSH into your VyOS box, you would need a rule to allow it in the LAN-Local ruleset. If you want to access a webpage from your VyOS box, you need a rule to allow it in the Local-LAN ruleset."
 
@@ -1213,23 +1442,23 @@ msgstr "If your computer is on the LAN and you need to SSH into your VyOS box, y
 msgid "Image name: vyos-1.4-rolling-202110310317-amd64.iso"
 msgstr "Image name: vyos-1.4-rolling-202110310317-amd64.iso"
 
-#: ../../configexamples/zone-policy.rst:103
+#: ../../configexamples/zone-policy.rst:93
 msgid "In VyOS, you have to have unique Ruleset names. In the event of overlap, I add a \"-6\" to the end of v6 rulesets. eg. LAN-DMZ, LAN-DMZ-6. This allows for each auto-completion and uniqueness."
 msgstr "In VyOS, you have to have unique Ruleset names. In the event of overlap, I add a \"-6\" to the end of v6 rulesets. eg. LAN-DMZ, LAN-DMZ-6. This allows for each auto-completion and uniqueness."
 
-#: ../../configexamples/zone-policy.rst:167
+#: ../../configexamples/zone-policy.rst:157
 msgid "In VyOS you must have the interfaces created before you can apply it to the zone and the rulesets must be created prior to applying it to a zone-policy."
 msgstr "In VyOS you must have the interfaces created before you can apply it to the zone and the rulesets must be created prior to applying it to a zone-policy."
 
-#: ../../configexamples/zone-policy.rst:18
+#: ../../configexamples/zone-policy.rst:8
 msgid "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone <name>`` to ``firewall zone <name>``."
 msgstr "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone <name>`` to ``firewall zone <name>``."
 
-#: ../../configexamples/zone-policy.rst:115
+#: ../../configexamples/zone-policy.rst:105
 msgid "In rules, it is good to keep them named consistently. As the number of rules you have grows, the more consistency you have, the easier your life will be."
 msgstr "In rules, it is good to keep them named consistently. As the number of rules you have grows, the more consistency you have, the easier your life will be."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:176
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:184
 msgid "In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff (1-65535)."
 msgstr "In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff (1-65535)."
 
@@ -1245,7 +1474,7 @@ msgstr "In the end, we will configure the traffic shaper using QoS mechanisms on
 msgid "In the end, you'll get a powerful instrument for monitoring the VyOS systems."
 msgstr "In the end, you'll get a powerful instrument for monitoring the VyOS systems."
 
-#: ../../configexamples/zone-policy.rst:377
+#: ../../configexamples/zone-policy.rst:367
 msgid "In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is."
 msgstr "In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is."
 
@@ -1265,7 +1494,7 @@ msgstr "In this case, the hardware router has a different IP, so it would be"
 msgid "In this case, we'll try to make a simple lab using QoS and the general ability of the VyOS system. We recommend you to go through the main article about `QoS <https://docs.vyos.io/en/latest/configuration/trafficpolicy/index.html>`_ first."
 msgstr "In this case, we'll try to make a simple lab using QoS and the general ability of the VyOS system. We recommend you to go through the main article about `QoS <https://docs.vyos.io/en/latest/configuration/trafficpolicy/index.html>`_ first."
 
-#: ../../configexamples/zone-policy.rst:365
+#: ../../configexamples/zone-policy.rst:355
 msgid "In this case, we are setting the v6 ruleset that represents traffic sourced from the LAN, destined for the DMZ. Because the zone-policy firewall syntax is a little awkward, I keep it straight by thinking of it backwards."
 msgstr "In this case, we are setting the v6 ruleset that represents traffic sourced from the LAN, destined for the DMZ. Because the zone-policy firewall syntax is a little awkward, I keep it straight by thinking of it backwards."
 
@@ -1289,7 +1518,7 @@ msgstr "In this example OpenVPN will be setup with a client certificate and user
 msgid "In this example two LAN interfaces exist in different subnets instead of one like in the previous examples:"
 msgstr "In this example two LAN interfaces exist in different subnets instead of one like in the previous examples:"
 
-#: ../../configexamples/zone-policy.rst:107
+#: ../../configexamples/zone-policy.rst:97
 msgid "In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is the firewall itself."
 msgstr "In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is the firewall itself."
 
@@ -1301,7 +1530,11 @@ msgstr "In this example we use VyOS 1.5 as LNS and Cisco IOS as LAC. All users w
 msgid "In this lab we use Windows PPPoE client."
 msgstr "In this lab we use Windows PPPoE client."
 
-#: ../../configexamples/zone-policy.rst:50
+#: ../../configexamples/fwall-and-bridge.rst:77
+msgid "In this section, we are going to configure the firewall rules that will be used in bridge firewall, and will control the traffic within each bridge."
+msgstr "In this section, we are going to configure the firewall rules that will be used in bridge firewall, and will control the traffic within each bridge."
+
+#: ../../configexamples/zone-policy.rst:40
 msgid "Inbound WAN connect to DMZ host."
 msgstr "Inbound WAN connect to DMZ host."
 
@@ -1350,22 +1583,26 @@ msgstr "Internal Network"
 msgid "Internet"
 msgstr "Internet"
 
-#: ../../configexamples/zone-policy.rst:40
+#: ../../configexamples/zone-policy.rst:30
 msgid "Internet - 192.168.200.100 - TCP/25"
 msgstr "Internet - 192.168.200.100 - TCP/25"
 
-#: ../../configexamples/zone-policy.rst:39
+#: ../../configexamples/zone-policy.rst:29
 msgid "Internet - 192.168.200.100 - TCP/443"
 msgstr "Internet - 192.168.200.100 - TCP/443"
 
-#: ../../configexamples/zone-policy.rst:41
+#: ../../configexamples/zone-policy.rst:31
 msgid "Internet - 192.168.200.100 - TCP/53"
 msgstr "Internet - 192.168.200.100 - TCP/53"
 
-#: ../../configexamples/zone-policy.rst:38
+#: ../../configexamples/zone-policy.rst:28
 msgid "Internet - 192.168.200.100 - TCP/80"
 msgstr "Internet - 192.168.200.100 - TCP/80"
 
+#: ../../configexamples/fwall-and-bridge.rst:16
+msgid "Isolated layer 2 bridge."
+msgstr "Isolated layer 2 bridge."
+
 #: ../../configexamples/autotest/L3VPN_EVPN/L3VPN_EVPN.rst:79
 msgid "It's important to note that all your existing configurations will be migrated automatically on image upgrade. Nothing to do on your side."
 msgstr "It's important to note that all your existing configurations will be migrated automatically on image upgrade. Nothing to do on your side."
@@ -1374,11 +1611,11 @@ msgstr "It's important to note that all your existing configurations will be mig
 msgid "It is assumed that the routers provided by upstream are capable of acting as a default router, add that as a static route."
 msgstr "It is assumed that the routers provided by upstream are capable of acting as a default router, add that as a static route."
 
-#: ../../configexamples/zone-policy.rst:140
+#: ../../configexamples/zone-policy.rst:130
 msgid "It is good practice to log both accepted and denied traffic. It can save you significant headaches when trying to troubleshoot a connectivity issue."
 msgstr "It is good practice to log both accepted and denied traffic. It can save you significant headaches when trying to troubleshoot a connectivity issue."
 
-#: ../../configexamples/zone-policy.rst:60
+#: ../../configexamples/zone-policy.rst:50
 msgid "It will look something like this:"
 msgstr "It will look something like this:"
 
@@ -1406,7 +1643,7 @@ msgstr "L3VPN for Hub-and-Spoke connectivity with VyOS"
 msgid "LAC"
 msgstr "LAC"
 
-#: ../../configexamples/zone-policy.rst:392
+#: ../../configexamples/zone-policy.rst:382
 msgid "LAN, WAN, DMZ, local and TUN (tunnel)"
 msgstr "LAN, WAN, DMZ, local and TUN (tunnel)"
 
@@ -1438,15 +1675,15 @@ msgstr "LAN 1"
 msgid "LAN 2"
 msgstr "LAN 2"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:100
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:108
 msgid "LAN Configuration"
 msgstr "LAN Configuration"
 
-#: ../../configexamples/zone-policy.rst:47
+#: ../../configexamples/zone-policy.rst:37
 msgid "LAN and DMZ hosts have basic outbound access: Web, FTP, SSH."
 msgstr "LAN and DMZ hosts have basic outbound access: Web, FTP, SSH."
 
-#: ../../configexamples/zone-policy.rst:48
+#: ../../configexamples/zone-policy.rst:38
 msgid "LAN can access DMZ resources."
 msgstr "LAN can access DMZ resources."
 
@@ -1501,7 +1738,7 @@ msgstr "Many other Hypervisors do this, and I'm hoping that this document will b
 msgid "Masquerade Traffic originating from 10.200.201.0/24 that is heading out the public interface."
 msgstr "Masquerade Traffic originating from 10.200.201.0/24 that is heading out the public interface."
 
-#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:254
+#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:270
 #: ../../configexamples/lac-lns.rst:106
 msgid "Monitoring"
 msgstr "Monitoring"
@@ -1518,7 +1755,7 @@ msgstr "Monitoring on LNS side"
 msgid "Monitoring on RADIUS Server side"
 msgstr "Monitoring on RADIUS Server side"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:162
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:170
 msgid "Multiple LAN/DMZ Setup"
 msgstr "Multiple LAN/DMZ Setup"
 
@@ -1530,7 +1767,7 @@ msgstr "NAT and conntrack-sync"
 msgid "NMP example"
 msgstr "NMP example"
 
-#: ../../configexamples/zone-policy.rst:23
+#: ../../configexamples/zone-policy.rst:13
 msgid "Native IPv4 and IPv6"
 msgstr "Native IPv4 and IPv6"
 
@@ -1544,6 +1781,7 @@ msgid "Network Topology"
 msgstr "Network Topology"
 
 #: ../../configexamples/ansible.rst:-1
+#: ../../configexamples/fwall-and-vrf.rst:-1
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:-1
 #: ../../configexamples/l3vpn-hub-and-spoke.rst:-1
 #: ../../configexamples/lac-lns.rst:-1
@@ -1559,6 +1797,10 @@ msgstr "Network Topology Diagram"
 msgid "Network Topology and requirements"
 msgstr "Network Topology and requirements"
 
+#: ../../configexamples/fwall-and-vrf.rst:80
+msgid "Next, we need to configure the firewall rules. First we will define all rules for transit traffic between VRFs."
+msgstr "Next, we need to configure the firewall rules. First we will define all rules for transit traffic between VRFs."
+
 #: ../../configexamples/qos.rst:31
 msgid "Next, we will replace only all CS4 labels on the “VyOS2” router."
 msgstr "Next, we will replace only all CS4 labels on the “VyOS2” router."
@@ -1587,10 +1829,14 @@ msgstr "Note that router1 is a VM that runs on one of the compute nodes."
 msgid "Note to allow the router to receive DHCPv6 response from ISP. We need to allow packets with source port 547 (server) and destination port 546 (client)."
 msgstr "Note to allow the router to receive DHCPv6 response from ISP. We need to allow packets with source port 547 (server) and destination port 546 (client)."
 
-#: ../../configexamples/zone-policy.rst:411
+#: ../../configexamples/zone-policy.rst:401
 msgid "Notice, none go to WAN since WAN wouldn't have a v6 address on it."
 msgstr "Notice, none go to WAN since WAN wouldn't have a v6 address on it."
 
+#: ../../configexamples/fwall-and-bridge.rst:168
+msgid "Now, in the ``forward`` chain, we are going to define state policies, and custom rulesets for each bridge that would be used in the ``forward`` chain. These rulesets are ``br0-fwd``, ``br1-fwd``, and ``br2-fwd``:"
+msgstr "Now, in the ``forward`` chain, we are going to define state policies, and custom rulesets for each bridge that would be used in the ``forward`` chain. These rulesets are ``br0-fwd``, ``br1-fwd``, and ``br2-fwd``:"
+
 #: ../../configexamples/l3vpn-hub-and-spoke.rst:831
 msgid "Now, let’s check routing information on out Hub PE:"
 msgstr "Now, let’s check routing information on out Hub PE:"
@@ -1603,7 +1849,7 @@ msgstr "Now enable replication between nodes. Replace eth0.201 with bond0.201 on
 msgid "Now generate all required certificates on the ovpn-server:"
 msgstr "Now generate all required certificates on the ovpn-server:"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:144
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:152
 msgid "Now the Client is able to ping a public IPv6 address"
 msgstr "Now the Client is able to ping a public IPv6 address"
 
@@ -1619,7 +1865,7 @@ msgstr "Now we perform some end-to-end testing"
 msgid "Now we’re checking iBGP status and routes from route-reflector nodes to other devices:"
 msgstr "Now we’re checking iBGP status and routes from route-reflector nodes to other devices:"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:57
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:65
 msgid "Now you should be able to ping a public IPv6 Address"
 msgstr "Now you should be able to ping a public IPv6 Address"
 
@@ -1648,7 +1894,7 @@ msgstr "Once all routers can be safely remotely managed and the core network is
 msgid "Once all the required certificates and keys are installed, the remaining OpenVPN Server configuration can be carried out."
 msgstr "Once all the required certificates and keys are installed, the remaining OpenVPN Server configuration can be carried out."
 
-#: ../../configexamples/zone-policy.rst:355
+#: ../../configexamples/zone-policy.rst:345
 msgid "Once you have all of your rulesets built, then you need to create your zone-policy."
 msgstr "Once you have all of your rulesets built, then you need to create your zone-policy."
 
@@ -1676,6 +1922,10 @@ msgstr "One cable/logical connection between LAN2 and Internet"
 msgid "One cable/logical connection between LAN2 and Management"
 msgstr "One cable/logical connection between LAN2 and Management"
 
+#: ../../configexamples/fwall-and-vrf.rst:27
+msgid "Only accepts connections."
+msgstr "Only accepts connections."
+
 #: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:5
 msgid "OpenVPN with LDAP"
 msgstr "OpenVPN with LDAP"
@@ -1755,8 +2005,8 @@ msgstr "Ping the Client from the DHCP Server."
 msgid "Pings will be sent to four targets for health testing (33.44.55.66, 44.55.66.77, 55.66.77.88 and 66.77.88.99)."
 msgstr "Pings will be sent to four targets for health testing (33.44.55.66, 44.55.66.77, 55.66.77.88 and 66.77.88.99)."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:128
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:195
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:136
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:203
 msgid "Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default, 'valid-lifetime' and 'preferred-lifetime' are set to default values of 30 days and 4 hours respectively."
 msgstr "Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default, 'valid-lifetime' and 'preferred-lifetime' are set to default values of 30 days and 4 hours respectively."
 
@@ -1853,11 +2103,11 @@ msgstr "Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)"
 msgid "Route-Filtering"
 msgstr "Route-Filtering"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:110
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:118
 msgid "Routed /48. This is something you can request by clicking the \"Assign /48\" link in the Tunnelbroker.net tunnel config. It allows you to have up to 65k"
 msgstr "Routed /48. This is something you can request by clicking the \"Assign /48\" link in the Tunnelbroker.net tunnel config. It allows you to have up to 65k"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:107
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:115
 msgid "Routed /64. This is the default assignment. In IPv6-land, it's good for a single \"LAN\", and is somewhat equivalent to a /24."
 msgstr "Routed /64. This is the default assignment. In IPv6-land, it's good for a single \"LAN\", and is somewhat equivalent to a /24."
 
@@ -1883,10 +2133,15 @@ msgstr "Router B:"
 msgid "Router id's must be unique."
 msgstr "Router id's must be unique."
 
-#: ../../configexamples/zone-policy.rst:98
+#: ../../configexamples/zone-policy.rst:88
 msgid "Ruleset are created per zone-pair-direction."
 msgstr "Ruleset are created per zone-pair-direction."
 
+#: ../../configexamples/fwall-and-bridge.rst:7
+#: ../../configexamples/fwall-and-vrf.rst:5
+msgid "Scenario and requirements"
+msgstr "Scenario and requirements"
+
 #: ../../configexamples/segment-routing-isis.rst:7
 msgid "Segment-routing IS-IS example"
 msgstr "Segment-routing IS-IS example"
@@ -1919,7 +2174,7 @@ msgstr "Set the local subnet on eth2 and the public ip address eth1 on each site
 msgid "Set up bandwidth limits on the eth2 interface of the router “VyOS2”."
 msgstr "Set up bandwidth limits on the eth2 interface of the router “VyOS2”."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:139
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:147
 msgid "Sets your LAN interface's IP address"
 msgstr "Sets your LAN interface's IP address"
 
@@ -1931,6 +2186,10 @@ msgstr "Setting BGP global local-as as well inside the VRF. Redistribute static
 msgid "Setting up Ansible on a server running the Debian operating system."
 msgstr "Setting up Ansible on a server running the Debian operating system."
 
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:59
+msgid "Setup the IPv6 default route to the tunnel interface"
+msgstr "Setup the IPv6 default route to the tunnel interface"
+
 #: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:51
 msgid "Setup the ipv6 default route to the tunnel interface"
 msgstr "Setup the ipv6 default route to the tunnel interface"
@@ -1943,23 +2202,31 @@ msgstr "Show routes for all VRFs"
 msgid "Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 firewall in ipv6-name` or `et firewall zone LOCAL from WAN firewall ipv6-name`."
 msgstr "Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 firewall in ipv6-name` or `et firewall zone LOCAL from WAN firewall ipv6-name`."
 
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:214
+msgid "Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 firewall in ipv6-name` or `set firewall zone LOCAL from WAN firewall ipv6-name`."
+msgstr "Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 firewall in ipv6-name` or `set firewall zone LOCAL from WAN firewall ipv6-name`."
+
 #: ../../configexamples/pppoe-ipv6-basic.rst:78
 msgid "Since some ISPs disconnects continuous connection for every 2~3 days, we set ``valid-lifetime`` to 2 days to allow PC for phasing out old address."
 msgstr "Since some ISPs disconnects continuous connection for every 2~3 days, we set ``valid-lifetime`` to 2 days to allow PC for phasing out old address."
 
+#: ../../configexamples/fwall-and-bridge.rst:260
+msgid "Since some of the requirements listed above exceed the capabilities of the bridge firewall, we need to use the IP firewall to implement them. For bridge br1 and br2, we need to control the traffic that is going to the router itself, to other local networks, and to the Internet."
+msgstr "Since some of the requirements listed above exceed the capabilities of the bridge firewall, we need to use the IP firewall to implement them. For bridge br1 and br2, we need to control the traffic that is going to the router itself, to other local networks, and to the Internet."
+
 #: ../../configexamples/site-2-site-cisco.rst:128
 msgid "Since the tunnel is a point-to-point GRE tunnel, it behaves like any other point-to-point interface (for example: serial, dialer), and it is possible to run any Interior Gateway Protocol (IGP)/Exterior Gateway Protocol (EGP) over the link in order to exchange routing information"
 msgstr "Since the tunnel is a point-to-point GRE tunnel, it behaves like any other point-to-point interface (for example: serial, dialer), and it is possible to run any Interior Gateway Protocol (IGP)/Exterior Gateway Protocol (EGP) over the link in order to exchange routing information"
 
-#: ../../configexamples/zone-policy.rst:236
+#: ../../configexamples/zone-policy.rst:226
 msgid "Since we have 4 zones, we need to setup the following rulesets."
 msgstr "Since we have 4 zones, we need to setup the following rulesets."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:119
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:127
 msgid "Single LAN Setup"
 msgstr "Single LAN Setup"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:121
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:129
 msgid "Single LAN setup where eth2 is your LAN interface. Use the Tunnelbroker Routed /64 prefix:"
 msgstr "Single LAN setup where eth2 is your LAN interface. Use the Tunnelbroker Routed /64 prefix:"
 
@@ -1967,11 +2234,15 @@ msgstr "Single LAN setup where eth2 is your LAN interface. Use the Tunnelbroker
 msgid "Site-to-Site IPSec VPN to Cisco using FlexVPN"
 msgstr "Site-to-Site IPSec VPN to Cisco using FlexVPN"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:179
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:187
 msgid "So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:"
 msgstr "So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:"
 
-#: ../../configexamples/zone-policy.rst:416
+#: ../../configexamples/fwall-and-bridge.rst:87
+msgid "So first, let's create the required firewall interface groups:"
+msgstr "So first, let's create the required firewall interface groups:"
+
+#: ../../configexamples/zone-policy.rst:406
 msgid "Something like:"
 msgstr "Something like:"
 
@@ -1980,7 +2251,7 @@ msgstr "Something like:"
 msgid "Spoke"
 msgstr "Spoke"
 
-#: ../../configexamples/zone-policy.rst:358
+#: ../../configexamples/zone-policy.rst:348
 msgid "Start by setting the interface and default action for each zone."
 msgstr "Start by setting the interface and default action for each zone."
 
@@ -1992,6 +2263,10 @@ msgstr "Start the playbook:"
 msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
 msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
 
+#: ../../configexamples/zone-policy.rst:8
+msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
+msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
+
 #: ../../configexamples/l3vpn-hub-and-spoke.rst:105
 msgid "Step-1: Configuring IGP and enabling MPLS LDP"
 msgstr "Step-1: Configuring IGP and enabling MPLS LDP"
@@ -2074,7 +2349,7 @@ msgstr "Testing"
 msgid "Testing and debugging"
 msgstr "Testing and debugging"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:164
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:172
 msgid "That's how you can expand the example above. Use the `Routed /48` information. This allows you to assign a different /64 to every interface, LAN, or even device. Or you could break your network into smaller chunks like /56 or /60."
 msgstr "That's how you can expand the example above. Use the `Routed /48` information. This allows you to assign a different /64 to every interface, LAN, or even device. Or you could break your network into smaller chunks like /56 or /60."
 
@@ -2086,7 +2361,7 @@ msgstr "The Lab asume a full running Active Directory on the Windows Server. Her
 msgid "The Topology are consists of:"
 msgstr "The Topology are consists of:"
 
-#: ../../configexamples/zone-policy.rst:57
+#: ../../configexamples/zone-policy.rst:47
 msgid "The VyOS interface is assigned the .1/:1 address of their respective networks. WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30."
 msgstr "The VyOS interface is assigned the .1/:1 address of their respective networks. WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30."
 
@@ -2098,6 +2373,10 @@ msgstr "The ``commit`` command is implied after every section. If you make an er
 msgid "The ``redistribute ospf`` command is there purely as an example of how this can be expanded. In this walkthrough, it will be filtered by BGPOUT rule 10000, as it is not 203.0.113.0/24."
 msgstr "The ``redistribute ospf`` command is there purely as an example of how this can be expanded. In this walkthrough, it will be filtered by BGPOUT rule 10000, as it is not 203.0.113.0/24."
 
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:51
+msgid "The `source-address` is the Tunnelbroker client IPv4 address or if there is NAT the current WAN interface address."
+msgstr "The `source-address` is the Tunnelbroker client IPv4 address or if there is NAT the current WAN interface address."
+
 #: ../../configexamples/segment-routing-isis.rst:19
 msgid "The below configuration is used as example where we keep focus on VyOS-P1/VyOS-P2/XRv-P3 which we share the settings."
 msgstr "The below configuration is used as example where we keep focus on VyOS-P1/VyOS-P2/XRv-P3 which we share the settings."
@@ -2110,11 +2389,11 @@ msgstr "The configuration steps are the same as in the previous example, except
 msgid "The example topology has 2 VyOS routers. One as The WAN Router and on as a Client, to test a single LAN setup"
 msgstr "The example topology has 2 VyOS routers. One as The WAN Router and on as a Client, to test a single LAN setup"
 
-#: ../../configexamples/zone-policy.rst:133
+#: ../../configexamples/zone-policy.rst:123
 msgid "The first two rules are to deal with the idiosyncrasies of VyOS and iptables."
 msgstr "The first two rules are to deal with the idiosyncrasies of VyOS and iptables."
 
-#: ../../configexamples/zone-policy.rst:182
+#: ../../configexamples/zone-policy.rst:172
 msgid "The following are the rules that were created for this example (may not be complete), both in IPv4 and IPv6. If there is no IP specified, then the source/destination address is not explicit."
 msgstr "The following are the rules that were created for this example (may not be complete), both in IPv4 and IPv6. If there is no IP specified, then the source/destination address is not explicit."
 
@@ -2126,7 +2405,7 @@ msgstr "The following software was used in the creation of this document:"
 msgid "The following template configuration can be used in each remote router based in our topology."
 msgstr "The following template configuration can be used in each remote router based in our topology."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:169
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:177
 msgid "The format of these addresses:"
 msgstr "The format of these addresses:"
 
@@ -2134,6 +2413,10 @@ msgstr "The format of these addresses:"
 msgid "The lab I built is using a VRF (called **mgmt**) to provide out-of-band SSH access to the PE (Provider Edge) routers."
 msgstr "The lab I built is using a VRF (called **mgmt**) to provide out-of-band SSH access to the PE (Provider Edge) routers."
 
+#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:23
+msgid "The lab assumes a full running Active Directory on the Windows Server. Here are some PowerShell commands to quickly add a Test Active Directory."
+msgstr "The lab assumes a full running Active Directory on the Windows Server. Here are some PowerShell commands to quickly add a Test Active Directory."
+
 #: ../../configexamples/site-2-site-cisco.rst:14
 msgid "The lab was built using EVE-NG."
 msgstr "The lab was built using EVE-NG."
@@ -2206,7 +2489,11 @@ msgstr "They want us to establish a BGP session to their routers on 192.0.2.11 a
 msgid "This LAB show how to uwe OpenVPN with a Active Directory authentication backend."
 msgstr "This LAB show how to uwe OpenVPN with a Active Directory authentication backend."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:137
+#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:10
+msgid "This LAB shows how to use OpenVPN with a Active Directory authentication method."
+msgstr "This LAB shows how to use OpenVPN with a Active Directory authentication method."
+
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:145
 msgid "This accomplishes a few things:"
 msgstr "This accomplishes a few things:"
 
@@ -2215,6 +2502,10 @@ msgid "This chapter contains various configuration examples:"
 msgstr "This chapter contains various configuration examples:"
 
 #: ../../configexamples/policy-based-ipsec-and-firewall.rst:16
+msgid "This configuration example and the requirements consists of:"
+msgstr "This configuration example and the requirements consists of:"
+
+#: ../../configexamples/policy-based-ipsec-and-firewall.rst:16
 msgid "This configuration example and the requirments consists of:"
 msgstr "This configuration example and the requirments consists of:"
 
@@ -2242,6 +2533,14 @@ msgstr "This document walks you through a complete HA setup of two VyOS machines
 msgid "This ensures you don't go too fast or miss a step. However, it will make your life easier to configure the fixed IP address and default route now on the hardware router."
 msgstr "This ensures you don't go too fast or miss a step. However, it will make your life easier to configure the fixed IP address and default route now on the hardware router."
 
+#: ../../configexamples/fwall-and-vrf.rst:7
+msgid "This example shows how to configure a VyOS router with VRFs and firewall rules."
+msgstr "This example shows how to configure a VyOS router with VRFs and firewall rules."
+
+#: ../../configexamples/fwall-and-bridge.rst:9
+msgid "This example shows how to configure a VyOS router with bridge interfaces and firewall rules."
+msgstr "This example shows how to configure a VyOS router with bridge interfaces and firewall rules."
+
 #: ../../configexamples/wan-load-balancing.rst:70
 msgid "This example uses the failover mode."
 msgstr "This example uses the failover mode."
@@ -2282,7 +2581,7 @@ msgstr "This has a floating IP address of 10.200.201.1/24, using virtual router
 msgid "This has a floating IP address of 203.0.113.1/24, using virtual router ID 113. The virtual router ID is just a random number between 1 and 254, and can be set to whatever you want. Best practices suggest you try to keep them unique enterprise-wide."
 msgstr "This has a floating IP address of 203.0.113.1/24, using virtual router ID 113. The virtual router ID is just a random number between 1 and 254, and can be set to whatever you want. Best practices suggest you try to keep them unique enterprise-wide."
 
-#: ../../configexamples/zone-policy.rst:258
+#: ../../configexamples/zone-policy.rst:248
 msgid "This is an example of the three base rules."
 msgstr "This is an example of the three base rules."
 
@@ -2306,6 +2605,10 @@ msgstr "This is ignoring the extra Out-of-band management networking, which shou
 msgid "This scenario could be a nightmare applying regular routing and might need filtering in multiple interfaces."
 msgstr "This scenario could be a nightmare applying regular routing and might need filtering in multiple interfaces."
 
+#: ../../configexamples/firewall.rst:6
+msgid "This section contains examples of firewall configurations for various deployments."
+msgstr "This section contains examples of firewall configurations for various deployments."
+
 #: ../../configexamples/l3vpn-hub-and-spoke.rst:547
 msgid "This section describes verification commands for MPLS/BGP/LDP protocols and L3VPN related routes as well as diagnosis and reachability checks between CE nodes."
 msgstr "This section describes verification commands for MPLS/BGP/LDP protocols and L3VPN related routes as well as diagnosis and reachability checks between CE nodes."
@@ -2330,6 +2633,10 @@ msgstr "This simple structure shows how to configure a DHCP Relay over a GRE Bri
 msgid "This will be visible in 'show ip route'."
 msgstr "This will be visible in 'show ip route'."
 
+#: ../../configexamples/fwall-and-bridge.rst:12
+msgid "Three non VLAN-aware bridges are going to be configured, and each one has its own requirements."
+msgstr "Three non VLAN-aware bridges are going to be configured, and each one has its own requirements."
+
 #: ../../configexamples/autotest/L3VPN_EVPN/L3VPN_EVPN.rst:112
 msgid "Thus you can easily match it to one of the devices/networks below."
 msgstr "Thus you can easily match it to one of the devices/networks below."
@@ -2338,7 +2645,7 @@ msgstr "Thus you can easily match it to one of the devices/networks below."
 msgid "To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure, please contact your ISP for more information."
 msgstr "To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure, please contact your ISP for more information."
 
-#: ../../configexamples/zone-policy.rst:144
+#: ../../configexamples/zone-policy.rst:134
 msgid "To add logging to the default rule, do:"
 msgstr "To add logging to the default rule, do:"
 
@@ -2367,7 +2674,11 @@ msgstr "To reach the network, a route must be set on each VyOS host. In this str
 msgid "Topology"
 msgstr "Topology"
 
-#: ../../configexamples/zone-policy.rst:95
+#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:15
+msgid "Topology consists of:"
+msgstr "Topology consists of:"
+
+#: ../../configexamples/zone-policy.rst:85
 msgid "Traffic flows from zone A to zone B. That flow is what I refer to as a zone-pair-direction. eg. A->B and B->A are two zone-pair-destinations."
 msgstr "Traffic flows from zone A to zone B. That flow is what I refer to as a zone-pair-direction. eg. A->B and B->A are two zone-pair-destinations."
 
@@ -2391,7 +2702,7 @@ msgstr "Two VyOS routers with public IP address."
 msgid "Two rules will be created, the first rule directs traffic coming in from eth2 to eth0 and the second rule directs the traffic to eth1. If eth0 fails the first rule is bypassed and the second rule matches, directing traffic to eth1."
 msgstr "Two rules will be created, the first rule directs traffic coming in from eth2 to eth0 and the second rule directs the traffic to eth1. If eth0 fails the first rule is bypassed and the second rule matches, directing traffic to eth1."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:113
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:121
 msgid "Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. So if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore the assigned /64, and request the /48 and use that."
 msgstr "Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. So if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore the assigned /64, and request the /48 and use that."
 
@@ -2421,10 +2732,34 @@ msgstr "VMware: You must DISABLE SECURITY on this Port group. Make sure that ``P
 msgid "VRF"
 msgstr "VRF"
 
+#: ../../configexamples/fwall-and-vrf.rst:24
+msgid "VRF LAN:"
+msgstr "VRF LAN:"
+
+#: ../../configexamples/fwall-and-vrf.rst:21
+msgid "VRF MGMT:"
+msgstr "VRF MGMT:"
+
+#: ../../configexamples/fwall-and-vrf.rst:26
+msgid "VRF PROD:"
+msgstr "VRF PROD:"
+
+#: ../../configexamples/fwall-and-vrf.rst:29
+msgid "VRF WAN:"
+msgstr "VRF WAN:"
+
+#: ../../configexamples/fwall-and-vrf.rst:2
+msgid "VRF and firewall example"
+msgstr "VRF and firewall example"
+
 #: ../../configexamples/ha.rst:189
 msgid "VRRP Configuration"
 msgstr "VRRP Configuration"
 
+#: ../../configexamples/fwall-and-bridge.rst:347
+msgid "Validation"
+msgstr "Validation"
+
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:160
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:248
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:320
@@ -2555,7 +2890,7 @@ msgstr "VyOS-RR2:"
 msgid "VyOS 1.3 added initial support for VRFs (including IPv4/IPv6 static routing) and VyOS 1.4 now enables full dynamic routing protocol support for OSPF, IS-IS, and BGP for individual VRFs."
 msgstr "VyOS 1.3 added initial support for VRFs (including IPv4/IPv6 static routing) and VyOS 1.4 now enables full dynamic routing protocol support for OSPF, IS-IS, and BGP for individual VRFs."
 
-#: ../../configexamples/zone-policy.rst:42
+#: ../../configexamples/zone-policy.rst:32
 msgid "VyOS acts as DHCP, DNS forwarder, NAT, router and firewall."
 msgstr "VyOS acts as DHCP, DNS forwarder, NAT, router and firewall."
 
@@ -2608,6 +2943,10 @@ msgstr "Walkthrough suggestion"
 msgid "We are going to use 10.200.201.0/24 for an 'internal' network on VLAN201."
 msgstr "We are going to use 10.200.201.0/24 for an 'internal' network on VLAN201."
 
+#: ../../configexamples/fwall-and-bridge.rst:80
+msgid "We are going to use custom firewall rulesets, one for each bridge that will be used in ``prerouting``, and one for each bridge that will be used in the ``forward`` chain."
+msgstr "We are going to use custom firewall rulesets, one for each bridge that will be used in ``prerouting``, and one for each bridge that will be used in the ``forward`` chain."
+
 #: ../../configexamples/ha.rst:191
 msgid "We are setting up VRRP so that it does NOT fail back when a machine returns into service, and it prioritizes router1 over router2."
 msgstr "We are setting up VRRP so that it does NOT fail back when a machine returns into service, and it prioritizes router1 over router2."
@@ -2632,7 +2971,7 @@ msgstr "We have four hosts on the local network 172.17.1.0/24. All hosts are lab
 msgid "We have four pre-configured routers with this configuration:"
 msgstr "We have four pre-configured routers with this configuration:"
 
-#: ../../configexamples/zone-policy.rst:25
+#: ../../configexamples/zone-policy.rst:15
 msgid "We have three networks."
 msgstr "We have three networks."
 
@@ -2688,6 +3027,10 @@ msgstr "When you have both routers up, you should be able to establish a connect
 msgid "When you have enabled OSPF on both routers, you should be able to see each other with the command ``show ip ospf neighbour``. The state must be 'Full' or '2-Way'. If it is not, then there is a network connectivity issue between the hosts. This is often caused by NAT or MTU issues. You should not see any new routes (unless this is the second pass) in the output of ``show ip route``"
 msgstr "When you have enabled OSPF on both routers, you should be able to see each other with the command ``show ip ospf neighbour``. The state must be 'Full' or '2-Way'. If it is not, then there is a network connectivity issue between the hosts. This is often caused by NAT or MTU issues. You should not see any new routes (unless this is the second pass) in the output of ``show ip route``"
 
+#: ../../configexamples/fwall-and-bridge.rst:349
+msgid "While testing the configuration, we can check logs in order to ensure that we are accepting and/or blocking the correct traffic."
+msgstr "While testing the configuration, we can check logs in order to ensure that we are accepting and/or blocking the correct traffic."
+
 #: ../../configexamples/lac-lns.rst:-1
 msgid "Window PPPoE Client Configuration"
 msgstr "Window PPPoE Client Configuration"
@@ -2704,7 +3047,7 @@ msgstr "Wireguard"
 msgid "Wireguard doesn't have the concept of an up or down link, due to its design. This complicates AND simplifies using it for network transport, as for reliable state detection you need to use SOMETHING to detect when the link is down."
 msgstr "Wireguard doesn't have the concept of an up or down link, due to its design. This complicates AND simplifies using it for network transport, as for reliable state detection you need to use SOMETHING to detect when the link is down."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:105
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:113
 msgid "With Tunnelbroker.net, you have two options:"
 msgstr "With Tunnelbroker.net, you have two options:"
 
@@ -2716,6 +3059,10 @@ msgstr "With this command we are able to check the transport and customer label
 msgid "Within the VRF we set the Route-Distinguisher (RD) and Route-Targets (RT), then we enable the export/import VPN."
 msgstr "Within the VRF we set the Route-Distinguisher (RD) and Route-Targets (RT), then we enable the export/import VPN."
 
+#: ../../configexamples/fwall-and-bridge.rst:22
+msgid "Within the bridge, accept only new IPv4 connections from host 10.1.1.102"
+msgstr "Within the bridge, accept only new IPv4 connections from host 10.1.1.102"
+
 #: ../../configexamples/segment-routing-isis.rst:48
 msgid "XRv-P3:"
 msgstr "XRv-P3:"
@@ -2728,7 +3075,7 @@ msgstr "You managed to come this far, now we want to see the network and routing
 msgid "You should be able to ping to and from all the IPs you have allocated."
 msgstr "You should be able to ping to and from all the IPs you have allocated."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:81
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:89
 msgid "You should now be able to ping something by IPv6 DNS name:"
 msgstr "You should now be able to ping something by IPv6 DNS name:"
 
@@ -2736,11 +3083,11 @@ msgstr "You should now be able to ping something by IPv6 DNS name:"
 msgid "You should now be able to see the advertised network on the other host."
 msgstr "You should now be able to see the advertised network on the other host."
 
-#: ../../configexamples/zone-policy.rst:388
+#: ../../configexamples/zone-policy.rst:378
 msgid "You would have 5 zones instead of just 4 and you would configure your v6 ruleset between your tunnel interface and your LAN/DMZ zones instead of to the WAN."
 msgstr "You would have 5 zones instead of just 4 and you would configure your v6 ruleset between your tunnel interface and your LAN/DMZ zones instead of to the WAN."
 
-#: ../../configexamples/zone-policy.rst:413
+#: ../../configexamples/zone-policy.rst:403
 msgid "You would have to add a couple of rules on your wan-local ruleset to allow protocol 41 in."
 msgstr "You would have to add a couple of rules on your wan-local ruleset to allow protocol 41 in."
 
@@ -2748,31 +3095,31 @@ msgstr "You would have to add a couple of rules on your wan-local ruleset to all
 msgid "Zone-Policy example"
 msgstr "Zone-Policy example"
 
-#: ../../configexamples/zone-policy.rst:89
+#: ../../configexamples/zone-policy.rst:79
 msgid "Zones Basics"
 msgstr "Zones Basics"
 
-#: ../../configexamples/zone-policy.rst:136
+#: ../../configexamples/zone-policy.rst:126
 msgid "Zones and Rulesets both have a default action statement. When using Zone-Policies, the default action is set by the zone-policy statement and is represented by rule 10000."
 msgstr "Zones and Rulesets both have a default action statement. When using Zone-Policies, the default action is set by the zone-policy statement and is represented by rule 10000."
 
-#: ../../configexamples/zone-policy.rst:175
+#: ../../configexamples/zone-policy.rst:165
 msgid "Zones do not allow for a default action of accept; either drop or reject. It is important to remember this because if you apply an interface to a zone and commit, any active connections will be dropped. Specifically, if you are SSH’d into VyOS and add local or the interface you are connecting through to a zone and do not have rulesets in place to allow SSH and established sessions, you will not be able to connect."
 msgstr "Zones do not allow for a default action of accept; either drop or reject. It is important to remember this because if you apply an interface to a zone and commit, any active connections will be dropped. Specifically, if you are SSH’d into VyOS and add local or the interface you are connecting through to a zone and do not have rulesets in place to allow SSH and established sessions, you will not be able to connect."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:172
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:180
 msgid "`2001:470:xxxx:1::/64`: A subnet suitable for a LAN"
 msgstr "`2001:470:xxxx:1::/64`: A subnet suitable for a LAN"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:173
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:181
 msgid "`2001:470:xxxx:2::/64`: Another subnet"
 msgstr "`2001:470:xxxx:2::/64`: Another subnet"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:171
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:179
 msgid "`2001:470:xxxx::/48`: The whole subnet. xxxx should come from Tunnelbroker."
 msgstr "`2001:470:xxxx::/48`: The whole subnet. xxxx should come from Tunnelbroker."
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:174
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:182
 msgid "`2001:470:xxxx:ffff:/64`: The last usable /64 subnet."
 msgstr "`2001:470:xxxx:ffff:/64`: The last usable /64 subnet."
 
@@ -2898,7 +3245,7 @@ msgstr "switch1 (Nexus 10gb Switch)"
 msgid "switch2 (Nexus 10gb Switch)"
 msgstr "switch2 (Nexus 10gb Switch)"
 
-#: ../../configexamples/zone-policy.rst:394
+#: ../../configexamples/zone-policy.rst:384
 msgid "v6 pairs would be:"
 msgstr "v6 pairs would be:"
 
diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot
index dc70be5a..fd3396c0 100644
--- a/docs/_locale/de/configuration.pot
+++ b/docs/_locale/de/configuration.pot
@@ -48,7 +48,7 @@ msgstr "###################ä############# Flowtables Firewall Configuration ###
 msgid "**1-254** – interfaces with a channel number interfere with interfering interfaces and interfaces with the same channel number. **interfering** – interfering interfaces are assumed to interfere with all other channels except noninterfering channels. **noninterfering** – noninterfering interfaces are assumed to only interfere with themselves."
 msgstr "**1-254** – interfaces with a channel number interfere with interfering interfaces and interfaces with the same channel number. **interfering** – interfering interfaces are assumed to interfere with all other channels except noninterfering channels. **noninterfering** – noninterfering interfaces are assumed to only interfere with themselves."
 
-#: ../../configuration/system/flow-accounting.rst:102
+#: ../../configuration/system/flow-accounting.rst:106
 msgid "**10** - :abbr:`IPFIX (IP Flow Information Export)` as per :rfc:`3917`"
 msgstr "**10** - :abbr:`IPFIX (IP Flow Information Export)` as per :rfc:`3917`"
 
@@ -64,11 +64,11 @@ msgstr "**2. Confirm the link type has been set to GRE:**"
 msgid "**3. Confirm IP connectivity across the tunnel:**"
 msgstr "**3. Confirm IP connectivity across the tunnel:**"
 
-#: ../../configuration/system/flow-accounting.rst:100
+#: ../../configuration/system/flow-accounting.rst:104
 msgid "**5** - Most common version, but restricted to IPv4 flows only"
 msgstr "**5** - Most common version, but restricted to IPv4 flows only"
 
-#: ../../configuration/system/flow-accounting.rst:101
+#: ../../configuration/system/flow-accounting.rst:105
 msgid "**9** - NetFlow version 9 (default)"
 msgstr "**9** - NetFlow version 9 (default)"
 
@@ -88,24 +88,28 @@ msgstr "**Active-passive**: only ``primary`` server will respond to DHCP request
 msgid "**Already-selected external check**"
 msgstr "**Already-selected external check**"
 
-#: ../../configuration/trafficpolicy/index.rst:547
-#: ../../configuration/trafficpolicy/index.rst:1249
+#: ../../configuration/nat/cgnat.rst:47
+msgid "**Application Compatibility**: Some applications and protocols may not work well with CGNAT due to their reliance on unique public IP addresses."
+msgstr "**Application Compatibility**: Some applications and protocols may not work well with CGNAT due to their reliance on unique public IP addresses."
+
+#: ../../configuration/trafficpolicy/index.rst:597
+#: ../../configuration/trafficpolicy/index.rst:1299
 msgid "**Applies to:** Inbound traffic."
 msgstr "**Applies to:** Inbound traffic."
 
-#: ../../configuration/trafficpolicy/index.rst:444
+#: ../../configuration/trafficpolicy/index.rst:494
 msgid "**Applies to:** Outbound Traffic."
 msgstr "**Applies to:** Outbound Traffic."
 
-#: ../../configuration/trafficpolicy/index.rst:355
-#: ../../configuration/trafficpolicy/index.rst:387
-#: ../../configuration/trafficpolicy/index.rst:622
-#: ../../configuration/trafficpolicy/index.rst:691
-#: ../../configuration/trafficpolicy/index.rst:767
-#: ../../configuration/trafficpolicy/index.rst:916
-#: ../../configuration/trafficpolicy/index.rst:961
-#: ../../configuration/trafficpolicy/index.rst:1020
-#: ../../configuration/trafficpolicy/index.rst:1154
+#: ../../configuration/trafficpolicy/index.rst:405
+#: ../../configuration/trafficpolicy/index.rst:437
+#: ../../configuration/trafficpolicy/index.rst:672
+#: ../../configuration/trafficpolicy/index.rst:741
+#: ../../configuration/trafficpolicy/index.rst:817
+#: ../../configuration/trafficpolicy/index.rst:966
+#: ../../configuration/trafficpolicy/index.rst:1011
+#: ../../configuration/trafficpolicy/index.rst:1070
+#: ../../configuration/trafficpolicy/index.rst:1204
 msgid "**Applies to:** Outbound traffic."
 msgstr "**Applies to:** Outbound traffic."
 
@@ -117,10 +121,14 @@ msgstr "**Apply the traffic policy to an interface ingress or egress**."
 msgid "**Bridge Port?**: choose appropiate path based on if interface were the packet was received is part of a bridge, or not."
 msgstr "**Bridge Port?**: choose appropiate path based on if interface were the packet was received is part of a bridge, or not."
 
-#: ../../configuration/firewall/index.rst:23
+#: ../../configuration/firewall/index.rst:28
 msgid "**Bridge Port?**: choose appropriate path based on whether interface where the packet was received is part of a bridge, or not."
 msgstr "**Bridge Port?**: choose appropriate path based on whether interface where the packet was received is part of a bridge, or not."
 
+#: ../../configuration/nat/cgnat.rst:66
+msgid "**Calculate the Number of Subscribers per Public IP**:"
+msgstr "**Calculate the Number of Subscribers per Public IP**:"
+
 #: ../../configuration/interfaces/tunnel.rst:137
 msgid "**Cisco IOS Router:**"
 msgstr "**Cisco IOS Router:**"
@@ -141,6 +149,14 @@ msgstr "**Cluster-List length check**"
 msgid "**Conntrack Ignore**: rules defined under ``set system conntrack ignore [ipv4 | ipv6] ...``."
 msgstr "**Conntrack Ignore**: rules defined under ``set system conntrack ignore [ipv4 | ipv6] ...``."
 
+#: ../../configuration/firewall/index.rst:46
+msgid "**Conntrack Ignore**: rules defined under ``set system conntrack ignore [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020, configuration done in this section can be done in ``firewall [ipv4 | ipv6] prerouting ...``. For compatibility reasons, this feature is still present, but it will be removed in the future."
+msgstr "**Conntrack Ignore**: rules defined under ``set system conntrack ignore [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020, configuration done in this section can be done in ``firewall [ipv4 | ipv6] prerouting ...``. For compatibility reasons, this feature is still present, but it will be removed in the future."
+
+#: ../../configuration/nat/cgnat.rst:40
+msgid "**Cost-Effective**: Reduces the cost associated with acquiring additional public IPv4 addresses."
+msgstr "**Cost-Effective**: Reduces the cost associated with acquiring additional public IPv4 addresses."
+
 #: ../../configuration/trafficpolicy/index.rst:30
 msgid "**Create a traffic policy**."
 msgstr "**Create a traffic policy**."
@@ -156,23 +172,30 @@ msgstr "**DHCP(v6)**"
 msgid "**DHCPv6 Prefix Delegation (PD)**"
 msgstr "**DHCPv6 Prefix Delegation (PD)**"
 
-#: ../../configuration/firewall/index.rst:41
+#: ../../configuration/firewall/index.rst:55
 msgid "**Destination NAT**: rules defined under ``set [nat | nat66] destination...``."
 msgstr "**Destination NAT**: rules defined under ``set [nat | nat66] destination...``."
 
+#: ../../configuration/firewall/index.rst:58
+msgid "**Destination is the router?**: choose an appropriate path based on destination IP address. Transit forward continues to **forward**, while traffic where the destination IP address is configured on the router continues to **input**."
+msgstr "**Destination is the router?**: choose an appropriate path based on destination IP address. Transit forward continues to **forward**, while traffic where the destination IP address is configured on the router continues to **input**."
+
 #: ../../configuration/firewall/index.rst:43
 msgid "**Destination is the router?**: choose appropiate path based on destination IP address. Transit forward continunes to **forward**, while traffic that destination IP address is configured on the router continues to **input**."
 msgstr "**Destination is the router?**: choose appropiate path based on destination IP address. Transit forward continunes to **forward**, while traffic that destination IP address is configured on the router continues to **input**."
 
-#: ../../configuration/firewall/index.rst:44
+#: ../../configuration/firewall/index.rst:53
 msgid "**Destination is the router?**: choose appropriate path based on destination IP address. Transit forward continues to **forward**, while traffic that destination IP address is configured on the router continues to **input**."
 msgstr "**Destination is the router?**: choose appropriate path based on destination IP address. Transit forward continues to **forward**, while traffic that destination IP address is configured on the router continues to **input**."
 
-#: ../../configuration/firewall/bridge.rst:9
 #: ../../configuration/firewall/flowtables.rst:9
 msgid "**Documentation under development**"
 msgstr "**Documentation under development**"
 
+#: ../../configuration/nat/cgnat.rst:62
+msgid "**Estimate Ports Needed per Subscriber**:"
+msgstr "**Estimate Ports Needed per Subscriber**:"
+
 #: ../../configuration/trafficpolicy/index.rst:169
 msgid "**Ethernet (protocol, destination address or source address)**"
 msgstr "**Ethernet (protocol, destination address or source address)**"
@@ -180,8 +203,9 @@ msgstr "**Ethernet (protocol, destination address or source address)**"
 #: ../../configuration/service/dhcp-server.rst:63
 #: ../../configuration/service/dhcp-server.rst:158
 #: ../../configuration/service/dhcp-server.rst:256
-#: ../../configuration/service/dhcp-server.rst:646
-#: ../../configuration/service/dhcp-server.rst:687
+#: ../../configuration/service/dhcp-server.rst:652
+#: ../../configuration/service/dhcp-server.rst:675
+#: ../../configuration/service/dhcp-server.rst:717
 msgid "**Example:**"
 msgstr "**Example:**"
 
@@ -189,19 +213,31 @@ msgstr "**Example:**"
 msgid "**External check**"
 msgstr "**External check**"
 
+#: ../../configuration/firewall/ipv4.rst:45
+msgid "**Firewall Prerouting**: commands found under ``set firewall ipv4 prerouting raw ...``"
+msgstr "**Firewall Prerouting**: commands found under ``set firewall ipv4 prerouting raw ...``"
+
+#: ../../configuration/firewall/ipv6.rst:45
+msgid "**Firewall Prerouting**: commands found under ``set firewall ipv6 prerouting raw ...``"
+msgstr "**Firewall Prerouting**: commands found under ``set firewall ipv6 prerouting raw ...``"
+
 #: ../../configuration/trafficpolicy/index.rst:175
 msgid "**Firewall mark**"
 msgstr "**Firewall mark**"
 
-#: ../../configuration/firewall/flowtables.rst:51
+#: ../../configuration/firewall/index.rst:42
+msgid "**Firewall prerouting**: rules defined under ``set firewall [ipv4 | ipv6] prerouting raw...``. All rules defined in this section are processed before connection tracking subsystem."
+msgstr "**Firewall prerouting**: rules defined under ``set firewall [ipv4 | ipv6] prerouting raw...``. All rules defined in this section are processed before connection tracking subsystem."
+
+#: ../../configuration/firewall/flowtables.rst:52
 msgid "**Flowtable Reference:** https://docs.kernel.org/networking/nf_flowtable.html"
 msgstr "**Flowtable Reference:** https://docs.kernel.org/networking/nf_flowtable.html"
 
-#: ../../configuration/firewall/index.rst:152
+#: ../../configuration/firewall/index.rst:199
 msgid "**For more information** of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_"
 msgstr "**For more information** of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_"
 
-#: ../../configuration/firewall/index.rst:58
+#: ../../configuration/firewall/index.rst:72
 msgid "**Forward**: stage where transit traffic can be filtered and controlled. This includes ipv4 and ipv6 filtering rules, defined in:"
 msgstr "**Forward**: stage where transit traffic can be filtered and controlled. This includes ipv4 and ipv6 filtering rules, defined in:"
 
@@ -213,7 +249,11 @@ msgstr "**Forward (Bridge)**: stage where traffic that is trasspasing through th
 msgid "**Forward (Bridge)**: stage where traffic that is trespasing through the bridge is filtered and controlled:"
 msgstr "**Forward (Bridge)**: stage where traffic that is trespasing through the bridge is filtered and controlled:"
 
-#: ../../configuration/firewall/flowtables.rst:83
+#: ../../configuration/firewall/index.rst:110
+msgid "**Forward (Bridge)**: stage where traffic that is trespassing through the bridge is filtered and controlled:"
+msgstr "**Forward (Bridge)**: stage where traffic that is trespassing through the bridge is filtered and controlled:"
+
+#: ../../configuration/firewall/flowtables.rst:84
 msgid "**Hardware offload:** should be supported by the NICs used."
 msgstr "**Hardware offload:** should be supported by the NICs used."
 
@@ -221,6 +261,10 @@ msgstr "**Hardware offload:** should be supported by the NICs used."
 msgid "**IGP cost check**"
 msgstr "**IGP cost check**"
 
+#: ../../configuration/nat/cgnat.rst:38
+msgid "**IPv4 Address Conservation**: CGNAT helps mitigate the exhaustion of IPv4 addresses by allowing multiple customers to share a single public IP address."
+msgstr "**IPv4 Address Conservation**: CGNAT helps mitigate the exhaustion of IPv4 addresses by allowing multiple customers to share a single public IP address."
+
 #: ../../configuration/trafficpolicy/index.rst:171
 msgid "**IPv4 (DSCP value, maximum packet length, protocol, source address,** **destination address, source port, destination port or TCP flags)**"
 msgstr "**IPv4 (DSCP value, maximum packet length, protocol, source address,** **destination address, source port, destination port or TCP flags)**"
@@ -229,7 +273,7 @@ msgstr "**IPv4 (DSCP value, maximum packet length, protocol, source address,** *
 msgid "**IPv6 (DSCP value, maximum payload length, protocol, source address,** **destination address, source port, destination port or TCP flags)**"
 msgstr "**IPv6 (DSCP value, maximum payload length, protocol, source address,** **destination address, source port, destination port or TCP flags)**"
 
-#: ../../configuration/trafficpolicy/index.rst:345
+#: ../../configuration/trafficpolicy/index.rst:395
 msgid "**If you are looking for a policy for your outbound traffic** but you don't know which one you need and you don't want to go through every possible policy shown here, **our bet is that highly likely you are looking for a** Shaper_ **policy and you want to** :ref:`set its queues <embed>` **as FQ-CoDel**."
 msgstr "**If you are looking for a policy for your outbound traffic** but you don't know which one you need and you don't want to go through every possible policy shown here, **our bet is that highly likely you are looking for a** Shaper_ **policy and you want to** :ref:`set its queues <embed>` **as FQ-CoDel**."
 
@@ -241,14 +285,23 @@ msgstr "**Important note:** This documentation is valid only for VyOS Sagitta pr
 msgid "**Important note:** This documentation is valid only for VyOS Sagitta prior to 1.4-rolling-YYYYMMDDHHmm"
 msgstr "**Wichtiger Hinweis: ** Diese Dokumentation ist nur für VyOS Sagitta vor 1.4-Rolling-YYYYMMDDHHMM gültig"
 
-#: ../../configuration/firewall/ipv4.rst:60
-#: ../../configuration/firewall/ipv6.rst:60
+#: ../../configuration/system/conntrack.rst:148
+msgid "**Important note about conntrack ignore rules:** Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in ``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in the future the conntrack ignore rules will be removed."
+msgstr "**Important note about conntrack ignore rules:** Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in ``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in the future the conntrack ignore rules will be removed."
+
+#: ../../configuration/firewall/ipv4.rst:84
+#: ../../configuration/firewall/ipv6.rst:84
+msgid "**Important note about default-actions:** If a default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if the default action is not defined, then the default-action is set to **drop**"
+msgstr "**Important note about default-actions:** If a default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if the default action is not defined, then the default-action is set to **drop**"
+
+#: ../../configuration/firewall/ipv4.rst:84
+#: ../../configuration/firewall/ipv6.rst:84
 msgid "**Important note about default-actions:** If default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if default action is not defined, then the default-action is set to **drop**"
 msgstr "**Important note about default-actions:** If default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if default action is not defined, then the default-action is set to **drop**"
 
 #: ../../configuration/firewall/bridge.rst:143
-#: ../../configuration/firewall/ipv4.rst:190
-#: ../../configuration/firewall/ipv6.rst:190
+#: ../../configuration/firewall/ipv4.rst:214
+#: ../../configuration/firewall/ipv6.rst:214
 msgid "**Important note about default-actions:** If default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if default action is not defined, then the default-action is set to **drop**."
 msgstr "**Important note about default-actions:** If default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if default action is not defined, then the default-action is set to **drop**."
 
@@ -260,6 +313,15 @@ msgstr "**Wichtiger Hinweis zu Standardaktionen: ** Wenn die Standardaktion für
 msgid "**Important note about default-actions:** If default action for any chain is not defined, then the default action is set to **drop** for that chain."
 msgstr "**Important note about default-actions:** If default action for any chain is not defined, then the default action is set to **drop** for that chain."
 
+#: ../../configuration/firewall/bridge.rst:197
+msgid "**Important note about default-actions:** If the default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if the default action is not defined, then the default-action is set to **drop**."
+msgstr "**Important note about default-actions:** If the default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if the default action is not defined, then the default-action is set to **drop**."
+
+#: ../../configuration/firewall/ipv4.rst:214
+#: ../../configuration/firewall/ipv6.rst:214
+msgid "**Important note about default-actions:** If the default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains if a default action is not defined then the default-action is set to **drop**."
+msgstr "**Important note about default-actions:** If the default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains if a default action is not defined then the default-action is set to **drop**."
+
 #: ../../configuration/firewall/general.rst:20
 msgid "**Important note on usage of terms:** The firewall makes use of the terms `forward`, `input`, and `output` for firewall policy. More information of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_"
 msgstr "**Important note on usage of terms:** The firewall makes use of the terms `forward`, `input`, and `output` for firewall policy. More information of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_"
@@ -272,10 +334,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term
 msgid "**Input**: stage where traffic destinated to the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in:"
 msgstr "**Input**: stage where traffic destinated to the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in:"
 
-#: ../../configuration/firewall/index.rst:49
+#: ../../configuration/firewall/index.rst:63
 msgid "**Input**: stage where traffic destined for the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in:"
 msgstr "**Input**: stage where traffic destined for the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in:"
 
+#: ../../configuration/firewall/index.rst:115
+msgid "**Input (Bridge)**: stage where traffic destined for the bridge itself can be filtered and controlled:"
+msgstr "**Input (Bridge)**: stage where traffic destined for the bridge itself can be filtered and controlled:"
+
 #: ../../configuration/trafficpolicy/index.rst:170
 msgid "**Interface name**"
 msgstr "**Interface name**"
@@ -345,6 +411,7 @@ msgstr "**Node 1**"
 #: ../../configuration/protocols/isis.rst:416
 #: ../../configuration/protocols/isis.rst:457
 #: ../../configuration/protocols/isis.rst:495
+#: ../../configuration/protocols/openfabric.rst:170
 #: ../../configuration/protocols/ospf.rst:948
 #: ../../configuration/protocols/ospf.rst:1320
 #: ../../configuration/protocols/rip.rst:243
@@ -368,6 +435,7 @@ msgstr "**Node 2**"
 #: ../../configuration/protocols/isis.rst:352
 #: ../../configuration/protocols/isis.rst:432
 #: ../../configuration/protocols/isis.rst:511
+#: ../../configuration/protocols/openfabric.rst:181
 #: ../../configuration/protocols/ospf.rst:1329
 #: ../../configuration/protocols/rip.rst:251
 #: ../../configuration/protocols/segment-routing.rst:211
@@ -391,8 +459,16 @@ msgid "**Origin check**"
 msgstr "**Origin check**"
 
 #: ../../configuration/firewall/index.rst:64
-msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
-msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
+msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
+msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
+
+#: ../../configuration/firewall/index.rst:65
+msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
+msgstr "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
+
+#: ../../configuration/firewall/index.rst:74
+msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 rules, and two different sections are present:"
+msgstr "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 rules, and two different sections are present:"
 
 #: ../../configuration/firewall/index.rst:65
 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
@@ -402,11 +478,47 @@ msgstr "**Output**: stage where traffic that originates from the router itself c
 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
 msgstr "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
 
+#: ../../configuration/firewall/index.rst:79
+msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on the VyOS router such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 rules, and two different sections are present:"
+msgstr "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on the VyOS router such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 rules, and two different sections are present:"
+
+#: ../../configuration/firewall/index.rst:90
+msgid "**Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``."
+msgstr "**Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``."
+
+#: ../../configuration/firewall/ipv4.rst:81
+msgid "**Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined in this section are processed after connection tracking subsystem."
+msgstr "**Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined in this section are processed after connection tracking subsystem."
+
+#: ../../configuration/firewall/ipv6.rst:81
+msgid "**Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined in this section are processed after connection tracking subsystem."
+msgstr "**Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined in this section are processed after connection tracking subsystem."
+
+#: ../../configuration/firewall/index.rst:86
+msgid "**Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``. As described in **Prerouting**, rules defined in this section are processed before connection tracking subsystem."
+msgstr "**Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``. As described in **Prerouting**, rules defined in this section are processed before connection tracking subsystem."
+
+#: ../../configuration/firewall/ipv4.rst:78
+msgid "**Output Prerouting**: ``set firewall ipv4 output raw ...``. As described in **Prerouting**, rules defined in this section are processed before connection tracking subsystem."
+msgstr "**Output Prerouting**: ``set firewall ipv4 output raw ...``. As described in **Prerouting**, rules defined in this section are processed before connection tracking subsystem."
+
+#: ../../configuration/firewall/ipv6.rst:78
+msgid "**Output Prerouting**: ``set firewall ipv6 output raw ...``. As described in **Prerouting**, rules defined in this section are processed before connection tracking subsystem."
+msgstr "**Output Prerouting**: ``set firewall ipv6 output raw ...``. As described in **Prerouting**, rules defined in this section are processed before connection tracking subsystem."
+
+#: ../../configuration/firewall/index.rst:120
+msgid "**Output (Bridge)**: stage where traffic that originates from the bridge itself can be filtered and controlled:"
+msgstr "**Output (Bridge)**: stage where traffic that originates from the bridge itself can be filtered and controlled:"
+
 #: ../../configuration/protocols/bgp.rst:125
 msgid "**Peer address**"
 msgstr "**Peer address**"
 
-#: ../../configuration/firewall/index.rst:38
+#: ../../configuration/nat/cgnat.rst:46
+msgid "**Performance Overheads**: The translation process can introduce latency and potential performance bottlenecks, especially under high load."
+msgstr "**Performance Overheads**: The translation process can introduce latency and potential performance bottlenecks, especially under high load."
+
+#: ../../configuration/firewall/index.rst:52
 msgid "**Policy Route**: rules defined under ``set policy [route | route6] ...``."
 msgstr "**Policy Route**: rules defined under ``set policy [route | route6] ...``."
 
@@ -414,11 +526,27 @@ msgstr "**Policy Route**: rules defined under ``set policy [route | route6] ...`
 msgid "**Policy definition:**"
 msgstr "**Policy definition:**"
 
-#: ../../configuration/firewall/index.rst:76
+#: ../../configuration/nat/cgnat.rst:48
+msgid "**Port Allocation Limits**: Each public IP address has a limited number of ports, which can be exhausted, affecting the ability to establish new connections."
+msgstr "**Port Allocation Limits**: Each public IP address has a limited number of ports, which can be exhausted, affecting the ability to establish new connections."
+
+#: ../../configuration/nat/cgnat.rst:49
+msgid "**Port Control Protocol**: PCP is not implemented."
+msgstr "**Port Control Protocol**: PCP is not implemented."
+
+#: ../../configuration/firewall/index.rst:92
 msgid "**Postrouting**: as in **Prerouting**, several actions defined in different parts of VyOS configuration are performed in this stage. This includes:"
 msgstr "**Postrouting**: as in **Prerouting**, several actions defined in different parts of VyOS configuration are performed in this stage. This includes:"
 
 #: ../../configuration/firewall/index.rst:29
+msgid "**Prerouting**: All packets that are received by the router are processed in this stage, regardless of the destination of the packet. Starting from vyos-1.5-rolling-202406120020, a new section was added to firewall configuration. There are several actions that can be done in this stage, and currently these actions are also defined in different parts in VyOS configuration. Order is important, and relevant configuration that acts in this stage are:"
+msgstr "**Prerouting**: All packets that are received by the router are processed in this stage, regardless of the destination of the packet. Starting from vyos-1.5-rolling-202406120020, a new section was added to firewall configuration. There are several actions that can be done in this stage, and currently these actions are also defined in different parts in VyOS configuration. Order is important, and relevant configuration that acts in this stage are:"
+
+#: ../../configuration/firewall/index.rst:34
+msgid "**Prerouting**: All packets that are received by the router are processed in this stage, regardless of the destination of the packet. Starting from vyos-1.5-rolling-202406120020, a new section was added to the firewall configuration. There are several actions that can be done in this stage, and currently these actions are also defined in different parts of the VyOS configuration. Order is important, and the relevant configuration that acts in this stage are:"
+msgstr "**Prerouting**: All packets that are received by the router are processed in this stage, regardless of the destination of the packet. Starting from vyos-1.5-rolling-202406120020, a new section was added to the firewall configuration. There are several actions that can be done in this stage, and currently these actions are also defined in different parts of the VyOS configuration. Order is important, and the relevant configuration that acts in this stage are:"
+
+#: ../../configuration/firewall/index.rst:29
 msgid "**Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in VyOS configuration. Order is important, and all these actions are performed before any actions defined under ``firewall`` section. Relevant configuration that acts in this stage are:"
 msgstr "**Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in VyOS configuration. Order is important, and all these actions are performed before any actions defined under ``firewall`` section. Relevant configuration that acts in this stage are:"
 
@@ -426,43 +554,51 @@ msgstr "**Prerouting**: several actions can be done in this stage, and currently
 msgid "**Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in vyos configuration. Order is important, and all these actions are performed before any actions define under ``firewall`` section. Relevant configuration that acts in this stage are:"
 msgstr "**Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in vyos configuration. Order is important, and all these actions are performed before any actions define under ``firewall`` section. Relevant configuration that acts in this stage are:"
 
+#: ../../configuration/firewall/index.rst:97
+msgid "**Prerouting (Bridge)**: all packets that are received by the bridge are processed in this stage, regardless of the destination of the packet. First filters can be applied here, and/or also configure rules for ignoring connection tracking system, and also apply policy routing using ``set`` option while defining the rule. The relevant configuration that acts in:"
+msgstr "**Prerouting (Bridge)**: all packets that are received by the bridge are processed in this stage, regardless of the destination of the packet. First filters can be applied here, and/or also configure rules for ignoring connection tracking system, and also apply policy routing using ``set`` option while defining the rule. The relevant configuration that acts in:"
+
+#: ../../configuration/firewall/index.rst:102
+msgid "**Prerouting (Bridge)**: all packets that are received by the bridge are processed in this stage, regardless of the destination of the packet. First filters can be applied here, and/or also configure rules for ignoring connection tracking system. The relevant configuration that acts in:"
+msgstr "**Prerouting (Bridge)**: all packets that are received by the bridge are processed in this stage, regardless of the destination of the packet. First filters can be applied here, and/or also configure rules for ignoring connection tracking system. The relevant configuration that acts in:"
+
 #: ../../configuration/service/dhcp-server.rst:448
 msgid "**Primary**"
 msgstr "**Primary**"
 
-#: ../../configuration/trafficpolicy/index.rst:443
+#: ../../configuration/trafficpolicy/index.rst:493
 msgid "**Queueing discipline** Fair/Flow Queue CoDel."
 msgstr "**Queueing discipline** Fair/Flow Queue CoDel."
 
-#: ../../configuration/trafficpolicy/index.rst:960
+#: ../../configuration/trafficpolicy/index.rst:1010
 msgid "**Queueing discipline:** Deficit Round Robin."
 msgstr "**Queueing discipline:** Deficit Round Robin."
 
-#: ../../configuration/trafficpolicy/index.rst:1153
+#: ../../configuration/trafficpolicy/index.rst:1203
 msgid "**Queueing discipline:** Deficit mode."
 msgstr "**Queueing discipline:** Deficit mode."
 
-#: ../../configuration/trafficpolicy/index.rst:766
+#: ../../configuration/trafficpolicy/index.rst:816
 msgid "**Queueing discipline:** Generalized Random Early Drop."
 msgstr "**Queueing discipline:** Generalized Random Early Drop."
 
-#: ../../configuration/trafficpolicy/index.rst:1019
+#: ../../configuration/trafficpolicy/index.rst:1069
 msgid "**Queueing discipline:** Hierarchical Token Bucket."
 msgstr "**Queueing discipline:** Hierarchical Token Bucket."
 
-#: ../../configuration/trafficpolicy/index.rst:546
+#: ../../configuration/trafficpolicy/index.rst:596
 msgid "**Queueing discipline:** Ingress policer."
 msgstr "**Queueing discipline:** Ingress policer."
 
-#: ../../configuration/trafficpolicy/index.rst:354
+#: ../../configuration/trafficpolicy/index.rst:404
 msgid "**Queueing discipline:** PFIFO (Packet First In First Out)."
 msgstr "**Queueing discipline:** PFIFO (Packet First In First Out)."
 
-#: ../../configuration/trafficpolicy/index.rst:690
+#: ../../configuration/trafficpolicy/index.rst:740
 msgid "**Queueing discipline:** PRIO."
 msgstr "**Queueing discipline:** PRIO."
 
-#: ../../configuration/trafficpolicy/index.rst:386
+#: ../../configuration/trafficpolicy/index.rst:436
 msgid "**Queueing discipline:** SFQ (Stochastic Fairness Queuing)."
 msgstr "**Queueing discipline:** SFQ (Stochastic Fairness Queuing)."
 
@@ -470,24 +606,36 @@ msgstr "**Queueing discipline:** SFQ (Stochastic Fairness Queuing)."
 msgid "**Queueing discipline:** Tocken Bucket Filter."
 msgstr "**Queueing discipline:** Tocken Bucket Filter."
 
-#: ../../configuration/trafficpolicy/index.rst:621
+#: ../../configuration/trafficpolicy/index.rst:965
+msgid "**Queueing discipline:** Token Bucket Filter."
+msgstr "**Queueing discipline:** Token Bucket Filter."
+
+#: ../../configuration/trafficpolicy/index.rst:671
 msgid "**Queueing discipline:** netem (Network Emulator) + TBF (Token Bucket Filter)."
 msgstr "**Queueing discipline:** netem (Network Emulator) + TBF (Token Bucket Filter)."
 
-#: ../../configuration/interfaces/bonding.rst:407
+#: ../../configuration/interfaces/bonding.rst:460
 #: ../../configuration/interfaces/macsec.rst:159
 msgid "**R1**"
 msgstr "**R1**"
 
+#: ../../configuration/interfaces/macsec.rst:251
+msgid "**R1 MACsec01**"
+msgstr "**R1 MACsec01**"
+
 #: ../../configuration/interfaces/macsec.rst:215
 msgid "**R1 Static Key**"
 msgstr "**R1 Static Key**"
 
-#: ../../configuration/interfaces/bonding.rst:425
+#: ../../configuration/interfaces/bonding.rst:478
 #: ../../configuration/interfaces/macsec.rst:171
 msgid "**R2**"
 msgstr "**R2**"
 
+#: ../../configuration/interfaces/macsec.rst:269
+msgid "**R2 MACsec02**"
+msgstr "**R2 MACsec02**"
+
 #: ../../configuration/interfaces/macsec.rst:228
 msgid "**R2 Static Key**"
 msgstr "**R2 Static Key**"
@@ -532,27 +680,31 @@ msgstr "**Routes learned after routing policy applied:**"
 msgid "**Routes learned before routing policy applied:**"
 msgstr "**Routes learned before routing policy applied:**"
 
-#: ../../configuration/interfaces/bonding.rst:443
+#: ../../configuration/interfaces/bonding.rst:496
 msgid "**SW1**"
 msgstr "**SW1**"
 
-#: ../../configuration/interfaces/bonding.rst:474
+#: ../../configuration/interfaces/bonding.rst:527
 msgid "**SW2**"
 msgstr "**SW2**"
 
+#: ../../configuration/nat/cgnat.rst:39
+msgid "**Scalability**: ISPs can support more customers without needing a proportional increase in public IP addresses."
+msgstr "**Scalability**: ISPs can support more customers without needing a proportional increase in public IP addresses."
+
 #: ../../configuration/service/dhcp-server.rst:458
 msgid "**Secondary**"
 msgstr "**Secondary**"
 
-#: ../../configuration/vpn/ipsec.rst:265
+#: ../../configuration/vpn/ipsec.rst:285
 msgid "**Setting up IPSec**"
 msgstr "**Setting up IPSec**"
 
-#: ../../configuration/vpn/ipsec.rst:241
+#: ../../configuration/vpn/ipsec.rst:261
 msgid "**Setting up the GRE tunnel**"
 msgstr "**Setting up the GRE tunnel**"
 
-#: ../../configuration/firewall/index.rst:80
+#: ../../configuration/firewall/index.rst:96
 msgid "**Source NAT**: rules defined under ``set [nat | nat66] destination...``."
 msgstr "**Source NAT**: rules defined under ``set [nat | nat66] destination...``."
 
@@ -568,6 +720,14 @@ msgstr "**Status**"
 msgid "**To see the redistributed routes:**"
 msgstr "**To see the redistributed routes:**"
 
+#: ../../configuration/nat/cgnat.rst:56
+msgid "**Total Ports Available**:"
+msgstr "**Total Ports Available**:"
+
+#: ../../configuration/nat/cgnat.rst:45
+msgid "**Traceability Issues**: Since multiple users share the same public IP address, tracking individual users for security and legal purposes can be challenging."
+msgstr "**Traceability Issues**: Since multiple users share the same public IP address, tracking individual users for security and legal purposes can be challenging."
+
 #: ../../configuration/protocols/failover.rst:85
 msgid "**Two gateways and different metrics:**"
 msgstr "**Two gateways and different metrics:**"
@@ -585,7 +745,7 @@ msgstr "**VyOS Router:**"
 msgid "**Weight check**"
 msgstr "**Weight check**"
 
-#: ../../configuration/trafficpolicy/index.rst:1208
+#: ../../configuration/trafficpolicy/index.rst:1258
 msgid "**(Default)** Flows are defined by the 5-tuple, fairness is applied over source and destination addresses and also over individual flows."
 msgstr "**(Default)** Flows are defined by the 5-tuple, fairness is applied over source and destination addresses and also over individual flows."
 
@@ -598,25 +758,25 @@ msgstr "**address** can be specified multiple times, e.g. 192.168.100.1 and/or 1
 msgid "**address** can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64"
 msgstr "**address** can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64"
 
-#: ../../configuration/service/pppoe-server.rst:474
-#: ../../configuration/vpn/l2tp.rst:428
+#: ../../configuration/service/pppoe-server.rst:499
+#: ../../configuration/vpn/l2tp.rst:431
 #: ../../configuration/vpn/pptp.rst:352
-#: ../../configuration/vpn/sstp.rst:386
+#: ../../configuration/vpn/sstp.rst:389
 msgid "**allow** - Negotiate IPv4 only if client requests (Default value)"
 msgstr "**allow** - Negotiate IPv4 only if client requests (Default value)"
 
-#: ../../configuration/service/pppoe-server.rst:349
-#: ../../configuration/vpn/l2tp.rst:293
+#: ../../configuration/service/pppoe-server.rst:369
+#: ../../configuration/vpn/l2tp.rst:296
 #: ../../configuration/vpn/pptp.rst:217
-#: ../../configuration/vpn/sstp.rst:251
+#: ../../configuration/vpn/sstp.rst:254
 msgid "**allow** - Negotiate IPv6 only if client requests"
 msgstr "**allow** - Negotiate IPv6 only if client requests"
 
-#: ../../configuration/container/index.rst:38
+#: ../../configuration/container/index.rst:62
 msgid "**allow-host-networks** cannot be used with **network**"
 msgstr "**allow-host-networks** cannot be used with **network**"
 
-#: ../../configuration/container/index.rst:107
+#: ../../configuration/container/index.rst:133
 msgid "**always**: Restart containers when they exit, regardless of status, retrying indefinitely"
 msgstr "**always**: Restart containers when they exit, regardless of status, retrying indefinitely"
 
@@ -644,10 +804,10 @@ msgstr "**broadcast** – broadcast IP addresses distribution. **non-broadcast**
 msgid "**broadcast** – broadcast IP addresses distribution. **point-to-point** – address distribution in point-to-point networks."
 msgstr "**broadcast** – broadcast IP addresses distribution. **point-to-point** – address distribution in point-to-point networks."
 
-#: ../../configuration/service/pppoe-server.rst:401
-#: ../../configuration/vpn/l2tp.rst:345
+#: ../../configuration/service/pppoe-server.rst:423
+#: ../../configuration/vpn/l2tp.rst:348
 #: ../../configuration/vpn/pptp.rst:269
-#: ../../configuration/vpn/sstp.rst:303
+#: ../../configuration/vpn/sstp.rst:306
 msgid "**calling-sid** - Calculate interface identifier from calling-station-id."
 msgstr "**calling-sid** - Calculate interface identifier from calling-station-id."
 
@@ -667,28 +827,28 @@ msgstr "**default** –  this area will be used for shortcutting only if ABR doe
 msgid "**default** – enable split-horizon on wired interfaces, and disable split-horizon on wireless interfaces. **enable** – enable split-horizon on this interfaces. **disable** – disable split-horizon on this interfaces."
 msgstr "**default** – enable split-horizon on wired interfaces, and disable split-horizon on wireless interfaces. **enable** – enable split-horizon on this interfaces. **disable** – disable split-horizon on this interfaces."
 
-#: ../../configuration/service/pppoe-server.rst:566
+#: ../../configuration/service/pppoe-server.rst:591
 msgid "**deny**: Deny second session authorization."
 msgstr "**deny**: Deny second session authorization."
 
-#: ../../configuration/service/pppoe-server.rst:475
-#: ../../configuration/vpn/l2tp.rst:429
+#: ../../configuration/service/pppoe-server.rst:500
+#: ../../configuration/vpn/l2tp.rst:432
 #: ../../configuration/vpn/pptp.rst:353
-#: ../../configuration/vpn/sstp.rst:387
+#: ../../configuration/vpn/sstp.rst:390
 msgid "**deny** - Do not negotiate IPv4"
 msgstr "**deny** - Do not negotiate IPv4"
 
-#: ../../configuration/service/pppoe-server.rst:350
-#: ../../configuration/vpn/l2tp.rst:294
+#: ../../configuration/service/pppoe-server.rst:370
+#: ../../configuration/vpn/l2tp.rst:297
 #: ../../configuration/vpn/pptp.rst:218
-#: ../../configuration/vpn/sstp.rst:252
+#: ../../configuration/vpn/sstp.rst:255
 msgid "**deny** - Do not negotiate IPv6 (default value)"
 msgstr "**deny** - Do not negotiate IPv6 (default value)"
 
-#: ../../configuration/service/pppoe-server.rst:507
-#: ../../configuration/vpn/l2tp.rst:461
+#: ../../configuration/service/pppoe-server.rst:532
+#: ../../configuration/vpn/l2tp.rst:465
 #: ../../configuration/vpn/pptp.rst:385
-#: ../../configuration/vpn/sstp.rst:419
+#: ../../configuration/vpn/sstp.rst:423
 msgid "**deny** - deny mppe"
 msgstr "**deny** - deny mppe"
 
@@ -704,7 +864,7 @@ msgstr "**dhcp** interface address is received by DHCP from a DHCP server on thi
 msgid "**dhcpv6** interface address is received by DHCPv6 from a DHCPv6 server on this segment."
 msgstr "**dhcpv6** interface address is received by DHCPv6 from a DHCPv6 server on this segment."
 
-#: ../../configuration/service/pppoe-server.rst:565
+#: ../../configuration/service/pppoe-server.rst:590
 msgid "**disable**: Disables session control."
 msgstr "**disable**: Disables session control."
 
@@ -740,26 +900,30 @@ msgstr "**inbound-interface** - applicable only to :ref:`destination-nat`. It co
 msgid "**inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the translation rule applies to. Interface groups, inverted selection and wildcard, are also supported."
 msgstr "**inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the translation rule applies to. Interface groups, inverted selection and wildcard, are also supported."
 
-#: ../../configuration/service/pppoe-server.rst:400
-#: ../../configuration/vpn/l2tp.rst:344
+#: ../../configuration/service/pppoe-server.rst:422
+#: ../../configuration/vpn/l2tp.rst:347
 #: ../../configuration/vpn/pptp.rst:268
-#: ../../configuration/vpn/sstp.rst:302
+#: ../../configuration/vpn/sstp.rst:305
 msgid "**ipv4-addr** - Calculate interface identifier from IPv4 address."
 msgstr "**ipv4-addr** - Calculate interface identifier from IPv4 address."
 
-#: ../../configuration/service/ipoe-server.rst:91
+#: ../../configuration/service/ipoe-server.rst:90
 msgid "**l2**: It means that clients are on same network where interface is.**(default)**"
 msgstr "**l2**: It means that clients are on same network where interface is.**(default)**"
 
-#: ../../configuration/interfaces/bonding.rst:161
+#: ../../configuration/service/ipoe-server.rst:92
+msgid "**l3**: It means that client are behind some router."
+msgstr "**l3**: It means that client are behind some router."
+
+#: ../../configuration/interfaces/bonding.rst:166
 msgid "**layer2** - Uses XOR of hardware MAC addresses and packet type ID field to generate the hash. The formula is"
 msgstr "**layer2** - Uses XOR of hardware MAC addresses and packet type ID field to generate the hash. The formula is"
 
-#: ../../configuration/interfaces/bonding.rst:174
+#: ../../configuration/interfaces/bonding.rst:179
 msgid "**layer2+3** - This policy uses a combination of layer2 and layer3 protocol information to generate the hash. Uses XOR of hardware MAC addresses and IP addresses to generate the hash. The formula is:"
 msgstr "**layer2+3** - This policy uses a combination of layer2 and layer3 protocol information to generate the hash. Uses XOR of hardware MAC addresses and IP addresses to generate the hash. The formula is:"
 
-#: ../../configuration/interfaces/bonding.rst:200
+#: ../../configuration/interfaces/bonding.rst:205
 msgid "**layer3+4** - This policy uses upper layer protocol information, when available, to generate the hash. This allows for traffic to a particular network peer to span multiple slaves, although a single connection will not span multiple slaves."
 msgstr "**layer3+4** - This policy uses upper layer protocol information, when available, to generate the hash. This allows for traffic to a particular network peer to span multiple slaves, although a single connection will not span multiple slaves."
 
@@ -792,7 +956,7 @@ msgid "**level-2-only** - Level-2 only adjacencies are formed"
 msgstr "**level-2-only** - Level-2 only adjacencies are formed"
 
 #: ../../configuration/service/ipoe-server.rst:65
-#: ../../configuration/service/pppoe-server.rst:43
+#: ../../configuration/service/pppoe-server.rst:42
 #: ../../configuration/vpn/l2tp.rst:31
 #: ../../configuration/vpn/pptp.rst:32
 #: ../../configuration/vpn/sstp.rst:58
@@ -823,19 +987,19 @@ msgstr "**lookup-srv** S flag."
 msgid "**narrow** - Use old style of TLVs with narrow metric."
 msgstr "**narrow** - Use old style of TLVs with narrow metric."
 
-#: ../../configuration/container/index.rst:124
+#: ../../configuration/container/index.rst:162
 msgid "**net-admin**: Network operations (interface, firewall, routing tables)"
 msgstr "**net-admin**: Network operations (interface, firewall, routing tables)"
 
-#: ../../configuration/container/index.rst:125
+#: ../../configuration/container/index.rst:163
 msgid "**net-bind-service**: Bind a socket to privileged ports (port numbers less than 1024)"
 msgstr "**net-bind-service**: Bind a socket to privileged ports (port numbers less than 1024)"
 
-#: ../../configuration/container/index.rst:126
+#: ../../configuration/container/index.rst:165
 msgid "**net-raw**: Permission to create raw network sockets"
 msgstr "**net-raw**: Permission to create raw network sockets"
 
-#: ../../configuration/container/index.rst:105
+#: ../../configuration/container/index.rst:130
 msgid "**no**: Do not restart containers on exit"
 msgstr "**no**: Do not restart containers on exit"
 
@@ -843,7 +1007,7 @@ msgstr "**no**: Do not restart containers on exit"
 msgid "**noauth**: Authentication disabled"
 msgstr "**noauth**: Authentication disabled"
 
-#: ../../configuration/service/pppoe-server.rst:44
+#: ../../configuration/service/pppoe-server.rst:43
 #: ../../configuration/vpn/pptp.rst:33
 msgid "**noauth**: Authentication disabled."
 msgstr "**noauth**: Authentication disabled."
@@ -852,7 +1016,7 @@ msgstr "**noauth**: Authentication disabled."
 msgid "**off** In this mode, no DNSSEC processing takes place. The recursor will not set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the DO and AD bits in queries."
 msgstr "**off** In this mode, no DNSSEC processing takes place. The recursor will not set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the DO and AD bits in queries."
 
-#: ../../configuration/container/index.rst:106
+#: ../../configuration/container/index.rst:131
 msgid "**on-failure**: Restart containers when they exit with a non-zero exit code, retrying indefinitely (default)"
 msgstr "**on-failure**: Restart containers when they exit with a non-zero exit code, retrying indefinitely (default)"
 
@@ -868,17 +1032,17 @@ msgstr "**outbound-interface** - applicable only to :ref:`source-nat`. It config
 msgid "**outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that this translation rule applies to. Interface groups, inverted selection and wildcard, are also supported."
 msgstr "**outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that this translation rule applies to. Interface groups, inverted selection and wildcard, are also supported."
 
-#: ../../configuration/service/pppoe-server.rst:473
-#: ../../configuration/vpn/l2tp.rst:427
+#: ../../configuration/service/pppoe-server.rst:498
+#: ../../configuration/vpn/l2tp.rst:430
 #: ../../configuration/vpn/pptp.rst:351
-#: ../../configuration/vpn/sstp.rst:385
+#: ../../configuration/vpn/sstp.rst:388
 msgid "**prefer** - Ask client for IPv4 negotiation, do not fail if it rejects"
 msgstr "**prefer** - Ask client for IPv4 negotiation, do not fail if it rejects"
 
-#: ../../configuration/service/pppoe-server.rst:348
-#: ../../configuration/vpn/l2tp.rst:292
+#: ../../configuration/service/pppoe-server.rst:368
+#: ../../configuration/vpn/l2tp.rst:295
 #: ../../configuration/vpn/pptp.rst:216
-#: ../../configuration/vpn/sstp.rst:250
+#: ../../configuration/vpn/sstp.rst:253
 msgid "**prefer** - Ask client for IPv6 negotiation, do not fail if it rejects"
 msgstr "**prefer** - Ask client for IPv6 negotiation, do not fail if it rejects"
 
@@ -886,10 +1050,10 @@ msgstr "**prefer** - Ask client for IPv6 negotiation, do not fail if it rejects"
 msgid "**prefer** - ask client for mppe, if it rejects don't fail"
 msgstr "**prefer** - ask client for mppe, if it rejects don't fail"
 
-#: ../../configuration/service/pppoe-server.rst:506
-#: ../../configuration/vpn/l2tp.rst:460
+#: ../../configuration/service/pppoe-server.rst:531
+#: ../../configuration/vpn/l2tp.rst:464
 #: ../../configuration/vpn/pptp.rst:384
-#: ../../configuration/vpn/sstp.rst:418
+#: ../../configuration/vpn/sstp.rst:422
 msgid "**prefer** - ask client for mppe, if it rejects don't fail. (Default value)"
 msgstr "**prefer** - ask client for mppe, if it rejects don't fail. (Default value)"
 
@@ -914,21 +1078,21 @@ msgid "**protocol-specific** P flag."
 msgstr "**protocol-specific** P flag."
 
 #: ../../configuration/service/ipoe-server.rst:63
-#: ../../configuration/service/pppoe-server.rst:41
+#: ../../configuration/service/pppoe-server.rst:40
 #: ../../configuration/vpn/l2tp.rst:29
 #: ../../configuration/vpn/pptp.rst:30
 #: ../../configuration/vpn/sstp.rst:56
 msgid "**radius**: All authentication queries are handled by a configured RADIUS server."
 msgstr "**radius**: All authentication queries are handled by a configured RADIUS server."
 
-#: ../../configuration/service/pppoe-server.rst:391
-#: ../../configuration/service/pppoe-server.rst:398
-#: ../../configuration/vpn/l2tp.rst:335
-#: ../../configuration/vpn/l2tp.rst:342
+#: ../../configuration/service/pppoe-server.rst:412
+#: ../../configuration/service/pppoe-server.rst:420
+#: ../../configuration/vpn/l2tp.rst:338
+#: ../../configuration/vpn/l2tp.rst:345
 #: ../../configuration/vpn/pptp.rst:259
 #: ../../configuration/vpn/pptp.rst:266
-#: ../../configuration/vpn/sstp.rst:293
-#: ../../configuration/vpn/sstp.rst:300
+#: ../../configuration/vpn/sstp.rst:296
+#: ../../configuration/vpn/sstp.rst:303
 msgid "**random** - Random interface identifier for IPv6"
 msgstr "**random** - Random interface identifier for IPv6"
 
@@ -940,7 +1104,7 @@ msgstr "**regexp** Regular expression. Requires `<value>`."
 msgid "**remote side - commands**"
 msgstr "**remote side - commands**"
 
-#: ../../configuration/service/pppoe-server.rst:567
+#: ../../configuration/service/pppoe-server.rst:592
 msgid "**replace**: Terminate first session when second is authorized **(default)**"
 msgstr "**replace**: Terminate first session when second is authorized **(default)**"
 
@@ -952,24 +1116,24 @@ msgstr "**replace:** Relay information already present in a packet is stripped a
 msgid "**replacement** Replacement DNS name."
 msgstr "**replacement** Replacement DNS name."
 
-#: ../../configuration/service/pppoe-server.rst:472
-#: ../../configuration/vpn/l2tp.rst:426
+#: ../../configuration/service/pppoe-server.rst:497
+#: ../../configuration/vpn/l2tp.rst:429
 #: ../../configuration/vpn/pptp.rst:350
-#: ../../configuration/vpn/sstp.rst:384
+#: ../../configuration/vpn/sstp.rst:387
 msgid "**require** - Require IPv4 negotiation"
 msgstr "**require** - Require IPv4 negotiation"
 
-#: ../../configuration/service/pppoe-server.rst:347
-#: ../../configuration/vpn/l2tp.rst:291
+#: ../../configuration/service/pppoe-server.rst:367
+#: ../../configuration/vpn/l2tp.rst:294
 #: ../../configuration/vpn/pptp.rst:215
-#: ../../configuration/vpn/sstp.rst:249
+#: ../../configuration/vpn/sstp.rst:252
 msgid "**require** - Require IPv6 negotiation"
 msgstr "**require** - Require IPv6 negotiation"
 
-#: ../../configuration/service/pppoe-server.rst:505
-#: ../../configuration/vpn/l2tp.rst:459
+#: ../../configuration/service/pppoe-server.rst:530
+#: ../../configuration/vpn/l2tp.rst:463
 #: ../../configuration/vpn/pptp.rst:383
-#: ../../configuration/vpn/sstp.rst:417
+#: ../../configuration/vpn/sstp.rst:421
 msgid "**require** - ask client for mppe, if it rejects drop connection"
 msgstr "**require** - ask client for mppe, if it rejects drop connection"
 
@@ -985,11 +1149,11 @@ msgstr "**right**"
 msgid "**service** Service type. Requires `<value>`."
 msgstr "**service** Service type. Requires `<value>`."
 
-#: ../../configuration/container/index.rst:127
+#: ../../configuration/container/index.rst:166
 msgid "**setpcap**: Capability sets (from bounded or inherited set)"
 msgstr "**setpcap**: Capability sets (from bounded or inherited set)"
 
-#: ../../configuration/service/ipoe-server.rst:99
+#: ../../configuration/service/ipoe-server.rst:98
 msgid "**shared**: Multiple clients share the same network. **(default)**"
 msgstr "**shared**: Multiple clients share the same network. **(default)**"
 
@@ -1001,7 +1165,11 @@ msgstr "**source** - specifies which packets the NAT translation rule applies to
 msgid "**sys-admin**: Administation operations (quotactl, mount, sethostname, setdomainame)"
 msgstr "**sys-admin**: Administation operations (quotactl, mount, sethostname, setdomainame)"
 
-#: ../../configuration/container/index.rst:129
+#: ../../configuration/container/index.rst:167
+msgid "**sys-admin**: Administration operations (quotactl, mount, sethostname, setdomainame)"
+msgstr "**sys-admin**: Administration operations (quotactl, mount, sethostname, setdomainame)"
+
+#: ../../configuration/container/index.rst:169
 msgid "**sys-time**: Permission to set system clock"
 msgstr "**sys-time**: Permission to set system clock"
 
@@ -1017,7 +1185,7 @@ msgstr "**upstream:** The upstream network interface is the outgoing interface w
 msgid "**validate** The highest mode of DNSSEC processing. In this mode, all queries will be validated and will be answered with a SERVFAIL in case of bogus data, regardless of the client's request."
 msgstr "**validate** The highest mode of DNSSEC processing. In this mode, all queries will be validated and will be answered with a SERVFAIL in case of bogus data, regardless of the client's request."
 
-#: ../../configuration/service/ipoe-server.rst:100
+#: ../../configuration/service/ipoe-server.rst:99
 msgid "**vlan**: One VLAN per client."
 msgstr "**vlan**: One VLAN per client."
 
@@ -1025,14 +1193,14 @@ msgstr "**vlan**: One VLAN per client."
 msgid "**wide** - Use new style of TLVs to carry wider metric."
 msgstr "**wide** - Use new style of TLVs to carry wider metric."
 
-#: ../../configuration/service/pppoe-server.rst:392
-#: ../../configuration/service/pppoe-server.rst:399
-#: ../../configuration/vpn/l2tp.rst:336
-#: ../../configuration/vpn/l2tp.rst:343
+#: ../../configuration/service/pppoe-server.rst:413
+#: ../../configuration/service/pppoe-server.rst:421
+#: ../../configuration/vpn/l2tp.rst:339
+#: ../../configuration/vpn/l2tp.rst:346
 #: ../../configuration/vpn/pptp.rst:260
 #: ../../configuration/vpn/pptp.rst:267
-#: ../../configuration/vpn/sstp.rst:294
-#: ../../configuration/vpn/sstp.rst:301
+#: ../../configuration/vpn/sstp.rst:297
+#: ../../configuration/vpn/sstp.rst:304
 msgid "**x:x:x:x** - Specify interface identifier for IPv6"
 msgstr "**x:x:x:x** - Specify interface identifier for IPv6"
 
@@ -1040,51 +1208,51 @@ msgstr "**x:x:x:x** - Specify interface identifier for IPv6"
 msgid "*bgpd* supports Multiprotocol Extension for BGP. So if a remote peer supports the protocol, *bgpd* can exchange IPv6 and/or multicast routing information."
 msgstr "*bgpd* supports Multiprotocol Extension for BGP. So if a remote peer supports the protocol, *bgpd* can exchange IPv6 and/or multicast routing information."
 
-#: ../../configuration/system/syslog.rst:112
-#: ../../configuration/system/syslog.rst:171
-#: ../../configuration/trafficpolicy/index.rst:267
-#: ../../configuration/trafficpolicy/index.rst:803
-#: ../../configuration/trafficpolicy/index.rst:878
+#: ../../configuration/system/syslog.rst:130
+#: ../../configuration/system/syslog.rst:189
+#: ../../configuration/trafficpolicy/index.rst:317
+#: ../../configuration/trafficpolicy/index.rst:853
+#: ../../configuration/trafficpolicy/index.rst:928
 msgid "0"
 msgstr "0"
 
-#: ../../configuration/trafficpolicy/index.rst:267
+#: ../../configuration/trafficpolicy/index.rst:317
 msgid "000000"
 msgstr "000000"
 
-#: ../../configuration/trafficpolicy/index.rst:269
+#: ../../configuration/trafficpolicy/index.rst:319
 msgid "001010"
 msgstr "001010"
 
-#: ../../configuration/trafficpolicy/index.rst:271
+#: ../../configuration/trafficpolicy/index.rst:321
 msgid "001100"
 msgstr "001100"
 
-#: ../../configuration/trafficpolicy/index.rst:273
+#: ../../configuration/trafficpolicy/index.rst:323
 msgid "001110"
 msgstr "001110"
 
-#: ../../configuration/trafficpolicy/index.rst:275
+#: ../../configuration/trafficpolicy/index.rst:325
 msgid "010010"
 msgstr "010010"
 
-#: ../../configuration/trafficpolicy/index.rst:277
+#: ../../configuration/trafficpolicy/index.rst:327
 msgid "010100"
 msgstr "010100"
 
-#: ../../configuration/trafficpolicy/index.rst:279
+#: ../../configuration/trafficpolicy/index.rst:329
 msgid "010110"
 msgstr "010110"
 
-#: ../../configuration/trafficpolicy/index.rst:281
+#: ../../configuration/trafficpolicy/index.rst:331
 msgid "011010"
 msgstr "011010"
 
-#: ../../configuration/trafficpolicy/index.rst:283
+#: ../../configuration/trafficpolicy/index.rst:333
 msgid "011100"
 msgstr "011100"
 
-#: ../../configuration/trafficpolicy/index.rst:285
+#: ../../configuration/trafficpolicy/index.rst:335
 msgid "011110"
 msgstr "011110"
 
@@ -1092,19 +1260,19 @@ msgstr "011110"
 msgid "0: Disable DAD"
 msgstr "0: Disable DAD"
 
-#: ../../configuration/highavailability/index.rst:267
+#: ../../configuration/highavailability/index.rst:271
 msgid "0 if not defined, which means no refreshing."
 msgstr "0 if not defined, which means no refreshing."
 
-#: ../../configuration/highavailability/index.rst:249
+#: ../../configuration/highavailability/index.rst:253
 msgid "0 if not defined."
 msgstr "0 if not defined."
 
 #: ../../configuration/service/dhcp-server.rst:293
-#: ../../configuration/system/syslog.rst:114
-#: ../../configuration/system/syslog.rst:173
-#: ../../configuration/trafficpolicy/index.rst:801
-#: ../../configuration/trafficpolicy/index.rst:876
+#: ../../configuration/system/syslog.rst:132
+#: ../../configuration/system/syslog.rst:191
+#: ../../configuration/trafficpolicy/index.rst:851
+#: ../../configuration/trafficpolicy/index.rst:926
 msgid "1"
 msgstr "1"
 
@@ -1112,9 +1280,9 @@ msgstr "1"
 msgid "1-to-1 NAT"
 msgstr "1-to-1 NAT"
 
-#: ../../configuration/system/syslog.rst:132
-#: ../../configuration/trafficpolicy/index.rst:269
-#: ../../configuration/trafficpolicy/index.rst:876
+#: ../../configuration/system/syslog.rst:150
+#: ../../configuration/trafficpolicy/index.rst:319
+#: ../../configuration/trafficpolicy/index.rst:926
 msgid "10"
 msgstr "10"
 
@@ -1126,7 +1294,7 @@ msgstr "100000 - 100 GBit/s"
 msgid "10000 - 10 GBit/s"
 msgstr "10000 - 10 GBit/s"
 
-#: ../../configuration/trafficpolicy/index.rst:287
+#: ../../configuration/trafficpolicy/index.rst:337
 msgid "100010"
 msgstr "100010"
 
@@ -1134,11 +1302,11 @@ msgstr "100010"
 msgid "1000 - 1 GBit/s"
 msgstr "1000 - 1 GBit/s"
 
-#: ../../configuration/trafficpolicy/index.rst:289
+#: ../../configuration/trafficpolicy/index.rst:339
 msgid "100100"
 msgstr "100100"
 
-#: ../../configuration/trafficpolicy/index.rst:291
+#: ../../configuration/trafficpolicy/index.rst:341
 msgid "100110"
 msgstr "100110"
 
@@ -1146,7 +1314,7 @@ msgstr "100110"
 msgid "100 - 100 MBit/s"
 msgstr "100 - 100 MBit/s"
 
-#: ../../configuration/trafficpolicy/index.rst:265
+#: ../../configuration/trafficpolicy/index.rst:315
 msgid "101110"
 msgstr "101110"
 
@@ -1158,8 +1326,8 @@ msgstr "10.0.0.0 to 10.255.255.255 (CIDR: 10.0.0.0/8)"
 msgid "10 - 10 MBit/s"
 msgstr "10 - 10 MBit/s"
 
-#: ../../configuration/system/syslog.rst:134
-#: ../../configuration/trafficpolicy/index.rst:874
+#: ../../configuration/system/syslog.rst:152
+#: ../../configuration/trafficpolicy/index.rst:924
 msgid "11"
 msgstr "11"
 
@@ -1167,9 +1335,9 @@ msgstr "11"
 msgid "119"
 msgstr "119"
 
-#: ../../configuration/system/syslog.rst:136
-#: ../../configuration/trafficpolicy/index.rst:271
-#: ../../configuration/trafficpolicy/index.rst:872
+#: ../../configuration/system/syslog.rst:154
+#: ../../configuration/trafficpolicy/index.rst:321
+#: ../../configuration/trafficpolicy/index.rst:922
 msgid "12"
 msgstr "12"
 
@@ -1178,29 +1346,29 @@ msgid "121, 249"
 msgstr "121, 249"
 
 #: ../../configuration/service/dhcp-server.rst:360
-#: ../../configuration/system/syslog.rst:138
-#: ../../configuration/trafficpolicy/index.rst:870
+#: ../../configuration/system/syslog.rst:156
+#: ../../configuration/trafficpolicy/index.rst:920
 msgid "13"
 msgstr "13"
 
-#: ../../configuration/system/syslog.rst:140
-#: ../../configuration/trafficpolicy/index.rst:273
-#: ../../configuration/trafficpolicy/index.rst:868
+#: ../../configuration/system/syslog.rst:158
+#: ../../configuration/trafficpolicy/index.rst:323
+#: ../../configuration/trafficpolicy/index.rst:918
 msgid "14"
 msgstr "14"
 
 #: ../../configuration/service/dhcp-server.rst:320
-#: ../../configuration/system/syslog.rst:142
-#: ../../configuration/trafficpolicy/index.rst:866
+#: ../../configuration/system/syslog.rst:160
+#: ../../configuration/trafficpolicy/index.rst:916
 msgid "15"
 msgstr "15"
 
-#: ../../configuration/system/syslog.rst:144
-#: ../../configuration/trafficpolicy/index.rst:864
+#: ../../configuration/system/syslog.rst:162
+#: ../../configuration/trafficpolicy/index.rst:914
 msgid "16"
 msgstr "16"
 
-#: ../../configuration/system/syslog.rst:146
+#: ../../configuration/system/syslog.rst:164
 msgid "17"
 msgstr "17"
 
@@ -1208,13 +1376,13 @@ msgstr "17"
 msgid "172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12)"
 msgstr "172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12)"
 
-#: ../../configuration/system/syslog.rst:148
-#: ../../configuration/trafficpolicy/index.rst:275
+#: ../../configuration/system/syslog.rst:166
+#: ../../configuration/trafficpolicy/index.rst:325
 msgid "18"
 msgstr "18"
 
 #: ../../configuration/service/dhcp-server.rst:325
-#: ../../configuration/system/syslog.rst:150
+#: ../../configuration/system/syslog.rst:168
 msgid "19"
 msgstr "19"
 
@@ -1226,41 +1394,53 @@ msgstr "192.168.0.0 to 192.168.255.255 (CIDR: 192.168.0.0/16)"
 msgid "1. Create an event handler"
 msgstr "1. Create an event handler"
 
-#: ../../configuration/firewall/flowtables.rst:144
+#: ../../configuration/firewall/flowtables.rst:145
 msgid "1. First packet is received on eht0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1."
 msgstr "1. First packet is received on eht0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1."
 
+#: ../../configuration/firewall/flowtables.rst:145
+msgid "1. First packet is received on eth0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1."
+msgstr "1. First packet is received on eth0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1."
+
+#: ../../configuration/firewall/flowtables.rst:145
+msgid "1. Firstly, a packet is received on eth0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1."
+msgstr "1. Firstly, a packet is received on eth0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1."
+
+#: ../../configuration/firewall/groups.rst:345
+msgid "1. Generate a new TCP connection with destination port 9990. As shown next, a new entry was added to dynamic firewall group **PN_01**"
+msgstr "1. Generate a new TCP connection with destination port 9990. As shown next, a new entry was added to dynamic firewall group **PN_01**"
+
 #: ../../_include/interface-ipv6.txt:80
 msgid "1: Enable DAD (default)"
 msgstr "1: Enable DAD (default)"
 
-#: ../../configuration/highavailability/index.rst:277
+#: ../../configuration/highavailability/index.rst:281
 msgid "1 if not defined."
 msgstr "1 if not defined."
 
 #: ../../configuration/service/dhcp-server.rst:299
-#: ../../configuration/system/syslog.rst:116
-#: ../../configuration/system/syslog.rst:178
-#: ../../configuration/trafficpolicy/index.rst:799
-#: ../../configuration/trafficpolicy/index.rst:874
+#: ../../configuration/system/syslog.rst:134
+#: ../../configuration/system/syslog.rst:196
+#: ../../configuration/trafficpolicy/index.rst:849
+#: ../../configuration/trafficpolicy/index.rst:924
 msgid "2"
 msgstr "2"
 
-#: ../../configuration/system/syslog.rst:152
-#: ../../configuration/trafficpolicy/index.rst:277
+#: ../../configuration/system/syslog.rst:170
+#: ../../configuration/trafficpolicy/index.rst:327
 msgid "20"
 msgstr "20"
 
-#: ../../configuration/system/syslog.rst:154
+#: ../../configuration/system/syslog.rst:172
 msgid "21"
 msgstr "21"
 
-#: ../../configuration/system/syslog.rst:156
-#: ../../configuration/trafficpolicy/index.rst:279
+#: ../../configuration/system/syslog.rst:174
+#: ../../configuration/trafficpolicy/index.rst:329
 msgid "22"
 msgstr "22"
 
-#: ../../configuration/system/syslog.rst:158
+#: ../../configuration/system/syslog.rst:176
 msgid "23"
 msgstr "23"
 
@@ -1276,11 +1456,11 @@ msgstr "2500 - 2.5 GBit/s"
 msgid "252"
 msgstr "252"
 
-#: ../../configuration/trafficpolicy/index.rst:281
+#: ../../configuration/trafficpolicy/index.rst:331
 msgid "26"
 msgstr "26"
 
-#: ../../configuration/trafficpolicy/index.rst:283
+#: ../../configuration/trafficpolicy/index.rst:333
 msgid "28"
 msgstr "28"
 
@@ -1292,7 +1472,11 @@ msgstr "2FA OTP support"
 msgid "2. Add regex to the script"
 msgstr "2. Add regex to the script"
 
-#: ../../configuration/firewall/flowtables.rst:148
+#: ../../configuration/firewall/groups.rst:361
+msgid "2. Generate a new TCP connection with destination port 9991. As shown next, a new entry was added to dynamic firewall group **PN_02**"
+msgstr "2. Generate a new TCP connection with destination port 9991. As shown next, a new entry was added to dynamic firewall group **PN_02**"
+
+#: ../../configuration/firewall/flowtables.rst:149
 msgid "2. Since this is the first packet, connection status of this connection, so far is **new**. So neither rule 10 nor 20 are valid."
 msgstr "2. Since this is the first packet, connection status of this connection, so far is **new**. So neither rule 10 nor 20 are valid."
 
@@ -1301,26 +1485,26 @@ msgid "2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-loc
 msgstr "2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found."
 
 #: ../../configuration/service/dhcp-server.rst:305
-#: ../../configuration/system/syslog.rst:118
-#: ../../configuration/system/syslog.rst:181
-#: ../../configuration/trafficpolicy/index.rst:797
-#: ../../configuration/trafficpolicy/index.rst:872
+#: ../../configuration/system/syslog.rst:136
+#: ../../configuration/system/syslog.rst:199
+#: ../../configuration/trafficpolicy/index.rst:847
+#: ../../configuration/trafficpolicy/index.rst:922
 msgid "3"
 msgstr "3"
 
-#: ../../configuration/trafficpolicy/index.rst:285
+#: ../../configuration/trafficpolicy/index.rst:335
 msgid "30"
 msgstr "30"
 
-#: ../../configuration/trafficpolicy/index.rst:287
+#: ../../configuration/trafficpolicy/index.rst:337
 msgid "34"
 msgstr "34"
 
-#: ../../configuration/trafficpolicy/index.rst:289
+#: ../../configuration/trafficpolicy/index.rst:339
 msgid "36"
 msgstr "36"
 
-#: ../../configuration/trafficpolicy/index.rst:291
+#: ../../configuration/trafficpolicy/index.rst:341
 msgid "38"
 msgstr "38"
 
@@ -1328,11 +1512,15 @@ msgstr "38"
 msgid "3. Add a full path to the script"
 msgstr "3. Add a full path to the script"
 
+#: ../../configuration/firewall/groups.rst:377
+msgid "3. Generate a new TCP connection with destination port 9992. As shown next, a new entry was added to dynamic firewall group **ALLOWED**"
+msgstr "3. Generate a new TCP connection with destination port 9992. As shown next, a new entry was added to dynamic firewall group **ALLOWED**"
+
 #: ../../configuration/service/dhcp-server.rst:310
-#: ../../configuration/system/syslog.rst:120
-#: ../../configuration/system/syslog.rst:183
-#: ../../configuration/trafficpolicy/index.rst:795
-#: ../../configuration/trafficpolicy/index.rst:870
+#: ../../configuration/system/syslog.rst:138
+#: ../../configuration/system/syslog.rst:201
+#: ../../configuration/trafficpolicy/index.rst:845
+#: ../../configuration/trafficpolicy/index.rst:920
 msgid "4"
 msgstr "4"
 
@@ -1340,7 +1528,7 @@ msgstr "4"
 msgid "40000 - 40 GBit/s"
 msgstr "40000 - 40 GBit/s"
 
-#: ../../configuration/interfaces/wireless.rst:170
+#: ../../configuration/interfaces/wireless.rst:201
 msgid "40 MHz channels may switch their primary and secondary channels if needed or creation of 40 MHz channel maybe rejected based on overlapping BSSes. These changes are done automatically when hostapd is setting up the 40 MHz channel."
 msgstr "40 MHz channels may switch their primary and secondary channels if needed or creation of 40 MHz channel maybe rejected based on overlapping BSSes. These changes are done automatically when hostapd is setting up the 40 MHz channel."
 
@@ -1352,7 +1540,7 @@ msgstr "42"
 msgid "44"
 msgstr "44"
 
-#: ../../configuration/trafficpolicy/index.rst:265
+#: ../../configuration/trafficpolicy/index.rst:315
 msgid "46"
 msgstr "46"
 
@@ -1360,14 +1548,22 @@ msgstr "46"
 msgid "4. Add optional parameters"
 msgstr "4. Add optional parameters"
 
+#: ../../configuration/firewall/flowtables.rst:154
+msgid "4. Once an answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 20."
+msgstr "4. Once an answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 20."
+
 #: ../../configuration/firewall/flowtables.rst:153
 msgid "4. Once answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 10."
 msgstr "4. Once answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 10."
 
-#: ../../configuration/system/syslog.rst:122
-#: ../../configuration/system/syslog.rst:185
-#: ../../configuration/trafficpolicy/index.rst:793
-#: ../../configuration/trafficpolicy/index.rst:868
+#: ../../configuration/firewall/flowtables.rst:154
+msgid "4. Once answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 20."
+msgstr "4. Once answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 20."
+
+#: ../../configuration/system/syslog.rst:140
+#: ../../configuration/system/syslog.rst:203
+#: ../../configuration/trafficpolicy/index.rst:843
+#: ../../configuration/trafficpolicy/index.rst:918
 msgid "5"
 msgstr "5"
 
@@ -1383,23 +1579,31 @@ msgstr "5000 - 5 GBit/s"
 msgid "54"
 msgstr "54"
 
-#: ../../configuration/firewall/flowtables.rst:157
+#: ../../configuration/firewall/flowtables.rst:158
 msgid "5. Second packet for this connection is received by the router. Since connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection."
 msgstr "5. Second packet for this connection is received by the router. Since connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection."
 
-#: ../../configuration/highavailability/index.rst:257
-#: ../../configuration/highavailability/index.rst:288
+#: ../../configuration/firewall/flowtables.rst:158
+msgid "5. The second packet for this connection is received by the router. Since connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection."
+msgstr "5. The second packet for this connection is received by the router. Since connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection."
+
+#: ../../configuration/highavailability/index.rst:261
+#: ../../configuration/highavailability/index.rst:292
 msgid "5 if not defined."
 msgstr "5 if not defined."
 
 #: ../../configuration/service/dhcp-server.rst:315
-#: ../../configuration/system/syslog.rst:124
-#: ../../configuration/system/syslog.rst:189
-#: ../../configuration/trafficpolicy/index.rst:791
-#: ../../configuration/trafficpolicy/index.rst:866
+#: ../../configuration/system/syslog.rst:142
+#: ../../configuration/system/syslog.rst:207
+#: ../../configuration/trafficpolicy/index.rst:841
+#: ../../configuration/trafficpolicy/index.rst:916
 msgid "6"
 msgstr "6"
 
+#: ../../configuration/nat/cgnat.rst:69
+msgid "64512 / 1000 ≈ 64 subscribers per public IP"
+msgstr "64512 / 1000 ≈ 64 subscribers per public IP"
+
 #: ../../configuration/service/dhcp-server.rst:350
 msgid "66"
 msgstr "66"
@@ -1416,10 +1620,18 @@ msgstr "67"
 msgid "69"
 msgstr "69"
 
-#: ../../configuration/firewall/flowtables.rst:161
+#: ../../configuration/firewall/flowtables.rst:162
 msgid "6. All subsecuent packets will skip traditional path, and will be offloaded and will use the **Fast Path**."
 msgstr "6. All subsecuent packets will skip traditional path, and will be offloaded and will use the **Fast Path**."
 
+#: ../../configuration/firewall/flowtables.rst:162
+msgid "6. All the following packets will skip the traditional path, will be offloaded and use the **Fast Path**."
+msgstr "6. All the following packets will skip the traditional path, will be offloaded and use the **Fast Path**."
+
+#: ../../configuration/firewall/flowtables.rst:162
+msgid "6. All the following packets will skip traditional path, and will be offloaded and will use the **Fast Path**."
+msgstr "6. All the following packets will skip traditional path, and will be offloaded and will use the **Fast Path**."
+
 #: ../../configuration/interfaces/tunnel.rst:81
 msgid "6in4 (SIT)"
 msgstr "6in4 (SIT)"
@@ -1428,10 +1640,10 @@ msgstr "6in4 (SIT)"
 msgid "6in4 uses tunneling to encapsulate IPv6 traffic over IPv4 links as defined in :rfc:`4213`. The 6in4 traffic is sent over IPv4 inside IPv4 packets whose IP headers have the IP protocol number set to 41. This protocol number is specifically designated for IPv6 encapsulation, the IPv4 packet header is immediately followed by the IPv6 packet being carried. The encapsulation overhead is the size of the IPv4 header of 20 bytes, therefore with an MTU of 1500 bytes, IPv6 packets of 1480 bytes can be sent without fragmentation. This tunneling technique is frequently used by IPv6 tunnel brokers like `Hurricane Electric`_."
 msgstr "6in4 uses tunneling to encapsulate IPv6 traffic over IPv4 links as defined in :rfc:`4213`. The 6in4 traffic is sent over IPv4 inside IPv4 packets whose IP headers have the IP protocol number set to 41. This protocol number is specifically designated for IPv6 encapsulation, the IPv4 packet header is immediately followed by the IPv6 packet being carried. The encapsulation overhead is the size of the IPv4 header of 20 bytes, therefore with an MTU of 1500 bytes, IPv6 packets of 1480 bytes can be sent without fragmentation. This tunneling technique is frequently used by IPv6 tunnel brokers like `Hurricane Electric`_."
 
-#: ../../configuration/system/syslog.rst:126
-#: ../../configuration/system/syslog.rst:191
-#: ../../configuration/trafficpolicy/index.rst:789
-#: ../../configuration/trafficpolicy/index.rst:864
+#: ../../configuration/system/syslog.rst:144
+#: ../../configuration/system/syslog.rst:209
+#: ../../configuration/trafficpolicy/index.rst:839
+#: ../../configuration/trafficpolicy/index.rst:914
 msgid "7"
 msgstr "7"
 
@@ -1439,7 +1651,7 @@ msgstr "7"
 msgid "70"
 msgstr "70"
 
-#: ../../configuration/system/syslog.rst:128
+#: ../../configuration/system/syslog.rst:146
 msgid "8"
 msgstr "8"
 
@@ -1447,8 +1659,8 @@ msgstr "8"
 msgid "802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is ``vif``."
 msgstr "802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is ``vif``."
 
-#: ../../configuration/system/syslog.rst:130
-#: ../../configuration/trafficpolicy/index.rst:878
+#: ../../configuration/system/syslog.rst:148
+#: ../../configuration/trafficpolicy/index.rst:928
 msgid "9"
 msgstr "9"
 
@@ -1472,14 +1684,23 @@ msgstr "<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match."
 msgid "<h:h:h:h:h:h:h:h>: IPv6 address to match."
 msgstr "<h:h:h:h:h:h:h:h>: IPv6 address to match."
 
-#: ../../configuration/system/syslog.rst:230
+#: ../../configuration/system/syslog.rst:248
 msgid "<lines>"
 msgstr "<lines>"
 
-#: ../../configuration/interfaces/wireless.rst:251
+#: ../../configuration/interfaces/wireless.rst:286
 msgid "<number> must be from 34 - 173. For 80 MHz channels it should be channel + 6."
 msgstr "<number> must be from 34 - 173. For 80 MHz channels it should be channel + 6."
 
+#: ../../configuration/interfaces/wireless.rst:381
+#: ../../configuration/interfaces/wireless.rst:401
+msgid "<number> must be one of:"
+msgstr "<number> must be one of:"
+
+#: ../../configuration/interfaces/wireless.rst:375
+msgid "<number> must be within 1..233. For 80 MHz channels it should be channel + 6 and for 160 MHz channels, it should be channel + 14."
+msgstr "<number> must be within 1..233. For 80 MHz channels it should be channel + 6 and for 160 MHz channels, it should be channel + 14."
+
 #: ../../configuration/protocols/ospf.rst:346
 msgid "<number> – area identifier through which a virtual link goes. <A.B.C.D> – ABR router-id with which a virtual link is established. Virtual link must be configured on both routers."
 msgstr "<number> – area identifier through which a virtual link goes. <A.B.C.D> – ABR router-id with which a virtual link is established. Virtual link must be configured on both routers."
@@ -1528,15 +1749,15 @@ msgstr "API"
 msgid "ARP"
 msgstr "ARP"
 
-#: ../../configuration/firewall/groups.rst:129
+#: ../../configuration/firewall/groups.rst:128
 msgid "A **domain group** represents a collection of domains."
 msgstr "A **domain group** represents a collection of domains."
 
-#: ../../configuration/firewall/groups.rst:111
+#: ../../configuration/firewall/groups.rst:110
 msgid "A **mac group** represents a collection of mac addresses."
 msgstr "A **mac group** represents a collection of mac addresses."
 
-#: ../../configuration/firewall/groups.rst:86
+#: ../../configuration/firewall/groups.rst:85
 msgid "A **port group** represents only port numbers, not the protocol. Port groups can be referenced for either TCP or UDP. It is recommended that TCP and UDP groups are created separately to avoid accidentally filtering unnecessary ports. Ranges of ports can be specified by using `-`."
 msgstr "A **port group** represents only port numbers, not the protocol. Port groups can be referenced for either TCP or UDP. It is recommended that TCP and UDP groups are created separately to avoid accidentally filtering unnecessary ports. Ranges of ports can be specified by using `-`."
 
@@ -1544,6 +1765,10 @@ msgstr "A **port group** represents only port numbers, not the protocol. Port gr
 msgid "A *bit* is written as **bit**,"
 msgstr "A *bit* is written as **bit**,"
 
+#: ../../configuration/firewall/groups.rst:288
+msgid "A 4 step port knocking example is shown next:"
+msgstr "A 4 step port knocking example is shown next:"
+
 #: ../../configuration/protocols/rpki.rst:21
 msgid "A BGP-speaking router like VyOS can retrieve ROA information from RPKI \"Relying Party software\" (often just called an \"RPKI server\" or \"RPKI validator\") by using :abbr:`RTR (RPKI to Router)` protocol. There are several open source implementations to choose from, such as NLNetLabs' Routinator_ (written in Rust), Cloudflare's GoRTR_ and OctoRPKI_ (written in Go), and RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described in :rfc:`8210`."
 msgstr "A BGP-speaking router like VyOS can retrieve ROA information from RPKI \"Relying Party software\" (often just called an \"RPKI server\" or \"RPKI validator\") by using :abbr:`RTR (RPKI to Router)` protocol. There are several open source implementations to choose from, such as NLNetLabs' Routinator_ (written in Rust), Cloudflare's GoRTR_ and OctoRPKI_ (written in Go), and RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described in :rfc:`8210`."
@@ -1592,16 +1817,16 @@ msgstr "A :abbr:`NIS (Network Information Service)` domain can be set to be used
 msgid "A basic configuration requires a tunnel source (source-address), a tunnel destination (remote), an encapsulation type (gre), and an address (ipv4/ipv6). Below is a basic IPv4 only configuration example taken from a VyOS router and a Cisco IOS router. The main difference between these two configurations is that VyOS requires you explicitly configure the encapsulation type. The Cisco router defaults to GRE IP otherwise it would have to be configured as well."
 msgstr "A basic configuration requires a tunnel source (source-address), a tunnel destination (remote), an encapsulation type (gre), and an address (ipv4/ipv6). Below is a basic IPv4 only configuration example taken from a VyOS router and a Cisco IOS router. The main difference between these two configurations is that VyOS requires you explicitly configure the encapsulation type. The Cisco router defaults to GRE IP otherwise it would have to be configured as well."
 
-#: ../../configuration/firewall/zone.rst:73
+#: ../../configuration/firewall/zone.rst:70
 msgid "A basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`."
 msgstr "A basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`."
 
-#: ../../configuration/interfaces/bridge.rst:204
-#: ../../configuration/interfaces/bridge.rst:238
+#: ../../configuration/interfaces/bridge.rst:203
+#: ../../configuration/interfaces/bridge.rst:237
 msgid "A bridge named `br100`"
 msgstr "A bridge named `br100`"
 
-#: ../../configuration/container/index.rst:144
+#: ../../configuration/container/index.rst:199
 msgid "A brief description what this network is all about."
 msgstr "A brief description what this network is all about."
 
@@ -1609,11 +1834,11 @@ msgstr "A brief description what this network is all about."
 msgid "A class can have multiple match filters:"
 msgstr "A class can have multiple match filters:"
 
-#: ../../configuration/trafficpolicy/index.rst:307
+#: ../../configuration/trafficpolicy/index.rst:357
 msgid "A common example is the case of some policies which, in order to be effective, they need to be applied to an interface that is directly connected where the bottleneck is. If your router is not directly connected to the bottleneck, but some hop before it, you can emulate the bottleneck by embedding your non-shaping policy into a classful shaping one so that it takes effect."
 msgstr "A common example is the case of some policies which, in order to be effective, they need to be applied to an interface that is directly connected where the bottleneck is. If your router is not directly connected to the bottleneck, but some hop before it, you can emulate the bottleneck by embedding your non-shaping policy into a classful shaping one so that it takes effect."
 
-#: ../../configuration/interfaces/openvpn.rst:538
+#: ../../configuration/interfaces/openvpn.rst:542
 msgid "A complete LDAP auth OpenVPN configuration could look like the following example:"
 msgstr "A complete LDAP auth OpenVPN configuration could look like the following example:"
 
@@ -1621,7 +1846,7 @@ msgstr "A complete LDAP auth OpenVPN configuration could look like the following
 msgid "A configuration example can be found in this section. In this simplified scenario, main things to be considered are:"
 msgstr "A configuration example can be found in this section. In this simplified scenario, main things to be considered are:"
 
-#: ../../configuration/vpn/sstp.rst:508
+#: ../../configuration/vpn/sstp.rst:518
 msgid "A connection attempt will be shown as:"
 msgstr "A connection attempt will be shown as:"
 
@@ -1633,6 +1858,10 @@ msgstr "A default route is automatically installed once the interface is up. To
 msgid "A description can be added for each and every unique relay ID. This is useful to distinguish between multiple different ports/appliactions."
 msgstr "A description can be added for each and every unique relay ID. This is useful to distinguish between multiple different ports/appliactions."
 
+#: ../../configuration/service/broadcast-relay.rst:22
+msgid "A description can be added for each and every unique relay ID. This is useful to distinguish between multiple different ports/applications."
+msgstr "A description can be added for each and every unique relay ID. This is useful to distinguish between multiple different ports/applications."
+
 #: ../../configuration/highavailability/index.rst:78
 msgid "A disabled group will be removed from the VRRP process and your router will not participate in VRRP for that VRID. It will disappear from operational mode commands output, rather than enter the backup state."
 msgstr "A disabled group will be removed from the VRRP process and your router will not participate in VRRP for that VRID. It will disappear from operational mode commands output, rather than enter the backup state."
@@ -1645,7 +1874,7 @@ msgstr "A domain name is the label (name) assigned to a computer network and is
 msgid "A dummy interface for the provider-assigned IP;"
 msgstr "A dummy interface for the provider-assigned IP;"
 
-#: ../../configuration/highavailability/index.rst:436
+#: ../../configuration/highavailability/index.rst:440
 msgid "A firewall mark ``fwmark`` allows using multiple ports for high-availability virtual-server. It uses fwmark value."
 msgstr "A firewall mark ``fwmark`` allows using multiple ports for high-availability virtual-server. It uses fwmark value."
 
@@ -1669,6 +1898,10 @@ msgstr "A human readable description what this CA is about."
 msgid "A human readable description what this certificate is about."
 msgstr "A human readable description what this certificate is about."
 
+#: ../../_include/interface-evpn-uplink.txt:7
+msgid "A link can be setup for uplink tracking via the following example:"
+msgstr "A link can be setup for uplink tracking via the following example:"
+
 #: ../../configuration/interfaces/loopback.rst:17
 msgid "A lookback interface is always up, thus it could be used for management traffic or as source/destination for and :abbr:`IGP (Interior Gateway Protocol)` like :ref:`routing-bgp` so your internal BGP link is not dependent on physical link states and multiple routes can be chosen to the destination. A :ref:`dummy-interface` Interface should always be preferred over a :ref:`loopback-interface` interface."
 msgstr "A lookback interface is always up, thus it could be used for management traffic or as source/destination for and :abbr:`IGP (Interior Gateway Protocol)` like :ref:`routing-bgp` so your internal BGP link is not dependent on physical link states and multiple routes can be chosen to the destination. A :ref:`dummy-interface` Interface should always be preferred over a :ref:`loopback-interface` interface."
@@ -1685,6 +1918,10 @@ msgstr "A managed device is a network node that implements an SNMP interface tha
 msgid "A match filter can contain multiple criteria and will match traffic if all those criteria are true."
 msgstr "A match filter can contain multiple criteria and will match traffic if all those criteria are true."
 
+#: ../../configuration/trafficpolicy/index.rst:238
+msgid "A match group can contain multiple criteria and inherit them in the same policy."
+msgstr "A match group can contain multiple criteria and inherit them in the same policy."
+
 #: ../../configuration/protocols/bfd.rst:145
 msgid "A monitored static route conditions the installation to the RIB on the BFD session running state: when BFD session is up the route is installed to RIB, but when the BFD session is down it is removed from the RIB."
 msgstr "A monitored static route conditions the installation to the RIB on the BFD session running state: when BFD session is up the route is installed to RIB, but when the BFD session is down it is removed from the RIB."
@@ -1693,7 +1930,7 @@ msgstr "A monitored static route conditions the installation to the RIB on the B
 msgid "A network management station executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs may exist on any managed network."
 msgstr "A network management station executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs may exist on any managed network."
 
-#: ../../configuration/interfaces/bonding.rst:337
+#: ../../configuration/interfaces/bonding.rst:390
 msgid "A new interface becomes present ``Port-channel1``, all configuration like allowed VLAN interfaces, STP will happen here."
 msgstr "A new interface becomes present ``Port-channel1``, all configuration like allowed VLAN interfaces, STP will happen here."
 
@@ -1701,7 +1938,7 @@ msgstr "A new interface becomes present ``Port-channel1``, all configuration lik
 msgid "A packet rate limit can be set for a rule to apply the rule to traffic above or below a specified threshold. To configure the rate limiting use:"
 msgstr "A packet rate limit can be set for a rule to apply the rule to traffic above or below a specified threshold. To configure the rate limiting use:"
 
-#: ../../configuration/firewall/flowtables.rst:44
+#: ../../configuration/firewall/flowtables.rst:45
 msgid "A packet that finds a matching entry in the flowtable (flowtable hit) is transmitted to the output netdevice, hence, packets bypass the classic IP forwarding path and uses the **Fast Path** (orange circles path). The visible effect is that you do not see these packets from any of the Netfilter hooks coming after ingress. In case that there is no matching entry in the flowtable (flowtable miss), the packet follows the classic IP forwarding path."
 msgstr "A packet that finds a matching entry in the flowtable (flowtable hit) is transmitted to the output netdevice, hence, packets bypass the classic IP forwarding path and uses the **Fast Path** (orange circles path). The visible effect is that you do not see these packets from any of the Netfilter hooks coming after ingress. In case that there is no matching entry in the flowtable (flowtable miss), the packet follows the classic IP forwarding path."
 
@@ -1717,8 +1954,13 @@ msgstr "A physical interface is required to connect this MACsec instance to. Tra
 msgid "A pool of addresses can be defined by using a hyphen between two IP addresses:"
 msgstr "A pool of addresses can be defined by using a hyphen between two IP addresses:"
 
-#: ../../configuration/firewall/ipv4.rst:508
-#: ../../configuration/firewall/ipv6.rst:491
+#: ../../configuration/firewall/ipv4.rst:532
+#: ../../configuration/firewall/ipv6.rst:519
+msgid "A port can be set by number or name as defined in ``/etc/services``."
+msgstr "A port can be set by number or name as defined in ``/etc/services``."
+
+#: ../../configuration/firewall/ipv4.rst:532
+#: ../../configuration/firewall/ipv6.rst:519
 msgid "A port can be set with a port number or a name which is here defined: ``/etc/services``."
 msgstr "A port can be set with a port number or a name which is here defined: ``/etc/services``."
 
@@ -1730,7 +1972,7 @@ msgstr "A query for which there is authoritatively no answer is cached to quickl
 msgid "A received NHRP Traffic Indication will trigger the resolution and establishment of a shortcut route."
 msgstr "A received NHRP Traffic Indication will trigger the resolution and establishment of a shortcut route."
 
-#: ../../configuration/vrf/index.rst:30
+#: ../../configuration/vrf/index.rst:26
 msgid "A routing table ID can not be modified once it is assigned. It can only be changed by deleting and re-adding the VRF instance."
 msgstr "A routing table ID can not be modified once it is assigned. It can only be changed by deleting and re-adding the VRF instance."
 
@@ -1755,15 +1997,19 @@ msgstr "A segment ID that contains an IP address prefix calculated by an IGP in
 msgid "A sending station (computer or network switch) may be transmitting data faster than the other end of the link can accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions until the receiver catches up."
 msgstr "A sending station (computer or network switch) may be transmitting data faster than the other end of the link can accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions until the receiver catches up."
 
-#: ../../configuration/service/dhcp-server.rst:648
+#: ../../configuration/service/dhcp-server.rst:677
 msgid "A shared network named ``NET1`` serves subnet ``2001:db8::/64``"
 msgstr "A shared network named ``NET1`` serves subnet ``2001:db8::/64``"
 
+#: ../../configuration/service/dhcp-server.rst:654
+msgid "A shared network named ``PD-NET`` serves subnet ``2001:db8::/64``."
+msgstr "A shared network named ``PD-NET`` serves subnet ``2001:db8::/64``."
+
 #: ../../configuration/protocols/bgp.rst:1168
 msgid "A simple BGP configuration via IPv6."
 msgstr "A simple BGP configuration via IPv6."
 
-#: ../../configuration/trafficpolicy/index.rst:769
+#: ../../configuration/trafficpolicy/index.rst:819
 msgid "A simple Random Early Detection (RED) policy would start randomly dropping packets from a queue before it reaches its queue limit thus avoiding congestion. That is good for TCP connections as the gradual dropping of packets acts as a signal for the sender to decrease its transmission rate."
 msgstr "A simple Random Early Detection (RED) policy would start randomly dropping packets from a queue before it reaches its queue limit thus avoiding congestion. That is good for TCP connections as the gradual dropping of packets acts as a signal for the sender to decrease its transmission rate."
 
@@ -1771,11 +2017,11 @@ msgstr "A simple Random Early Detection (RED) policy would start randomly droppi
 msgid "A simple eBGP configuration:"
 msgstr "A simple eBGP configuration:"
 
-#: ../../configuration/trafficpolicy/index.rst:1124
+#: ../../configuration/trafficpolicy/index.rst:1174
 msgid "A simple example of Shaper using priorities."
 msgstr "A simple example of Shaper using priorities."
 
-#: ../../configuration/trafficpolicy/index.rst:532
+#: ../../configuration/trafficpolicy/index.rst:582
 msgid "A simple example of an FQ-CoDel policy working inside a Shaper one."
 msgstr "A simple example of an FQ-CoDel policy working inside a Shaper one."
 
@@ -1783,7 +2029,7 @@ msgstr "A simple example of an FQ-CoDel policy working inside a Shaper one."
 msgid "A simplified traffic flow, based on Netfilter packet flow, is shown next, in order to have a full view and understanding of how packets are processed, and what possible paths can take."
 msgstr "A simplified traffic flow, based on Netfilter packet flow, is shown next, in order to have a full view and understanding of how packets are processed, and what possible paths can take."
 
-#: ../../configuration/firewall/index.rst:14
+#: ../../configuration/firewall/index.rst:19
 msgid "A simplified traffic flow diagram, based on Netfilter packet flow, is shown next, in order to have a full view and understanding of how packets are processed, and what possible paths traffic can take."
 msgstr "A simplified traffic flow diagram, based on Netfilter packet flow, is shown next, in order to have a full view and understanding of how packets are processed, and what possible paths traffic can take."
 
@@ -1815,7 +2061,7 @@ msgstr "A user friendly alias for this connection. Can be used instead of the de
 msgid "A user friendly description identifying the connected peripheral."
 msgstr "A user friendly description identifying the connected peripheral."
 
-#: ../../configuration/interfaces/bonding.rst:260
+#: ../../configuration/interfaces/bonding.rst:265
 msgid "A value of 0 disables ARP monitoring. The default value is 0."
 msgstr "A value of 0 disables ARP monitoring. The default value is 0."
 
@@ -1823,11 +2069,11 @@ msgstr "A value of 0 disables ARP monitoring. The default value is 0."
 msgid "A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data)."
 msgstr "A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data)."
 
-#: ../../configuration/trafficpolicy/index.rst:943
+#: ../../configuration/trafficpolicy/index.rst:993
 msgid "A very small buffer will soon start dropping packets."
 msgstr "A very small buffer will soon start dropping packets."
 
-#: ../../configuration/firewall/zone.rst:52
+#: ../../configuration/firewall/zone.rst:49
 msgid "A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone."
 msgstr "A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone."
 
@@ -1851,18 +2097,19 @@ msgstr "Accept SSH connections for the given `<device>` on TCP port `<port>`. Af
 msgid "Accept only certain protocols: You may want to replicate the state of flows depending on their layer 4 protocol."
 msgstr "Accept only certain protocols: You may want to replicate the state of flows depending on their layer 4 protocol."
 
-#: ../../configuration/service/pppoe-server.rst:384
-#: ../../configuration/vpn/l2tp.rst:328
+#: ../../configuration/service/pppoe-server.rst:404
 #: ../../configuration/vpn/pptp.rst:252
-#: ../../configuration/vpn/sstp.rst:286
 msgid "Accept peer interface identifier. By default is not defined."
 msgstr "Accept peer interface identifier. By default is not defined."
 
-#: ../../configuration/service/ipoe-server.rst:364
-#: ../../configuration/service/pppoe-server.rst:530
-#: ../../configuration/vpn/l2tp.rst:484
+#: ../../configuration/vpn/l2tp.rst:331
+#: ../../configuration/vpn/sstp.rst:289
+msgid "Accept peer interface identifier. By default this is not defined."
+msgstr "Accept peer interface identifier. By default this is not defined."
+
+#: ../../configuration/service/ipoe-server.rst:363
+#: ../../configuration/service/pppoe-server.rst:555
 #: ../../configuration/vpn/pptp.rst:408
-#: ../../configuration/vpn/sstp.rst:442
 msgid "Acceptable rate of connections (e.g. 1/min, 60/sec)"
 msgstr "Acceptable rate of connections (e.g. 1/min, 60/sec)"
 
@@ -1874,7 +2121,7 @@ msgstr "Access List Policy"
 msgid "Access Lists"
 msgstr "Access Lists"
 
-#: ../../configuration/system/syslog.rst:173
+#: ../../configuration/system/syslog.rst:191
 msgid "Action must be taken immediately - A condition that should be corrected immediately, such as a corrupted system database."
 msgstr "Action must be taken immediately - A condition that should be corrected immediately, such as a corrupted system database."
 
@@ -1882,18 +2129,18 @@ msgstr "Action must be taken immediately - A condition that should be corrected
 msgid "Action which will be run once the ctrl-alt-del keystroke is received."
 msgstr "Action which will be run once the ctrl-alt-del keystroke is received."
 
-#: ../../configuration/firewall/bridge.rst:65
-#: ../../configuration/firewall/ipv4.rst:81
-#: ../../configuration/firewall/ipv6.rst:81
+#: ../../configuration/firewall/bridge.rst:84
+#: ../../configuration/firewall/ipv4.rst:105
+#: ../../configuration/firewall/ipv6.rst:105
 #: ../../configuration/policy/route.rst:238
 msgid "Actions"
 msgstr "Actions"
 
-#: ../../configuration/interfaces/openvpn.rst:483
+#: ../../configuration/interfaces/openvpn.rst:487
 msgid "Active Directory"
 msgstr "Active Directory"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:135
+#: ../../configuration/loadbalancing/haproxy.rst:142
 msgid "Active health check backend server"
 msgstr "Active health check backend server"
 
@@ -1901,7 +2148,7 @@ msgstr "Active health check backend server"
 msgid "Add NTA (negative trust anchor) for this domain. This must be set if the domain does not support DNSSEC."
 msgstr "Add NTA (negative trust anchor) for this domain. This must be set if the domain does not support DNSSEC."
 
-#: ../../configuration/interfaces/wireless.rst:105
+#: ../../configuration/interfaces/wireless.rst:129
 msgid "Add Power Constraint element to Beacon and Probe Response frames."
 msgstr "Add Power Constraint element to Beacon and Probe Response frames."
 
@@ -1909,15 +2156,15 @@ msgstr "Add Power Constraint element to Beacon and Probe Response frames."
 msgid "Add a forwarding rule matching UDP port on your internet router."
 msgstr "Add a forwarding rule matching UDP port on your internet router."
 
-#: ../../configuration/container/index.rst:118
+#: ../../configuration/container/index.rst:156
 msgid "Add a host device to the container."
 msgstr "Add a host device to the container."
 
-#: ../../configuration/service/ssh.rst:84
+#: ../../configuration/service/ssh.rst:85
 msgid "Add access-control directive to allow or deny users and groups. Directives are processed in the following order of precedence: ``deny-users``, ``allow-users``, ``deny-groups`` and ``allow-groups``."
 msgstr "Add access-control directive to allow or deny users and groups. Directives are processed in the following order of precedence: ``deny-users``, ``allow-users``, ``deny-groups`` and ``allow-groups``."
 
-#: ../../configuration/container/index.rst:58
+#: ../../configuration/container/index.rst:83
 msgid "Add custom environment variables. Multiple environment variables are allowed. The following commands translate to \"-e key=value\" when the container is created."
 msgstr "Add custom environment variables. Multiple environment variables are allowed. The following commands translate to \"-e key=value\" when the container is created."
 
@@ -1925,6 +2172,18 @@ msgstr "Add custom environment variables. Multiple environment variables are all
 msgid "Add default routes for routing ``table 10`` and ``table 11``"
 msgstr "Add default routes for routing ``table 10`` and ``table 11``"
 
+#: ../../configuration/firewall/groups.rst:162
+msgid "Add description to firewall groups:"
+msgstr "Add description to firewall groups:"
+
+#: ../../configuration/firewall/groups.rst:177
+msgid "Add destination IP address of the connection to a dynamic address group:"
+msgstr "Add destination IP address of the connection to a dynamic address group:"
+
+#: ../../configuration/container/index.rst:184
+msgid "Add metadata label for this container."
+msgstr "Add metadata label for this container."
+
 #: ../../configuration/policy/examples.rst:176
 msgid "Add multiple source IP in one rule with same priority"
 msgstr "Add multiple source IP in one rule with same priority"
@@ -1953,6 +2212,10 @@ msgstr "Add policy route matching VLAN source addresses"
 msgid "Add public key portion for the certificate named `name` to the VyOS CLI."
 msgstr "Add public key portion for the certificate named `name` to the VyOS CLI."
 
+#: ../../configuration/firewall/groups.rst:188
+msgid "Add source IP address of the connection to a dynamic address group:"
+msgstr "Add source IP address of the connection to a dynamic address group:"
+
 #: ../../configuration/pki/index.rst:195
 msgid "Add the CAs private key to the VyOS CLI. This should never leave the system, and is only required if you use VyOS as your certificate generator as mentioned above."
 msgstr "Add the CAs private key to the VyOS CLI. This should never leave the system, and is only required if you use VyOS as your certificate generator as mentioned above."
@@ -1973,7 +2236,11 @@ msgstr "Add the public CA certificate for the CA named `name` to the VyOS CLI."
 msgid "Adding a 2FA with an OTP-key"
 msgstr "Adding a 2FA with an OTP-key"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:301
+#: ../../configuration/firewall/groups.rst:170
+msgid "Adding elements to Dynamic Firewall Groups"
+msgstr "Adding elements to Dynamic Firewall Groups"
+
+#: ../../configuration/loadbalancing/haproxy.rst:354
 msgid "Additional global parameters are set, including the maximum number connection limit of 4000 and a minimum TLS version of 1.3."
 msgstr "Additional global parameters are set, including the maximum number connection limit of 4000 and a minimum TLS version of 1.3."
 
@@ -1985,6 +2252,10 @@ msgstr "Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing
 msgid "Additionally, each client needs a copy of ca cert and its own client key and cert files. The files are plaintext so they may be copied either manually from the CLI. Client key and cert files should be signed with the proper ca cert and generated on the server side."
 msgstr "Additionally, each client needs a copy of ca cert and its own client key and cert files. The files are plaintext so they may be copied either manually from the CLI. Client key and cert files should be signed with the proper ca cert and generated on the server side."
 
+#: ../../configuration/interfaces/openvpn.rst:419
+msgid "Additionally, each client needs a copy of ca cert and its own client key and cert files. The files are plaintext so they may be copied manually from the CLI. Client key and cert files should be signed with the proper ca cert and generated on the server side."
+msgstr "Additionally, each client needs a copy of ca cert and its own client key and cert files. The files are plaintext so they may be copied manually from the CLI. Client key and cert files should be signed with the proper ca cert and generated on the server side."
+
 #: ../../configuration/nat/nat44.rst:760
 msgid "Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above)"
 msgstr "Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above)"
@@ -2009,11 +2280,16 @@ msgstr "Address Families"
 msgid "Address Groups"
 msgstr "Address Groups"
 
-#: ../../configuration/service/dhcp-server.rst:651
+#: ../../configuration/service/suricata.rst:42
+msgid "Address groups are useful when you need to create rules that apply to specific IP addresses. For example, if you want to create a rule that monitors traffic going to or from a specific IP address, you can use the group name instead of the actual IP address. This simplifies rule management and makes the configuration more flexible."
+msgstr "Address groups are useful when you need to create rules that apply to specific IP addresses. For example, if you want to create a rule that monitors traffic going to or from a specific IP address, you can use the group name instead of the actual IP address. This simplifies rule management and makes the configuration more flexible."
+
+#: ../../configuration/service/dhcp-server.rst:656
+#: ../../configuration/service/dhcp-server.rst:680
 msgid "Address pool shall be ``2001:db8::100`` through ``2001:db8::199``."
 msgstr "Address pool shall be ``2001:db8::100`` through ``2001:db8::199``."
 
-#: ../../configuration/service/dhcp-server.rst:641
+#: ../../configuration/service/dhcp-server.rst:670
 msgid "Address pools"
 msgstr "Address pools"
 
@@ -2021,7 +2297,7 @@ msgstr "Address pools"
 msgid "Address to listen for HTTPS requests"
 msgstr "Address to listen for HTTPS requests"
 
-#: ../../configuration/container/index.rst:160
+#: ../../configuration/container/index.rst:215
 msgid "Adds registry to list of unqualified-search-registries. By default, for any image that does not include the registry in the image name, VyOS will use docker.io and quay.io as the container registry."
 msgstr "Adds registry to list of unqualified-search-registries. By default, for any image that does not include the registry in the image name, VyOS will use docker.io and quay.io as the container registry."
 
@@ -2029,19 +2305,23 @@ msgstr "Adds registry to list of unqualified-search-registries. By default, for
 msgid "Adds registry to list of unqualified-search-registries. By default, for any image that does not include the registry in the image name, Vyos will use docker.io as the container registry."
 msgstr "Adds registry to list of unqualified-search-registries. By default, for any image that does not include the registry in the image name, Vyos will use docker.io as the container registry."
 
+#: ../../configuration/interfaces/wireless.rst:129
+msgid "Adds the Power Constraint information element to Beacon and Probe Response frames."
+msgstr "Adds the Power Constraint information element to Beacon and Probe Response frames."
+
 #: ../../configuration/protocols/bgp.rst:669
 msgid "Administrative Distance"
 msgstr "Administrative Distance"
 
-#: ../../configuration/service/ipoe-server.rst:335
+#: ../../configuration/service/ipoe-server.rst:334
 msgid "Advanced Interface Options"
 msgstr "Advanced Interface Options"
 
-#: ../../configuration/service/ipoe-server.rst:307
-#: ../../configuration/service/pppoe-server.rst:425
-#: ../../configuration/vpn/l2tp.rst:369
+#: ../../configuration/service/ipoe-server.rst:306
+#: ../../configuration/service/pppoe-server.rst:447
+#: ../../configuration/vpn/l2tp.rst:372
 #: ../../configuration/vpn/pptp.rst:293
-#: ../../configuration/vpn/sstp.rst:327
+#: ../../configuration/vpn/sstp.rst:330
 msgid "Advanced Options"
 msgstr "Advanced Options"
 
@@ -2049,6 +2329,10 @@ msgstr "Advanced Options"
 msgid "Advanced configuration can be used in order to apply source or destination NAT, and within a single rule, be able to define multiple translated addresses, so NAT balances the translations among them."
 msgstr "Advanced configuration can be used in order to apply source or destination NAT, and within a single rule, be able to define multiple translated addresses, so NAT balances the translations among them."
 
+#: ../../configuration/nat/cgnat.rst:36
+msgid "Advantages of CGNAT"
+msgstr "Advantages of CGNAT"
+
 #: ../../configuration/interfaces/openvpn.rst:16
 msgid "Advantages of OpenVPN are:"
 msgstr "Advantages of OpenVPN are:"
@@ -2057,6 +2341,10 @@ msgstr "Advantages of OpenVPN are:"
 msgid "Advertise DNS server per https://tools.ietf.org/html/rfc6106"
 msgstr "Advertise DNS server per https://tools.ietf.org/html/rfc6106"
 
+#: ../../configuration/service/router-advert.rst:110
+msgid "Advertisement Interval Option (specified by Mobile IPv6) is always included in Router Advertisements unless this option is set."
+msgstr "Advertisement Interval Option (specified by Mobile IPv6) is always included in Router Advertisements unless this option is set."
+
 #: ../../configuration/service/router-advert.rst:78
 msgid "Advertising a NAT64 Prefix"
 msgstr "Advertising a NAT64 Prefix"
@@ -2069,15 +2357,19 @@ msgstr "Advertising a Prefix"
 msgid "After commit the plaintext passwords will be hashed and stored in your configuration. The resulting CLI config will look like:"
 msgstr "After commit the plaintext passwords will be hashed and stored in your configuration. The resulting CLI config will look like:"
 
-#: ../../configuration/vrf/index.rst:344
+#: ../../configuration/vrf/index.rst:340
 msgid "After committing the configuration we can verify all leaked routes are installed, and try to ICMP ping PC1 from PC3."
 msgstr "After committing the configuration we can verify all leaked routes are installed, and try to ICMP ping PC1 from PC3."
 
+#: ../../configuration/service/suricata.rst:32
+msgid "After completing the service configuration in configuration mode, the main configuration file suricata.yaml is created, into which all specified parameters are added. Then, to ensure proper operation, the command :opcmd:`update suricata` must be run from operational mode, waiting for Suricata to update all its rules, which are used for analyzing traffic for threats and attacks."
+msgstr "After completing the service configuration in configuration mode, the main configuration file suricata.yaml is created, into which all specified parameters are added. Then, to ensure proper operation, the command :opcmd:`update suricata` must be run from operational mode, waiting for Suricata to update all its rules, which are used for analyzing traffic for threats and attacks."
+
 #: ../../configuration/vpn/remoteaccess_ipsec.rst:80
 msgid "After the PKI certs are all set up we can start configuring our IPSec/IKE proposals used for key-exchange end data encryption. The used encryption ciphers and integrity algorithms vary from operating system to operating system. The ones used in this example are validated to work on Windows 10."
 msgstr "After the PKI certs are all set up we can start configuring our IPSec/IKE proposals used for key-exchange end data encryption. The used encryption ciphers and integrity algorithms vary from operating system to operating system. The ones used in this example are validated to work on Windows 10."
 
-#: ../../configuration/vpn/ipsec.rst:418
+#: ../../configuration/vpn/ipsec.rst:438
 msgid "After the PKI certs are all set up we can start configuring our IPSec/IKE proposals used for key-exchange end data encryption. The used encryption ciphers and integrity algorithms vary from operating system to operating system. The ones used in this post are validated to work on both Windows 10 and iOS/iPadOS 14 to 17."
 msgstr "After the PKI certs are all set up we can start configuring our IPSec/IKE proposals used for key-exchange end data encryption. The used encryption ciphers and integrity algorithms vary from operating system to operating system. The ones used in this post are validated to work on both Windows 10 and iOS/iPadOS 14 to 17."
 
@@ -2085,6 +2377,10 @@ msgstr "After the PKI certs are all set up we can start configuring our IPSec/IK
 msgid "After we have imported the CA certificate(s) we can now import and add certificates used by services on this router."
 msgstr "After we have imported the CA certificate(s) we can now import and add certificates used by services on this router."
 
+#: ../../configuration/vpn/ipsec.rst:419
+msgid "After you obtain your server certificate you can import it from a file on the local filesystem, or paste it into the CLI. Please note that when entering the certificate manually you need to strip the ``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the certificate or key needs to be presented in a single line without line breaks (``\\n``)."
+msgstr "After you obtain your server certificate you can import it from a file on the local filesystem, or paste it into the CLI. Please note that when entering the certificate manually you need to strip the ``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the certificate or key needs to be presented in a single line without line breaks (``\\n``)."
+
 #: ../../configuration/vpn/ipsec.rst:399
 msgid "After you obtained your server certificate you can import it from a file on the local filesystem, or paste it into the CLI. Please note that when entering the certificate manually you need to strip the ``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the certificate or key needs to be presented in a single line without line breaks (``\\n``)."
 msgstr "After you obtained your server certificate you can import it from a file on the local filesystem, or paste it into the CLI. Please note that when entering the certificate manually you need to strip the ``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the certificate or key needs to be presented in a single line without line breaks (``\\n``)."
@@ -2093,11 +2389,11 @@ msgstr "After you obtained your server certificate you can import it from a file
 msgid "Agent - software which runs on managed devices"
 msgstr "Agent - software which runs on managed devices"
 
-#: ../../configuration/system/syslog.rst:173
+#: ../../configuration/system/syslog.rst:191
 msgid "Alert"
 msgstr "Alert"
 
-#: ../../configuration/highavailability/index.rst:356
+#: ../../configuration/highavailability/index.rst:360
 msgid "Algorithm"
 msgstr "Algorithm"
 
@@ -2105,6 +2401,10 @@ msgstr "Algorithm"
 msgid "Aliases"
 msgstr "Aliases"
 
+#: ../../configuration/interfaces/bonding.rst:297
+msgid "All-Active Multihoming is used for redundancy and load sharing. Servers are attached to two or more PEs and the links are bonded (link-aggregation). This group of server links is referred to as an :abbr:`ES (Ethernet Segment)`."
+msgstr "All-Active Multihoming is used for redundancy and load sharing. Servers are attached to two or more PEs and the links are bonded (link-aggregation). This group of server links is referred to as an :abbr:`ES (Ethernet Segment)`."
+
 #: ../../configuration/service/dns.rst:248
 msgid "All DNS requests for example.com must be forwarded to a DNS server at 192.0.2.254 and 2001:db8:cafe::1"
 msgstr "All DNS requests for example.com must be forwarded to a DNS server at 192.0.2.254 and 2001:db8:cafe::1"
@@ -2117,11 +2417,15 @@ msgstr "All SNMP MIBs are located in each image of VyOS here: ``/usr/share/snmp/
 msgid "All available WWAN cards have a build in, reprogrammable firmware. Most of the vendors provide a regular update to the firmware used in the baseband chip."
 msgstr "All available WWAN cards have a build in, reprogrammable firmware. Most of the vendors provide a regular update to the firmware used in the baseband chip."
 
+#: ../../configuration/interfaces/wwan.rst:324
+msgid "All available WWAN cards have a built-in, reprogrammable firmware. Most vendors provide regular updates to firmware used in the baseband chip."
+msgstr "All available WWAN cards have a built-in, reprogrammable firmware. Most vendors provide regular updates to firmware used in the baseband chip."
+
 #: ../../configuration/vpn/sstp.rst:22
 msgid "All certificates should be stored on VyOS under ``/config/auth``. If certificates are not stored in the ``/config`` directory they will not be migrated during a software update."
 msgstr "All certificates should be stored on VyOS under ``/config/auth``. If certificates are not stored in the ``/config`` directory they will not be migrated during a software update."
 
-#: ../../configuration/system/syslog.rst:110
+#: ../../configuration/system/syslog.rst:128
 msgid "All facilities"
 msgstr "All facilities"
 
@@ -2149,6 +2453,10 @@ msgstr "All routers in the PIM network must agree on these values."
 msgid "All scripts excecuted this way are executed as root user - this may be dangerous. Together with :ref:`command-scripting` this can be used for automating (re-)configuration."
 msgstr "All scripts excecuted this way are executed as root user - this may be dangerous. Together with :ref:`command-scripting` this can be used for automating (re-)configuration."
 
+#: ../../configuration/system/task-scheduler.rst:10
+msgid "All scripts executed this way are executed as root user - this may be dangerous. Together with :ref:`command-scripting` this can be used for automating (re-)configuration."
+msgstr "All scripts executed this way are executed as root user - this may be dangerous. Together with :ref:`command-scripting` this can be used for automating (re-)configuration."
+
 #: ../../configuration/protocols/bgp.rst:241
 msgid "All these rules with OTC will help to detect and mitigate route leaks and happen automatically if local-role is set."
 msgstr "All these rules with OTC will help to detect and mitigate route leaks and happen automatically if local-role is set."
@@ -2157,11 +2465,11 @@ msgstr "All these rules with OTC will help to detect and mitigate route leaks an
 msgid "All those protocols are grouped under ``interfaces tunnel`` in VyOS. Let's take a closer look at the protocols and options currently supported by VyOS."
 msgstr "All those protocols are grouped under ``interfaces tunnel`` in VyOS. Let's take a closer look at the protocols and options currently supported by VyOS."
 
-#: ../../configuration/firewall/zone.rst:55
+#: ../../configuration/firewall/zone.rst:52
 msgid "All traffic between zones is affected by existing policies"
 msgstr "All traffic between zones is affected by existing policies"
 
-#: ../../configuration/firewall/zone.rst:54
+#: ../../configuration/firewall/zone.rst:51
 msgid "All traffic to and from an interface within a zone is permitted."
 msgstr "All traffic to and from an interface within a zone is permitted."
 
@@ -2169,15 +2477,15 @@ msgstr "All traffic to and from an interface within a zone is permitted."
 msgid "All tunnel sessions can be checked via:"
 msgstr "All tunnel sessions can be checked via:"
 
-#: ../../configuration/service/ipoe-server.rst:231
-#: ../../configuration/service/pppoe-server.rst:193
+#: ../../configuration/service/ipoe-server.rst:230
+#: ../../configuration/service/pppoe-server.rst:210
 #: ../../configuration/vpn/l2tp.rst:236
 #: ../../configuration/vpn/pptp.rst:176
 #: ../../configuration/vpn/sstp.rst:209
 msgid "Allocation clients ip addresses by RADIUS"
 msgstr "Allocation clients ip addresses by RADIUS"
 
-#: ../../configuration/service/ssh.rst:121
+#: ../../configuration/service/ssh.rst:141
 msgid "Allow ``ssh`` dynamic-protection."
 msgstr "Allow ``ssh`` dynamic-protection."
 
@@ -2189,7 +2497,7 @@ msgstr "Allow access to sites in a domain without retrieving them from the Proxy
 msgid "Allow bgp to negotiate the extended-nexthop capability with it’s peer. If you are peering over a IPv6 Link-Local address then this capability is turned on automatically. If you are peering over a IPv6 Global Address then turning on this command will allow BGP to install IPv4 routes with IPv6 nexthops if you do not have IPv4 configured on interfaces."
 msgstr "Allow bgp to negotiate the extended-nexthop capability with it’s peer. If you are peering over a IPv6 Link-Local address then this capability is turned on automatically. If you are peering over a IPv6 Global Address then turning on this command will allow BGP to install IPv4 routes with IPv6 nexthops if you do not have IPv4 configured on interfaces."
 
-#: ../../configuration/service/https.rst:81
+#: ../../configuration/service/https.rst:113
 msgid "Allow cross-origin requests from `<origin>`."
 msgstr "Allow cross-origin requests from `<origin>`."
 
@@ -2197,7 +2505,7 @@ msgstr "Allow cross-origin requests from `<origin>`."
 msgid "Allow explicit IPv6 address for the interface."
 msgstr "Allow explicit IPv6 address for the interface."
 
-#: ../../configuration/container/index.rst:32
+#: ../../configuration/container/index.rst:57
 msgid "Allow host networking in a container. The network stack of the container is not isolated from the host and will use the host IP."
 msgstr "Allow host networking in a container. The network stack of the container is not isolated from the host and will use the host IP."
 
@@ -2213,17 +2521,17 @@ msgstr "Allow this BFD peer to not be directly connected"
 msgid "Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma separated. The ``!`` negate the selected protocol."
 msgstr "Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma separated. The ``!`` negate the selected protocol."
 
-#: ../../configuration/firewall/ipv4.rst:835
-#: ../../configuration/firewall/ipv6.rst:821
-#: ../../configuration/system/conntrack.rst:199
+#: ../../configuration/firewall/ipv4.rst:886
+#: ../../configuration/firewall/ipv6.rst:876
+#: ../../configuration/system/conntrack.rst:172
 msgid "Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for inverted selection use ``not``, as shown in the example."
 msgstr "Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for inverted selection use ``not``, as shown in the example."
 
-#: ../../configuration/interfaces/bridge.rst:171
+#: ../../configuration/interfaces/bridge.rst:170
 msgid "Allows specific VLAN IDs to pass through the bridge member interface. This can either be an individual VLAN id or a range of VLAN ids delimited by a hyphen."
 msgstr "Allows specific VLAN IDs to pass through the bridge member interface. This can either be an individual VLAN id or a range of VLAN ids delimited by a hyphen."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:73
+#: ../../configuration/loadbalancing/haproxy.rst:85
 msgid "Allows to define URL path matching rules for a specific service."
 msgstr "Allows to define URL path matching rules for a specific service."
 
@@ -2235,16 +2543,19 @@ msgstr "Allows you to configure the next-hop interface for an interface-based IP
 msgid "Allows you to configure the next-hop interface for an interface-based IPv6 static route. `<interface>` will be the next-hop interface where traffic is routed for the given `<subnet>`."
 msgstr "Allows you to configure the next-hop interface for an interface-based IPv6 static route. `<interface>` will be the next-hop interface where traffic is routed for the given `<subnet>`."
 
-#: ../../configuration/service/ssh.rst:157
+#: ../../configuration/service/ssh.rst:177
 msgid "Already learned known_hosts files of clients need an update as the public key will change."
 msgstr "Already learned known_hosts files of clients need an update as the public key will change."
 
-#: ../../configuration/firewall/bridge.rst:123
-#: ../../configuration/firewall/ipv4.rst:166
-#: ../../configuration/firewall/ipv6.rst:166
+#: ../../configuration/firewall/ipv4.rst:190
+#: ../../configuration/firewall/ipv6.rst:190
 msgid "Also, **default-action** is an action that takes place whenever a packet does not match any rule in it's chain. For base chains, possible options for **default-action** are **accept** or **drop**."
 msgstr "Also, **default-action** is an action that takes place whenever a packet does not match any rule in it's chain. For base chains, possible options for **default-action** are **accept** or **drop**."
 
+#: ../../configuration/firewall/bridge.rst:171
+msgid "Also, **default-action** is an action that takes place whenever a packet does not match any rule in its' chain. For base chains, possible options for **default-action** are **accept** or **drop**."
+msgstr "Also, **default-action** is an action that takes place whenever a packet does not match any rule in its' chain. For base chains, possible options for **default-action** are **accept** or **drop**."
+
 #: ../../configuration/service/dhcp-relay.rst:110
 msgid "Also, for backwards compatibility this configuration, which uses generic interface definition, is still valid:"
 msgstr "Also, for backwards compatibility this configuration, which uses generic interface definition, is still valid:"
@@ -2253,10 +2564,22 @@ msgstr "Also, for backwards compatibility this configuration, which uses generic
 msgid "Also, for those who haven't updated to newer version, legacy documentation is still present and valid for all sagitta version prior to VyOS 1.4-rolling-202308040557:"
 msgstr "Also, for those who haven't updated to newer version, legacy documentation is still present and valid for all sagitta version prior to VyOS 1.4-rolling-202308040557:"
 
+#: ../../configuration/firewall/bridge.rst:146
+msgid "Also, if action is set to ``queue``, use next command to specify the queue options. Possible options are ``bypass`` and ``fanout``:"
+msgstr "Also, if action is set to ``queue``, use next command to specify the queue options. Possible options are ``bypass`` and ``fanout``:"
+
 #: ../../configuration/nat/nat44.rst:288
 msgid "Also, in :ref:`destination-nat`, redirection to localhost is supported. The redirect statement is a special form of dnat which always translates the destination address to the local host’s one."
 msgstr "Also, in :ref:`destination-nat`, redirection to localhost is supported. The redirect statement is a special form of dnat which always translates the destination address to the local host’s one."
 
+#: ../../configuration/firewall/groups.rst:200
+msgid "Also, specific timeout can be defined per rule. In case rule gets a hit, source or destinatination address will be added to the group, and this element will remain in the group until timeout expires. If no timeout is defined, then the element will remain in the group until next reboot, or until a new commit that changes firewall configuration is done."
+msgstr "Also, specific timeout can be defined per rule. In case rule gets a hit, source or destinatination address will be added to the group, and this element will remain in the group until timeout expires. If no timeout is defined, then the element will remain in the group until next reboot, or until a new commit that changes firewall configuration is done."
+
+#: ../../configuration/firewall/groups.rst:199
+msgid "Also, specific timeouts can be defined per rule. In case rule gets a hit, a source or destinatination address will be added to the group, and this element will remain in the group until the timeout expires. If no timeout is defined, then the element will remain in the group until next reboot, or until a new commit that changes firewall configuration is done."
+msgstr "Also, specific timeouts can be defined per rule. In case rule gets a hit, a source or destinatination address will be added to the group, and this element will remain in the group until the timeout expires. If no timeout is defined, then the element will remain in the group until next reboot, or until a new commit that changes firewall configuration is done."
+
 #: ../../configuration/protocols/static.rst:171
 msgid "Alternate Routing Tables"
 msgstr "Alternate Routing Tables"
@@ -2269,11 +2592,15 @@ msgstr "Alternate routing tables are used with policy based routing by utilizing
 msgid "Alternative to multicast, the remote IPv4 address of the VXLAN tunnel can be set directly. Let's change the Multicast example from above:"
 msgstr "Alternative to multicast, the remote IPv4 address of the VXLAN tunnel can be set directly. Let's change the Multicast example from above:"
 
+#: ../../configuration/interfaces/vxlan.rst:342
+msgid "Alternatively to multicast, the remote IPv4 address of the VXLAN tunnel can be set directly. Let's change the Multicast example from above:"
+msgstr "Alternatively to multicast, the remote IPv4 address of the VXLAN tunnel can be set directly. Let's change the Multicast example from above:"
+
 #: ../../configuration/service/dhcp-server.rst:132
 msgid "Always exclude this address from any defined range. This address will never be assigned by the DHCP server."
 msgstr "Always exclude this address from any defined range. This address will never be assigned by the DHCP server."
 
-#: ../../configuration/firewall/groups.rst:68
+#: ../../configuration/firewall/groups.rst:67
 msgid "An **interface group** represents a collection of interfaces."
 msgstr "An **interface group** represents a collection of interfaces."
 
@@ -2281,6 +2608,10 @@ msgstr "An **interface group** represents a collection of interfaces."
 msgid "An AS is a connected group of one or more IP prefixes run by one or more network operators which has a SINGLE and CLEARLY DEFINED routing policy."
 msgstr "An AS is a connected group of one or more IP prefixes run by one or more network operators which has a SINGLE and CLEARLY DEFINED routing policy."
 
+#: ../../configuration/interfaces/bonding.rst:301
+msgid "An Ethernet Segment can be configured by specifying a system-MAC and a local discriminator or a complete ESINAME against the bond interface on the PE."
+msgstr "An Ethernet Segment can be configured by specifying a system-MAC and a local discriminator or a complete ESINAME against the bond interface on the PE."
+
 #: ../../configuration/trafficpolicy/index.rst:208
 msgid "An IPv4 TCP filter will only match packets with an IPv4 header length of 20 bytes (which is the majority of IPv4 packets anyway)."
 msgstr "An IPv4 TCP filter will only match packets with an IPv4 header length of 20 bytes (which is the majority of IPv4 packets anyway)."
@@ -2289,7 +2620,7 @@ msgstr "An IPv4 TCP filter will only match packets with an IPv4 header length of
 msgid "An SNMP-managed network consists of three key components:"
 msgstr "An SNMP-managed network consists of three key components:"
 
-#: ../../configuration/interfaces/bonding.rst:234
+#: ../../configuration/interfaces/bonding.rst:239
 msgid "An `<interface>` specifying which slave is the primary device. The specified device will always be the active slave while it is available. Only when the primary is off-line will alternate devices be used. This is useful when one slave is preferred over another, e.g., when one slave has higher throughput than another."
 msgstr "An `<interface>` specifying which slave is the primary device. The specified device will always be the active slave while it is available. Only when the primary is off-line will alternate devices be used. This is useful when one slave is preferred over another, e.g., when one slave has higher throughput than another."
 
@@ -2301,11 +2632,19 @@ msgstr "An additional layer of symmetric-key crypto can be used on top of the as
 msgid "An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto. This command automatically creates for you the required CLI command to install this PSK for a given peer."
 msgstr "An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto. This command automatically creates for you the required CLI command to install this PSK for a given peer."
 
+#: ../../configuration/interfaces/wireguard.rst:103
+msgid "An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto. This command automatically creates the required CLI command to install this PSK for a given peer."
+msgstr "An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto. This command automatically creates the required CLI command to install this PSK for a given peer."
+
 #: ../../configuration/interfaces/wireguard.rst:247
 msgid "An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto. This is optional."
 msgstr "An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto. This is optional."
 
 #: ../../configuration/vpn/ipsec.rst:11
+msgid "An advantage of this scheme is that you get a real interface with its own address, which makes it easier to setup static routes or use dynamic routing protocols without having to modify IPsec policies. The other advantage is that it greatly simplifies router to router communication, which can be tricky with plain IPsec because the external outgoing address of the router usually doesn't match the IPsec policy of a typical site-to-site setup and you would need to add special configuration for it, or adjust the source address of the outgoing traffic of your applications. GRE/IPsec has no such problem and is completely transparent for applications."
+msgstr "An advantage of this scheme is that you get a real interface with its own address, which makes it easier to setup static routes or use dynamic routing protocols without having to modify IPsec policies. The other advantage is that it greatly simplifies router to router communication, which can be tricky with plain IPsec because the external outgoing address of the router usually doesn't match the IPsec policy of a typical site-to-site setup and you would need to add special configuration for it, or adjust the source address of the outgoing traffic of your applications. GRE/IPsec has no such problem and is completely transparent for applications."
+
+#: ../../configuration/vpn/ipsec.rst:11
 msgid "An advantage of this scheme is that you get a real interface with its own address, which makes it easier to setup static routes or use dynamic routing protocols without having to modify IPsec policies. The other advantage is that it greatly simplifies router to router communication, which can be tricky with plain IPsec because the external outgoing address of the router usually doesn't match the IPsec policy of typical site-to-site setup and you need to add special configuration for it, or adjust the source address for outgoing traffic of your applications. GRE/IPsec has no such problem and is completely transparent for the applications."
 msgstr "An advantage of this scheme is that you get a real interface with its own address, which makes it easier to setup static routes or use dynamic routing protocols without having to modify IPsec policies. The other advantage is that it greatly simplifies router to router communication, which can be tricky with plain IPsec because the external outgoing address of the router usually doesn't match the IPsec policy of typical site-to-site setup and you need to add special configuration for it, or adjust the source address for outgoing traffic of your applications. GRE/IPsec has no such problem and is completely transparent for the applications."
 
@@ -2317,7 +2656,7 @@ msgstr "An agent is a network-management software module that resides on a manag
 msgid "An alternate command could be \"mpls-te on\" (Traffic Engineering)"
 msgstr "An alternate command could be \"mpls-te on\" (Traffic Engineering)"
 
-#: ../../configuration/firewall/ipv4.rst:396
+#: ../../configuration/firewall/ipv4.rst:421
 msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion."
 msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion."
 
@@ -2333,10 +2672,15 @@ msgstr "An arbitrary netmask can be applied to mask addresses to only match agai
 msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
 msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
 
+#: ../../configuration/firewall/ipv6.rst:395
+msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org /doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
+msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org /doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
+
 #: ../../configuration/firewall/zone.rst:43
 msgid "An basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`."
 msgstr "An basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`."
 
+#: ../../configuration/interfaces/openvpn.rst:768
 #: ../../configuration/interfaces/tunnel.rst:36
 #: ../../configuration/interfaces/tunnel.rst:54
 #: ../../configuration/interfaces/tunnel.rst:71
@@ -2346,11 +2690,11 @@ msgstr "An basic introduction to zone-based firewalls can be found `here <https:
 msgid "An example:"
 msgstr "An example:"
 
-#: ../../configuration/service/monitoring.rst:136
+#: ../../configuration/service/monitoring.rst:166
 msgid "An example of a configuration that sends ``telegraf`` metrics to remote ``InfluxDB 2``"
 msgstr "An example of a configuration that sends ``telegraf`` metrics to remote ``InfluxDB 2``"
 
-#: ../../configuration/interfaces/bridge.rst:236
+#: ../../configuration/interfaces/bridge.rst:235
 msgid "An example of creating a VLAN-aware bridge is as follows:"
 msgstr "An example of creating a VLAN-aware bridge is as follows:"
 
@@ -2366,22 +2710,30 @@ msgstr "An example of the data captured by a FREERADIUS server with sql accounti
 msgid "An option that takes a quoted string is set by replacing all quote characters with the string ``&quot;`` inside the static-mapping-parameters value. The resulting line in dhcpd.conf will be ``option pxelinux.configfile \"pxelinux.cfg/01-00-15-17-44-2d-aa\";``."
 msgstr "An option that takes a quoted string is set by replacing all quote characters with the string ``&quot;`` inside the static-mapping-parameters value. The resulting line in dhcpd.conf will be ``option pxelinux.configfile \"pxelinux.cfg/01-00-15-17-44-2d-aa\";``."
 
-#: ../../configuration/firewall/flowtables.rst:142
+#: ../../configuration/firewall/flowtables.rst:143
 msgid "Analysis on what happens for desired connection:"
 msgstr "Analysis on what happens for desired connection:"
 
-#: ../../configuration/firewall/bridge.rst:297
+#: ../../configuration/firewall/bridge.rst:462
 msgid "And, to print only bridge firewall information:"
 msgstr "And, to print only bridge firewall information:"
 
-#: ../../configuration/firewall/ipv4.rst:57
+#: ../../configuration/firewall/ipv4.rst:75
+msgid "And base chain for traffic generated by the router is ``set firewall ipv4 output ...``, where two sub-chains are available: **filter** and **raw**:"
+msgstr "And base chain for traffic generated by the router is ``set firewall ipv4 output ...``, where two sub-chains are available: **filter** and **raw**:"
+
+#: ../../configuration/firewall/ipv4.rst:58
 msgid "And base chain for traffic generated by the router is ``set firewall ipv4 output filter ...``"
 msgstr "And base chain for traffic generated by the router is ``set firewall ipv4 output filter ...``"
 
-#: ../../configuration/firewall/ipv6.rst:57
+#: ../../configuration/firewall/ipv6.rst:58
 msgid "And base chain for traffic generated by the router is ``set firewall ipv6 output filter ...``"
 msgstr "And base chain for traffic generated by the router is ``set firewall ipv6 output filter ...``"
 
+#: ../../configuration/firewall/ipv6.rst:75
+msgid "And base chain for traffic generated by the router is ``set firewall ipv6 output filter ...``, where two sub-chains are available: **filter** and **raw**:"
+msgstr "And base chain for traffic generated by the router is ``set firewall ipv6 output filter ...``, where two sub-chains are available: **filter** and **raw**:"
+
 #: ../../configuration/service/ids.rst:138
 msgid "And content of the script:"
 msgstr "And content of the script:"
@@ -2390,20 +2742,32 @@ msgstr "And content of the script:"
 msgid "And for ipv6:"
 msgstr "And for ipv6:"
 
-#: ../../configuration/firewall/groups.rst:165
+#: ../../configuration/firewall/bridge.rst:63
+msgid "And for traffic that originates from the bridge itself, the base chain is **output**, base command is ``set firewall bridge output filter ...``, and the path is:"
+msgstr "And for traffic that originates from the bridge itself, the base chain is **output**, base command is ``set firewall bridge output filter ...``, and the path is:"
+
+#: ../../configuration/firewall/groups.rst:263
 msgid "And next, some configuration example where groups are used:"
 msgstr "And next, some configuration example where groups are used:"
 
-#: ../../configuration/firewall/bridge.rst:349
+#: ../../configuration/firewall/bridge.rst:514
 msgid "And op-mode commands:"
 msgstr "And op-mode commands:"
 
+#: ../../configuration/firewall/ipv4.rst:75
+msgid "And the base chain for traffic generated by the router is ``set firewall ipv4 output ...``, where two sub-chains are available: **filter** and **raw**:"
+msgstr "And the base chain for traffic generated by the router is ``set firewall ipv4 output ...``, where two sub-chains are available: **filter** and **raw**:"
+
+#: ../../configuration/firewall/ipv6.rst:75
+msgid "And the base chain for traffic generated by the router is ``set firewall ipv6 output ...``, where two sub-chains are available: **filter** and **raw**:"
+msgstr "And the base chain for traffic generated by the router is ``set firewall ipv6 output ...``, where two sub-chains are available: **filter** and **raw**:"
+
 #: ../../configuration/system/ip.rst:97
 msgid "And the different IPv4 **reset** commands available:"
 msgstr "And the different IPv4 **reset** commands available:"
 
-#: ../../configuration/interfaces/bonding.rst:185
-#: ../../configuration/interfaces/bonding.rst:214
+#: ../../configuration/interfaces/bonding.rst:190
+#: ../../configuration/interfaces/bonding.rst:219
 msgid "And then hash is reduced modulo slave count."
 msgstr "And then hash is reduced modulo slave count."
 
@@ -2415,12 +2779,16 @@ msgstr "Another term often used for DNAT is **1-to-1 NAT**. For a 1-to-1 NAT con
 msgid "Another thing to keep in mind with LDP is that much like BGP, it is a protocol that runs on top of TCP. It however does not have an ability to do something like a refresh capability like BGPs route refresh capability. Therefore one might have to reset the neighbor for a capability change or a configuration change to work."
 msgstr "Another thing to keep in mind with LDP is that much like BGP, it is a protocol that runs on top of TCP. It however does not have an ability to do something like a refresh capability like BGPs route refresh capability. Therefore one might have to reset the neighbor for a capability change or a configuration change to work."
 
-#: ../../configuration/vpn/ipsec.rst:549
+#: ../../configuration/vpn/ipsec.rst:553
+msgid "Apple iOS/iPadOS (14.2+)"
+msgstr "Apple iOS/iPadOS (14.2+)"
+
+#: ../../configuration/vpn/ipsec.rst:569
 msgid "Apple iOS/iPadOS expects the server name to be also used in the server's certificate common name, so it's best to use this DNS name for your VPN connection."
 msgstr "Apple iOS/iPadOS expects the server name to be also used in the server's certificate common name, so it's best to use this DNS name for your VPN connection."
 
-#: ../../configuration/vrf/index.rst:52
-#: ../../configuration/vrf/index.rst:62
+#: ../../configuration/vrf/index.rst:48
+#: ../../configuration/vrf/index.rst:58
 msgid "Apply a route-map filter to routes for the specified protocol."
 msgstr "Apply a route-map filter to routes for the specified protocol."
 
@@ -2436,7 +2804,7 @@ msgstr "Apply a route-map filter to routes for the specified protocol. The follo
 msgid "Apply routing policy to **inbound** direction of out VLAN interfaces"
 msgstr "Apply routing policy to **inbound** direction of out VLAN interfaces"
 
-#: ../../configuration/firewall/zone.rst:101
+#: ../../configuration/firewall/zone.rst:98
 msgid "Applying a Rule-Set to a Zone"
 msgstr "Applying a Rule-Set to a Zone"
 
@@ -2444,7 +2812,7 @@ msgstr "Applying a Rule-Set to a Zone"
 msgid "Applying a Rule-Set to an Interface"
 msgstr "Applying a Rule-Set to an Interface"
 
-#: ../../configuration/trafficpolicy/index.rst:1218
+#: ../../configuration/trafficpolicy/index.rst:1268
 msgid "Applying a traffic policy"
 msgstr "Applying a traffic policy"
 
@@ -2457,15 +2825,23 @@ msgstr "Area Configuration"
 msgid "Area identifier: ``0001`` IS-IS area number (numberical area ``1``)"
 msgstr "Area identifier: ``0001`` IS-IS area number (numberical area ``1``)"
 
+#: ../../configuration/protocols/isis.rst:55
+msgid "Area identifier: ``0001`` IS-IS area number (numerical area ``1``)"
+msgstr "Area identifier: ``0001`` IS-IS area number (numerical area ``1``)"
+
+#: ../../configuration/protocols/openfabric.rst:45
+msgid "Area identifier: ``0001`` OpenFabric area number (numerical area ``1``)"
+msgstr "Area identifier: ``0001`` OpenFabric area number (numerical area ``1``)"
+
 #: ../../configuration/system/task-scheduler.rst:38
 msgid "Arguments which will be passed to the executable."
 msgstr "Arguments which will be passed to the executable."
 
-#: ../../configuration/interfaces/bonding.rst:396
+#: ../../configuration/interfaces/bonding.rst:449
 msgid "Arista EOS"
 msgstr "Arista EOS"
 
-#: ../../configuration/interfaces/bonding.rst:381
+#: ../../configuration/interfaces/bonding.rst:434
 msgid "Aruba/HP"
 msgstr "Aruba/HP"
 
@@ -2481,6 +2857,10 @@ msgstr "As Internet wide PMTU discovery rarely works, we sometimes need to clamp
 msgid "As SSTP provides PPP via a SSL/TLS channel the use of either publically signed certificates as well as a private PKI is required."
 msgstr "As SSTP provides PPP via a SSL/TLS channel the use of either publically signed certificates as well as a private PKI is required."
 
+#: ../../configuration/vpn/sstp.rst:19
+msgid "As SSTP provides PPP via a SSL/TLS channel the use of either publicly signed certificates or private PKI is required."
+msgstr "As SSTP provides PPP via a SSL/TLS channel the use of either publicly signed certificates or private PKI is required."
+
 #: ../../configuration/interfaces/vxlan.rst:61
 msgid "As VyOS is Linux based the default port used is not using 4789 as the default IANA-assigned destination UDP port number. Instead VyOS uses the Linux default port of 8472."
 msgstr "As VyOS is Linux based the default port used is not using 4789 as the default IANA-assigned destination UDP port number. Instead VyOS uses the Linux default port of 8472."
@@ -2489,7 +2869,7 @@ msgstr "As VyOS is Linux based the default port used is not using 4789 as the de
 msgid "As VyOS is based on Linux and there was no official IANA port assigned for VXLAN, VyOS uses a default port of 8472. You can change the port on a per VXLAN interface basis to get it working across multiple vendors."
 msgstr "As VyOS is based on Linux and there was no official IANA port assigned for VXLAN, VyOS uses a default port of 8472. You can change the port on a per VXLAN interface basis to get it working across multiple vendors."
 
-#: ../../configuration/firewall/index.rst:7
+#: ../../configuration/firewall/index.rst:12
 msgid "As VyOS is based on Linux it leverages its firewall. The Netfilter project created iptables and its successor nftables for the Linux kernel to work directly on packet data flows. This now extends the concept of zone-based security to allow for manipulating the data at multiple stages once accepted by the network interface and the driver before being handed off to the destination (e.g., a web server OR another device)."
 msgstr "As VyOS is based on Linux it leverages its firewall. The Netfilter project created iptables and its successor nftables for the Linux kernel to work directly on packet data flows. This now extends the concept of zone-based security to allow for manipulating the data at multiple stages once accepted by the network interface and the driver before being handed off to the destination (e.g., a web server OR another device)."
 
@@ -2497,19 +2877,27 @@ msgstr "As VyOS is based on Linux it leverages its firewall. The Netfilter proje
 msgid "As VyOS makes use of the QMI interface to connect to the WWAN modem cards, also the firmware can be reprogrammed."
 msgstr "As VyOS makes use of the QMI interface to connect to the WWAN modem cards, also the firmware can be reprogrammed."
 
-#: ../../configuration/trafficpolicy/index.rst:940
+#: ../../configuration/interfaces/wwan.rst:327
+msgid "As VyOS makes use of the QMI interface to connect to the WWAN modem cards, the firmware can be reprogrammed."
+msgstr "As VyOS makes use of the QMI interface to connect to the WWAN modem cards, the firmware can be reprogrammed."
+
+#: ../../configuration/trafficpolicy/index.rst:990
 msgid "As a reference: for 10mbit/s on Intel, you might need at least 10kbyte buffer if you want to reach your configured rate."
 msgstr "As a reference: for 10mbit/s on Intel, you might need at least 10kbyte buffer if you want to reach your configured rate."
 
-#: ../../configuration/interfaces/openvpn.rst:666
+#: ../../configuration/interfaces/openvpn.rst:807
 msgid "As a result, the processing of each packet becomes more efficient, potentially leveraging hardware encryption offloading support available in the kernel."
 msgstr "As a result, the processing of each packet becomes more efficient, potentially leveraging hardware encryption offloading support available in the kernel."
 
-#: ../../configuration/firewall/zone.rst:68
+#: ../../configuration/firewall/zone.rst:65
 msgid "As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs."
 msgstr "As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs."
 
-#: ../../configuration/vpn/ipsec.rst:523
+#: ../../configuration/firewall/groups.rst:230
+msgid "As any other firewall group, dynamic firewall groups can be used in firewall rules as matching options. For example:"
+msgstr "As any other firewall group, dynamic firewall groups can be used in firewall rules as matching options. For example:"
+
+#: ../../configuration/vpn/ipsec.rst:543
 msgid "As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of encryption ciphers and integrity algorithms we will validate the configured IKE/ESP proposals and only list the compatible ones to the user — if multiple are defined. If there are no matching proposals found — we can not generate a profile for you."
 msgstr "As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of encryption ciphers and integrity algorithms we will validate the configured IKE/ESP proposals and only list the compatible ones to the user — if multiple are defined. If there are no matching proposals found — we can not generate a profile for you."
 
@@ -2517,7 +2905,15 @@ msgstr "As both Microsoft Windows and Apple iOS/iPadOS only support a certain se
 msgid "As described, first packet will be evaluated by all the firewall path, so desired connection should be explicitely accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are used in order to accept connection in reverse patch."
 msgstr "As described, first packet will be evaluated by all the firewall path, so desired connection should be explicitely accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are used in order to accept connection in reverse patch."
 
-#: ../../configuration/system/option.rst:110
+#: ../../configuration/firewall/flowtables.rst:110
+msgid "As described, first packet will be evaluated by all the firewall path, so desired connection should be explicitly accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are used in order to accept connection in reverse patch."
+msgstr "As described, first packet will be evaluated by all the firewall path, so desired connection should be explicitly accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are used in order to accept connection in reverse patch."
+
+#: ../../configuration/firewall/flowtables.rst:110
+msgid "As described, the first packet will be evaluated by the firewall path, so a desired connection should be explicitly accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are used in order to accept a connection in the reverse path."
+msgstr "As described, the first packet will be evaluated by the firewall path, so a desired connection should be explicitly accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are used in order to accept a connection in the reverse path."
+
+#: ../../configuration/system/option.rst:130
 msgid "As more and more routers run on Hypervisors, expecially with a :abbr:`NOS (Network Operating System)` as VyOS, it makes fewer and fewer sense to use static resource bindings like ``smp-affinity`` as present in VyOS 1.2 and earlier to pin certain interrupt handlers to specific CPUs."
 msgstr "As more and more routers run on Hypervisors, expecially with a :abbr:`NOS (Network Operating System)` as VyOS, it makes fewer and fewer sense to use static resource bindings like ``smp-affinity`` as present in VyOS 1.2 and earlier to pin certain interrupt handlers to specific CPUs."
 
@@ -2533,7 +2929,7 @@ msgstr "As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys
 msgid "As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1."
 msgstr "As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1."
 
-#: ../../configuration/firewall/groups.rst:147
+#: ../../configuration/firewall/groups.rst:245
 msgid "As said before, once firewall groups are created, they can be referenced either in firewall, nat, nat66 and/or policy-route rules."
 msgstr "As said before, once firewall groups are created, they can be referenced either in firewall, nat, nat66 and/or policy-route rules."
 
@@ -2541,11 +2937,11 @@ msgstr "As said before, once firewall groups are created, they can be referenced
 msgid "As shown in the example above, one of the possibilities to match packets is based on marks done by the firewall, `that can give you a great deal of flexibility`_."
 msgstr "As shown in the example above, one of the possibilities to match packets is based on marks done by the firewall, `that can give you a great deal of flexibility`_."
 
-#: ../../configuration/trafficpolicy/index.rst:323
+#: ../../configuration/trafficpolicy/index.rst:373
 msgid "As shown in the last command of the example above, the `queue-type` setting allows these combinations. You will be able to use it in many policies."
 msgstr "As shown in the last command of the example above, the `queue-type` setting allows these combinations. You will be able to use it in many policies."
 
-#: ../../configuration/firewall/index.rst:176
+#: ../../configuration/firewall/index.rst:223
 msgid "As the example image below shows, the device now needs rules to allow/block traffic to or from the services running on the device that have open connections on that interface."
 msgstr "As the example image below shows, the device now needs rules to allow/block traffic to or from the services running on the device that have open connections on that interface."
 
@@ -2561,19 +2957,19 @@ msgstr "As the name implies, it's IPv4 encapsulated in IPv6, as simple as that."
 msgid "As well as the below to allow NAT-traversal (when NAT is detected by the VPN client, ESP is encapsulated in UDP for NAT-traversal):"
 msgstr "As well as the below to allow NAT-traversal (when NAT is detected by the VPN client, ESP is encapsulated in UDP for NAT-traversal):"
 
-#: ../../configuration/trafficpolicy/index.rst:997
+#: ../../configuration/trafficpolicy/index.rst:1047
 msgid "As with other policies, Round-Robin can embed_ another policy into a class through the ``queue-type`` setting."
 msgstr "As with other policies, Round-Robin can embed_ another policy into a class through the ``queue-type`` setting."
 
-#: ../../configuration/trafficpolicy/index.rst:1076
+#: ../../configuration/trafficpolicy/index.rst:1126
 msgid "As with other policies, Shaper can embed_ other policies into its classes through the ``queue-type`` setting and then configure their parameters."
 msgstr "As with other policies, Shaper can embed_ other policies into its classes through the ``queue-type`` setting and then configure their parameters."
 
-#: ../../configuration/trafficpolicy/index.rst:718
+#: ../../configuration/trafficpolicy/index.rst:768
 msgid "As with other policies, you can define different type of matching rules for your classes:"
 msgstr "As with other policies, you can define different type of matching rules for your classes:"
 
-#: ../../configuration/trafficpolicy/index.rst:734
+#: ../../configuration/trafficpolicy/index.rst:784
 msgid "As with other policies, you can embed_ other policies into the classes (and default) of your Priority Queue policy through the ``queue-type`` setting:"
 msgstr "As with other policies, you can embed_ other policies into the classes (and default) of your Priority Queue policy through the ``queue-type`` setting:"
 
@@ -2581,6 +2977,10 @@ msgstr "As with other policies, you can embed_ other policies into the classes (
 msgid "As you can see, Leaf2 and Leaf3 configuration is almost identical. There are lots of commands above, I'll try to into more detail below, command descriptions are placed under the command boxes:"
 msgstr "As you can see, Leaf2 and Leaf3 configuration is almost identical. There are lots of commands above, I'll try to into more detail below, command descriptions are placed under the command boxes:"
 
+#: ../../configuration/interfaces/vxlan.rst:285
+msgid "As you can see, the Leaf2 and Leaf3 configurations are almost identical. There are lots of commands above, I'll try to go into more detail below. Command descriptions are placed under the command boxes:"
+msgstr "As you can see, the Leaf2 and Leaf3 configurations are almost identical. There are lots of commands above, I'll try to go into more detail below. Command descriptions are placed under the command boxes:"
+
 #: ../../configuration/firewall/general-legacy.rst:770
 msgid "As you can see in the example here, you can assign the same rule-set to several interfaces. An interface can only have one rule-set per chain."
 msgstr "As you can see in the example here, you can assign the same rule-set to several interfaces. An interface can only have one rule-set per chain."
@@ -2589,22 +2989,25 @@ msgstr "As you can see in the example here, you can assign the same rule-set to
 msgid "Assign `<member>` interface to bridge `<interface>`. A completion helper will help you with all allowed interfaces which can be bridged. This includes :ref:`ethernet-interface`, :ref:`bond-interface`, :ref:`l2tpv3-interface`, :ref:`openvpn`, :ref:`vxlan-interface`, :ref:`wireless-interface`, :ref:`tunnel-interface` and :ref:`geneve-interface`."
 msgstr "Assign `<member>` interface to bridge `<interface>`. A completion helper will help you with all allowed interfaces which can be bridged. This includes :ref:`ethernet-interface`, :ref:`bond-interface`, :ref:`l2tpv3-interface`, :ref:`openvpn`, :ref:`vxlan-interface`, :ref:`wireless-interface`, :ref:`tunnel-interface` and :ref:`geneve-interface`."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:86
+#: ../../configuration/loadbalancing/haproxy.rst:98
 msgid "Assign a specific backend to a rule"
 msgstr "Assign a specific backend to a rule"
 
-#: ../../configuration/vrf/index.rst:98
+#: ../../configuration/vpn/l2tp.rst:384
+#: ../../configuration/vpn/sstp.rst:342
+msgid "Assign a static IP address to `<user>` account."
+msgstr "Assign a static IP address to `<user>` account."
+
+#: ../../configuration/vrf/index.rst:94
 msgid "Assign interface identified by `<interface>` to VRF named `<name>`."
 msgstr "Assign interface identified by `<interface>` to VRF named `<name>`."
 
-#: ../../configuration/interfaces/bonding.rst:324
+#: ../../configuration/interfaces/bonding.rst:377
 msgid "Assign member interfaces to PortChannel"
 msgstr "Assign member interfaces to PortChannel"
 
-#: ../../configuration/service/pppoe-server.rst:437
-#: ../../configuration/vpn/l2tp.rst:381
+#: ../../configuration/service/pppoe-server.rst:460
 #: ../../configuration/vpn/pptp.rst:305
-#: ../../configuration/vpn/sstp.rst:339
 msgid "Assign static IP address to `<user>` account."
 msgstr "Assign static IP address to `<user>` account."
 
@@ -2624,55 +3027,55 @@ msgstr "Associates the previously generated private key to a specific WireGuard
 msgid "Assure that your firewall rules allow the traffic, in which case you have a working VPN using WireGuard."
 msgstr "Assure that your firewall rules allow the traffic, in which case you have a working VPN using WireGuard."
 
-#: ../../configuration/trafficpolicy/index.rst:269
+#: ../../configuration/trafficpolicy/index.rst:319
 msgid "Assured Forwarding(AF) 11"
 msgstr "Assured Forwarding(AF) 11"
 
-#: ../../configuration/trafficpolicy/index.rst:271
+#: ../../configuration/trafficpolicy/index.rst:321
 msgid "Assured Forwarding(AF) 12"
 msgstr "Assured Forwarding(AF) 12"
 
-#: ../../configuration/trafficpolicy/index.rst:273
+#: ../../configuration/trafficpolicy/index.rst:323
 msgid "Assured Forwarding(AF) 13"
 msgstr "Assured Forwarding(AF) 13"
 
-#: ../../configuration/trafficpolicy/index.rst:275
+#: ../../configuration/trafficpolicy/index.rst:325
 msgid "Assured Forwarding(AF) 21"
 msgstr "Assured Forwarding(AF) 21"
 
-#: ../../configuration/trafficpolicy/index.rst:277
+#: ../../configuration/trafficpolicy/index.rst:327
 msgid "Assured Forwarding(AF) 22"
 msgstr "Assured Forwarding(AF) 22"
 
-#: ../../configuration/trafficpolicy/index.rst:279
+#: ../../configuration/trafficpolicy/index.rst:329
 msgid "Assured Forwarding(AF) 23"
 msgstr "Assured Forwarding(AF) 23"
 
-#: ../../configuration/trafficpolicy/index.rst:281
+#: ../../configuration/trafficpolicy/index.rst:331
 msgid "Assured Forwarding(AF) 31"
 msgstr "Assured Forwarding(AF) 31"
 
-#: ../../configuration/trafficpolicy/index.rst:283
+#: ../../configuration/trafficpolicy/index.rst:333
 msgid "Assured Forwarding(AF) 32"
 msgstr "Assured Forwarding(AF) 32"
 
-#: ../../configuration/trafficpolicy/index.rst:285
+#: ../../configuration/trafficpolicy/index.rst:335
 msgid "Assured Forwarding(AF) 33"
 msgstr "Assured Forwarding(AF) 33"
 
-#: ../../configuration/trafficpolicy/index.rst:287
+#: ../../configuration/trafficpolicy/index.rst:337
 msgid "Assured Forwarding(AF) 41"
 msgstr "Assured Forwarding(AF) 41"
 
-#: ../../configuration/trafficpolicy/index.rst:289
+#: ../../configuration/trafficpolicy/index.rst:339
 msgid "Assured Forwarding(AF) 42"
 msgstr "Assured Forwarding(AF) 42"
 
-#: ../../configuration/trafficpolicy/index.rst:291
+#: ../../configuration/trafficpolicy/index.rst:341
 msgid "Assured Forwarding(AF) 43"
 msgstr "Assured Forwarding(AF) 43"
 
-#: ../../configuration/trafficpolicy/index.rst:980
+#: ../../configuration/trafficpolicy/index.rst:1030
 msgid "At every round, the deficit counter adds the quantum so that even large packets will have their opportunity to be dequeued."
 msgstr "At every round, the deficit counter adds the quantum so that even large packets will have their opportunity to be dequeued."
 
@@ -2684,11 +3087,11 @@ msgstr "At the moment it not possible to look at the whole firewall log with VyO
 msgid "At the time of this writing the following displays are supported:"
 msgstr "At the time of this writing the following displays are supported:"
 
-#: ../../configuration/trafficpolicy/index.rst:490
+#: ../../configuration/trafficpolicy/index.rst:540
 msgid "At very low rates (below 3Mbit), besides tuning `quantum` (300 keeps being ok) you may also want to increase `target` to something like 15ms and increase `interval` to something around 150 ms."
 msgstr "At very low rates (below 3Mbit), besides tuning `quantum` (300 keeps being ok) you may also want to increase `target` to something like 15ms and increase `interval` to something around 150 ms."
 
-#: ../../configuration/container/index.rst:42
+#: ../../configuration/container/index.rst:66
 msgid "Attaches user-defined network to a container. Only one network must be specified and must already exist."
 msgstr "Attaches user-defined network to a container. Only one network must be specified and must already exist."
 
@@ -2696,15 +3099,15 @@ msgstr "Attaches user-defined network to a container. Only one network must be s
 msgid "Authentication"
 msgstr "Authentication"
 
-#: ../../configuration/service/ipoe-server.rst:310
-#: ../../configuration/service/pppoe-server.rst:428
-#: ../../configuration/vpn/l2tp.rst:372
+#: ../../configuration/service/ipoe-server.rst:309
+#: ../../configuration/service/pppoe-server.rst:450
+#: ../../configuration/vpn/l2tp.rst:375
 #: ../../configuration/vpn/pptp.rst:296
-#: ../../configuration/vpn/sstp.rst:330
+#: ../../configuration/vpn/sstp.rst:333
 msgid "Authentication Advanced Options"
 msgstr "Authentication Advanced Options"
 
-#: ../../configuration/interfaces/ethernet.rst:115
+#: ../../configuration/interfaces/ethernet.rst:123
 msgid "Authentication (EAPoL)"
 msgstr "Authentication (EAPoL)"
 
@@ -2720,7 +3123,7 @@ msgstr "Authentication application client-secret."
 msgid "Authentication application tenant-id"
 msgstr "Authentication application tenant-id"
 
-#: ../../configuration/interfaces/openvpn.rst:449
+#: ../../configuration/interfaces/openvpn.rst:453
 msgid "Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is shipped with every VyOS installation. A dedicated configuration file is required. It is best practise to store it in ``/config`` to survive image updates"
 msgstr "Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is shipped with every VyOS installation. A dedicated configuration file is required. It is best practise to store it in ``/config`` to survive image updates"
 
@@ -2744,7 +3147,7 @@ msgstr "Authoritative zones"
 msgid "Authorization token"
 msgstr "Authorization token"
 
-#: ../../configuration/service/pppoe-server.rst:228
+#: ../../configuration/service/pppoe-server.rst:247
 msgid "Automatic VLAN Creation"
 msgstr "Automatic VLAN Creation"
 
@@ -2764,6 +3167,10 @@ msgstr "Automatically reboot system on kernel panic after 60 seconds."
 msgid "Autonomous Systems"
 msgstr "Autonomous Systems"
 
+#: ../../configuration/loadbalancing/haproxy.rst:253
+msgid "Available health check protocols:"
+msgstr "Available health check protocols:"
+
 #: ../../configuration/nat/nat44.rst:384
 msgid "Avoiding \"leaky\" NAT"
 msgstr "Avoiding \"leaky\" NAT"
@@ -2844,10 +3251,18 @@ msgstr "BGP roles are defined in RFC :rfc:`9234` and provide an easy way to add
 msgid "BGP routers connected inside the same AS through BGP belong to an internal BGP session, or IBGP. In order to prevent routing table loops, IBGP speaker does not advertise IBGP-learned routes to other IBGP speaker (Split Horizon mechanism). As such, IBGP requires a full mesh of all peers. For large networks, this quickly becomes unscalable."
 msgstr "BGP routers connected inside the same AS through BGP belong to an internal BGP session, or IBGP. In order to prevent routing table loops, IBGP speaker does not advertise IBGP-learned routes to other IBGP speaker (Split Horizon mechanism). As such, IBGP requires a full mesh of all peers. For large networks, this quickly becomes unscalable."
 
-#: ../../configuration/vrf/index.rst:432
+#: ../../configuration/vrf/index.rst:428
 msgid "BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may also be leaked between any VRFs (including the unicast RIB of the default BGP instance). A shortcut syntax is also available for specifying leaking from one VRF to another VRF using the default instance’s VPN RIB as the intemediary . A common application of the VRF-VRF feature is to connect a customer’s private routing domain to a provider’s VPN service. Leaking is configured from the point of view of an individual VRF: import refers to routes leaked from VPN to a unicast VRF, whereas export refers to routes leaked from a unicast VRF to VPN."
 msgstr "BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may also be leaked between any VRFs (including the unicast RIB of the default BGP instance). A shortcut syntax is also available for specifying leaking from one VRF to another VRF using the default instance’s VPN RIB as the intemediary . A common application of the VRF-VRF feature is to connect a customer’s private routing domain to a provider’s VPN service. Leaking is configured from the point of view of an individual VRF: import refers to routes leaked from VPN to a unicast VRF, whereas export refers to routes leaked from a unicast VRF to VPN."
 
+#: ../../configuration/interfaces/wireless.rst:361
+msgid "BSS coloring helps to prevent channel jamming when multiple APs use the same channels."
+msgstr "BSS coloring helps to prevent channel jamming when multiple APs use the same channels."
+
+#: ../../configuration/interfaces/bonding.rst:330
+msgid "BUM traffic is rxed via the overlay by all PEs attached to a server but only the DF can forward the de-capsulated traffic to the access port. To accommodate that non-DF filters are installed in the dataplane to drop the traffic."
+msgstr "BUM traffic is rxed via the overlay by all PEs attached to a server but only the DF can forward the de-capsulated traffic to the access port. To accommodate that non-DF filters are installed in the dataplane to drop the traffic."
+
 #: ../../configuration/protocols/babel.rst:5
 msgid "Babel"
 msgstr "Babel"
@@ -2860,15 +3275,15 @@ msgstr "Babel a dual stack protocol. A single Babel instance is able to perform
 msgid "Babel is a modern routing protocol designed to be robust and efficient both in ordinary wired networks and in wireless mesh networks. By default, it uses hop-count on wired networks and a variant of ETX on wireless links, It can be configured to take radio diversity into account and to automatically compute a link's latency and include it in the metric. It is defined in :rfc:`8966`."
 msgstr "Babel is a modern routing protocol designed to be robust and efficient both in ordinary wired networks and in wireless mesh networks. By default, it uses hop-count on wired networks and a variant of ETX on wireless links, It can be configured to take radio diversity into account and to automatically compute a link's latency and include it in the metric. It is defined in :rfc:`8966`."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:95
+#: ../../configuration/loadbalancing/haproxy.rst:107
 msgid "Backend"
 msgstr "Backend"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:339
+#: ../../configuration/loadbalancing/haproxy.rst:393
 msgid "Backend service certificates are checked against the certificate authority specified in the configuration, which could be an internal CA."
 msgstr "Backend service certificates are checked against the certificate authority specified in the configuration, which could be an internal CA."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:108
+#: ../../configuration/loadbalancing/haproxy.rst:120
 msgid "Balance algorithms:"
 msgstr "Balance algorithms:"
 
@@ -2876,15 +3291,15 @@ msgstr "Balance algorithms:"
 msgid "Balancing Rules"
 msgstr "Balancing Rules"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:252
+#: ../../configuration/loadbalancing/haproxy.rst:304
 msgid "Balancing based on domain name"
 msgstr "Balancing based on domain name"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:365
+#: ../../configuration/loadbalancing/haproxy.rst:419
 msgid "Balancing with HTTP health checks"
 msgstr "Balancing with HTTP health checks"
 
-#: ../../configuration/service/pppoe-server.rst:251
+#: ../../configuration/service/pppoe-server.rst:270
 msgid "Bandwidth Shaping"
 msgstr "Bandwidth Shaping"
 
@@ -2893,7 +3308,7 @@ msgstr "Bandwidth Shaping"
 msgid "Bandwidth Shaping for local users"
 msgstr "Bandwidth Shaping for local users"
 
-#: ../../configuration/service/pppoe-server.rst:253
+#: ../../configuration/service/pppoe-server.rst:272
 msgid "Bandwidth rate limits can be set for local users or RADIUS based attributes."
 msgstr "Bandwidth rate limits can be set for local users or RADIUS based attributes."
 
@@ -2905,11 +3320,19 @@ msgstr "Bandwidth rate limits can be set for local users or via RADIUS based att
 msgid "Bandwidth rate limits can be set for local users within the configuration or via RADIUS based attributes."
 msgstr "Bandwidth rate limits can be set for local users within the configuration or via RADIUS based attributes."
 
-#: ../../configuration/firewall/ipv4.rst:54
+#: ../../configuration/firewall/ipv4.rst:72
+msgid "Base chain for traffic towards the router is ``set firewall ipv4 input filter ...``"
+msgstr "Base chain for traffic towards the router is ``set firewall ipv4 input filter ...``"
+
+#: ../../configuration/firewall/ipv6.rst:72
+msgid "Base chain for traffic towards the router is ``set firewall ipv6 input filter ...``"
+msgstr "Base chain for traffic towards the router is ``set firewall ipv6 input filter ...``"
+
+#: ../../configuration/firewall/ipv4.rst:55
 msgid "Base chain is for traffic toward the router is ``set firewall ipv4 input filter ...``"
 msgstr "Base chain is for traffic toward the router is ``set firewall ipv4 input filter ...``"
 
-#: ../../configuration/firewall/ipv6.rst:54
+#: ../../configuration/firewall/ipv6.rst:55
 msgid "Base chain is for traffic toward the router is ``set firewall ipv6 input filter ...``"
 msgstr "Base chain is for traffic toward the router is ``set firewall ipv6 input filter ...``"
 
@@ -2941,7 +3364,12 @@ msgstr "Basic setup"
 msgid "Be sure to set a sane default config in the default config file, this will be loaded in the case that a user is authenticated and no file is found in the configured directory matching the users username/group."
 msgstr "Be sure to set a sane default config in the default config file, this will be loaded in the case that a user is authenticated and no file is found in the configured directory matching the users username/group."
 
-#: ../../configuration/interfaces/wireless.rst:235
+#: ../../configuration/interfaces/wireless.rst:103
+msgid "Beacon Protection: management frame protection for Beacon frames."
+msgstr "Beacon Protection: management frame protection for Beacon frames."
+
+#: ../../configuration/interfaces/wireless.rst:266
+#: ../../configuration/interfaces/wireless.rst:349
 msgid "Beamforming capabilities:"
 msgstr "Beamforming capabilities:"
 
@@ -2953,11 +3381,19 @@ msgstr "Because an aggregator cannot be active without at least one available li
 msgid "Because existing sessions do not automatically fail over to a new path, the session table can be flushed on each connection state change:"
 msgstr "Because existing sessions do not automatically fail over to a new path, the session table can be flushed on each connection state change:"
 
-#: ../../configuration/interfaces/ethernet.rst:86
+#: ../../configuration/interfaces/ethernet.rst:94
 msgid "Before enabling any hardware segmentation offload a corresponding software offload is required in GSO. Otherwise it becomes possible for a frame to be re-routed between devices and end up being unable to be transmitted."
 msgstr "Before enabling any hardware segmentation offload a corresponding software offload is required in GSO. Otherwise it becomes possible for a frame to be re-routed between devices and end up being unable to be transmitted."
 
-#: ../../configuration/firewall/zone.rst:103
+#: ../../configuration/firewall/groups.rst:327
+msgid "Before testing, we can check members of firewall groups:"
+msgstr "Before testing, we can check members of firewall groups:"
+
+#: ../../configuration/firewall/groups.rst:327
+msgid "Before testing, we can check the members of firewall groups:"
+msgstr "Before testing, we can check the members of firewall groups:"
+
+#: ../../configuration/firewall/zone.rst:100
 msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."
 msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first."
 
@@ -2973,7 +3409,7 @@ msgstr "Below flow-chart could be a quick reference for the close-action combina
 msgid "Below is an example to configure a LNS:"
 msgstr "Below is an example to configure a LNS:"
 
-#: ../../configuration/trafficpolicy/index.rst:267
+#: ../../configuration/trafficpolicy/index.rst:317
 msgid "Best effort traffic, default"
 msgstr "Best effort traffic, default"
 
@@ -2985,11 +3421,11 @@ msgstr "Between computers, the most common configuration used was \"8N1\": eight
 msgid "Bidirectional NAT"
 msgstr "Bidirectional NAT"
 
-#: ../../configuration/trafficpolicy/index.rst:262
+#: ../../configuration/trafficpolicy/index.rst:312
 msgid "Binary value"
 msgstr "Binary value"
 
-#: ../../configuration/container/index.rst:153
+#: ../../configuration/container/index.rst:208
 msgid "Bind container network to a given VRF instance."
 msgstr "Bind container network to a given VRF instance."
 
@@ -3005,11 +3441,11 @@ msgstr "Binds eth1.241 and vxlan241 to each other by making them both member int
 msgid "Blackhole"
 msgstr "Blackhole"
 
-#: ../../configuration/service/ssh.rst:130
+#: ../../configuration/service/ssh.rst:150
 msgid "Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 The default is 120."
 msgstr "Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 The default is 120."
 
-#: ../../configuration/service/ssh.rst:139
+#: ../../configuration/service/ssh.rst:159
 msgid "Block source IP when their cumulative attack score exceeds threshold. The default is 30."
 msgstr "Block source IP when their cumulative attack score exceeds threshold. The default is 30."
 
@@ -3049,7 +3485,7 @@ msgstr "Both local administered and remote administered :abbr:`RADIUS (Remote Au
 msgid "Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on."
 msgstr "Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on."
 
-#: ../../configuration/interfaces/openvpn.rst:428
+#: ../../configuration/interfaces/openvpn.rst:432
 msgid "Branch 1's router might have the following lines:"
 msgstr "Branch 1's router might have the following lines:"
 
@@ -3069,12 +3505,12 @@ msgstr "Bridge Firewall Configuration"
 msgid "Bridge Options"
 msgstr "Bridge Options"
 
-#: ../../configuration/firewall/bridge.rst:56
+#: ../../configuration/firewall/bridge.rst:75
 msgid "Bridge Rules"
 msgstr "Bridge Rules"
 
-#: ../../configuration/interfaces/bridge.rst:207
-#: ../../configuration/interfaces/bridge.rst:242
+#: ../../configuration/interfaces/bridge.rst:206
+#: ../../configuration/interfaces/bridge.rst:241
 msgid "Bridge answers on IP address 192.0.2.1/24 and 2001:db8::ffff/64"
 msgstr "Bridge answers on IP address 192.0.2.1/24 and 2001:db8::ffff/64"
 
@@ -3082,11 +3518,11 @@ msgstr "Bridge answers on IP address 192.0.2.1/24 and 2001:db8::ffff/64"
 msgid "Bridge maximum aging `<time>` in seconds (default: 20)."
 msgstr "Bridge maximum aging `<time>` in seconds (default: 20)."
 
-#: ../../configuration/service/ipoe-server.rst:360
-#: ../../configuration/service/pppoe-server.rst:526
-#: ../../configuration/vpn/l2tp.rst:480
+#: ../../configuration/service/ipoe-server.rst:359
+#: ../../configuration/service/pppoe-server.rst:551
+#: ../../configuration/vpn/l2tp.rst:485
 #: ../../configuration/vpn/pptp.rst:404
-#: ../../configuration/vpn/sstp.rst:438
+#: ../../configuration/vpn/sstp.rst:443
 msgid "Burst count"
 msgstr "Burst count"
 
@@ -3118,6 +3554,10 @@ msgstr "By default, ddclient_ will update a dynamic dns record using the IP addr
 msgid "By default, enabling RPKI does not change best path selection. In particular, invalid prefixes will still be considered during best path selection. However, the router can be configured to ignore all invalid prefixes."
 msgstr "By default, enabling RPKI does not change best path selection. In particular, invalid prefixes will still be considered during best path selection. However, the router can be configured to ignore all invalid prefixes."
 
+#: ../../configuration/firewall/bridge.rst:430
+msgid "By default, for switched traffic, only the rules defined under ``set firewall bridge`` are applied. There are two global-options that can be configured in order to force deeper analysis of the packet on the IP layer. These options are:"
+msgstr "By default, for switched traffic, only the rules defined under ``set firewall bridge`` are applied. There are two global-options that can be configured in order to force deeper analysis of the packet on the IP layer. These options are:"
+
 #: ../../configuration/protocols/ospf.rst:534
 #: ../../configuration/protocols/ospf.rst:1246
 msgid "By default, it supports both planned and unplanned outages."
@@ -3131,7 +3571,7 @@ msgstr "By default, locally advertised prefixes use the implicit-null label to e
 msgid "By default, nginx exposes the local API on all virtual servers. Use this to restrict nginx to one or more virtual hosts."
 msgstr "By default, nginx exposes the local API on all virtual servers. Use this to restrict nginx to one or more virtual hosts."
 
-#: ../../configuration/system/flow-accounting.rst:60
+#: ../../configuration/system/flow-accounting.rst:64
 msgid "By default, recorded flows will be saved internally and can be listed with the CLI command. You may disable using the local in-memory table with the command:"
 msgstr "By default, recorded flows will be saved internally and can be listed with the CLI command. You may disable using the local in-memory table with the command:"
 
@@ -3139,7 +3579,7 @@ msgstr "By default, recorded flows will be saved internally and can be listed wi
 msgid "By default, the BGP prefix is advertised even if it's not present in the routing table. This behaviour differs from the implementation of some vendors."
 msgstr "By default, the BGP prefix is advertised even if it's not present in the routing table. This behaviour differs from the implementation of some vendors."
 
-#: ../../configuration/interfaces/wireless.rst:73
+#: ../../configuration/interfaces/wireless.rst:85
 msgid "By default, this bridging is allowed."
 msgstr "By default, this bridging is allowed."
 
@@ -3147,6 +3587,10 @@ msgstr "By default, this bridging is allowed."
 msgid "By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall."
 msgstr "By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall."
 
+#: ../../configuration/firewall/global-options.rst:27
+msgid "By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you prevent it through its firewall."
+msgstr "By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you prevent it through its firewall."
+
 #: ../../configuration/highavailability/index.rst:190
 msgid "By default VRRP uses multicast packets. If your network does not support multicast for whatever reason, you can make VRRP use unicast communication instead."
 msgstr "By default VRRP uses multicast packets. If your network does not support multicast for whatever reason, you can make VRRP use unicast communication instead."
@@ -3160,7 +3604,7 @@ msgstr "By default VRRP uses preemption. You can disable it with the \"no-preemp
 msgid "By default `strict-lsa-checking` is configured then the helper will abort the Graceful Restart when a LSA change occurs which affects the restarting router."
 msgstr "By default `strict-lsa-checking` is configured then the helper will abort the Graceful Restart when a LSA change occurs which affects the restarting router."
 
-#: ../../configuration/vrf/index.rst:35
+#: ../../configuration/vrf/index.rst:31
 msgid "By default the scope of the port bindings for unbound sockets is limited to the default VRF. That is, it will not be matched by packets arriving on interfaces enslaved to a VRF and processes may bind to the same port if they bind to a VRF."
 msgstr "By default the scope of the port bindings for unbound sockets is limited to the default VRF. That is, it will not be matched by packets arriving on interfaces enslaved to a VRF and processes may bind to the same port if they bind to a VRF."
 
@@ -3172,7 +3616,7 @@ msgstr "By using Pseudo-Ethernet interfaces there will be less system overhead c
 msgid "Bypassing the webproxy"
 msgstr "Bypassing the webproxy"
 
-#: ../../configuration/trafficpolicy/index.rst:1151
+#: ../../configuration/trafficpolicy/index.rst:1201
 msgid "CAKE"
 msgstr "CAKE"
 
@@ -3180,7 +3624,15 @@ msgstr "CAKE"
 msgid "CA (Certificate Authority)"
 msgstr "CA (Certificate Authority)"
 
-#: ../../configuration/trafficpolicy/index.rst:793
+#: ../../configuration/nat/cgnat.rst:5
+msgid "CGNAT"
+msgstr "CGNAT"
+
+#: ../../configuration/nat/cgnat.rst:17
+msgid "CGNAT works by placing a NAT device within the ISP's network. This device translates private IP addresses from customer networks to a limited pool of public IP addresses assigned to the ISP. This allows many customers to share a smaller number of public IP addresses."
+msgstr "CGNAT works by placing a NAT device within the ISP's network. This device translates private IP addresses from customer networks to a limited pool of public IP addresses assigned to the ISP. This allows many customers to share a smaller number of public IP addresses."
+
+#: ../../configuration/trafficpolicy/index.rst:843
 msgid "CRITIC/ECP"
 msgstr "CRITIC/ECP"
 
@@ -3210,11 +3662,11 @@ msgstr "Certificate revocation list in PEM format."
 msgid "Certificates"
 msgstr "Certificates"
 
-#: ../../configuration/system/option.rst:96
+#: ../../configuration/system/option.rst:116
 msgid "Change system keyboard layout to given language."
 msgstr "Change system keyboard layout to given language."
 
-#: ../../configuration/firewall/zone.rst:94
+#: ../../configuration/firewall/zone.rst:91
 msgid "Change the default-action with this setting."
 msgstr "Change the default-action with this setting."
 
@@ -3226,14 +3678,22 @@ msgstr "Changes in BGP policies require the BGP session to be cleared. Clearing
 msgid "Changes to the NAT system only affect newly established connections. Already established connections are not affected."
 msgstr "Changes to the NAT system only affect newly established connections. Already established connections are not affected."
 
-#: ../../configuration/system/option.rst:100
+#: ../../configuration/system/option.rst:120
 msgid "Changing the keymap only has an effect on the system console, using SSH or Serial remote access to the device is not affected as the keyboard layout here corresponds to your access system."
 msgstr "Changing the keymap only has an effect on the system console, using SSH or Serial remote access to the device is not affected as the keyboard layout here corresponds to your access system."
 
-#: ../../configuration/interfaces/wireless.rst:44
+#: ../../configuration/interfaces/wireless.rst:63
+msgid "Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n/ax) channels range from 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 177. On 6GHz (802.11 ax) channels range from 1 to 233."
+msgstr "Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n/ax) channels range from 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 177. On 6GHz (802.11 ax) channels range from 1 to 233."
+
+#: ../../configuration/interfaces/wireless.rst:55
 msgid "Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173"
 msgstr "Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173"
 
+#: ../../configuration/interfaces/wireless.rst:63
+msgid "Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173. On 6GHz (802.11 ax) channels range from 1 to 233."
+msgstr "Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173. On 6GHz (802.11 ax) channels range from 1 to 233."
+
 #: ../../configuration/system/updates.rst:28
 msgid "Check:"
 msgstr "Check:"
@@ -3242,7 +3702,7 @@ msgstr "Check:"
 msgid "Check if the Intel® QAT device is up and ready to do the job."
 msgstr "Check if the Intel® QAT device is up and ready to do the job."
 
-#: ../../configuration/interfaces/openvpn.rst:706
+#: ../../configuration/interfaces/openvpn.rst:847
 msgid "Check status"
 msgstr "Check status"
 
@@ -3254,15 +3714,19 @@ msgstr "Check the many parameters available for the `show ipv6 route` command:"
 msgid "Checking connections"
 msgstr "Checking connections"
 
-#: ../../configuration/firewall/flowtables.rst:165
+#: ../../configuration/firewall/flowtables.rst:166
 msgid "Checks"
 msgstr "Checks"
 
+#: ../../configuration/service/suricata.rst:82
+msgid "Checks for the existence of the Suricata configuration file, updates the service, and then restarts it. If the configuration file is not found, a message indicates that Suricata is not configured."
+msgstr "Checks for the existence of the Suricata configuration file, updates the service, and then restarts it. If the configuration file is not found, a message indicates that Suricata is not configured."
+
 #: ../../configuration/service/tftp-server.rst:21
 msgid "Choose your ``directory`` location carefully or you will loose the content on image upgrades. Any directory under ``/config`` is save at this will be migrated."
 msgstr "Choose your ``directory`` location carefully or you will loose the content on image upgrades. Any directory under ``/config`` is save at this will be migrated."
 
-#: ../../configuration/interfaces/bonding.rst:322
+#: ../../configuration/interfaces/bonding.rst:375
 msgid "Cisco Catalyst"
 msgstr "Cisco Catalyst"
 
@@ -3274,7 +3738,7 @@ msgstr "Cisco and Allied Telesyn call it Private VLAN"
 msgid "Clamp MSS for a specific IP"
 msgstr "Clamp MSS for a specific IP"
 
-#: ../../configuration/trafficpolicy/index.rst:227
+#: ../../configuration/trafficpolicy/index.rst:277
 msgid "Class treatment"
 msgstr "Class treatment"
 
@@ -3290,7 +3754,7 @@ msgstr "Classless static route"
 msgid "Clear all BGP extcommunities."
 msgstr "Clear all BGP extcommunities."
 
-#: ../../configuration/interfaces/openvpn.rst:571
+#: ../../configuration/interfaces/openvpn.rst:575
 msgid "Client"
 msgstr "Client"
 
@@ -3302,19 +3766,20 @@ msgstr "Client:"
 msgid "Client Address Pools"
 msgstr "Client Address Pools"
 
-#: ../../configuration/interfaces/openvpn.rst:440
+#: ../../configuration/interfaces/openvpn.rst:444
 msgid "Client Authentication"
 msgstr "Client Authentication"
 
+#: ../../configuration/vpn/ipsec.rst:512
 #: ../../configuration/vpn/remoteaccess_ipsec.rst:137
 msgid "Client Configuration"
 msgstr "Client Configuration"
 
-#: ../../configuration/service/ipoe-server.rst:328
-#: ../../configuration/service/pppoe-server.rst:446
-#: ../../configuration/vpn/l2tp.rst:400
+#: ../../configuration/service/ipoe-server.rst:327
+#: ../../configuration/service/pppoe-server.rst:469
+#: ../../configuration/vpn/l2tp.rst:403
 #: ../../configuration/vpn/pptp.rst:324
-#: ../../configuration/vpn/sstp.rst:358
+#: ../../configuration/vpn/sstp.rst:361
 msgid "Client IP Pool Advanced Options"
 msgstr "Client IP Pool Advanced Options"
 
@@ -3322,10 +3787,14 @@ msgstr "Client IP Pool Advanced Options"
 msgid "Client IP addresses will be provided from pool `192.0.2.0/25`"
 msgstr "Client IP addresses will be provided from pool `192.0.2.0/25`"
 
-#: ../../configuration/interfaces/openvpn.rst:614
+#: ../../configuration/interfaces/openvpn.rst:618
 msgid "Client Side"
 msgstr "Client Side"
 
+#: ../../configuration/interfaces/openvpn.rst:700
+msgid "Client Side :"
+msgstr "Client Side :"
+
 #: ../../configuration/service/ipoe-server.rst:186
 msgid "Client configuration"
 msgstr "Client configuration"
@@ -3338,11 +3807,11 @@ msgstr "Client domain name"
 msgid "Client domain search"
 msgstr "Client domain search"
 
-#: ../../configuration/interfaces/wireless.rst:70
+#: ../../configuration/interfaces/wireless.rst:82
 msgid "Client isolation can be used to prevent low-level bridging of frames between associated stations in the BSS."
 msgstr "Client isolation can be used to prevent low-level bridging of frames between associated stations in the BSS."
 
-#: ../../configuration/interfaces/openvpn.rst:399
+#: ../../configuration/interfaces/openvpn.rst:403
 msgid "Clients are identified by the CN field of their x.509 certificates, in this example the CN is ``client0``:"
 msgstr "Clients are identified by the CN field of their x.509 certificates, in this example the CN is ``client0``:"
 
@@ -3350,7 +3819,7 @@ msgstr "Clients are identified by the CN field of their x.509 certificates, in t
 msgid "Clients receiving advertise messages from multiple servers choose the server with the highest preference value. The range for this value is ``0...255``."
 msgstr "Clients receiving advertise messages from multiple servers choose the server with the highest preference value. The range for this value is ``0...255``."
 
-#: ../../configuration/system/syslog.rst:130
+#: ../../configuration/system/syslog.rst:148
 msgid "Clock daemon"
 msgstr "Clock daemon"
 
@@ -3358,25 +3827,29 @@ msgstr "Clock daemon"
 msgid "Command completion can be used to list available time zones. The adjustment for daylight time will take place automatically based on the time of year."
 msgstr "Command completion can be used to list available time zones. The adjustment for daylight time will take place automatically based on the time of year."
 
-#: ../../configuration/firewall/bridge.rst:216
-#: ../../configuration/firewall/ipv4.rst:298
-#: ../../configuration/firewall/ipv6.rst:298
+#: ../../configuration/firewall/bridge.rst:321
+#: ../../configuration/firewall/ipv4.rst:323
+#: ../../configuration/firewall/ipv6.rst:323
 msgid "Command for disabling a rule but keep it in the configuration."
 msgstr "Command for disabling a rule but keep it in the configuration."
 
-#: ../../configuration/vrf/index.rst:147
+#: ../../configuration/vrf/index.rst:143
 msgid "Command should probably be extended to list also the real interfaces assigned to this one VRF to get a better overview."
 msgstr "Command should probably be extended to list also the real interfaces assigned to this one VRF to get a better overview."
 
-#: ../../configuration/firewall/ipv4.rst:1202
-#: ../../configuration/firewall/ipv6.rst:1195
+#: ../../configuration/firewall/ipv4.rst:1306
+#: ../../configuration/firewall/ipv6.rst:1305
 msgid "Command used to update GeoIP database and firewall sets."
 msgstr "Command used to update GeoIP database and firewall sets."
 
-#: ../../configuration/firewall/flowtables.rst:119
+#: ../../configuration/firewall/flowtables.rst:120
 msgid "Commands"
 msgstr "Commands"
 
+#: ../../configuration/firewall/groups.rst:175
+msgid "Commands used for this task are:"
+msgstr "Commands used for this task are:"
+
 #: ../../configuration/service/dhcp-server.rst:436
 msgid "Common configuration, valid for both primary and secondary node."
 msgstr "Common configuration, valid for both primary and secondary node."
@@ -3404,6 +3877,14 @@ msgstr "Common interface configuration"
 msgid "Common parameters"
 msgstr "Common parameters"
 
+#: ../../configuration/interfaces/openvpn.rst:634
+msgid "Compression is generally not recommended. VPN tunnels which use compression are susceptible to the VORALCE attack vector. Enable compression if needed."
+msgstr "Compression is generally not recommended. VPN tunnels which use compression are susceptible to the VORALCE attack vector. Enable compression if needed."
+
+#: ../../configuration/service/suricata.rst:92
+msgid "Conclusion"
+msgstr "Conclusion"
+
 #: ../../configuration/protocols/bgp.rst:949
 msgid "Confederation Configuration"
 msgstr "Confederation Configuration"
@@ -3412,10 +3893,14 @@ msgstr "Confederation Configuration"
 msgid "Confidentiality – Encryption of packets to prevent snooping by an unauthorized source."
 msgstr "Confidentiality – Encryption of packets to prevent snooping by an unauthorized source."
 
+#: ../../configuration/service/config-sync.rst:5
+msgid "Config Sync"
+msgstr "Config Sync"
+
 #: ../../configuration/container/index.rst:12
 #: ../../configuration/firewall/global-options.rst:23
 #: ../../configuration/firewall/groups.rst:11
-#: ../../configuration/firewall/zone.rst:66
+#: ../../configuration/firewall/zone.rst:63
 #: ../../configuration/interfaces/bonding.rst:17
 #: ../../configuration/interfaces/bridge.rst:21
 #: ../../configuration/interfaces/dummy.rst:28
@@ -3424,7 +3909,7 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/interfaces/l2tpv3.rst:31
 #: ../../configuration/interfaces/loopback.rst:26
 #: ../../configuration/interfaces/macsec.rst:20
-#: ../../configuration/interfaces/openvpn.rst:585
+#: ../../configuration/interfaces/openvpn.rst:589
 #: ../../configuration/interfaces/pppoe.rst:59
 #: ../../configuration/interfaces/pseudo-ethernet.rst:45
 #: ../../configuration/interfaces/sstp-client.rst:20
@@ -3433,7 +3918,8 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/interfaces/vxlan.rst:39
 #: ../../configuration/interfaces/wireless.rst:30
 #: ../../configuration/interfaces/wwan.rst:16
-#: ../../configuration/loadbalancing/reverse-proxy.rst:13
+#: ../../configuration/loadbalancing/haproxy.rst:13
+#: ../../configuration/nat/cgnat.rst:73
 #: ../../configuration/nat/nat44.rst:705
 #: ../../configuration/policy/access-list.rst:13
 #: ../../configuration/policy/as-path-list.rst:10
@@ -3447,10 +3933,12 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/protocols/bgp.rst:164
 #: ../../configuration/protocols/igmp-proxy.rst:14
 #: ../../configuration/protocols/isis.rst:28
+#: ../../configuration/protocols/openfabric.rst:20
 #: ../../configuration/protocols/ospf.rst:22
 #: ../../configuration/protocols/ospf.rst:1076
 #: ../../configuration/protocols/rpki.rst:102
 #: ../../configuration/service/broadcast-relay.rst:18
+#: ../../configuration/service/config-sync.rst:24
 #: ../../configuration/service/conntrack-sync.rst:38
 #: ../../configuration/service/console-server.rst:21
 #: ../../configuration/service/dhcp-relay.rst:19
@@ -3467,13 +3955,14 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/service/router-advert.rst:28
 #: ../../configuration/service/salt-minion.rst:25
 #: ../../configuration/service/ssh.rst:36
+#: ../../configuration/service/suricata.rst:38
 #: ../../configuration/service/tftp-server.rst:14
 #: ../../configuration/service/webproxy.rst:21
 #: ../../configuration/system/default-route.rst:12
 #: ../../configuration/system/flow-accounting.rst:43
 #: ../../configuration/system/lcd.rst:17
-#: ../../configuration/system/login.rst:245
-#: ../../configuration/system/login.rst:314
+#: ../../configuration/system/login.rst:251
+#: ../../configuration/system/login.rst:320
 #: ../../configuration/system/sflow.rst:12
 #: ../../configuration/system/updates.rst:8
 #: ../../configuration/vpn/dmvpn.rst:38
@@ -3481,26 +3970,27 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/vpn/openconnect.rst:21
 #: ../../configuration/vpn/sstp.rst:40
 #: ../../configuration/vrf/index.rst:16
-#: ../../configuration/vrf/index.rst:272
-#: ../../configuration/vrf/index.rst:307
-#: ../../configuration/vrf/index.rst:455
+#: ../../configuration/vrf/index.rst:268
+#: ../../configuration/vrf/index.rst:303
+#: ../../configuration/vrf/index.rst:451
 msgid "Configuration"
 msgstr "Configuration"
 
-#: ../../configuration/firewall/flowtables.rst:100
+#: ../../configuration/firewall/flowtables.rst:101
 #: ../../configuration/protocols/babel.rst:188
 #: ../../configuration/protocols/ospf.rst:1316
 #: ../../configuration/protocols/pim6.rst:78
 #: ../../configuration/protocols/rip.rst:239
 #: ../../configuration/protocols/segment-routing.rst:187
-#: ../../configuration/system/login.rst:283
-#: ../../configuration/system/login.rst:354
+#: ../../configuration/system/login.rst:289
+#: ../../configuration/system/login.rst:360
 msgid "Configuration Example"
 msgstr "Configuration Example"
 
+#: ../../configuration/nat/cgnat.rst:108
 #: ../../configuration/nat/nat44.rst:325
 #: ../../configuration/nat/nat64.rst:38
-#: ../../configuration/nat/nat66.rst:109
+#: ../../configuration/nat/nat66.rst:121
 msgid "Configuration Examples"
 msgstr "Configuration Examples"
 
@@ -3516,7 +4006,7 @@ msgstr "Configuration Options"
 msgid "Configuration commands covered in this section:"
 msgstr "Configuration commands covered in this section:"
 
-#: ../../configuration/vpn/ipsec.rst:288
+#: ../../configuration/vpn/ipsec.rst:308
 msgid "Configuration commands for the private and public key will be displayed on the screen which needs to be set on the router first. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:"
 msgstr "Configuration commands for the private and public key will be displayed on the screen which needs to be set on the router first. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:"
 
@@ -3524,11 +4014,11 @@ msgstr "Configuration commands for the private and public key will be displayed
 msgid "Configuration commands will display. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:"
 msgstr "Configuration commands will display. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:"
 
-#: ../../configuration/firewall/bridge.rst:323
+#: ../../configuration/firewall/bridge.rst:488
 msgid "Configuration example:"
 msgstr "Configuration example:"
 
-#: ../../configuration/vrf/index.rst:449
+#: ../../configuration/vrf/index.rst:445
 msgid "Configuration for these exported routes must, at a minimum, specify these two parameters."
 msgstr "Configuration for these exported routes must, at a minimum, specify these two parameters."
 
@@ -3544,10 +4034,22 @@ msgstr "Configuration of a DHCP HA pair:"
 msgid "Configuration of a DHCP failover pair"
 msgstr "Configuration of a DHCP failover pair"
 
-#: ../../configuration/vrf/index.rst:457
+#: ../../configuration/vrf/index.rst:453
 msgid "Configuration of route leaking between a unicast VRF RIB and the VPN SAFI RIB of the default VRF is accomplished via commands in the context of a VRF address-family."
 msgstr "Configuration of route leaking between a unicast VRF RIB and the VPN SAFI RIB of the default VRF is accomplished via commands in the context of a VRF address-family."
 
+#: ../../configuration/service/suricata.rst:69
+msgid "Configuration of the logging file."
+msgstr "Configuration of the logging file."
+
+#: ../../configuration/service/config-sync.rst:113
+msgid "Configuration resynchronization. With the current implementation of `service config-sync`, the secondary node must be online."
+msgstr "Configuration resynchronization. With the current implementation of `service config-sync`, the secondary node must be online."
+
+#: ../../configuration/service/config-sync.rst:7
+msgid "Configuration synchronization (config sync) is a feature of VyOS that permits synchronization of the configuration of one VyOS router to another in a network."
+msgstr "Configuration synchronization (config sync) is a feature of VyOS that permits synchronization of the configuration of one VyOS router to another in a network."
+
 #: ../../configuration/protocols/static.rst:199
 #: ../../configuration/system/conntrack.rst:12
 msgid "Configure"
@@ -3565,7 +4067,7 @@ msgstr "Configure DNS `<record>` which should be updated. This can be set multip
 msgid "Configure DNS `<zone>` to be updated."
 msgstr "Configure DNS `<zone>` to be updated."
 
-#: ../../configuration/interfaces/geneve.rst:53
+#: ../../configuration/interfaces/geneve.rst:77
 msgid "Configure GENEVE tunnel far end/remote tunnel endpoint."
 msgstr "Configure GENEVE tunnel far end/remote tunnel endpoint."
 
@@ -3587,16 +4089,16 @@ msgstr "Configure ICMP threshold parameters."
 msgid "Configure IP address of the DHCP `<server>` which will handle the relayed packets."
 msgstr "Configure IP address of the DHCP `<server>` which will handle the relayed packets."
 
-#: ../../configuration/service/ipoe-server.rst:162
-#: ../../configuration/service/pppoe-server.rst:124
+#: ../../configuration/service/ipoe-server.rst:161
+#: ../../configuration/service/pppoe-server.rst:127
 #: ../../configuration/vpn/l2tp.rst:167
 #: ../../configuration/vpn/pptp.rst:107
 #: ../../configuration/vpn/sstp.rst:140
 msgid "Configure RADIUS `<server>` and its required port for authentication requests."
 msgstr "Configure RADIUS `<server>` and its required port for authentication requests."
 
-#: ../../configuration/service/ipoe-server.rst:128
-#: ../../configuration/service/pppoe-server.rst:90
+#: ../../configuration/service/ipoe-server.rst:127
+#: ../../configuration/service/pppoe-server.rst:91
 #: ../../configuration/vpn/l2tp.rst:133
 #: ../../configuration/vpn/pptp.rst:73
 #: ../../configuration/vpn/sstp.rst:106
@@ -3619,11 +4121,11 @@ msgstr "Configure UDP threshold parameters"
 msgid "Configure :abbr:`MTU (Maximum Transmission Unit)` on given `<interface>`. It is the size (in bytes) of the largest ethernet frame sent on this link."
 msgstr "Configure :abbr:`MTU (Maximum Transmission Unit)` on given `<interface>`. It is the size (in bytes) of the largest ethernet frame sent on this link."
 
-#: ../../configuration/system/login.rst:379
+#: ../../configuration/system/login.rst:385
 msgid "Configure `<message>` which is shown after user has logged in to the system."
 msgstr "Configure `<message>` which is shown after user has logged in to the system."
 
-#: ../../configuration/system/login.rst:374
+#: ../../configuration/system/login.rst:380
 msgid "Configure `<message>` which is shown during SSH connect and before a user is logged in."
 msgstr "Configure `<message>` which is shown during SSH connect and before a user is logged in."
 
@@ -3647,7 +4149,7 @@ msgstr "Configure `<username>` used when authenticating the update request for D
 msgid "Configure a URL that contains information about images."
 msgstr "Configure a URL that contains information about images."
 
-#: ../../configuration/system/flow-accounting.rst:158
+#: ../../configuration/system/flow-accounting.rst:162
 msgid "Configure a sFlow agent address. It can be IPv4 or IPv6 address, but you must set the same protocol, which is used for sFlow collector addresses. By default, using router-id from BGP or OSPF protocol, or the primary IP address from the first interface."
 msgstr "Configure a sFlow agent address. It can be IPv4 or IPv6 address, but you must set the same protocol, which is used for sFlow collector addresses. By default, using router-id from BGP or OSPF protocol, or the primary IP address from the first interface."
 
@@ -3661,7 +4163,7 @@ msgstr "Configure a static route for <subnet> using gateway <address> , use sour
 msgid "Configure a static route for <subnet> using gateway <address> and use the gateway address as BFD peer destination address."
 msgstr "Configure a static route for <subnet> using gateway <address> and use the gateway address as BFD peer destination address."
 
-#: ../../configuration/system/flow-accounting.rst:106
+#: ../../configuration/system/flow-accounting.rst:110
 msgid "Configure address of NetFlow collector. NetFlow server at `<address>` can be both listening on an IPv4 or IPv6 address."
 msgstr "Configure address of NetFlow collector. NetFlow server at `<address>` can be both listening on an IPv4 or IPv6 address."
 
@@ -3669,7 +4171,7 @@ msgstr "Configure address of NetFlow collector. NetFlow server at `<address>` ca
 msgid "Configure address of sFlow collector. sFlow server at <address> can be both listening on an IPv4 or IPv6 address."
 msgstr "Configure address of sFlow collector. sFlow server at <address> can be both listening on an IPv4 or IPv6 address."
 
-#: ../../configuration/system/flow-accounting.rst:148
+#: ../../configuration/system/flow-accounting.rst:152
 msgid "Configure address of sFlow collector. sFlow server at `<address>` can be an IPv4 or IPv6 address. But you cannot export to both IPv4 and IPv6 collectors at the same time!"
 msgstr "Configure address of sFlow collector. sFlow server at `<address>` can be an IPv4 or IPv6 address. But you cannot export to both IPv4 and IPv6 collectors at the same time!"
 
@@ -3693,7 +4195,7 @@ msgstr "Configure an accounting server and enable accounting with:"
 msgid "Configure and enable collection of flow information for the interface identified by <interface>."
 msgstr "Configure and enable collection of flow information for the interface identified by <interface>."
 
-#: ../../configuration/system/flow-accounting.rst:50
+#: ../../configuration/system/flow-accounting.rst:54
 msgid "Configure and enable collection of flow information for the interface identified by `<interface>`."
 msgstr "Configure and enable collection of flow information for the interface identified by `<interface>`."
 
@@ -3701,11 +4203,11 @@ msgstr "Configure and enable collection of flow information for the interface id
 msgid "Configure auto-checking for new images"
 msgstr "Configure auto-checking for new images"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:114
+#: ../../configuration/loadbalancing/haproxy.rst:126
 msgid "Configure backend `<name>` mode TCP or HTTP"
 msgstr "Configure backend `<name>` mode TCP or HTTP"
 
-#: ../../configuration/nat/nat66.rst:148
+#: ../../configuration/nat/nat66.rst:160
 msgid "Configure both routers (a and b) for DHCPv6-PD via dummy interface:"
 msgstr "Configure both routers (a and b) for DHCPv6-PD via dummy interface:"
 
@@ -3754,6 +4256,10 @@ msgstr "Configure listen interface for mirroring traffic."
 msgid "Configure local IPv4 address to listen for sflow."
 msgstr "Configure local IPv4 address to listen for sflow."
 
+#: ../../configuration/interfaces/openvpn.rst:740
+msgid "Configure maximum allowed clock slop in seconds (default: 180)"
+msgstr "Configure maximum allowed clock slop in seconds (default: 180)"
+
 #: ../../configuration/service/snmp.rst:148
 msgid "Configure new SNMP user named \"vyos\" with password \"vyos12345678\""
 msgstr "Configure new SNMP user named \"vyos\" with password \"vyos12345678\""
@@ -3770,7 +4276,11 @@ msgstr "Configure next-hop `<address>` for an IPv4 static route. Multiple static
 msgid "Configure next-hop `<address>` for an IPv6 static route. Multiple static routes can be created."
 msgstr "Configure next-hop `<address>` for an IPv6 static route. Multiple static routes can be created."
 
-#: ../../configuration/system/option.rst:125
+#: ../../configuration/interfaces/openvpn.rst:732
+msgid "Configure number of digits to use for totp hash (default: 6)"
+msgstr "Configure number of digits to use for totp hash (default: 6)"
+
+#: ../../configuration/system/option.rst:145
 msgid "Configure one of the predefined system performance profiles."
 msgstr "Configure one of the predefined system performance profiles."
 
@@ -3810,7 +4320,11 @@ msgstr "Configure port number of remote VXLAN endpoint."
 msgid "Configure port number to be used for sflow conection. Default port is 6343."
 msgstr "Configure port number to be used for sflow conection. Default port is 6343."
 
-#: ../../configuration/system/syslog.rst:73
+#: ../../configuration/service/ids.rst:59
+msgid "Configure port number to be used for sflow connection. Default port is 6343."
+msgstr "Configure port number to be used for sflow connection. Default port is 6343."
+
+#: ../../configuration/system/syslog.rst:91
 msgid "Configure protocol used for communication to remote syslog host. This can be either UDP or TCP."
 msgstr "Configure protocol used for communication to remote syslog host. This can be either UDP or TCP."
 
@@ -3818,11 +4332,11 @@ msgstr "Configure protocol used for communication to remote syslog host. This ca
 msgid "Configure proxy port if it does not listen to the default port 80."
 msgstr "Configure proxy port if it does not listen to the default port 80."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:150
+#: ../../configuration/loadbalancing/haproxy.rst:157
 msgid "Configure requests to the backend server to use SSL encryption and authenticate backend against <ca-certificate>"
 msgstr "Configure requests to the backend server to use SSL encryption and authenticate backend against <ca-certificate>"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:155
+#: ../../configuration/loadbalancing/haproxy.rst:162
 msgid "Configure requests to the backend server to use SSL encryption without validating server certificate"
 msgstr "Configure requests to the backend server to use SSL encryption without validating server certificate"
 
@@ -3834,27 +4348,31 @@ msgstr "Configure sFlow agent IPv4 or IPv6 address"
 msgid "Configure schedule counter-polling in seconds (default: 30)"
 msgstr "Configure schedule counter-polling in seconds (default: 30)"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:36
+#: ../../configuration/loadbalancing/haproxy.rst:36
 msgid "Configure service `<name>` mode TCP or HTTP"
 msgstr "Configure service `<name>` mode TCP or HTTP"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:41
+#: ../../configuration/loadbalancing/haproxy.rst:41
 msgid "Configure service `<name>` to use the backend <name>"
 msgstr "Configure service `<name>` to use the backend <name>"
 
-#: ../../configuration/system/login.rst:398
+#: ../../configuration/system/login.rst:404
 msgid "Configure session timeout after which the user will be logged out."
 msgstr "Configure session timeout after which the user will be logged out."
 
+#: ../../configuration/interfaces/openvpn.rst:744
+msgid "Configure step value for totp in seconds (default: 30)"
+msgstr "Configure step value for totp in seconds (default: 30)"
+
 #: ../../configuration/system/host-name.rst:41
 msgid "Configure system domain name. A domain name must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen."
 msgstr "Configure system domain name. A domain name must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen."
 
-#: ../../configuration/nat/nat66.rst:182
+#: ../../configuration/nat/nat66.rst:194
 msgid "Configure the A-side router for NPTv6 using the prefixes above:"
 msgstr "Configure the A-side router for NPTv6 using the prefixes above:"
 
-#: ../../configuration/nat/nat66.rst:204
+#: ../../configuration/nat/nat66.rst:216
 msgid "Configure the B-side router for NPTv6 using the prefixes above:"
 msgstr "Configure the B-side router for NPTv6 using the prefixes above:"
 
@@ -3862,26 +4380,46 @@ msgstr "Configure the B-side router for NPTv6 using the prefixes above:"
 msgid "Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment."
 msgstr "Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment."
 
+#: ../../configuration/service/config-sync.rst:66
+msgid "Configure the HTTP API service on Router B"
+msgstr "Configure the HTTP API service on Router B"
+
 #: ../../configuration/service/tftp-server.rst:27
 msgid "Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and IPv6 addresses can be given. There will be one TFTP server instances listening on each IP address."
 msgstr "Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and IPv6 addresses can be given. There will be one TFTP server instances listening on each IP address."
 
+#: ../../configuration/service/config-sync.rst:74
+msgid "Configure the config-sync service on Router A"
+msgstr "Configure the config-sync service on Router A"
+
 #: ../../configuration/system/conntrack.rst:43
 msgid "Configure the connection tracking protocol helper modules. All modules are enable by default."
 msgstr "Configure the connection tracking protocol helper modules. All modules are enable by default."
 
-#: ../../configuration/system/login.rst:256
+#: ../../configuration/system/login.rst:262
 msgid "Configure the discrete port under which the RADIUS server can be reached."
 msgstr "Configure the discrete port under which the RADIUS server can be reached."
 
-#: ../../configuration/system/login.rst:325
+#: ../../configuration/system/login.rst:331
 msgid "Configure the discrete port under which the TACACS server can be reached."
 msgstr "Configure the discrete port under which the TACACS server can be reached."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:212
+#: ../../configuration/loadbalancing/haproxy.rst:264
+msgid "Configure the load-balancing haproxy service for HTTP."
+msgstr "Configure the load-balancing haproxy service for HTTP."
+
+#: ../../configuration/loadbalancing/reverse-proxy.rst:264
 msgid "Configure the load-balancing reverse-proxy service for HTTP."
 msgstr "Configure the load-balancing reverse-proxy service for HTTP."
 
+#: ../../configuration/service/ntp.rst:150
+msgid "Configure the timestamping behavior with the following option:"
+msgstr "Configure the timestamping behavior with the following option:"
+
+#: ../../configuration/interfaces/openvpn.rst:736
+msgid "Configure time drift in seconds (default: 0)"
+msgstr "Configure time drift in seconds (default: 0)"
+
 #: ../../configuration/service/ids.rst:46
 msgid "Configure traffic capture mode."
 msgstr "Configure traffic capture mode."
@@ -3898,14 +4436,30 @@ msgstr "Configure watermark warning generation for an IGMP group limit. Generate
 msgid "Configured routing table `<id>` is used by VRF `<name>`."
 msgstr "Configured routing table `<id>` is used by VRF `<name>`."
 
-#: ../../configuration/trafficpolicy/index.rst:262
+#: ../../configuration/trafficpolicy/index.rst:312
 msgid "Configured value"
 msgstr "Configured value"
 
+#: ../../configuration/service/ntp.rst:146
+msgid "Configures hardware timestamping on the interface <interface>. The special value `all` can also be specified to enable timestamping on all interfaces that support it."
+msgstr "Configures hardware timestamping on the interface <interface>. The special value `all` can also be specified to enable timestamping on all interfaces that support it."
+
 #: ../../configuration/protocols/bgp.rst:455
 msgid "Configures the BGP speaker so that it only accepts inbound connections from, but does not initiate outbound connections to the peer or peer group."
 msgstr "Configures the BGP speaker so that it only accepts inbound connections from, but does not initiate outbound connections to the peer or peer group."
 
+#: ../../configuration/service/ntp.rst:196
+msgid "Configures the PTP port. By default, the standard port 319 is used."
+msgstr "Configures the PTP port. By default, the standard port 319 is used."
+
+#: ../../configuration/interfaces/ethernet.rst:58
+msgid "Configures the ring buffer size of the interface."
+msgstr "Configures the ring buffer size of the interface."
+
+#: ../../configuration/interfaces/wireless.rst:167
+msgid "Configuring HT mode options is required when using 802.11n or 802.11ax at 2.4GHz."
+msgstr "Configuring HT mode options is required when using 802.11n or 802.11ax at 2.4GHz."
+
 #: ../../configuration/service/ipoe-server.rst:27
 msgid "Configuring IPoE Server"
 msgstr "Configuring IPoE Server"
@@ -3918,7 +4472,7 @@ msgstr "Configuring IPsec"
 msgid "Configuring L2TP Server"
 msgstr "Configuring L2TP Server"
 
-#: ../../configuration/vpn/l2tp.rst:270
+#: ../../configuration/vpn/l2tp.rst:273
 msgid "Configuring LNS (L2TP Network Server)"
 msgstr "Configuring LNS (L2TP Network Server)"
 
@@ -3934,7 +4488,7 @@ msgstr "Configuring PPTP Server"
 msgid "Configuring RADIUS accounting"
 msgstr "Configuring RADIUS accounting"
 
-#: ../../configuration/service/ipoe-server.rst:114
+#: ../../configuration/service/ipoe-server.rst:113
 #: ../../configuration/service/pppoe-server.rst:76
 #: ../../configuration/vpn/l2tp.rst:119
 #: ../../configuration/vpn/pptp.rst:59
@@ -3946,11 +4500,11 @@ msgstr "Configuring RADIUS authentication"
 msgid "Configuring SSTP Server"
 msgstr "Configuring SSTP Server"
 
-#: ../../configuration/vpn/sstp.rst:476
+#: ../../configuration/vpn/sstp.rst:486
 msgid "Configuring SSTP client"
 msgstr "Configuring SSTP client"
 
-#: ../../configuration/vpn/ipsec.rst:494
+#: ../../configuration/vpn/ipsec.rst:514
 msgid "Configuring VyOS to act as your IPSec access concentrator is one thing, but you probably need to setup your client connecting to the server so they can talk to the IPSec gateway."
 msgstr "Configuring VyOS to act as your IPSec access concentrator is one thing, but you probably need to setup your client connecting to the server so they can talk to the IPSec gateway."
 
@@ -3963,14 +4517,17 @@ msgstr "Configuring a listen-address is essential for the service to work."
 msgid "Connect/Disconnect"
 msgstr "Connect/Disconnect"
 
-#: ../../configuration/service/ipoe-server.rst:376
-#: ../../configuration/service/pppoe-server.rst:546
-#: ../../configuration/vpn/l2tp.rst:500
+#: ../../configuration/service/ipoe-server.rst:375
+#: ../../configuration/service/pppoe-server.rst:571
 #: ../../configuration/vpn/pptp.rst:424
-#: ../../configuration/vpn/sstp.rst:458
 msgid "Connected client should use `<address>` as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured for IPv4, up to three for IPv6."
 msgstr "Connected client should use `<address>` as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured for IPv4, up to three for IPv6."
 
+#: ../../configuration/vpn/l2tp.rst:505
+#: ../../configuration/vpn/sstp.rst:463
+msgid "Connected clients should use `<address>` as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured for IPv4, up to three for IPv6."
+msgstr "Connected clients should use `<address>` as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured for IPv4, up to three for IPv6."
+
 #: ../../configuration/protocols/rpki.rst:143
 msgid "Connections to the RPKI caching server can not only be established by HTTP/TLS but you can also rely on a secure SSH session to the server. To enable SSH, first you need to create an SSH client keypair using ``generate ssh client-key /config/auth/id_rsa_rpki``. Once your key is created you can setup the connection."
 msgstr "Connections to the RPKI caching server can not only be established by HTTP/TLS but you can also rely on a secure SSH session to the server. To enable SSH, first you need to create an SSH client keypair using ``generate ssh client-key /config/auth/id_rsa_rpki``. Once your key is created you can setup the connection."
@@ -3995,15 +4552,19 @@ msgstr "Conntrack Sync"
 msgid "Conntrack Sync Example"
 msgstr "Conntrack Sync Example"
 
-#: ../../configuration/system/conntrack.rst:178
+#: ../../configuration/system/conntrack.rst:146
 msgid "Conntrack ignore rules"
 msgstr "Conntrack ignore rules"
 
-#: ../../configuration/system/conntrack.rst:204
+#: ../../configuration/system/conntrack.rst:177
 msgid "Conntrack log"
 msgstr "Conntrack log"
 
-#: ../../configuration/system/syslog.rst:21
+#: ../../configuration/nat/cgnat.rst:43
+msgid "Considerations"
+msgstr "Considerations"
+
+#: ../../configuration/system/syslog.rst:39
 msgid "Console"
 msgstr "Console"
 
@@ -4011,7 +4572,7 @@ msgstr "Console"
 msgid "Console Server"
 msgstr "Console Server"
 
-#: ../../configuration/container/index.rst:111
+#: ../../configuration/container/index.rst:149
 msgid "Constrain the memory available to the container."
 msgstr "Constrain the memory available to the container."
 
@@ -4019,11 +4580,11 @@ msgstr "Constrain the memory available to the container."
 msgid "Container"
 msgstr "Container"
 
-#: ../../configuration/container/index.rst:136
+#: ../../configuration/container/index.rst:191
 msgid "Container Networks"
 msgstr "Container Networks"
 
-#: ../../configuration/container/index.rst:156
+#: ../../configuration/container/index.rst:211
 msgid "Container Registry"
 msgstr "Container Registry"
 
@@ -4043,10 +4604,14 @@ msgstr "Convert the address prefix of a single `fc01::/64` network to `fc00::/64
 msgid "Copy the key, as it is not stored on the local filesystem. Because it is a symmetric key, only you and your peer should have knowledge of its content. Make sure you distribute the key in a safe manner,"
 msgstr "Copy the key, as it is not stored on the local filesystem. Because it is a symmetric key, only you and your peer should have knowledge of its content. Make sure you distribute the key in a safe manner,"
 
-#: ../../configuration/interfaces/wireless.rst:49
+#: ../../configuration/interfaces/wireless.rst:44
 msgid "Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed to indicate country in which device is operating. This can limit available channels and transmit power."
 msgstr "Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed to indicate country in which device is operating. This can limit available channels and transmit power."
 
+#: ../../configuration/interfaces/wireless.rst:55
+msgid "Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed to indicate country in which the box is operating. This can limit available channels and transmit power."
+msgstr "Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed to indicate country in which the box is operating. This can limit available channels and transmit power."
+
 #: ../../configuration/policy/community-list.rst:17
 msgid "Creat community-list policy identified by name <text>."
 msgstr "Creat community-list policy identified by name <text>."
@@ -4067,7 +4632,7 @@ msgstr "Create DHCP address range with a range id of `<n>`. DHCP leases are take
 msgid "Create DNS record per client lease, by adding clients to /etc/hosts file. Entry will have format: `<shared-network-name>_<hostname>.<domain-name>`"
 msgstr "Create DNS record per client lease, by adding clients to /etc/hosts file. Entry will have format: `<shared-network-name>_<hostname>.<domain-name>`"
 
-#: ../../configuration/service/pppoe-server.rst:49
+#: ../../configuration/service/pppoe-server.rst:48
 #: ../../configuration/vpn/l2tp.rst:36
 #: ../../configuration/vpn/pptp.rst:38
 #: ../../configuration/vpn/sstp.rst:63
@@ -4082,7 +4647,7 @@ msgstr "Create ``172.18.201.0/24`` as a subnet within ``NET1`` and pass address
 msgid "Create a CA chain and leaf certificates"
 msgstr "Create a CA chain and leaf certificates"
 
-#: ../../configuration/interfaces/bridge.rst:199
+#: ../../configuration/interfaces/bridge.rst:198
 msgid "Create a basic bridge"
 msgstr "Create a basic bridge"
 
@@ -4106,6 +4671,10 @@ msgstr "Create a new DHCP static mapping named `<description>` which is valid fo
 msgid "Create a new VLAN interface on interface `<interface>` using the VLAN number provided via `<vlan-id>`."
 msgstr "Create a new VLAN interface on interface `<interface>` using the VLAN number provided via `<vlan-id>`."
 
+#: ../../configuration/vrf/index.rst:23
+msgid "Create a new VRF instance with `<name>` and `<id>`. The name is used when placing individual interfaces into the VRF."
+msgstr "Create a new VRF instance with `<name>` and `<id>`. The name is used when placing individual interfaces into the VRF."
+
 #: ../../configuration/pki/index.rst:42
 #: ../../configuration/pki/index.rst:47
 msgid "Create a new :abbr:`CA (Certificate Authority)` and output the CAs public and private key on the console."
@@ -4150,19 +4719,19 @@ msgstr "Create a static hostname mapping which will always resolve the name `<ho
 msgid "Create as-path-policy identified by name <text>."
 msgstr "Create as-path-policy identified by name <text>."
 
-#: ../../configuration/firewall/flowtables.rst:64
+#: ../../configuration/firewall/flowtables.rst:65
 msgid "Create firewall rule: create a firewall rule, setting action to ``offload`` and using desired flowtable for ``offload-target``."
 msgstr "Create firewall rule: create a firewall rule, setting action to ``offload`` and using desired flowtable for ``offload-target``."
 
-#: ../../configuration/firewall/flowtables.rst:95
+#: ../../configuration/firewall/flowtables.rst:96
 msgid "Create firewall rule in forward chain, and define which flowtbale should be used. Only applicable if action is ``offload``."
 msgstr "Create firewall rule in forward chain, and define which flowtbale should be used. Only applicable if action is ``offload``."
 
-#: ../../configuration/firewall/flowtables.rst:90
+#: ../../configuration/firewall/flowtables.rst:91
 msgid "Create firewall rule in forward chain, and set action to ``offload``."
 msgstr "Create firewall rule in forward chain, and set action to ``offload``."
 
-#: ../../configuration/firewall/flowtables.rst:61
+#: ../../configuration/firewall/flowtables.rst:62
 msgid "Create flowtable: create flowtable, which includes the interfaces that are going to be used by the flowtable."
 msgstr "Create flowtable: create flowtable, which includes the interfaces that are going to be used by the flowtable."
 
@@ -4191,11 +4760,11 @@ msgstr "Create new dynamic DNS update configuration which will update the IP add
 msgid "Create new system user with username `<name>` and real-name specified by `<string>`."
 msgstr "Create new system user with username `<name>` and real-name specified by `<string>`."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:31
+#: ../../configuration/loadbalancing/haproxy.rst:31
 msgid "Create service `<name>` to listen on <port>"
 msgstr "Create service `<name>` to listen on <port>"
 
-#: ../../configuration/container/index.rst:140
+#: ../../configuration/container/index.rst:195
 msgid "Creates a named container network"
 msgstr "Creates a named container network"
 
@@ -4207,31 +4776,31 @@ msgstr "Creates local IPoE user with username=**<interface>** and password=**<MA
 msgid "Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broadcast multiple-access network)` address."
 msgstr "Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broadcast multiple-access network)` address."
 
-#: ../../configuration/interfaces/bridge.rst:201
+#: ../../configuration/interfaces/bridge.rst:200
 msgid "Creating a bridge interface is very simple. In this example, we will have:"
 msgstr "Creating a bridge interface is very simple. In this example, we will have:"
 
-#: ../../configuration/firewall/flowtables.rst:67
+#: ../../configuration/firewall/flowtables.rst:68
 msgid "Creating a flow table:"
 msgstr "Creating a flow table:"
 
-#: ../../configuration/trafficpolicy/index.rst:335
+#: ../../configuration/trafficpolicy/index.rst:385
 msgid "Creating a traffic policy"
 msgstr "Creating a traffic policy"
 
-#: ../../configuration/firewall/flowtables.rst:85
+#: ../../configuration/firewall/flowtables.rst:86
 msgid "Creating rules for using flow tables:"
 msgstr "Creating rules for using flow tables:"
 
-#: ../../configuration/container/index.rst:173
+#: ../../configuration/container/index.rst:228
 msgid "Credentials can be defined here and will only be used when adding a container image to the system."
 msgstr "Credentials can be defined here and will only be used when adding a container image to the system."
 
-#: ../../configuration/system/syslog.rst:178
+#: ../../configuration/system/syslog.rst:196
 msgid "Critical"
 msgstr "Critical"
 
-#: ../../configuration/system/syslog.rst:178
+#: ../../configuration/system/syslog.rst:196
 msgid "Critical conditions - e.g. hard drive errors."
 msgstr "Critical conditions - e.g. hard drive errors."
 
@@ -4259,11 +4828,11 @@ msgstr "Cur Hop Limit"
 msgid "Currently does not do much as caching is not implemented."
 msgstr "Currently does not do much as caching is not implemented."
 
-#: ../../configuration/vrf/index.rst:105
+#: ../../configuration/vrf/index.rst:101
 msgid "Currently dynamic routing is supported for the following protocols:"
 msgstr "Currently dynamic routing is supported for the following protocols:"
 
-#: ../../configuration/system/syslog.rst:32
+#: ../../configuration/system/syslog.rst:50
 msgid "Custom File"
 msgstr "Custom File"
 
@@ -4271,6 +4840,14 @@ msgstr "Custom File"
 msgid "Custom bridge firewall chains can be create with command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, and the appropiate target should be defined in a base chain."
 msgstr "Custom bridge firewall chains can be create with command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, and the appropiate target should be defined in a base chain."
 
+#: ../../configuration/firewall/bridge.rst:44
+msgid "Custom bridge firewall chains can be create with command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, and the appropriate target should be defined in a base chain."
+msgstr "Custom bridge firewall chains can be create with command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, and the appropriate target should be defined in a base chain."
+
+#: ../../configuration/firewall/bridge.rst:69
+msgid "Custom bridge firewall chains can be created with the command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, and the appropriate target should be defined in a base chain."
+msgstr "Custom bridge firewall chains can be created with the command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, and the appropriate target should be defined in a base chain."
+
 #: ../../configuration/firewall/general.rst:77
 msgid "Custom firewall chains can be created, with commands ``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
 msgstr "Custom firewall chains can be created, with commands ``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
@@ -4279,23 +4856,35 @@ msgstr "Custom firewall chains can be created, with commands ``set firewall [ipv
 msgid "Custom firewall chains can be created, with commands ``set firewall ipv4 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
 msgstr "Custom firewall chains can be created, with commands ``set firewall ipv4 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
 
+#: ../../configuration/firewall/ipv4.rst:89
+msgid "Custom firewall chains can be created, with commands ``set firewall ipv4 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropriate **target** should be defined in a base chain."
+msgstr "Custom firewall chains can be created, with commands ``set firewall ipv4 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropriate **target** should be defined in a base chain."
+
 #: ../../configuration/firewall/ipv6.rst:65
 msgid "Custom firewall chains can be created, with commands ``set firewall ipv6 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
 msgstr "Custom firewall chains can be created, with commands ``set firewall ipv6 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
 
-#: ../../configuration/highavailability/index.rst:383
+#: ../../configuration/firewall/ipv6.rst:89
+msgid "Custom firewall chains can be created, with commands ``set firewall ipv6 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropriate **target** should be defined in a base chain."
+msgstr "Custom firewall chains can be created, with commands ``set firewall ipv6 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropriate **target** should be defined in a base chain."
+
+#: ../../configuration/highavailability/index.rst:387
 msgid "Custom health-check script allows checking real-server availability"
 msgstr "Custom health-check script allows checking real-server availability"
 
-#: ../../configuration/system/conntrack.rst:180
+#: ../../configuration/system/conntrack.rst:153
 msgid "Customized ignore rules, based on a packet and flow selector."
 msgstr "Customized ignore rules, based on a packet and flow selector."
 
-#: ../../configuration/interfaces/openvpn.rst:685
+#: ../../configuration/interfaces/openvpn.rst:773
 msgid "DCO can be enabled for both new and existing tunnels,VyOS adds an option in each tunnel configuration where we can enable this function  .The current best practice is to create a new tunnel with DCO to minimize the chance of problems with existing clients."
 msgstr "DCO can be enabled for both new and existing tunnels,VyOS adds an option in each tunnel configuration where we can enable this function  .The current best practice is to create a new tunnel with DCO to minimize the chance of problems with existing clients."
 
-#: ../../configuration/interfaces/openvpn.rst:681
+#: ../../configuration/interfaces/openvpn.rst:826
+msgid "DCO can be enabled for both new and existing tunnels. VyOS adds an option in each tunnel configuration where we can enable this function. The current best practice is to create a new tunnel with DCO to minimize the chance of problems with existing clients."
+msgstr "DCO can be enabled for both new and existing tunnels. VyOS adds an option in each tunnel configuration where we can enable this function. The current best practice is to create a new tunnel with DCO to minimize the chance of problems with existing clients."
+
+#: ../../configuration/interfaces/openvpn.rst:822
 msgid "DCO support is a per-tunnel option and it is not automatically enabled by default for new or upgraded tunnels. Existing tunnels will continue to function as they have in the past."
 msgstr "DCO support is a per-tunnel option and it is not automatically enabled by default for new or upgraded tunnels. Existing tunnels will continue to function as they have in the past."
 
@@ -4335,7 +4924,7 @@ msgstr "DHCP relay example"
 msgid "DHCP server is located at IPv4 address 10.0.1.4 on ``eth2``."
 msgstr "DHCP server is located at IPv4 address 10.0.1.4 on ``eth2``."
 
-#: ../../configuration/service/dhcp-server.rst:643
+#: ../../configuration/service/dhcp-server.rst:672
 msgid "DHCPv6 address pools must be configured for the system to act as a DHCPv6 server. The following example describes a common scenario."
 msgstr "DHCPv6 address pools must be configured for the system to act as a DHCPv6 server. The following example describes a common scenario."
 
@@ -4404,32 +4993,32 @@ msgstr "DNS search list to advertise"
 msgid "DNS server IPv4 address"
 msgstr "DNS server IPv4 address"
 
-#: ../../configuration/service/dhcp-server.rst:650
+#: ../../configuration/service/dhcp-server.rst:679
 msgid "DNS server is located at ``2001:db8::ffff``"
 msgstr "DNS server is located at ``2001:db8::ffff``"
 
-#: ../../configuration/trafficpolicy/index.rst:259
+#: ../../configuration/trafficpolicy/index.rst:309
 msgid "DSCP values as per :rfc:`2474` and :rfc:`4595`:"
 msgstr "DSCP values as per :rfc:`2474` and :rfc:`4595`:"
 
-#: ../../configuration/interfaces/wireless.rst:182
+#: ../../configuration/interfaces/wireless.rst:213
 msgid "DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]``"
 msgstr "DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]``"
 
-#: ../../configuration/firewall/ipv4.rst:467
-#: ../../configuration/firewall/ipv6.rst:451
+#: ../../configuration/firewall/ipv4.rst:492
+#: ../../configuration/firewall/ipv6.rst:479
 msgid "Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB compressed). Includes cron script (manually callable by op-mode update geoip) to keep database and rules updated."
 msgstr "Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB compressed). Includes cron script (manually callable by op-mode update geoip) to keep database and rules updated."
 
-#: ../../configuration/system/syslog.rst:191
+#: ../../configuration/system/syslog.rst:209
 msgid "Debug"
 msgstr "Debug"
 
-#: ../../configuration/system/syslog.rst:191
+#: ../../configuration/system/syslog.rst:209
 msgid "Debug-level messages - Messages that contain information normally of use only when debugging a program."
 msgstr "Debug-level messages - Messages that contain information normally of use only when debugging a program."
 
-#: ../../configuration/trafficpolicy/index.rst:217
+#: ../../configuration/trafficpolicy/index.rst:267
 msgid "Default"
 msgstr "Default"
 
@@ -4453,18 +5042,32 @@ msgstr "Default Gateway/Route"
 msgid "Default Router Preference"
 msgstr "Default Router Preference"
 
-#: ../../configuration/service/pppoe-server.rst:509
-#: ../../configuration/vpn/l2tp.rst:463
+#: ../../configuration/service/pppoe-server.rst:534
 #: ../../configuration/vpn/pptp.rst:387
-#: ../../configuration/vpn/sstp.rst:421
 msgid "Default behavior - don't ask client for mppe, but allow it if client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute."
 msgstr "Default behavior - don't ask client for mppe, but allow it if client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute."
 
+#: ../../configuration/vpn/sstp.rst:425
+msgid "Default behavior - don't ask the client for mppe, but allow it if the client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute."
+msgstr "Default behavior - don't ask the client for mppe, but allow it if the client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute."
+
+#: ../../configuration/vpn/l2tp.rst:467
+msgid "Default behavior - don't ask the client for mppe, but allow it if the client wants. Please note that RADIUS may override this option with the MS-MPPE-Encryption-Policy attribute."
+msgstr "Default behavior - don't ask the client for mppe, but allow it if the client wants. Please note that RADIUS may override this option with the MS-MPPE-Encryption-Policy attribute."
+
 #: ../../configuration/service/dhcp-server.rst:431
 msgid "Default gateway and DNS server is at `192.0.2.254`"
 msgstr "Default gateway and DNS server is at `192.0.2.254`"
 
-#: ../../configuration/container/index.rst:113
+#: ../../configuration/container/index.rst:140
+msgid "Default is 0 for unlimited. For example, 1.25 limits the container to use up to 1.25 cores worth of CPU time. This can be a decimal number with up to three decimal places."
+msgstr "Default is 0 for unlimited. For example, 1.25 limits the container to use up to 1.25 cores worth of CPU time. This can be a decimal number with up to three decimal places."
+
+#: ../../configuration/service/monitoring.rst:142
+msgid "Default is 3100"
+msgstr "Default is 3100"
+
+#: ../../configuration/container/index.rst:151
 msgid "Default is 512 MB. Use 0 MB for unlimited memory."
 msgstr "Default is 512 MB. Use 0 MB for unlimited memory."
 
@@ -4492,7 +5095,7 @@ msgstr "Defaults to 'uid'"
 msgid "Defaults to 225.0.0.50."
 msgstr "Defaults to 225.0.0.50."
 
-#: ../../configuration/system/option.rst:98
+#: ../../configuration/system/option.rst:118
 msgid "Defaults to ``us``."
 msgstr "Defaults to ``us``."
 
@@ -4504,19 +5107,23 @@ msgstr "Define Conection Timeouts"
 msgid "Define IPv4/IPv6 management address transmitted via LLDP. Multiple addresses can be defined. Only addresses connected to the system will be transmitted."
 msgstr "Define IPv4/IPv6 management address transmitted via LLDP. Multiple addresses can be defined. Only addresses connected to the system will be transmitted."
 
+#: ../../configuration/container/index.rst:203
+msgid "Define IPv4 and/or IPv6 prefix for a given network name. Both IPv4 and IPv6 can be used in parallel."
+msgstr "Define IPv4 and/or IPv6 prefix for a given network name. Both IPv4 and IPv6 can be used in parallel."
+
 #: ../../configuration/container/index.rst:148
 msgid "Define IPv4 or IPv6 prefix for a given network name. Only one IPv4 and one IPv6 prefix can be used per network name."
 msgstr "Define IPv4 or IPv6 prefix for a given network name. Only one IPv4 and one IPv6 prefix can be used per network name."
 
-#: ../../configuration/firewall/groups.rst:52
+#: ../../configuration/firewall/groups.rst:51
 msgid "Define a IPv4 or IPv6 Network group."
 msgstr "Define a IPv4 or IPv6 Network group."
 
-#: ../../configuration/firewall/groups.rst:28
+#: ../../configuration/firewall/groups.rst:27
 msgid "Define a IPv4 or a IPv6 address group"
 msgstr "Define a IPv4 or a IPv6 address group"
 
-#: ../../configuration/firewall/zone.rst:78
+#: ../../configuration/firewall/zone.rst:75
 msgid "Define a Zone"
 msgstr "Define a Zone"
 
@@ -4524,15 +5131,15 @@ msgstr "Define a Zone"
 msgid "Define a discrete source IP address of 100.64.0.1 for SNAT rule 20"
 msgstr "Define a discrete source IP address of 100.64.0.1 for SNAT rule 20"
 
-#: ../../configuration/firewall/groups.rst:133
+#: ../../configuration/firewall/groups.rst:132
 msgid "Define a domain group."
 msgstr "Define a domain group."
 
-#: ../../configuration/firewall/groups.rst:115
+#: ../../configuration/firewall/groups.rst:114
 msgid "Define a mac group."
 msgstr "Define a mac group."
 
-#: ../../configuration/firewall/groups.rst:95
+#: ../../configuration/firewall/groups.rst:94
 msgid "Define a port group. A port name can be any name defined in /etc/services. e.g.: http"
 msgstr "Define a port group. A port name can be any name defined in /etc/services. e.g.: http"
 
@@ -4540,7 +5147,7 @@ msgstr "Define a port group. A port name can be any name defined in /etc/service
 msgid "Define allowed ciphers used for the SSH connection. A number of allowed ciphers can be specified, use multiple occurrences to allow multiple ciphers."
 msgstr "Define allowed ciphers used for the SSH connection. A number of allowed ciphers can be specified, use multiple occurrences to allow multiple ciphers."
 
-#: ../../configuration/firewall/groups.rst:72
+#: ../../configuration/firewall/groups.rst:71
 msgid "Define an interface group. Wildcard are accepted too."
 msgstr "Define an interface group. Wildcard are accepted too."
 
@@ -4548,6 +5155,10 @@ msgstr "Define an interface group. Wildcard are accepted too."
 msgid "Define behavior for gratuitous ARP frames who's IP is not already present in the ARP table. If configured create new entries in the ARP table."
 msgstr "Define behavior for gratuitous ARP frames who's IP is not already present in the ARP table. If configured create new entries in the ARP table."
 
+#: ../../_include/interface-ip.txt:85
+msgid "Define behavior for gratuitous ARP frames whose IP is not already present in the ARP table. If configured create new entries in the ARP table."
+msgstr "Define behavior for gratuitous ARP frames whose IP is not already present in the ARP table. If configured create new entries in the ARP table."
+
 #: ../../_include/interface-ip.txt:69
 msgid "Define different modes for IP directed broadcast forwarding as described in :rfc:`1812` and :rfc:`2644`."
 msgstr "Define different modes for IP directed broadcast forwarding as described in :rfc:`1812` and :rfc:`2644`."
@@ -4564,31 +5175,49 @@ msgstr "Define different restriction levels for announcing the local source IP a
 msgid "Define how to handle leaf-seonds."
 msgstr "Define how to handle leaf-seonds."
 
-#: ../../configuration/firewall/flowtables.rst:71
+#: ../../configuration/service/ntp.rst:95
+msgid "Define how to handle leap-seconds."
+msgstr "Define how to handle leap-seconds."
+
+#: ../../configuration/firewall/flowtables.rst:72
 msgid "Define interfaces to be used in the flowtable."
 msgstr "Define interfaces to be used in the flowtable."
 
+#: ../../configuration/service/dhcp-server.rst:650
+msgid "Define lenght of exclude prefix in `<pd-prefix>`."
+msgstr "Define lenght of exclude prefix in `<pd-prefix>`."
+
 #: ../../configuration/firewall/bridge.rst:187
-#: ../../configuration/firewall/ipv4.rst:252
-#: ../../configuration/firewall/ipv6.rst:252
+#: ../../configuration/firewall/ipv4.rst:276
+#: ../../configuration/firewall/ipv6.rst:276
 msgid "Define length of packet payload to include in netlink message. Only applicable if rule log is enable and log group is defined."
 msgstr "Define length of packet payload to include in netlink message. Only applicable if rule log is enable and log group is defined."
 
+#: ../../configuration/firewall/bridge.rst:269
+msgid "Define length of packet payload to include in netlink message. Only applicable if rule log is enabled and the log group is defined."
+msgstr "Define length of packet payload to include in netlink message. Only applicable if rule log is enabled and the log group is defined."
+
 #: ../../configuration/firewall/bridge.rst:173
-#: ../../configuration/firewall/ipv4.rst:230
-#: ../../configuration/firewall/ipv6.rst:230
+#: ../../configuration/firewall/ipv4.rst:254
+#: ../../configuration/firewall/ipv6.rst:254
 msgid "Define log-level. Only applicable if rule log is enable."
 msgstr "Define log-level. Only applicable if rule log is enable."
 
+#: ../../configuration/firewall/bridge.rst:242
+#: ../../configuration/firewall/ipv4.rst:254
+#: ../../configuration/firewall/ipv6.rst:254
+msgid "Define log-level. Only applicable if rule log is enabled."
+msgstr "Define log-level. Only applicable if rule log is enabled."
+
 #: ../../configuration/firewall/bridge.rst:180
-#: ../../configuration/firewall/ipv4.rst:241
-#: ../../configuration/firewall/ipv6.rst:241
+#: ../../configuration/firewall/ipv4.rst:265
+#: ../../configuration/firewall/ipv6.rst:265
 msgid "Define log group to send message to. Only applicable if rule log is enable."
 msgstr "Define log group to send message to. Only applicable if rule log is enable."
 
 #: ../../configuration/firewall/bridge.rst:195
-#: ../../configuration/firewall/ipv4.rst:264
-#: ../../configuration/firewall/ipv6.rst:264
+#: ../../configuration/firewall/ipv4.rst:288
+#: ../../configuration/firewall/ipv6.rst:288
 msgid "Define number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enable and log group is defined."
 msgstr "Define number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enable and log group is defined."
 
@@ -4596,15 +5225,35 @@ msgstr "Define number of packets to queue inside the kernel before sending them
 msgid "Define operation mode of High Availability feature. Default value if command is not specified is `active-active`"
 msgstr "Define operation mode of High Availability feature. Default value if command is not specified is `active-active`"
 
+#: ../../configuration/firewall/ipv4.rst:277
+#: ../../configuration/firewall/ipv6.rst:277
+msgid "Define the length of packet payload to include in a netlink message. Only applicable if rule log is enabled and log group is defined."
+msgstr "Define the length of packet payload to include in a netlink message. Only applicable if rule log is enabled and log group is defined."
+
+#: ../../configuration/firewall/bridge.rst:255
+#: ../../configuration/firewall/ipv4.rst:265
+#: ../../configuration/firewall/ipv6.rst:265
+msgid "Define the log group to send messages to. Only applicable if rule log is enabled."
+msgstr "Define the log group to send messages to. Only applicable if rule log is enabled."
+
+#: ../../configuration/firewall/ipv4.rst:289
+#: ../../configuration/firewall/ipv6.rst:289
+msgid "Define the number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enabled and log group is defined."
+msgstr "Define the number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enabled and log group is defined."
+
+#: ../../configuration/firewall/bridge.rst:283
+msgid "Define the number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enabled and the log group is defined."
+msgstr "Define the number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enabled and the log group is defined."
+
 #: ../../configuration/protocols/rpki.rst:106
 msgid "Define the time interval to update the local cache"
 msgstr "Define the time interval to update the local cache"
 
-#: ../../configuration/firewall/zone.rst:89
+#: ../../configuration/firewall/zone.rst:86
 msgid "Define the zone as a local zone. A local zone has no interfaces and will be applied to the router itself."
 msgstr "Define the zone as a local zone. A local zone has no interfaces and will be applied to the router itself."
 
-#: ../../configuration/firewall/flowtables.rst:80
+#: ../../configuration/firewall/flowtables.rst:81
 msgid "Define type of offload to be used by the flowtable: ``hardware`` or ``software``. By default, ``software`` offload is used."
 msgstr "Define type of offload to be used by the flowtable: ``hardware`` or ``software``. By default, ``software`` offload is used."
 
@@ -4629,10 +5278,8 @@ msgstr "Defines an off-NBMA network prefix for which the GRE interface will act
 msgid "Defines blackhole distance for this route, routes with smaller administrative distance are elected prior to those with a higher distance."
 msgstr "Defines blackhole distance for this route, routes with smaller administrative distance are elected prior to those with a higher distance."
 
-#: ../../configuration/service/pppoe-server.rst:496
-#: ../../configuration/vpn/l2tp.rst:450
+#: ../../configuration/service/pppoe-server.rst:521
 #: ../../configuration/vpn/pptp.rst:374
-#: ../../configuration/vpn/sstp.rst:408
 msgid "Defines minimum acceptable MTU. If client will try to negotiate less then specified MTU then it will be NAKed or disconnected if rejects greater MTU. Default value is **100**."
 msgstr "Defines minimum acceptable MTU. If client will try to negotiate less then specified MTU then it will be NAKed or disconnected if rejects greater MTU. Default value is **100**."
 
@@ -4643,10 +5290,10 @@ msgstr "Defines minimum acceptable MTU. If client will try to negotiate less the
 msgid "Defines next-hop distance for this route, routes with smaller administrative distance are elected prior to those with a higher distance."
 msgstr "Defines next-hop distance for this route, routes with smaller administrative distance are elected prior to those with a higher distance."
 
-#: ../../configuration/service/pppoe-server.rst:515
-#: ../../configuration/vpn/l2tp.rst:469
+#: ../../configuration/service/pppoe-server.rst:540
+#: ../../configuration/vpn/l2tp.rst:474
 #: ../../configuration/vpn/pptp.rst:393
-#: ../../configuration/vpn/sstp.rst:427
+#: ../../configuration/vpn/sstp.rst:432
 msgid "Defines preferred MRU. By default is not defined."
 msgstr "Defines preferred MRU. By default is not defined."
 
@@ -4658,14 +5305,19 @@ msgstr "Defines protocols for checking ARP, ICMP, TCP"
 msgid "Defines the maximum `<number>` of unanswered echo requests. Upon reaching the value `<number>`, the session will be reset."
 msgstr "Defines the maximum `<number>` of unanswered echo requests. Upon reaching the value `<number>`, the session will be reset."
 
-#: ../../configuration/service/pppoe-server.rst:479
-#: ../../configuration/vpn/l2tp.rst:433
+#: ../../configuration/service/pppoe-server.rst:504
+#: ../../configuration/vpn/l2tp.rst:436
 #: ../../configuration/vpn/pptp.rst:357
-#: ../../configuration/vpn/sstp.rst:391
+#: ../../configuration/vpn/sstp.rst:394
 msgid "Defines the maximum `<number>` of unanswered echo requests. Upon reaching the value `<number>`, the session will be reset. Default value is **3**."
 msgstr "Defines the maximum `<number>` of unanswered echo requests. Upon reaching the value `<number>`, the session will be reset. Default value is **3**."
 
-#: ../../configuration/trafficpolicy/index.rst:1213
+#: ../../configuration/vpn/l2tp.rst:453
+#: ../../configuration/vpn/sstp.rst:411
+msgid "Defines the minimum acceptable MTU. If a client tries to negotiate an MTU lower than this it will be NAKed, and disconnected if it rejects a greater MTU. Default value is **100**."
+msgstr "Defines the minimum acceptable MTU. If a client tries to negotiate an MTU lower than this it will be NAKed, and disconnected if it rejects a greater MTU. Default value is **100**."
+
+#: ../../configuration/trafficpolicy/index.rst:1263
 msgid "Defines the round-trip time used for active queue management (AQM) in milliseconds. The default value is 100."
 msgstr "Defines the round-trip time used for active queue management (AQM) in milliseconds. The default value is 100."
 
@@ -4673,10 +5325,18 @@ msgstr "Defines the round-trip time used for active queue management (AQM) in mi
 msgid "Defines the specified device as a system console. Available console devices can be (see completion helper):"
 msgstr "Defines the specified device as a system console. Available console devices can be (see completion helper):"
 
+#: ../../configuration/firewall/groups.rst:154
+msgid "Defining Dynamic Address Groups"
+msgstr "Defining Dynamic Address Groups"
+
 #: ../../configuration/protocols/bgp.rst:186
 msgid "Defining Peers"
 msgstr "Defining Peers"
 
+#: ../../configuration/service/dhcp-server.rst:632
+msgid "Delegate prefixes from `<pd-prefix>` to clients in subnet `<prefix>`. Range is defined by `<lenght>` in bits, 32 to 64."
+msgstr "Delegate prefixes from `<pd-prefix>` to clients in subnet `<prefix>`. Range is defined by `<lenght>` in bits, 32 to 64."
+
 #: ../../configuration/service/dhcp-server.rst:638
 msgid "Delegate prefixes from the range indicated by the start and stop qualifier."
 msgstr "Delegate prefixes from the range indicated by the start and stop qualifier."
@@ -4689,11 +5349,11 @@ msgstr "Delete BGP communities matching the community-list."
 msgid "Delete BGP communities matching the large-community-list."
 msgstr "Delete BGP communities matching the large-community-list."
 
-#: ../../configuration/system/syslog.rst:240
+#: ../../configuration/system/syslog.rst:258
 msgid "Delete Logs"
 msgstr "Delete Logs"
 
-#: ../../configuration/container/index.rst:211
+#: ../../configuration/container/index.rst:266
 msgid "Delete a particular container image based on it's image ID. You can also delete all container images at once."
 msgstr "Delete a particular container image based on it's image ID. You can also delete all container images at once."
 
@@ -4709,26 +5369,26 @@ msgstr "Delete all BGP large-communities"
 msgid "Delete default route from the system."
 msgstr "Delete default route from the system."
 
-#: ../../configuration/system/syslog.rst:244
+#: ../../configuration/system/syslog.rst:262
 msgid "Deletes the specified user-defined file <text> in the /var/log/user directory"
 msgstr "Deletes the specified user-defined file <text> in the /var/log/user directory"
 
-#: ../../configuration/interfaces/wireless.rst:161
+#: ../../configuration/interfaces/wireless.rst:192
 msgid "Depending on the location, not all of these channels may be available for use!"
 msgstr "Depending on the location, not all of these channels may be available for use!"
 
 #: ../../configuration/service/router-advert.rst:1
-#: ../../configuration/system/syslog.rst:107
-#: ../../configuration/system/syslog.rst:167
-#: ../../configuration/trafficpolicy/index.rst:262
+#: ../../configuration/system/syslog.rst:125
+#: ../../configuration/system/syslog.rst:185
+#: ../../configuration/trafficpolicy/index.rst:312
 msgid "Description"
 msgstr "Description"
 
-#: ../../configuration/trafficpolicy/index.rst:366
+#: ../../configuration/trafficpolicy/index.rst:416
 msgid "Despite the Drop-Tail policy does not slow down packets, if many packets are to be sent, they could get dropped when trying to get enqueued at the tail. This can happen if the queue has still not been able to release enough packets from its head."
 msgstr "Despite the Drop-Tail policy does not slow down packets, if many packets are to be sent, they could get dropped when trying to get enqueued at the tail. This can happen if the queue has still not been able to release enough packets from its head."
 
-#: ../../configuration/interfaces/openvpn.rst:485
+#: ../../configuration/interfaces/openvpn.rst:489
 msgid "Despite the fact that AD is a superset of LDAP"
 msgstr "Despite the fact that AD is a superset of LDAP"
 
@@ -4752,7 +5412,7 @@ msgstr "Detailed information about \"cisco\" and \"ibm\" models differences can
 msgid "Determines how opennhrp daemon should soft switch the multicast traffic. Currently, multicast traffic is captured by opennhrp daemon using a packet socket, and resent back to proper destinations. This means that multicast packet sending is CPU intensive."
 msgstr "Determines how opennhrp daemon should soft switch the multicast traffic. Currently, multicast traffic is captured by opennhrp daemon using a packet socket, and resent back to proper destinations. This means that multicast packet sending is CPU intensive."
 
-#: ../../configuration/interfaces/wireless.rst:141
+#: ../../configuration/interfaces/wireless.rst:171
 msgid "Device is incapable of 40 MHz, do not advertise. This sets ``[40-INTOLERANT]``"
 msgstr "Device is incapable of 40 MHz, do not advertise. This sets ``[40-INTOLERANT]``"
 
@@ -4778,10 +5438,10 @@ msgstr "Direction: **in** and **out**. Protect public network from external atta
 msgid "Disable CPU power saving mechanisms also known as C states."
 msgstr "Disable CPU power saving mechanisms also known as C states."
 
-#: ../../configuration/service/pppoe-server.rst:457
-#: ../../configuration/vpn/l2tp.rst:411
+#: ../../configuration/service/pppoe-server.rst:481
+#: ../../configuration/vpn/l2tp.rst:414
 #: ../../configuration/vpn/pptp.rst:335
-#: ../../configuration/vpn/sstp.rst:369
+#: ../../configuration/vpn/sstp.rst:372
 msgid "Disable Compression Control Protocol (CCP). CCP is enabled by default."
 msgstr "Disable Compression Control Protocol (CCP). CCP is enabled by default."
 
@@ -4793,10 +5453,10 @@ msgstr "Disable MLD reports and query on the interface."
 msgid "Disable (lock) account. User will not be able to log in."
 msgstr "Disable (lock) account. User will not be able to log in."
 
-#: ../../configuration/service/pppoe-server.rst:432
-#: ../../configuration/vpn/l2tp.rst:376
+#: ../../configuration/service/pppoe-server.rst:455
+#: ../../configuration/vpn/l2tp.rst:379
 #: ../../configuration/vpn/pptp.rst:300
-#: ../../configuration/vpn/sstp.rst:334
+#: ../../configuration/vpn/sstp.rst:337
 msgid "Disable `<user>` account."
 msgstr "Disable `<user>` account."
 
@@ -4804,11 +5464,11 @@ msgstr "Disable `<user>` account."
 msgid "Disable a BFD peer"
 msgstr "Disable a BFD peer"
 
-#: ../../configuration/container/index.rst:133
+#: ../../configuration/container/index.rst:188
 msgid "Disable a container."
 msgstr "Disable a container."
 
-#: ../../configuration/container/index.rst:166
+#: ../../configuration/container/index.rst:221
 msgid "Disable a given container registry"
 msgstr "Disable a given container registry"
 
@@ -4820,8 +5480,8 @@ msgstr "Disable all optional CPU mitigations. This improves system performance,
 msgid "Disable connection logging via Syslog."
 msgstr "Disable connection logging via Syslog."
 
-#: ../../configuration/firewall/ipv4.rst:953
-#: ../../configuration/firewall/ipv6.rst:939
+#: ../../configuration/firewall/ipv4.rst:1058
+#: ../../configuration/firewall/ipv6.rst:1048
 msgid "Disable conntrack loose track option"
 msgstr "Disable conntrack loose track option"
 
@@ -4881,7 +5541,7 @@ msgstr "Disable this service."
 msgid "Disable transmit of LLDP frames on given `<interface>`. Useful to exclude certain interfaces from LLDP when ``all`` have been enabled."
 msgstr "Disable transmit of LLDP frames on given `<interface>`. Useful to exclude certain interfaces from LLDP when ``all`` have been enabled."
 
-#: ../../configuration/interfaces/openvpn.rst:695
+#: ../../configuration/interfaces/openvpn.rst:836
 msgid "Disabled by default - no kernel module loaded."
 msgstr "Disabled by default - no kernel module loaded."
 
@@ -4889,7 +5549,7 @@ msgstr "Disabled by default - no kernel module loaded."
 msgid "Disables caching of peer information from forwarded NHRP Resolution Reply packets. This can be used to reduce memory consumption on big NBMA subnets."
 msgstr "Disables caching of peer information from forwarded NHRP Resolution Reply packets. This can be used to reduce memory consumption on big NBMA subnets."
 
-#: ../../configuration/trafficpolicy/index.rst:1173
+#: ../../configuration/trafficpolicy/index.rst:1223
 msgid "Disables flow isolation, all traffic passes through a single queue."
 msgstr "Disables flow isolation, all traffic passes through a single queue."
 
@@ -4929,19 +5589,19 @@ msgstr "Disabling the encryption on the link by removing ``security encrypt`` wi
 msgid "Disadvantages are:"
 msgstr "Disadvantages are:"
 
-#: ../../configuration/interfaces/wireless.rst:62
+#: ../../configuration/interfaces/wireless.rst:74
 msgid "Disassociate stations based on excessive transmission failures or other indications of connection loss."
 msgstr "Disassociate stations based on excessive transmission failures or other indications of connection loss."
 
-#: ../../configuration/vrf/index.rst:161
+#: ../../configuration/vrf/index.rst:157
 msgid "Display IPv4 routing table for VRF identified by `<name>`."
 msgstr "Display IPv4 routing table for VRF identified by `<name>`."
 
-#: ../../configuration/vrf/index.rst:180
+#: ../../configuration/vrf/index.rst:176
 msgid "Display IPv6 routing table for VRF identified by `<name>`."
 msgstr "Display IPv6 routing table for VRF identified by `<name>`."
 
-#: ../../configuration/system/syslog.rst:198
+#: ../../configuration/system/syslog.rst:216
 msgid "Display Logs"
 msgstr "Display Logs"
 
@@ -4949,7 +5609,7 @@ msgstr "Display Logs"
 msgid "Display OTP key for user"
 msgstr "Display OTP key for user"
 
-#: ../../configuration/system/syslog.rst:222
+#: ../../configuration/system/syslog.rst:240
 msgid "Display all authorization attempts of the specified image"
 msgstr "Display all authorization attempts of the specified image"
 
@@ -4961,19 +5621,19 @@ msgstr "Display all known ARP table entries on a given interface only (`eth1`):"
 msgid "Display all known ARP table entries spanning across all interfaces"
 msgstr "Display all known ARP table entries spanning across all interfaces"
 
-#: ../../configuration/system/syslog.rst:226
+#: ../../configuration/system/syslog.rst:244
 msgid "Display contents of a specified user-defined log file of the specified image"
 msgstr "Display contents of a specified user-defined log file of the specified image"
 
-#: ../../configuration/system/syslog.rst:220
+#: ../../configuration/system/syslog.rst:238
 msgid "Display contents of all master log files of the specified image"
 msgstr "Display contents of all master log files of the specified image"
 
-#: ../../configuration/system/syslog.rst:229
+#: ../../configuration/system/syslog.rst:247
 msgid "Display last lines of the system log of the specified image"
 msgstr "Display last lines of the system log of the specified image"
 
-#: ../../configuration/system/syslog.rst:224
+#: ../../configuration/system/syslog.rst:242
 msgid "Display list of all user-defined log files of the specified image"
 msgstr "Display list of all user-defined log files of the specified image"
 
@@ -4981,6 +5641,10 @@ msgstr "Display list of all user-defined log files of the specified image"
 msgid "Display log files of given category on the console. Use tab completion to get a list of available categories. Thos categories could be: all, authorization, cluster, conntrack-sync, dhcp, directory, dns, file, firewall, https, image lldp, nat, openvpn, snmp, tail, vpn, vrrp"
 msgstr "Display log files of given category on the console. Use tab completion to get a list of available categories. Thos categories could be: all, authorization, cluster, conntrack-sync, dhcp, directory, dns, file, firewall, https, image lldp, nat, openvpn, snmp, tail, vpn, vrrp"
 
+#: ../../configuration/system/syslog.rst:220
+msgid "Display log files of given category on the console. Use tab completion to get a list of available categories. Those categories could be: all, authorization, cluster, conntrack-sync, dhcp, directory, dns, file, firewall, https, image lldp, nat, openvpn, snmp, tail, vpn, vrrp"
+msgstr "Display log files of given category on the console. Use tab completion to get a list of available categories. Those categories could be: all, authorization, cluster, conntrack-sync, dhcp, directory, dns, file, firewall, https, image lldp, nat, openvpn, snmp, tail, vpn, vrrp"
+
 #: ../../configuration/service/lldp.rst:75
 msgid "Displays information about all neighbors discovered via LLDP."
 msgstr "Displays information about all neighbors discovered via LLDP."
@@ -4989,7 +5653,7 @@ msgstr "Displays information about all neighbors discovered via LLDP."
 msgid "Displays queue information for a PPPoE interface."
 msgstr "Displays queue information for a PPPoE interface."
 
-#: ../../configuration/vrf/index.rst:232
+#: ../../configuration/vrf/index.rst:228
 msgid "Displays the route packets taken to a network host utilizing VRF instance identified by `<name>`. When using the IPv4 or IPv6 option, displays the route packets taken to the given hosts IP address family. This option is useful when the host is specified as a hostname rather than an IP address."
 msgstr "Displays the route packets taken to a network host utilizing VRF instance identified by `<name>`. When using the IPv4 or IPv6 option, displays the route packets taken to the given hosts IP address family. This option is useful when the host is specified as a hostname rather than an IP address."
 
@@ -4998,8 +5662,8 @@ msgid "Do *not* manually edit `/etc/hosts`. This file will automatically be rege
 msgstr "Do *not* manually edit `/etc/hosts`. This file will automatically be regenerated on boot based on the settings in this section, which means you'll lose all your manual edits. Instead, configure static host mappings as follows."
 
 #: ../../configuration/system/ip.rst:55
-#: ../../configuration/vrf/index.rst:79
-#: ../../configuration/vrf/index.rst:85
+#: ../../configuration/vrf/index.rst:75
+#: ../../configuration/vrf/index.rst:81
 msgid "Do not allow IPv4 nexthop tracking to resolve via the default route. This parameter is configured per-VRF, so the command is also available in the VRF subnode."
 msgstr "Do not allow IPv4 nexthop tracking to resolve via the default route. This parameter is configured per-VRF, so the command is also available in the VRF subnode."
 
@@ -5011,11 +5675,11 @@ msgstr "Do not allow IPv6 nexthop tracking to resolve via the default route. Thi
 msgid "Do not assign a link-local IPv6 address to this interface."
 msgstr "Do not assign a link-local IPv6 address to this interface."
 
-#: ../../configuration/trafficpolicy/index.rst:1278
+#: ../../configuration/trafficpolicy/index.rst:1328
 msgid "Do not configure IFB as the first step. First create everything else of your traffic-policy, and then you can configure IFB. Otherwise you might get the ``RTNETLINK answer: File exists`` error, which can be solved with ``sudo ip link delete ifb0``."
 msgstr "Do not configure IFB as the first step. First create everything else of your traffic-policy, and then you can configure IFB. Otherwise you might get the ``RTNETLINK answer: File exists`` error, which can be solved with ``sudo ip link delete ifb0``."
 
-#: ../../configuration/service/https.rst:90
+#: ../../configuration/service/https.rst:93
 msgid "Do not leave introspection enabled in production, it is a security risk."
 msgstr "Do not leave introspection enabled in production, it is a security risk."
 
@@ -5035,7 +5699,7 @@ msgstr "Does not need to be used together with proxy_arp."
 msgid "Domain"
 msgstr "Domain"
 
-#: ../../configuration/firewall/groups.rst:127
+#: ../../configuration/firewall/groups.rst:126
 msgid "Domain Groups"
 msgstr "Domain Groups"
 
@@ -5084,14 +5748,12 @@ msgstr "Download/Update complete blacklist"
 msgid "Download/Update partial blacklist."
 msgstr "Download/Update partial blacklist."
 
-#: ../../configuration/service/pppoe-server.rst:262
-#: ../../configuration/vpn/l2tp.rst:386
+#: ../../configuration/service/pppoe-server.rst:281
 #: ../../configuration/vpn/pptp.rst:310
-#: ../../configuration/vpn/sstp.rst:344
 msgid "Download bandwidth limit in kbit/s for `<user>`."
 msgstr "Download bandwidth limit in kbit/s for `<user>`."
 
-#: ../../configuration/service/ipoe-server.rst:320
+#: ../../configuration/service/ipoe-server.rst:319
 msgid "Download bandwidth limit in kbit/s for user on interface `<interface>`."
 msgstr "Download bandwidth limit in kbit/s for user on interface `<interface>`."
 
@@ -5099,11 +5761,11 @@ msgstr "Download bandwidth limit in kbit/s for user on interface `<interface>`."
 msgid "Drop AS-NUMBER from the BGP AS path."
 msgstr "Drop AS-NUMBER from the BGP AS path."
 
-#: ../../configuration/trafficpolicy/index.rst:352
+#: ../../configuration/trafficpolicy/index.rst:402
 msgid "Drop Tail"
 msgstr "Drop Tail"
 
-#: ../../configuration/trafficpolicy/index.rst:262
+#: ../../configuration/trafficpolicy/index.rst:312
 msgid "Drop rate"
 msgstr "Drop rate"
 
@@ -5111,10 +5773,14 @@ msgstr "Drop rate"
 msgid "Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets"
 msgstr "Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets"
 
-#: ../../configuration/service/pppoe-server.rst:625
+#: ../../configuration/service/pppoe-server.rst:650
 msgid "Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation"
 msgstr "Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation"
 
+#: ../../configuration/firewall/index.rst:7
+msgid "Due to a race condition that can lead to a failure during boot process, all interfaces are initialized before firewall is configured. This leads to a situation where the system is open to all traffic, and can be considered as a security risk."
+msgstr "Due to a race condition that can lead to a failure during boot process, all interfaces are initialized before firewall is configured. This leads to a situation where the system is open to all traffic, and can be considered as a security risk."
+
 #: ../../configuration/interfaces/dummy.rst:7
 msgid "Dummy"
 msgstr "Dummy"
@@ -5127,7 +5793,7 @@ msgstr "Dummy interface"
 msgid "Dummy interfaces can be used as interfaces that always stay up (in the same fashion to loopbacks in Cisco IOS), or for testing purposes."
 msgstr "Dummy interfaces can be used as interfaces that always stay up (in the same fashion to loopbacks in Cisco IOS), or for testing purposes."
 
-#: ../../configuration/vrf/index.rst:212
+#: ../../configuration/vrf/index.rst:208
 msgid "Duplicate packets are not included in the packet loss calculation, although the round-trip time of these packets is used in calculating the minimum/ average/maximum round-trip time numbers."
 msgstr "Duplicate packets are not included in the packet loss calculation, although the round-trip time of these packets is used in calculating the minimum/ average/maximum round-trip time numbers."
 
@@ -5135,11 +5801,11 @@ msgstr "Duplicate packets are not included in the packet loss calculation, altho
 msgid "During initial deployment we recommend using the staging API of LetsEncrypt to prevent and blacklisting of your system. The API endpoint is https://acme-staging-v02.api.letsencrypt.org/directory"
 msgstr "During initial deployment we recommend using the staging API of LetsEncrypt to prevent and blacklisting of your system. The API endpoint is https://acme-staging-v02.api.letsencrypt.org/directory"
 
-#: ../../configuration/vpn/ipsec.rst:568
+#: ../../configuration/vpn/ipsec.rst:588
 msgid "During profile import, the user is asked to enter its IPSec credentials (username and password) which is stored on the mobile."
 msgstr "During profile import, the user is asked to enter its IPSec credentials (username and password) which is stored on the mobile."
 
-#: ../../configuration/service/ssh.rst:113
+#: ../../configuration/service/ssh.rst:133
 msgid "Dynamic-protection"
 msgstr "Dynamic-protection"
 
@@ -5147,6 +5813,14 @@ msgstr "Dynamic-protection"
 msgid "Dynamic DNS"
 msgstr "Dynamic DNS"
 
+#: ../../configuration/firewall/groups.rst:143
+msgid "Dynamic Groups"
+msgstr "Dynamic Groups"
+
+#: ../../configuration/firewall/groups.rst:156
+msgid "Dynamic address group is supported by both IPv4 and IPv6 families. Commands used to define dynamic IPv4|IPv6 address groups are:"
+msgstr "Dynamic address group is supported by both IPv4 and IPv6 families. Commands used to define dynamic IPv4|IPv6 address groups are:"
+
 #: ../../_include/interface-eapol.txt:6
 msgid "EAPoL comes with an identify option. We automatically use the interface MAC address as identity parameter."
 msgstr "EAPoL comes with an identify option. We automatically use the interface MAC address as identity parameter."
@@ -5155,14 +5829,23 @@ msgstr "EAPoL comes with an identify option. We automatically use the interface
 msgid "ESP Phase:"
 msgstr "ESP Phase:"
 
-#: ../../configuration/vpn/ipsec.rst:113
+#: ../../configuration/vpn/ipsec.rst:114
 msgid "ESP (Encapsulating Security Payload) Attributes"
 msgstr "ESP (Encapsulating Security Payload) Attributes"
 
-#: ../../configuration/vpn/ipsec.rst:115
+#: ../../configuration/vpn/ipsec.rst:116
 msgid "ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. https://datatracker.ietf.org/doc/html/rfc4303"
 msgstr "ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. https://datatracker.ietf.org/doc/html/rfc4303"
 
+#: ../../configuration/interfaces/bonding.rst:316
+msgid "EVPN-MH is intended as a replacement for MLAG or Anycast VTEPs. In multihoming each PE has an unique VTEP address which requires the introduction of a new dataplane construct, MAC-ECMP. Here a MAC/FDB entry can point to a list of remote PEs/VTEPs."
+msgstr "EVPN-MH is intended as a replacement for MLAG or Anycast VTEPs. In multihoming each PE has an unique VTEP address which requires the introduction of a new dataplane construct, MAC-ECMP. Here a MAC/FDB entry can point to a list of remote PEs/VTEPs."
+
+#: ../../configuration/interfaces/bonding.rst:295
+#: ../../configuration/interfaces/ethernet.rst:130
+msgid "EVPN Multihoming"
+msgstr "EVPN Multihoming"
+
 #: ../../configuration/service/conntrack-sync.rst:23
 msgid "Each Netfilter connection is uniquely identified by a (layer-3 protocol, source address, destination address, layer-4 protocol, layer-4 key) tuple. The layer-4 key depends on the transport protocol; for TCP/UDP it is the port numbers, for tunnels it can be their tunnel ID, but otherwise is just zero, as if it were not part of the tuple. To be able to inspect the TCP port in all cases, packets will be mandatorily defragmented."
 msgstr "Each Netfilter connection is uniquely identified by a (layer-3 protocol, source address, destination address, layer-4 protocol, layer-4 key) tuple. The layer-4 key depends on the transport protocol; for TCP/UDP it is the port numbers, for tunnels it can be their tunnel ID, but otherwise is just zero, as if it were not part of the tuple. To be able to inspect the TCP port in all cases, packets will be mandatorily defragmented."
@@ -5183,11 +5866,11 @@ msgstr "Each bridge has a relative priority and cost. Each interface is associat
 msgid "Each broadcast relay instance can be individually disabled without deleting the configured node by using the following command:"
 msgstr "Each broadcast relay instance can be individually disabled without deleting the configured node by using the following command:"
 
-#: ../../configuration/trafficpolicy/index.rst:1027
+#: ../../configuration/trafficpolicy/index.rst:1077
 msgid "Each class can have a guaranteed part of the total bandwidth defined for the whole policy, so all those shares together should not be higher than the policy's whole bandwidth."
 msgstr "Each class can have a guaranteed part of the total bandwidth defined for the whole policy, so all those shares together should not be higher than the policy's whole bandwidth."
 
-#: ../../configuration/trafficpolicy/index.rst:967
+#: ../../configuration/trafficpolicy/index.rst:1017
 msgid "Each class is assigned a deficit counter (the number of bytes that a flow is allowed to transmit when it is its turn) initialized to quantum. Quantum is a parameter you configure which acts like a credit of fix bytes the counter receives on each round. Then the Round-Robin policy starts moving its Round Robin pointer through the queues. If the deficit counter is greater than the packet's size at the head of the queue, this packet will be sent and the value of the counter will be decremented by the packet size. Then, the size of the next packet will be compared to the counter value again, repeating the process. Once the queue is empty or the value of the counter is insufficient, the Round-Robin pointer will move to the next queue. If the queue is empty, the value of the deficit counter is reset to 0."
 msgstr "Each class is assigned a deficit counter (the number of bytes that a flow is allowed to transmit when it is its turn) initialized to quantum. Quantum is a parameter you configure which acts like a credit of fix bytes the counter receives on each round. Then the Round-Robin policy starts moving its Round Robin pointer through the queues. If the deficit counter is greater than the packet's size at the head of the queue, this packet will be sent and the value of the counter will be decremented by the packet size. Then, the size of the next packet will be compared to the counter value again, repeating the process. Once the queue is empty or the value of the counter is insufficient, the Round-Robin pointer will move to the next queue. If the queue is empty, the value of the deficit counter is reset to 0."
 
@@ -5215,6 +5898,10 @@ msgstr "Each of the install command should be applied to the configuration and c
 msgid "Each site-to-site peer has the next options:"
 msgstr "Each site-to-site peer has the next options:"
 
+#: ../../configuration/nat/cgnat.rst:117
+msgid "Each subscriber will be allocated a maximum of 2000 ports from the external pool."
+msgstr "Each subscriber will be allocated a maximum of 2000 ports from the external pool."
+
 #: ../../configuration/interfaces/vxlan.rst:77
 msgid "Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only supported together with the external keyword."
 msgstr "Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only supported together with the external keyword."
@@ -5227,11 +5914,11 @@ msgstr "Email address to associate with certificate"
 msgid "Email used for registration and recovery contact."
 msgstr "Email used for registration and recovery contact."
 
-#: ../../configuration/trafficpolicy/index.rst:300
+#: ../../configuration/trafficpolicy/index.rst:350
 msgid "Embedding one policy into another one"
 msgstr "Embedding one policy into another one"
 
-#: ../../configuration/system/syslog.rst:171
+#: ../../configuration/system/syslog.rst:189
 msgid "Emergency"
 msgstr "Emergency"
 
@@ -5271,11 +5958,11 @@ msgstr "Enable BFD on a single BGP neighbor"
 msgid "Enable DHCP failover configuration for this address pool."
 msgstr "Enable DHCP failover configuration for this address pool."
 
-#: ../../configuration/service/https.rst:88
+#: ../../configuration/service/https.rst:91
 msgid "Enable GraphQL Schema introspection."
 msgstr "Enable GraphQL Schema introspection."
 
-#: ../../configuration/interfaces/wireless.rst:178
+#: ../../configuration/interfaces/wireless.rst:209
 msgid "Enable HT-delayed Block Ack ``[DELAYED-BA]``"
 msgstr "Enable HT-delayed Block Ack ``[DELAYED-BA]``"
 
@@ -5312,15 +5999,15 @@ msgstr "Enable IS-IS and redistribute routes not natively in IS-IS"
 msgid "Enable IS-IS with Segment Routing (Experimental)"
 msgstr "Enable IS-IS with Segment Routing (Experimental)"
 
-#: ../../configuration/interfaces/wireless.rst:194
+#: ../../configuration/interfaces/wireless.rst:225
 msgid "Enable L-SIG TXOP protection capability"
 msgstr "Enable L-SIG TXOP protection capability"
 
-#: ../../configuration/interfaces/wireless.rst:263
+#: ../../configuration/interfaces/wireless.rst:298
 msgid "Enable LDPC (Low Density Parity Check) coding capability"
 msgstr "Enable LDPC (Low Density Parity Check) coding capability"
 
-#: ../../configuration/interfaces/wireless.rst:190
+#: ../../configuration/interfaces/wireless.rst:221
 msgid "Enable LDPC coding capability"
 msgstr "Enable LDPC coding capability"
 
@@ -5349,7 +6036,11 @@ msgstr "Enable OSPF with route redistribution of the loopback and default origin
 msgid "Enable OTP 2FA for user `username` with default settings, using the BASE32 encoded 2FA/MFA key specified by `<key>`."
 msgstr "Enable OTP 2FA for user `username` with default settings, using the BASE32 encoded 2FA/MFA key specified by `<key>`."
 
-#: ../../configuration/interfaces/openvpn.rst:692
+#: ../../configuration/protocols/openfabric.rst:168
+msgid "Enable OpenFabric"
+msgstr "Enable OpenFabric"
+
+#: ../../configuration/interfaces/openvpn.rst:833
 msgid "Enable OpenVPN Data Channel Offload feature by loading the appropriate kernel module."
 msgstr "Enable OpenVPN Data Channel Offload feature by loading the appropriate kernel module."
 
@@ -5357,11 +6048,15 @@ msgstr "Enable OpenVPN Data Channel Offload feature by loading the appropriate k
 msgid "Enable PREF64 option as outlined in :rfc:`8781`."
 msgstr "Enable PREF64 option as outlined in :rfc:`8781`."
 
-#: ../../configuration/service/ipoe-server.rst:386
-#: ../../configuration/service/pppoe-server.rst:575
-#: ../../configuration/vpn/l2tp.rst:510
+#: ../../configuration/service/https.rst:75
+msgid "Enable REST API"
+msgstr "Enable REST API"
+
+#: ../../configuration/service/ipoe-server.rst:385
+#: ../../configuration/service/pppoe-server.rst:600
+#: ../../configuration/vpn/l2tp.rst:515
 #: ../../configuration/vpn/pptp.rst:434
-#: ../../configuration/vpn/sstp.rst:468
+#: ../../configuration/vpn/sstp.rst:473
 msgid "Enable SNMP"
 msgstr "Enable SNMP"
 
@@ -5373,8 +6068,8 @@ msgstr "Enable SNMP queries of the LLDP database"
 msgid "Enable SNMP support for an individual routing daemon."
 msgstr "Enable SNMP support for an individual routing daemon."
 
-#: ../../configuration/interfaces/bridge.rst:206
-#: ../../configuration/interfaces/bridge.rst:241
+#: ../../configuration/interfaces/bridge.rst:205
+#: ../../configuration/interfaces/bridge.rst:240
 msgid "Enable STP"
 msgstr "Enable STP"
 
@@ -5382,7 +6077,7 @@ msgstr "Enable STP"
 msgid "Enable TFTP service by specifying the `<directory>` which will be used to serve files."
 msgstr "Enable TFTP service by specifying the `<directory>` which will be used to serve files."
 
-#: ../../configuration/interfaces/wireless.rst:294
+#: ../../configuration/interfaces/wireless.rst:331
 msgid "Enable VHT TXOP Power Save Mode"
 msgstr "Enable VHT TXOP Power Save Mode"
 
@@ -5402,7 +6097,7 @@ msgstr "Enable automatic redirect from http to https."
 msgid "Enable creation of shortcut routes."
 msgstr "Enable creation of shortcut routes."
 
-#: ../../configuration/interfaces/ethernet.rst:62
+#: ../../configuration/interfaces/ethernet.rst:70
 msgid "Enable different types of hardware offloading on the given NIC."
 msgstr "Enable different types of hardware offloading on the given NIC."
 
@@ -5415,24 +6110,54 @@ msgid "Enable layer 7 HTTP health check"
 msgstr "Enable layer 7 HTTP health check"
 
 #: ../../configuration/firewall/bridge.rst:157
-#: ../../configuration/firewall/ipv4.rst:206
-#: ../../configuration/firewall/ipv6.rst:206
+#: ../../configuration/firewall/ipv4.rst:230
+#: ../../configuration/firewall/ipv6.rst:230
 msgid "Enable logging for the matched packet. If this configuration command is not present, then log is not enabled."
 msgstr "Enable logging for the matched packet. If this configuration command is not present, then log is not enabled."
 
+#: ../../configuration/firewall/bridge.rst:214
+#: ../../configuration/firewall/ipv4.rst:230
+#: ../../configuration/firewall/ipv6.rst:230
+msgid "Enable logging for the matched packet. If this configuration command is not present, then the log is not enabled."
+msgstr "Enable logging for the matched packet. If this configuration command is not present, then the log is not enabled."
+
+#: ../../configuration/nat/cgnat.rst:104
+msgid "Enable logging of IP address and ports allocations."
+msgstr "Enable logging of IP address and ports allocations."
+
 #: ../../configuration/firewall/global-options.rst:114
 msgid "Enable or Disable VyOS to be :rfc:`1337` conform. The following system parameter will be altered:"
 msgstr "Enable or Disable VyOS to be :rfc:`1337` conform. The following system parameter will be altered:"
 
+#: ../../configuration/firewall/global-options.rst:119
+msgid "Enable or Disable VyOS to be :rfc:`1337` conformant. The following system parameter will be altered:"
+msgstr "Enable or Disable VyOS to be :rfc:`1337` conformant. The following system parameter will be altered:"
+
 #: ../../configuration/firewall/global-options.rst:106
 msgid "Enable or Disable if VyOS use IPv4 TCP SYN Cookies. The following system parameter will be altered:"
 msgstr "Enable or Disable if VyOS use IPv4 TCP SYN Cookies. The following system parameter will be altered:"
 
+#: ../../configuration/firewall/global-options.rst:81
+msgid "Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by VyOS. The following system parameters will be altered:"
+msgstr "Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by VyOS. The following system parameters will be altered:"
+
+#: ../../configuration/firewall/global-options.rst:89
+msgid "Enable or disable ICMPv4 redirect messages being sent by VyOS The following system parameter will be altered:"
+msgstr "Enable or disable ICMPv4 redirect messages being sent by VyOS The following system parameter will be altered:"
+
+#: ../../configuration/firewall/global-options.rst:111
+msgid "Enable or disable if VyOS uses IPv4 TCP SYN Cookies. The following system parameter will be altered:"
+msgstr "Enable or disable if VyOS uses IPv4 TCP SYN Cookies. The following system parameter will be altered:"
+
 #: ../../configuration/firewall/ipv4.rst:173
 #: ../../configuration/firewall/ipv6.rst:173
 msgid "Enable or disable logging for the matched packet."
 msgstr "Enable or disable logging for the matched packet."
 
+#: ../../configuration/firewall/global-options.rst:96
+msgid "Enable or disable the logging of martian IPv4 packets. The following system parameter will be altered:"
+msgstr "Enable or disable the logging of martian IPv4 packets. The following system parameter will be altered:"
+
 #: ../../configuration/protocols/ospf.rst:360
 msgid "Enable ospf on an interface and set associated area."
 msgstr "Enable ospf on an interface and set associated area."
@@ -5443,17 +6168,17 @@ msgstr "Enable ospf on an interface and set associated area."
 msgid "Enable policy for source validation by reversed path, as specified in :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended."
 msgstr "Enable policy for source validation by reversed path, as specified in :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended."
 
-#: ../../configuration/interfaces/wireless.rst:213
-#: ../../configuration/interfaces/wireless.rst:286
+#: ../../configuration/interfaces/wireless.rst:244
+#: ../../configuration/interfaces/wireless.rst:323
 msgid "Enable receiving PPDU using STBC (Space Time Block Coding)"
 msgstr "Enable receiving PPDU using STBC (Space Time Block Coding)"
 
-#: ../../configuration/system/flow-accounting.rst:154
+#: ../../configuration/system/flow-accounting.rst:158
 msgid "Enable sampling of packets, which will be transmitted to sFlow collectors."
 msgstr "Enable sampling of packets, which will be transmitted to sFlow collectors."
 
-#: ../../configuration/interfaces/wireless.rst:217
-#: ../../configuration/interfaces/wireless.rst:290
+#: ../../configuration/interfaces/wireless.rst:248
+#: ../../configuration/interfaces/wireless.rst:327
 msgid "Enable sending PPDU using STBC (Space Time Block Coding)"
 msgstr "Enable sending PPDU using STBC (Space Time Block Coding)"
 
@@ -5469,7 +6194,7 @@ msgstr "Enable spanning tree protocol. STP is disabled by default."
 msgid "Enable the Opaque-LSA capability (rfc2370), necessary to transport label on IGP"
 msgstr "Enable the Opaque-LSA capability (rfc2370), necessary to transport label on IGP"
 
-#: ../../configuration/interfaces/openvpn.rst:697
+#: ../../configuration/interfaces/openvpn.rst:838
 msgid "Enable this feature causes an interface reset."
 msgstr "Enable this feature causes an interface reset."
 
@@ -5485,23 +6210,27 @@ msgstr "Enabled on-demand PPPoE connections bring up the link only when traffic
 msgid "Enables Cisco style authentication on NHRP packets. This embeds the secret plaintext password to the outgoing NHRP packets. Incoming NHRP packets on this interface are discarded unless the secret password is present. Maximum length of the secret is 8 characters."
 msgstr "Enables Cisco style authentication on NHRP packets. This embeds the secret plaintext password to the outgoing NHRP packets. Incoming NHRP packets on this interface are discarded unless the secret password is present. Maximum length of the secret is 8 characters."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:166
+#: ../../configuration/loadbalancing/haproxy.rst:217
 msgid "Enables HTTP health checks using OPTION HTTP requests against '/' and expecting a successful response code in the 200-399 range."
 msgstr "Enables HTTP health checks using OPTION HTTP requests against '/' and expecting a successful response code in the 200-399 range."
 
-#: ../../configuration/vrf/index.rst:480
+#: ../../configuration/vrf/index.rst:476
 msgid "Enables an MPLS label to be attached to a route exported from the current unicast VRF to VPN. If the value specified is auto, the label value is automatically assigned from a pool maintained."
 msgstr "Enables an MPLS label to be attached to a route exported from the current unicast VRF to VPN. If the value specified is auto, the label value is automatically assigned from a pool maintained."
 
-#: ../../configuration/service/ipoe-server.rst:220
-#: ../../configuration/service/pppoe-server.rst:182
+#: ../../configuration/system/option.rst:55
+msgid "Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs."
+msgstr "Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs."
+
+#: ../../configuration/service/ipoe-server.rst:219
+#: ../../configuration/service/pppoe-server.rst:198
 #: ../../configuration/vpn/l2tp.rst:225
 #: ../../configuration/vpn/pptp.rst:165
 #: ../../configuration/vpn/sstp.rst:198
 msgid "Enables bandwidth shaping via RADIUS."
 msgstr "Enables bandwidth shaping via RADIUS."
 
-#: ../../configuration/vrf/index.rst:502
+#: ../../configuration/vrf/index.rst:498
 msgid "Enables import or export of routes between the current unicast VRF and VPN."
 msgstr "Enables import or export of routes between the current unicast VRF and VPN."
 
@@ -5509,6 +6238,10 @@ msgstr "Enables import or export of routes between the current unicast VRF and V
 msgid "Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only supported together with the external keyword."
 msgstr "Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only supported together with the external keyword."
 
+#: ../../configuration/service/ntp.rst:190
+msgid "Enables the NTP daemon PTP transport. The NTP daemon will listen on the configured PTP port. Note that one or more servers must be individually enabled for PTP before the daemon will synchronize over the transport."
+msgstr "Enables the NTP daemon PTP transport. The NTP daemon will listen on the configured PTP port. Note that one or more servers must be individually enabled for PTP before the daemon will synchronize over the transport."
+
 #: ../../configuration/protocols/bfd.rst:30
 msgid "Enables the echo transmission mode"
 msgstr "Enables the echo transmission mode"
@@ -5521,7 +6254,7 @@ msgstr "Enables the root partition auto-extension and resizes to the maximum ava
 msgid "Enabling Advertisments"
 msgstr "Enabling Advertisments"
 
-#: ../../configuration/interfaces/openvpn.rst:679
+#: ../../configuration/interfaces/openvpn.rst:820
 msgid "Enabling OpenVPN DCO"
 msgstr "Enabling OpenVPN DCO"
 
@@ -5537,7 +6270,7 @@ msgstr "Enabling this function increases the risk of bandwidth saturation."
 msgid "Enforce strict path checking"
 msgstr "Enforce strict path checking"
 
-#: ../../configuration/service/https.rst:77
+#: ../../configuration/service/https.rst:84
 msgid "Enforce strict path checking."
 msgstr "Enforce strict path checking."
 
@@ -5549,7 +6282,7 @@ msgstr "Enslave `<member>` interface to bond `<interface>`."
 msgid "Ensure that when comparing routes where both are equal on most metrics, including local-pref, AS_PATH length, IGP cost, MED, that the tie is broken based on router-ID."
 msgstr "Ensure that when comparing routes where both are equal on most metrics, including local-pref, AS_PATH length, IGP cost, MED, that the tie is broken based on router-ID."
 
-#: ../../configuration/interfaces/openvpn.rst:445
+#: ../../configuration/interfaces/openvpn.rst:449
 msgid "Enterprise installations usually ship a kind of directory service which is used to have a single password store for all employees. VyOS and OpenVPN support using LDAP/AD as single user backend."
 msgstr "Enterprise installations usually ship a kind of directory service which is used to have a single password store for all employees. VyOS and OpenVPN support using LDAP/AD as single user backend."
 
@@ -5557,11 +6290,11 @@ msgstr "Enterprise installations usually ship a kind of directory service which
 msgid "Ericsson call it MAC-Forced Forwarding (RFC Draft)"
 msgstr "Ericsson call it MAC-Forced Forwarding (RFC Draft)"
 
-#: ../../configuration/system/syslog.rst:181
+#: ../../configuration/system/syslog.rst:199
 msgid "Error"
 msgstr "Error"
 
-#: ../../configuration/system/syslog.rst:181
+#: ../../configuration/system/syslog.rst:199
 msgid "Error conditions"
 msgstr "Error conditions"
 
@@ -5637,6 +6370,10 @@ msgstr "Every Virtual Ethernet interfaces behaves like a real Ethernet interface
 msgid "Every WWAN connection requires an :abbr:`APN (Access Point Name)` which is used by the client to dial into the ISPs network. This is a mandatory parameter. Contact your Service Provider for correct APN."
 msgstr "Every WWAN connection requires an :abbr:`APN (Access Point Name)` which is used by the client to dial into the ISPs network. This is a mandatory parameter. Contact your Service Provider for correct APN."
 
+#: ../../configuration/vpn/ipsec.rst:459
+msgid "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some DNS nameservers down for our clients to use with their connection."
+msgstr "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some DNS nameservers down for our clients to use with their connection."
+
 #: ../../configuration/vpn/ipsec.rst:439
 msgid "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some DNS nameservers down to our clients used on their connection."
 msgstr "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some DNS nameservers down to our clients used on their connection."
@@ -5645,10 +6382,11 @@ msgstr "Every connection/remote-access pool we configure also needs a pool where
 msgid "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the configured IPv4 prefix and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers down to our clients used on their connection."
 msgstr "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the configured IPv4 prefix and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers down to our clients used on their connection."
 
-#: ../../configuration/firewall/bridge.rst:321
-#: ../../configuration/highavailability/index.rst:407
-#: ../../configuration/interfaces/bonding.rst:291
+#: ../../configuration/firewall/bridge.rst:486
+#: ../../configuration/highavailability/index.rst:411
+#: ../../configuration/interfaces/bonding.rst:344
 #: ../../configuration/interfaces/l2tpv3.rst:86
+#: ../../configuration/interfaces/openvpn.rst:747
 #: ../../configuration/interfaces/pppoe.rst:323
 #: ../../configuration/interfaces/virtual-ethernet.rst:92
 #: ../../configuration/interfaces/vxlan.rst:187
@@ -5658,6 +6396,7 @@ msgstr "Every connection/remote-access pool we configure also needs a pool where
 #: ../../configuration/protocols/pim.rst:217
 #: ../../configuration/protocols/rpki.rst:166
 #: ../../configuration/service/broadcast-relay.rst:55
+#: ../../configuration/service/config-sync.rst:62
 #: ../../configuration/service/conntrack-sync.rst:195
 #: ../../configuration/service/dhcp-relay.rst:85
 #: ../../configuration/service/dhcp-relay.rst:174
@@ -5667,23 +6406,24 @@ msgstr "Every connection/remote-access pool we configure also needs a pool where
 #: ../../configuration/service/eventhandler.rst:83
 #: ../../configuration/service/ids.rst:82
 #: ../../configuration/service/mdns.rst:50
-#: ../../configuration/service/monitoring.rst:134
-#: ../../configuration/service/router-advert.rst:108
+#: ../../configuration/service/monitoring.rst:164
+#: ../../configuration/service/router-advert.rst:115
 #: ../../configuration/service/snmp.rst:94
 #: ../../configuration/service/snmp.rst:145
 #: ../../configuration/service/tftp-server.rst:47
 #: ../../configuration/system/acceleration.rst:58
-#: ../../configuration/system/login.rst:401
+#: ../../configuration/system/login.rst:407
 #: ../../configuration/system/name-server.rst:28
 #: ../../configuration/system/name-server.rst:63
 #: ../../configuration/system/sflow.rst:49
 #: ../../configuration/system/updates.rst:21
-#: ../../configuration/trafficpolicy/index.rst:530
-#: ../../configuration/trafficpolicy/index.rst:1122
+#: ../../configuration/trafficpolicy/index.rst:580
+#: ../../configuration/trafficpolicy/index.rst:1172
 #: ../../configuration/vpn/dmvpn.rst:161
+#: ../../configuration/vpn/ipsec.rst:410
 #: ../../configuration/vpn/openconnect.rst:97
-#: ../../configuration/vrf/index.rst:118
-#: ../../configuration/vrf/index.rst:251
+#: ../../configuration/vrf/index.rst:114
+#: ../../configuration/vrf/index.rst:247
 msgid "Example"
 msgstr "Example"
 
@@ -5704,15 +6444,16 @@ msgstr "Example, from radius-server send command for disconnect client with user
 #: ../../configuration/nat/nat44.rst:425
 #: ../../configuration/nat/nat66.rst:78
 #: ../../configuration/nat/nat66.rst:96
+#: ../../configuration/nat/nat66.rst:110
 #: ../../configuration/protocols/static.rst:67
 #: ../../configuration/protocols/static.rst:135
 #: ../../configuration/protocols/static.rst:207
 #: ../../configuration/service/dns.rst:460
 #: ../../configuration/service/monitoring.rst:69
 #: ../../configuration/service/monitoring.rst:98
-#: ../../configuration/service/ssh.rst:165
-#: ../../configuration/service/ssh.rst:200
-#: ../../configuration/system/flow-accounting.rst:164
+#: ../../configuration/service/ssh.rst:185
+#: ../../configuration/service/ssh.rst:220
+#: ../../configuration/system/flow-accounting.rst:168
 #: ../../configuration/vpn/l2tp.rst:91
 #: ../../configuration/vpn/site2site_ipsec.rst:165
 #: ../../configuration/vpn/site2site_ipsec.rst:276
@@ -5747,6 +6488,10 @@ msgstr "Example, from radius-server send command for disconnect client with user
 msgid "Example:"
 msgstr "Example:"
 
+#: ../../configuration/nat/cgnat.rst:64
+msgid "Example: A household might need 1000 ports to ensure smooth operation for multiple devices and applications."
+msgstr "Example: A household might need 1000 ports to ensure smooth operation for multiple devices and applications."
+
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
 msgid "Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of ``<prefix>::ffff``, as the address 65534 will correspond to ``ffff`` in hexadecimal notation."
 msgstr "Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of ``<prefix>::ffff``, as the address 65534 will correspond to ``ffff`` in hexadecimal notation."
@@ -5783,15 +6528,19 @@ msgstr "Example: Mirror the outbound traffic of `br1` port to `eth3`"
 msgid "Example: Mirror the outbound traffic of `eth1` port to `eth3`"
 msgstr "Example: Mirror the outbound traffic of `eth1` port to `eth3`"
 
-#: ../../configuration/interfaces/bridge.rst:175
+#: ../../configuration/policy/prefix-list.rst:50
+msgid "Example: Prefix Lists"
+msgstr "Example: Prefix Lists"
+
+#: ../../configuration/interfaces/bridge.rst:174
 msgid "Example: Set `eth0` member port to be allowed VLAN 4"
 msgstr "Example: Set `eth0` member port to be allowed VLAN 4"
 
-#: ../../configuration/interfaces/bridge.rst:181
+#: ../../configuration/interfaces/bridge.rst:180
 msgid "Example: Set `eth0` member port to be allowed VLAN 6-8"
 msgstr "Example: Set `eth0` member port to be allowed VLAN 6-8"
 
-#: ../../configuration/interfaces/bridge.rst:162
+#: ../../configuration/interfaces/bridge.rst:161
 msgid "Example: Set `eth0` member port to be native VLAN 2"
 msgstr "Example: Set `eth0` member port to be native VLAN 2"
 
@@ -5799,11 +6548,19 @@ msgstr "Example: Set `eth0` member port to be native VLAN 2"
 msgid "Example: to be appended is set to ``vyos.net`` and the URL received is ``www/foo.html``, the system will use the generated, final URL of ``www.vyos.net/foo.html``."
 msgstr "Example: to be appended is set to ``vyos.net`` and the URL received is ``www/foo.html``, the system will use the generated, final URL of ``www.vyos.net/foo.html``."
 
-#: ../../configuration/container/index.rst:216
-#: ../../configuration/service/https.rst:110
+#: ../../configuration/container/index.rst:271
+#: ../../configuration/service/https.rst:117
 msgid "Example Configuration"
 msgstr "Example Configuration"
 
+#: ../../configuration/interfaces/wireless.rst:737
+msgid "Example Configuration: WiFi-6 at 2.4GHz"
+msgstr "Example Configuration: WiFi-6 at 2.4GHz"
+
+#: ../../configuration/interfaces/wireless.rst:828
+msgid "Example Configuration: WiFi-6e at 6GHz"
+msgstr "Example Configuration: WiFi-6e at 6GHz"
+
 #: ../../configuration/service/dns.rst:478
 msgid "Example IPv6 only:"
 msgstr "Example IPv6 only:"
@@ -5812,8 +6569,8 @@ msgstr "Example IPv6 only:"
 msgid "Example Network"
 msgstr "Example Network"
 
-#: ../../configuration/firewall/ipv4.rst:1153
-#: ../../configuration/firewall/ipv6.rst:1153
+#: ../../configuration/firewall/ipv4.rst:1257
+#: ../../configuration/firewall/ipv6.rst:1263
 msgid "Example Partial Config"
 msgstr "Example Partial Config"
 
@@ -5833,22 +6590,27 @@ msgstr "Example for configuring a simple L2TP over IPsec VPN for remote access (
 msgid "Example of redirection:"
 msgstr "Example of redirection:"
 
-#: ../../configuration/firewall/ipv4.rst:948
-#: ../../configuration/firewall/ipv6.rst:934
+#: ../../configuration/nat/cgnat.rst:113
+msgid "Example of setting up a basic CGNAT configuration: In the following example, we define an external pool named `ext-1` with one external IP address"
+msgstr "Example of setting up a basic CGNAT configuration: In the following example, we define an external pool named `ext-1` with one external IP address"
+
+#: ../../configuration/firewall/ipv4.rst:1053
+#: ../../configuration/firewall/ipv6.rst:1043
 msgid "Example synproxy"
 msgstr "Example synproxy"
 
-#: ../../configuration/firewall/groups.rst:145
-#: ../../configuration/interfaces/bridge.rst:196
+#: ../../configuration/firewall/groups.rst:240
+#: ../../configuration/interfaces/bridge.rst:195
 #: ../../configuration/interfaces/macsec.rst:153
-#: ../../configuration/interfaces/wireless.rst:541
-#: ../../configuration/loadbalancing/reverse-proxy.rst:227
+#: ../../configuration/interfaces/wireless.rst:665
+#: ../../configuration/loadbalancing/haproxy.rst:279
 #: ../../configuration/pki/index.rst:370
 #: ../../configuration/policy/index.rst:46
 #: ../../configuration/protocols/bgp.rst:1118
 #: ../../configuration/protocols/isis.rst:336
+#: ../../configuration/protocols/openfabric.rst:165
 #: ../../configuration/protocols/ospf.rst:834
-#: ../../configuration/service/pppoe-server.rst:601
+#: ../../configuration/service/pppoe-server.rst:626
 #: ../../configuration/service/webproxy.rst:419
 msgid "Examples"
 msgstr "Examples"
@@ -5866,6 +6628,10 @@ msgstr "Examples of policies usage:"
 msgid "Exclude IP addresses from ``VRRP packets``. This option ``excluded-address`` is used when you want to set IPv4 + IPv6 addresses on the same virtual interface or when used more than 20 IP addresses."
 msgstr "Exclude IP addresses from ``VRRP packets``. This option ``excluded-address`` is used when you want to set IPv4 + IPv6 addresses on the same virtual interface or when used more than 20 IP addresses."
 
+#: ../../configuration/service/dhcp-server.rst:644
+msgid "Exclude `<exclude-prefix>` from `<pd-prefix>`."
+msgstr "Exclude `<exclude-prefix>` from `<pd-prefix>`."
+
 #: ../../configuration/highavailability/index.rst:83
 msgid "Exclude address"
 msgstr "Exclude address"
@@ -5882,11 +6648,11 @@ msgstr "Exit policy on match: go to next sequence number."
 msgid "Exit policy on match: go to rule <1-65535>"
 msgstr "Exit policy on match: go to rule <1-65535>"
 
-#: ../../configuration/trafficpolicy/index.rst:265
+#: ../../configuration/trafficpolicy/index.rst:315
 msgid "Expedited forwarding (EF)"
 msgstr "Expedited forwarding (EF)"
 
-#: ../../configuration/firewall/flowtables.rst:140
+#: ../../configuration/firewall/flowtables.rst:141
 msgid "Explanation"
 msgstr "Explanation"
 
@@ -5902,27 +6668,31 @@ msgstr "External DHCPv6 server is at 2001:db8::4"
 msgid "External Route Summarisation"
 msgstr "External Route Summarisation"
 
+#: ../../configuration/nat/cgnat.rst:142
+msgid "External address sequences"
+msgstr "External address sequences"
+
 #: ../../configuration/service/ids.rst:101
 msgid "External attack: an attack from the internet towards an internal IP is identify. In this case, all connections towards such IP will be blocked"
 msgstr "External attack: an attack from the internet towards an internal IP is identify. In this case, all connections towards such IP will be blocked"
 
-#: ../../configuration/trafficpolicy/index.rst:441
+#: ../../configuration/trafficpolicy/index.rst:491
 msgid "FQ-CoDel"
 msgstr "FQ-CoDel"
 
-#: ../../configuration/trafficpolicy/index.rst:450
+#: ../../configuration/trafficpolicy/index.rst:500
 msgid "FQ-CoDel fights bufferbloat and reduces latency without the need of complex configurations. It has become the new default Queueing Discipline for the interfaces of some GNU/Linux distributions."
 msgstr "FQ-CoDel fights bufferbloat and reduces latency without the need of complex configurations. It has become the new default Queueing Discipline for the interfaces of some GNU/Linux distributions."
 
-#: ../../configuration/trafficpolicy/index.rst:460
+#: ../../configuration/trafficpolicy/index.rst:510
 msgid "FQ-CoDel is based on a modified Deficit Round Robin (DRR_) queue scheduler with the CoDel Active Queue Management (AQM) algorithm operating on each queue."
 msgstr "FQ-CoDel is based on a modified Deficit Round Robin (DRR_) queue scheduler with the CoDel Active Queue Management (AQM) algorithm operating on each queue."
 
-#: ../../configuration/trafficpolicy/index.rst:474
+#: ../../configuration/trafficpolicy/index.rst:524
 msgid "FQ-CoDel is tuned to run ok with its default parameters at 10Gbit speeds. It might work ok too at other speeds without configuring anything, but here we will explain some cases when you might want to tune its parameters."
 msgstr "FQ-CoDel is tuned to run ok with its default parameters at 10Gbit speeds. It might work ok too at other speeds without configuring anything, but here we will explain some cases when you might want to tune its parameters."
 
-#: ../../configuration/trafficpolicy/index.rst:465
+#: ../../configuration/trafficpolicy/index.rst:515
 msgid "FQ-Codel is a non-shaping (work-conserving) policy, so it will only be useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and FQ-Codel will have no effect. If there is bandwidth available on the physical link, you can embed_ FQ-Codel into a classful shaping policy to make sure it owns the queue. If you are not sure if you need to embed your FQ-CoDel policy into a Shaper, do it."
 msgstr "FQ-Codel is a non-shaping (work-conserving) policy, so it will only be useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and FQ-Codel will have no effect. If there is bandwidth available on the physical link, you can embed_ FQ-Codel into a classful shaping policy to make sure it owns the queue. If you are not sure if you need to embed your FQ-CoDel policy into a Shaper, do it."
 
@@ -5938,19 +6708,19 @@ msgstr "FRR offers only partial support for some of the routing protocol extensi
 msgid "FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when working with the Linux kernel. In this new way, the mapping of a VLAN to a :abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))` is configured against a container VXLAN interface which is referred to as a :abbr:`SVD (Single VXLAN device)`."
 msgstr "FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when working with the Linux kernel. In this new way, the mapping of a VLAN to a :abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))` is configured against a container VXLAN interface which is referred to as a :abbr:`SVD (Single VXLAN device)`."
 
-#: ../../configuration/system/syslog.rst:134
+#: ../../configuration/system/syslog.rst:152
 msgid "FTP daemon"
 msgstr "FTP daemon"
 
-#: ../../configuration/system/syslog.rst:96
+#: ../../configuration/system/syslog.rst:114
 msgid "Facilities"
 msgstr "Facilities"
 
-#: ../../configuration/system/syslog.rst:104
+#: ../../configuration/system/syslog.rst:122
 msgid "Facilities can be adjusted to meet the needs of the user:"
 msgstr "Facilities can be adjusted to meet the needs of the user:"
 
-#: ../../configuration/system/syslog.rst:107
+#: ../../configuration/system/syslog.rst:125
 msgid "Facility Code"
 msgstr "Facility Code"
 
@@ -5975,15 +6745,15 @@ msgstr "Failover routes are manually configured routes, but they install to the
 msgid "Failover routes are manually configured routes, but they only install to the routing table if the health-check target is alive. If the target is not alive the route is removed from the routing table until the target becomes available."
 msgstr "Failover routes are manually configured routes, but they only install to the routing table if the health-check target is alive. If the target is not alive the route is removed from the routing table until the target becomes available."
 
-#: ../../configuration/trafficpolicy/index.rst:384
+#: ../../configuration/trafficpolicy/index.rst:434
 msgid "Fair Queue"
 msgstr "Fair Queue"
 
-#: ../../configuration/trafficpolicy/index.rst:429
+#: ../../configuration/trafficpolicy/index.rst:479
 msgid "Fair Queue is a non-shaping (work-conserving) policy, so it will only be useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and Fair Queue will have no effect. If there is bandwidth available on the physical link, you can embed_ Fair-Queue into a classful shaping policy to make sure it owns the queue."
 msgstr "Fair Queue is a non-shaping (work-conserving) policy, so it will only be useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and Fair Queue will have no effect. If there is bandwidth available on the physical link, you can embed_ Fair-Queue into a classful shaping policy to make sure it owns the queue."
 
-#: ../../configuration/trafficpolicy/index.rst:389
+#: ../../configuration/trafficpolicy/index.rst:439
 msgid "Fair Queue is a work-conserving scheduler which schedules the transmission of packets based on flows, that is, it balances traffic distributing it through different sub-queues in order to ensure fairness so that each flow is able to send data in turn, preventing any single one from drowning out the rest."
 msgstr "Fair Queue is a work-conserving scheduler which schedules the transmission of packets based on flows, that is, it balances traffic distributing it through different sub-queues in order to ensure fairness so that each flow is able to send data in turn, preventing any single one from drowning out the rest."
 
@@ -6011,7 +6781,7 @@ msgstr "File identified by `<filename>` containing the TSIG authentication key f
 msgid "File identified by `<keyfile>` containing the secret RNDC key shared with remote DNS server."
 msgstr "File identified by `<keyfile>` containing the secret RNDC key shared with remote DNS server."
 
-#: ../../configuration/service/pppoe-server.rst:302
+#: ../../configuration/service/pppoe-server.rst:321
 msgid "Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate)"
 msgstr "Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate)"
 
@@ -6023,6 +6793,10 @@ msgstr "Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit up-str
 msgid "Filter Type-3 summary-LSAs announced to other areas originated from intra- area paths from specified area. This command makes sense in ABR only."
 msgstr "Filter Type-3 summary-LSAs announced to other areas originated from intra- area paths from specified area. This command makes sense in ABR only."
 
+#: ../../configuration/system/syslog.rst:35
+msgid "Filter syslog messages based on facility and level."
+msgstr "Filter syslog messages based on facility and level."
+
 #: ../../configuration/policy/index.rst:16
 msgid "Filter traffic based on source/destination address."
 msgstr "Filter traffic based on source/destination address."
@@ -6047,11 +6821,11 @@ msgstr "Firewall"
 msgid "Firewall-Legacy"
 msgstr "Firewall-Legacy"
 
-#: ../../configuration/firewall/ipv4.rst:72
+#: ../../configuration/firewall/ipv4.rst:96
 msgid "Firewall - IPv4 Rules"
 msgstr "Firewall - IPv4 Rules"
 
-#: ../../configuration/firewall/ipv6.rst:72
+#: ../../configuration/firewall/ipv6.rst:96
 msgid "Firewall - IPv6 Rules"
 msgstr "Firewall - IPv6 Rules"
 
@@ -6063,20 +6837,20 @@ msgstr "Firewall Configuration"
 msgid "Firewall Configuration (Deprecated)"
 msgstr "Firewall Configuration (Deprecated)"
 
-#: ../../configuration/firewall/bridge.rst:199
-#: ../../configuration/firewall/ipv4.rst:268
-#: ../../configuration/firewall/ipv6.rst:268
+#: ../../configuration/firewall/bridge.rst:288
+#: ../../configuration/firewall/ipv4.rst:293
+#: ../../configuration/firewall/ipv6.rst:293
 msgid "Firewall Description"
 msgstr "Firewall Description"
 
-#: ../../configuration/interfaces/openvpn.rst:209
+#: ../../configuration/interfaces/openvpn.rst:211
 #: ../../configuration/interfaces/wireguard.rst:207
 msgid "Firewall Exceptions"
 msgstr "Firewall Exceptions"
 
-#: ../../configuration/firewall/bridge.rst:149
-#: ../../configuration/firewall/ipv4.rst:196
-#: ../../configuration/firewall/ipv6.rst:196
+#: ../../configuration/firewall/bridge.rst:203
+#: ../../configuration/firewall/ipv4.rst:220
+#: ../../configuration/firewall/ipv6.rst:220
 msgid "Firewall Logs"
 msgstr "Firewall Logs"
 
@@ -6084,6 +6858,18 @@ msgstr "Firewall Logs"
 msgid "Firewall Rules"
 msgstr "Firewall Rules"
 
+#: ../../configuration/firewall/ipv4.rst:60
+msgid "Firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlighted with red color."
+msgstr "Firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlighted with red color."
+
+#: ../../configuration/firewall/ipv6.rst:60
+msgid "Firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlighted with red color."
+msgstr "Firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlighted with red color."
+
+#: ../../configuration/firewall/groups.rst:145
+msgid "Firewall dynamic groups are different from all the groups defined previously because, not only they can be used as source/destination in firewall rules, but members of these groups are not defined statically using vyos configuration."
+msgstr "Firewall dynamic groups are different from all the groups defined previously because, not only they can be used as source/destination in firewall rules, but members of these groups are not defined statically using vyos configuration."
+
 #: ../../configuration/firewall/groups.rst:7
 msgid "Firewall groups"
 msgstr "Firewall groups"
@@ -6100,11 +6886,11 @@ msgstr "Firewall groups represent collections of IP addresses, networks, ports,
 msgid "Firewall groups represent collections of IP addresses, networks, ports, mac addresses or domains. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher. Members can be added or removed from a group without changes to, or the need to reload, individual firewall rules."
 msgstr "Firewall groups represent collections of IP addresses, networks, ports, mac addresses or domains. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher. Members can be added or removed from a group without changes to, or the need to reload, individual firewall rules."
 
-#: ../../configuration/highavailability/index.rst:391
+#: ../../configuration/highavailability/index.rst:395
 msgid "Firewall mark. It possible to loadbalancing traffic based on ``fwmark`` value"
 msgstr "Firewall mark. It possible to loadbalancing traffic based on ``fwmark`` value"
 
-#: ../../configuration/interfaces/openvpn.rst:311
+#: ../../configuration/interfaces/openvpn.rst:315
 msgid "Firewall policy can also be applied to the tunnel interface for `local`, `in`, and `out` directions and functions identically to ethernet interfaces."
 msgstr "Firewall policy can also be applied to the tunnel interface for `local`, `in`, and `out` directions and functions identically to ethernet interfaces."
 
@@ -6116,15 +6902,20 @@ msgstr "Firewall rules are written as normal, using the internal IP address as t
 msgid "Firewall rules for Destination NAT"
 msgstr "Firewall rules for Destination NAT"
 
-#: ../../configuration/interfaces/wwan.rst:321
+#: ../../configuration/interfaces/wwan.rst:322
 msgid "Firmware Update"
 msgstr "Firmware Update"
 
+#: ../../configuration/firewall/ipv4.rst:40
+#: ../../configuration/firewall/ipv6.rst:40
+msgid "First, all traffic is received by the router, and it is processed in the **prerouting** section."
+msgstr "First, all traffic is received by the router, and it is processed in the **prerouting** section."
+
 #: ../../configuration/vpn/rsa-keys.rst:9
 msgid "First, on both routers run the operational command \"generate pki key-pair install <key-pair nam>>\". You may choose different length than 2048 of course."
 msgstr "First, on both routers run the operational command \"generate pki key-pair install <key-pair nam>>\". You may choose different length than 2048 of course."
 
-#: ../../configuration/vpn/ipsec.rst:271
+#: ../../configuration/vpn/ipsec.rst:291
 msgid "First, on both routers run the operational command \"generate pki key-pair install <key-pair name>\". You may choose different length than 2048 of course."
 msgstr "First, on both routers run the operational command \"generate pki key-pair install <key-pair name>\". You may choose different length than 2048 of course."
 
@@ -6136,7 +6927,7 @@ msgstr "First, one of the systems generate the key using the :ref:`generate pki
 msgid "First, we create the root certificate authority."
 msgstr "First, we create the root certificate authority."
 
-#: ../../configuration/interfaces/openvpn.rst:176
+#: ../../configuration/interfaces/openvpn.rst:178
 msgid "First, you need to generate a key by running ``run generate pki openvpn shared-secret install <name>`` from configuration mode. You can use any name, we will use ``s2s``."
 msgstr "First, you need to generate a key by running ``run generate pki openvpn shared-secret install <name>`` from configuration mode. You can use any name, we will use ``s2s``."
 
@@ -6164,6 +6955,10 @@ msgstr "First steps"
 msgid "First the OTP keys must be generated and sent to the user and to the configuration:"
 msgstr "First the OTP keys must be generated and sent to the user and to the configuration:"
 
+#: ../../configuration/interfaces/openvpn.rst:346
+msgid "First we need to specify the basic settings. 1194/UDP is the default. The ``persistent-tunnel`` option is recommended, as it prevents the TUN/TAP device from closing on connection resets or daemon reloads."
+msgstr "First we need to specify the basic settings. 1194/UDP is the default. The ``persistent-tunnel`` option is recommended, as it prevents the TUN/TAP device from closing on connection resets or daemon reloads."
+
 #: ../../configuration/interfaces/openvpn.rst:342
 msgid "First we need to specify the basic settings. 1194/UDP is the default. The ``persistent-tunnel`` option is recommended, it prevents the TUN/TAP device from closing on connection resets or daemon reloads."
 msgstr "First we need to specify the basic settings. 1194/UDP is the default. The ``persistent-tunnel`` option is recommended, it prevents the TUN/TAP device from closing on connection resets or daemon reloads."
@@ -6176,19 +6971,23 @@ msgstr "First you will need to deploy an RPKI validator for your routers to use.
 msgid "First you will need to deploy an RPKI validator for your routers to use. The RIPE NCC helpfully provide `some instructions`_ to get you started with several different options.  Once your server is running you can start validating announcements."
 msgstr "First you will need to deploy an RPKI validator for your routers to use. The RIPE NCC helpfully provide `some instructions`_ to get you started with several different options.  Once your server is running you can start validating announcements."
 
-#: ../../configuration/trafficpolicy/index.rst:797
+#: ../../configuration/trafficpolicy/index.rst:847
 msgid "Flash"
 msgstr "Flash"
 
-#: ../../configuration/trafficpolicy/index.rst:795
+#: ../../configuration/trafficpolicy/index.rst:845
 msgid "Flash Override"
 msgstr "Flash Override"
 
+#: ../../configuration/vpn/ipsec.rst:174
+msgid "FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
+msgstr "FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
+
 #: ../../configuration/system/flow-accounting.rst:5
 msgid "Flow Accounting"
 msgstr "Flow Accounting"
 
-#: ../../configuration/system/flow-accounting.rst:86
+#: ../../configuration/system/flow-accounting.rst:90
 msgid "Flow Export"
 msgstr "Flow Export"
 
@@ -6196,27 +6995,27 @@ msgstr "Flow Export"
 msgid "Flow and packet-based balancing"
 msgstr "Flow and packet-based balancing"
 
-#: ../../configuration/trafficpolicy/index.rst:1196
+#: ../../configuration/trafficpolicy/index.rst:1246
 msgid "Flows are defined by source-destination host pairs."
 msgstr "Flows are defined by source-destination host pairs."
 
-#: ../../configuration/trafficpolicy/index.rst:1181
+#: ../../configuration/trafficpolicy/index.rst:1231
 msgid "Flows are defined by the 5-tuple. Fairness is applied first over destination addresses, then over individual flows."
 msgstr "Flows are defined by the 5-tuple. Fairness is applied first over destination addresses, then over individual flows."
 
-#: ../../configuration/trafficpolicy/index.rst:1186
+#: ../../configuration/trafficpolicy/index.rst:1236
 msgid "Flows are defined by the 5-tuple. Fairness is applied first over source addresses, then over individual flows."
 msgstr "Flows are defined by the 5-tuple. Fairness is applied first over source addresses, then over individual flows."
 
-#: ../../configuration/trafficpolicy/index.rst:1191
+#: ../../configuration/trafficpolicy/index.rst:1241
 msgid "Flows are defined by the entire 5-tuple (source IP address, source port, destination IP address, destination port, transport protocol)."
 msgstr "Flows are defined by the entire 5-tuple (source IP address, source port, destination IP address, destination port, transport protocol)."
 
-#: ../../configuration/trafficpolicy/index.rst:1177
+#: ../../configuration/trafficpolicy/index.rst:1227
 msgid "Flows are defined only by destination address."
 msgstr "Flows are defined only by destination address."
 
-#: ../../configuration/trafficpolicy/index.rst:1204
+#: ../../configuration/trafficpolicy/index.rst:1254
 msgid "Flows are defined only by source address."
 msgstr "Flows are defined only by source address."
 
@@ -6224,7 +7023,7 @@ msgstr "Flows are defined only by source address."
 msgid "Flows can be exported via two different protocols: NetFlow (versions 5, 9 and 10/IPFIX) and sFlow. Additionally, you may save flows to an in-memory table internally in a router."
 msgstr "Flows can be exported via two different protocols: NetFlow (versions 5, 9 and 10/IPFIX) and sFlow. Additionally, you may save flows to an in-memory table internally in a router."
 
-#: ../../configuration/firewall/flowtables.rst:57
+#: ../../configuration/firewall/flowtables.rst:58
 msgid "Flowtable Configuration"
 msgstr "Flowtable Configuration"
 
@@ -6232,19 +7031,23 @@ msgstr "Flowtable Configuration"
 msgid "Flowtables Firewall Configuration"
 msgstr "Flowtables Firewall Configuration"
 
-#: ../../configuration/firewall/flowtables.rst:32
+#: ../../configuration/firewall/flowtables.rst:33
 msgid "Flowtables  allows you to define a fastpath through the flowtable datapath. The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols."
 msgstr "Flowtables  allows you to define a fastpath through the flowtable datapath. The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols."
 
+#: ../../configuration/firewall/flowtables.rst:33
+msgid "Flowtables allow you to define a fastpath through the flowtable datapath. The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols."
+msgstr "Flowtables allow you to define a fastpath through the flowtable datapath. The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols."
+
 #: ../../configuration/loadbalancing/wan.rst:244
 msgid "Flushing the session table will cause other connections to fall back from flow-based to packet-based balancing until each flow is reestablished."
 msgstr "Flushing the session table will cause other connections to fall back from flow-based to packet-based balancing until each flow is reestablished."
 
-#: ../../configuration/service/ssh.rst:236
+#: ../../configuration/service/ssh.rst:256
 msgid "Follow the SSH dynamic-protection log."
 msgstr "Follow the SSH dynamic-protection log."
 
-#: ../../configuration/service/ssh.rst:228
+#: ../../configuration/service/ssh.rst:248
 msgid "Follow the SSH server log."
 msgstr "Follow the SSH server log."
 
@@ -6260,11 +7063,11 @@ msgstr "Follow the instructions to generate server cert (in configuration mode):
 msgid "Follow the logs for mDNS repeater service."
 msgstr "Follow the logs for mDNS repeater service."
 
-#: ../../configuration/interfaces/openvpn.rst:258
+#: ../../configuration/interfaces/openvpn.rst:260
 msgid "For Encryption:"
 msgstr "For Encryption:"
 
-#: ../../configuration/interfaces/openvpn.rst:295
+#: ../../configuration/interfaces/openvpn.rst:299
 msgid "For Hashing:"
 msgstr "For Hashing:"
 
@@ -6276,11 +7079,15 @@ msgstr "For IS-IS top operate correctly, one must do the equivalent of a Router
 msgid "For Incoming and Import Route-maps if we receive a v6 global and v6 LL address for the route, then prefer to use the global address as the nexthop."
 msgstr "For Incoming and Import Route-maps if we receive a v6 global and v6 LL address for the route, then prefer to use the global address as the nexthop."
 
-#: ../../configuration/service/pppoe-server.rst:257
+#: ../../configuration/service/pppoe-server.rst:276
 msgid "For Local Users"
 msgstr "For Local Users"
 
-#: ../../configuration/service/pppoe-server.rst:297
+#: ../../configuration/protocols/openfabric.rst:25
+msgid "For OpenFabric to operate correctly, one must do the equivalent of a Router ID in Connectionless Network Service (CLNS). This Router ID is called the :abbr:`NET (Network Entity Title)`. The system identifier must be unique within the network"
+msgstr "For OpenFabric to operate correctly, one must do the equivalent of a Router ID in Connectionless Network Service (CLNS). This Router ID is called the :abbr:`NET (Network Entity Title)`. The system identifier must be unique within the network"
+
+#: ../../configuration/service/pppoe-server.rst:316
 msgid "For RADIUS users"
 msgstr "For RADIUS users"
 
@@ -6300,11 +7107,11 @@ msgstr "For :ref:`destination-nat` rules the packets destination address will be
 msgid "For :ref:`source-nat` rules the packets source address will be replaced with the address specified in the translation command. A port translation can also be specified and is part of the translation address."
 msgstr "For :ref:`source-nat` rules the packets source address will be replaced with the address specified in the translation command. A port translation can also be specified and is part of the translation address."
 
-#: ../../configuration/interfaces/bonding.rst:383
+#: ../../configuration/interfaces/bonding.rst:436
 msgid "For a headstart you can use the below example on how to build a bond,port-channel with two interfaces from VyOS to a Aruba/HP 2510G switch."
 msgstr "For a headstart you can use the below example on how to build a bond,port-channel with two interfaces from VyOS to a Aruba/HP 2510G switch."
 
-#: ../../configuration/interfaces/bonding.rst:354
+#: ../../configuration/interfaces/bonding.rst:407
 msgid "For a headstart you can use the below example on how to build a bond with two interfaces from VyOS to a Juniper EX Switch system."
 msgstr "For a headstart you can use the below example on how to build a bond with two interfaces from VyOS to a Juniper EX Switch system."
 
@@ -6320,11 +7127,16 @@ msgstr "For a simple home network using just the ISP's equipment, this is usuall
 msgid "For connectionless protocols as like ICMP and UDP, a flow is considered complete once no more packets for this flow appear after configurable timeout."
 msgstr "For connectionless protocols as like ICMP and UDP, a flow is considered complete once no more packets for this flow appear after configurable timeout."
 
+#: ../../configuration/interfaces/openvpn.rst:763
+msgid "For every client in the openvpn server configuration a totp secret is created. To display the authentication information, use the command:"
+msgstr "For every client in the openvpn server configuration a totp secret is created. To display the authentication information, use the command:"
+
 #: ../../configuration/system/login.rst:136
 msgid "For example, if problems with poor time synchronization are experienced, the window can be increased from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server."
 msgstr "For example, if problems with poor time synchronization are experienced, the window can be increased from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server."
 
 #: ../../configuration/trafficpolicy/index.rst:157
+#: ../../configuration/trafficpolicy/index.rst:240
 msgid "For example:"
 msgstr "For example:"
 
@@ -6332,13 +7144,19 @@ msgstr "For example:"
 msgid "For firewall filtering, configuration should be done in ``set firewall [ipv4 | ipv6] ...``"
 msgstr "For firewall filtering, configuration should be done in ``set firewall [ipv4 | ipv6] ...``"
 
+#: ../../configuration/firewall/bridge.rst:77
+#: ../../configuration/firewall/ipv4.rst:98
+#: ../../configuration/firewall/ipv6.rst:98
+msgid "For firewall filtering, firewall rules need to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify multiple matching criteria. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed."
+msgstr "For firewall filtering, firewall rules need to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify multiple matching criteria. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed."
+
 #: ../../configuration/firewall/bridge.rst:58
-#: ../../configuration/firewall/ipv4.rst:74
-#: ../../configuration/firewall/ipv6.rst:74
+#: ../../configuration/firewall/ipv4.rst:98
+#: ../../configuration/firewall/ipv6.rst:98
 msgid "For firewall filtering, firewall rules needs to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify multiple criteria matchers. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed."
 msgstr "For firewall filtering, firewall rules needs to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify multiple criteria matchers. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed."
 
-#: ../../configuration/interfaces/bonding.rst:219
+#: ../../configuration/interfaces/bonding.rst:224
 msgid "For fragmented TCP or UDP packets and all other IPv4 and IPv6 protocol traffic, the source and destination port information is omitted. For non-IP traffic, the formula is the same as for the layer2 transmit hash policy."
 msgstr "For fragmented TCP or UDP packets and all other IPv4 and IPv6 protocol traffic, the source and destination port information is omitted. For non-IP traffic, the formula is the same as for the layer2 transmit hash policy."
 
@@ -6350,7 +7168,7 @@ msgstr "For generating an OTP key in VyOS, you can use the CLI command (operatio
 msgid "For inbound updates the order of preference is:"
 msgstr "For inbound updates the order of preference is:"
 
-#: ../../configuration/trafficpolicy/index.rst:254
+#: ../../configuration/trafficpolicy/index.rst:304
 msgid "For instance, with :code:`set qos policy shaper MY-SHAPER class 30 set-dscp EF` you would be modifying the DSCP field value of packets in that class to Expedite Forwarding."
 msgstr "For instance, with :code:`set qos policy shaper MY-SHAPER class 30 set-dscp EF` you would be modifying the DSCP field value of packets in that class to Expedite Forwarding."
 
@@ -6378,6 +7196,10 @@ msgstr "For multi hop sessions only. Configure the minimum expected TTL for an i
 msgid "For network maintenance, it's a good idea to direct users to a backup server so that the primary server can be safely taken out of service. It's possible to switch your PPPoE server to maintenance mode where it maintains already established connections, but refuses new connection attempts."
 msgstr "For network maintenance, it's a good idea to direct users to a backup server so that the primary server can be safely taken out of service. It's possible to switch your PPPoE server to maintenance mode where it maintains already established connections, but refuses new connection attempts."
 
+#: ../../configuration/service/ntp.rst:182
+msgid "For networks consisting of VyOS and other Linux systems running relatively recent versions of the chrony daemon, NTP packets can be \"tunneled\" over PTP. NTP over PTP provides the best of both worlds, leveraging hardware support for timestamping PTP packets while retaining the configuration flexibility and fault tolerance of NTP."
+msgstr "For networks consisting of VyOS and other Linux systems running relatively recent versions of the chrony daemon, NTP packets can be \"tunneled\" over PTP. NTP over PTP provides the best of both worlds, leveraging hardware support for timestamping PTP packets while retaining the configuration flexibility and fault tolerance of NTP."
+
 #: ../../configuration/interfaces/vxlan.rst:152
 msgid "For optimal scalability, Multicast shouldn't be used at all, but instead use BGP to signal all connected devices between leaves. Unfortunately, VyOS does not yet support this."
 msgstr "For optimal scalability, Multicast shouldn't be used at all, but instead use BGP to signal all connected devices between leaves. Unfortunately, VyOS does not yet support this."
@@ -6386,12 +7208,12 @@ msgstr "For optimal scalability, Multicast shouldn't be used at all, but instead
 msgid "For outbound updates the order of preference is:"
 msgstr "For outbound updates the order of preference is:"
 
-#: ../../configuration/firewall/bridge.rst:201
+#: ../../configuration/firewall/bridge.rst:290
 msgid "For reference, a description can be defined for every defined custom chain."
 msgstr "For reference, a description can be defined for every defined custom chain."
 
-#: ../../configuration/firewall/ipv4.rst:270
-#: ../../configuration/firewall/ipv6.rst:270
+#: ../../configuration/firewall/ipv4.rst:295
+#: ../../configuration/firewall/ipv6.rst:295
 msgid "For reference, a description can be defined for every single rule, and for every defined custom chain."
 msgstr "For reference, a description can be defined for every single rule, and for every defined custom chain."
 
@@ -6407,7 +7229,7 @@ msgstr "For serial via USB port information please refor to: :ref:`hardware_usb`
 msgid "For simplicity we'll assume that the protocol is GRE, it's not hard to guess what needs to be changed to make it work with a different protocol. We assume that IPsec will use pre-shared secret authentication and will use AES128/SHA1 for the cipher and hash. Adjust this as necessary."
 msgstr "For simplicity we'll assume that the protocol is GRE, it's not hard to guess what needs to be changed to make it work with a different protocol. We assume that IPsec will use pre-shared secret authentication and will use AES128/SHA1 for the cipher and hash. Adjust this as necessary."
 
-#: ../../configuration/interfaces/openvpn.rst:211
+#: ../../configuration/interfaces/openvpn.rst:213
 msgid "For the OpenVPN traffic to pass through the WAN interface, you must create a firewall exception."
 msgstr "For the OpenVPN traffic to pass through the WAN interface, you must create a firewall exception."
 
@@ -6423,19 +7245,35 @@ msgstr "For the :ref:`destination-nat66` rule, the destination address of the pa
 msgid "For the average user a serial console has no advantage over a console offered by a directly attached keyboard and screen. Serial consoles are much slower, taking up to a second to fill a 80 column by 24 line screen. Serial consoles generally only support non-proportional ASCII text, with limited support for languages other than English."
 msgstr "For the average user a serial console has no advantage over a console offered by a directly attached keyboard and screen. Serial consoles are much slower, taking up to a second to fill a 80 column by 24 line screen. Serial consoles generally only support non-proportional ASCII text, with limited support for languages other than English."
 
-#: ../../configuration/trafficpolicy/index.rst:1251
+#: ../../configuration/nat/nat66.rst:108
+msgid "For the destination, groups can also be used instead of an address."
+msgstr "For the destination, groups can also be used instead of an address."
+
+#: ../../configuration/trafficpolicy/index.rst:1301
 msgid "For the ingress traffic of an interface, there is only one policy you can directly apply, a **Limiter** policy. You cannot apply a shaping policy directly to the ingress traffic of any interface because shaping only works for outbound traffic."
 msgstr "For the ingress traffic of an interface, there is only one policy you can directly apply, a **Limiter** policy. You cannot apply a shaping policy directly to the ingress traffic of any interface because shaping only works for outbound traffic."
 
+#: ../../configuration/container/index.rst:273
+msgid "For the sake of demonstration, `example #1 in the official documentation <https://www.zabbix.com/documentation/current/manual/ installation/containers>`_ to the declarative VyOS CLI syntax."
+msgstr "For the sake of demonstration, `example #1 in the official documentation <https://www.zabbix.com/documentation/current/manual/ installation/containers>`_ to the declarative VyOS CLI syntax."
+
 #: ../../configuration/container/index.rst:218
 msgid "For the sake of demonstration, `example #1 in the official documentation <https://www.zabbix.com/documentation/current/manual/installation/containers>`_ to the declarative VyOS CLI syntax."
 msgstr "For the sake of demonstration, `example #1 in the official documentation <https://www.zabbix.com/documentation/current/manual/installation/containers>`_ to the declarative VyOS CLI syntax."
 
+#: ../../configuration/firewall/bridge.rst:52
+msgid "For traffic destined to the router itself, or that needs to be routed (assuming a layer3 bridge is configured), the base chain is **input**, the base command is ``set firewall bridge input filter ...`` and the path is:"
+msgstr "For traffic destined to the router itself, or that needs to be routed (assuming a layer3 bridge is configured), the base chain is **input**, the base command is ``set firewall bridge input filter ...`` and the path is:"
+
 #: ../../configuration/firewall/general.rst:66
 msgid "For traffic originated by the router, base chain is **output filter**: ``set firewall [ipv4 | ipv6] output filter ...``"
 msgstr "For traffic originated by the router, base chain is **output filter**: ``set firewall [ipv4 | ipv6] output filter ...``"
 
 #: ../../configuration/firewall/bridge.rst:40
+msgid "For traffic that needs to be forwarded internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlighted with red color."
+msgstr "For traffic that needs to be forwarded internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlighted with red color."
+
+#: ../../configuration/firewall/bridge.rst:40
 msgid "For traffic that needs to be forwared internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``"
 msgstr "For traffic that needs to be forwared internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``"
 
@@ -6443,17 +7281,31 @@ msgstr "For traffic that needs to be forwared internally by the bridge, base cha
 msgid "For traffic that needs to be forwared internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlightened with red color."
 msgstr "For traffic that needs to be forwared internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlightened with red color."
 
+#: ../../configuration/firewall/bridge.rst:46
+msgid "For traffic that needs to be switched internally by the bridge, base chain is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlighted with red color."
+msgstr "For traffic that needs to be switched internally by the bridge, base chain is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlighted with red color."
+
 #: ../../configuration/firewall/ipv4.rst:46
 #: ../../configuration/firewall/ipv6.rst:46
 msgid "For traffic towards the router itself, base chain is **input**, while traffic originated by the router, base chain is **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destinated to the router itself, and traffic generated by the router (starting from circle number 6):"
 msgstr "For traffic towards the router itself, base chain is **input**, while traffic originated by the router, base chain is **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destinated to the router itself, and traffic generated by the router (starting from circle number 6):"
 
+#: ../../configuration/firewall/ipv4.rst:64
+#: ../../configuration/firewall/ipv6.rst:64
+msgid "For traffic towards the router itself, base chain is **input**, while traffic originated by the router, base chain is **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6):"
+msgstr "For traffic towards the router itself, base chain is **input**, while traffic originated by the router, base chain is **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6):"
+
 #: ../../configuration/firewall/general.rst:69
 msgid "For traffic towards the router itself, base chain is **input filter**: ``set firewall [ipv4 | ipv6] input filter ...``"
 msgstr "For traffic towards the router itself, base chain is **input filter**: ``set firewall [ipv4 | ipv6] input filter ...``"
 
-#: ../../configuration/firewall/ipv4.rst:36
-#: ../../configuration/firewall/ipv6.rst:36
+#: ../../configuration/firewall/ipv4.rst:64
+#: ../../configuration/firewall/ipv6.rst:64
+msgid "For traffic towards the router itself, the base chain is **input**, while traffic originated by the router has the base chain **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6):"
+msgstr "For traffic towards the router itself, the base chain is **input**, while traffic originated by the router has the base chain **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6):"
+
+#: ../../configuration/firewall/ipv4.rst:54
+#: ../../configuration/firewall/ipv6.rst:54
 msgid "For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next:"
 msgstr "For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next:"
 
@@ -6461,7 +7313,12 @@ msgstr "For transit traffic, which is received by the router and forwarded, base
 msgid "For transit traffic, which is received by the router and forwarded, base chain is **forward filter**: ``set firewall [ipv4 | ipv6] forward filter ...``"
 msgstr "For transit traffic, which is received by the router and forwarded, base chain is **forward filter**: ``set firewall [ipv4 | ipv6] forward filter ...``"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:161
+#: ../../configuration/firewall/ipv4.rst:54
+#: ../../configuration/firewall/ipv6.rst:54
+msgid "For transit traffic, which is received by the router and forwarded, the base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next:"
+msgstr "For transit traffic, which is received by the router and forwarded, the base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next:"
+
+#: ../../configuration/loadbalancing/haproxy.rst:212
 msgid "For web application providing information about their state HTTP health checks can be used to determine their availability."
 msgstr "For web application providing information about their state HTTP health checks can be used to determine their availability."
 
@@ -6473,7 +7330,7 @@ msgstr "Formally, a virtual link looks like a point-to-point network connecting
 msgid "Forward incoming DNS queries to the DNS servers configured under the ``system name-server`` nodes."
 msgstr "Forward incoming DNS queries to the DNS servers configured under the ``system name-server`` nodes."
 
-#: ../../configuration/highavailability/index.rst:372
+#: ../../configuration/highavailability/index.rst:376
 msgid "Forward method"
 msgstr "Forward method"
 
@@ -6501,7 +7358,19 @@ msgstr "From a security perspective, it is not recommended to let a third party
 msgid "From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure:"
 msgstr "From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure:"
 
-#: ../../configuration/highavailability/index.rst:390
+#: ../../configuration/firewall/bridge.rst:19
+#: ../../configuration/firewall/flowtables.rst:20
+#: ../../configuration/firewall/ipv4.rst:19
+#: ../../configuration/firewall/ipv6.rst:19
+#: ../../configuration/firewall/zone.rst:28
+msgid "From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure:"
+msgstr "From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure:"
+
+#: ../../configuration/nat/cgnat.rst:193
+msgid "Further Reading"
+msgstr "Further Reading"
+
+#: ../../configuration/highavailability/index.rst:394
 msgid "Fwmark"
 msgstr "Fwmark"
 
@@ -6513,7 +7382,11 @@ msgstr "GENEVE"
 msgid "GENEVE is designed to support network virtualization use cases, where tunnels are typically established to act as a backplane between the virtual switches residing in hypervisors, physical switches, or middleboxes or other appliances. An arbitrary IP network can be used as an underlay although Clos networks - A technique for composing network fabrics larger than a single switch while maintaining non-blocking bandwidth across connection points. ECMP is used to divide traffic across the multiple links and switches that constitute the fabric. Sometimes termed \"leaf and spine\" or \"fat tree\" topologies."
 msgstr "GENEVE is designed to support network virtualization use cases, where tunnels are typically established to act as a backplane between the virtual switches residing in hypervisors, physical switches, or middleboxes or other appliances. An arbitrary IP network can be used as an underlay although Clos networks - A technique for composing network fabrics larger than a single switch while maintaining non-blocking bandwidth across connection points. ECMP is used to divide traffic across the multiple links and switches that constitute the fabric. Sometimes termed \"leaf and spine\" or \"fat tree\" topologies."
 
-#: ../../configuration/interfaces/geneve.rst:49
+#: ../../configuration/interfaces/geneve.rst:16
+msgid "GENEVE is designed to support network virtualization use cases, where tunnels are typically established to act as a backplane between the virtual switches residing in hypervisors, physical switches, or middleboxes or other appliances. An arbitrary IP network can be used as an underlay through Clos networks - A technique for composing network fabrics larger than a single switch while maintaining non-blocking bandwidth across connection points. ECMP is used to divide traffic across the multiple links and switches that constitute the fabric. Sometimes termed \"leaf and spine\" or \"fat tree\" topologies."
+msgstr "GENEVE is designed to support network virtualization use cases, where tunnels are typically established to act as a backplane between the virtual switches residing in hypervisors, physical switches, or middleboxes or other appliances. An arbitrary IP network can be used as an underlay through Clos networks - A technique for composing network fabrics larger than a single switch while maintaining non-blocking bandwidth across connection points. ECMP is used to divide traffic across the multiple links and switches that constitute the fabric. Sometimes termed \"leaf and spine\" or \"fat tree\" topologies."
+
+#: ../../configuration/interfaces/geneve.rst:73
 msgid "GENEVE options"
 msgstr "GENEVE options"
 
@@ -6548,6 +7421,7 @@ msgid "Genearate a new OpenVPN shared secret. The generated secret is the output
 msgstr "Genearate a new OpenVPN shared secret. The generated secret is the output to the console."
 
 #: ../../configuration/protocols/isis.rst:25
+#: ../../configuration/protocols/openfabric.rst:17
 #: ../../configuration/protocols/ospf.rst:25
 #: ../../configuration/protocols/ospf.rst:1081
 #: ../../configuration/system/option.rst:11
@@ -6564,6 +7438,14 @@ msgstr "General Configuration"
 msgid "General commands for firewall configuration, counter and statiscits:"
 msgstr "General commands for firewall configuration, counter and statiscits:"
 
+#: ../../configuration/firewall/bridge.rst:456
+msgid "General commands for firewall configuration, counter and statistics:"
+msgstr "General commands for firewall configuration, counter and statistics:"
+
+#: ../../configuration/firewall/groups.rst:243
+msgid "General example"
+msgstr "General example"
+
 #: ../../configuration/interfaces/wireguard.rst:29
 msgid "Generate Keypair"
 msgstr "Generate Keypair"
@@ -6581,6 +7463,11 @@ msgstr "Generate :abbr:`MKA (MACsec Key Agreement protocol)` CAK key 128 or 256
 msgid "Generate a WireGuard pre-shared secret used for peers to communicate."
 msgstr "Generate a WireGuard pre-shared secret used for peers to communicate."
 
+#: ../../configuration/pki/index.rst:123
+#: ../../configuration/pki/index.rst:128
+msgid "Generate a new OpenVPN shared secret. The generated secret is the output to the console."
+msgstr "Generate a new OpenVPN shared secret. The generated secret is the output to the console."
+
 #: ../../configuration/pki/index.rst:138
 #: ../../configuration/pki/index.rst:143
 msgid "Generate a new WireGuard public/private key portion and output the result to the console."
@@ -6591,7 +7478,7 @@ msgstr "Generate a new WireGuard public/private key portion and output the resul
 msgid "Generate a new set of :abbr:`DH (Diffie-Hellman)` parameters. The key size is requested by the CLI and defaults to 2048 bit."
 msgstr "Generate a new set of :abbr:`DH (Diffie-Hellman)` parameters. The key size is requested by the CLI and defaults to 2048 bit."
 
-#: ../../configuration/service/ssh.rst:194
+#: ../../configuration/service/ssh.rst:214
 msgid "Generate the configuration mode commands to add a public key for :ref:`ssh_key_based_authentication`. ``<location>`` can be a local path or a URL pointing at a remote file."
 msgstr "Generate the configuration mode commands to add a public key for :ref:`ssh_key_based_authentication`. ``<location>`` can be a local path or a URL pointing at a remote file."
 
@@ -6599,6 +7486,14 @@ msgstr "Generate the configuration mode commands to add a public key for :ref:`s
 msgid "Generates a keypair, which includes the public and private parts, and build a configuration command to install this key to ``interface``."
 msgstr "Generates a keypair, which includes the public and private parts, and build a configuration command to install this key to ``interface``."
 
+#: ../../configuration/interfaces/wireguard.rst:44
+msgid "Generates a keypair, which includes the public and private parts, and builds a configuration command to install this key to ``interface``."
+msgstr "Generates a keypair, which includes the public and private parts, and builds a configuration command to install this key to ``interface``."
+
+#: ../../configuration/interfaces/wireguard.rst:33
+msgid "Generates the keypair, which includes the public and private parts. The key is not stored on the system - only a keypair is generated."
+msgstr "Generates the keypair, which includes the public and private parts. The key is not stored on the system - only a keypair is generated."
+
 #: ../../configuration/interfaces/tunnel.rst:106
 msgid "Generic Routing Encapsulation (GRE)"
 msgstr "Generic Routing Encapsulation (GRE)"
@@ -6619,7 +7514,7 @@ msgstr "Get an overview over the encryption counters."
 msgid "Get detailed information about LLDP neighbors."
 msgstr "Get detailed information about LLDP neighbors."
 
-#: ../../configuration/nat/nat66.rst:160
+#: ../../configuration/nat/nat66.rst:172
 msgid "Get the DHCPv6-PD prefixes from both routers:"
 msgstr "Get the DHCPv6-PD prefixes from both routers:"
 
@@ -6635,19 +7530,24 @@ msgstr "Given the fact that open DNS recursors could be used on DDoS amplificati
 msgid "Given the following example we have one VyOS router acting as OpenVPN server and another VyOS router acting as OpenVPN client. The server also pushes a static client IP address to the OpenVPN client. Remember, clients are identified using their CN attribute in the SSL certificate."
 msgstr "Given the following example we have one VyOS router acting as OpenVPN server and another VyOS router acting as OpenVPN client. The server also pushes a static client IP address to the OpenVPN client. Remember, clients are identified using their CN attribute in the SSL certificate."
 
+#: ../../configuration/interfaces/openvpn.rst:581
+msgid "Given the following example we have one VyOS router acting as an OpenVPN server and another VyOS router acting as an OpenVPN client. The server also pushes a static client IP address to the OpenVPN client. Remember, clients are identified using their CN attribute in the SSL certificate."
+msgstr "Given the following example we have one VyOS router acting as an OpenVPN server and another VyOS router acting as an OpenVPN client. The server also pushes a static client IP address to the OpenVPN client. Remember, clients are identified using their CN attribute in the SSL certificate."
+
 #: ../../configuration/loadbalancing/reverse-proxy.rst:150
 msgid "Gloabal"
 msgstr "Gloabal"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:190
+#: ../../configuration/loadbalancing/haproxy.rst:179
+#: ../../configuration/system/syslog.rst:21
 msgid "Global"
 msgstr "Global"
 
-#: ../../configuration/service/ipoe-server.rst:352
-#: ../../configuration/service/pppoe-server.rst:518
-#: ../../configuration/vpn/l2tp.rst:472
+#: ../../configuration/service/ipoe-server.rst:351
+#: ../../configuration/service/pppoe-server.rst:543
+#: ../../configuration/vpn/l2tp.rst:477
 #: ../../configuration/vpn/pptp.rst:396
-#: ../../configuration/vpn/sstp.rst:430
+#: ../../configuration/vpn/sstp.rst:435
 msgid "Global Advanced options"
 msgstr "Global Advanced options"
 
@@ -6659,11 +7559,11 @@ msgstr "Global Options"
 msgid "Global Options Firewall Configuration"
 msgstr "Global Options Firewall Configuration"
 
-#: ../../configuration/highavailability/index.rst:224
+#: ../../configuration/highavailability/index.rst:228
 msgid "Global options"
 msgstr "Global options"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:192
+#: ../../configuration/loadbalancing/haproxy.rst:181
 msgid "Global parameters"
 msgstr "Global parameters"
 
@@ -6676,11 +7576,11 @@ msgstr "Global settings"
 msgid "Graceful Restart"
 msgstr "Graceful Restart"
 
-#: ../../configuration/service/https.rst:84
+#: ../../configuration/service/https.rst:87
 msgid "GraphQL"
 msgstr "GraphQL"
 
-#: ../../configuration/highavailability/index.rst:236
+#: ../../configuration/highavailability/index.rst:240
 msgid "Gratuitous ARP"
 msgstr "Gratuitous ARP"
 
@@ -6692,7 +7592,23 @@ msgstr "Groups"
 msgid "Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they still need to have unique names, so you may want to append \"-v4\" or \"-v6\" to your group names."
 msgstr "Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they still need to have unique names, so you may want to append \"-v4\" or \"-v6\" to your group names."
 
-#: ../../configuration/interfaces/openvpn.rst:420
+#: ../../configuration/interfaces/wireless.rst:338
+msgid "HE (High Efficiency) capabilities (802.11ax)"
+msgstr "HE (High Efficiency) capabilities (802.11ax)"
+
+#: ../../configuration/interfaces/wireless.rst:369
+msgid "HE operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)"
+msgstr "HE operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)"
+
+#: ../../configuration/interfaces/wireless.rst:372
+msgid "HE operating channel center frequency - center freq 2 (for use with the 80+80 mode)"
+msgstr "HE operating channel center frequency - center freq 2 (for use with the 80+80 mode)"
+
+#: ../../configuration/interfaces/wwan.rst:318
+msgid "HP LT4120 Snapdragon X5 LTE"
+msgstr "HP LT4120 Snapdragon X5 LTE"
+
+#: ../../configuration/interfaces/openvpn.rst:424
 msgid "HQ's router requires the following steps to generate crypto materials for the Branch 1:"
 msgstr "HQ's router requires the following steps to generate crypto materials for the Branch 1:"
 
@@ -6708,20 +7624,28 @@ msgstr "HTTP API"
 msgid "HTTP based services"
 msgstr "HTTP based services"
 
+#: ../../configuration/service/monitoring.rst:151
+msgid "HTTP basic authentication."
+msgstr "HTTP basic authentication."
+
 #: ../../configuration/service/monitoring.rst:51
 #: ../../configuration/service/monitoring.rst:55
 msgid "HTTP basic authentication username"
 msgstr "HTTP basic authentication username"
 
-#: ../../configuration/system/option.rst:57
+#: ../../configuration/loadbalancing/haproxy.rst:210
+msgid "HTTP checks"
+msgstr "HTTP checks"
+
+#: ../../configuration/system/option.rst:77
 msgid "HTTP client"
 msgstr "HTTP client"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:160
+#: ../../configuration/loadbalancing/reverse-proxy.rst:165
 msgid "HTTP health check"
 msgstr "HTTP health check"
 
-#: ../../configuration/interfaces/wireless.rst:137
+#: ../../configuration/interfaces/wireless.rst:165
 msgid "HT (High Throughput) capabilities (802.11n)"
 msgstr "HT (High Throughput) capabilities (802.11n)"
 
@@ -6729,6 +7653,10 @@ msgstr "HT (High Throughput) capabilities (802.11n)"
 msgid "Hairpin NAT/NAT Reflection"
 msgstr "Hairpin NAT/NAT Reflection"
 
+#: ../../configuration/service/dhcp-server.rst:638
+msgid "Hand out prefixes of size `<length>` in bits from `<pd-prefix>` to clients in subnet `<prefix>` when the request for prefix delegation."
+msgstr "Hand out prefixes of size `<length>` in bits from `<pd-prefix>` to clients in subnet `<prefix>` when the request for prefix delegation."
+
 #: ../../configuration/service/dhcp-server.rst:632
 msgid "Hand out prefixes of size `<length>` to clients in subnet `<prefix>` when they request for prefix delegation."
 msgstr "Hand out prefixes of size `<length>` to clients in subnet `<prefix>` when they request for prefix delegation."
@@ -6737,22 +7665,43 @@ msgstr "Hand out prefixes of size `<length>` to clients in subnet `<prefix>` whe
 msgid "Handling and monitoring"
 msgstr "Handling and monitoring"
 
+#: ../../configuration/loadbalancing/haproxy.rst:4
+msgid "Haproxy"
+msgstr "Haproxy"
+
+#: ../../configuration/loadbalancing/haproxy.rst:8
+msgid "Haproxy is a balancer and proxy server that provides high-availability, load balancing and proxying for TCP (level 4) and HTTP-based (level 7) applications."
+msgstr "Haproxy is a balancer and proxy server that provides high-availability, load balancing and proxying for TCP (level 4) and HTTP-based (level 7) applications."
+
+#: ../../configuration/service/ntp.rst:124
+msgid "Hardware Timestamping of NTP Packets"
+msgstr "Hardware Timestamping of NTP Packets"
+
+#: ../../configuration/service/ntp.rst:133
+msgid "Hardware timestamping depends on NIC support. Some NICs can be configured to apply timestamps to any incoming packet, while others only support applying timestamps to specific protocols (e.g. PTP)."
+msgstr "Hardware timestamping depends on NIC support. Some NICs can be configured to apply timestamps to any incoming packet, while others only support applying timestamps to specific protocols (e.g. PTP)."
+
 #: ../../configuration/nat/nat44.rst:403
 msgid "Having control over the matching of INVALID state traffic, e.g. the ability to selectively log, is an important troubleshooting tool for observing broken protocol behavior. For this reason, VyOS does not globally drop invalid state traffic, instead allowing the operator to make the determination on how the traffic is handled."
 msgstr "Having control over the matching of INVALID state traffic, e.g. the ability to selectively log, is an important troubleshooting tool for observing broken protocol behavior. For this reason, VyOS does not globally drop invalid state traffic, instead allowing the operator to make the determination on how the traffic is handled."
 
-#: ../../configuration/highavailability/index.rst:382
+#: ../../configuration/highavailability/index.rst:386
 msgid "Health-check"
 msgstr "Health-check"
 
-#: ../../configuration/highavailability/index.rst:308
+#: ../../configuration/highavailability/index.rst:312
 msgid "Health check scripts"
 msgstr "Health check scripts"
 
+#: ../../configuration/loadbalancing/haproxy.rst:206
 #: ../../configuration/loadbalancing/wan.rst:124
 msgid "Health checks"
 msgstr "Health checks"
 
+#: ../../configuration/loadbalancing/haproxy.rst:244
+msgid "Health checks can also be configured for TCP mode backends. You can configure protocol aware checks for a range of Layer 7 protocols:"
+msgstr "Health checks can also be configured for TCP mode backends. You can configure protocol aware checks for a range of Layer 7 protocols:"
+
 #: ../../configuration/nat/nat44.rst:626
 msgid "Here's an extract of a simple 1-to-1 NAT configuration with one internal and one external interface:"
 msgstr "Here's an extract of a simple 1-to-1 NAT configuration with one internal and one external interface:"
@@ -6765,6 +7714,10 @@ msgstr "Here's one example of a network environment for an ASP. The ASP requests
 msgid "Here's the IP routes that are populated. Just the loopback:"
 msgstr "Here's the IP routes that are populated. Just the loopback:"
 
+#: ../../configuration/protocols/openfabric.rst:211
+msgid "Here's the IP routes that are populated:"
+msgstr "Here's the IP routes that are populated:"
+
 #: ../../configuration/protocols/ospf.rst:862
 msgid "Here's the neighbors up:"
 msgstr "Here's the neighbors up:"
@@ -6782,14 +7735,19 @@ msgid "Here is a second example of a dual-stack tunnel over IPv6 between a VyOS
 msgstr "Here is a second example of a dual-stack tunnel over IPv6 between a VyOS router and a Linux host using systemd-networkd."
 
 #: ../../configuration/protocols/isis.rst:44
+#: ../../configuration/protocols/openfabric.rst:34
 msgid "Here is an example :abbr:`NET (Network Entity Title)` value:"
 msgstr "Here is an example :abbr:`NET (Network Entity Title)` value:"
 
+#: ../../configuration/firewall/groups.rst:406
+msgid "Here is an example of such command:"
+msgstr "Here is an example of such command:"
+
 #: ../../configuration/protocols/rpki.rst:177
 msgid "Here is an example route-map to apply to routes learned at import. In this filter we reject prefixes with the state `invalid`, and set a higher `local-preference` if the prefix is RPKI `valid` rather than merely `notfound`."
 msgstr "Here is an example route-map to apply to routes learned at import. In this filter we reject prefixes with the state `invalid`, and set a higher `local-preference` if the prefix is RPKI `valid` rather than merely `notfound`."
 
-#: ../../configuration/firewall/groups.rst:150
+#: ../../configuration/firewall/groups.rst:248
 msgid "Here is an example were multiple groups are created:"
 msgstr "Here is an example were multiple groups are created:"
 
@@ -6808,10 +7766,10 @@ msgstr "Here we provide two examples on how to apply NAT Load Balance."
 msgid "Hewlett-Packard call it Source-Port filtering or port-isolation"
 msgstr "Hewlett-Packard call it Source-Port filtering or port-isolation"
 
-#: ../../configuration/trafficpolicy/index.rst:273
-#: ../../configuration/trafficpolicy/index.rst:279
-#: ../../configuration/trafficpolicy/index.rst:285
-#: ../../configuration/trafficpolicy/index.rst:291
+#: ../../configuration/trafficpolicy/index.rst:323
+#: ../../configuration/trafficpolicy/index.rst:329
+#: ../../configuration/trafficpolicy/index.rst:335
+#: ../../configuration/trafficpolicy/index.rst:341
 msgid "High"
 msgstr "High"
 
@@ -6840,7 +7798,7 @@ msgstr "Host Information"
 msgid "Host name"
 msgstr "Host name"
 
-#: ../../configuration/service/dhcp-server.rst:691
+#: ../../configuration/service/dhcp-server.rst:721
 msgid "Host specific mapping shall be named ``client1``"
 msgstr "Host specific mapping shall be named ``client1``"
 
@@ -6860,11 +7818,11 @@ msgstr "How to configure Event Handler"
 msgid "How to make it work"
 msgstr "How to make it work"
 
-#: ../../configuration/vpn/ipsec.rst:267
+#: ../../configuration/vpn/ipsec.rst:287
 msgid "However, now you need to make IPsec work with dynamic address on one side. The tricky part is that pre-shared secret authentication doesn't work with dynamic address, so we'll have to use RSA keys."
 msgstr "However, now you need to make IPsec work with dynamic address on one side. The tricky part is that pre-shared secret authentication doesn't work with dynamic address, so we'll have to use RSA keys."
 
-#: ../../configuration/interfaces/openvpn.rst:80
+#: ../../configuration/interfaces/openvpn.rst:81
 msgid "However, since VyOS 1.4, it is possible to verify self-signed certificates using certificate fingerprints."
 msgstr "However, since VyOS 1.4, it is possible to verify self-signed certificates using certificate fingerprints."
 
@@ -6920,7 +7878,7 @@ msgstr "IKE Phase:"
 msgid "IKE (Internet Key Exchange) Attributes"
 msgstr "IKE (Internet Key Exchange) Attributes"
 
-#: ../../configuration/vpn/ipsec.rst:35
+#: ../../configuration/vpn/ipsec.rst:36
 msgid "IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) or Authentication Header (AH) and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry. https://datatracker.ietf.org/doc/html/rfc5996"
 msgstr "IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) or Authentication Header (AH) and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry. https://datatracker.ietf.org/doc/html/rfc5996"
 
@@ -6932,7 +7890,7 @@ msgstr "IKEv1"
 msgid "IKEv2"
 msgstr "IKEv2"
 
-#: ../../configuration/vpn/ipsec.rst:372
+#: ../../configuration/vpn/ipsec.rst:392
 msgid "IKEv2 IPSec road-warriors remote-access VPN"
 msgstr "IKEv2 IPSec road-warriors remote-access VPN"
 
@@ -6992,8 +7950,8 @@ msgstr "IP address"
 msgid "IP address ``192.168.1.100`` shall be statically mapped to client named ``client1``"
 msgstr "IP address ``192.168.1.100`` shall be statically mapped to client named ``client1``"
 
-#: ../../configuration/interfaces/wireless.rst:349
-#: ../../configuration/interfaces/wireless.rst:549
+#: ../../configuration/interfaces/wireless.rst:460
+#: ../../configuration/interfaces/wireless.rst:673
 msgid "IP address ``192.168.2.1/24``"
 msgstr "IP address ``192.168.2.1/24``"
 
@@ -7061,7 +8019,7 @@ msgstr "IP next-hop of route to match, based on prefix length."
 msgid "IP next-hop of route to match, based on type."
 msgstr "IP next-hop of route to match, based on type."
 
-#: ../../configuration/trafficpolicy/index.rst:784
+#: ../../configuration/trafficpolicy/index.rst:834
 msgid "IP precedence as defined in :rfc:`791`:"
 msgstr "IP precedence as defined in :rfc:`791`:"
 
@@ -7085,6 +8043,10 @@ msgstr "IPoE Server"
 msgid "IPoE can be configure on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The clients mac address and the incoming interface is being used as control parameter, to authenticate a client."
 msgstr "IPoE can be configure on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The clients mac address and the incoming interface is being used as control parameter, to authenticate a client."
 
+#: ../../configuration/service/ipoe-server.rst:29
+msgid "IPoE can be configured on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The client's mac address and the incoming interface is being used as control parameter, to authenticate a client."
+msgstr "IPoE can be configured on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The client's mac address and the incoming interface is being used as control parameter, to authenticate a client."
+
 #: ../../configuration/service/ipoe-server.rst:11
 msgid "IPoE is a method of delivering an IP payload over an Ethernet-based access network or an access network using bridged Ethernet over Asynchronous Transfer Mode (ATM) without using PPPoE. It directly encapsulates the IP datagrams in Ethernet frames, using the standard :rfc:`894` encapsulation."
 msgstr "IPoE is a method of delivering an IP payload over an Ethernet-based access network or an access network using bridged Ethernet over Asynchronous Transfer Mode (ATM) without using PPPoE. It directly encapsulates the IP datagrams in Ethernet frames, using the standard :rfc:`894` encapsulation."
@@ -7097,11 +8059,11 @@ msgstr "IPoE server will listen on interfaces eth1.50 and eth1.51"
 msgid "IPsec"
 msgstr "IPsec"
 
-#: ../../configuration/vpn/ipsec.rst:176
+#: ../../configuration/vpn/ipsec.rst:196
 msgid "IPsec policy matching GRE"
 msgstr "IPsec policy matching GRE"
 
-#: ../../configuration/service/pppoe-server.rst:604
+#: ../../configuration/service/pppoe-server.rst:629
 msgid "IPv4"
 msgstr "IPv4"
 
@@ -7109,6 +8071,10 @@ msgstr "IPv4"
 msgid "IPv4/IPv6 remote address of the VXLAN tunnel. Alternative to multicast, the remote IPv4/IPv6 address can set directly."
 msgstr "IPv4/IPv6 remote address of the VXLAN tunnel. Alternative to multicast, the remote IPv4/IPv6 address can set directly."
 
+#: ../../configuration/interfaces/vxlan.rst:106
+msgid "IPv4/IPv6 remote address of the VXLAN tunnel. An alternative to multicast, the remote IPv4/IPv6 address can be set directly."
+msgstr "IPv4/IPv6 remote address of the VXLAN tunnel. An alternative to multicast, the remote IPv4/IPv6 address can be set directly."
+
 #: ../../configuration/firewall/ipv4.rst:7
 msgid "IPv4 Firewall Configuration"
 msgstr "IPv4 Firewall Configuration"
@@ -7121,7 +8087,7 @@ msgstr "IPv4 address of next bootstrap server"
 msgid "IPv4 address of router on the client's subnet"
 msgstr "IPv4 address of router on the client's subnet"
 
-#: ../../configuration/system/flow-accounting.rst:111
+#: ../../configuration/system/flow-accounting.rst:115
 msgid "IPv4 or IPv6 source address of NetFlow packets"
 msgstr "IPv4 or IPv6 source address of NetFlow packets"
 
@@ -7146,12 +8112,12 @@ msgid "IPv4 server"
 msgstr "IPv4 server"
 
 #: ../../configuration/interfaces/pppoe.rst:244
-#: ../../configuration/service/ipoe-server.rst:256
-#: ../../configuration/service/pppoe-server.rst:341
+#: ../../configuration/service/ipoe-server.rst:255
+#: ../../configuration/service/pppoe-server.rst:360
 #: ../../configuration/system/ipv6.rst:3
-#: ../../configuration/vpn/l2tp.rst:286
+#: ../../configuration/vpn/l2tp.rst:289
 #: ../../configuration/vpn/pptp.rst:210
-#: ../../configuration/vpn/sstp.rst:244
+#: ../../configuration/vpn/sstp.rst:247
 msgid "IPv6"
 msgstr "IPv6"
 
@@ -7159,10 +8125,10 @@ msgstr "IPv6"
 msgid "IPv6 Access List"
 msgstr "IPv6 Access List"
 
-#: ../../configuration/service/pppoe-server.rst:381
-#: ../../configuration/vpn/l2tp.rst:325
+#: ../../configuration/service/pppoe-server.rst:401
+#: ../../configuration/vpn/l2tp.rst:328
 #: ../../configuration/vpn/pptp.rst:249
-#: ../../configuration/vpn/sstp.rst:283
+#: ../../configuration/vpn/sstp.rst:286
 msgid "IPv6 Advanced Options"
 msgstr "IPv6 Advanced Options"
 
@@ -7186,7 +8152,7 @@ msgstr "IPv6 Multicast"
 msgid "IPv6 Prefix Delegation"
 msgstr "IPv6 Prefix Delegation"
 
-#: ../../configuration/policy/prefix-list.rst:50
+#: ../../configuration/policy/prefix-list.rst:66
 msgid "IPv6 Prefix Lists"
 msgstr "IPv6 Prefix Lists"
 
@@ -7198,7 +8164,7 @@ msgstr "IPv6 SLAAC and IA-PD"
 msgid "IPv6 TCP filters will only match IPv6 packets with no header extension, see https://en.wikipedia.org/wiki/IPv6_packet#Extension_headers"
 msgstr "IPv6 TCP filters will only match IPv6 packets with no header extension, see https://en.wikipedia.org/wiki/IPv6_packet#Extension_headers"
 
-#: ../../configuration/service/dhcp-server.rst:689
+#: ../../configuration/service/dhcp-server.rst:719
 msgid "IPv6 address ``2001:db8::101`` shall be statically mapped"
 msgstr "IPv6 address ``2001:db8::101`` shall be statically mapped"
 
@@ -7230,11 +8196,11 @@ msgstr "IPv6 default client's pool assignment"
 msgid "IPv6 peering"
 msgstr "IPv6 peering"
 
-#: ../../configuration/policy/prefix-list.rst:72
+#: ../../configuration/policy/prefix-list.rst:88
 msgid "IPv6 prefix."
 msgstr "IPv6 prefix."
 
-#: ../../configuration/service/dhcp-server.rst:690
+#: ../../configuration/service/dhcp-server.rst:720
 msgid "IPv6 prefix ``2001:db8:0:101::/64`` shall be statically mapped"
 msgstr "IPv6 prefix ``2001:db8:0:101::/64`` shall be statically mapped"
 
@@ -7274,11 +8240,11 @@ msgstr "ISC-DHCP Option name"
 msgid "Identity Based Configuration"
 msgstr "Identity Based Configuration"
 
-#: ../../configuration/trafficpolicy/index.rst:903
+#: ../../configuration/trafficpolicy/index.rst:953
 msgid "If **max-threshold** is set but **min-threshold is not, then **min-threshold** is scaled to 50% of **max-threshold**."
 msgstr "If **max-threshold** is set but **min-threshold is not, then **min-threshold** is scaled to 50% of **max-threshold**."
 
-#: ../../configuration/interfaces/bonding.rst:253
+#: ../../configuration/interfaces/bonding.rst:258
 msgid "If ARP monitoring is used in an etherchannel compatible mode (modes round-robin and xor-hash), the switch should be configured in a mode that evenly distributes packets across all links. If the switch is configured to distribute the packets in an XOR fashion, all replies from the ARP targets will be received on the same link which could cause the other team members to fail."
 msgstr "If ARP monitoring is used in an etherchannel compatible mode (modes round-robin and xor-hash), the switch should be configured in a mode that evenly distributes packets across all links. If the switch is configured to distribute the packets in an XOR fashion, all replies from the ARP targets will be received on the same link which could cause the other team members to fail."
 
@@ -7328,15 +8294,28 @@ msgid "If a route has an ORIGINATOR_ID attribute because it has been reflected,
 msgstr "If a route has an ORIGINATOR_ID attribute because it has been reflected, that ORIGINATOR_ID will be used. Otherwise, the router-ID of the peer the route was received from will be used."
 
 #: ../../configuration/firewall/bridge.rst:67
-#: ../../configuration/firewall/ipv4.rst:83
-#: ../../configuration/firewall/ipv6.rst:83
+#: ../../configuration/firewall/ipv4.rst:107
+#: ../../configuration/firewall/ipv6.rst:107
 msgid "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all criteria matchers defined for such rule do match."
 msgstr "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all criteria matchers defined for such rule do match."
 
+#: ../../configuration/firewall/bridge.rst:86
+msgid "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all matching criterea in the rule are met."
+msgstr "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all matching criterea in the rule are met."
+
+#: ../../configuration/firewall/ipv4.rst:107
+#: ../../configuration/firewall/ipv6.rst:107
+msgid "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all of the criteria defined for that rule match."
+msgstr "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all of the criteria defined for that rule match."
+
 #: ../../configuration/service/dhcp-server.rst:161
 msgid "If a there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time."
 msgstr "If a there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time."
 
+#: ../../configuration/firewall/bridge.rst:132
+msgid "If action is set to ``queue``, use next command to specify the queue target. Range is also supported:"
+msgstr "If action is set to ``queue``, use next command to specify the queue target. Range is also supported:"
+
 #: ../../configuration/nat/nat44.rst:43
 msgid "If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses :rfc:`1918` address space to number customer gateways, the risk of address collision, and therefore routing failures, arises when the customer network already uses an :rfc:`1918` address space."
 msgstr "If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses :rfc:`1918` address space to number customer gateways, the risk of address collision, and therefore routing failures, arises when the customer network already uses an :rfc:`1918` address space."
@@ -7345,6 +8324,38 @@ msgstr "If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses :rfc:`1918
 msgid "If an another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead."
 msgstr "If an another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead."
 
+#: ../../configuration/firewall/ipv4.rst:734
+msgid "If an interface is attached to a non-default vrf, when using **inbound-interface**, the vrf name must be used. For example ``set firewall ipv4 forward filter rule 10 inbound-interface name MGMT``"
+msgstr "If an interface is attached to a non-default vrf, when using **inbound-interface**, the vrf name must be used. For example ``set firewall ipv4 forward filter rule 10 inbound-interface name MGMT``"
+
+#: ../../configuration/firewall/ipv6.rst:725
+msgid "If an interface is attached to a non-default vrf, when using **inbound-interface**, the vrf name must be used. For example ``set firewall ipv6 forward filter rule 10 inbound-interface name MGMT``"
+msgstr "If an interface is attached to a non-default vrf, when using **inbound-interface**, the vrf name must be used. For example ``set firewall ipv6 forward filter rule 10 inbound-interface name MGMT``"
+
+#: ../../configuration/firewall/ipv4.rst:735
+msgid "If an interface is attached to a non-default vrf, when using **inbound-interface**, vrf name must be used. For example ``set firewall ipv4 forward filter rule 10 inbound-interface name MGMT``"
+msgstr "If an interface is attached to a non-default vrf, when using **inbound-interface**, vrf name must be used. For example ``set firewall ipv4 forward filter rule 10 inbound-interface name MGMT``"
+
+#: ../../configuration/firewall/ipv6.rst:726
+msgid "If an interface is attached to a non-default vrf, when using **inbound-interface**, vrf name must be used. For example ``set firewall ipv6 forward filter rule 10 inbound-interface name MGMT``"
+msgstr "If an interface is attached to a non-default vrf, when using **inbound-interface**, vrf name must be used. For example ``set firewall ipv6 forward filter rule 10 inbound-interface name MGMT``"
+
+#: ../../configuration/firewall/ipv4.rst:760
+msgid "If an interface is attached to a non-default vrf, when using **outbound-interface**, real interface name must be used. For example ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``"
+msgstr "If an interface is attached to a non-default vrf, when using **outbound-interface**, real interface name must be used. For example ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``"
+
+#: ../../configuration/firewall/ipv6.rst:751
+msgid "If an interface is attached to a non-default vrf, when using **outbound-interface**, real interface name must be used. For example ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``"
+msgstr "If an interface is attached to a non-default vrf, when using **outbound-interface**, real interface name must be used. For example ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``"
+
+#: ../../configuration/firewall/ipv4.rst:759
+msgid "If an interface is attached to a non-default vrf, when using **outbound-interface**, the real interface name must be used. For example ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``"
+msgstr "If an interface is attached to a non-default vrf, when using **outbound-interface**, the real interface name must be used. For example ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``"
+
+#: ../../configuration/firewall/ipv6.rst:750
+msgid "If an interface is attached to a non-default vrf, when using **outbound-interface**, the real interface name must be used. For example ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``"
+msgstr "If an interface is attached to a non-default vrf, when using **outbound-interface**, the real interface name must be used. For example ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``"
+
 #: ../../configuration/protocols/pim.rst:106
 msgid "If choosing a value below 31 seconds be aware that some hardware platforms cannot see data flowing in better than 30 second chunks."
 msgstr "If choosing a value below 31 seconds be aware that some hardware platforms cannot see data flowing in better than 30 second chunks."
@@ -7365,11 +8376,15 @@ msgstr "If configured, try to avoid local addresses that are not in the target's
 msgid "If configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing (Hyper-V) or Forged Transmits (ESX) are permitted, otherwise forwarded frames may be blocked by the hypervisor."
 msgstr "If configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing (Hyper-V) or Forged Transmits (ESX) are permitted, otherwise forwarded frames may be blocked by the hypervisor."
 
+#: ../../configuration/service/monitoring.rst:153
+msgid "If either is set both must be set."
+msgstr "If either is set both must be set."
+
 #: ../../configuration/nat/nat44.rst:564
 msgid "If forwarding traffic to a different port than it is arriving on, you may also configure the translation port using `set nat destination rule [n] translation port`."
 msgstr "If forwarding traffic to a different port than it is arriving on, you may also configure the translation port using `set nat destination rule [n] translation port`."
 
-#: ../../configuration/trafficpolicy/index.rst:1031
+#: ../../configuration/trafficpolicy/index.rst:1081
 msgid "If guaranteed traffic for a class is met and there is room for more traffic, the ceiling parameter can be used to set how much more bandwidth could be used. If guaranteed traffic is met and there are several classes willing to use their ceilings, the priority parameter will establish the order in which that additional traffic will be allocated. Priority can be any number from 0 to 7. The lower the number, the higher the priority."
 msgstr "If guaranteed traffic for a class is met and there is room for more traffic, the ceiling parameter can be used to set how much more bandwidth could be used. If guaranteed traffic is met and there are several classes willing to use their ceilings, the priority parameter will establish the order in which that additional traffic will be allocated. Priority can be any number from 0 to 7. The lower the number, the higher the priority."
 
@@ -7381,15 +8396,19 @@ msgstr "If interface were the packet was received is part of a bridge, then pack
 msgid "If interface were the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**:"
 msgstr "If interface were the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**:"
 
+#: ../../configuration/firewall/bridge.rst:58
+msgid "If it's not dropped, then the packet is sent to **IP Layer**, and will be processed by the **IP Layer** firewall: IPv4 or IPv6 ruleset. Check once again the :doc:`general packet flow diagram</configuration/firewall/index>` if needed."
+msgstr "If it's not dropped, then the packet is sent to **IP Layer**, and will be processed by the **IP Layer** firewall: IPv4 or IPv6 ruleset. Check once again the :doc:`general packet flow diagram</configuration/firewall/index>` if needed."
+
 #: ../../configuration/protocols/igmp-proxy.rst:49
 msgid "If it's vital that the daemon should act exactly like a real multicast client on the upstream interface, this function should be enabled."
 msgstr "If it's vital that the daemon should act exactly like a real multicast client on the upstream interface, this function should be enabled."
 
-#: ../../configuration/interfaces/openvpn.rst:69
+#: ../../configuration/interfaces/openvpn.rst:70
 msgid "If known, the IP of the remote router can be configured using the ``remote-host`` directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router."
 msgstr "If known, the IP of the remote router can be configured using the ``remote-host`` directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router."
 
-#: ../../configuration/system/syslog.rst:87
+#: ../../configuration/system/syslog.rst:105
 msgid "If logging to a local user account is configured, all defined log messages are display on the console if the local user is logged in, if the user is not logged in, no messages are being displayed. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 msgstr "If logging to a local user account is configured, all defined log messages are display on the console if the local user is logged in, if the user is not logged in, no messages are being displayed. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 
@@ -7413,7 +8432,7 @@ msgstr "If no destination is specified the rule will match on any destination ad
 msgid "If no ip prefix list is specified, it acts as permit. If ip prefix list is defined, and no match is found, default deny is applied."
 msgstr "If no ip prefix list is specified, it acts as permit. If ip prefix list is defined, and no match is found, default deny is applied."
 
-#: ../../configuration/system/syslog.rst:207
+#: ../../configuration/system/syslog.rst:225
 msgid "If no option is specified, this defaults to `all`."
 msgstr "If no option is specified, this defaults to `all`."
 
@@ -7429,10 +8448,26 @@ msgstr "If optional profile parameter is used, select a BFD profile for the BFD
 msgid "If set, IPv4 directed broadcast forwarding will be completely disabled regardless of whether per-interface directed broadcast forwarding is enabled or not."
 msgstr "If set, IPv4 directed broadcast forwarding will be completely disabled regardless of whether per-interface directed broadcast forwarding is enabled or not."
 
+#: ../../configuration/system/syslog.rst:30
+msgid "If set, the domain part of the hostname is always sent, even within the same domain as the receiving system."
+msgstr "If set, the domain part of the hostname is always sent, even within the same domain as the receiving system."
+
+#: ../../configuration/service/router-advert.rst:105
+msgid "If set, the router will no longer send periodic router advertisements and will not respond to router solicitations."
+msgstr "If set, the router will no longer send periodic router advertisements and will not respond to router solicitations."
+
 #: ../../_include/interface-ip.txt:36
 msgid "If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems."
 msgstr "If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems."
 
+#: ../../configuration/service/monitoring.rst:159
+msgid "If set to an empty string, the label will not be added. This is NOT recommended, as it makes it impossible to differentiate between multiple metrics."
+msgstr "If set to an empty string, the label will not be added. This is NOT recommended, as it makes it impossible to differentiate between multiple metrics."
+
+#: ../../configuration/interfaces/openvpn.rst:727
+msgid "If set to enable, openvpn-otp will expect password as result of challenge/ response protocol."
+msgstr "If set to enable, openvpn-otp will expect password as result of challenge/ response protocol."
+
 #: ../../configuration/system/task-scheduler.rst:24
 msgid "If suffix is omitted, minutes are implied."
 msgstr "If suffix is omitted, minutes are implied."
@@ -7453,46 +8488,61 @@ msgstr "If the AS-Path for the route has only private ASNs, the private ASNs are
 msgid "If the IP prefix mask is present, it directs opennhrp to use this peer as a next hop server when sending Resolution Requests matching this subnet."
 msgstr "If the IP prefix mask is present, it directs opennhrp to use this peer as a next hop server when sending Resolution Requests matching this subnet."
 
-#: ../../configuration/service/ipoe-server.rst:243
-#: ../../configuration/service/pppoe-server.rst:205
-#: ../../configuration/vpn/l2tp.rst:248
+#: ../../configuration/service/ipoe-server.rst:242
+#: ../../configuration/service/pppoe-server.rst:223
 #: ../../configuration/vpn/pptp.rst:188
-#: ../../configuration/vpn/sstp.rst:221
 msgid "If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` whose name equals the attribute value."
 msgstr "If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` whose name equals the attribute value."
 
-#: ../../configuration/service/ipoe-server.rst:233
-#: ../../configuration/service/pppoe-server.rst:195
-#: ../../configuration/vpn/l2tp.rst:238
+#: ../../configuration/vpn/l2tp.rst:250
+#: ../../configuration/vpn/sstp.rst:223
+msgid "If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, an IPv6 delegation prefix will be allocated from a predefined IPv6 pool ``delegate`` whose name equals the attribute value."
+msgstr "If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, an IPv6 delegation prefix will be allocated from a predefined IPv6 pool ``delegate`` whose name equals the attribute value."
+
+#: ../../configuration/service/ipoe-server.rst:232
+#: ../../configuration/service/pppoe-server.rst:212
 #: ../../configuration/vpn/pptp.rst:178
-#: ../../configuration/vpn/sstp.rst:211
 msgid "If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ``default-pool`` within the CLI config is being ignored."
 msgstr "If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ``default-pool`` within the CLI config is being ignored."
 
+#: ../../configuration/vpn/l2tp.rst:238
+msgid "If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ``default-pool`` within the CLI config will be ignored."
+msgstr "If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ``default-pool`` within the CLI config will be ignored."
+
+#: ../../configuration/vpn/sstp.rst:211
+msgid "If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ``default-pool`` within the CLI config will being ignored."
+msgstr "If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ``default-pool`` within the CLI config will being ignored."
+
 #: ../../configuration/vpn/l2tp.rst:211
 msgid "If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ip-pool within the CLI config is being ignored."
 msgstr "If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP address will be allocated to the client and the option ip-pool within the CLI config is being ignored."
 
-#: ../../configuration/service/ipoe-server.rst:237
-#: ../../configuration/service/pppoe-server.rst:199
-#: ../../configuration/vpn/l2tp.rst:242
+#: ../../configuration/service/ipoe-server.rst:236
+#: ../../configuration/service/pppoe-server.rst:216
 #: ../../configuration/vpn/pptp.rst:182
-#: ../../configuration/vpn/sstp.rst:215
 msgid "If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated from a predefined IP pool whose name equals the attribute value."
 msgstr "If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated from a predefined IP pool whose name equals the attribute value."
 
-#: ../../configuration/service/ipoe-server.rst:240
-#: ../../configuration/service/pppoe-server.rst:202
-#: ../../configuration/vpn/l2tp.rst:245
+#: ../../configuration/vpn/l2tp.rst:242
+#: ../../configuration/vpn/sstp.rst:215
+msgid "If the RADIUS server sends the attribute ``Framed-Pool``, then the IP address will be allocated from a predefined IP pool whose name equals the attribute value."
+msgstr "If the RADIUS server sends the attribute ``Framed-Pool``, then the IP address will be allocated from a predefined IP pool whose name equals the attribute value."
+
+#: ../../configuration/service/ipoe-server.rst:239
+#: ../../configuration/service/pppoe-server.rst:219
 #: ../../configuration/vpn/pptp.rst:185
-#: ../../configuration/vpn/sstp.rst:218
 msgid "If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value."
 msgstr "If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value."
 
-#: ../../configuration/service/pppoe-server.rst:219
-#: ../../configuration/vpn/l2tp.rst:262
+#: ../../configuration/vpn/l2tp.rst:246
+#: ../../configuration/vpn/sstp.rst:219
+msgid "If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, the IPv6 address will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value."
+msgstr "If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, the IPv6 address will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value."
+
+#: ../../configuration/service/pppoe-server.rst:238
+#: ../../configuration/vpn/l2tp.rst:265
 #: ../../configuration/vpn/pptp.rst:202
-#: ../../configuration/vpn/sstp.rst:235
+#: ../../configuration/vpn/sstp.rst:238
 msgid "If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be renamed."
 msgstr "If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be renamed."
 
@@ -7504,11 +8554,11 @@ msgstr "If the :cfgcmd:`no-prepend` attribute is specified, then the supplied lo
 msgid "If the :cfgcmd:`replace-as` attribute is specified, then only the supplied local-as is prepended to the AS_PATH when transmitting local-route updates to this peer."
 msgstr "If the :cfgcmd:`replace-as` attribute is specified, then only the supplied local-as is prepended to the AS_PATH when transmitting local-route updates to this peer."
 
-#: ../../configuration/trafficpolicy/index.rst:892
+#: ../../configuration/trafficpolicy/index.rst:942
 msgid "If the average queue size is lower than the **min-threshold**, an arriving packet will be placed in the queue."
 msgstr "If the average queue size is lower than the **min-threshold**, an arriving packet will be placed in the queue."
 
-#: ../../configuration/trafficpolicy/index.rst:899
+#: ../../configuration/trafficpolicy/index.rst:949
 msgid "If the current queue size is larger than **queue-limit**, then packets will be dropped. The average queue size depends on its former average size and its current one."
 msgstr "If the current queue size is larger than **queue-limit**, then packets will be dropped. The average queue size depends on its former average size and its current one."
 
@@ -7516,16 +8566,24 @@ msgstr "If the current queue size is larger than **queue-limit**, then packets w
 msgid "If the interface where the packet was received is part of a bridge, then packetis processed at the **Bridge Layer**, which contains a basic setup for bridge filtering:"
 msgstr "If the interface where the packet was received is part of a bridge, then packetis processed at the **Bridge Layer**, which contains a basic setup for bridge filtering:"
 
-#: ../../configuration/firewall/index.rst:83
+#: ../../configuration/firewall/index.rst:94
 msgid "If the interface where the packet was received is part of a bridge, then the packet is processed at the **Bridge Layer**, which contains a basic setup for bridge filtering:"
 msgstr "If the interface where the packet was received is part of a bridge, then the packet is processed at the **Bridge Layer**, which contains a basic setup for bridge filtering:"
 
+#: ../../configuration/firewall/index.rst:99
+msgid "If the interface where the packet was received is part of a bridge, then the packet is processed at the **Bridge Layer**:"
+msgstr "If the interface where the packet was received is part of a bridge, then the packet is processed at the **Bridge Layer**:"
+
+#: ../../configuration/firewall/index.rst:31
+msgid "If the interface where the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**:"
+msgstr "If the interface where the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**:"
+
 #: ../../configuration/firewall/index.rst:26
 msgid "If the interface where the packet was received isn't part of a bridge, then packetis processed at the **IP Layer**:"
 msgstr "If the interface where the packet was received isn't part of a bridge, then packetis processed at the **IP Layer**:"
 
-#: ../../configuration/interfaces/bonding.rst:187
-#: ../../configuration/interfaces/bonding.rst:216
+#: ../../configuration/interfaces/bonding.rst:192
+#: ../../configuration/interfaces/bonding.rst:221
 msgid "If the protocol is IPv6 then the source and destination addresses are first hashed using ipv6_addr_hash."
 msgstr "If the protocol is IPv6 then the source and destination addresses are first hashed using ipv6_addr_hash."
 
@@ -7562,14 +8620,21 @@ msgstr "If this is set the relay agent will insert the interface ID. This option
 msgid "If this option is enabled, then the already-selected check, where already selected eBGP routes are preferred, is skipped."
 msgstr "If this option is enabled, then the already-selected check, where already selected eBGP routes are preferred, is skipped."
 
+#: ../../configuration/vpn/sstp.rst:481
+msgid "If this option is given, only SSTP connections to the specified host and with the same TLS SNI will be allowed."
+msgstr "If this option is given, only SSTP connections to the specified host and with the same TLS SNI will be allowed."
+
+#: ../../configuration/vpn/l2tp.rst:441
+#: ../../configuration/vpn/sstp.rst:399
+msgid "If this option is specified and is greater than 0, then the PPP module will send LCP echo requests every `<interval>` seconds. Default value is **30**."
+msgstr "If this option is specified and is greater than 0, then the PPP module will send LCP echo requests every `<interval>` seconds. Default value is **30**."
+
 #: ../../configuration/vpn/sstp.rst:189
 msgid "If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every `<interval>` seconds."
 msgstr "If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every `<interval>` seconds."
 
-#: ../../configuration/service/pppoe-server.rst:484
-#: ../../configuration/vpn/l2tp.rst:438
+#: ../../configuration/service/pppoe-server.rst:509
 #: ../../configuration/vpn/pptp.rst:362
-#: ../../configuration/vpn/sstp.rst:396
 msgid "If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every `<interval>` seconds. Default value is **30**."
 msgstr "If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every `<interval>` seconds. Default value is **30**."
 
@@ -7589,14 +8654,18 @@ msgstr "If this parameter is not set, the default holdoff time is 30 seconds."
 msgid "If this parameter is not set or 0, an on-demand link will not be taken down when it is idle and after the initial establishment of the connection. It will stay up forever."
 msgstr "If this parameter is not set or 0, an on-demand link will not be taken down when it is idle and after the initial establishment of the connection. It will stay up forever."
 
-#: ../../configuration/system/login.rst:274
+#: ../../configuration/system/login.rst:280
 msgid "If unset, incoming connections to the RADIUS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
 msgstr "If unset, incoming connections to the RADIUS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
 
-#: ../../configuration/system/login.rst:343
+#: ../../configuration/system/login.rst:349
 msgid "If unset, incoming connections to the TACACS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
 msgstr "If unset, incoming connections to the TACACS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
 
+#: ../../configuration/interfaces/openvpn.rst:318
+msgid "If you're making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the pre-shared-key. This is done either by referencing IP addresses or port numbers. One option is to dedicate a public IP to each tunnel. Another option is to dedicate a port number to each tunnel (e.g. 1195,1196,1197...)."
+msgstr "If you're making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the pre-shared-key. This is done either by referencing IP addresses or port numbers. One option is to dedicate a public IP to each tunnel. Another option is to dedicate a port number to each tunnel (e.g. 1195,1196,1197...)."
+
 #: ../../configuration/nat/nat44.rst:810
 msgid "If you've completed all the above steps you no doubt want to see if it's all working."
 msgstr "If you've completed all the above steps you no doubt want to see if it's all working."
@@ -7605,7 +8674,7 @@ msgstr "If you've completed all the above steps you no doubt want to see if it's
 msgid "If you apply a parameter to an individual neighbor IP address, you override the action defined for a peer group that includes that IP address."
 msgstr "If you apply a parameter to an individual neighbor IP address, you override the action defined for a peer group that includes that IP address."
 
-#: ../../configuration/interfaces/openvpn.rst:637
+#: ../../configuration/interfaces/openvpn.rst:645
 msgid "If you are a hacker or want to try on your own we support passing raw OpenVPN options to OpenVPN."
 msgstr "If you are a hacker or want to try on your own we support passing raw OpenVPN options to OpenVPN."
 
@@ -7625,33 +8694,36 @@ msgstr "If you are responsible for the global addresses assigned to your network
 msgid "If you are responsible for the global addresses assigned to your network, please make sure that your prefixes have ROAs associated with them to avoid being `notfound` by RPKI. For most ASNs this will involve publishing ROAs via your :abbr:`RIR (Regional Internet Registry)` (RIPE NCC, APNIC, ARIN, LACNIC or AFRINIC), and is something you are encouraged to do whenever you plan to announce addresses into the DFZ."
 msgstr "If you are responsible for the global addresses assigned to your network, please make sure that your prefixes have ROAs associated with them to avoid being `notfound` by RPKI. For most ASNs this will involve publishing ROAs via your :abbr:`RIR (Regional Internet Registry)` (RIPE NCC, APNIC, ARIN, LACNIC or AFRINIC), and is something you are encouraged to do whenever you plan to announce addresses into the DFZ."
 
-#: ../../configuration/trafficpolicy/index.rst:483
+#: ../../configuration/trafficpolicy/index.rst:533
 msgid "If you are using FQ-CoDel embedded into Shaper_ and you have large rates (100Mbit and above), you may consider increasing `quantum` to 8000 or higher so that the scheduler saves CPU."
 msgstr "If you are using FQ-CoDel embedded into Shaper_ and you have large rates (100Mbit and above), you may consider increasing `quantum` to 8000 or higher so that the scheduler saves CPU."
 
-#: ../../configuration/service/ipoe-server.rst:146
-#: ../../configuration/service/pppoe-server.rst:108
-#: ../../configuration/vpn/l2tp.rst:151
+#: ../../configuration/service/ipoe-server.rst:145
+#: ../../configuration/service/pppoe-server.rst:109
 msgid "If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface."
 msgstr "If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface."
 
 #: ../../configuration/vpn/pptp.rst:91
-#: ../../configuration/vpn/sstp.rst:124
 msgid "If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. You can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface."
 msgstr "If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. You can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface."
 
-#: ../../configuration/interfaces/openvpn.rst:306
+#: ../../configuration/vpn/l2tp.rst:151
+#: ../../configuration/vpn/sstp.rst:124
+msgid "If you are using OSPF as your IGP, use the interface connected closest to the RADIUS server. You can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface."
+msgstr "If you are using OSPF as your IGP, use the interface connected closest to the RADIUS server. You can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface."
+
+#: ../../configuration/interfaces/openvpn.rst:310
 msgid "If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching configurations, otherwise the tunnel will not come up."
 msgstr "If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching configurations, otherwise the tunnel will not come up."
 
 #: ../../configuration/system/ip.rst:43
 #: ../../configuration/system/ipv6.rst:39
-#: ../../configuration/vrf/index.rst:57
-#: ../../configuration/vrf/index.rst:67
+#: ../../configuration/vrf/index.rst:53
+#: ../../configuration/vrf/index.rst:63
 msgid "If you choose any as the option that will cause all protocols that are sending routes to zebra."
 msgstr "If you choose any as the option that will cause all protocols that are sending routes to zebra."
 
-#: ../../configuration/trafficpolicy/index.rst:1114
+#: ../../configuration/trafficpolicy/index.rst:1164
 msgid "If you configure a class for **VoIP traffic**, don't give it any *ceiling*, otherwise new VoIP calls could start when the link is available and get suddenly dropped when other classes start using their assigned *bandwidth* share."
 msgstr "If you configure a class for **VoIP traffic**, don't give it any *ceiling*, otherwise new VoIP calls could start when the link is available and get suddenly dropped when other classes start using their assigned *bandwidth* share."
 
@@ -7663,11 +8735,11 @@ msgstr "If you enable this, you will probably want to set diversity-factor and c
 msgid "If you enter a value smaller than 60 seconds be aware that this can and will affect convergence at scale."
 msgstr "If you enter a value smaller than 60 seconds be aware that this can and will affect convergence at scale."
 
-#: ../../configuration/vpn/ipsec.rst:483
+#: ../../configuration/vpn/ipsec.rst:503
 msgid "If you feel better forwarding all authentication requests to your enterprises RADIUS server, use the commands below."
 msgstr "If you feel better forwarding all authentication requests to your enterprises RADIUS server, use the commands below."
 
-#: ../../configuration/interfaces/bonding.rst:312
+#: ../../configuration/interfaces/bonding.rst:365
 msgid "If you happen to run this in a virtual environment like by EVE-NG you need to ensure your VyOS NIC is set to use the e1000 driver. Using the default ``virtio-net-pci`` or the ``vmxnet3`` driver will not work. ICMP messages will not be properly processed. They are visible on the virtual wire but will not make it fully up the networking stack."
 msgstr "If you happen to run this in a virtual environment like by EVE-NG you need to ensure your VyOS NIC is set to use the e1000 driver. Using the default ``virtio-net-pci`` or the ``vmxnet3`` driver will not work. ICMP messages will not be properly processed. They are visible on the virtual wire but will not make it fully up the networking stack."
 
@@ -7691,11 +8763,11 @@ msgstr "If you have configured the `INSIDE-OUT` policy, you will need to add add
 msgid "If you have multiple addresses configured on a particular interface and would like PIM to use a specific source address associated with that interface."
 msgstr "If you have multiple addresses configured on a particular interface and would like PIM to use a specific source address associated with that interface."
 
-#: ../../configuration/system/flow-accounting.rst:65
+#: ../../configuration/system/flow-accounting.rst:69
 msgid "If you need to sample also egress traffic, you may want to configure egress flow-accounting:"
 msgstr "If you need to sample also egress traffic, you may want to configure egress flow-accounting:"
 
-#: ../../configuration/interfaces/openvpn.rst:518
+#: ../../configuration/interfaces/openvpn.rst:522
 msgid "If you only want to check if the user account is enabled and can authenticate (against the primary group) the following snipped is sufficient:"
 msgstr "If you only want to check if the user account is enabled and can authenticate (against the primary group) the following snipped is sufficient:"
 
@@ -7703,27 +8775,34 @@ msgstr "If you only want to check if the user account is enabled and can authent
 msgid "If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client, which is the vyos router in our example."
 msgstr "If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client, which is the vyos router in our example."
 
-#: ../../configuration/service/ipoe-server.rst:215
-#: ../../configuration/service/pppoe-server.rst:177
-#: ../../configuration/vpn/l2tp.rst:220
+#: ../../configuration/service/ipoe-server.rst:214
+#: ../../configuration/service/pppoe-server.rst:192
 #: ../../configuration/vpn/pptp.rst:160
-#: ../../configuration/vpn/sstp.rst:193
 msgid "If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client."
 msgstr "If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client."
 
+#: ../../configuration/vpn/l2tp.rst:220
+#: ../../configuration/vpn/sstp.rst:193
+msgid "If you set a custom RADIUS attribute you must define it on both dictionaries on the RADIUS server and client."
+msgstr "If you set a custom RADIUS attribute you must define it on both dictionaries on the RADIUS server and client."
+
+#: ../../configuration/loadbalancing/haproxy.rst:256
+msgid "If you specify a server to be checked but do not configure a protocol, a basic TCP health check will be attempted. A server shall be deemed online if it responses to a connection attempt with a valid ``SYN/ACK`` packet."
+msgstr "If you specify a server to be checked but do not configure a protocol, a basic TCP health check will be attempted. A server shall be deemed online if it responses to a connection attempt with a valid ``SYN/ACK`` packet."
+
 #: ../../configuration/system/console.rst:41
 msgid "If you use USB to serial converters for connecting to your VyOS appliance please note that most of them use software emulation without flow control. This means you should start with a common baud rate (most likely 9600 baud) as otherwise you probably can not connect to the device using high speed baud rates as your serial converter simply can not process this data rate."
 msgstr "If you use USB to serial converters for connecting to your VyOS appliance please note that most of them use software emulation without flow control. This means you should start with a common baud rate (most likely 9600 baud) as otherwise you probably can not connect to the device using high speed baud rates as your serial converter simply can not process this data rate."
 
-#: ../../configuration/vpn/sstp.rst:482
+#: ../../configuration/vpn/sstp.rst:492
 msgid "If you use a self-signed certificate, do not forget to install CA on the client side."
 msgstr "If you use a self-signed certificate, do not forget to install CA on the client side."
 
-#: ../../configuration/vpn/ipsec.rst:538
+#: ../../configuration/vpn/ipsec.rst:558
 msgid "If you want, need, and should use more advanced encryption ciphers (default is still 3DES) you need to provision your device using a so-called \"Device Profile\". A profile is a simple text file containing XML nodes with a ``.mobileconfig`` file extension that can be sent and opened on any device from an E-Mail."
 msgstr "If you want, need, and should use more advanced encryption ciphers (default is still 3DES) you need to provision your device using a so-called \"Device Profile\". A profile is a simple text file containing XML nodes with a ``.mobileconfig`` file extension that can be sent and opened on any device from an E-Mail."
 
-#: ../../configuration/system/flow-accounting.rst:140
+#: ../../configuration/system/flow-accounting.rst:144
 msgid "If you want to change the maximum number of flows, which are tracking simultaneously, you may do this with this command (default 8192)."
 msgstr "If you want to change the maximum number of flows, which are tracking simultaneously, you may do this with this command (default 8192)."
 
@@ -7731,7 +8810,7 @@ msgstr "If you want to change the maximum number of flows, which are tracking si
 msgid "If you want to disable a rule but let it in the configuration."
 msgstr "If you want to disable a rule but let it in the configuration."
 
-#: ../../configuration/system/login.rst:298
+#: ../../configuration/system/login.rst:304
 msgid "If you want to have admin users to authenticate via RADIUS it is essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without the attribute you will only get regular, non privilegued, system users."
 msgstr "If you want to have admin users to authenticate via RADIUS it is essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without the attribute you will only get regular, non privilegued, system users."
 
@@ -7759,10 +8838,14 @@ msgstr "Image thankfully borrowed from https://en.wikipedia.org/wiki/File:SNMP_c
 msgid "Imagine the following topology"
 msgstr "Imagine the following topology"
 
-#: ../../configuration/trafficpolicy/index.rst:799
+#: ../../configuration/trafficpolicy/index.rst:849
 msgid "Immediate"
 msgstr "Immediate"
 
+#: ../../configuration/nat/cgnat.rst:24
+msgid "Implemented the following :rfc:`6888`  requirements:"
+msgstr "Implemented the following :rfc:`6888`  requirements:"
+
 #: ../../configuration/pki/index.rst:254
 msgid "Import files to PKI format"
 msgstr "Import files to PKI format"
@@ -7791,6 +8874,10 @@ msgstr "Import the public CA certificate from the defined file to VyOS CLI."
 msgid "Imported prefixes during the validation may have values:"
 msgstr "Imported prefixes during the validation may have values:"
 
+#: ../../configuration/interfaces/openvpn.rst:672
+msgid "In Ethernet bridging configurations, OpenVPN's server mode can be set as a 'bridge' where the VPN tunnel encapsulates entire Ethernet frames (up to 1514 bytes) instead of just IP packets (up to 1500 bytes). This setup allows clients to transmit Layer 2 frames through the OpenVPN tunnel. Below, we outline a basic configuration to achieve this:"
+msgstr "In Ethernet bridging configurations, OpenVPN's server mode can be set as a 'bridge' where the VPN tunnel encapsulates entire Ethernet frames (up to 1514 bytes) instead of just IP packets (up to 1500 bytes). This setup allows clients to transmit Layer 2 frames through the OpenVPN tunnel. Below, we outline a basic configuration to achieve this:"
+
 #: ../../configuration/protocols/static.rst:191
 msgid "In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP)."
 msgstr "In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP)."
@@ -7799,11 +8886,23 @@ msgstr "In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP
 msgid "In Priority Queue we do not define clases with a meaningless class ID number but with a class priority number (1-7). The lower the number, the higher the priority."
 msgstr "In Priority Queue we do not define clases with a meaningless class ID number but with a class priority number (1-7). The lower the number, the higher the priority."
 
-#: ../../configuration/vpn/ipsec.rst:120
+#: ../../configuration/trafficpolicy/index.rst:763
+msgid "In Priority Queue we do not define classes with a meaningless class ID number but with a class priority number (1-7). The lower the number, the higher the priority."
+msgstr "In Priority Queue we do not define classes with a meaningless class ID number but with a class priority number (1-7). The lower the number, the higher the priority."
+
+#: ../../configuration/interfaces/wireless.rst:119
+msgid "In VyOS, 802.11ax is only implemented for 2.4GHz and 6GHz."
+msgstr "In VyOS, 802.11ax is only implemented for 2.4GHz and 6GHz."
+
+#: ../../configuration/interfaces/wireless.rst:119
+msgid "In VyOS, 802.11ax is only implemented for 6GHz as of yet."
+msgstr "In VyOS, 802.11ax is only implemented for 6GHz as of yet."
+
+#: ../../configuration/vpn/ipsec.rst:121
 msgid "In VyOS, ESP attributes are specified through ESP groups. Multiple proposals can be specified in a single group."
 msgstr "In VyOS, ESP attributes are specified through ESP groups. Multiple proposals can be specified in a single group."
 
-#: ../../configuration/vpn/ipsec.rst:42
+#: ../../configuration/vpn/ipsec.rst:43
 msgid "In VyOS, IKE attributes are specified through IKE groups. Multiple proposals can be specified in a single group."
 msgstr "In VyOS, IKE attributes are specified through IKE groups. Multiple proposals can be specified in a single group."
 
@@ -7819,7 +8918,7 @@ msgstr "In VyOS the terms ``vif-s`` and ``vif-c`` stand for the ethertype tags t
 msgid "In :rfc:`3069` it is called VLAN Aggregation"
 msgstr "In :rfc:`3069` it is called VLAN Aggregation"
 
-#: ../../configuration/firewall/zone.rst:60
+#: ../../configuration/firewall/zone.rst:57
 msgid "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone <name>`` to ``firewall zone <name>``."
 msgstr "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone <name>`` to ``firewall zone <name>``."
 
@@ -7839,11 +8938,11 @@ msgstr "In a nutshell, the current implementation provides the following feature
 msgid "In addition, you can specify many other parameters to get BGP information:"
 msgstr "In addition, you can specify many other parameters to get BGP information:"
 
-#: ../../configuration/system/login.rst:305
+#: ../../configuration/system/login.rst:311
 msgid "In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service)`, :abbr:`TACACS (Terminal Access Controller Access Control System)` can also be found in large deployments."
 msgstr "In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service)`, :abbr:`TACACS (Terminal Access Controller Access Control System)` can also be found in large deployments."
 
-#: ../../configuration/system/flow-accounting.rst:88
+#: ../../configuration/system/flow-accounting.rst:92
 msgid "In addition to displaying flow accounting information locally, one can also exported them to a collection server."
 msgstr "In addition to displaying flow accounting information locally, one can also exported them to a collection server."
 
@@ -7870,14 +8969,18 @@ msgid "In addition you will specify the IP address or FQDN for the client where
 msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
 
 #: ../../configuration/firewall/groups.rst:21
+msgid "In an **address group** a single IP address or IP address range is defined."
+msgstr "In an **address group** a single IP address or IP address range is defined."
+
+#: ../../configuration/firewall/groups.rst:21
 msgid "In an **address group** a single IP address or IP address ranges are defined."
 msgstr "In an **address group** a single IP address or IP address ranges are defined."
 
-#: ../../configuration/interfaces/openvpn.rst:57
+#: ../../configuration/interfaces/openvpn.rst:58
 msgid "In both cases, we will use the following settings:"
 msgstr "In both cases, we will use the following settings:"
 
-#: ../../configuration/system/flow-accounting.rst:78
+#: ../../configuration/system/flow-accounting.rst:82
 msgid "In case, if you need to catch some logs from flow-accounting daemon, you may configure logging facility:"
 msgstr "In case, if you need to catch some logs from flow-accounting daemon, you may configure logging facility:"
 
@@ -7885,7 +8988,7 @@ msgstr "In case, if you need to catch some logs from flow-accounting daemon, you
 msgid "In case of peer-peer relationship routes can be received only if OTC value is equal to your neighbor AS number."
 msgstr "In case of peer-peer relationship routes can be received only if OTC value is equal to your neighbor AS number."
 
-#: ../../configuration/trafficpolicy/index.rst:775
+#: ../../configuration/trafficpolicy/index.rst:825
 msgid "In contrast to simple RED, VyOS' Random-Detect uses a Generalized Random Early Detect policy that provides different virtual queues based on the IP Precedence value so that some virtual queues can drop more packets than others."
 msgstr "In contrast to simple RED, VyOS' Random-Detect uses a Generalized Random Early Detect policy that provides different virtual queues based on the IP Precedence value so that some virtual queues can drop more packets than others."
 
@@ -7893,7 +8996,7 @@ msgstr "In contrast to simple RED, VyOS' Random-Detect uses a Generalized Random
 msgid "In failover mode, one interface is set to be the primary interface and other interfaces are secondary or spare. Instead of balancing traffic across all healthy interfaces, only the primary interface is used and in case of failure, a secondary interface selected from the pool of available interfaces takes over. The primary interface is selected based on its weight and health, others become secondary interfaces. Secondary interfaces to take over a failed primary interface are chosen from the load balancer's interface pool, depending on their weight and health. Interface roles can also be selected based on rule order by including interfaces in balancing rules and ordering those rules accordingly. To put the load balancer in failover mode, create a failover rule:"
 msgstr "In failover mode, one interface is set to be the primary interface and other interfaces are secondary or spare. Instead of balancing traffic across all healthy interfaces, only the primary interface is used and in case of failure, a secondary interface selected from the pool of available interfaces takes over. The primary interface is selected based on its weight and health, others become secondary interfaces. Secondary interfaces to take over a failed primary interface are chosen from the load balancer's interface pool, depending on their weight and health. Interface roles can also be selected based on rule order by including interfaces in balancing rules and ordering those rules accordingly. To put the load balancer in failover mode, create a failover rule:"
 
-#: ../../configuration/firewall/bridge.rst:70
+#: ../../configuration/firewall/bridge.rst:89
 msgid "In firewall bridge rules, the action can be:"
 msgstr "In firewall bridge rules, the action can be:"
 
@@ -7901,11 +9004,11 @@ msgstr "In firewall bridge rules, the action can be:"
 msgid "In general, OSPF protocol requires a backbone area (area 0) to be coherent and fully connected. I.e. any backbone area router must have a route to any other backbone area router. Moreover, every ABR must have a link to backbone area. However, it is not always possible to have a physical link to a backbone area. In this case between two ABR (one of them has a link to the backbone area) in the area (not stub area) a virtual link is organized."
 msgstr "In general, OSPF protocol requires a backbone area (area 0) to be coherent and fully connected. I.e. any backbone area router must have a route to any other backbone area router. Moreover, every ABR must have a link to backbone area. However, it is not always possible to have a physical link to a backbone area. In this case between two ABR (one of them has a link to the backbone area) in the area (not stub area) a virtual link is organized."
 
-#: ../../configuration/system/login.rst:240
+#: ../../configuration/system/login.rst:246
 msgid "In large deployments it is not reasonable to configure each user individually on every system. VyOS supports using :abbr:`RADIUS (Remote Authentication Dial-In User Service)` servers as backend for user authentication."
 msgstr "In large deployments it is not reasonable to configure each user individually on every system. VyOS supports using :abbr:`RADIUS (Remote Authentication Dial-In User Service)` servers as backend for user authentication."
 
-#: ../../configuration/system/flow-accounting.rst:45
+#: ../../configuration/system/flow-accounting.rst:49
 msgid "In order for flow accounting information to be collected and displayed for an interface, the interface must be configured for flow accounting."
 msgstr "In order for flow accounting information to be collected and displayed for an interface, the interface must be configured for flow accounting."
 
@@ -7937,7 +9040,7 @@ msgstr "In order to have VyOS Traffic Control working you need to follow 2 steps
 msgid "In order to have full control and make use of multiple static public IP addresses, your VyOS will have to initiate the PPPoE connection and control it. In order for this method to work, you will have to figure out how to make your DSL Modem/Router switch into a Bridged Mode so it only acts as a DSL Transceiver device to connect between the Ethernet link of your VyOS and the phone cable. Once your DSL Transceiver is in Bridge Mode, you should get no IP address from it. Please make sure you connect to the Ethernet Port 1 if your DSL Transceiver has a switch, as some of them only work this way."
 msgstr "In order to have full control and make use of multiple static public IP addresses, your VyOS will have to initiate the PPPoE connection and control it. In order for this method to work, you will have to figure out how to make your DSL Modem/Router switch into a Bridged Mode so it only acts as a DSL Transceiver device to connect between the Ethernet link of your VyOS and the phone cable. Once your DSL Transceiver is in Bridge Mode, you should get no IP address from it. Please make sure you connect to the Ethernet Port 1 if your DSL Transceiver has a switch, as some of them only work this way."
 
-#: ../../configuration/service/dhcp-server.rst:684
+#: ../../configuration/service/dhcp-server.rst:714
 msgid "In order to map specific IPv6 addresses to specific hosts static mappings can be created. The following example explains the process."
 msgstr "In order to map specific IPv6 addresses to specific hosts static mappings can be created. The following example explains the process."
 
@@ -7945,7 +9048,7 @@ msgstr "In order to map specific IPv6 addresses to specific hosts static mapping
 msgid "In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host."
 msgstr "In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host."
 
-#: ../../configuration/trafficpolicy/index.rst:402
+#: ../../configuration/trafficpolicy/index.rst:452
 msgid "In order to separate traffic, Fair Queue uses a classifier based on source address, destination address and source port. The algorithm enqueues packets to hash buckets based on those tree parameters. Each of these buckets should represent a unique flow. Because multiple flows may get hashed to the same bucket, the hashing algorithm is perturbed at configurable intervals so that the unfairness lasts only for a short while. Perturbation may however cause some inadvertent packet reordering to occur. An advisable value could be 10 seconds."
 msgstr "In order to separate traffic, Fair Queue uses a classifier based on source address, destination address and source port. The algorithm enqueues packets to hash buckets based on those tree parameters. Each of these buckets should represent a unique flow. Because multiple flows may get hashed to the same bucket, the hashing algorithm is perturbed at configurable intervals so that the unfairness lasts only for a short while. Perturbation may however cause some inadvertent packet reordering to occur. An advisable value could be 10 seconds."
 
@@ -7953,7 +9056,7 @@ msgstr "In order to separate traffic, Fair Queue uses a classifier based on sour
 msgid "In order to use PIM, it is necessary to configure a :abbr:`RP (Rendezvous Point)` for join messages to be sent to. Currently the only methodology to do this is via static rendezvous point commands."
 msgstr "In order to use PIM, it is necessary to configure a :abbr:`RP (Rendezvous Point)` for join messages to be sent to. Currently the only methodology to do this is via static rendezvous point commands."
 
-#: ../../configuration/interfaces/ethernet.rst:111
+#: ../../configuration/interfaces/ethernet.rst:119
 msgid "In order to use TSO/LRO with VMXNET3 adapters, the SG offloading option must also be enabled."
 msgstr "In order to use TSO/LRO with VMXNET3 adapters, the SG offloading option must also be enabled."
 
@@ -7961,7 +9064,7 @@ msgstr "In order to use TSO/LRO with VMXNET3 adapters, the SG offloading option
 msgid "In order to use TSO/LRO with VMXNET3 adaters one must also enable the SG offloading option."
 msgstr "In order to use TSO/LRO with VMXNET3 adaters one must also enable the SG offloading option."
 
-#: ../../configuration/firewall/flowtables.rst:59
+#: ../../configuration/firewall/flowtables.rst:60
 msgid "In order to use flowtables, the minimal configuration needed includes:"
 msgstr "In order to use flowtables, the minimal configuration needed includes:"
 
@@ -7981,11 +9084,11 @@ msgstr "In our example, we used the key name ``openvpn-1`` which we will referen
 msgid "In our example, we will be forwarding web server traffic to an internal web server on 192.168.0.100. HTTP traffic makes use of the TCP protocol on port 80. For other common port numbers, see: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers"
 msgstr "In our example, we will be forwarding web server traffic to an internal web server on 192.168.0.100. HTTP traffic makes use of the TCP protocol on port 80. For other common port numbers, see: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers"
 
-#: ../../configuration/vpn/ipsec.rst:411
+#: ../../configuration/vpn/ipsec.rst:431
 msgid "In our example the certificate name is called vyos:"
 msgstr "In our example the certificate name is called vyos:"
 
-#: ../../configuration/trafficpolicy/index.rst:906
+#: ../../configuration/trafficpolicy/index.rst:956
 msgid "In principle, values must be :code:`min-threshold` < :code:`max-threshold` < :code:`queue-limit`."
 msgstr "In principle, values must be :code:`min-threshold` < :code:`max-threshold` < :code:`queue-limit`."
 
@@ -7993,6 +9096,10 @@ msgstr "In principle, values must be :code:`min-threshold` < :code:`max-threshol
 msgid "In short, DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers."
 msgstr "In short, DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers."
 
+#: ../../configuration/trafficpolicy/index.rst:217
+msgid "In some case where we need to have an organization of our matching selection, in order to be more flexible and organize with our filter definition. We can apply traffic match groups, allowing us to create distinct filter groups within our policy and define various parameters for each group:"
+msgstr "In some case where we need to have an organization of our matching selection, in order to be more flexible and organize with our filter definition. We can apply traffic match groups, allowing us to create distinct filter groups within our policy and define various parameters for each group:"
+
 #: ../../configuration/protocols/ospf.rst:46
 msgid "In some cases it may be more convenient to enable OSPF on a per interface/subnet basis :cfgcmd:`set protocols ospf interface <interface> area <x.x.x.x | x>`"
 msgstr "In some cases it may be more convenient to enable OSPF on a per interface/subnet basis :cfgcmd:`set protocols ospf interface <interface> area <x.x.x.x | x>`"
@@ -8017,11 +9124,11 @@ msgstr "In the age of very fast networks, a second of unreachability may equal m
 msgid "In the case of L2TPv3, the features lost are teletraffic engineering features considered important in MPLS. However, there is no reason these features could not be re-engineered in or on top of L2TPv3 in later products."
 msgstr "In the case of L2TPv3, the features lost are teletraffic engineering features considered important in MPLS. However, there is no reason these features could not be re-engineered in or on top of L2TPv3 in later products."
 
-#: ../../configuration/trafficpolicy/index.rst:895
+#: ../../configuration/trafficpolicy/index.rst:945
 msgid "In the case the average queue size is between **min-threshold** and **max-threshold**, then an arriving packet would be either dropped or placed in the queue, it will depend on the defined **mark-probability**."
 msgstr "In the case the average queue size is between **min-threshold** and **max-threshold**, then an arriving packet would be either dropped or placed in the queue, it will depend on the defined **mark-probability**."
 
-#: ../../configuration/trafficpolicy/index.rst:564
+#: ../../configuration/trafficpolicy/index.rst:614
 msgid "In the case you want to apply some kind of **shaping** to your **inbound** traffic, check the ingress-shaping_ section."
 msgstr "In the case you want to apply some kind of **shaping** to your **inbound** traffic, check the ingress-shaping_ section."
 
@@ -8029,11 +9136,11 @@ msgstr "In the case you want to apply some kind of **shaping** to your **inbound
 msgid "In the command above, we set the type of policy we are going to work with and the name we choose for it; a class (so that we can differentiate some traffic) and an identifiable number for that class; then we configure a matching rule (or filter) and a name for it."
 msgstr "In the command above, we set the type of policy we are going to work with and the name we choose for it; a class (so that we can differentiate some traffic) and an identifiable number for that class; then we configure a matching rule (or filter) and a name for it."
 
-#: ../../configuration/vpn/ipsec.rst:564
+#: ../../configuration/vpn/ipsec.rst:584
 msgid "In the end, an XML structure is generated which can be saved as ``vyos.mobileconfig`` and sent to the device by E-Mail where it later can be imported."
 msgstr "In the end, an XML structure is generated which can be saved as ``vyos.mobileconfig`` and sent to the device by E-Mail where it later can be imported."
 
-#: ../../configuration/service/pppoe-server.rst:333
+#: ../../configuration/service/pppoe-server.rst:352
 msgid "In the example above, the first 499 sessions connect without delay. PADO packets will be delayed 50 ms for connection from 500 to 999, this trick allows other PPPoE servers send PADO faster and clients will connect to other servers. Last command says that this PPPoE server can serve only 3000 clients."
 msgstr "In the example above, the first 499 sessions connect without delay. PADO packets will be delayed 50 ms for connection from 500 to 999, this trick allows other PPPoE servers send PADO faster and clients will connect to other servers. Last command says that this PPPoE server can serve only 3000 clients."
 
@@ -8041,7 +9148,7 @@ msgstr "In the example above, the first 499 sessions connect without delay. PADO
 msgid "In the example used for the Quick Start configuration above, we demonstrate the following configuration:"
 msgstr "In the example used for the Quick Start configuration above, we demonstrate the following configuration:"
 
-#: ../../configuration/system/login.rst:403
+#: ../../configuration/system/login.rst:409
 msgid "In the following example, both `User1` and `User2` will be able to SSH into VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only be able to connect from a single IP address. In addition if password base login is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to the password."
 msgstr "In the following example, both `User1` and `User2` will be able to SSH into VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only be able to connect from a single IP address. In addition if password base login is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to the password."
 
@@ -8061,7 +9168,7 @@ msgstr "In the following example we can see a basic multicast setup:"
 msgid "In the future this is expected to be a very useful protocol (though there are `other proposals`_)."
 msgstr "In the future this is expected to be a very useful protocol (though there are `other proposals`_)."
 
-#: ../../configuration/highavailability/index.rst:410
+#: ../../configuration/highavailability/index.rst:414
 msgid "In the next example all traffic destined to ``203.0.113.1`` and port ``8280`` protocol TCP is balanced between 2 real servers ``192.0.2.11`` and ``192.0.2.12`` to port ``80``"
 msgstr "In the next example all traffic destined to ``203.0.113.1`` and port ``8280`` protocol TCP is balanced between 2 real servers ``192.0.2.11`` and ``192.0.2.12`` to port ``80``"
 
@@ -8077,6 +9184,10 @@ msgstr "In this command tree, all hardware acceleration options will be handled.
 msgid "In this example, some *OpenNIC* servers are used, two IPv4 addresses and two IPv6 addresses:"
 msgstr "In this example, some *OpenNIC* servers are used, two IPv4 addresses and two IPv6 addresses:"
 
+#: ../../configuration/trafficpolicy/index.rst:263
+msgid "In this example, we can observe that different DSCP criteria are defined based on our QoS configuration within the same policy group."
+msgstr "In this example, we can observe that different DSCP criteria are defined based on our QoS configuration within the same policy group."
+
 #: ../../configuration/nat/nat44.rst:358
 msgid "In this example, we use **masquerade** as the translation address instead of an IP address. The **masquerade** target is effectively an alias to say \"use whatever IP address is on the outgoing interface\", rather than a statically configured IP address. This is useful if you use DHCP for your outgoing interface and do not know what the external address will be."
 msgstr "In this example, we use **masquerade** as the translation address instead of an IP address. The **masquerade** target is effectively an alias to say \"use whatever IP address is on the outgoing interface\", rather than a statically configured IP address. This is useful if you use DHCP for your outgoing interface and do not know what the external address will be."
@@ -8085,7 +9196,7 @@ msgstr "In this example, we use **masquerade** as the translation address instea
 msgid "In this example, we will be using the example Quick Start configuration above as a starting point."
 msgstr "In this example, we will be using the example Quick Start configuration above as a starting point."
 
-#: ../../configuration/highavailability/index.rst:440
+#: ../../configuration/highavailability/index.rst:444
 msgid "In this example all traffic destined to ports \"80, 2222, 8888\" protocol TCP marks to fwmark \"111\" and balanced between 2 real servers. Port \"0\" is required if multiple ports are used."
 msgstr "In this example all traffic destined to ports \"80, 2222, 8888\" protocol TCP marks to fwmark \"111\" and balanced between 2 real servers. Port \"0\" is required if multiple ports are used."
 
@@ -8093,7 +9204,7 @@ msgstr "In this example all traffic destined to ports \"80, 2222, 8888\" protoco
 msgid "In this example image, a simplifed traffic flow is shown to help provide context to the terms of `forward`, `input`, and `output` for the new firewall CLI format."
 msgstr "In this example image, a simplifed traffic flow is shown to help provide context to the terms of `forward`, `input`, and `output` for the new firewall CLI format."
 
-#: ../../configuration/interfaces/openvpn.rst:334
+#: ../../configuration/interfaces/openvpn.rst:338
 msgid "In this example we will use the most complicated case: a setup where each client is a router that has its own subnet (think HQ and branch offices), since simpler setups are subsets of it."
 msgstr "In this example we will use the most complicated case: a setup where each client is a router that has its own subnet (think HQ and branch offices), since simpler setups are subsets of it."
 
@@ -8109,14 +9220,26 @@ msgstr "In this scenario:"
 msgid "In this section there's useful information of all firewall configuration that can be done regarding IPv4, and appropiate op-mode commands. Configuration commands covered in this section:"
 msgstr "In this section there's useful information of all firewall configuration that can be done regarding IPv4, and appropiate op-mode commands. Configuration commands covered in this section:"
 
+#: ../../configuration/firewall/ipv4.rst:13
+msgid "In this section there's useful information of all firewall configuration that can be done regarding IPv4, and appropriate op-mode commands. Configuration commands covered in this section:"
+msgstr "In this section there's useful information of all firewall configuration that can be done regarding IPv4, and appropriate op-mode commands. Configuration commands covered in this section:"
+
 #: ../../configuration/firewall/ipv6.rst:13
 msgid "In this section there's useful information of all firewall configuration that can be done regarding IPv6, and appropiate op-mode commands. Configuration commands covered in this section:"
 msgstr "In this section there's useful information of all firewall configuration that can be done regarding IPv6, and appropiate op-mode commands. Configuration commands covered in this section:"
 
+#: ../../configuration/firewall/ipv6.rst:13
+msgid "In this section there's useful information of all firewall configuration that can be done regarding IPv6, and appropriate op-mode commands. Configuration commands covered in this section:"
+msgstr "In this section there's useful information of all firewall configuration that can be done regarding IPv6, and appropriate op-mode commands. Configuration commands covered in this section:"
+
 #: ../../configuration/firewall/bridge.rst:15
 msgid "In this section there's useful information of all firewall configuration that can be done regarding bridge, and appropiate op-mode commands. Configuration commands covered in this section:"
 msgstr "In this section there's useful information of all firewall configuration that can be done regarding bridge, and appropiate op-mode commands. Configuration commands covered in this section:"
 
+#: ../../configuration/firewall/bridge.rst:15
+msgid "In this section there's useful information of all firewall configuration that can be done regarding bridge, and appropriate op-mode commands. Configuration commands covered in this section:"
+msgstr "In this section there's useful information of all firewall configuration that can be done regarding bridge, and appropriate op-mode commands. Configuration commands covered in this section:"
+
 #: ../../configuration/firewall/flowtables.rst:15
 msgid "In this section there's useful information of all firewall configuration that can be done regarding flowtables"
 msgstr "In this section there's useful information of all firewall configuration that can be done regarding flowtables"
@@ -8129,7 +9252,27 @@ msgstr "In this section there's useful information of all firewall configuration
 msgid "In this section there's useful information of all firewall configuration that is needed for zone-based firewall. Configuration commands covered in this section:"
 msgstr "In this section there's useful information of all firewall configuration that is needed for zone-based firewall. Configuration commands covered in this section:"
 
-#: ../../configuration/firewall/bridge.rst:289
+#: ../../configuration/firewall/ipv4.rst:13
+msgid "In this section there's useful information on all firewall configuration that can be done regarding IPv4, and appropriate op-mode commands. Configuration commands covered in this section:"
+msgstr "In this section there's useful information on all firewall configuration that can be done regarding IPv4, and appropriate op-mode commands. Configuration commands covered in this section:"
+
+#: ../../configuration/firewall/ipv6.rst:13
+msgid "In this section there's useful information on all firewall configuration that can be done regarding IPv6, and appropriate op-mode commands. Configuration commands covered in this section:"
+msgstr "In this section there's useful information on all firewall configuration that can be done regarding IPv6, and appropriate op-mode commands. Configuration commands covered in this section:"
+
+#: ../../configuration/firewall/bridge.rst:13
+msgid "In this section there's useful information on all firewall configuration that can be done regarding bridges, and appropriate op-mode commands. Configuration commands covered in this section:"
+msgstr "In this section there's useful information on all firewall configuration that can be done regarding bridges, and appropriate op-mode commands. Configuration commands covered in this section:"
+
+#: ../../configuration/firewall/flowtables.rst:15
+msgid "In this section there's useful information on all firewall configuration that can be done regarding flowtables."
+msgstr "In this section there's useful information on all firewall configuration that can be done regarding flowtables."
+
+#: ../../configuration/firewall/zone.rst:22
+msgid "In this section there's useful information on all firewall configuration that is needed for the zone-based firewall. Configuration commands covered in this section:"
+msgstr "In this section there's useful information on all firewall configuration that is needed for the zone-based firewall. Configuration commands covered in this section:"
+
+#: ../../configuration/firewall/bridge.rst:454
 msgid "In this section you can find all useful firewall op-mode commands."
 msgstr "In this section you can find all useful firewall op-mode commands."
 
@@ -8145,7 +9288,7 @@ msgstr "In typical uses of SNMP, one or more administrative computers called man
 msgid "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A Zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network."
 msgstr "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A Zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network."
 
-#: ../../configuration/firewall/zone.rst:43
+#: ../../configuration/firewall/zone.rst:40
 msgid "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network."
 msgstr "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network."
 
@@ -8157,11 +9300,11 @@ msgstr "Inbound connections to a WAN interface can be improperly handled when th
 msgid "Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave."
 msgstr "Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave."
 
-#: ../../configuration/interfaces/wireless.rst:272
+#: ../../configuration/interfaces/wireless.rst:308
 msgid "Increase Maximum MPDU length to 7991 or 11454 octets (default 3895 octets)"
 msgstr "Increase Maximum MPDU length to 7991 or 11454 octets (default 3895 octets)"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:68
+#: ../../configuration/loadbalancing/haproxy.rst:80
 msgid "Indication"
 msgstr "Indication"
 
@@ -8177,11 +9320,11 @@ msgstr "Inform client that the DNS server can be found at `<address>`."
 msgid "Information gathered with LLDP is stored in the device as a :abbr:`MIB (Management Information Database)` and can be queried with :abbr:`SNMP (Simple Network Management Protocol)` as specified in :rfc:`2922`. The topology of an LLDP-enabled network can be discovered by crawling the hosts and querying this database. Information that may be retrieved include:"
 msgstr "Information gathered with LLDP is stored in the device as a :abbr:`MIB (Management Information Database)` and can be queried with :abbr:`SNMP (Simple Network Management Protocol)` as specified in :rfc:`2922`. The topology of an LLDP-enabled network can be discovered by crawling the hosts and querying this database. Information that may be retrieved include:"
 
-#: ../../configuration/system/syslog.rst:189
+#: ../../configuration/system/syslog.rst:207
 msgid "Informational"
 msgstr "Informational"
 
-#: ../../configuration/system/syslog.rst:189
+#: ../../configuration/system/syslog.rst:207
 msgid "Informational messages"
 msgstr "Informational messages"
 
@@ -8189,7 +9332,7 @@ msgstr "Informational messages"
 msgid "Input from `eth0` network interface"
 msgstr "Input from `eth0` network interface"
 
-#: ../../configuration/firewall/bridge.rst:390
+#: ../../configuration/firewall/bridge.rst:555
 msgid "Inspect logs:"
 msgstr "Inspect logs:"
 
@@ -8197,6 +9340,10 @@ msgstr "Inspect logs:"
 msgid "Install the client software via apt and execute pptpsetup to generate the configuration."
 msgstr "Install the client software via apt and execute pptpsetup to generate the configuration."
 
+#: ../../configuration/firewall/groups.rst:150
+msgid "Instead, members of these groups are added dynamically using firewall rules."
+msgstr "Instead, members of these groups are added dynamically using firewall rules."
+
 #: ../../configuration/interfaces/pppoe.rst:218
 #: ../../configuration/interfaces/pppoe.rst:264
 #: ../../configuration/interfaces/sstp-client.rst:90
@@ -8217,7 +9364,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit
 msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
 msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
 
-#: ../../configuration/interfaces/wireless.rst:602
+#: ../../configuration/interfaces/wireless.rst:914
 msgid "Intel AX200"
 msgstr "Intel AX200"
 
@@ -8234,12 +9381,13 @@ msgid "Interface **eth0** used to connect to upstream."
 msgstr "Interface **eth0** used to connect to upstream."
 
 #: ../../configuration/protocols/isis.rst:146
+#: ../../configuration/protocols/openfabric.rst:93
 #: ../../configuration/protocols/ospf.rst:356
 #: ../../configuration/protocols/ospf.rst:1139
 msgid "Interface Configuration"
 msgstr "Interface Configuration"
 
-#: ../../configuration/firewall/groups.rst:66
+#: ../../configuration/firewall/groups.rst:65
 msgid "Interface Groups"
 msgstr "Interface Groups"
 
@@ -8281,7 +9429,7 @@ msgid "Interface weight"
 msgstr "Interface weight"
 
 #: ../../configuration/interfaces/index.rst:3
-#: ../../configuration/vrf/index.rst:90
+#: ../../configuration/vrf/index.rst:86
 msgid "Interfaces"
 msgstr "Interfaces"
 
@@ -8306,11 +9454,11 @@ msgstr "Interfaces whose DHCP client nameservers to forward requests to."
 msgid "Internal attack: an attack from the internal network (generated by a customer) towards the internet is identify. In this case, all connections from this particular IP/Customer will be blocked."
 msgstr "Internal attack: an attack from the internal network (generated by a customer) towards the internet is identify. In this case, all connections from this particular IP/Customer will be blocked."
 
-#: ../../configuration/system/flow-accounting.rst:70
+#: ../../configuration/system/flow-accounting.rst:74
 msgid "Internally, in flow-accounting processes exist a buffer for data exchanging between core process and plugins (each export target is a separated plugin). If you have high traffic levels or noted some problems with missed records or stopping exporting, you may try to increase a default buffer size (10 MiB) with the next command:"
 msgstr "Internally, in flow-accounting processes exist a buffer for data exchanging between core process and plugins (each export target is a separated plugin). If you have high traffic levels or noted some problems with missed records or stopping exporting, you may try to increase a default buffer size (10 MiB) with the next command:"
 
-#: ../../configuration/vpn/ipsec.rst:374
+#: ../../configuration/vpn/ipsec.rst:394
 msgid "Internet Key Exchange version 2, IKEv2 for short, is a request/response protocol developed by both Cisco and Microsoft. It is used to establish and secure IPv4/IPv6 connections, be it a site-to-site VPN or from a road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint, or remote-access/road-warrior mode, secures the server-side with another layer by using an x509 signed server certificate."
 msgstr "Internet Key Exchange version 2, IKEv2 for short, is a request/response protocol developed by both Cisco and Microsoft. It is used to establish and secure IPv4/IPv6 connections, be it a site-to-site VPN or from a road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint, or remote-access/road-warrior mode, secures the server-side with another layer by using an x509 signed server certificate."
 
@@ -8318,7 +9466,7 @@ msgstr "Internet Key Exchange version 2, IKEv2 for short, is a request/response
 msgid "Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, that establishes a secure VPN communication between VPN devices,  and defines negotiation and authentication processes for IPsec security associations (SAs). It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors as others call it."
 msgstr "Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, that establishes a secure VPN communication between VPN devices,  and defines negotiation and authentication processes for IPsec security associations (SAs). It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors as others call it."
 
-#: ../../configuration/trafficpolicy/index.rst:791
+#: ../../configuration/trafficpolicy/index.rst:841
 msgid "Internetwork Control"
 msgstr "Internetwork Control"
 
@@ -8326,6 +9474,10 @@ msgstr "Internetwork Control"
 msgid "Interval"
 msgstr "Interval"
 
+#: ../../configuration/system/syslog.rst:25
+msgid "Interval (in seconds) for sending mark messages to the syslog input to indicate that the logging system is functioning."
+msgstr "Interval (in seconds) for sending mark messages to the syslog input to indicate that the logging system is functioning."
+
 #: ../../configuration/protocols/bfd.rst:53
 msgid "Interval in milliseconds"
 msgstr "Interval in milliseconds"
@@ -8338,6 +9490,10 @@ msgstr "Interval in minutes between updates (default: 60)"
 msgid "Introducing route reflectors removes the need for the full-mesh. When you configure a route reflector you have to tell the router whether the other IBGP router is a client or non-client. A client is an IBGP router that the route reflector will “reflect” routes to, the non-client is just a regular IBGP neighbor. Route reflectors mechanism is described in :rfc:`4456` and updated by :rfc:`7606`."
 msgstr "Introducing route reflectors removes the need for the full-mesh. When you configure a route reflector you have to tell the router whether the other IBGP router is a client or non-client. A client is an IBGP router that the route reflector will “reflect” routes to, the non-client is just a regular IBGP neighbor. Route reflectors mechanism is described in :rfc:`4456` and updated by :rfc:`7606`."
 
+#: ../../configuration/service/suricata.rst:14
+msgid "Intrusion Detection (IDS): Analyzes network traffic and detects suspicious activities, attacks, and malicious traffic. Intrusion Prevention (IPS): Blocks or modifies suspicious traffic in real-time, preventing attacks before they penetrate the network. Network Security Monitoring (NSM): Collects and analyzes network data to detect anomalies and identify threats. Multi-Protocol Support: Suricata supports analysis of various network protocols such as HTTP, FTP, SMB, and many others. In configuration mode, the commands are as follows:"
+msgstr "Intrusion Detection (IDS): Analyzes network traffic and detects suspicious activities, attacks, and malicious traffic. Intrusion Prevention (IPS): Blocks or modifies suspicious traffic in real-time, preventing attacks before they penetrate the network. Network Security Monitoring (NSM): Collects and analyzes network data to detect anomalies and identify threats. Multi-Protocol Support: Suricata supports analysis of various network protocols such as HTTP, FTP, SMB, and many others. In configuration mode, the commands are as follows:"
+
 #: ../../configuration/interfaces/openvpn.rst:22
 msgid "It's easy to setup and offers very flexible split tunneling"
 msgstr "It's easy to setup and offers very flexible split tunneling"
@@ -8350,15 +9506,19 @@ msgstr "It's not likely that anyone will need it any time soon, but it does exis
 msgid "It's slower than IPsec due to higher protocol overhead and the fact it runs in user mode while IPsec, on Linux, is in kernel mode"
 msgstr "It's slower than IPsec due to higher protocol overhead and the fact it runs in user mode while IPsec, on Linux, is in kernel mode"
 
-#: ../../configuration/firewall/flowtables.rst:167
+#: ../../configuration/firewall/flowtables.rst:168
 msgid "It's time to check conntrack table, to see if any connection was accepted, and if was properly offloaded"
 msgstr "It's time to check conntrack table, to see if any connection was accepted, and if was properly offloaded"
 
-#: ../../configuration/system/option.rst:141
+#: ../../configuration/firewall/flowtables.rst:168
+msgid "It's time to check the conntrack table, to see if any connections were accepted, and if it was properly offloaded"
+msgstr "It's time to check the conntrack table, to see if any connections were accepted, and if it was properly offloaded"
+
+#: ../../configuration/system/option.rst:161
 msgid "It disables transparent huge pages, and automatic NUMA balancing. It also uses cpupower to set the performance cpufreq governor, and requests a cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to 50 us, and tcp_fastopen to 3."
 msgstr "It disables transparent huge pages, and automatic NUMA balancing. It also uses cpupower to set the performance cpufreq governor, and requests a cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to 50 us, and tcp_fastopen to 3."
 
-#: ../../configuration/system/option.rst:132
+#: ../../configuration/system/option.rst:152
 msgid "It enables transparent huge pages, and uses cpupower to set the performance cpufreq governor. It also sets ``kernel.sched_min_granularity_ns`` to 10 us, ``kernel.sched_wakeup_granularity_ns`` to 15 uss, and ``vm.dirty_ratio`` to 40%."
 msgstr "It enables transparent huge pages, and uses cpupower to set the performance cpufreq governor. It also sets ``kernel.sched_min_granularity_ns`` to 10 us, ``kernel.sched_wakeup_granularity_ns`` to 15 uss, and ``vm.dirty_ratio`` to 40%."
 
@@ -8366,12 +9526,16 @@ msgstr "It enables transparent huge pages, and uses cpupower to set the performa
 msgid "It generates the keypair, which includes the public and private parts. The key is not stored on the system - only a keypair is generated."
 msgstr "It generates the keypair, which includes the public and private parts. The key is not stored on the system - only a keypair is generated."
 
+#: ../../configuration/service/dhcp-server.rst:657
+msgid "It hands out prefixes ``2001:db8:0:10::/64`` through ``2001:db8:0:1f::/64``."
+msgstr "It hands out prefixes ``2001:db8:0:10::/64`` through ``2001:db8:0:1f::/64``."
+
 #: ../../configuration/protocols/ospf.rst:532
 #: ../../configuration/protocols/ospf.rst:1244
 msgid "It helps to support as HELPER only for planned restarts."
 msgstr "It helps to support as HELPER only for planned restarts."
 
-#: ../../configuration/firewall/zone.rst:106
+#: ../../configuration/firewall/zone.rst:103
 msgid "It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone*"
 msgstr "It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone*"
 
@@ -8379,10 +9543,14 @@ msgstr "It helps to think of the syntax as: (see below). The 'rule-set' should b
 msgid "It is compatible with Cisco (R) AnyConnect (R) clients."
 msgstr "It is compatible with Cisco (R) AnyConnect (R) clients."
 
-#: ../../configuration/service/dhcp-server.rst:649
+#: ../../configuration/service/dhcp-server.rst:678
 msgid "It is connected to ``eth1``"
 msgstr "It is connected to ``eth1``"
 
+#: ../../configuration/service/dhcp-server.rst:655
+msgid "It is connected to ``eth1``."
+msgstr "It is connected to ``eth1``."
+
 #: ../../configuration/system/login.rst:46
 msgid "It is highly recommended to use SSH key authentication. By default there is only one user (``vyos``), and you can assign any number of keys to that user. You can generate a ssh key with the ``ssh-keygen`` command on your local machine, which will (by default) save it as ``~/.ssh/id_rsa.pub``."
 msgstr "It is highly recommended to use SSH key authentication. By default there is only one user (``vyos``), and you can assign any number of keys to that user. You can generate a ssh key with the ``ssh-keygen`` command on your local machine, which will (by default) save it as ``~/.ssh/id_rsa.pub``."
@@ -8399,11 +9567,11 @@ msgstr "It is important to note that when creating firewall rules, the DNAT tran
 msgid "It is important to note that when creating firewall rules that the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100."
 msgstr "It is important to note that when creating firewall rules that the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100."
 
-#: ../../configuration/vrf/index.rst:524
+#: ../../configuration/vrf/index.rst:520
 msgid "It is not sufficient to only configure a L3VPN VRFs but L3VPN VRFs must be maintained, too.For L3VPN VRF maintenance the following operational commands are in place."
 msgstr "It is not sufficient to only configure a L3VPN VRFs but L3VPN VRFs must be maintained, too.For L3VPN VRF maintenance the following operational commands are in place."
 
-#: ../../configuration/vrf/index.rst:132
+#: ../../configuration/vrf/index.rst:128
 msgid "It is not sufficient to only configure a VRF but VRFs must be maintained, too. For VRF maintenance the following operational commands are in place."
 msgstr "It is not sufficient to only configure a VRF but VRFs must be maintained, too. For VRF maintenance the following operational commands are in place."
 
@@ -8415,7 +9583,7 @@ msgstr "It is not valid to use the `vif 1` option for VLAN aware bridges because
 msgid "It is possible to enhance authentication security by using the :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured independently per each user. If an OTP key is configured for a user, 2FA/MFA is automatically enabled for that particular user. If a user does not have an OTP key configured, there is no 2FA/MFA check for that user."
 msgstr "It is possible to enhance authentication security by using the :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured independently per each user. If an OTP key is configured for a user, 2FA/MFA is automatically enabled for that particular user. If a user does not have an OTP key configured, there is no 2FA/MFA check for that user."
 
-#: ../../configuration/vrf/index.rst:515
+#: ../../configuration/vrf/index.rst:511
 msgid "It is possible to permit BGP install VPN prefixes without transport labels. This configuration will install VPN prefixes originated from an e-bgp session, and with the next-hop directly connected."
 msgstr "It is possible to permit BGP install VPN prefixes without transport labels. This configuration will install VPN prefixes originated from an e-bgp session, and with the next-hop directly connected."
 
@@ -8428,6 +9596,10 @@ msgstr "It is possible to specify a static route for ipv6 prefixes using an SRv6
 msgid "It is possible to use either Multicast or Unicast to sync conntrack traffic. Most examples below show Multicast, but unicast can be specified by using the \"peer\" keywork after the specificed interface, as in the following example:"
 msgstr "It is possible to use either Multicast or Unicast to sync conntrack traffic. Most examples below show Multicast, but unicast can be specified by using the \"peer\" keywork after the specificed interface, as in the following example:"
 
+#: ../../configuration/service/conntrack-sync.rst:30
+msgid "It is possible to use either Multicast or Unicast to sync conntrack traffic. Most examples below show Multicast, but unicast can be specified by using the \"peer\" keywork after the specified interface, as in the following example:"
+msgstr "It is possible to use either Multicast or Unicast to sync conntrack traffic. Most examples below show Multicast, but unicast can be specified by using the \"peer\" keywork after the specified interface, as in the following example:"
+
 #: ../../configuration/vpn/dmvpn.rst:112
 msgid "It is very easy to misconfigure multicast repeating if you have multiple NHSes."
 msgstr "It is very easy to misconfigure multicast repeating if you have multiple NHSes."
@@ -8436,7 +9608,7 @@ msgstr "It is very easy to misconfigure multicast repeating if you have multiple
 msgid "It uses a single TCP or UDP connection and does not rely on packet source addresses, so it will work even through a double NAT: perfect for public hotspots and such"
 msgstr "It uses a single TCP or UDP connection and does not rely on packet source addresses, so it will work even through a double NAT: perfect for public hotspots and such"
 
-#: ../../configuration/trafficpolicy/index.rst:454
+#: ../../configuration/trafficpolicy/index.rst:504
 msgid "It uses a stochastic model to classify incoming packets into different flows and is used to provide a fair share of the bandwidth to all the flows using the queue. Each flow is managed by the CoDel queuing  discipline. Reordering within a flow is avoided since Codel internally uses a FIFO queue."
 msgstr "It uses a stochastic model to classify incoming packets into different flows and is used to provide a fair share of the bandwidth to all the flows using the queue. Each flow is managed by the CoDel queuing  discipline. Reordering within a flow is avoided since Codel internally uses a FIFO queue."
 
@@ -8444,7 +9616,7 @@ msgstr "It uses a stochastic model to classify incoming packets into different f
 msgid "It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface."
 msgstr "It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface."
 
-#: ../../configuration/vrf/index.rst:239
+#: ../../configuration/vrf/index.rst:235
 msgid "Join a given VRF. This will open a new subshell within the specified VRF."
 msgstr "Join a given VRF. This will open a new subshell within the specified VRF."
 
@@ -8452,7 +9624,7 @@ msgstr "Join a given VRF. This will open a new subshell within the specified VRF
 msgid "Jump to a different rule in this route-map on a match."
 msgstr "Jump to a different rule in this route-map on a match."
 
-#: ../../configuration/interfaces/bonding.rst:352
+#: ../../configuration/interfaces/bonding.rst:405
 msgid "Juniper EX Switch"
 msgstr "Juniper EX Switch"
 
@@ -8460,7 +9632,11 @@ msgstr "Juniper EX Switch"
 msgid "Kernel"
 msgstr "Kernel"
 
-#: ../../configuration/system/syslog.rst:112
+#: ../../configuration/container/index.rst:177
+msgid "Kernel Parameters: kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced"
+msgstr "Kernel Parameters: kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced"
+
+#: ../../configuration/system/syslog.rst:130
 msgid "Kernel messages"
 msgstr "Kernel messages"
 
@@ -8480,7 +9656,7 @@ msgstr "Key Management"
 msgid "Key Parameters:"
 msgstr "Key Parameters:"
 
-#: ../../configuration/firewall/zone.rst:50
+#: ../../configuration/firewall/zone.rst:47
 msgid "Key Points:"
 msgstr "Key Points:"
 
@@ -8488,7 +9664,7 @@ msgstr "Key Points:"
 msgid "Key exchange and payload encryption is done using IKE and ESP proposals as known from IKEv1 but the connections are faster to establish, more reliable, and also support roaming from IP to IP (called MOBIKE which makes sure your connection does not drop when changing networks from e.g. WIFI to LTE and back). Authentication can be achieved with X.509 certificates."
 msgstr "Key exchange and payload encryption is done using IKE and ESP proposals as known from IKEv1 but the connections are faster to establish, more reliable, and also support roaming from IP to IP (called MOBIKE which makes sure your connection does not drop when changing networks from e.g. WIFI to LTE and back). Authentication can be achieved with X.509 certificates."
 
-#: ../../configuration/vpn/ipsec.rst:381
+#: ../../configuration/vpn/ipsec.rst:401
 msgid "Key exchange and payload encryption is still done using IKE and ESP proposals as known from IKEv1 but the connections are faster to establish, more reliable, and also support roaming from IP to IP (called MOBIKE which makes sure your connection does not drop when changing networks from e.g. WIFI to LTE and back)."
 msgstr "Key exchange and payload encryption is still done using IKE and ESP proposals as known from IKEv1 but the connections are faster to establish, more reliable, and also support roaming from IP to IP (called MOBIKE which makes sure your connection does not drop when changing networks from e.g. WIFI to LTE and back)."
 
@@ -8496,7 +9672,7 @@ msgstr "Key exchange and payload encryption is still done using IKE and ESP prop
 msgid "Key usage (CLI)"
 msgstr "Key usage (CLI)"
 
-#: ../../configuration/system/option.rst:88
+#: ../../configuration/system/option.rst:108
 msgid "Keyboard Layout"
 msgstr "Keyboard Layout"
 
@@ -8504,11 +9680,15 @@ msgstr "Keyboard Layout"
 msgid "Keypairs"
 msgstr "Keypairs"
 
-#: ../../configuration/system/syslog.rst:107
-#: ../../configuration/system/syslog.rst:167
+#: ../../configuration/system/syslog.rst:125
+#: ../../configuration/system/syslog.rst:185
 msgid "Keyword"
 msgstr "Keyword"
 
+#: ../../configuration/service/config-sync.rst:112
+msgid "Known issues"
+msgstr "Known issues"
+
 #: ../../configuration/vpn/l2tp.rst:5
 msgid "L2TP"
 msgstr "L2TP"
@@ -8541,11 +9721,11 @@ msgstr "L2TPv3 is described in :rfc:`3931`."
 msgid "L2TPv3 options"
 msgstr "L2TPv3 options"
 
-#: ../../configuration/vrf/index.rst:418
+#: ../../configuration/vrf/index.rst:414
 msgid "L3VPN VRFs"
 msgstr "L3VPN VRFs"
 
-#: ../../configuration/interfaces/openvpn.rst:443
+#: ../../configuration/interfaces/openvpn.rst:447
 #: ../../configuration/service/webproxy.rst:203
 msgid "LDAP"
 msgstr "LDAP"
@@ -8570,7 +9750,7 @@ msgstr "LLDP performs functions similar to several proprietary protocols, such a
 msgid "LNS (L2TP Network Server)"
 msgstr "LNS (L2TP Network Server)"
 
-#: ../../configuration/vpn/l2tp.rst:272
+#: ../../configuration/vpn/l2tp.rst:275
 msgid "LNS are often used to connect to a LAC (L2TP Access Concentrator)."
 msgstr "LNS are often used to connect to a LAC (L2TP Access Concentrator)."
 
@@ -8578,6 +9758,10 @@ msgstr "LNS are often used to connect to a LAC (L2TP Access Concentrator)."
 msgid "Label Distribution Protocol"
 msgstr "Label Distribution Protocol"
 
+#: ../../configuration/service/monitoring.rst:157
+msgid "Label to use for the metric name when sending metrics."
+msgstr "Label to use for the metric name when sending metrics."
+
 #: ../../configuration/pki/index.rst:447
 msgid "Lastly, we can create the leaf certificates that devices and users will utilise."
 msgstr "Lastly, we can create the leaf certificates that devices and users will utilise."
@@ -8586,7 +9770,7 @@ msgstr "Lastly, we can create the leaf certificates that devices and users will
 msgid "Layer 2 Tunnelling Protocol Version 3 is an IETF standard related to L2TP that can be used as an alternative protocol to :ref:`mpls` for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, L2TPv3 provides a pseudo-wire service but is scaled to fit carrier requirements."
 msgstr "Layer 2 Tunnelling Protocol Version 3 is an IETF standard related to L2TP that can be used as an alternative protocol to :ref:`mpls` for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, L2TPv3 provides a pseudo-wire service but is scaled to fit carrier requirements."
 
-#: ../../configuration/service/dhcp-server.rst:652
+#: ../../configuration/service/dhcp-server.rst:681
 msgid "Lease time will be left at the default value which is 24 hours"
 msgstr "Lease time will be left at the default value which is 24 hours"
 
@@ -8599,6 +9783,10 @@ msgid "Legacy Firewall"
 msgstr "Legacy Firewall"
 
 #: ../../configuration/interfaces/vxlan.rst:133
+msgid "Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and sends it to its' designated multicast-address via Spine1. When Spine1 receives this packet it forwards it to all other leaves who has joined the same multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because the encapsulated packet had Leaf2's IP address set as source IP."
+msgstr "Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and sends it to its' designated multicast-address via Spine1. When Spine1 receives this packet it forwards it to all other leaves who has joined the same multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because the encapsulated packet had Leaf2's IP address set as source IP."
+
+#: ../../configuration/interfaces/vxlan.rst:133
 msgid "Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and sends it to its designated multicast-address via Spine1. When Spine1 receives this packet it forwards it to all other leaves who has joined the same multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because the encapsulated packet had Leaf2's IP address set as source IP."
 msgstr "Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and sends it to its designated multicast-address via Spine1. When Spine1 receives this packet it forwards it to all other leaves who has joined the same multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because the encapsulated packet had Leaf2's IP address set as source IP."
 
@@ -8618,11 +9806,11 @@ msgstr "Let's expand the example from above and add weight to the interfaces. Th
 msgid "Let SNMP daemon listen only on IP address 192.0.2.1"
 msgstr "Let SNMP daemon listen only on IP address 192.0.2.1"
 
-#: ../../configuration/interfaces/bonding.rst:402
+#: ../../configuration/interfaces/bonding.rst:455
 msgid "Lets assume the following topology:"
 msgstr "Lets assume the following topology:"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:230
+#: ../../configuration/loadbalancing/haproxy.rst:282
 msgid "Level 4 balancing"
 msgstr "Level 4 balancing"
 
@@ -8638,11 +9826,11 @@ msgstr "Lifetime in days; default is 365"
 msgid "Lifetime is decremented by the number of seconds since the last RA - use in conjunction with a DHCPv6-PD prefix"
 msgstr "Lifetime is decremented by the number of seconds since the last RA - use in conjunction with a DHCPv6-PD prefix"
 
-#: ../../configuration/vpn/ipsec.rst:535
+#: ../../configuration/vpn/ipsec.rst:555
 msgid "Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose all available VPN options via the device GUI."
 msgstr "Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose all available VPN options via the device GUI."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:202
+#: ../../configuration/loadbalancing/haproxy.rst:191
 msgid "Limit allowed cipher algorithms used during SSL/TLS handshake"
 msgstr "Limit allowed cipher algorithms used during SSL/TLS handshake"
 
@@ -8654,27 +9842,31 @@ msgstr "Limit logins to `<limit>` per every ``rate-time`` seconds. Rate limit mu
 msgid "Limit logins to ``rate-limit`` attemps per every `<seconds>`. Rate time must be between 15 and 600 seconds."
 msgstr "Limit logins to ``rate-limit`` attemps per every `<seconds>`. Rate time must be between 15 and 600 seconds."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:197
+#: ../../configuration/loadbalancing/haproxy.rst:186
 msgid "Limit maximum number of connections"
 msgstr "Limit maximum number of connections"
 
-#: ../../configuration/trafficpolicy/index.rst:544
+#: ../../configuration/trafficpolicy/index.rst:594
 msgid "Limiter"
 msgstr "Limiter"
 
-#: ../../configuration/trafficpolicy/index.rst:549
+#: ../../configuration/trafficpolicy/index.rst:599
 msgid "Limiter is one of those policies that uses classes_ (Ingress qdisc is actually a classless policy but filters do work in it)."
 msgstr "Limiter is one of those policies that uses classes_ (Ingress qdisc is actually a classless policy but filters do work in it)."
 
-#: ../../configuration/system/login.rst:385
+#: ../../configuration/system/login.rst:391
 msgid "Limits"
 msgstr "Limits"
 
-#: ../../configuration/system/syslog.rst:124
+#: ../../configuration/system/syslog.rst:142
 msgid "Line printer subsystem"
 msgstr "Line printer subsystem"
 
 #: ../../configuration/service/router-advert.rst:1
+msgid "Link MTU value placed in RAs, excluded in RAs if unset"
+msgstr "Link MTU value placed in RAs, excluded in RAs if unset"
+
+#: ../../configuration/service/router-advert.rst:1
 msgid "Link MTU value placed in RAs, exluded in RAs if unset"
 msgstr "Link MTU value placed in RAs, exluded in RAs if unset"
 
@@ -8690,22 +9882,26 @@ msgstr "Linux netfilter will not NAT traffic marked as INVALID. This often confu
 msgid "List all MACsec interfaces."
 msgstr "List all MACsec interfaces."
 
-#: ../../configuration/system/syslog.rst:98
+#: ../../configuration/system/syslog.rst:116
 msgid "List of facilities used by syslog. Most facilities names are self explanatory. Facilities local0 - local7 common usage is f.e. as network logs facilities for nodes and network equipment. Generally it depends on the situation how to classify logs and put them to facilities. See facilities more as a tool rather than a directive to follow."
 msgstr "List of facilities used by syslog. Most facilities names are self explanatory. Facilities local0 - local7 common usage is f.e. as network logs facilities for nodes and network equipment. Generally it depends on the situation how to classify logs and put them to facilities. See facilities more as a tool rather than a directive to follow."
 
-#: ../../configuration/service/ntp.rst:78
+#: ../../configuration/service/ntp.rst:85
 msgid "List of networks or client addresses permitted to contact this NTP server."
 msgstr "List of networks or client addresses permitted to contact this NTP server."
 
-#: ../../configuration/service/ssh.rst:73
+#: ../../configuration/service/ssh.rst:74
 msgid "List of supported MACs: ``hmac-md5``, ``hmac-md5-96``, ``hmac-ripemd160``, ``hmac-sha1``, ``hmac-sha1-96``, ``hmac-sha2-256``, ``hmac-sha2-512``, ``umac-64@openssh.com``, ``umac-128@openssh.com``, ``hmac-md5-etm@openssh.com``, ``hmac-md5-96-etm@openssh.com``, ``hmac-ripemd160-etm@openssh.com``, ``hmac-sha1-etm@openssh.com``, ``hmac-sha1-96-etm@openssh.com``, ``hmac-sha2-256-etm@openssh.com``, ``hmac-sha2-512-etm@openssh.com``, ``umac-64-etm@openssh.com``, ``umac-128-etm@openssh.com``"
 msgstr "List of supported MACs: ``hmac-md5``, ``hmac-md5-96``, ``hmac-ripemd160``, ``hmac-sha1``, ``hmac-sha1-96``, ``hmac-sha2-256``, ``hmac-sha2-512``, ``umac-64@openssh.com``, ``umac-128@openssh.com``, ``hmac-md5-etm@openssh.com``, ``hmac-md5-96-etm@openssh.com``, ``hmac-ripemd160-etm@openssh.com``, ``hmac-sha1-etm@openssh.com``, ``hmac-sha1-96-etm@openssh.com``, ``hmac-sha2-256-etm@openssh.com``, ``hmac-sha2-512-etm@openssh.com``, ``umac-64-etm@openssh.com``, ``umac-128-etm@openssh.com``"
 
-#: ../../configuration/service/ssh.rst:96
+#: ../../configuration/service/ssh.rst:97
 msgid "List of supported algorithms: ``diffie-hellman-group1-sha1``, ``diffie-hellman-group14-sha1``, ``diffie-hellman-group14-sha256``, ``diffie-hellman-group16-sha512``, ``diffie-hellman-group18-sha512``, ``diffie-hellman-group-exchange-sha1``, ``diffie-hellman-group-exchange-sha256``, ``ecdh-sha2-nistp256``, ``ecdh-sha2-nistp384``, ``ecdh-sha2-nistp521``, ``curve25519-sha256`` and ``curve25519-sha256@libssh.org``."
 msgstr "List of supported algorithms: ``diffie-hellman-group1-sha1``, ``diffie-hellman-group14-sha1``, ``diffie-hellman-group14-sha256``, ``diffie-hellman-group16-sha512``, ``diffie-hellman-group18-sha512``, ``diffie-hellman-group-exchange-sha1``, ``diffie-hellman-group-exchange-sha256``, ``ecdh-sha2-nistp256``, ``ecdh-sha2-nistp384``, ``ecdh-sha2-nistp521``, ``curve25519-sha256`` and ``curve25519-sha256@libssh.org``."
 
+#: ../../configuration/service/ssh.rst:118
+msgid "List of supported algorithms: ``ssh-ed25519``, ``ssh-ed25519-cert-v01@openssh.com``, ``sk-ssh-ed25519@openssh.com``, ``sk-ssh-ed25519-cert-v01@openssh.com``, ``ecdsa-sha2-nistp256``, ``ecdsa-sha2-nistp256-cert-v01@openssh.com``, ``ecdsa-sha2-nistp384``, ``ecdsa-sha2-nistp384-cert-v01@openssh.com``, ``ecdsa-sha2-nistp521``, ``ecdsa-sha2-nistp521-cert-v01@openssh.com``, ``sk-ecdsa-sha2-nistp256@openssh.com``, ``sk-ecdsa-sha2-nistp256-cert-v01@openssh.com``, ``webauthn-sk-ecdsa-sha2-nistp256@openssh.com``, ``ssh-dss``, ``ssh-dss-cert-v01@openssh.com``, ``ssh-rsa``, ``ssh-rsa-cert-v01@openssh.com``, ``rsa-sha2-256``, ``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``, ``rsa-sha2-512-cert-v01@openssh.com``"
+msgstr "List of supported algorithms: ``ssh-ed25519``, ``ssh-ed25519-cert-v01@openssh.com``, ``sk-ssh-ed25519@openssh.com``, ``sk-ssh-ed25519-cert-v01@openssh.com``, ``ecdsa-sha2-nistp256``, ``ecdsa-sha2-nistp256-cert-v01@openssh.com``, ``ecdsa-sha2-nistp384``, ``ecdsa-sha2-nistp384-cert-v01@openssh.com``, ``ecdsa-sha2-nistp521``, ``ecdsa-sha2-nistp521-cert-v01@openssh.com``, ``sk-ecdsa-sha2-nistp256@openssh.com``, ``sk-ecdsa-sha2-nistp256-cert-v01@openssh.com``, ``webauthn-sk-ecdsa-sha2-nistp256@openssh.com``, ``ssh-dss``, ``ssh-dss-cert-v01@openssh.com``, ``ssh-rsa``, ``ssh-rsa-cert-v01@openssh.com``, ``rsa-sha2-256``, ``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``, ``rsa-sha2-512-cert-v01@openssh.com``"
+
 #: ../../configuration/service/ssh.rst:53
 msgid "List of supported ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``, ``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``, ``arcfour128``, ``arcfour256``, ``arcfour``, ``blowfish-cbc``, ``cast128-cbc``"
 msgstr "List of supported ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``, ``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``, ``arcfour128``, ``arcfour256``, ``arcfour``, ``blowfish-cbc``, ``cast128-cbc``"
@@ -8718,7 +9914,7 @@ msgstr "List of well-known communities"
 msgid "Listen for DHCP requests on interface ``eth1``."
 msgstr "Listen for DHCP requests on interface ``eth1``."
 
-#: ../../configuration/vrf/index.rst:137
+#: ../../configuration/vrf/index.rst:133
 msgid "Lists VRFs that have been created"
 msgstr "Lists VRFs that have been created"
 
@@ -8726,7 +9922,7 @@ msgstr "Lists VRFs that have been created"
 msgid "Load-balancing"
 msgstr "Load-balancing"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:100
+#: ../../configuration/loadbalancing/haproxy.rst:112
 msgid "Load-balancing algorithms to be used for distributed requests among the available servers"
 msgstr "Load-balancing algorithms to be used for distributed requests among the available servers"
 
@@ -8734,7 +9930,7 @@ msgstr "Load-balancing algorithms to be used for distributed requests among the
 msgid "Load-balancing algorithms to be used for distributind requests among the vailable servers"
 msgstr "Load-balancing algorithms to be used for distributind requests among the vailable servers"
 
-#: ../../configuration/highavailability/index.rst:357
+#: ../../configuration/highavailability/index.rst:361
 msgid "Load-balancing schedule algorithm:"
 msgstr "Load-balancing schedule algorithm:"
 
@@ -8742,11 +9938,11 @@ msgstr "Load-balancing schedule algorithm:"
 msgid "Load Balance"
 msgstr "Load Balance"
 
-#: ../../configuration/service/pppoe-server.rst:317
+#: ../../configuration/service/pppoe-server.rst:336
 msgid "Load Balancing"
 msgstr "Load Balancing"
 
-#: ../../configuration/system/login.rst:426
+#: ../../configuration/system/login.rst:432
 msgid "Load the container image in op-mode."
 msgstr "Load the container image in op-mode."
 
@@ -8754,8 +9950,8 @@ msgstr "Load the container image in op-mode."
 msgid "Local"
 msgstr "Local"
 
-#: ../../configuration/interfaces/openvpn.rst:134
-#: ../../configuration/interfaces/openvpn.rst:241
+#: ../../configuration/interfaces/openvpn.rst:135
+#: ../../configuration/interfaces/openvpn.rst:243
 msgid "Local Configuration:"
 msgstr "Local Configuration:"
 
@@ -8791,7 +9987,7 @@ msgstr "Local Route IPv6"
 msgid "Local Route Policy"
 msgstr "Local Route Policy"
 
-#: ../../configuration/system/syslog.rst:83
+#: ../../configuration/system/syslog.rst:101
 msgid "Local User Account"
 msgstr "Local User Account"
 
@@ -8819,49 +10015,57 @@ msgstr "Locally connect to serial port identified by `<device>`."
 msgid "Locally significant administrative distance."
 msgstr "Locally significant administrative distance."
 
-#: ../../configuration/system/syslog.rst:140
+#: ../../configuration/system/syslog.rst:158
 msgid "Log alert"
 msgstr "Log alert"
 
-#: ../../configuration/system/syslog.rst:138
+#: ../../configuration/system/syslog.rst:156
 msgid "Log audit"
 msgstr "Log audit"
 
-#: ../../configuration/system/syslog.rst:169
+#: ../../configuration/protocols/openfabric.rst:84
+msgid "Log changes in adjacency state."
+msgstr "Log changes in adjacency state."
+
+#: ../../configuration/system/syslog.rst:187
 msgid "Log everything"
 msgstr "Log everything"
 
-#: ../../configuration/system/syslog.rst:212
+#: ../../configuration/system/syslog.rst:230
 msgid "Log messages from a specified image can be displayed on the console. Details of allowed parameters:"
 msgstr "Log messages from a specified image can be displayed on the console. Details of allowed parameters:"
 
-#: ../../configuration/system/syslog.rst:25
+#: ../../configuration/system/syslog.rst:43
 msgid "Log syslog messages to ``/dev/console``, for an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 msgstr "Log syslog messages to ``/dev/console``, for an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 
-#: ../../configuration/system/syslog.rst:36
+#: ../../configuration/system/syslog.rst:54
 msgid "Log syslog messages to file specified via `<filename>`, for an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 msgstr "Log syslog messages to file specified via `<filename>`, for an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 
-#: ../../configuration/system/syslog.rst:64
+#: ../../configuration/system/syslog.rst:82
 msgid "Log syslog messages to remote host specified by `<address>`. The address can be specified by either FQDN or IP address. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 msgstr "Log syslog messages to remote host specified by `<address>`. The address can be specified by either FQDN or IP address. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 
-#: ../../configuration/system/conntrack.rst:224
+#: ../../configuration/system/conntrack.rst:198
 msgid "Log the connection tracking events per protocol."
 msgstr "Log the connection tracking events per protocol."
 
+#: ../../configuration/system/conntrack.rst:183
+msgid "Log the connection tracking events per type."
+msgstr "Log the connection tracking events per type."
+
 #: ../../configuration/system/syslog.rst:14
 msgid "Logging"
 msgstr "Logging"
 
-#: ../../configuration/firewall/bridge.rst:151
-#: ../../configuration/firewall/ipv4.rst:198
-#: ../../configuration/firewall/ipv6.rst:198
+#: ../../configuration/firewall/bridge.rst:205
+#: ../../configuration/firewall/ipv4.rst:222
+#: ../../configuration/firewall/ipv6.rst:222
 msgid "Logging can be enable for every single firewall rule. If enabled, other log options can be defined."
 msgstr "Logging can be enable for every single firewall rule. If enabled, other log options can be defined."
 
-#: ../../configuration/system/syslog.rst:56
+#: ../../configuration/system/syslog.rst:74
 msgid "Logging to a remote host leaves the local logging configuration intact, it can be configured in parallel to a custom file or console logging. You can log to multiple hosts at the same time, using either TCP or UDP. The default is sending the messages via port 514/UDP."
 msgstr "Logging to a remote host leaves the local logging configuration intact, it can be configured in parallel to a custom file or console logging. You can log to multiple hosts at the same time, using either TCP or UDP. The default is sending the messages via port 514/UDP."
 
@@ -8869,14 +10073,18 @@ msgstr "Logging to a remote host leaves the local logging configuration intact,
 msgid "Login/User Management"
 msgstr "Login/User Management"
 
-#: ../../configuration/system/login.rst:367
+#: ../../configuration/system/login.rst:373
 msgid "Login Banner"
 msgstr "Login Banner"
 
-#: ../../configuration/system/login.rst:387
+#: ../../configuration/system/login.rst:393
 msgid "Login limits"
 msgstr "Login limits"
 
+#: ../../configuration/service/monitoring.rst:134
+msgid "Loki"
+msgstr "Loki"
+
 #: ../../configuration/protocols/isis.rst:306
 msgid "Loop Free Alternate (LFA)"
 msgstr "Loop Free Alternate (LFA)"
@@ -8889,10 +10097,10 @@ msgstr "Loopback"
 msgid "Loopbacks occurs at the IP level the same way as for other interfaces, ethernet frames are not forwarded between Pseudo-Ethernet interfaces."
 msgstr "Loopbacks occurs at the IP level the same way as for other interfaces, ethernet frames are not forwarded between Pseudo-Ethernet interfaces."
 
-#: ../../configuration/trafficpolicy/index.rst:269
-#: ../../configuration/trafficpolicy/index.rst:275
-#: ../../configuration/trafficpolicy/index.rst:281
-#: ../../configuration/trafficpolicy/index.rst:287
+#: ../../configuration/trafficpolicy/index.rst:319
+#: ../../configuration/trafficpolicy/index.rst:325
+#: ../../configuration/trafficpolicy/index.rst:331
+#: ../../configuration/trafficpolicy/index.rst:337
 msgid "Low"
 msgstr "Low"
 
@@ -8904,7 +10112,7 @@ msgstr "MAC/PHY information"
 msgid "MACVLAN - Pseudo Ethernet"
 msgstr "MACVLAN - Pseudo Ethernet"
 
-#: ../../configuration/firewall/groups.rst:109
+#: ../../configuration/firewall/groups.rst:108
 msgid "MAC Groups"
 msgstr "MAC Groups"
 
@@ -8920,6 +10128,10 @@ msgstr "MACsec"
 msgid "MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in 2006. It defines a way to establish a protocol independent connection between two hosts with data confidentiality, authenticity and/or integrity, using GCM-AES-128. MACsec operates on the Ethernet layer and as such is a layer 2 protocol, which means it's designed to secure traffic within a layer 2 network, including DHCP or ARP requests. It does not compete with other security solutions such as IPsec (layer 3) or TLS (layer 4), as all those solutions are used for their own specific use cases."
 msgstr "MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in 2006. It defines a way to establish a protocol independent connection between two hosts with data confidentiality, authenticity and/or integrity, using GCM-AES-128. MACsec operates on the Ethernet layer and as such is a layer 2 protocol, which means it's designed to secure traffic within a layer 2 network, including DHCP or ARP requests. It does not compete with other security solutions such as IPsec (layer 3) or TLS (layer 4), as all those solutions are used for their own specific use cases."
 
+#: ../../configuration/interfaces/macsec.rst:245
+msgid "MACsec is an interesting alternative to existing tunneling solutions that protects layer 2 by performing integrity, origin authentication, and optionally encryption. The typical use case is to use MACsec between hosts and access switches, between two hosts, or between two switches. in this example below, we use VXLAN and MACsec to secure the tunnel."
+msgstr "MACsec is an interesting alternative to existing tunneling solutions that protects layer 2 by performing integrity, origin authentication, and optionally encryption. The typical use case is to use MACsec between hosts and access switches, between two hosts, or between two switches. in this example below, we use VXLAN and MACsec to secure the tunnel."
+
 #: ../../configuration/interfaces/macsec.rst:39
 msgid "MACsec only provides authentication by default, encryption is optional. This command will enable encryption for all outgoing packets."
 msgstr "MACsec only provides authentication by default, encryption is optional. This command will enable encryption for all outgoing packets."
@@ -8928,6 +10140,10 @@ msgstr "MACsec only provides authentication by default, encryption is optional.
 msgid "MACsec options"
 msgstr "MACsec options"
 
+#: ../../configuration/interfaces/macsec.rst:243
+msgid "MACsec over wan"
+msgstr "MACsec over wan"
+
 #: ../../configuration/service/lldp.rst:32
 msgid "MDI power"
 msgstr "MDI power"
@@ -8936,6 +10152,10 @@ msgstr "MDI power"
 msgid "MFA/2FA authentication using OTP (one time passwords)"
 msgstr "MFA/2FA authentication using OTP (one time passwords)"
 
+#: ../../configuration/interfaces/openvpn.rst:723
+msgid "MFA TOTP options"
+msgstr "MFA TOTP options"
+
 #: ../../configuration/protocols/mpls.rst:5
 msgid "MPLS"
 msgstr "MPLS"
@@ -8959,7 +10179,7 @@ msgstr "MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432
 msgid "MTU"
 msgstr "MTU"
 
-#: ../../configuration/system/syslog.rst:116
+#: ../../configuration/system/syslog.rst:134
 msgid "Mail system"
 msgstr "Mail system"
 
@@ -8979,19 +10199,32 @@ msgstr "Main structure is shown next:"
 msgid "Maintenance mode"
 msgstr "Maintenance mode"
 
+#: ../../configuration/service/config-sync.rst:85
+msgid "Make config-sync relevant changes to Router A's configuration"
+msgstr "Make config-sync relevant changes to Router A's configuration"
+
 #: ../../configuration/service/conntrack-sync.rst:116
 msgid "Make sure conntrack is enabled by running and show connection tracking table."
 msgstr "Make sure conntrack is enabled by running and show connection tracking table."
 
+#: ../../configuration/system/conntrack.rst:206
+msgid "Manage internal queue size, default size is 4096 events."
+msgstr "Manage internal queue size, default size is 4096 events."
+
+#: ../../configuration/system/conntrack.rst:210
+msgid "Manage log level"
+msgstr "Manage log level"
+
 #: ../../configuration/service/snmp.rst:38
 msgid "Managed devices"
 msgstr "Managed devices"
 
-#: ../../configuration/interfaces/wireless.rst:85
+#: ../../configuration/interfaces/wireless.rst:97
 msgid "Management Frame Protection (MFP) according to IEEE 802.11w"
 msgstr "Management Frame Protection (MFP) according to IEEE 802.11w"
 
 #: ../../configuration/protocols/isis.rst:31
+#: ../../configuration/protocols/openfabric.rst:23
 msgid "Mandatory Settings"
 msgstr "Mandatory Settings"
 
@@ -9007,8 +10240,8 @@ msgstr "Manually trigger certificate renewal. This will be done twice a day."
 msgid "Maps the VNI to the specified VLAN id. The VLAN can then be consumed by a bridge."
 msgstr "Maps the VNI to the specified VLAN id. The VLAN can then be consumed by a bridge."
 
-#: ../../configuration/service/ipoe-server.rst:166
-#: ../../configuration/service/pppoe-server.rst:128
+#: ../../configuration/service/ipoe-server.rst:165
+#: ../../configuration/service/pppoe-server.rst:132
 #: ../../configuration/vpn/l2tp.rst:171
 #: ../../configuration/vpn/pptp.rst:111
 #: ../../configuration/vpn/sstp.rst:144
@@ -9031,8 +10264,8 @@ msgstr "Match BGP large communities."
 msgid "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_."
 msgstr "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_."
 
-#: ../../configuration/firewall/ipv4.rst:463
-#: ../../configuration/firewall/ipv6.rst:447
+#: ../../configuration/firewall/ipv4.rst:488
+#: ../../configuration/firewall/ipv6.rst:475
 msgid "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. Use inverse-match to match anything except the given country-codes."
 msgstr "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. Use inverse-match to match anything except the given country-codes."
 
@@ -9044,22 +10277,35 @@ msgstr "Match RPKI validation result."
 msgid "Match a protocol criteria. A protocol number or a name which is defined in: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected protocol."
 msgstr "Match a protocol criteria. A protocol number or a name which is defined in: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected protocol."
 
-#: ../../configuration/firewall/ipv4.rst:796
-#: ../../configuration/firewall/ipv6.rst:783
+#: ../../configuration/firewall/ipv4.rst:849
+#: ../../configuration/firewall/ipv6.rst:840
 msgid "Match a protocol criteria. A protocol number or a name which is here defined: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negate the selected protocol."
 msgstr "Match a protocol criteria. A protocol number or a name which is here defined: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negate the selected protocol."
 
-#: ../../configuration/firewall/ipv4.rst:854
-#: ../../configuration/firewall/ipv6.rst:840
+#: ../../configuration/firewall/ipv4.rst:905
+#: ../../configuration/firewall/ipv6.rst:895
 msgid "Match against the state of a packet."
 msgstr "Match against the state of a packet."
 
-#: ../../configuration/firewall/ipv4.rst:336
+#: ../../configuration/firewall/bridge.rst:373
+msgid "Match based on VLAN identifier. Range is also supported."
+msgstr "Match based on VLAN identifier. Range is also supported."
+
+#: ../../configuration/firewall/bridge.rst:386
+msgid "Match based on VLAN priority (Priority Code Point - PCP). Range is also supported."
+msgstr "Match based on VLAN priority (Priority Code Point - PCP). Range is also supported."
+
+#: ../../configuration/firewall/ipv4.rst:350
+#: ../../configuration/firewall/ipv6.rst:350
+msgid "Match based on connection mark."
+msgstr "Match based on connection mark."
+
+#: ../../configuration/firewall/ipv4.rst:361
 msgid "Match based on connection tracking protocol helper module to secure use of that helper module. See below for possible completions `<module>`."
 msgstr "Match based on connection tracking protocol helper module to secure use of that helper module. See below for possible completions `<module>`."
 
-#: ../../configuration/firewall/ipv4.rst:643
-#: ../../configuration/firewall/ipv6.rst:630
+#: ../../configuration/firewall/ipv4.rst:687
+#: ../../configuration/firewall/ipv6.rst:678
 msgid "Match based on dscp value."
 msgstr "Match based on dscp value."
 
@@ -9067,24 +10313,37 @@ msgstr "Match based on dscp value."
 msgid "Match based on dscp value criteria. Multiple values from 0 to 63 and ranges are supported."
 msgstr "Match based on dscp value criteria. Multiple values from 0 to 63 and ranges are supported."
 
-#: ../../configuration/firewall/ipv4.rst:654
-#: ../../configuration/firewall/ipv6.rst:641
+#: ../../configuration/firewall/ipv4.rst:699
+#: ../../configuration/firewall/ipv6.rst:690
 msgid "Match based on fragment criteria."
 msgstr "Match based on fragment criteria."
 
-#: ../../configuration/firewall/ipv4.rst:665
+#: ../../configuration/firewall/ipv4.rst:698
+#: ../../configuration/firewall/ipv6.rst:689
+msgid "Match based on fragmentation."
+msgstr "Match based on fragmentation."
+
+#: ../../configuration/firewall/ipv4.rst:709
 msgid "Match based on icmp code and type."
 msgstr "Match based on icmp code and type."
 
-#: ../../configuration/firewall/ipv4.rst:676
+#: ../../configuration/firewall/ipv4.rst:720
+msgid "Match based on icmp type-name. Use tab for information about what **type-name** criteria are supported."
+msgstr "Match based on icmp type-name. Use tab for information about what **type-name** criteria are supported."
+
+#: ../../configuration/firewall/ipv4.rst:721
 msgid "Match based on icmp type-name criteria. Use tab for information about what **type-name** criteria are supported."
 msgstr "Match based on icmp type-name criteria. Use tab for information about what **type-name** criteria are supported."
 
-#: ../../configuration/firewall/ipv6.rst:663
+#: ../../configuration/firewall/ipv6.rst:711
+msgid "Match based on icmpv6 type-name. Use tab for information about what **type-name** criteria are supported."
+msgstr "Match based on icmpv6 type-name. Use tab for information about what **type-name** criteria are supported."
+
+#: ../../configuration/firewall/ipv6.rst:712
 msgid "Match based on icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported."
 msgstr "Match based on icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported."
 
-#: ../../configuration/firewall/ipv6.rst:652
+#: ../../configuration/firewall/ipv6.rst:700
 #: ../../configuration/policy/route.rst:131
 msgid "Match based on icmp|icmpv6 code and type."
 msgstr "Match based on icmp|icmpv6 code and type."
@@ -9111,17 +10370,40 @@ msgstr "Match based on inbound interface. Wilcard ``*`` can be used. For example
 msgid "Match based on inbound interface. Wilcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!eth2``"
 msgstr "Match based on inbound interface. Wilcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!eth2``"
 
+#: ../../configuration/firewall/bridge.rst:241
+msgid "Match based on inbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2``"
+msgstr "Match based on inbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2``"
+
+#: ../../configuration/firewall/ipv4.rst:730
+#: ../../configuration/firewall/ipv6.rst:721
+msgid "Match based on inbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending the character ``!`` to invert the criteria to match is also supported. For example ``!eth2``"
+msgstr "Match based on inbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending the character ``!`` to invert the criteria to match is also supported. For example ``!eth2``"
+
 #: ../../configuration/firewall/bridge.rst:248
 #: ../../configuration/firewall/ipv4.rst:697
 #: ../../configuration/firewall/ipv6.rst:684
 msgid "Match based on inbound interface group. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!IFACE_GROUP``"
 msgstr "Match based on inbound interface group. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!IFACE_GROUP``"
 
-#: ../../configuration/firewall/ipv4.rst:730
-#: ../../configuration/firewall/ipv6.rst:717
+#: ../../configuration/firewall/bridge.rst:250
+msgid "Match based on inbound interface group. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!IFACE_GROUP``"
+msgstr "Match based on inbound interface group. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!IFACE_GROUP``"
+
+#: ../../configuration/firewall/ipv4.rst:782
+#: ../../configuration/firewall/ipv6.rst:773
+msgid "Match based on ipsec."
+msgstr "Match based on ipsec."
+
+#: ../../configuration/firewall/ipv4.rst:783
+#: ../../configuration/firewall/ipv6.rst:774
 msgid "Match based on ipsec criteria."
 msgstr "Match based on ipsec criteria."
 
+#: ../../configuration/firewall/ipv4.rst:339
+#: ../../configuration/firewall/ipv6.rst:339
+msgid "Match based on nat connection status."
+msgstr "Match based on nat connection status."
+
 #: ../../configuration/firewall/general.rst:999
 msgid "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
 msgstr "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
@@ -9132,79 +10414,126 @@ msgstr "Match based on outbound interface. Wilcard ``*`` can be used. For exampl
 msgid "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!eth2``"
 msgstr "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!eth2``"
 
+#: ../../configuration/firewall/bridge.rst:258
+msgid "Match based on outbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2``"
+msgstr "Match based on outbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2``"
+
+#: ../../configuration/firewall/ipv4.rst:755
+#: ../../configuration/firewall/ipv6.rst:746
+msgid "Match based on outbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending the character ``!`` to invert the criteria to match is also supported. For example ``!eth2``"
+msgstr "Match based on outbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending the character ``!`` to invert the criteria to match is also supported. For example ``!eth2``"
+
 #: ../../configuration/firewall/bridge.rst:265
 #: ../../configuration/firewall/ipv4.rst:718
 #: ../../configuration/firewall/ipv6.rst:705
 msgid "Match based on outbound interface group. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!IFACE_GROUP``"
 msgstr "Match based on outbound interface group. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!IFACE_GROUP``"
 
-#: ../../configuration/firewall/ipv4.rst:773
-#: ../../configuration/firewall/ipv6.rst:760
+#: ../../configuration/firewall/bridge.rst:267
+msgid "Match based on outbound interface group. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!IFACE_GROUP``"
+msgstr "Match based on outbound interface group. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!IFACE_GROUP``"
+
+#: ../../configuration/firewall/ipv4.rst:770
+#: ../../configuration/firewall/ipv6.rst:761
+msgid "Match based on outbound interface group. Prepending the character ``!`` to invert the criteria to match is also supported. For example ``!IFACE_GROUP``"
+msgstr "Match based on outbound interface group. Prepending the character ``!`` to invert the criteria to match is also supported. For example ``!IFACE_GROUP``"
+
 #: ../../configuration/policy/route.rst:176
 msgid "Match based on packet length criteria. Multiple values from 1 to 65535 and ranges are supported."
 msgstr "Match based on packet length criteria. Multiple values from 1 to 65535 and ranges are supported."
 
-#: ../../configuration/firewall/ipv4.rst:785
-#: ../../configuration/firewall/ipv6.rst:772
 #: ../../configuration/policy/route.rst:184
 msgid "Match based on packet type criteria."
 msgstr "Match based on packet type criteria."
 
-#: ../../configuration/firewall/ipv4.rst:752
-#: ../../configuration/firewall/ipv6.rst:739
+#: ../../configuration/firewall/ipv4.rst:848
+#: ../../configuration/firewall/ipv6.rst:839
+msgid "Match based on protocol number or name as defined in ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected protocol."
+msgstr "Match based on protocol number or name as defined in ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected protocol."
+
+#: ../../configuration/firewall/ipv4.rst:875
+msgid "Match based on recently seen sources."
+msgstr "Match based on recently seen sources."
+
+#: ../../configuration/firewall/ipv6.rst:370
+msgid "Match based on source and/or destination address. This is similar to the network groups part, but here you are able to negate the matching addresses."
+msgstr "Match based on source and/or destination address. This is similar to the network groups part, but here you are able to negate the matching addresses."
+
+#: ../../configuration/firewall/bridge.rst:347
+msgid "Match based on the Ethernet type of the packet."
+msgstr "Match based on the Ethernet type of the packet."
+
+#: ../../configuration/firewall/bridge.rst:360
+msgid "Match based on the Ethernet type of the packet when it is VLAN tagged."
+msgstr "Match based on the Ethernet type of the packet when it is VLAN tagged."
+
+#: ../../configuration/firewall/ipv4.rst:745
+#: ../../configuration/firewall/ipv6.rst:736
+msgid "Match based on the inbound interface group. Prepending the character ``!`` to invert the criteria to match is also supported. For example ``!IFACE_GROUP``"
+msgstr "Match based on the inbound interface group. Prepending the character ``!`` to invert the criteria to match is also supported. For example ``!IFACE_GROUP``"
+
+#: ../../configuration/firewall/ipv4.rst:804
+#: ../../configuration/firewall/ipv6.rst:795
 msgid "Match based on the maximum average rate, specified as **integer/unit**. For example **5/minutes**"
 msgstr "Match based on the maximum average rate, specified as **integer/unit**. For example **5/minutes**"
 
-#: ../../configuration/firewall/ipv4.rst:741
-#: ../../configuration/firewall/ipv6.rst:728
+#: ../../configuration/firewall/ipv4.rst:793
+#: ../../configuration/firewall/ipv6.rst:784
 msgid "Match based on the maximum number of packets to allow in excess of rate."
 msgstr "Match based on the maximum number of packets to allow in excess of rate."
 
-#: ../../configuration/firewall/bridge.rst:273
+#: ../../configuration/firewall/ipv4.rst:825
+#: ../../configuration/firewall/ipv6.rst:816
+msgid "Match based on the packet length. Multiple values from 1 to 65535 and ranges are supported."
+msgstr "Match based on the packet length. Multiple values from 1 to 65535 and ranges are supported."
+
+#: ../../configuration/firewall/ipv4.rst:837
+#: ../../configuration/firewall/ipv6.rst:828
+msgid "Match based on the packet type."
+msgstr "Match based on the packet type."
+
+#: ../../configuration/firewall/bridge.rst:275
 msgid "Match based on vlan ID. Range is also supported."
 msgstr "Match based on vlan ID. Range is also supported."
 
-#: ../../configuration/firewall/bridge.rst:280
+#: ../../configuration/firewall/bridge.rst:282
 msgid "Match based on vlan priority(pcp). Range is also supported."
 msgstr "Match based on vlan priority(pcp). Range is also supported."
 
-#: ../../configuration/firewall/ipv4.rst:824
-#: ../../configuration/firewall/ipv6.rst:810
+#: ../../configuration/firewall/ipv6.rst:865
 msgid "Match bases on recently seen sources."
 msgstr "Match bases on recently seen sources."
 
-#: ../../configuration/firewall/ipv4.rst:325
-#: ../../configuration/firewall/ipv6.rst:325
+#: ../../configuration/firewall/ipv4.rst:349
+#: ../../configuration/firewall/ipv6.rst:349
 msgid "Match criteria based on connection mark."
 msgstr "Match criteria based on connection mark."
 
-#: ../../configuration/firewall/ipv4.rst:314
-#: ../../configuration/firewall/ipv6.rst:314
+#: ../../configuration/firewall/ipv4.rst:338
+#: ../../configuration/firewall/ipv6.rst:338
 msgid "Match criteria based on nat connection status."
 msgstr "Match criteria based on nat connection status."
 
-#: ../../configuration/firewall/ipv4.rst:368
-#: ../../configuration/firewall/ipv6.rst:345
+#: ../../configuration/firewall/ipv4.rst:393
 msgid "Match criteria based on source and/or destination address. This is similar to the network groups part, but here you are able to negate the matching addresses."
 msgstr "Match criteria based on source and/or destination address. This is similar to the network groups part, but here you are able to negate the matching addresses."
 
-#: ../../configuration/firewall/bridge.rst:232
+#: ../../configuration/firewall/bridge.rst:234
 msgid "Match criteria based on source and/or destination mac-address."
 msgstr "Match criteria based on source and/or destination mac-address."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:58
+#: ../../configuration/loadbalancing/haproxy.rst:70
 msgid "Match domain name"
 msgstr "Match domain name"
 
-#: ../../configuration/service/ipoe-server.rst:382
-#: ../../configuration/service/pppoe-server.rst:571
-#: ../../configuration/vpn/l2tp.rst:506
+#: ../../configuration/service/ipoe-server.rst:381
+#: ../../configuration/service/pppoe-server.rst:596
+#: ../../configuration/vpn/l2tp.rst:511
 #: ../../configuration/vpn/pptp.rst:430
-#: ../../configuration/vpn/sstp.rst:464
+#: ../../configuration/vpn/sstp.rst:469
 msgid "Match firewall mark value"
 msgstr "Match firewall mark value"
 
-#: ../../configuration/firewall/ipv6.rst:894
 #: ../../configuration/policy/route.rst:234
 msgid "Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
 msgstr "Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
@@ -9217,19 +10546,26 @@ msgstr "Match local preference."
 msgid "Match route metric."
 msgstr "Match route metric."
 
-#: ../../configuration/firewall/ipv4.rst:908
+#: ../../configuration/firewall/ipv6.rst:949
+msgid "Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
+msgstr "Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
+
+#: ../../configuration/firewall/ipv4.rst:959
+msgid "Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
+msgstr "Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
+
 #: ../../configuration/policy/route.rst:229
 msgid "Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
 msgstr "Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
 
-#: ../../configuration/firewall/ipv4.rst:929
-#: ../../configuration/firewall/ipv6.rst:915
+#: ../../configuration/firewall/ipv4.rst:980
+#: ../../configuration/firewall/ipv6.rst:970
 msgid "Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts."
 msgstr "Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts."
 
-#: ../../configuration/firewall/bridge.rst:219
-#: ../../configuration/firewall/ipv4.rst:301
-#: ../../configuration/firewall/ipv6.rst:301
+#: ../../configuration/firewall/bridge.rst:324
+#: ../../configuration/firewall/ipv4.rst:326
+#: ../../configuration/firewall/ipv6.rst:326
 #: ../../configuration/policy/route.rst:38
 msgid "Matching criteria"
 msgstr "Matching criteria"
@@ -9238,23 +10574,28 @@ msgstr "Matching criteria"
 msgid "Matching traffic"
 msgstr "Matching traffic"
 
-#: ../../configuration/interfaces/wireless.rst:199
+#: ../../configuration/interfaces/wireless.rst:230
 msgid "Maximum A-MSDU length 3839 (default) or 7935 octets"
 msgstr "Maximum A-MSDU length 3839 (default) or 7935 octets"
 
-#: ../../configuration/vpn/l2tp.rst:492
+#: ../../configuration/vpn/l2tp.rst:497
 #: ../../configuration/vpn/pptp.rst:416
 msgid "Maximum Transmission Unit (MTU) (default: **1436**)"
 msgstr "Maximum Transmission Unit (MTU) (default: **1436**)"
 
-#: ../../configuration/service/pppoe-server.rst:538
+#: ../../configuration/service/pppoe-server.rst:563
 msgid "Maximum Transmission Unit (MTU) (default: **1492**)"
 msgstr "Maximum Transmission Unit (MTU) (default: **1492**)"
 
-#: ../../configuration/vpn/sstp.rst:450
+#: ../../configuration/vpn/sstp.rst:455
 msgid "Maximum Transmission Unit (MTU) (default: **1500**)"
 msgstr "Maximum Transmission Unit (MTU) (default: **1500**)"
 
+#: ../../configuration/vpn/l2tp.rst:489
+#: ../../configuration/vpn/sstp.rst:447
+msgid "Maximum accepted connection rate (e.g. 1/min, 60/sec)"
+msgstr "Maximum accepted connection rate (e.g. 1/min, 60/sec)"
+
 #: ../../configuration/service/dns.rst:108
 msgid "Maximum number of DNS cache entries. 1 million per CPU core will generally suffice for most installations."
 msgstr "Maximum number of DNS cache entries. 1 million per CPU core will generally suffice for most installations."
@@ -9267,15 +10608,15 @@ msgstr "Maximum number of IPv4 nameservers"
 msgid "Maximum number of authenticator processes to spawn. If you start too few Squid will have to wait for them to process a backlog of credential verifications, slowing it down. When password verifications are done via a (slow) network you are likely to need lots of authenticator processes."
 msgstr "Maximum number of authenticator processes to spawn. If you start too few Squid will have to wait for them to process a backlog of credential verifications, slowing it down. When password verifications are done via a (slow) network you are likely to need lots of authenticator processes."
 
-#: ../../configuration/service/ipoe-server.rst:372
-#: ../../configuration/service/pppoe-server.rst:542
-#: ../../configuration/vpn/l2tp.rst:496
+#: ../../configuration/service/ipoe-server.rst:371
+#: ../../configuration/service/pppoe-server.rst:567
+#: ../../configuration/vpn/l2tp.rst:501
 #: ../../configuration/vpn/pptp.rst:420
-#: ../../configuration/vpn/sstp.rst:454
+#: ../../configuration/vpn/sstp.rst:459
 msgid "Maximum number of concurrent session start attempts"
 msgstr "Maximum number of concurrent session start attempts"
 
-#: ../../configuration/interfaces/wireless.rst:77
+#: ../../configuration/interfaces/wireless.rst:89
 msgid "Maximum number of stations allowed in station table. New stations will be rejected after the station table is full. IEEE 802.11 has a limit of 2007 different association IDs, so this number should not be larger than that."
 msgstr "Maximum number of stations allowed in station table. New stations will be rejected after the station table is full. IEEE 802.11 has a limit of 2007 different association IDs, so this number should not be larger than that."
 
@@ -9283,18 +10624,18 @@ msgstr "Maximum number of stations allowed in station table. New stations will b
 msgid "Maximum number of times an expired record’s TTL is extended by 30s when serving stale. Extension only occurs if a record cannot be refreshed. A value of 0 means the Serve Stale mechanism is not used. To allow records becoming stale to be served for an hour, use a value of 120."
 msgstr "Maximum number of times an expired record’s TTL is extended by 30s when serving stale. Extension only occurs if a record cannot be refreshed. A value of 0 means the Serve Stale mechanism is not used. To allow records becoming stale to be served for an hour, use a value of 120."
 
-#: ../../configuration/service/ipoe-server.rst:190
-#: ../../configuration/service/pppoe-server.rst:152
+#: ../../configuration/service/ipoe-server.rst:189
+#: ../../configuration/service/pppoe-server.rst:162
 #: ../../configuration/vpn/l2tp.rst:195
 #: ../../configuration/vpn/pptp.rst:135
 #: ../../configuration/vpn/sstp.rst:168
 msgid "Maximum number of tries to send Access-Request/Accounting-Request queries"
 msgstr "Maximum number of tries to send Access-Request/Accounting-Request queries"
 
-#: ../../configuration/trafficpolicy/index.rst:271
-#: ../../configuration/trafficpolicy/index.rst:277
-#: ../../configuration/trafficpolicy/index.rst:283
-#: ../../configuration/trafficpolicy/index.rst:289
+#: ../../configuration/trafficpolicy/index.rst:321
+#: ../../configuration/trafficpolicy/index.rst:327
+#: ../../configuration/trafficpolicy/index.rst:333
+#: ../../configuration/trafficpolicy/index.rst:339
 msgid "Medium"
 msgstr "Medium"
 
@@ -9303,11 +10644,11 @@ msgstr "Medium"
 msgid "Member Interfaces"
 msgstr "Member Interfaces"
 
-#: ../../configuration/interfaces/bridge.rst:205
+#: ../../configuration/interfaces/bridge.rst:204
 msgid "Member interfaces `eth1` and VLAN 10 on interface `eth2`"
 msgstr "Member interfaces `eth1` and VLAN 10 on interface `eth2`"
 
-#: ../../configuration/system/syslog.rst:122
+#: ../../configuration/system/syslog.rst:140
 msgid "Messages generated internally by syslogd"
 msgstr "Messages generated internally by syslogd"
 
@@ -9315,7 +10656,11 @@ msgstr "Messages generated internally by syslogd"
 msgid "Metris version, the default is ``2``"
 msgstr "Metris version, the default is ``2``"
 
-#: ../../configuration/vpn/ipsec.rst:510
+#: ../../configuration/vpn/ipsec.rst:519
+msgid "Microsoft Windows (10+)"
+msgstr "Microsoft Windows (10+)"
+
+#: ../../configuration/vpn/ipsec.rst:530
 msgid "Microsoft Windows expects the server name to be also used in the server's certificate common name, so it's best to use this DNS name for your VPN connection."
 msgstr "Microsoft Windows expects the server name to be also used in the server's certificate common name, so it's best to use this DNS name for your VPN connection."
 
@@ -9323,6 +10668,10 @@ msgstr "Microsoft Windows expects the server name to be also used in the server'
 msgid "Min and max intervals between unsolicited multicast RAs"
 msgstr "Min and max intervals between unsolicited multicast RAs"
 
+#: ../../configuration/firewall/flowtables.rst:107
+msgid "Minimum firewall ruleset is provided, which includes some filtering rules, and appropriate rules for using flowtable offload capabilities."
+msgstr "Minimum firewall ruleset is provided, which includes some filtering rules, and appropriate rules for using flowtable offload capabilities."
+
 #: ../../configuration/firewall/flowtables.rst:106
 msgid "Minumum firewall ruleset is provided, which includes some filtering rules, and appropiate rules for using flowtable offload capabilities."
 msgstr "Minumum firewall ruleset is provided, which includes some filtering rules, and appropiate rules for using flowtable offload capabilities."
@@ -9347,12 +10696,16 @@ msgstr "Modify the time that pim will register suppress a FHR will send register
 msgid "Monitor, the system passively monitors any kind of wireless traffic"
 msgstr "Monitor, the system passively monitors any kind of wireless traffic"
 
-#: ../../configuration/service/ipoe-server.rst:390
+#: ../../configuration/interfaces/wireless.rst:22
+msgid "Monitor mode lets the system passively monitor wireless traffic"
+msgstr "Monitor mode lets the system passively monitor wireless traffic"
+
+#: ../../configuration/service/ipoe-server.rst:389
 #: ../../configuration/service/monitoring.rst:2
-#: ../../configuration/service/pppoe-server.rst:583
-#: ../../configuration/vpn/l2tp.rst:518
+#: ../../configuration/service/pppoe-server.rst:608
+#: ../../configuration/vpn/l2tp.rst:523
 #: ../../configuration/vpn/pptp.rst:442
-#: ../../configuration/vpn/sstp.rst:538
+#: ../../configuration/vpn/sstp.rst:548
 msgid "Monitoring"
 msgstr "Monitoring"
 
@@ -9368,7 +10721,7 @@ msgstr "More details about the IPsec and VTI issue and option disable-route-auto
 msgid "Most operating systems include native client support for IPsec IKEv2 VPN connections, and others typically have an app or add-on package which adds the capability. This section covers IPsec IKEv2 client configuration for Windows 10."
 msgstr "Most operating systems include native client support for IPsec IKEv2 VPN connections, and others typically have an app or add-on package which adds the capability. This section covers IPsec IKEv2 client configuration for Windows 10."
 
-#: ../../configuration/container/index.rst:85
+#: ../../configuration/container/index.rst:110
 msgid "Mount a volume into the container"
 msgstr "Mount a volume into the container"
 
@@ -9380,6 +10733,14 @@ msgstr "Multi"
 msgid "Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. Refer this topic :ref:`configuration/pki/index:pki` to generate a CA certificate, a server certificate and key, a certificate revocation list, a Diffie-Hellman key exchange parameters file. You do not need client certificates and keys for the server setup."
 msgstr "Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. Refer this topic :ref:`configuration/pki/index:pki` to generate a CA certificate, a server certificate and key, a certificate revocation list, a Diffie-Hellman key exchange parameters file. You do not need client certificates and keys for the server setup."
 
+#: ../../configuration/interfaces/openvpn.rst:331
+msgid "Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. Refer this topic :ref:`configuration/pki/index:pki` to generate a CA certificate, a server certificate and key, a certificate revocation list, and a Diffie-Hellman key exchange parameters file. You do not need client certificates and keys for the server setup."
+msgstr "Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. Refer this topic :ref:`configuration/pki/index:pki` to generate a CA certificate, a server certificate and key, a certificate revocation list, and a Diffie-Hellman key exchange parameters file. You do not need client certificates and keys for the server setup."
+
+#: ../../configuration/interfaces/openvpn.rst:716
+msgid "Multi-factor Authentication"
+msgstr "Multi-factor Authentication"
+
 #: ../../configuration/nat/nat66.rst:42
 msgid "Multi-homed. In a multi-homed network environment, the NAT66 device connects to an internal network and simultaneously connects to different external networks. Address translation can be configured on each external network side interface of the NAT66 device to convert the same internal network address into different external network addresses, and realize the mapping of the same internal address to multiple external addresses."
 msgstr "Multi-homed. In a multi-homed network environment, the NAT66 device connects to an internal network and simultaneously connects to different external networks. Address translation can be configured on each external network side interface of the NAT66 device to convert the same internal network address into different external network addresses, and realize the mapping of the same internal address to multiple external addresses."
@@ -9412,6 +10773,10 @@ msgstr "Multicast VXLAN"
 msgid "Multicast group address for VXLAN interface. VXLAN tunnels can be built either via Multicast or via Unicast."
 msgstr "Multicast group address for VXLAN interface. VXLAN tunnels can be built either via Multicast or via Unicast."
 
+#: ../../configuration/interfaces/vxlan.rst:120
+msgid "Multicast group address for the VXLAN interface. VXLAN tunnels can be built either via Multicast or via Unicast."
+msgstr "Multicast group address for the VXLAN interface. VXLAN tunnels can be built either via Multicast or via Unicast."
+
 #: ../../configuration/service/conntrack-sync.rst:83
 msgid "Multicast group to use for syncing conntrack entries."
 msgstr "Multicast group to use for syncing conntrack entries."
@@ -9452,20 +10817,24 @@ msgstr "Multiple aliases can pe specified per host-name."
 msgid "Multiple destination ports can be specified as a comma-separated list. The whole list can also be \"negated\" using '!'. For example: '!22,telnet,http,123,1001-1005'"
 msgstr "Multiple destination ports can be specified as a comma-separated list. The whole list can also be \"negated\" using '!'. For example: '!22,telnet,http,123,1001-1005'"
 
-#: ../../configuration/system/conntrack.rst:150
+#: ../../configuration/system/conntrack.rst:118
 msgid "Multiple destination ports can be specified as a comma-separated list. The whole list can also be \"negated\" using '!'. For example: `!22,telnet,http,123,1001-1005``"
 msgstr "Multiple destination ports can be specified as a comma-separated list. The whole list can also be \"negated\" using '!'. For example: `!22,telnet,http,123,1001-1005``"
 
+#: ../../configuration/nat/cgnat.rst:129
+msgid "Multiple external addresses"
+msgstr "Multiple external addresses"
+
 #: ../../configuration/service/dhcp-relay.rst:143
 msgid "Multiple interfaces may be specified."
 msgstr "Multiple interfaces may be specified."
 
-#: ../../configuration/service/ntp.rst:80
+#: ../../configuration/service/ntp.rst:87
 msgid "Multiple networks/client IP addresses can be configured."
 msgstr "Multiple networks/client IP addresses can be configured."
 
-#: ../../configuration/system/login.rst:252
-#: ../../configuration/system/login.rst:321
+#: ../../configuration/system/login.rst:258
+#: ../../configuration/system/login.rst:327
 msgid "Multiple servers can be specified."
 msgstr "Multiple servers can be specified."
 
@@ -9473,12 +10842,12 @@ msgstr "Multiple servers can be specified."
 msgid "Multiple services can be used per interface. Just specify as many services per interface as you like!"
 msgstr "Multiple services can be used per interface. Just specify as many services per interface as you like!"
 
-#: ../../configuration/firewall/ipv4.rst:517
-#: ../../configuration/firewall/ipv6.rst:500
+#: ../../configuration/firewall/ipv4.rst:540
+#: ../../configuration/firewall/ipv6.rst:527
 msgid "Multiple source ports can be specified as a comma-separated list. The whole list can also be \"negated\" using ``!``. For example:"
 msgstr "Multiple source ports can be specified as a comma-separated list. The whole list can also be \"negated\" using ``!``. For example:"
 
-#: ../../configuration/interfaces/bonding.rst:268
+#: ../../configuration/interfaces/bonding.rst:273
 msgid "Multiple target IP addresses can be specified. At least one IP address must be given for ARP monitoring to function."
 msgstr "Multiple target IP addresses can be specified. At least one IP address must be given for ARP monitoring to function."
 
@@ -9506,7 +10875,7 @@ msgstr "Multiprotocol extensions enable BGP to carry routing information for mul
 msgid "N"
 msgstr "N"
 
-#: ../../configuration/highavailability/index.rst:373
+#: ../../configuration/highavailability/index.rst:377
 #: ../../configuration/nat/index.rst:5
 msgid "NAT"
 msgstr "NAT"
@@ -9583,7 +10952,11 @@ msgstr "NTP is intended to synchronize all participating computers to within a f
 msgid "NTP process will only listen on the specified IP address. You must specify the `<address>` and optionally the permitted clients. Multiple listen addresses can be configured."
 msgstr "NTP process will only listen on the specified IP address. You must specify the `<address>` and optionally the permitted clients. Multiple listen addresses can be configured."
 
-#: ../../configuration/system/syslog.rst:136
+#: ../../configuration/service/ntp.rst:78
+msgid "NTP process will only listen on the specified IP address. You must specify the `<address>` and optionally the permitted clients. Multiple listen addresses for same IP family is no longer supported. Only one IPv4 and one IPv6 address can be configured, using separate commands for each."
+msgstr "NTP process will only listen on the specified IP address. You must specify the `<address>` and optionally the permitted clients. Multiple listen addresses for same IP family is no longer supported. Only one IPv4 and one IPv6 address can be configured, using separate commands for each."
+
+#: ../../configuration/system/syslog.rst:154
 msgid "NTP subsystem"
 msgstr "NTP subsystem"
 
@@ -9619,7 +10992,7 @@ msgstr "Name or IPv4 address of TFTP server"
 msgid "NetBIOS over TCP/IP name server"
 msgstr "NetBIOS over TCP/IP name server"
 
-#: ../../configuration/system/flow-accounting.rst:92
+#: ../../configuration/system/flow-accounting.rst:96
 msgid "NetFlow"
 msgstr "NetFlow"
 
@@ -9627,7 +11000,7 @@ msgstr "NetFlow"
 msgid "NetFlow / IPFIX"
 msgstr "NetFlow / IPFIX"
 
-#: ../../configuration/system/flow-accounting.rst:115
+#: ../../configuration/system/flow-accounting.rst:119
 msgid "NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255."
 msgstr "NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255."
 
@@ -9639,7 +11012,7 @@ msgstr "NetFlow is a feature that was introduced on Cisco routers around 1996 th
 msgid "NetFlow is usually enabled on a per-interface basis to limit load on the router components involved in NetFlow, or to limit the amount of NetFlow records exported."
 msgstr "NetFlow is usually enabled on a per-interface basis to limit load on the router components involved in NetFlow, or to limit the amount of NetFlow records exported."
 
-#: ../../configuration/system/flow-accounting.rst:166
+#: ../../configuration/system/flow-accounting.rst:170
 msgid "NetFlow v5 example:"
 msgstr "NetFlow v5 example:"
 
@@ -9648,12 +11021,12 @@ msgid "Netfilter based"
 msgstr "Netfilter based"
 
 #: ../../configuration/policy/prefix-list.rst:43
-#: ../../configuration/policy/prefix-list.rst:76
+#: ../../configuration/policy/prefix-list.rst:92
 msgid "Netmask greater than length."
 msgstr "Netmask greater than length."
 
 #: ../../configuration/policy/prefix-list.rst:47
-#: ../../configuration/policy/prefix-list.rst:80
+#: ../../configuration/policy/prefix-list.rst:96
 msgid "Netmask less than length"
 msgstr "Netmask less than length"
 
@@ -9661,26 +11034,30 @@ msgstr "Netmask less than length"
 msgid "Network Advertisement Configuration"
 msgstr "Network Advertisement Configuration"
 
-#: ../../configuration/trafficpolicy/index.rst:789
+#: ../../configuration/trafficpolicy/index.rst:839
 msgid "Network Control"
 msgstr "Network Control"
 
-#: ../../configuration/trafficpolicy/index.rst:619
+#: ../../configuration/trafficpolicy/index.rst:669
 msgid "Network Emulator"
 msgstr "Network Emulator"
 
-#: ../../configuration/firewall/groups.rst:42
+#: ../../configuration/firewall/groups.rst:41
 msgid "Network Groups"
 msgstr "Network Groups"
 
-#: ../../configuration/interfaces/wireless.rst:350
+#: ../../configuration/interfaces/wireless.rst:461
 msgid "Network ID (SSID) ``Enterprise-TEST``"
 msgstr "Network ID (SSID) ``Enterprise-TEST``"
 
-#: ../../configuration/interfaces/wireless.rst:550
+#: ../../configuration/interfaces/wireless.rst:674
 msgid "Network ID (SSID) ``TEST``"
 msgstr "Network ID (SSID) ``TEST``"
 
+#: ../../configuration/interfaces/wireless.rst:729
+msgid "Network ID (SSID) ``test.ax``"
+msgstr "Network ID (SSID) ``test.ax``"
+
 #: ../../configuration/protocols/pim.rst:-1
 msgid "Network Topology Diagram"
 msgstr "Network Topology Diagram"
@@ -9689,7 +11066,7 @@ msgstr "Network Topology Diagram"
 msgid "Network management station (NMS) - software which runs on the manager"
 msgstr "Network management station (NMS) - software which runs on the manager"
 
-#: ../../configuration/system/syslog.rst:126
+#: ../../configuration/system/syslog.rst:144
 msgid "Network news subsystem"
 msgstr "Network news subsystem"
 
@@ -9727,7 +11104,7 @@ msgstr "Nexthop IPv6 address to match."
 
 #: ../../configuration/system/ip.rst:47
 #: ../../configuration/system/ipv6.rst:43
-#: ../../configuration/vrf/index.rst:71
+#: ../../configuration/vrf/index.rst:67
 msgid "Nexthop Tracking"
 msgstr "Nexthop Tracking"
 
@@ -9737,6 +11114,12 @@ msgstr "Nexthop Tracking"
 msgid "Nexthop tracking resolve nexthops via the default route by default. This is enabled by default for a traditional profile of FRR which we use. It and can be disabled if you do not wan't to e.g. allow BGP to peer across the default route."
 msgstr "Nexthop tracking resolve nexthops via the default route by default. This is enabled by default for a traditional profile of FRR which we use. It and can be disabled if you do not wan't to e.g. allow BGP to peer across the default route."
 
+#: ../../configuration/system/ip.rst:49
+#: ../../configuration/system/ipv6.rst:45
+#: ../../configuration/vrf/index.rst:69
+msgid "Nexthop tracking resolve nexthops via the default route by default. This is enabled by default for a traditional profile of FRR which we use. It and can be disabled if you do not want to e.g. allow BGP to peer across the default route."
+msgstr "Nexthop tracking resolve nexthops via the default route by default. This is enabled by default for a traditional profile of FRR which we use. It and can be disabled if you do not want to e.g. allow BGP to peer across the default route."
+
 #: ../../configuration/protocols/rpki.rst:57
 msgid "No ROA exists which covers that prefix. Unfortunately this is the case for about 40%-50% of the prefixes which were announced to the :abbr:`DFZ (default-free zone)` at the start of 2024."
 msgstr "No ROA exists which covers that prefix. Unfortunately this is the case for about 40%-50% of the prefixes which were announced to the :abbr:`DFZ (default-free zone)` at the start of 2024."
@@ -9773,28 +11156,32 @@ msgstr "Non-transparent proxying requires that the client browsers be configured
 msgid "None of the operating systems have client software installed by default"
 msgstr "None of the operating systems have client software installed by default"
 
-#: ../../configuration/system/syslog.rst:185
+#: ../../configuration/system/syslog.rst:203
 msgid "Normal but significant conditions - conditions that are not error conditions, but that may require special handling."
 msgstr "Normal but significant conditions - conditions that are not error conditions, but that may require special handling."
 
+#: ../../configuration/nat/cgnat.rst:22
+msgid "Not all :rfc:`6888` requirements are implemented in CGNAT."
+msgstr "Not all :rfc:`6888` requirements are implemented in CGNAT."
+
 #: ../../configuration/interfaces/bonding.rst:51
 msgid "Not all transmit policies may be 802.3ad compliant, particularly in regards to the packet misordering requirements of section 43.2.4 of the 802.3ad standard."
 msgstr "Not all transmit policies may be 802.3ad compliant, particularly in regards to the packet misordering requirements of section 43.2.4 of the 802.3ad standard."
 
-#: ../../configuration/interfaces/openvpn.rst:127
+#: ../../configuration/interfaces/openvpn.rst:128
 msgid "Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary."
 msgstr "Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary."
 
-#: ../../configuration/system/syslog.rst:246
+#: ../../configuration/system/syslog.rst:264
 msgid "Note that deleting the log file does not stop the system from logging events. If you use this command while the system is logging events, old log events will be deleted, but events after the delete operation will be recorded in the new file. To delete the file altogether, first delete logging to the file using system syslog :ref:`custom-file` command, and then delete the file."
 msgstr "Note that deleting the log file does not stop the system from logging events. If you use this command while the system is logging events, old log events will be deleted, but events after the delete operation will be recorded in the new file. To delete the file altogether, first delete logging to the file using system syslog :ref:`custom-file` command, and then delete the file."
 
-#: ../../configuration/vpn/ipsec.rst:298
+#: ../../configuration/vpn/ipsec.rst:318
 #: ../../configuration/vpn/rsa-keys.rst:35
 msgid "Note the command with the public key (set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...')."
 msgstr "Note the command with the public key (set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...')."
 
-#: ../../configuration/system/syslog.rst:185
+#: ../../configuration/system/syslog.rst:203
 msgid "Notice"
 msgstr "Notice"
 
@@ -9802,15 +11189,23 @@ msgstr "Notice"
 msgid "Now configure conntrack-sync service on ``router1`` **and** ``router2``"
 msgstr "Now configure conntrack-sync service on ``router1`` **and** ``router2``"
 
-#: ../../configuration/vpn/ipsec.rst:301
+#: ../../configuration/vpn/ipsec.rst:321
 msgid "Now the noted public keys should be entered on the opposite routers."
 msgstr "Now the noted public keys should be entered on the opposite routers."
 
+#: ../../configuration/firewall/groups.rst:393
+msgid "Now the user can connect through ssh to the router (assuming ssh is configured)."
+msgstr "Now the user can connect through ssh to the router (assuming ssh is configured)."
+
+#: ../../configuration/firewall/groups.rst:393
+msgid "Now user can connect through ssh to the router (assuming ssh is configured)."
+msgstr "Now user can connect through ssh to the router (assuming ssh is configured)."
+
 #: ../../configuration/service/dhcp-server.rst:503
 msgid "Now we add the option to the scope, adapt to your setup"
 msgstr "Now we add the option to the scope, adapt to your setup"
 
-#: ../../configuration/interfaces/openvpn.rst:385
+#: ../../configuration/interfaces/openvpn.rst:389
 msgid "Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel endpoints. Since we want clients to access a specific network behind our router, we will use a push-route option for installing that route on clients."
 msgstr "Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel endpoints. Since we want clients to access a specific network behind our router, we will use a push-route option for installing that route on clients."
 
@@ -9822,11 +11217,11 @@ msgstr "Now when connecting the user will first be asked for the password and th
 msgid "Now you are ready to setup IPsec. The key points:"
 msgstr "Now you are ready to setup IPsec. The key points:"
 
-#: ../../configuration/vpn/ipsec.rst:315
+#: ../../configuration/vpn/ipsec.rst:335
 msgid "Now you are ready to setup IPsec. You'll need to use an ID instead of address for the peer."
 msgstr "Now you are ready to setup IPsec. You'll need to use an ID instead of address for the peer."
 
-#: ../../configuration/interfaces/wireless.rst:224
+#: ../../configuration/interfaces/wireless.rst:255
 msgid "Number of antennas on this card"
 msgstr "Number of antennas on this card"
 
@@ -9834,7 +11229,7 @@ msgstr "Number of antennas on this card"
 msgid "Number of bits of client IPv4 address to pass when sending EDNS Client Subnet address information."
 msgstr "Number of bits of client IPv4 address to pass when sending EDNS Client Subnet address information."
 
-#: ../../configuration/system/syslog.rst:231
+#: ../../configuration/system/syslog.rst:249
 msgid "Number of lines to be displayed, default 10"
 msgstr "Number of lines to be displayed, default 10"
 
@@ -9866,7 +11261,7 @@ msgstr "OSPFv3 (IPv6)"
 msgid "OTP-key generation"
 msgstr "OTP-key generation"
 
-#: ../../configuration/interfaces/ethernet.rst:57
+#: ../../configuration/interfaces/ethernet.rst:65
 msgid "Offloading"
 msgstr "Offloading"
 
@@ -9874,11 +11269,11 @@ msgstr "Offloading"
 msgid "Offset of the client's subnet in seconds from Coordinated Universal Time (UTC)"
 msgstr "Offset of the client's subnet in seconds from Coordinated Universal Time (UTC)"
 
-#: ../../configuration/trafficpolicy/index.rst:302
+#: ../../configuration/trafficpolicy/index.rst:352
 msgid "Often we need to embed one policy into another one. It is possible to do so on classful policies, by attaching a new policy into a class. For instance, you might want to apply different policies to the different classes of a Round-Robin policy you have configured."
 msgstr "Often we need to embed one policy into another one. It is possible to do so on classful policies, by attaching a new policy into a class. For instance, you might want to apply different policies to the different classes of a Round-Robin policy you have configured."
 
-#: ../../configuration/trafficpolicy/index.rst:219
+#: ../../configuration/trafficpolicy/index.rst:269
 msgid "Often you will also have to configure your *default* traffic in the same way you do with a class. *Default* can be considered a class as it behaves like that. It contains any traffic that did not match any of the defined classes, so it is like an open class, a class without matching filters."
 msgstr "Often you will also have to configure your *default* traffic in the same way you do with a class. *Default* can be considered a class as it behaves like that. It contains any traffic that did not match any of the defined classes, so it is like an open class, a class without matching filters."
 
@@ -9886,15 +11281,15 @@ msgstr "Often you will also have to configure your *default* traffic in the same
 msgid "On active router run:"
 msgstr "On active router run:"
 
-#: ../../configuration/interfaces/openvpn.rst:83
+#: ../../configuration/interfaces/openvpn.rst:84
 msgid "On both sides, you need to generate a self-signed certificate, preferrably using the \"ec\" (elliptic curve) type. You can generate them by executing command ``run generate pki certificate self-signed install <name>`` in the configuration mode. Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree. You can then review the proposed changes and commit them."
 msgstr "On both sides, you need to generate a self-signed certificate, preferrably using the \"ec\" (elliptic curve) type. You can generate them by executing command ``run generate pki certificate self-signed install <name>`` in the configuration mode. Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree. You can then review the proposed changes and commit them."
 
-#: ../../configuration/trafficpolicy/index.rst:487
+#: ../../configuration/trafficpolicy/index.rst:537
 msgid "On low rates (below 40Mbit) you may want to tune `quantum` down to something like 300 bytes."
 msgstr "On low rates (below 40Mbit) you may want to tune `quantum` down to something like 300 bytes."
 
-#: ../../configuration/highavailability/index.rst:226
+#: ../../configuration/highavailability/index.rst:230
 msgid "On most scenarios, there's no need to change specific parameters, and using default configuration is enough. But there are cases were extra configuration is needed."
 msgstr "On most scenarios, there's no need to change specific parameters, and using default configuration is enough. But there are cases were extra configuration is needed."
 
@@ -9906,29 +11301,29 @@ msgstr "On standby router run:"
 msgid "On systems with multiple redundant uplinks and routes, it's a good idea to use a dedicated address for management and dynamic routing protocols. However, assigning that address to a physical link is risky: if that link goes down, that address will become inaccessible. A common solution is to assign the management address to a loopback or a dummy interface and advertise that address via all physical links, so that it's reachable through any of them. Since in Linux-based systems, there can be only one loopback interface, it's better to use a dummy interface for that purpose, since they can be added, removed, and taken up and down independently."
 msgstr "On systems with multiple redundant uplinks and routes, it's a good idea to use a dedicated address for management and dynamic routing protocols. However, assigning that address to a physical link is risky: if that link goes down, that address will become inaccessible. A common solution is to assign the management address to a loopback or a dummy interface and advertise that address via all physical links, so that it's reachable through any of them. Since in Linux-based systems, there can be only one loopback interface, it's better to use a dummy interface for that purpose, since they can be added, removed, and taken up and down independently."
 
-#: ../../configuration/vpn/ipsec.rst:185
-#: ../../configuration/vpn/ipsec.rst:243
-#: ../../configuration/vpn/ipsec.rst:303
+#: ../../configuration/vpn/ipsec.rst:205
+#: ../../configuration/vpn/ipsec.rst:263
+#: ../../configuration/vpn/ipsec.rst:323
 #: ../../configuration/vpn/rsa-keys.rst:40
 msgid "On the LEFT:"
 msgstr "On the LEFT:"
 
-#: ../../configuration/vpn/ipsec.rst:318
+#: ../../configuration/vpn/ipsec.rst:338
 #: ../../configuration/vpn/rsa-keys.rst:59
 msgid "On the LEFT (static address):"
 msgstr "On the LEFT (static address):"
 
-#: ../../configuration/vpn/ipsec.rst:225
+#: ../../configuration/vpn/ipsec.rst:245
 msgid "On the RIGHT, setup by analogy and swap local and remote addresses."
 msgstr "On the RIGHT, setup by analogy and swap local and remote addresses."
 
-#: ../../configuration/vpn/ipsec.rst:254
-#: ../../configuration/vpn/ipsec.rst:309
+#: ../../configuration/vpn/ipsec.rst:274
+#: ../../configuration/vpn/ipsec.rst:329
 #: ../../configuration/vpn/rsa-keys.rst:46
 msgid "On the RIGHT:"
 msgstr "On the RIGHT:"
 
-#: ../../configuration/vpn/ipsec.rst:343
+#: ../../configuration/vpn/ipsec.rst:363
 #: ../../configuration/vpn/rsa-keys.rst:84
 msgid "On the RIGHT (dynamic address):"
 msgstr "On the RIGHT (dynamic address):"
@@ -9953,7 +11348,7 @@ msgstr "On the last hop router if it is desired to not switch over to the SPT tr
 msgid "On the responder, we need to set the local id so that initiator can know who's talking to it for the point #3 to work."
 msgstr "On the responder, we need to set the local id so that initiator can know who's talking to it for the point #3 to work."
 
-#: ../../configuration/trafficpolicy/index.rst:229
+#: ../../configuration/trafficpolicy/index.rst:279
 msgid "Once a class has a filter configured, you will also have to define what you want to do with the traffic of that class, what specific Traffic-Control treatment you want to give it. You will have different possibilities depending on the Traffic Policy you are configuring."
 msgstr "Once a class has a filter configured, you will also have to define what you want to do with the traffic of that class, what specific Traffic-Control treatment you want to give it. You will have different possibilities depending on the Traffic Policy you are configuring."
 
@@ -9965,15 +11360,23 @@ msgstr "Once a neighbor has been found, the entry is considered to be valid for
 msgid "Once a route is assessed a penalty, the penalty is decreased by half each time a predefined amount of time elapses (half-life-time). When the accumulated penalties fall below a predefined threshold (reuse-value), the route is unsuppressed and added back into the BGP routing table."
 msgstr "Once a route is assessed a penalty, the penalty is decreased by half each time a predefined amount of time elapses (half-life-time). When the accumulated penalties fall below a predefined threshold (reuse-value), the route is unsuppressed and added back into the BGP routing table."
 
-#: ../../configuration/trafficpolicy/index.rst:1220
+#: ../../configuration/trafficpolicy/index.rst:1270
 msgid "Once a traffic-policy is created, you can apply it to an interface:"
 msgstr "Once a traffic-policy is created, you can apply it to an interface:"
 
+#: ../../configuration/system/login.rst:237
+msgid "Once a user has 2FA/OTP configured against their account, they must login using their password with the OTP code appended to it. For example: If the users password is vyosrocks and the OTP code is 817454 then they would enter their password as vyosrocks817454"
+msgstr "Once a user has 2FA/OTP configured against their account, they must login using their password with the OTP code appended to it. For example: If the users password is vyosrocks and the OTP code is 817454 then they would enter their password as vyosrocks817454"
+
 #: ../../configuration/interfaces/pseudo-ethernet.rst:27
 msgid "Once created in the system, Pseudo-Ethernet interfaces can be referenced in the exact same way as other Ethernet interfaces. Notes about using Pseudo- Ethernet interfaces:"
 msgstr "Once created in the system, Pseudo-Ethernet interfaces can be referenced in the exact same way as other Ethernet interfaces. Notes about using Pseudo- Ethernet interfaces:"
 
-#: ../../configuration/system/flow-accounting.rst:177
+#: ../../configuration/firewall/groups.rst:172
+msgid "Once dynamic firewall groups are defined, they should be used in firewall rules in order to dynamically add elements to it."
+msgstr "Once dynamic firewall groups are defined, they should be used in firewall rules in order to dynamically add elements to it."
+
+#: ../../configuration/system/flow-accounting.rst:181
 msgid "Once flow accounting is configured on an interfaces it provides the ability to display captured network traffic information for all configured interfaces."
 msgstr "Once flow accounting is configured on an interfaces it provides the ability to display captured network traffic information for all configured interfaces."
 
@@ -9981,7 +11384,7 @@ msgstr "Once flow accounting is configured on an interfaces it provides the abil
 msgid "Once the command is completed, it will add the certificate to the configuration session, to the pki subtree. You can then review the proposed changes and commit them."
 msgstr "Once the command is completed, it will add the certificate to the configuration session, to the pki subtree. You can then review the proposed changes and commit them."
 
-#: ../../configuration/firewall/flowtables.rst:38
+#: ../../configuration/firewall/flowtables.rst:39
 msgid "Once the first packet of the flow successfully goes through the IP forwarding path (black circles path), from the second packet on, you might decide to offload the flow to the flowtable through your ruleset. The flowtable infrastructure provides a rule action that allows you to specify when to add a flow to the flowtable (On forward filtering, red circle number 6)"
 msgstr "Once the first packet of the flow successfully goes through the IP forwarding path (black circles path), from the second packet on, you might decide to offload the flow to the flowtable through your ruleset. The flowtable infrastructure provides a rule action that allows you to specify when to add a flow to the flowtable (On forward filtering, red circle number 6)"
 
@@ -9989,7 +11392,7 @@ msgstr "Once the first packet of the flow successfully goes through the IP forwa
 msgid "Once the local tunnel endpoint ``set service pppoe-server gateway-address '10.1.1.2'`` has been defined, the client IP pool can be either defined as a range or as subnet using CIDR notation. If the CIDR notation is used, multiple subnets can be setup which are used sequentially."
 msgstr "Once the local tunnel endpoint ``set service pppoe-server gateway-address '10.1.1.2'`` has been defined, the client IP pool can be either defined as a range or as subnet using CIDR notation. If the CIDR notation is used, multiple subnets can be setup which are used sequentially."
 
-#: ../../configuration/trafficpolicy/index.rst:576
+#: ../../configuration/trafficpolicy/index.rst:626
 msgid "Once the matching rules are set for a class, you can start configuring how you want matching traffic to behave."
 msgstr "Once the matching rules are set for a class, you can start configuring how you want matching traffic to behave."
 
@@ -9997,7 +11400,7 @@ msgstr "Once the matching rules are set for a class, you can start configuring h
 msgid "Once the user is connected, the user session is using the set limits and can be displayed via 'show pppoe-server sessions'."
 msgstr "Once the user is connected, the user session is using the set limits and can be displayed via 'show pppoe-server sessions'."
 
-#: ../../configuration/service/pppoe-server.rst:285
+#: ../../configuration/service/pppoe-server.rst:304
 msgid "Once the user is connected, the user session is using the set limits and can be displayed via ``show pppoe-server sessions``."
 msgstr "Once the user is connected, the user session is using the set limits and can be displayed via ``show pppoe-server sessions``."
 
@@ -10009,7 +11412,7 @@ msgstr "Once you commit the above changes you can create a config file in the /c
 msgid "Once you have an Ethernet device connected, i.e. `eth0`, then you can configure it to open the PPPoE session for you and your DSL Transceiver (Modem/Router) just acts to translate your messages in a way that vDSL/aDSL understands."
 msgstr "Once you have an Ethernet device connected, i.e. `eth0`, then you can configure it to open the PPPoE session for you and your DSL Transceiver (Modem/Router) just acts to translate your messages in a way that vDSL/aDSL understands."
 
-#: ../../configuration/vpn/sstp.rst:478
+#: ../../configuration/vpn/sstp.rst:488
 msgid "Once you have setup your SSTP server there comes the time to do some basic testing. The Linux client used for testing is called sstpc_. sstpc_ requires a PPP configuration/peer file."
 msgstr "Once you have setup your SSTP server there comes the time to do some basic testing. The Linux client used for testing is called sstpc_. sstpc_ requires a PPP configuration/peer file."
 
@@ -10033,7 +11436,7 @@ msgstr "One implicit environment exists."
 msgid "One of the important features built on top of the Netfilter framework is connection tracking. Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall."
 msgstr "One of the important features built on top of the Netfilter framework is connection tracking. Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall."
 
-#: ../../configuration/trafficpolicy/index.rst:411
+#: ../../configuration/trafficpolicy/index.rst:461
 msgid "One of the uses of Fair Queue might be the mitigation of Denial of Service attacks."
 msgstr "One of the uses of Fair Queue might be the mitigation of Denial of Service attacks."
 
@@ -10049,8 +11452,8 @@ msgstr "Only VRRP is supported. Required option."
 msgid "Only allow certain IP addresses or prefixes to access the https webserver."
 msgstr "Only allow certain IP addresses or prefixes to access the https webserver."
 
-#: ../../configuration/firewall/ipv4.rst:482
-#: ../../configuration/firewall/ipv6.rst:466
+#: ../../configuration/firewall/ipv4.rst:506
+#: ../../configuration/firewall/ipv6.rst:494
 msgid "Only in the source criteria, you can specify a mac-address."
 msgstr "Only in the source criteria, you can specify a mac-address."
 
@@ -10078,7 +11481,7 @@ msgstr "Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note t
 msgid "Only works with a VXLAN device with external flag set."
 msgstr "Only works with a VXLAN device with external flag set."
 
-#: ../../configuration/highavailability/index.rst:467
+#: ../../configuration/highavailability/index.rst:471
 msgid "Op-mode check virtual-server status"
 msgstr "Op-mode check virtual-server status"
 
@@ -10087,6 +11490,10 @@ msgid "OpenConnect"
 msgstr "OpenConnect"
 
 #: ../../configuration/vpn/openconnect.rst:7
+msgid "OpenConnect-compatible server feature has been available since Equuleus (1.3). Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol."
+msgstr "OpenConnect-compatible server feature has been available since Equuleus (1.3). Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol."
+
+#: ../../configuration/vpn/openconnect.rst:7
 msgid "OpenConnect-compatible server feature is available from this release. Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol."
 msgstr "OpenConnect-compatible server feature is available from this release. Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol."
 
@@ -10102,27 +11509,51 @@ msgstr "OpenConnect server matches the filename in a case sensitive manner, make
 msgid "OpenConnect supports a subset of it's configuration options to be applied on a per user/group basis, for configuration purposes we refer to this functionality as \"Identity based config\". The following `OpenConnect Server Manual <https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that% 20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group>`_ outlines the set of configuration options that are allowed. This can be leveraged to apply different sets of configs to different users or groups of users."
 msgstr "OpenConnect supports a subset of it's configuration options to be applied on a per user/group basis, for configuration purposes we refer to this functionality as \"Identity based config\". The following `OpenConnect Server Manual <https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that% 20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group>`_ outlines the set of configuration options that are allowed. This can be leveraged to apply different sets of configs to different users or groups of users."
 
+#: ../../configuration/protocols/openfabric.rst:5
+msgid "OpenFabric"
+msgstr "OpenFabric"
+
+#: ../../configuration/protocols/openfabric.rst:7
+msgid "OpenFabric, specified in `draft-white-openfabric-06.txt <https://datatracker.ietf.org/doc/html/draft-white-openfabric-06>`_, is a routing protocol derived from IS-IS, providing link-state routing with efficient flooding for topologies like spine-leaf networks."
+msgstr "OpenFabric, specified in `draft-white-openfabric-06.txt <https://datatracker.ietf.org/doc/html/draft-white-openfabric-06>`_, is a routing protocol derived from IS-IS, providing link-state routing with efficient flooding for topologies like spine-leaf networks."
+
+#: ../../configuration/protocols/openfabric.rst:65
+msgid "OpenFabric Global Configuration"
+msgstr "OpenFabric Global Configuration"
+
+#: ../../configuration/protocols/openfabric.rst:12
+msgid "OpenFabric a dual stack protocol. A single OpenFabric instance is able to perform routing for both IPv4 and IPv6."
+msgstr "OpenFabric a dual stack protocol. A single OpenFabric instance is able to perform routing for both IPv4 and IPv6."
+
 #: ../../configuration/interfaces/openvpn.rst:7
 #: ../../configuration/pki/index.rst:119
 msgid "OpenVPN"
 msgstr "OpenVPN"
 
-#: ../../configuration/interfaces/openvpn.rst:407
+#: ../../configuration/interfaces/openvpn.rst:411
 msgid "OpenVPN **will not** automatically create routes in the kernel for client subnets when they connect and will only use client-subnet association internally, so we need to create a route to the 10.23.0.0/20 network ourselves:"
 msgstr "OpenVPN **will not** automatically create routes in the kernel for client subnets when they connect and will only use client-subnet association internally, so we need to create a route to the 10.23.0.0/20 network ourselves:"
 
-#: ../../configuration/interfaces/openvpn.rst:669
+#: ../../configuration/interfaces/openvpn.rst:810
+msgid "OpenVPN DCO is not a fully supported OpenVPN feature, and is currently considered experimental. Furthermore, there are certain OpenVPN features and use cases that remain incompatible with DCO. To get a comprehensive understanding of the limitations associated with DCO, refer to the list of known limitations in the documentation."
+msgstr "OpenVPN DCO is not a fully supported OpenVPN feature, and is currently considered experimental. Furthermore, there are certain OpenVPN features and use cases that remain incompatible with DCO. To get a comprehensive understanding of the limitations associated with DCO, refer to the list of known limitations in the documentation."
+
+#: ../../configuration/interfaces/openvpn.rst:757
 msgid "OpenVPN DCO is not full OpenVPN features supported , is currently considered experimental. Furthermore, there are certain OpenVPN features and use cases that remain incompatible with DCO. To get a comprehensive understanding of the limitations associated with DCO, refer to the list of known limitations in the documentation."
 msgstr "OpenVPN DCO is not full OpenVPN features supported , is currently considered experimental. Furthermore, there are certain OpenVPN features and use cases that remain incompatible with DCO. To get a comprehensive understanding of the limitations associated with DCO, refer to the list of known limitations in the documentation."
 
-#: ../../configuration/interfaces/openvpn.rst:658
+#: ../../configuration/interfaces/openvpn.rst:799
 msgid "OpenVPN Data Channel Offload (DCO)"
 msgstr "OpenVPN Data Channel Offload (DCO)"
 
-#: ../../configuration/interfaces/openvpn.rst:660
+#: ../../configuration/interfaces/openvpn.rst:801
 msgid "OpenVPN Data Channel Offload (DCO) enables significant performance enhancement in encrypted OpenVPN data processing. By minimizing context switching for each packet, DCO effectively reduces overhead. This optimization is achieved by keeping most data handling tasks within the kernel, avoiding frequent switches between kernel and user space for encryption and packet handling."
 msgstr "OpenVPN Data Channel Offload (DCO) enables significant performance enhancement in encrypted OpenVPN data processing. By minimizing context switching for each packet, DCO effectively reduces overhead. This optimization is achieved by keeping most data handling tasks within the kernel, avoiding frequent switches between kernel and user space for encryption and packet handling."
 
+#: ../../configuration/interfaces/openvpn.rst:865
+msgid "OpenVPN Logs"
+msgstr "OpenVPN Logs"
+
 #: ../../configuration/interfaces/openvpn.rst:64
 msgid "OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for lossy connections; generally UDP is preferred when possible."
 msgstr "OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for lossy connections; generally UDP is preferred when possible."
@@ -10131,7 +11562,7 @@ msgstr "OpenVPN allows for either TCP or UDP. UDP will provide the lowest latenc
 msgid "OpenVPN is popular for client-server setups, but its site-to-site mode remains a relatively obscure feature, and many router appliances still don't support it. However, it's very useful for quickly setting up tunnels between routers."
 msgstr "OpenVPN is popular for client-server setups, but its site-to-site mode remains a relatively obscure feature, and many router appliances still don't support it. However, it's very useful for quickly setting up tunnels between routers."
 
-#: ../../configuration/interfaces/openvpn.rst:320
+#: ../../configuration/interfaces/openvpn.rst:324
 msgid "OpenVPN status can be verified using the `show openvpn` operational commands. See the built-in help for a complete list of options."
 msgstr "OpenVPN status can be verified using the `show openvpn` operational commands. See the built-in help for a complete list of options."
 
@@ -10143,15 +11574,15 @@ msgstr "Openconnect Configuration"
 msgid "Operating Modes"
 msgstr "Operating Modes"
 
-#: ../../configuration/interfaces/bonding.rst:512
+#: ../../configuration/interfaces/bonding.rst:565
 #: ../../configuration/interfaces/dummy.rst:51
-#: ../../configuration/interfaces/ethernet.rst:148
+#: ../../configuration/interfaces/ethernet.rst:164
 #: ../../configuration/interfaces/loopback.rst:41
 #: ../../configuration/interfaces/macsec.rst:106
 #: ../../configuration/interfaces/pppoe.rst:278
 #: ../../configuration/interfaces/sstp-client.rst:117
 #: ../../configuration/interfaces/virtual-ethernet.rst:55
-#: ../../configuration/interfaces/wireless.rst:416
+#: ../../configuration/interfaces/wireless.rst:534
 #: ../../configuration/interfaces/wwan.rst:79
 #: ../../configuration/pki/index.rst:321
 #: ../../configuration/protocols/igmp-proxy.rst:73
@@ -10163,38 +11594,44 @@ msgstr "Operating Modes"
 #: ../../configuration/service/dns.rst:276
 #: ../../configuration/service/lldp.rst:71
 #: ../../configuration/service/mdns.rst:79
-#: ../../configuration/service/ssh.rst:145
+#: ../../configuration/service/ssh.rst:165
 #: ../../configuration/service/webproxy.rst:330
 #: ../../configuration/system/default-route.rst:25
-#: ../../configuration/system/flow-accounting.rst:175
-#: ../../configuration/vrf/index.rst:130
-#: ../../configuration/vrf/index.rst:342
-#: ../../configuration/vrf/index.rst:522
+#: ../../configuration/system/flow-accounting.rst:179
+#: ../../configuration/vrf/index.rst:126
+#: ../../configuration/vrf/index.rst:338
+#: ../../configuration/vrf/index.rst:518
 msgid "Operation"
 msgstr "Operation"
 
-#: ../../configuration/firewall/groups.rst:186
-#: ../../configuration/firewall/zone.rst:128
+#: ../../configuration/firewall/groups.rst:397
+#: ../../configuration/firewall/zone.rst:125
 msgid "Operation-mode"
 msgstr "Operation-mode"
 
-#: ../../configuration/firewall/bridge.rst:284
-#: ../../configuration/firewall/ipv4.rst:977
-#: ../../configuration/firewall/ipv6.rst:962
+#: ../../configuration/firewall/bridge.rst:449
+#: ../../configuration/firewall/ipv4.rst:1081
+#: ../../configuration/firewall/ipv6.rst:1071
 msgid "Operation-mode Firewall"
 msgstr "Operation-mode Firewall"
 
-#: ../../configuration/container/index.rst:179
+#: ../../configuration/container/index.rst:234
 msgid "Operation Commands"
 msgstr "Operation Commands"
 
 #: ../../configuration/service/dhcp-server.rst:471
-#: ../../configuration/service/dhcp-server.rst:725
+#: ../../configuration/service/dhcp-server.rst:755
+#: ../../configuration/service/suricata.rst:78
 #: ../../configuration/system/acceleration.rst:42
+#: ../../configuration/vpn/ipsec.rst:592
 msgid "Operation Mode"
 msgstr "Operation Mode"
 
-#: ../../configuration/interfaces/wireless.rst:89
+#: ../../configuration/nat/cgnat.rst:155
+msgid "Operation commands"
+msgstr "Operation commands"
+
+#: ../../configuration/interfaces/wireless.rst:110
 msgid "Operation mode of wireless radio."
 msgstr "Operation mode of wireless radio."
 
@@ -10272,18 +11709,18 @@ msgstr "Optional Configuration"
 msgid "Optional parameter prefix-list can be use to control which groups to switch or not switch. If a group is PERMIT as per the prefix-list, then the SPT switchover does not happen for it and if it is DENY, then the SPT switchover happens."
 msgstr "Optional parameter prefix-list can be use to control which groups to switch or not switch. If a group is PERMIT as per the prefix-list, then the SPT switchover does not happen for it and if it is DENY, then the SPT switchover happens."
 
-#: ../../configuration/container/index.rst:47
+#: ../../configuration/container/index.rst:71
 msgid "Optionally set a specific static IPv4 or IPv6 address for the container. This address must be within the named network prefix."
 msgstr "Optionally set a specific static IPv4 or IPv6 address for the container. This address must be within the named network prefix."
 
-#: ../../configuration/interfaces/openvpn.rst:631
+#: ../../configuration/interfaces/openvpn.rst:639
 #: ../../configuration/service/dhcp-relay.rst:53
 #: ../../configuration/service/dhcp-relay.rst:160
 #: ../../configuration/service/dhcp-server.rst:280
 msgid "Options"
 msgstr "Options"
 
-#: ../../configuration/vpn/ipsec.rst:162
+#: ../../configuration/vpn/ipsec.rst:166
 msgid "Options (Global IPsec settings) Attributes"
 msgstr "Options (Global IPsec settings) Attributes"
 
@@ -10307,7 +11744,7 @@ msgstr "Order conntrackd to request a complete conntrack table resync against th
 msgid "Originate an AS-External (type-5) LSA describing a default route into all external-routing capable areas, of the specified metric and metric type. If the :cfgcmd:`always` keyword is given then the default is always advertised, even when there is no default present in the routing table. The argument :cfgcmd:`route-map` specifies to advertise the default route if the route map is satisfied."
 msgstr "Originate an AS-External (type-5) LSA describing a default route into all external-routing capable areas, of the specified metric and metric type. If the :cfgcmd:`always` keyword is given then the default is always advertised, even when there is no default present in the routing table. The argument :cfgcmd:`route-map` specifies to advertise the default route if the route map is satisfied."
 
-#: ../../configuration/service/pppoe-server.rst:312
+#: ../../configuration/service/pppoe-server.rst:331
 msgid "Other attributes can be used, but they have to be in one of the dictionaries in */usr/share/accel-ppp/radius*."
 msgstr "Other attributes can be used, but they have to be in one of the dictionaries in */usr/share/accel-ppp/radius*."
 
@@ -10351,12 +11788,21 @@ msgstr "Over UDP"
 msgid "Override static-mapping's name-server with a custom one that will be sent only to this host."
 msgstr "Override static-mapping's name-server with a custom one that will be sent only to this host."
 
-#: ../../configuration/firewall/bridge.rst:13
+#: ../../configuration/container/index.rst:37
+msgid "Override the default command from the image for a container."
+msgstr "Override the default command from the image for a container."
+
+#: ../../configuration/container/index.rst:33
+msgid "Override the default entrypoint from the image for a container."
+msgstr "Override the default entrypoint from the image for a container."
+
+#: ../../configuration/firewall/bridge.rst:11
 #: ../../configuration/firewall/flowtables.rst:13
 #: ../../configuration/firewall/global-options.rst:11
 #: ../../configuration/firewall/ipv4.rst:11
 #: ../../configuration/firewall/ipv6.rst:11
 #: ../../configuration/firewall/zone.rst:11
+#: ../../configuration/nat/cgnat.rst:15
 #: ../../configuration/nat/nat44.rst:68
 #: ../../configuration/nat/nat64.rst:18
 #: ../../configuration/nat/nat66.rst:15
@@ -10367,24 +11813,31 @@ msgstr "Overview"
 msgid "Overview and basic concepts"
 msgstr "Overview and basic concepts"
 
-#: ../../configuration/firewall/groups.rst:190
-#: ../../configuration/firewall/ipv6.rst:1117
+#: ../../configuration/firewall/groups.rst:402
+msgid "Overview of defined groups. You see the firewall group name, type, references (where the group is used), members, timeout and expiration (last two only present in dynamic firewall groups)."
+msgstr "Overview of defined groups. You see the firewall group name, type, references (where the group is used), members, timeout and expiration (last two only present in dynamic firewall groups)."
+
+#: ../../configuration/firewall/ipv6.rst:1227
 msgid "Overview of defined groups. You see the type, the members, and where the group is used."
 msgstr "Overview of defined groups. You see the type, the members, and where the group is used."
 
+#: ../../configuration/system/syslog.rst:35
+msgid "Overwrites the local system host name used in syslogs."
+msgstr "Overwrites the local system host name used in syslogs."
+
 #: ../../configuration/policy/examples.rst:106
 msgid "PBR multiple uplinks"
 msgstr "PBR multiple uplinks"
 
-#: ../../configuration/vrf/index.rst:263
+#: ../../configuration/vrf/index.rst:259
 msgid "PC1 is in the ``default`` VRF and acting as e.g. a \"fileserver\""
 msgstr "PC1 is in the ``default`` VRF and acting as e.g. a \"fileserver\""
 
-#: ../../configuration/vrf/index.rst:264
+#: ../../configuration/vrf/index.rst:260
 msgid "PC2 is in VRF ``blue`` which is the development department"
 msgstr "PC2 is in VRF ``blue`` which is the development department"
 
-#: ../../configuration/vrf/index.rst:265
+#: ../../configuration/vrf/index.rst:261
 msgid "PC3 and PC4 are connected to a bridge device on router ``R1`` which is in VRF ``red``. Say this is the HR department."
 msgstr "PC3 and PC4 are connected to a bridge device on router ``R1`` which is in VRF ``red``. Say this is the HR department."
 
@@ -10424,14 +11877,14 @@ msgstr "PIMv6 (Protocol Independent Multicast for IPv6) must be configured in ev
 msgid "PKI"
 msgstr "PKI"
 
-#: ../../configuration/interfaces/wireless.rst:130
+#: ../../configuration/interfaces/wireless.rst:156
 msgid "PPDU"
 msgstr "PPDU"
 
-#: ../../configuration/service/pppoe-server.rst:453
-#: ../../configuration/vpn/l2tp.rst:407
+#: ../../configuration/service/pppoe-server.rst:477
+#: ../../configuration/vpn/l2tp.rst:410
 #: ../../configuration/vpn/pptp.rst:331
-#: ../../configuration/vpn/sstp.rst:365
+#: ../../configuration/vpn/sstp.rst:368
 msgid "PPP Advanced Options"
 msgstr "PPP Advanced Options"
 
@@ -10455,10 +11908,28 @@ msgstr "PPPoE options"
 msgid "PPTP-Server"
 msgstr "PPTP-Server"
 
+#: ../../configuration/service/ntp.rst:174
+msgid "PTP Transport of NTP Packets"
+msgstr "PTP Transport of NTP Packets"
+
 #: ../../configuration/loadbalancing/wan.rst:104
 msgid "Packet-based balancing can lead to a better balance across interfaces when out of order packets are no issue. Per-packet-based balancing can be set for a balancing rule with:"
 msgstr "Packet-based balancing can lead to a better balance across interfaces when out of order packets are no issue. Per-packet-based balancing can be set for a balancing rule with:"
 
+#: ../../configuration/firewall/bridge.rst:390
+#: ../../configuration/firewall/ipv4.rst:984
+#: ../../configuration/firewall/ipv6.rst:974
+msgid "Packet Modifications"
+msgstr "Packet Modifications"
+
+#: ../../configuration/container/index.rst:179
+msgid "Parameters beginning with fs.mqueue.*"
+msgstr "Parameters beginning with fs.mqueue.*"
+
+#: ../../configuration/container/index.rst:180
+msgid "Parameters beginning with net.* (only if user-defined network is used)"
+msgstr "Parameters beginning with net.* (only if user-defined network is used)"
+
 #: ../../configuration/protocols/rpki.rst:69
 msgid "Particularly large networks may wish to run their own RPKI certificate authority and publication server instead of publishing ROAs via their RIR. This is a subject far beyond the scope of VyOS' documentation. Consider reading about Krill_ if this is a rabbit hole you need or especially want to dive down."
 msgstr "Particularly large networks may wish to run their own RPKI certificate authority and publication server instead of publishing ROAs via their RIR. This is a subject far beyond the scope of VyOS' documentation. Consider reading about Krill_ if this is a rabbit hole you need or especially want to dive down."
@@ -10515,19 +11986,19 @@ msgstr "Per default, interfaces used in a load balancing pool replace the source
 msgid "Per default VyOSs has minimal syslog logging enabled which is stored and rotated locally. Errors will be always logged to a local file, which includes `local7` error messages, emergency messages will be sent to the console, too."
 msgstr "Per default VyOSs has minimal syslog logging enabled which is stored and rotated locally. Errors will be always logged to a local file, which includes `local7` error messages, emergency messages will be sent to the console, too."
 
-#: ../../configuration/system/flow-accounting.rst:127
+#: ../../configuration/system/flow-accounting.rst:131
 msgid "Per default every packet is sampled (that is, the sampling rate is 1)."
 msgstr "Per default every packet is sampled (that is, the sampling rate is 1)."
 
-#: ../../configuration/service/pppoe-server.rst:556
+#: ../../configuration/service/pppoe-server.rst:581
 msgid "Per default the user session is being replaced if a second authentication request succeeds. Such session requests can be either denied or allowed entirely, which would allow multiple sessions for a user in the latter case. If it is denied, the second session is being rejected even if the authentication succeeds, the user has to terminate its first session and can then authentication again."
 msgstr "Per default the user session is being replaced if a second authentication request succeeds. Such session requests can be either denied or allowed entirely, which would allow multiple sessions for a user in the latter case. If it is denied, the second session is being rejected even if the authentication succeeds, the user has to terminate its first session and can then authentication again."
 
-#: ../../configuration/trafficpolicy/index.rst:1200
+#: ../../configuration/trafficpolicy/index.rst:1250
 msgid "Perform NAT lookup before applying flow-isolation rules."
 msgstr "Perform NAT lookup before applying flow-isolation rules."
 
-#: ../../configuration/system/option.rst:108
+#: ../../configuration/system/option.rst:128
 msgid "Performance"
 msgstr "Performance"
 
@@ -10535,11 +12006,11 @@ msgstr "Performance"
 msgid "Periodically, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to communicate information about the topology throughout the entire Bridged Local Area Network."
 msgstr "Periodically, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to communicate information about the topology throughout the entire Bridged Local Area Network."
 
-#: ../../configuration/vrf/index.rst:216
+#: ../../configuration/vrf/index.rst:212
 msgid "Ping command can be interrupted at any given time using ``<Ctrl>+c``. A brief statistic is shown afterwards."
 msgstr "Ping command can be interrupted at any given time using ``<Ctrl>+c``. A brief statistic is shown afterwards."
 
-#: ../../configuration/vrf/index.rst:202
+#: ../../configuration/vrf/index.rst:198
 msgid "Ping uses ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams (pings) will have an IP and ICMP header, followed by \"struct timeval\" and an arbitrary number of pad bytes used to fill out the packet."
 msgstr "Ping uses ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams (pings) will have an IP and ICMP header, followed by \"struct timeval\" and an arbitrary number of pad bytes used to fill out the packet."
 
@@ -10559,7 +12030,7 @@ msgstr "Play an audible beep to the system speaker when system is ready."
 msgid "Please, refer to appropiate section for more information about firewall configuration:"
 msgstr "Please, refer to appropiate section for more information about firewall configuration:"
 
-#: ../../configuration/firewall/index.rst:138
+#: ../../configuration/firewall/index.rst:185
 msgid "Please, refer to appropriate section for more information about firewall configuration:"
 msgstr "Please, refer to appropriate section for more information about firewall configuration:"
 
@@ -10627,24 +12098,36 @@ msgstr "Policy for checking targets"
 msgid "Policy to track previously established connections."
 msgstr "Policy to track previously established connections."
 
-#: ../../configuration/firewall/groups.rst:84
+#: ../../configuration/firewall/groups.rst:83
 msgid "Port Groups"
 msgstr "Port Groups"
 
-#: ../../configuration/interfaces/bonding.rst:282
-#: ../../configuration/interfaces/bridge.rst:188
-#: ../../configuration/interfaces/ethernet.rst:140
+#: ../../configuration/interfaces/bonding.rst:287
+#: ../../configuration/interfaces/bridge.rst:187
+#: ../../configuration/interfaces/ethernet.rst:156
 msgid "Port Mirror (SPAN)"
 msgstr "Port Mirror (SPAN)"
 
-#: ../../configuration/service/ipoe-server.rst:182
-#: ../../configuration/service/pppoe-server.rst:144
+#: ../../configuration/nat/cgnat.rst:52
+msgid "Port calculation"
+msgstr "Port calculation"
+
+#: ../../configuration/service/ipoe-server.rst:181
+#: ../../configuration/service/pppoe-server.rst:152
 #: ../../configuration/vpn/l2tp.rst:187
 #: ../../configuration/vpn/pptp.rst:127
 #: ../../configuration/vpn/sstp.rst:160
 msgid "Port for Dynamic Authorization Extension server (DM/CoA)"
 msgstr "Port for Dynamic Authorization Extension server (DM/CoA)"
 
+#: ../../configuration/service/suricata.rst:53
+msgid "Port groups are useful when you need to create rules that apply to specific ports. For example, if you want to create a rule that monitors traffic directed to a specific port or group of ports, you can use the group name instead of the actual port. This also simplifies rule management and makes the configuration more flexible."
+msgstr "Port groups are useful when you need to create rules that apply to specific ports. For example, if you want to create a rule that monitors traffic directed to a specific port or group of ports, you can use the group name instead of the actual port. This also simplifies rule management and makes the configuration more flexible."
+
+#: ../../configuration/firewall/groups.rst:283
+msgid "Port knocking example"
+msgstr "Port knocking example"
+
 #: ../../configuration/service/lldp.rst:27
 msgid "Port name and description"
 msgstr "Port name and description"
@@ -10665,12 +12148,12 @@ msgstr "Port to listen for HTTPS requests; default 443"
 msgid "Portions of the network which are VLAN-aware (i.e., IEEE 802.1q_ conformant) can include VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native VLAN."
 msgstr "Portions of the network which are VLAN-aware (i.e., IEEE 802.1q_ conformant) can include VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native VLAN."
 
-#: ../../configuration/interfaces/openvpn.rst:169
+#: ../../configuration/interfaces/openvpn.rst:170
 msgid "Pre-shared keys"
 msgstr "Pre-shared keys"
 
-#: ../../configuration/trafficpolicy/index.rst:787
-#: ../../configuration/trafficpolicy/index.rst:862
+#: ../../configuration/trafficpolicy/index.rst:837
+#: ../../configuration/trafficpolicy/index.rst:912
 msgid "Precedence"
 msgstr "Precedence"
 
@@ -10778,24 +12261,32 @@ msgstr "Prepend the given string of AS numbers to the AS_PATH of the BGP path's
 msgid "Principle of SNMP Communication"
 msgstr "Principle of SNMP Communication"
 
-#: ../../configuration/vrf/index.rst:551
+#: ../../configuration/vrf/index.rst:547
 msgid "Print a summary of neighbor connections for the specified AFI/SAFI combination."
 msgstr "Print a summary of neighbor connections for the specified AFI/SAFI combination."
 
-#: ../../configuration/vrf/index.rst:530
+#: ../../configuration/vrf/index.rst:526
 msgid "Print active IPV4 or IPV6 routes advertised via the VPN SAFI."
 msgstr "Print active IPV4 or IPV6 routes advertised via the VPN SAFI."
 
-#: ../../configuration/trafficpolicy/index.rst:787
-#: ../../configuration/trafficpolicy/index.rst:801
+#: ../../configuration/vpn/ipsec.rst:622
+msgid "Print out the list of existing crypto policies"
+msgstr "Print out the list of existing crypto policies"
+
+#: ../../configuration/vpn/ipsec.rst:635
+msgid "Print out the list of existing in-kernel crypto state"
+msgstr "Print out the list of existing in-kernel crypto state"
+
+#: ../../configuration/trafficpolicy/index.rst:837
+#: ../../configuration/trafficpolicy/index.rst:851
 msgid "Priority"
 msgstr "Priority"
 
-#: ../../configuration/trafficpolicy/index.rst:688
+#: ../../configuration/trafficpolicy/index.rst:738
 msgid "Priority Queue"
 msgstr "Priority Queue"
 
-#: ../../configuration/trafficpolicy/index.rst:698
+#: ../../configuration/trafficpolicy/index.rst:748
 msgid "Priority Queue, as other non-shaping policies, is only useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and Priority Queue will have no effect. If there is bandwidth available on the physical link, you can embed_ Priority Queue into a classful shaping policy to make sure it owns the queue. In that case packets can be prioritized based on DSCP."
 msgstr "Priority Queue, as other non-shaping policies, is only useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and Priority Queue will have no effect. If there is bandwidth available on the physical link, you can embed_ Priority Queue into a classful shaping policy to make sure it owns the queue. In that case packets can be prioritized based on DSCP."
 
@@ -10803,7 +12294,7 @@ msgstr "Priority Queue, as other non-shaping policies, is only useful if your ou
 msgid "Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received)."
 msgstr "Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received)."
 
-#: ../../configuration/vpn/ipsec.rst:544
+#: ../../configuration/vpn/ipsec.rst:564
 msgid "Profile generation happens from the operational level and is as simple as issuing the following command to create a profile to connect to the IKEv2 access server at ``vpn.vyos.net`` with the configuration for the ``rw`` remote-access connection group."
 msgstr "Profile generation happens from the operational level and is as simple as issuing the following command to create a profile to connect to the IKEv2 access server at ``vpn.vyos.net`` with the configuration for the ``rw`` remote-access connection group."
 
@@ -10811,7 +12302,7 @@ msgstr "Profile generation happens from the operational level and is as simple a
 msgid "Prometheus-client"
 msgstr "Prometheus-client"
 
-#: ../../configuration/service/ssh.rst:114
+#: ../../configuration/service/ssh.rst:134
 msgid "Protects host from brute-force attacks against SSH. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval."
 msgstr "Protects host from brute-force attacks against SSH. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval."
 
@@ -10831,7 +12322,7 @@ msgstr "Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp."
 msgid "Provide TFTP server listening on both IPv4 and IPv6 addresses ``192.0.2.1`` and ``2001:db8::1`` serving the content from ``/config/tftpboot``. Uploading via TFTP to this server is disabled."
 msgstr "Provide TFTP server listening on both IPv4 and IPv6 addresses ``192.0.2.1`` and ``2001:db8::1`` serving the content from ``/config/tftpboot``. Uploading via TFTP to this server is disabled."
 
-#: ../../configuration/firewall/groups.rst:39
+#: ../../configuration/firewall/groups.rst:38
 msgid "Provide a IPv4 or IPv6 address group description"
 msgstr "Provide a IPv4 or IPv6 address group description"
 
@@ -10839,25 +12330,26 @@ msgstr "Provide a IPv4 or IPv6 address group description"
 msgid "Provide a IPv4 or IPv6 network group description."
 msgstr "Provide a IPv4 or IPv6 network group description."
 
-#: ../../configuration/firewall/ipv4.rst:285
-#: ../../configuration/firewall/ipv6.rst:285
+#: ../../configuration/firewall/bridge.rst:307
+#: ../../configuration/firewall/ipv4.rst:310
+#: ../../configuration/firewall/ipv6.rst:310
 #: ../../configuration/policy/route.rst:30
 msgid "Provide a description for each rule."
 msgstr "Provide a description for each rule."
 
-#: ../../configuration/firewall/flowtables.rst:75
+#: ../../configuration/firewall/flowtables.rst:76
 msgid "Provide a description to the flow table."
 msgstr "Provide a description to the flow table."
 
-#: ../../configuration/firewall/groups.rst:141
+#: ../../configuration/firewall/groups.rst:140
 msgid "Provide a domain group description."
 msgstr "Provide a domain group description."
 
-#: ../../configuration/firewall/groups.rst:124
+#: ../../configuration/firewall/groups.rst:123
 msgid "Provide a mac group description."
 msgstr "Provide a mac group description."
 
-#: ../../configuration/firewall/groups.rst:106
+#: ../../configuration/firewall/groups.rst:105
 msgid "Provide a port group description."
 msgstr "Provide a port group description."
 
@@ -10865,17 +12357,17 @@ msgstr "Provide a port group description."
 msgid "Provide a rule-set description."
 msgstr "Provide a rule-set description."
 
-#: ../../configuration/firewall/bridge.rst:205
-#: ../../configuration/firewall/ipv4.rst:275
-#: ../../configuration/firewall/ipv6.rst:275
+#: ../../configuration/firewall/bridge.rst:294
+#: ../../configuration/firewall/ipv4.rst:300
+#: ../../configuration/firewall/ipv6.rst:300
 msgid "Provide a rule-set description to a custom firewall chain."
 msgstr "Provide a rule-set description to a custom firewall chain."
 
-#: ../../configuration/firewall/groups.rst:63
+#: ../../configuration/firewall/groups.rst:62
 msgid "Provide an IPv4 or IPv6 network group description."
 msgstr "Provide an IPv4 or IPv6 network group description."
 
-#: ../../configuration/firewall/groups.rst:81
+#: ../../configuration/firewall/groups.rst:80
 msgid "Provide an interface group description"
 msgstr "Provide an interface group description"
 
@@ -10911,17 +12403,17 @@ msgstr "Pseudo-Ethernet or MACVLAN interfaces can be seen as subinterfaces to re
 msgid "Pseudo Ethernet/MACVLAN options"
 msgstr "Pseudo Ethernet/MACVLAN options"
 
-#: ../../configuration/container/index.rst:74
+#: ../../configuration/container/index.rst:99
 msgid "Publish a port for the container."
 msgstr "Publish a port for the container."
 
-#: ../../configuration/container/index.rst:183
+#: ../../configuration/container/index.rst:238
 msgid "Pull a new image for container"
 msgstr "Pull a new image for container"
 
-#: ../../configuration/interfaces/ethernet.rst:133
+#: ../../configuration/interfaces/ethernet.rst:149
 #: ../../configuration/interfaces/virtual-ethernet.rst:39
-#: ../../configuration/interfaces/wireless.rst:408
+#: ../../configuration/interfaces/wireless.rst:526
 msgid "QinQ (802.1ad)"
 msgstr "QinQ (802.1ad)"
 
@@ -10941,7 +12433,7 @@ msgstr "Queue size for syncing conntrack entries in MB."
 msgid "Quotes can be used inside parameter values by replacing all quote characters with the string ``&quot;``. They will be replaced with literal quote characters when generating dhcpd.conf."
 msgstr "Quotes can be used inside parameter values by replacing all quote characters with the string ``&quot;``. They will be replaced with literal quote characters when generating dhcpd.conf."
 
-#: ../../configuration/nat/nat66.rst:118
+#: ../../configuration/nat/nat66.rst:130
 msgid "R1:"
 msgstr "R1:"
 
@@ -10949,11 +12441,11 @@ msgstr "R1:"
 msgid "R1 has 192.0.2.1/24 & 2001:db8::1/64"
 msgstr "R1 has 192.0.2.1/24 & 2001:db8::1/64"
 
-#: ../../configuration/vrf/index.rst:267
+#: ../../configuration/vrf/index.rst:263
 msgid "R1 is managed through an out-of-band network that resides in VRF ``mgmt``"
 msgstr "R1 is managed through an out-of-band network that resides in VRF ``mgmt``"
 
-#: ../../configuration/nat/nat66.rst:131
+#: ../../configuration/nat/nat66.rst:143
 msgid "R2:"
 msgstr "R2:"
 
@@ -10961,7 +12453,7 @@ msgstr "R2:"
 msgid "R2 has 192.0.2.2/24 & 2001:db8::2/64"
 msgstr "R2 has 192.0.2.2/24 & 2001:db8::2/64"
 
-#: ../../configuration/system/login.rst:238
+#: ../../configuration/system/login.rst:244
 msgid "RADIUS"
 msgstr "RADIUS"
 
@@ -10973,8 +12465,8 @@ msgstr "RADIUS Setup"
 msgid "RADIUS advanced features"
 msgstr "RADIUS advanced features"
 
-#: ../../configuration/service/ipoe-server.rst:158
-#: ../../configuration/service/pppoe-server.rst:120
+#: ../../configuration/service/ipoe-server.rst:157
+#: ../../configuration/service/pppoe-server.rst:122
 #: ../../configuration/vpn/l2tp.rst:163
 #: ../../configuration/vpn/pptp.rst:103
 #: ../../configuration/vpn/sstp.rst:136
@@ -10993,22 +12485,42 @@ msgstr "RADIUS bandwidth shaping attribute"
 msgid "RADIUS provides the IP addresses in the example above via Framed-IP-Address."
 msgstr "RADIUS provides the IP addresses in the example above via Framed-IP-Address."
 
-#: ../../configuration/interfaces/wireless.rst:354
+#: ../../configuration/interfaces/wireless.rst:465
 msgid "RADIUS server at ``192.168.3.10`` with shared-secret ``VyOSPassword``"
 msgstr "RADIUS server at ``192.168.3.10`` with shared-secret ``VyOSPassword``"
 
-#: ../../configuration/system/login.rst:270
+#: ../../configuration/system/login.rst:276
 msgid "RADIUS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address of each RADIUS query can be configured."
 msgstr "RADIUS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address of each RADIUS query can be configured."
 
-#: ../../configuration/service/ipoe-server.rst:144
-#: ../../configuration/service/pppoe-server.rst:106
+#: ../../configuration/service/ipoe-server.rst:143
+#: ../../configuration/service/pppoe-server.rst:107
 #: ../../configuration/vpn/l2tp.rst:149
 #: ../../configuration/vpn/pptp.rst:89
 #: ../../configuration/vpn/sstp.rst:122
 msgid "RADIUS source address"
 msgstr "RADIUS source address"
 
+#: ../../configuration/nat/cgnat.rst:26
+msgid "REQ 2: A CGN must have a default \"IP address pooling\" behavior of \"Paired\". CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols."
+msgstr "REQ 2: A CGN must have a default \"IP address pooling\" behavior of \"Paired\". CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols."
+
+#: ../../configuration/nat/cgnat.rst:30
+msgid "REQ 3: The CGN function should not have any limitations on the size or the contiguity of the external address pool."
+msgstr "REQ 3: The CGN function should not have any limitations on the size or the contiguity of the external address pool."
+
+#: ../../configuration/nat/cgnat.rst:32
+msgid "REQ 4: A CGN must support limiting the number of external ports (or, equivalently, \"identifiers\" for ICMP) that are assigned per subscriber"
+msgstr "REQ 4: A CGN must support limiting the number of external ports (or, equivalently, \"identifiers\" for ICMP) that are assigned per subscriber"
+
+#: ../../configuration/service/https.rst:71
+msgid "REST"
+msgstr "REST"
+
+#: ../../configuration/highavailability/index.rst:223
+msgid "RFC 3768 creates a virtual interface. If you want to apply the destination NAT rule to the traffic sent to the virtual MAC, set the created virtual interface as `inbound-interface`."
+msgstr "RFC 3768 creates a virtual interface. If you want to apply the destination NAT rule to the traffic sent to the virtual MAC, set the created virtual interface as `inbound-interface`."
+
 #: ../../configuration/highavailability/index.rst:202
 msgid "RFC 3768 defines a virtual MAC address to each VRRP virtual router. This virtual router MAC address will be used as the source in all periodic VRRP messages sent by the active node. When the rfc3768-compatibility option is set, a new VRRP interface is created, to which the MAC address and the virtual IP address is automatically assigned."
 msgstr "RFC 3768 defines a virtual MAC address to each VRRP virtual router. This virtual router MAC address will be used as the source in all periodic VRRP messages sent by the active node. When the rfc3768-compatibility option is set, a new VRRP interface is created, to which the MAC address and the virtual IP address is automatically assigned."
@@ -11045,11 +12557,11 @@ msgstr "RSA-Keys"
 msgid "RSA can be used for services such as key exchanges and for encryption purposes. To make IPSec work with dynamic address on one/both sides, we will have to use RSA keys for authentication. They are very fast and easy to setup."
 msgstr "RSA can be used for services such as key exchanges and for encryption purposes. To make IPSec work with dynamic address on one/both sides, we will have to use RSA keys for authentication. They are very fast and easy to setup."
 
-#: ../../configuration/trafficpolicy/index.rst:763
+#: ../../configuration/trafficpolicy/index.rst:813
 msgid "Random-Detect"
 msgstr "Random-Detect"
 
-#: ../../configuration/trafficpolicy/index.rst:807
+#: ../../configuration/trafficpolicy/index.rst:857
 msgid "Random-Detect could be useful for heavy traffic. One use of this algorithm might be to prevent a backbone overload. But only for TCP (because dropped packets could be retransmitted), not for UDP."
 msgstr "Random-Detect could be useful for heavy traffic. One use of this algorithm might be to prevent a backbone overload. But only for TCP (because dropped packets could be retransmitted), not for UDP."
 
@@ -11064,15 +12576,15 @@ msgstr "Range is 1 to 255, default is 1."
 msgid "Range is 1 to 300, default is 10."
 msgstr "Range is 1 to 300, default is 10."
 
-#: ../../configuration/trafficpolicy/index.rst:952
+#: ../../configuration/trafficpolicy/index.rst:1002
 msgid "Rate-Control is a CPU-friendly policy. You might consider using it when you just simply want to slow traffic down."
 msgstr "Rate-Control is a CPU-friendly policy. You might consider using it when you just simply want to slow traffic down."
 
-#: ../../configuration/trafficpolicy/index.rst:918
+#: ../../configuration/trafficpolicy/index.rst:968
 msgid "Rate-Control is a classless policy that limits the packet flow to a set rate. It is a pure shaper, it does not schedule traffic. Traffic is filtered based on the expenditure of tokens. Tokens roughly correspond to bytes."
 msgstr "Rate-Control is a classless policy that limits the packet flow to a set rate. It is a pure shaper, it does not schedule traffic. Traffic is filtered based on the expenditure of tokens. Tokens roughly correspond to bytes."
 
-#: ../../configuration/trafficpolicy/index.rst:913
+#: ../../configuration/trafficpolicy/index.rst:963
 msgid "Rate Control"
 msgstr "Rate Control"
 
@@ -11080,6 +12592,19 @@ msgstr "Rate Control"
 msgid "Rate limit"
 msgstr "Rate limit"
 
+#: ../../configuration/vpn/l2tp.rst:389
+#: ../../configuration/vpn/sstp.rst:347
+msgid "Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s."
+msgstr "Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s."
+
+#: ../../configuration/vpn/l2tp.rst:394
+msgid "Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s"
+msgstr "Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s"
+
+#: ../../configuration/vpn/sstp.rst:352
+msgid "Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s."
+msgstr "Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s."
+
 #: ../../configuration/service/dhcp-server.rst:395
 #: ../../configuration/service/dhcp-server.rst:471
 msgid "Raw Parameters"
@@ -11089,11 +12614,11 @@ msgstr "Raw Parameters"
 msgid "Raw parameters can be passed to shared-network-name, subnet and static-mapping:"
 msgstr "Raw parameters can be passed to shared-network-name, subnet and static-mapping:"
 
-#: ../../configuration/service/ssh.rst:162
+#: ../../configuration/service/ssh.rst:182
 msgid "Re-generated a known pub/private keyfile which can be used to connect to other services (e.g. RPKI cache)."
 msgstr "Re-generated a known pub/private keyfile which can be used to connect to other services (e.g. RPKI cache)."
 
-#: ../../configuration/service/ssh.rst:154
+#: ../../configuration/service/ssh.rst:174
 msgid "Re-generated the public/private keyportion which SSH uses to secure connections."
 msgstr "Re-generated the public/private keyportion which SSH uses to secure connections."
 
@@ -11101,15 +12626,15 @@ msgstr "Re-generated the public/private keyportion which SSH uses to secure conn
 msgid "Reachable Time"
 msgstr "Reachable Time"
 
-#: ../../configuration/highavailability/index.rst:398
+#: ../../configuration/highavailability/index.rst:402
 msgid "Real server"
 msgstr "Real server"
 
-#: ../../configuration/highavailability/index.rst:399
+#: ../../configuration/highavailability/index.rst:403
 msgid "Real server IP address and port"
 msgstr "Real server IP address and port"
 
-#: ../../configuration/highavailability/index.rst:414
+#: ../../configuration/highavailability/index.rst:418
 msgid "Real server is auto-excluded if port check with this server fail."
 msgstr "Real server is auto-excluded if port check with this server fail."
 
@@ -11117,8 +12642,8 @@ msgstr "Real server is auto-excluded if port check with this server fail."
 msgid "Receive traffic from connections created by the server is also balanced. When the local system sends an ARP Request the bonding driver copies and saves the peer's IP information from the ARP packet. When the ARP Reply arrives from the peer, its hardware address is retrieved and the bonding driver initiates an ARP reply to this peer assigning it to one of the slaves in the bond. A problematic outcome of using ARP negotiation for balancing is that each time that an ARP request is broadcast it uses the hardware address of the bond. Hence, peers learn the hardware address of the bond and the balancing of receive traffic collapses to the current slave. This is handled by sending updates (ARP Replies) to all the peers with their individually assigned hardware address such that the traffic is redistributed. Receive traffic is also redistributed when a new slave is added to the bond and when an inactive slave is re-activated. The receive load is distributed sequentially (round robin) among the group of highest speed slaves in the bond."
 msgstr "Receive traffic from connections created by the server is also balanced. When the local system sends an ARP Request the bonding driver copies and saves the peer's IP information from the ARP packet. When the ARP Reply arrives from the peer, its hardware address is retrieved and the bonding driver initiates an ARP reply to this peer assigning it to one of the slaves in the bond. A problematic outcome of using ARP negotiation for balancing is that each time that an ARP request is broadcast it uses the hardware address of the bond. Hence, peers learn the hardware address of the bond and the balancing of receive traffic collapses to the current slave. This is handled by sending updates (ARP Replies) to all the peers with their individually assigned hardware address such that the traffic is redistributed. Receive traffic is also redistributed when a new slave is added to the bond and when an inactive slave is re-activated. The receive load is distributed sequentially (round robin) among the group of highest speed slaves in the bond."
 
-#: ../../configuration/service/ipoe-server.rst:227
-#: ../../configuration/service/pppoe-server.rst:189
+#: ../../configuration/service/ipoe-server.rst:226
+#: ../../configuration/service/pppoe-server.rst:206
 #: ../../configuration/vpn/l2tp.rst:232
 #: ../../configuration/vpn/pptp.rst:172
 #: ../../configuration/vpn/sstp.rst:205
@@ -11133,7 +12658,7 @@ msgstr "Recommended for larger installations."
 msgid "Record types"
 msgstr "Record types"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:211
+#: ../../configuration/loadbalancing/haproxy.rst:263
 msgid "Redirect HTTP to HTTPS"
 msgstr "Redirect HTTP to HTTPS"
 
@@ -11145,7 +12670,7 @@ msgstr "Redirect Microsoft RDP traffic from the internal (LAN, private) network
 msgid "Redirect Microsoft RDP traffic from the outside (WAN, external) world via :ref:`destination-nat` in rule 100 to the internal, private host 192.0.2.40."
 msgstr "Redirect Microsoft RDP traffic from the outside (WAN, external) world via :ref:`destination-nat` in rule 100 to the internal, private host 192.0.2.40."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:91
+#: ../../configuration/loadbalancing/haproxy.rst:103
 msgid "Redirect URL to a new location"
 msgstr "Redirect URL to a new location"
 
@@ -11165,9 +12690,9 @@ msgstr "Redundancy and load sharing. There are multiple NAT66 devices at the edg
 msgid "Register DNS record ``example.vyos.io`` on DNS server ``ns1.vyos.io``"
 msgstr "Register DNS record ``example.vyos.io`` on DNS server ``ns1.vyos.io``"
 
-#: ../../configuration/interfaces/ethernet.rst:126
+#: ../../configuration/interfaces/ethernet.rst:142
 #: ../../configuration/interfaces/virtual-ethernet.rst:33
-#: ../../configuration/interfaces/wireless.rst:401
+#: ../../configuration/interfaces/wireless.rst:519
 msgid "Regular VLANs (802.1q)"
 msgstr "Regular VLANs (802.1q)"
 
@@ -11191,7 +12716,7 @@ msgstr "Regular expression to match against an extended community list, where te
 msgid "Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting."
 msgstr "Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting."
 
-#: ../../configuration/service/ssh.rst:135
+#: ../../configuration/service/ssh.rst:155
 msgid "Remember source IP in seconds before reset their score. The default is 1800."
 msgstr "Remember source IP in seconds before reset their score. The default is 1800."
 
@@ -11207,8 +12732,8 @@ msgstr "Remote Access \"RoadWarrior\" Example"
 msgid "Remote Access \"RoadWarrior\" clients"
 msgstr "Remote Access \"RoadWarrior\" clients"
 
-#: ../../configuration/interfaces/openvpn.rst:152
-#: ../../configuration/interfaces/openvpn.rst:247
+#: ../../configuration/interfaces/openvpn.rst:153
+#: ../../configuration/interfaces/openvpn.rst:249
 msgid "Remote Configuration:"
 msgstr "Remote Configuration:"
 
@@ -11216,10 +12741,18 @@ msgstr "Remote Configuration:"
 msgid "Remote Configuration - Annotated:"
 msgstr "Remote Configuration - Annotated:"
 
-#: ../../configuration/system/syslog.rst:54
+#: ../../configuration/system/syslog.rst:72
 msgid "Remote Host"
 msgstr "Remote Host"
 
+#: ../../configuration/service/monitoring.rst:140
+msgid "Remote Loki port"
+msgstr "Remote Loki port"
+
+#: ../../configuration/service/monitoring.rst:146
+msgid "Remote Loki url"
+msgstr "Remote Loki url"
+
 #: ../../configuration/service/monitoring.rst:130
 msgid "Remote URL"
 msgstr "Remote URL"
@@ -11256,14 +12789,14 @@ msgstr "Remote port"
 msgid "Remote transmission interval will be multiplied by this value"
 msgstr "Remote transmission interval will be multiplied by this value"
 
-#: ../../configuration/service/pppoe-server.rst:217
-#: ../../configuration/vpn/l2tp.rst:260
+#: ../../configuration/service/pppoe-server.rst:236
+#: ../../configuration/vpn/l2tp.rst:263
 #: ../../configuration/vpn/pptp.rst:200
-#: ../../configuration/vpn/sstp.rst:233
+#: ../../configuration/vpn/sstp.rst:236
 msgid "Renaming clients interfaces by RADIUS"
 msgstr "Renaming clients interfaces by RADIUS"
 
-#: ../../configuration/interfaces/openvpn.rst:129
+#: ../../configuration/interfaces/openvpn.rst:130
 msgid "Repeat the procedure on the other router."
 msgstr "Repeat the procedure on the other router."
 
@@ -11279,10 +12812,10 @@ msgstr "Request only a temporary address and not form an IA_NA (Identity Associa
 msgid "Requests are forwarded through ``eth2`` as the `upstream interface`"
 msgstr "Requests are forwarded through ``eth2`` as the `upstream interface`"
 
-#: ../../configuration/service/pppoe-server.rst:442
-#: ../../configuration/vpn/l2tp.rst:396
+#: ../../configuration/service/pppoe-server.rst:465
+#: ../../configuration/vpn/l2tp.rst:399
 #: ../../configuration/vpn/pptp.rst:320
-#: ../../configuration/vpn/sstp.rst:354
+#: ../../configuration/vpn/sstp.rst:357
 msgid "Require the peer to authenticate itself using one of the following protocols: pap, chap, mschap, mschap-v2."
 msgstr "Require the peer to authenticate itself using one of the following protocols: pap, chap, mschap, mschap-v2."
 
@@ -11294,20 +12827,32 @@ msgstr "Requirements"
 msgid "Requirements:"
 msgstr "Requirements:"
 
-#: ../../configuration/firewall/ipv4.rst:949
-#: ../../configuration/firewall/ipv6.rst:935
+#: ../../configuration/firewall/ipv4.rst:1054
+#: ../../configuration/firewall/ipv6.rst:1044
 msgid "Requirements to enable synproxy:"
 msgstr "Requirements to enable synproxy:"
 
+#: ../../configuration/nat/cgnat.rst:59
+msgid "Reserved Ports: Assume 1024 ports are reserved for well-known services and administrative purposes."
+msgstr "Reserved Ports: Assume 1024 ports are reserved for well-known services and administrative purposes."
+
 #: ../../configuration/protocols/bgp.rst:1086
 #: ../../configuration/protocols/mpls.rst:248
 msgid "Reset"
 msgstr "Reset"
 
-#: ../../configuration/interfaces/openvpn.rst:725
+#: ../../configuration/interfaces/openvpn.rst:878
 msgid "Reset OpenVPN"
 msgstr "Reset OpenVPN"
 
+#: ../../configuration/vpn/ipsec.rst:647
+msgid "Reset all site-to-site IPSec VPN sessions. It terminates all active child_sa and reinitiates the connection."
+msgstr "Reset all site-to-site IPSec VPN sessions. It terminates all active child_sa and reinitiates the connection."
+
+#: ../../configuration/vpn/ipsec.rst:652
+msgid "Reset all tunnels for a given peer, can specify tunnel or vti interface. It terminates a specific child_sa and reinitiates the connection."
+msgstr "Reset all tunnels for a given peer, can specify tunnel or vti interface. It terminates a specific child_sa and reinitiates the connection."
+
 #: ../../configuration/system/ipv6.rst:163
 msgid "Reset commands"
 msgstr "Reset commands"
@@ -11328,7 +12873,7 @@ msgstr "Restart DHCP relay service"
 msgid "Restart DHCPv6 relay agent immediately."
 msgstr "Restart DHCPv6 relay agent immediately."
 
-#: ../../configuration/container/index.rst:203
+#: ../../configuration/container/index.rst:258
 msgid "Restart a given container"
 msgstr "Restart a given container"
 
@@ -11344,7 +12889,11 @@ msgstr "Restart the DHCP server"
 msgid "Restart the IGMP proxy process."
 msgstr "Restart the IGMP proxy process."
 
-#: ../../configuration/service/ssh.rst:149
+#: ../../configuration/vpn/ipsec.rst:643
+msgid "Restart the IPsec VPN process and re-establishes the connection."
+msgstr "Restart the IPsec VPN process and re-establishes the connection."
+
+#: ../../configuration/service/ssh.rst:169
 msgid "Restart the SSH daemon process, the current session is not affected, only the background daemon is restarted."
 msgstr "Restart the SSH daemon process, the current session is not affected, only the background daemon is restarted."
 
@@ -11352,9 +12901,15 @@ msgstr "Restart the SSH daemon process, the current session is not affected, onl
 msgid "Restarts the DNS recursor process. This also invalidates the local DNS forwarding cache."
 msgstr "Restarts the DNS recursor process. This also invalidates the local DNS forwarding cache."
 
-#: ../../configuration/interfaces/wireless.rst:315
-#: ../../configuration/interfaces/wireless.rst:369
-#: ../../configuration/interfaces/wireless.rst:567
+#: ../../configuration/service/suricata.rst:88
+msgid "Restarts the service. It checks if the Suricata service is active before attempting to restart it. If it is not active, a message indicates that the service is not configured. This command is used when adding new rules manually."
+msgstr "Restarts the service. It checks if the Suricata service is active before attempting to restart it. If it is not active, a message indicates that the service is not configured. This command is used when adding new rules manually."
+
+#: ../../configuration/interfaces/wireless.rst:423
+#: ../../configuration/interfaces/wireless.rst:483
+#: ../../configuration/interfaces/wireless.rst:691
+#: ../../configuration/interfaces/wireless.rst:771
+#: ../../configuration/interfaces/wireless.rst:861
 msgid "Resulting in"
 msgstr "Resulting in"
 
@@ -11382,7 +12937,7 @@ msgstr "Retrieve public key portion from configured WIreGuard interface."
 msgid "Reverse-proxy"
 msgstr "Reverse-proxy"
 
-#: ../../configuration/trafficpolicy/index.rst:958
+#: ../../configuration/trafficpolicy/index.rst:1008
 msgid "Round Robin"
 msgstr "Round Robin"
 
@@ -11466,7 +13021,7 @@ msgstr "Router Lifetime"
 msgid "Router receives DHCP client requests on ``eth1`` and relays them to the server at 10.0.1.4 on ``eth2``."
 msgstr "Router receives DHCP client requests on ``eth1`` and relays them to the server at 10.0.1.4 on ``eth2``."
 
-#: ../../configuration/vrf/index.rst:444
+#: ../../configuration/vrf/index.rst:440
 msgid "Routes exported from a unicast VRF to the VPN RIB must be augmented by two parameters:"
 msgstr "Routes exported from a unicast VRF to the VPN RIB must be augmented by two parameters:"
 
@@ -11490,11 +13045,11 @@ msgstr "Routes with a distance of 255 are effectively disabled and not installed
 msgid "Routes with this attribute can only be sent to your neighbor if your local-role is provider or rs-server. Routes with this attribute can be received only if your local-role is customer or rs-client."
 msgstr "Routes with this attribute can only be sent to your neighbor if your local-role is provider or rs-server. Routes with this attribute can be received only if your local-role is customer or rs-client."
 
-#: ../../configuration/trafficpolicy/index.rst:803
+#: ../../configuration/trafficpolicy/index.rst:853
 msgid "Routine"
 msgstr "Routine"
 
-#: ../../configuration/vrf/index.rst:101
+#: ../../configuration/vrf/index.rst:97
 msgid "Routing"
 msgstr "Routing"
 
@@ -11506,43 +13061,43 @@ msgstr "Routing tables that will be used in this example are:"
 msgid "Rule-Sets"
 msgstr "Rule-Sets"
 
-#: ../../configuration/firewall/bridge.rst:287
-#: ../../configuration/firewall/ipv4.rst:980
-#: ../../configuration/firewall/ipv6.rst:965
+#: ../../configuration/firewall/bridge.rst:452
+#: ../../configuration/firewall/ipv4.rst:1084
+#: ../../configuration/firewall/ipv6.rst:1074
 msgid "Rule-set overview"
 msgstr "Rule-set overview"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:258
+#: ../../configuration/loadbalancing/haproxy.rst:310
 msgid "Rule 10 matches requests with the domain name ``node1.example.com`` forwards to the backend ``bk-api-01``"
 msgstr "Rule 10 matches requests with the domain name ``node1.example.com`` forwards to the backend ``bk-api-01``"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:295
+#: ../../configuration/loadbalancing/haproxy.rst:348
 msgid "Rule 10 matches requests with the exact URL path ``/.well-known/xxx`` and redirects to location ``/certs/``."
 msgstr "Rule 10 matches requests with the exact URL path ``/.well-known/xxx`` and redirects to location ``/certs/``."
 
-#: ../../configuration/firewall/flowtables.rst:151
+#: ../../configuration/firewall/flowtables.rst:152
 msgid "Rule 110 is hit, so connection is accepted."
 msgstr "Rule 110 is hit, so connection is accepted."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:298
+#: ../../configuration/loadbalancing/haproxy.rst:351
 msgid "Rule 20 matches requests with URL paths ending in ``/mail`` or exact path ``/email/bar`` redirect to location ``/postfix/``."
 msgstr "Rule 20 matches requests with URL paths ending in ``/mail`` or exact path ``/email/bar`` redirect to location ``/postfix/``."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:261
+#: ../../configuration/loadbalancing/haproxy.rst:313
 msgid "Rule 20 matches requests with the domain name ``node2.example.com`` forwards to the backend ``bk-api-02``"
 msgstr "Rule 20 matches requests with the domain name ``node2.example.com`` forwards to the backend ``bk-api-02``"
 
-#: ../../configuration/firewall/bridge.rst:208
-#: ../../configuration/firewall/ipv4.rst:288
-#: ../../configuration/firewall/ipv6.rst:288
+#: ../../configuration/firewall/bridge.rst:310
+#: ../../configuration/firewall/ipv4.rst:313
+#: ../../configuration/firewall/ipv6.rst:313
 msgid "Rule Status"
 msgstr "Rule Status"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:50
+#: ../../configuration/loadbalancing/haproxy.rst:62
 msgid "Rules"
 msgstr "Rules"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:51
+#: ../../configuration/loadbalancing/haproxy.rst:63
 msgid "Rules allow to control and route incoming traffic to specific backend based on predefined conditions. Rules allow to define matching criteria and perform action accordingly."
 msgstr "Rules allow to control and route incoming traffic to specific backend based on predefined conditions. Rules allow to define matching criteria and perform action accordingly."
 
@@ -11611,6 +13166,10 @@ msgid "SNMPv3 (version 3 of the SNMP protocol) introduced a whole slew of new se
 msgstr "SNMPv3 (version 3 of the SNMP protocol) introduced a whole slew of new security related features that have been missing from the previous versions. Security was one of the biggest weakness of SNMP until v3. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and agent. Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used."
 
 #: ../../_include/interface-mirror.txt:1
+msgid "SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface can be connected to some special equipment, such as a behavior control system, intrusion detection system or traffic collector, and can copy all related traffic from this port. The benefit of mirroring the traffic is that the application is isolated from the source traffic and so application processing does not affect the traffic or the system performance."
+msgstr "SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface can be connected to some special equipment, such as a behavior control system, intrusion detection system or traffic collector, and can copy all related traffic from this port. The benefit of mirroring the traffic is that the application is isolated from the source traffic and so application processing does not affect the traffic or the system performance."
+
+#: ../../_include/interface-mirror.txt:1
 msgid "SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface can be connected to some special equipment, such as behavior control system, intrusion detection system and traffic collector, and can copy all related traffic from this port. The benefit of mirroring the traffic is that the application is isolated from the source traffic and so application processing does not affect the traffic or the system performance."
 msgstr "SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface can be connected to some special equipment, such as behavior control system, intrusion detection system and traffic collector, and can copy all related traffic from this port. The benefit of mirroring the traffic is that the application is isolated from the source traffic and so application processing does not affect the traffic or the system performance."
 
@@ -11627,7 +13186,7 @@ msgstr "SSH :ref:`ssh_key_based_authentication`"
 msgid "SSH :ref:`ssh_operation`"
 msgstr "SSH :ref:`ssh_operation`"
 
-#: ../../configuration/system/option.rst:74
+#: ../../configuration/system/option.rst:94
 msgid "SSH client"
 msgstr "SSH client"
 
@@ -11643,11 +13202,11 @@ msgstr "SSH username to establish an SSH connection to the cache server."
 msgid "SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh, and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet."
 msgstr "SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh, and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet."
 
-#: ../../configuration/interfaces/wireless.rst:114
+#: ../../configuration/interfaces/wireless.rst:140
 msgid "SSID to be used in IEEE 802.11 management frames"
 msgstr "SSID to be used in IEEE 802.11 management frames"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:333
+#: ../../configuration/loadbalancing/haproxy.rst:387
 msgid "SSL Bridging"
 msgstr "SSL Bridging"
 
@@ -11659,7 +13218,7 @@ msgstr "SSL Certificates"
 msgid "SSL Certificates generation"
 msgstr "SSL Certificates generation"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:67
+#: ../../configuration/loadbalancing/haproxy.rst:79
 msgid "SSL match Server Name Indication (SNI) option:"
 msgstr "SSL match Server Name Indication (SNI) option:"
 
@@ -11699,6 +13258,10 @@ msgstr "SaltStack_ is Python-based, open-source software for event-driven IT aut
 msgid "Same as export-list, but it applies to paths announced into specified area as Type-3 summary-LSAs. This command makes sense in ABR only."
 msgstr "Same as export-list, but it applies to paths announced into specified area as Type-3 summary-LSAs. This command makes sense in ABR only."
 
+#: ../../configuration/firewall/bridge.rst:333
+msgid "Same specific matching criteria that can be used in bridge firewall are described in this section:"
+msgstr "Same specific matching criteria that can be used in bridge firewall are described in this section:"
+
 #: ../../configuration/interfaces/vxlan.rst:174
 msgid "Sample configuration of SVD with VLAN to VNI mappings is shown below."
 msgstr "Sample configuration of SVD with VLAN to VNI mappings is shown below."
@@ -11707,7 +13270,7 @@ msgstr "Sample configuration of SVD with VLAN to VNI mappings is shown below."
 msgid "Sample configuration to setup LDP on VyOS"
 msgstr "Sample configuration to setup LDP on VyOS"
 
-#: ../../configuration/interfaces/wireless.rst:515
+#: ../../configuration/interfaces/wireless.rst:639
 msgid "Scanning is not supported on all wireless drivers and wireless hardware. Refer to your driver and wireless hardware documentation for further details."
 msgstr "Scanning is not supported on all wireless drivers and wireless hardware. Refer to your driver and wireless hardware documentation for further details."
 
@@ -11715,44 +13278,59 @@ msgstr "Scanning is not supported on all wireless drivers and wireless hardware.
 msgid "Script execution"
 msgstr "Script execution"
 
-#: ../../configuration/service/ipoe-server.rst:299
-#: ../../configuration/service/pppoe-server.rst:417
-#: ../../configuration/vpn/l2tp.rst:361
+#: ../../configuration/service/ipoe-server.rst:298
+#: ../../configuration/service/pppoe-server.rst:439
 #: ../../configuration/vpn/pptp.rst:285
-#: ../../configuration/vpn/sstp.rst:319
 msgid "Script to run before session interface comes up"
 msgstr "Script to run before session interface comes up"
 
-#: ../../configuration/service/ipoe-server.rst:291
-#: ../../configuration/service/pppoe-server.rst:409
-#: ../../configuration/vpn/l2tp.rst:353
+#: ../../configuration/vpn/l2tp.rst:364
+#: ../../configuration/vpn/sstp.rst:322
+msgid "Script to run before the session interface comes up"
+msgstr "Script to run before the session interface comes up"
+
+#: ../../configuration/service/ipoe-server.rst:290
+#: ../../configuration/service/pppoe-server.rst:431
 #: ../../configuration/vpn/pptp.rst:277
-#: ../../configuration/vpn/sstp.rst:311
 msgid "Script to run when session interface changed by RADIUS CoA handling"
 msgstr "Script to run when session interface changed by RADIUS CoA handling"
 
-#: ../../configuration/service/ipoe-server.rst:295
-#: ../../configuration/service/pppoe-server.rst:413
-#: ../../configuration/vpn/l2tp.rst:357
+#: ../../configuration/service/ipoe-server.rst:294
+#: ../../configuration/service/pppoe-server.rst:435
 #: ../../configuration/vpn/pptp.rst:281
-#: ../../configuration/vpn/sstp.rst:315
 msgid "Script to run when session interface going to terminate"
 msgstr "Script to run when session interface going to terminate"
 
-#: ../../configuration/service/ipoe-server.rst:303
-#: ../../configuration/service/pppoe-server.rst:421
-#: ../../configuration/vpn/l2tp.rst:365
+#: ../../configuration/service/ipoe-server.rst:302
+#: ../../configuration/service/pppoe-server.rst:443
 #: ../../configuration/vpn/pptp.rst:289
-#: ../../configuration/vpn/sstp.rst:323
 msgid "Script to run when session interface is completely configured and started"
 msgstr "Script to run when session interface is completely configured and started"
 
-#: ../../configuration/highavailability/index.rst:299
-#: ../../configuration/service/ipoe-server.rst:287
-#: ../../configuration/service/pppoe-server.rst:405
-#: ../../configuration/vpn/l2tp.rst:349
+#: ../../configuration/vpn/sstp.rst:318
+msgid "Script to run when the session interface about to terminate"
+msgstr "Script to run when the session interface about to terminate"
+
+#: ../../configuration/vpn/l2tp.rst:360
+msgid "Script to run when the session interface is about to terminate"
+msgstr "Script to run when the session interface is about to terminate"
+
+#: ../../configuration/vpn/l2tp.rst:356
+#: ../../configuration/vpn/sstp.rst:314
+msgid "Script to run when the session interface is changed by RADIUS CoA handling"
+msgstr "Script to run when the session interface is changed by RADIUS CoA handling"
+
+#: ../../configuration/vpn/l2tp.rst:368
+#: ../../configuration/vpn/sstp.rst:326
+msgid "Script to run when the session interface is completely configured and started"
+msgstr "Script to run when the session interface is completely configured and started"
+
+#: ../../configuration/highavailability/index.rst:303
+#: ../../configuration/service/ipoe-server.rst:286
+#: ../../configuration/service/pppoe-server.rst:427
+#: ../../configuration/vpn/l2tp.rst:352
 #: ../../configuration/vpn/pptp.rst:273
-#: ../../configuration/vpn/sstp.rst:307
+#: ../../configuration/vpn/sstp.rst:310
 msgid "Scripting"
 msgstr "Scripting"
 
@@ -11764,20 +13342,20 @@ msgstr "Second scenario: apply source NAT for all outgoing connections from LAN
 msgid "Secondly, we create the intermediary certificate authorities, which are used to sign the leaf certificates."
 msgstr "Secondly, we create the intermediary certificate authorities, which are used to sign the leaf certificates."
 
-#: ../../configuration/service/ipoe-server.rst:186
-#: ../../configuration/service/pppoe-server.rst:148
+#: ../../configuration/service/ipoe-server.rst:185
+#: ../../configuration/service/pppoe-server.rst:157
 #: ../../configuration/vpn/l2tp.rst:191
 #: ../../configuration/vpn/pptp.rst:131
 #: ../../configuration/vpn/sstp.rst:164
 msgid "Secret for Dynamic Authorization Extension server (DM/CoA)"
 msgstr "Secret for Dynamic Authorization Extension server (DM/CoA)"
 
-#: ../../configuration/interfaces/wireless.rst:334
+#: ../../configuration/interfaces/wireless.rst:445
 msgid "Security"
 msgstr "Security"
 
-#: ../../configuration/system/syslog.rst:120
-#: ../../configuration/system/syslog.rst:132
+#: ../../configuration/system/syslog.rst:138
+#: ../../configuration/system/syslog.rst:150
 msgid "Security/authentication messages"
 msgstr "Security/authentication messages"
 
@@ -11821,7 +13399,7 @@ msgstr "Select TLS version used."
 msgid "Select cipher suite used for cryptographic operations. This setting is mandatory."
 msgstr "Select cipher suite used for cryptographic operations. This setting is mandatory."
 
-#: ../../configuration/vrf/index.rst:487
+#: ../../configuration/vrf/index.rst:483
 msgid "Select how labels are allocated in the given VRF. By default, the per-vrf mode is selected, and one label is used for all prefixes from the VRF. The per-nexthop will use a unique label for all prefixes that are reachable via the same nexthop."
 msgstr "Select how labels are allocated in the given VRF. By default, the per-vrf mode is selected, and one label is used for all prefixes from the VRF. The per-nexthop will use a unique label for all prefixes that are reachable via the same nexthop."
 
@@ -11829,11 +13407,11 @@ msgstr "Select how labels are allocated in the given VRF. By default, the per-vr
 msgid "Self Signed CA"
 msgstr "Self Signed CA"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:140
+#: ../../configuration/loadbalancing/haproxy.rst:147
 msgid "Send a Proxy Protocol version 1 header (text format)"
 msgstr "Send a Proxy Protocol version 1 header (text format)"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:145
+#: ../../configuration/loadbalancing/haproxy.rst:152
 msgid "Send a Proxy Protocol version 2 header (binary format)"
 msgstr "Send a Proxy Protocol version 2 header (binary format)"
 
@@ -11841,11 +13419,15 @@ msgstr "Send a Proxy Protocol version 2 header (binary format)"
 msgid "Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>` on optional port specified under `<port>`. The port defaults to 53. You can configure multiple nameservers here."
 msgstr "Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>` on optional port specified under `<port>`. The port defaults to 53. You can configure multiple nameservers here."
 
-#: ../../configuration/interfaces/wireless.rst:57
+#: ../../configuration/interfaces/wireless.rst:69
 msgid "Send empty SSID in beacons and ignore probe request frames that do not specify full SSID, i.e., require stations to know SSID."
 msgstr "Send empty SSID in beacons and ignore probe request frames that do not specify full SSID, i.e., require stations to know SSID."
 
-#: ../../configuration/vpn/l2tp.rst:276
+#: ../../configuration/interfaces/wireless.rst:69
+msgid "Send empty SSID in beacons and ignore probe request frames that do not specify full SSID, i.e., require stations to know the SSID."
+msgstr "Send empty SSID in beacons and ignore probe request frames that do not specify full SSID, i.e., require stations to know the SSID."
+
+#: ../../configuration/vpn/l2tp.rst:279
 msgid "Sent to the client (LAC) in the Host-Name attribute"
 msgstr "Sent to the client (LAC) in the Host-Name attribute"
 
@@ -11857,7 +13439,7 @@ msgstr "Serial Console"
 msgid "Serial interfaces can be any interface which is directly connected to the CPU or chipset (mostly known as a ttyS interface in Linux) or any other USB to serial converter (Prolific PL2303 or FTDI FT232/FT4232 based chips)."
 msgstr "Serial interfaces can be any interface which is directly connected to the CPU or chipset (mostly known as a ttyS interface in Linux) or any other USB to serial converter (Prolific PL2303 or FTDI FT232/FT4232 based chips)."
 
-#: ../../configuration/interfaces/openvpn.rst:325
+#: ../../configuration/interfaces/openvpn.rst:329
 msgid "Server"
 msgstr "Server"
 
@@ -11873,10 +13455,18 @@ msgstr "Server Certificate"
 msgid "Server Configuration"
 msgstr "Server Configuration"
 
-#: ../../configuration/interfaces/openvpn.rst:588
+#: ../../configuration/interfaces/openvpn.rst:592
 msgid "Server Side"
 msgstr "Server Side"
 
+#: ../../configuration/interfaces/openvpn.rst:679
+msgid "Server Side:"
+msgstr "Server Side:"
+
+#: ../../configuration/interfaces/openvpn.rst:670
+msgid "Server bridge"
+msgstr "Server bridge"
+
 #: ../../configuration/service/ipoe-server.rst:157
 msgid "Server configuration"
 msgstr "Server configuration"
@@ -11885,12 +13475,12 @@ msgstr "Server configuration"
 msgid "Server names for virtual hosts it can be exact, wildcard or regex."
 msgstr "Server names for virtual hosts it can be exact, wildcard or regex."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:21
+#: ../../configuration/loadbalancing/haproxy.rst:21
 #: ../../configuration/service/index.rst:3
 msgid "Service"
 msgstr "Service"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:16
+#: ../../configuration/loadbalancing/haproxy.rst:16
 msgid "Service configuration is responsible for binding to a specific port, while the backend configuration determines the type of load balancing to be applied and specifies the real servers to be utilized."
 msgstr "Service configuration is responsible for binding to a specific port, while the backend configuration determines the type of load balancing to be applied and specifies the real servers to be utilized."
 
@@ -11950,12 +13540,12 @@ msgstr "Set SNAT rule 30 to only NAT packets arriving from the 203.0.113.0/24 ne
 msgid "Set SSL certeficate <name> for service <name>"
 msgstr "Set SSL certeficate <name> for service <name>"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:46
+#: ../../configuration/loadbalancing/haproxy.rst:46
 msgid "Set SSL certificate <name> for service <name>"
 msgstr "Set SSL certificate <name> for service <name>"
 
-#: ../../configuration/firewall/ipv4.rst:941
-#: ../../configuration/firewall/ipv6.rst:927
+#: ../../configuration/firewall/ipv4.rst:997
+#: ../../configuration/firewall/ipv6.rst:987
 msgid "Set TCP-MSS (maximum segment size) for the connection"
 msgstr "Set TCP-MSS (maximum segment size) for the connection"
 
@@ -11967,19 +13557,19 @@ msgstr "Set TTL to 300 seconds"
 msgid "Set Virtual Tunnel Interface"
 msgstr "Set Virtual Tunnel Interface"
 
-#: ../../configuration/container/index.rst:54
+#: ../../configuration/container/index.rst:79
 msgid "Set a container description"
 msgstr "Set a container description"
 
-#: ../../configuration/trafficpolicy/index.rst:1169
+#: ../../configuration/trafficpolicy/index.rst:1219
 msgid "Set a description for the shaper."
 msgstr "Set a description for the shaper."
 
-#: ../../configuration/system/conntrack.rst:113
+#: ../../configuration/system/conntrack.rst:81
 msgid "Set a destination and/or source address. Accepted input for ipv4:"
 msgstr "Set a destination and/or source address. Accepted input for ipv4:"
 
-#: ../../configuration/system/conntrack.rst:142
+#: ../../configuration/system/conntrack.rst:110
 msgid "Set a destination and/or source port. Accepted input:"
 msgstr "Set a destination and/or source port. Accepted input:"
 
@@ -11987,11 +13577,11 @@ msgstr "Set a destination and/or source port. Accepted input:"
 msgid "Set a human readable, descriptive alias for this connection. Alias is used by e.g. the :opcmd:`show interfaces` command or SNMP based monitoring tools."
 msgstr "Set a human readable, descriptive alias for this connection. Alias is used by e.g. the :opcmd:`show interfaces` command or SNMP based monitoring tools."
 
-#: ../../configuration/system/login.rst:391
+#: ../../configuration/system/login.rst:397
 msgid "Set a limit on the maximum number of concurrent logged-in users on the system."
 msgstr "Set a limit on the maximum number of concurrent logged-in users on the system."
 
-#: ../../configuration/firewall/zone.rst:98
+#: ../../configuration/firewall/zone.rst:95
 msgid "Set a meaningful description."
 msgstr "Set a meaningful description."
 
@@ -11999,7 +13589,7 @@ msgstr "Set a meaningful description."
 msgid "Set a named api key. Every key has the same, full permissions on the system."
 msgstr "Set a named api key. Every key has the same, full permissions on the system."
 
-#: ../../configuration/system/conntrack.rst:106
+#: ../../configuration/system/conntrack.rst:74
 msgid "Set a rule description."
 msgstr "Set a rule description."
 
@@ -12011,6 +13601,18 @@ msgstr "Set a specific connection mark."
 msgid "Set a specific packet mark."
 msgstr "Set a specific packet mark."
 
+#: ../../configuration/firewall/bridge.rst:404
+#: ../../configuration/firewall/ipv4.rst:1006
+#: ../../configuration/firewall/ipv6.rst:996
+msgid "Set a specific packet mark value."
+msgstr "Set a specific packet mark value."
+
+#: ../../configuration/firewall/bridge.rst:399
+#: ../../configuration/firewall/ipv4.rst:997
+#: ../../configuration/firewall/ipv6.rst:987
+msgid "Set a specific value of Differentiated Services Codepoint (DSCP)."
+msgstr "Set a specific value of Differentiated Services Codepoint (DSCP)."
+
 #: ../../configuration/policy/route-map.rst:25
 msgid "Set action for the route-map policy."
 msgstr "Set action for the route-map policy."
@@ -12062,32 +13664,53 @@ msgstr "Set an :abbr:`SRV (Service)` record. Supports ``@`` keyword."
 msgid "Set an :abbr:`TXT (Text)` record. Supports ``@`` keyword."
 msgstr "Set an :abbr:`TXT (Text)` record. Supports ``@`` keyword."
 
+#: ../../configuration/nat/cgnat.rst:77
+msgid "Set an external port-range for the external pool, the default range is 1024-65535. Multiple entries can be added to the same pool."
+msgstr "Set an external port-range for the external pool, the default range is 1024-65535. Multiple entries can be added to the same pool."
+
 #: ../../configuration/service/ipoe-server.rst:60
-#: ../../configuration/service/ipoe-server.rst:88
-#: ../../configuration/service/pppoe-server.rst:38
+#: ../../configuration/service/pppoe-server.rst:37
 #: ../../configuration/vpn/l2tp.rst:26
 #: ../../configuration/vpn/pptp.rst:27
 #: ../../configuration/vpn/sstp.rst:53
 msgid "Set authentication backend. The configured authentication backend is used for all queries."
 msgstr "Set authentication backend. The configured authentication backend is used for all queries."
 
-#: ../../configuration/container/index.rst:122
+#: ../../configuration/firewall/bridge.rst:424
+#: ../../configuration/firewall/ipv4.rst:1031
+#: ../../configuration/firewall/ipv6.rst:1021
+msgid "Set connection mark value."
+msgstr "Set connection mark value."
+
+#: ../../configuration/container/index.rst:160
 msgid "Set container capabilities or permissions."
 msgstr "Set container capabilities or permissions."
 
-#: ../../configuration/highavailability/index.rst:247
+#: ../../configuration/container/index.rst:173
+msgid "Set container sysctl values."
+msgstr "Set container sysctl values."
+
+#: ../../configuration/loadbalancing/haproxy.rst:51
+msgid "Set custom HTTP headers to be included in all responses"
+msgstr "Set custom HTTP headers to be included in all responses"
+
+#: ../../configuration/loadbalancing/haproxy.rst:168
+msgid "Set custom HTTP headers to be included in all responses using the backend"
+msgstr "Set custom HTTP headers to be included in all responses using the backend"
+
+#: ../../configuration/highavailability/index.rst:251
 msgid "Set delay between gratuitous ARP messages sent on an interface."
 msgstr "Set delay between gratuitous ARP messages sent on an interface."
 
-#: ../../configuration/highavailability/index.rst:255
+#: ../../configuration/highavailability/index.rst:259
 msgid "Set delay for second set of gratuitous ARPs after transition to MASTER."
 msgstr "Set delay for second set of gratuitous ARPs after transition to MASTER."
 
-#: ../../configuration/service/ipoe-server.rst:356
-#: ../../configuration/service/pppoe-server.rst:522
-#: ../../configuration/vpn/l2tp.rst:476
+#: ../../configuration/service/ipoe-server.rst:355
+#: ../../configuration/service/pppoe-server.rst:547
+#: ../../configuration/vpn/l2tp.rst:481
 #: ../../configuration/vpn/pptp.rst:400
-#: ../../configuration/vpn/sstp.rst:434
+#: ../../configuration/vpn/sstp.rst:439
 msgid "Set description."
 msgstr "Set description."
 
@@ -12119,7 +13742,7 @@ msgstr "Set description for large-community-list policy."
 msgid "Set description for rule."
 msgstr "Set description for rule."
 
-#: ../../configuration/policy/prefix-list.rst:67
+#: ../../configuration/policy/prefix-list.rst:83
 msgid "Set description for rule in IPv6 prefix-list."
 msgstr "Set description for rule in IPv6 prefix-list."
 
@@ -12131,7 +13754,7 @@ msgstr "Set description for rule in the prefix-list."
 msgid "Set description for the IPv6 access list."
 msgstr "Set description for the IPv6 access list."
 
-#: ../../configuration/policy/prefix-list.rst:58
+#: ../../configuration/policy/prefix-list.rst:74
 msgid "Set description for the IPv6 prefix-list policy."
 msgstr "Set description for the IPv6 prefix-list policy."
 
@@ -12176,7 +13799,16 @@ msgstr "Set execution time in common cron_ time format. A cron `<spec>` of ``30
 msgid "Set extcommunity bandwidth"
 msgstr "Set extcommunity bandwidth"
 
-#: ../../configuration/interfaces/wireless.rst:229
+#: ../../configuration/nat/cgnat.rst:82
+msgid "Set external source port limits that will be allocated to each subscriber individually. The default value is 2000."
+msgstr "Set external source port limits that will be allocated to each subscriber individually. The default value is 2000."
+
+#: ../../configuration/firewall/bridge.rst:419
+#: ../../configuration/firewall/ipv6.rst:1014
+msgid "Set hop limit value."
+msgstr "Set hop limit value."
+
+#: ../../configuration/interfaces/wireless.rst:260
 msgid "Set if antenna pattern does not change during the lifetime of an association"
 msgstr "Set if antenna pattern does not change during the lifetime of an association"
 
@@ -12185,7 +13817,7 @@ msgstr "Set if antenna pattern does not change during the lifetime of an associa
 msgid "Set inbound interface to match."
 msgstr "Set inbound interface to match."
 
-#: ../../configuration/firewall/zone.rst:84
+#: ../../configuration/firewall/zone.rst:81
 msgid "Set interfaces to a zone. A zone can have multiple interfaces. But an interface can only be a member in one zone."
 msgstr "Set interfaces to a zone. A zone can have multiple interfaces. But an interface can only be a member in one zone."
 
@@ -12237,7 +13869,7 @@ msgstr "Set maximum hop count before packets are discarded, default: 10"
 msgid "Set maximum number of packets to alow in excess of rate."
 msgstr "Set maximum number of packets to alow in excess of rate."
 
-#: ../../configuration/highavailability/index.rst:265
+#: ../../configuration/highavailability/index.rst:269
 msgid "Set minimum time interval for refreshing gratuitous ARPs while MASTER."
 msgstr "Set minimum time interval for refreshing gratuitous ARPs while MASTER."
 
@@ -12245,11 +13877,11 @@ msgstr "Set minimum time interval for refreshing gratuitous ARPs while MASTER."
 msgid "Set mode for IPsec authentication between VyOS and L2TP clients."
 msgstr "Set mode for IPsec authentication between VyOS and L2TP clients."
 
-#: ../../configuration/highavailability/index.rst:285
+#: ../../configuration/highavailability/index.rst:289
 msgid "Set number of gratuitous ARP messages to send at a time after transition to MASTER."
 msgstr "Set number of gratuitous ARP messages to send at a time after transition to MASTER."
 
-#: ../../configuration/highavailability/index.rst:275
+#: ../../configuration/highavailability/index.rst:279
 msgid "Set number of gratuitous ARP messages to send at a time while MASTER."
 msgstr "Set number of gratuitous ARP messages to send at a time while MASTER."
 
@@ -12300,7 +13932,7 @@ msgstr "Set routing table to forward packet to."
 msgid "Set rule action to drop."
 msgstr "Set rule action to drop."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:26
+#: ../../configuration/loadbalancing/haproxy.rst:26
 msgid "Set service to bind on IP address, by default listen on any IPv4 and IPv6"
 msgstr "Set service to bind on IP address, by default listen on any IPv4 and IPv6"
 
@@ -12350,7 +13982,7 @@ msgstr "Set the IP address of the local interface to be used for the tunnel."
 msgid "Set the IP address of the remote peer. It may be specified as an IPv4 address or an IPv6 address."
 msgstr "Set the IP address of the remote peer. It may be specified as an IPv4 address or an IPv6 address."
 
-#: ../../configuration/firewall/global-options.rst:99
+#: ../../configuration/firewall/global-options.rst:104
 msgid "Set the IPv4 source validation mode. The following system parameter will be altered:"
 msgstr "Set the IPv4 source validation mode. The following system parameter will be altered:"
 
@@ -12399,7 +14031,23 @@ msgstr "Set the Segment Routing Local Block i.e. the label range used by MPLS to
 msgid "Set the Segment Routing Local Block i.e. the low label range used by MPLS to store label in the MPLS FIB for Prefix SID. Note that the block size may not exceed 65535.Segment Routing Local Block, The negative command always unsets both."
 msgstr "Set the Segment Routing Local Block i.e. the low label range used by MPLS to store label in the MPLS FIB for Prefix SID. Note that the block size may not exceed 65535.Segment Routing Local Block, The negative command always unsets both."
 
-#: ../../configuration/container/index.rst:99
+#: ../../configuration/firewall/bridge.rst:409
+#: ../../configuration/firewall/ipv4.rst:1015
+#: ../../configuration/firewall/ipv6.rst:1005
+msgid "Set the TCP-MSS (TCP maximum segment size) for the connection."
+msgstr "Set the TCP-MSS (TCP maximum segment size) for the connection."
+
+#: ../../configuration/firewall/ipv4.rst:1045
+#: ../../configuration/firewall/ipv6.rst:1035
+msgid "Set the TCP-MSS (maximum segment size) for the connection"
+msgstr "Set the TCP-MSS (maximum segment size) for the connection"
+
+#: ../../configuration/firewall/bridge.rst:414
+#: ../../configuration/firewall/ipv4.rst:1024
+msgid "Set the TTL (Time to Live) value."
+msgstr "Set the TTL (Time to Live) value."
+
+#: ../../configuration/container/index.rst:124
 msgid "Set the User ID or Group ID of the container"
 msgstr "Set the User ID or Group ID of the container"
 
@@ -12415,27 +14063,31 @@ msgstr "Set the :abbr:`MRU (Maximum Receive Unit)` to `mru`. PPPd will ask the p
 msgid "Set the :abbr:`TTL (Time-to-live)` for the record in seconds. Default is 300 seconds."
 msgstr "Set the :abbr:`TTL (Time-to-live)` for the record in seconds. Default is 300 seconds."
 
-#: ../../configuration/service/ssh.rst:106
+#: ../../configuration/service/ssh.rst:107
 msgid "Set the ``sshd`` log level. The default is ``info``."
 msgstr "Set the ``sshd`` log level. The default is ``info``."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:130
+#: ../../configuration/loadbalancing/haproxy.rst:137
 msgid "Set the address of the backend port"
 msgstr "Set the address of the backend port"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:124
+#: ../../configuration/loadbalancing/haproxy.rst:131
 msgid "Set the address of the backend server to which the incoming traffic will be forwarded"
 msgstr "Set the address of the backend server to which the incoming traffic will be forwarded"
 
-#: ../../configuration/service/https.rst:94
+#: ../../configuration/service/https.rst:97
 msgid "Set the authentication type for GraphQL, default option is key. Available options are:"
 msgstr "Set the authentication type for GraphQL, default option is key. Available options are:"
 
-#: ../../configuration/service/https.rst:106
+#: ../../configuration/service/https.rst:109
 msgid "Set the byte length of the JWT secret. Default is 32."
 msgstr "Set the byte length of the JWT secret. Default is 32."
 
-#: ../../configuration/highavailability/index.rst:295
+#: ../../configuration/container/index.rst:41
+msgid "Set the command arguments for a container."
+msgstr "Set the command arguments for a container."
+
+#: ../../configuration/highavailability/index.rst:299
 msgid "Set the default VRRP version to use. This defaults to 2, but IPv6 instances will always use version 3."
 msgstr "Set the default VRRP version to use. This defaults to 2, but IPv6 instances will always use version 3."
 
@@ -12459,19 +14111,23 @@ msgstr "Set the distance for the default gateway sent by the SSTP server."
 msgid "Set the encapsulation type of the tunnel. Valid values for encapsulation are: udp, ip."
 msgstr "Set the encapsulation type of the tunnel. Valid values for encapsulation are: udp, ip."
 
-#: ../../configuration/firewall/global-options.rst:127
+#: ../../configuration/firewall/global-options.rst:132
 msgid "Set the global setting for an established connection."
 msgstr "Set the global setting for an established connection."
 
-#: ../../configuration/firewall/global-options.rst:137
+#: ../../configuration/firewall/global-options.rst:142
 msgid "Set the global setting for invalid packets."
 msgstr "Set the global setting for invalid packets."
 
-#: ../../configuration/firewall/global-options.rst:147
+#: ../../configuration/firewall/global-options.rst:152
 msgid "Set the global setting for related connections."
 msgstr "Set the global setting for related connections."
 
-#: ../../configuration/service/https.rst:102
+#: ../../configuration/container/index.rst:45
+msgid "Set the host name for a container."
+msgstr "Set the host name for a container."
+
+#: ../../configuration/service/https.rst:105
 msgid "Set the lifetime for JWT tokens in seconds. Default is 3600 seconds."
 msgstr "Set the lifetime for JWT tokens in seconds. Default is 3600 seconds."
 
@@ -12483,7 +14139,7 @@ msgstr "Set the listen port of the local API, this has no effect on the webserve
 msgid "Set the maximum hop `<count>` before packets are discarded. Range 0...255, default 10."
 msgstr "Set the maximum hop `<count>` before packets are discarded. Range 0...255, default 10."
 
-#: ../../configuration/interfaces/wireless.rst:277
+#: ../../configuration/interfaces/wireless.rst:313
 msgid "Set the maximum length of A-MPDU pre-EOF padding that the station can receive"
 msgstr "Set the maximum length of A-MPDU pre-EOF padding that the station can receive"
 
@@ -12507,6 +14163,10 @@ msgstr "Set the name of the x509 client keypair used to authenticate against the
 msgid "Set the native VLAN ID flag of the interface. When a data packet without a VLAN tag enters the port, the data packet will be forced to add a tag of a specific vlan id. When the vlan id flag flows out, the tag of the vlan id will be stripped"
 msgstr "Set the native VLAN ID flag of the interface. When a data packet without a VLAN tag enters the port, the data packet will be forced to add a tag of a specific vlan id. When the vlan id flag flows out, the tag of the vlan id will be stripped"
 
+#: ../../configuration/interfaces/bridge.rst:157
+msgid "Set the native VLAN ID flag of the interface. When a data packet without a VLAN tag enters the port, the data packet will have a specific vlan id added to it. When the packet flows out, the native vlan tag will be stripped."
+msgstr "Set the native VLAN ID flag of the interface. When a data packet without a VLAN tag enters the port, the data packet will have a specific vlan id added to it. When the packet flows out, the native vlan tag will be stripped."
+
 #: ../../configuration/policy/route-map.rst:287
 msgid "Set the next-hop as unchanged. Pass through the route-map without changing its value"
 msgstr "Set the next-hop as unchanged. Pass through the route-map without changing its value"
@@ -12547,7 +14207,19 @@ msgstr "Set the peer's key used to receive (RX) traffic"
 msgid "Set the peer-session-id, which is a 32-bit integer value assigned to the session by the peer. The value used must match the session_id value being used at the peer."
 msgstr "Set the peer-session-id, which is a 32-bit integer value assigned to the session by the peer. The value used must match the session_id value being used at the peer."
 
-#: ../../configuration/container/index.rst:103
+#: ../../configuration/nat/cgnat.rst:87
+msgid "Set the range of external IP addresses for the CGNAT pool."
+msgstr "Set the range of external IP addresses for the CGNAT pool."
+
+#: ../../configuration/nat/cgnat.rst:87
+msgid "Set the range of external IP addresses for the CGNAT pool. The sequence is optional; if set, a lower value means higher priority."
+msgstr "Set the range of external IP addresses for the CGNAT pool. The sequence is optional; if set, a lower value means higher priority."
+
+#: ../../configuration/nat/cgnat.rst:92
+msgid "Set the range of internal IP addresses for the CGNAT pool."
+msgstr "Set the range of internal IP addresses for the CGNAT pool."
+
+#: ../../configuration/container/index.rst:128
 msgid "Set the restart behavior of the container."
 msgstr "Set the restart behavior of the container."
 
@@ -12559,11 +14231,19 @@ msgstr "Set the route metric. When used with BGP, set the BGP attribute MED to a
 msgid "Set the routing table to forward packet with."
 msgstr "Set the routing table to forward packet with."
 
+#: ../../configuration/nat/cgnat.rst:96
+msgid "Set the rule for the source pool."
+msgstr "Set the rule for the source pool."
+
+#: ../../configuration/nat/cgnat.rst:100
+msgid "Set the rule for the translation pool."
+msgstr "Set the rule for the translation pool."
+
 #: ../../configuration/interfaces/l2tpv3.rst:64
 msgid "Set the session id, which is a 32-bit integer value. Uniquely identifies the session being created. The value used must match the peer_session_id value being used at the peer."
 msgstr "Set the session id, which is a 32-bit integer value. Uniquely identifies the session being created. The value used must match the peer_session_id value being used at the peer."
 
-#: ../../configuration/trafficpolicy/index.rst:1164
+#: ../../configuration/trafficpolicy/index.rst:1214
 msgid "Set the shaper bandwidth, either as an explicit bitrate or a percentage of the interface bandwidth."
 msgstr "Set the shaper bandwidth, either as an explicit bitrate or a percentage of the interface bandwidth."
 
@@ -12575,6 +14255,14 @@ msgstr "Set the size of the hash table. The connection tracking hash table makes
 msgid "Set the source IP of forwarded packets, otherwise original senders address is used."
 msgstr "Set the source IP of forwarded packets, otherwise original senders address is used."
 
+#: ../../configuration/firewall/global-options.rst:184
+msgid "Set the timeout in seconds for a protocol or state."
+msgstr "Set the timeout in seconds for a protocol or state."
+
+#: ../../configuration/system/conntrack.rst:143
+msgid "Set the timeout in seconds for a protocol or state in a custom rule."
+msgstr "Set the timeout in seconds for a protocol or state in a custom rule."
+
 #: ../../configuration/system/conntrack.rst:97
 msgid "Set the timeout in secounds for a protocol or state."
 msgstr "Set the timeout in secounds for a protocol or state."
@@ -12588,8 +14276,8 @@ msgstr "Set the timeout in secounds for a protocol or state in a custom rule."
 msgid "Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel into which the session will be created."
 msgstr "Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel into which the session will be created."
 
-#: ../../configuration/firewall/ipv4.rst:945
-#: ../../configuration/firewall/ipv6.rst:931
+#: ../../configuration/firewall/ipv4.rst:1050
+#: ../../configuration/firewall/ipv6.rst:1040
 msgid "Set the window scale factor for TCP window scaling"
 msgstr "Set the window scale factor for TCP window scaling"
 
@@ -12597,15 +14285,19 @@ msgstr "Set the window scale factor for TCP window scaling"
 msgid "Set window of concurrently valid codes."
 msgstr "Set window of concurrently valid codes."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:172
+#: ../../configuration/loadbalancing/haproxy.rst:223
 msgid "Sets the HTTP method to be used, can be either: option, get, post, put"
 msgstr "Sets the HTTP method to be used, can be either: option, get, post, put"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:177
+#: ../../configuration/loadbalancing/haproxy.rst:228
 msgid "Sets the endpoint to be used for health checks"
 msgstr "Sets the endpoint to be used for health checks"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:182
+#: ../../configuration/loadbalancing/haproxy.rst:233
+msgid "Sets the expected result condition for considering a server healthy."
+msgstr "Sets the expected result condition for considering a server healthy."
+
+#: ../../configuration/loadbalancing/reverse-proxy.rst:187
 msgid "Sets the expected result condition for considering a server healthy. Some possible examples are:"
 msgstr "Sets the expected result condition for considering a server healthy. Some possible examples are:"
 
@@ -12625,6 +14317,10 @@ msgstr "Sets the listening port for a listening address. This overrides the defa
 msgid "Sets the unique id for this vxlan-interface. Not sure how it correlates with multicast-address."
 msgstr "Sets the unique id for this vxlan-interface. Not sure how it correlates with multicast-address."
 
+#: ../../configuration/service/https.rst:119
+msgid "Setting REST API and an API-KEY is the minimal configuration to get a working API Endpoint."
+msgstr "Setting REST API and an API-KEY is the minimal configuration to get a working API Endpoint."
+
 #: ../../configuration/highavailability/index.rst:96
 msgid "Setting VRRP group priority"
 msgstr "Setting VRRP group priority"
@@ -12641,15 +14337,15 @@ msgstr "Setting this up on AWS will require a \"Custom Protocol Rule\" for proto
 msgid "Setting up IPSec:"
 msgstr "Setting up IPSec:"
 
-#: ../../configuration/interfaces/openvpn.rst:132
+#: ../../configuration/interfaces/openvpn.rst:133
 msgid "Setting up OpenVPN"
 msgstr "Setting up OpenVPN"
 
-#: ../../configuration/interfaces/openvpn.rst:76
+#: ../../configuration/interfaces/openvpn.rst:77
 msgid "Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, compared to server setups that need to support multiple clients."
 msgstr "Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, compared to server setups that need to support multiple clients."
 
-#: ../../configuration/interfaces/openvpn.rst:74
+#: ../../configuration/interfaces/openvpn.rst:75
 msgid "Setting up certificates"
 msgstr "Setting up certificates"
 
@@ -12662,7 +14358,8 @@ msgid "Setting up tunnel:"
 msgstr "Setting up tunnel:"
 
 #: ../../configuration/system/option.rst:42
-#: ../../configuration/system/option.rst:53
+#: ../../configuration/system/option.rst:51
+#: ../../configuration/system/option.rst:71
 msgid "Setting will only become active with the next reboot!"
 msgstr "Setting will only become active with the next reboot!"
 
@@ -12678,11 +14375,11 @@ msgstr "Setup DHCP failover for network 192.0.2.0/24"
 msgid "Setup encrypted password for given username. This is useful for transferring a hashed password from system to system."
 msgstr "Setup encrypted password for given username. This is useful for transferring a hashed password from system to system."
 
-#: ../../configuration/system/login.rst:266
+#: ../../configuration/system/login.rst:272
 msgid "Setup the `<timeout>` in seconds when querying the RADIUS server."
 msgstr "Setup the `<timeout>` in seconds when querying the RADIUS server."
 
-#: ../../configuration/system/login.rst:335
+#: ../../configuration/system/login.rst:341
 msgid "Setup the `<timeout>` in seconds when querying the TACACS server."
 msgstr "Setup the `<timeout>` in seconds when querying the TACACS server."
 
@@ -12698,39 +14395,39 @@ msgstr "Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS p
 msgid "Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS provider identified by `<service>` when the IP address on interface `<interface>` changes."
 msgstr "Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS provider identified by `<service>` when the IP address on interface `<interface>` changes."
 
-#: ../../configuration/system/option.rst:61
+#: ../../configuration/system/option.rst:81
 msgid "Several commands utilize cURL to initiate transfers. Configure the local source IPv4/IPv6 address used for all cURL operations."
 msgstr "Several commands utilize cURL to initiate transfers. Configure the local source IPv4/IPv6 address used for all cURL operations."
 
-#: ../../configuration/system/option.rst:66
+#: ../../configuration/system/option.rst:86
 msgid "Several commands utilize curl to initiate transfers. Configure the local source interface used for all CURL operations."
 msgstr "Several commands utilize curl to initiate transfers. Configure the local source interface used for all CURL operations."
 
-#: ../../configuration/system/syslog.rst:167
+#: ../../configuration/system/syslog.rst:185
 msgid "Severity"
 msgstr "Severity"
 
-#: ../../configuration/system/syslog.rst:164
+#: ../../configuration/system/syslog.rst:182
 msgid "Severity Level"
 msgstr "Severity Level"
 
-#: ../../configuration/trafficpolicy/index.rst:1017
+#: ../../configuration/trafficpolicy/index.rst:1067
 msgid "Shaper"
 msgstr "Shaper"
 
-#: ../../configuration/interfaces/wireless.rst:282
+#: ../../configuration/interfaces/wireless.rst:319
 msgid "Short GI capabilities"
 msgstr "Short GI capabilities"
 
-#: ../../configuration/interfaces/wireless.rst:204
+#: ../../configuration/interfaces/wireless.rst:235
 msgid "Short GI capabilities for 20 and 40 MHz"
 msgstr "Short GI capabilities for 20 and 40 MHz"
 
-#: ../../configuration/trafficpolicy/index.rst:923
+#: ../../configuration/trafficpolicy/index.rst:973
 msgid "Short bursts can be allowed to exceed the limit. On creation, the Rate-Control traffic is stocked with tokens which correspond to the amount of traffic that can be burst in one go. Tokens arrive at a steady rate, until the bucket is full."
 msgstr "Short bursts can be allowed to exceed the limit. On creation, the Rate-Control traffic is stocked with tokens which correspond to the amount of traffic that can be burst in one go. Tokens arrive at a steady rate, until the bucket is full."
 
-#: ../../configuration/vrf/index.rst:507
+#: ../../configuration/vrf/index.rst:503
 msgid "Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the current VRF using the VPN RIB as intermediary. The RD and RT are auto derived and should not be specified explicitly for either the source or destination VRF’s."
 msgstr "Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the current VRF using the VPN RIB as intermediary. The RD and RT are auto derived and should not be specified explicitly for either the source or destination VRF’s."
 
@@ -12739,17 +14436,21 @@ msgstr "Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the
 msgid "Show"
 msgstr "Show"
 
+#: ../../configuration/nat/cgnat.rst:170
+msgid "Show CGNAT allocations"
+msgstr "Show CGNAT allocations"
+
 #: ../../configuration/service/dhcp-server.rst:475
 msgid "Show DHCP server daemon log file"
 msgstr "Show DHCP server daemon log file"
 
-#: ../../configuration/service/dhcp-server.rst:729
+#: ../../configuration/service/dhcp-server.rst:759
 msgid "Show DHCPv6 server daemon log file"
 msgstr "Show DHCPv6 server daemon log file"
 
-#: ../../configuration/firewall/bridge.rst:306
-#: ../../configuration/firewall/ipv4.rst:1138
-#: ../../configuration/firewall/ipv6.rst:1138
+#: ../../configuration/firewall/bridge.rst:471
+#: ../../configuration/firewall/ipv4.rst:1242
+#: ../../configuration/firewall/ipv6.rst:1248
 msgid "Show Firewall log"
 msgstr "Show Firewall log"
 
@@ -12757,19 +14458,19 @@ msgstr "Show Firewall log"
 msgid "Show LLDP neighbors connected via interface `<interface>`."
 msgstr "Show LLDP neighbors connected via interface `<interface>`."
 
-#: ../../configuration/service/ssh.rst:232
+#: ../../configuration/service/ssh.rst:252
 msgid "Show SSH dynamic-protection log."
 msgstr "Show SSH dynamic-protection log."
 
-#: ../../configuration/service/ssh.rst:224
+#: ../../configuration/service/ssh.rst:244
 msgid "Show SSH server log."
 msgstr "Show SSH server log."
 
-#: ../../configuration/service/ssh.rst:248
+#: ../../configuration/service/ssh.rst:268
 msgid "Show SSH server public key fingerprints, including a visual ASCII art representation."
 msgstr "Show SSH server public key fingerprints, including a visual ASCII art representation."
 
-#: ../../configuration/service/ssh.rst:244
+#: ../../configuration/service/ssh.rst:264
 msgid "Show SSH server public key fingerprints."
 msgstr "Show SSH server public key fingerprints."
 
@@ -12813,7 +14514,11 @@ msgstr "Show WWAN module model."
 msgid "Show WWAN module signal strength."
 msgstr "Show WWAN module signal strength."
 
-#: ../../configuration/container/index.rst:199
+#: ../../configuration/vpn/ipsec.rst:630
+msgid "Show a detailed information of all active IPsec Security Associations (SA) in verbose format."
+msgstr "Show a detailed information of all active IPsec Security Associations (SA) in verbose format."
+
+#: ../../configuration/container/index.rst:254
 msgid "Show a list available container networks"
 msgstr "Show a list available container networks"
 
@@ -12829,11 +14534,43 @@ msgstr "Show a list of installed :abbr:`CRLs (Certificate Revocation List)`."
 msgid "Show a list of installed certificates"
 msgstr "Show a list of installed certificates"
 
+#: ../../configuration/nat/cgnat.rst:159
+msgid "Show address and port allocations"
+msgstr "Show address and port allocations"
+
 #: ../../configuration/protocols/bfd.rst:105
 msgid "Show all BFD peers"
 msgstr "Show all BFD peers"
 
-#: ../../configuration/interfaces/ethernet.rst:226
+#: ../../configuration/vpn/ipsec.rst:626
+msgid "Show all active IPsec Security Associations (SA)"
+msgstr "Show all active IPsec Security Associations (SA)"
+
+#: ../../configuration/nat/cgnat.rst:163
+msgid "Show all allocations for an external IP address"
+msgstr "Show all allocations for an external IP address"
+
+#: ../../configuration/nat/cgnat.rst:167
+msgid "Show all allocations for an internal IP address"
+msgstr "Show all allocations for an internal IP address"
+
+#: ../../configuration/vpn/ipsec.rst:596
+msgid "Show all currently active IKE Security Associations."
+msgstr "Show all currently active IKE Security Associations."
+
+#: ../../configuration/vpn/ipsec.rst:605
+msgid "Show all currently active IKE Security Associations (SA) for a specific peer."
+msgstr "Show all currently active IKE Security Associations (SA) for a specific peer."
+
+#: ../../configuration/vpn/ipsec.rst:600
+msgid "Show all currently active IKE Security Associations (SA) that are using NAT Traversal."
+msgstr "Show all currently active IKE Security Associations (SA) that are using NAT Traversal."
+
+#: ../../configuration/vpn/ipsec.rst:610
+msgid "Show all the configured pre-shared secret keys."
+msgstr "Show all the configured pre-shared secret keys."
+
+#: ../../configuration/interfaces/ethernet.rst:242
 msgid "Show available offloading functions on given `<interface>`"
 msgstr "Show available offloading functions on given `<interface>`"
 
@@ -12841,17 +14578,17 @@ msgstr "Show available offloading functions on given `<interface>`"
 msgid "Show binded qat device interrupts to certain core."
 msgstr "Show binded qat device interrupts to certain core."
 
-#: ../../configuration/interfaces/bridge.rst:292
+#: ../../configuration/interfaces/bridge.rst:291
 msgid "Show bridge `<name>` fdb displays the current forwarding table:"
 msgstr "Show bridge `<name>` fdb displays the current forwarding table:"
 
-#: ../../configuration/interfaces/bridge.rst:319
+#: ../../configuration/interfaces/bridge.rst:318
 msgid "Show bridge `<name>` mdb displays the current multicast group membership table.The table is populated by IGMP and MLD snooping in the bridge driver automatically."
 msgstr "Show bridge `<name>` mdb displays the current multicast group membership table.The table is populated by IGMP and MLD snooping in the bridge driver automatically."
 
-#: ../../configuration/interfaces/bonding.rst:516
+#: ../../configuration/interfaces/bonding.rst:569
 #: ../../configuration/interfaces/dummy.rst:55
-#: ../../configuration/interfaces/ethernet.rst:152
+#: ../../configuration/interfaces/ethernet.rst:168
 #: ../../configuration/interfaces/loopback.rst:45
 #: ../../configuration/interfaces/virtual-ethernet.rst:59
 msgid "Show brief interface information."
@@ -12889,13 +14626,13 @@ msgstr "Show detailed information about all learned Segment Routing Nodes"
 msgid "Show detailed information about prefix-sid and label learned"
 msgstr "Show detailed information about prefix-sid and label learned"
 
-#: ../../configuration/interfaces/bonding.rst:548
+#: ../../configuration/interfaces/bonding.rst:601
 msgid "Show detailed information about the underlaying physical links on given bond `<interface>`."
 msgstr "Show detailed information about the underlaying physical links on given bond `<interface>`."
 
-#: ../../configuration/interfaces/bonding.rst:531
+#: ../../configuration/interfaces/bonding.rst:584
 #: ../../configuration/interfaces/dummy.rst:67
-#: ../../configuration/interfaces/ethernet.rst:166
+#: ../../configuration/interfaces/ethernet.rst:182
 #: ../../configuration/interfaces/pppoe.rst:282
 #: ../../configuration/interfaces/sstp-client.rst:121
 #: ../../configuration/interfaces/virtual-ethernet.rst:72
@@ -12911,11 +14648,15 @@ msgstr "Show detailed information on the given loopback interface `lo`."
 msgid "Show detailed information summary on given `<interface>`"
 msgstr "Show detailed information summary on given `<interface>`"
 
-#: ../../configuration/system/flow-accounting.rst:182
+#: ../../configuration/vpn/ipsec.rst:618
+msgid "Show details of all available VPN connections"
+msgstr "Show details of all available VPN connections"
+
+#: ../../configuration/system/flow-accounting.rst:186
 msgid "Show flow accounting information for given `<interface>`."
 msgstr "Show flow accounting information for given `<interface>`."
 
-#: ../../configuration/system/flow-accounting.rst:199
+#: ../../configuration/system/flow-accounting.rst:203
 msgid "Show flow accounting information for given `<interface>` for a specific host only."
 msgstr "Show flow accounting information for given `<interface>` for a specific host only."
 
@@ -12927,19 +14668,23 @@ msgstr "Show general information about specific WireGuard interface"
 msgid "Show info about the Wireguard service. It also shows the latest handshake."
 msgstr "Show info about the Wireguard service. It also shows the latest handshake."
 
-#: ../../configuration/interfaces/ethernet.rst:185
+#: ../../configuration/interfaces/ethernet.rst:201
 msgid "Show information about physical `<interface>`"
 msgstr "Show information about physical `<interface>`"
 
-#: ../../configuration/service/ssh.rst:240
+#: ../../configuration/service/ssh.rst:260
 msgid "Show list of IPs currently blocked by SSH dynamic-protection."
 msgstr "Show list of IPs currently blocked by SSH dynamic-protection."
 
+#: ../../configuration/vpn/ipsec.rst:657
+msgid "Show logs for IPsec"
+msgstr "Show logs for IPsec"
+
 #: ../../configuration/service/mdns.rst:87
 msgid "Show logs for mDNS repeater service."
 msgstr "Show logs for mDNS repeater service."
 
-#: ../../configuration/container/index.rst:195
+#: ../../configuration/container/index.rst:250
 msgid "Show logs from a given container"
 msgstr "Show logs from a given container"
 
@@ -12947,7 +14692,7 @@ msgstr "Show logs from a given container"
 msgid "Show logs from all DHCP client processes."
 msgstr "Show logs from all DHCP client processes."
 
-#: ../../configuration/service/dhcp-server.rst:733
+#: ../../configuration/service/dhcp-server.rst:763
 msgid "Show logs from all DHCPv6 client processes."
 msgstr "Show logs from all DHCPv6 client processes."
 
@@ -12955,7 +14700,7 @@ msgstr "Show logs from all DHCPv6 client processes."
 msgid "Show logs from specific `interface` DHCP client process."
 msgstr "Show logs from specific `interface` DHCP client process."
 
-#: ../../configuration/service/dhcp-server.rst:737
+#: ../../configuration/service/dhcp-server.rst:767
 msgid "Show logs from specific `interface` DHCPv6 client process."
 msgstr "Show logs from specific `interface` DHCPv6 client process."
 
@@ -12968,11 +14713,11 @@ msgid "Show only information for specified certificate."
 msgstr "Show only information for specified certificate."
 
 #: ../../configuration/service/dhcp-server.rst:537
-#: ../../configuration/service/dhcp-server.rst:760
+#: ../../configuration/service/dhcp-server.rst:792
 msgid "Show only leases in the specified pool."
 msgstr "Show only leases in the specified pool."
 
-#: ../../configuration/service/dhcp-server.rst:769
+#: ../../configuration/service/dhcp-server.rst:801
 msgid "Show only leases with the specified state. Possible states: abandoned, active, all, backup, expired, free, released, reset (default = active)"
 msgstr "Show only leases with the specified state. Possible states: abandoned, active, all, backup, expired, free, released, reset (default = active)"
 
@@ -13012,15 +14757,19 @@ msgstr "Show the DHCP server statistics for the specified pool."
 msgid "Show the console server log."
 msgstr "Show the console server log."
 
+#: ../../configuration/vpn/ipsec.rst:614
+msgid "Show the detailed status information of IKE charon process."
+msgstr "Show the detailed status information of IKE charon process."
+
 #: ../../configuration/system/acceleration.rst:46
 msgid "Show the full config uploaded to the QAT device."
 msgstr "Show the full config uploaded to the QAT device."
 
-#: ../../configuration/container/index.rst:187
+#: ../../configuration/container/index.rst:242
 msgid "Show the list of all active containers."
 msgstr "Show the list of all active containers."
 
-#: ../../configuration/container/index.rst:191
+#: ../../configuration/container/index.rst:246
 msgid "Show the local container images."
 msgstr "Show the local container images."
 
@@ -13028,15 +14777,15 @@ msgstr "Show the local container images."
 msgid "Show the logs of a specific Rule-Set."
 msgstr "Show the logs of a specific Rule-Set."
 
-#: ../../configuration/firewall/bridge.rst:316
+#: ../../configuration/firewall/bridge.rst:481
 msgid "Show the logs of all firewall; show all bridge firewall logs; show all logs for forward hook; show all logs for forward hook and priority filter; show all logs for particular custom chain; show logs for specific Rule-Set."
 msgstr "Show the logs of all firewall; show all bridge firewall logs; show all logs for forward hook; show all logs for forward hook and priority filter; show all logs for particular custom chain; show logs for specific Rule-Set."
 
-#: ../../configuration/firewall/ipv4.rst:1148
+#: ../../configuration/firewall/ipv4.rst:1252
 msgid "Show the logs of all firewall; show all ipv4 firewall logs; show all logs for particular hook; show all logs for particular hook and priority; show all logs for particular custom chain; show logs for specific Rule-Set."
 msgstr "Show the logs of all firewall; show all ipv4 firewall logs; show all logs for particular hook; show all logs for particular hook and priority; show all logs for particular custom chain; show logs for specific Rule-Set."
 
-#: ../../configuration/firewall/ipv6.rst:1148
+#: ../../configuration/firewall/ipv6.rst:1258
 msgid "Show the logs of all firewall; show all ipv6 firewall logs; show all logs for particular hook; show all logs for particular hook and priority; show all logs for particular custom chain; show logs for specific Rule-Set."
 msgstr "Show the logs of all firewall; show all ipv6 firewall logs; show all logs for particular hook; show all logs for particular hook and priority; show all logs for particular custom chain; show logs for specific Rule-Set."
 
@@ -13045,7 +14794,11 @@ msgstr "Show the logs of all firewall; show all ipv6 firewall logs; show all log
 msgid "Show the route"
 msgstr "Show the route"
 
-#: ../../configuration/interfaces/ethernet.rst:258
+#: ../../configuration/vpn/ipsec.rst:639
+msgid "Show the status of running IPsec process and process ID."
+msgstr "Show the status of running IPsec process and process ID."
+
+#: ../../configuration/interfaces/ethernet.rst:274
 msgid "Show transceiver information from plugin modules, e.g SFP+, QSFP"
 msgstr "Show transceiver information from plugin modules, e.g SFP+, QSFP"
 
@@ -13053,7 +14806,7 @@ msgstr "Show transceiver information from plugin modules, e.g SFP+, QSFP"
 msgid "Showing BFD monitored static routes"
 msgstr "Showing BFD monitored static routes"
 
-#: ../../configuration/service/dhcp-server.rst:745
+#: ../../configuration/service/dhcp-server.rst:775
 msgid "Shows status of all assigned leases:"
 msgstr "Shows status of all assigned leases:"
 
@@ -13085,6 +14838,10 @@ msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
 msgid "Similar combinations are applicable for the dead-peer-detection."
 msgstr "Similar combinations are applicable for the dead-peer-detection."
 
+#: ../../configuration/interfaces/bonding.rst:335
+msgid "Similarly traffic received from ES peers via the overlay cannot be forwarded to the server. This is split-horizon-filtering with local bias."
+msgstr "Similarly traffic received from ES peers via the overlay cannot be forwarded to the server. This is split-horizon-filtering with local bias."
+
 #: ../../configuration/protocols/babel.rst:190
 msgid "Simple Babel configuration using 2 nodes and redistributing connected interfaces."
 msgstr "Simple Babel configuration using 2 nodes and redistributing connected interfaces."
@@ -13105,16 +14862,28 @@ msgstr "Simple text password authentication is insecure and deprecated in favour
 msgid "Since both routers do not know their effective public addresses, we set the local-address of the peer to \"any\"."
 msgstr "Since both routers do not know their effective public addresses, we set the local-address of the peer to \"any\"."
 
+#: ../../configuration/firewall/bridge.rst:330
+msgid "Since bridges operates at layer 2, both matchers for IPv4 and IPv6 are supported in bridge firewall configuration. Same applies for firewall groups."
+msgstr "Since bridges operates at layer 2, both matchers for IPv4 and IPv6 are supported in bridge firewall configuration. Same applies for firewall groups."
+
+#: ../../configuration/firewall/bridge.rst:330
+msgid "Since bridges operats at layer 2, both matchers for IPv4 and IPv6 are supported in bridge firewall configuration. Same applies to firewall groups."
+msgstr "Since bridges operats at layer 2, both matchers for IPv4 and IPv6 are supported in bridge firewall configuration. Same applies to firewall groups."
+
 #: ../../configuration/interfaces/openvpn.rst:395
 msgid "Since it's a HQ and branch offices setup, we will want all clients to have fixed addresses and we will route traffic to specific subnets through them. We need configuration for each client to achieve this."
 msgstr "Since it's a HQ and branch offices setup, we will want all clients to have fixed addresses and we will route traffic to specific subnets through them. We need configuration for each client to achieve this."
 
+#: ../../configuration/interfaces/openvpn.rst:399
+msgid "Since it's a HQ with branch offices setup, we will want all clients to have fixed addresses and we will route traffic to specific subnets through them. We need configuration for each client to achieve this."
+msgstr "Since it's a HQ with branch offices setup, we will want all clients to have fixed addresses and we will route traffic to specific subnets through them. We need configuration for each client to achieve this."
+
 #: ../../configuration/vpn/l2tp.rst:151
 msgid "Since the RADIUS server would be a single point of failure, multiple RADIUS servers can be setup and will be used subsequentially."
 msgstr "Since the RADIUS server would be a single point of failure, multiple RADIUS servers can be setup and will be used subsequentially."
 
-#: ../../configuration/service/ipoe-server.rst:131
-#: ../../configuration/service/pppoe-server.rst:93
+#: ../../configuration/service/ipoe-server.rst:130
+#: ../../configuration/service/pppoe-server.rst:94
 #: ../../configuration/vpn/l2tp.rst:136
 #: ../../configuration/vpn/pptp.rst:76
 #: ../../configuration/vpn/sstp.rst:109
@@ -13130,6 +14899,10 @@ msgid "Since the mDNS protocol sends the :abbr:`AA(Authoritative Answer)` record
 msgstr "Since the mDNS protocol sends the :abbr:`AA(Authoritative Answer)` records in the packet itself, the repeater does not need to forge the source address. Instead, the source address is of the interface that repeats the packet."
 
 #: ../../configuration/service/ids.rst:98
+msgid "Since we are analyzing attacks to and from our internal network, two types of attacks can be identified, and different actions are needed:"
+msgstr "Since we are analyzing attacks to and from our internal network, two types of attacks can be identified, and different actions are needed:"
+
+#: ../../configuration/service/ids.rst:98
 msgid "Since we are analyzing attacks to and from our internal network, two types of attacks can be identified, and differents actions are needed:"
 msgstr "Since we are analyzing attacks to and from our internal network, two types of attacks can be identified, and differents actions are needed:"
 
@@ -13137,6 +14910,10 @@ msgstr "Since we are analyzing attacks to and from our internal network, two typ
 msgid "Single VXLAN device (SVD)"
 msgstr "Single VXLAN device (SVD)"
 
+#: ../../configuration/nat/cgnat.rst:111
+msgid "Single external address"
+msgstr "Single external address"
+
 #: ../../configuration/interfaces/openvpn.rst:39
 #: ../../configuration/vpn/site2site_ipsec.rst:4
 msgid "Site-to-Site"
@@ -13186,8 +14963,8 @@ msgstr "Some ISPs by default only delegate a /64 prefix. To request for a specif
 msgid "Some IT environments require the use of a proxy to connect to the Internet. Without this configuration VyOS updates could not be installed directly by using the :opcmd:`add system image` command (:ref:`update_vyos`)."
 msgstr "Some IT environments require the use of a proxy to connect to the Internet. Without this configuration VyOS updates could not be installed directly by using the :opcmd:`add system image` command (:ref:`update_vyos`)."
 
-#: ../../configuration/service/ipoe-server.rst:140
-#: ../../configuration/service/pppoe-server.rst:102
+#: ../../configuration/service/ipoe-server.rst:139
+#: ../../configuration/service/pppoe-server.rst:103
 #: ../../configuration/vpn/pptp.rst:85
 #: ../../configuration/vpn/sstp.rst:118
 msgid "Some RADIUS severs use an access control list which allows or denies queries, make sure to add your VyOS router to the allowed client list."
@@ -13201,7 +14978,7 @@ msgstr "Some RADIUS_ severs use an access control list which allows or denies qu
 msgid "Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP."
 msgstr "Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP."
 
-#: ../../configuration/container/index.rst:171
+#: ../../configuration/container/index.rst:226
 msgid "Some container registries require credentials to be used."
 msgstr "Some container registries require credentials to be used."
 
@@ -13213,14 +14990,18 @@ msgstr "Some firewall settings are global and have an affect on the whole system
 msgid "Some firewall settings are global and have an affect on the whole system. In this section there's useful information about these global-options that can be configured using vyos cli."
 msgstr "Some firewall settings are global and have an affect on the whole system. In this section there's useful information about these global-options that can be configured using vyos cli."
 
-#: ../../configuration/trafficpolicy/index.rst:327
+#: ../../configuration/trafficpolicy/index.rst:377
 msgid "Some policies already include other embedded policies inside. That is the case of Shaper_: each of its classes use fair-queue unless you change it."
 msgstr "Some policies already include other embedded policies inside. That is the case of Shaper_: each of its classes use fair-queue unless you change it."
 
-#: ../../configuration/trafficpolicy/index.rst:342
+#: ../../configuration/trafficpolicy/index.rst:392
 msgid "Some policies can be combined, you will be able to embed_ a different policy that will be applied to a class of the main policy."
 msgstr "Some policies can be combined, you will be able to embed_ a different policy that will be applied to a class of the main policy."
 
+#: ../../configuration/loadbalancing/haproxy.rst:237
+msgid "Some possible examples are:"
+msgstr "Some possible examples are:"
+
 #: ../../configuration/system/proxy.rst:27
 msgid "Some proxys require/support the \"basic\" HTTP authentication scheme as per :rfc:`7617`, thus a password can be configured."
 msgstr "Some proxys require/support the \"basic\" HTTP authentication scheme as per :rfc:`7617`, thus a password can be configured."
@@ -13241,11 +15022,11 @@ msgstr "Some services don't work correctly when being handled via a web proxy. S
 msgid "Some users tend to connect their mobile devices using WireGuard to their VyOS router. To ease deployment one can generate a \"per mobile\" configuration from the VyOS CLI."
 msgstr "Some users tend to connect their mobile devices using WireGuard to their VyOS router. To ease deployment one can generate a \"per mobile\" configuration from the VyOS CLI."
 
-#: ../../configuration/interfaces/openvpn.rst:651
+#: ../../configuration/interfaces/openvpn.rst:665
 msgid "Sometimes option lines in the generated OpenVPN configuration require quotes. This is done through a hack on our config generator. You can pass quotes using the ``&quot;`` statement."
 msgstr "Sometimes option lines in the generated OpenVPN configuration require quotes. This is done through a hack on our config generator. You can pass quotes using the ``&quot;`` statement."
 
-#: ../../configuration/service/dhcp-server.rst:764
+#: ../../configuration/service/dhcp-server.rst:796
 msgid "Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, last_comm, pool, remaining, state, type (default = ip)"
 msgstr "Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, last_comm, pool, remaining, state, type (default = ip)"
 
@@ -13261,10 +15042,10 @@ msgstr "Source Address"
 msgid "Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN."
 msgstr "Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN."
 
-#: ../../configuration/service/ipoe-server.rst:152
-#: ../../configuration/service/ipoe-server.rst:208
-#: ../../configuration/service/pppoe-server.rst:114
-#: ../../configuration/service/pppoe-server.rst:170
+#: ../../configuration/service/ipoe-server.rst:151
+#: ../../configuration/service/ipoe-server.rst:207
+#: ../../configuration/service/pppoe-server.rst:116
+#: ../../configuration/service/pppoe-server.rst:184
 #: ../../configuration/vpn/l2tp.rst:157
 #: ../../configuration/vpn/l2tp.rst:213
 #: ../../configuration/vpn/pptp.rst:97
@@ -13282,11 +15063,11 @@ msgstr "Source NAT rules"
 msgid "Source Prefix"
 msgstr "Source Prefix"
 
-#: ../../configuration/system/login.rst:280
+#: ../../configuration/system/login.rst:286
 msgid "Source all connections to the RADIUS servers from given VRF `<name>`."
 msgstr "Source all connections to the RADIUS servers from given VRF `<name>`."
 
-#: ../../configuration/system/login.rst:349
+#: ../../configuration/system/login.rst:355
 msgid "Source all connections to the TACACS servers from given VRF `<name>`."
 msgstr "Source all connections to the TACACS servers from given VRF `<name>`."
 
@@ -13294,7 +15075,7 @@ msgstr "Source all connections to the TACACS servers from given VRF `<name>`."
 msgid "Source protocol to match."
 msgstr "Source protocol to match."
 
-#: ../../configuration/vpn/ipsec.rst:229
+#: ../../configuration/vpn/ipsec.rst:249
 msgid "Source tunnel from dummy interface"
 msgstr "Source tunnel from dummy interface"
 
@@ -13314,7 +15095,7 @@ msgstr "Spanning Tree Protocol hello advertisement `<interval>` in seconds (defa
 msgid "Spanning Tree Protocol is not enabled by default in VyOS. :ref:`stp` can be easily enabled if needed."
 msgstr "Spanning Tree Protocol is not enabled by default in VyOS. :ref:`stp` can be easily enabled if needed."
 
-#: ../../configuration/interfaces/wireless.rst:209
+#: ../../configuration/interfaces/wireless.rst:240
 msgid "Spatial Multiplexing Power Save (SMPS) settings"
 msgstr "Spatial Multiplexing Power Save (SMPS) settings"
 
@@ -13322,36 +15103,36 @@ msgstr "Spatial Multiplexing Power Save (SMPS) settings"
 msgid "Specfying nhs makes all multicast packets to be repeated to each statically configured next hop."
 msgstr "Specfying nhs makes all multicast packets to be repeated to each statically configured next hop."
 
-#: ../../configuration/service/ipoe-server.rst:178
-#: ../../configuration/service/pppoe-server.rst:140
+#: ../../configuration/service/ipoe-server.rst:177
+#: ../../configuration/service/pppoe-server.rst:147
 #: ../../configuration/vpn/l2tp.rst:183
 #: ../../configuration/vpn/pptp.rst:123
 #: ../../configuration/vpn/sstp.rst:156
 msgid "Specifies IP address for Dynamic Authorization Extension server (DM/CoA)"
 msgstr "Specifies IP address for Dynamic Authorization Extension server (DM/CoA)"
 
-#: ../../configuration/service/pppoe-server.rst:470
-#: ../../configuration/vpn/l2tp.rst:424
+#: ../../configuration/service/pppoe-server.rst:495
+#: ../../configuration/vpn/l2tp.rst:427
 #: ../../configuration/vpn/pptp.rst:348
-#: ../../configuration/vpn/sstp.rst:382
+#: ../../configuration/vpn/sstp.rst:385
 msgid "Specifies IPv4 negotiation preference."
 msgstr "Specifies IPv4 negotiation preference."
 
-#: ../../configuration/service/pppoe-server.rst:345
-#: ../../configuration/vpn/l2tp.rst:289
+#: ../../configuration/service/pppoe-server.rst:365
+#: ../../configuration/vpn/l2tp.rst:292
 #: ../../configuration/vpn/pptp.rst:213
-#: ../../configuration/vpn/sstp.rst:247
+#: ../../configuration/vpn/sstp.rst:250
 msgid "Specifies IPv6 negotiation preference."
 msgstr "Specifies IPv6 negotiation preference."
 
-#: ../../configuration/service/pppoe-server.rst:552
+#: ../../configuration/service/pppoe-server.rst:577
 msgid "Specifies Service-Name to respond. If absent any Service-Name is acceptable and client’s Service-Name will be sent back. Also possible set multiple service-names: `sn1,sn2,sn3`"
 msgstr "Specifies Service-Name to respond. If absent any Service-Name is acceptable and client’s Service-Name will be sent back. Also possible set multiple service-names: `sn1,sn2,sn3`"
 
-#: ../../configuration/service/pppoe-server.rst:502
-#: ../../configuration/vpn/l2tp.rst:456
+#: ../../configuration/service/pppoe-server.rst:527
+#: ../../configuration/vpn/l2tp.rst:460
 #: ../../configuration/vpn/pptp.rst:380
-#: ../../configuration/vpn/sstp.rst:414
+#: ../../configuration/vpn/sstp.rst:418
 msgid "Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation preference."
 msgstr "Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation preference."
 
@@ -13363,7 +15144,7 @@ msgstr "Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioatio
 msgid "Specifies address to be used as server ip address if radius can assign only client address. In such case if client address is matched network and mask then specified address and mask will be used. You can specify multiple such options."
 msgstr "Specifies address to be used as server ip address if radius can assign only client address. In such case if client address is matched network and mask then specified address and mask will be used. You can specify multiple such options."
 
-#: ../../configuration/vrf/index.rst:496
+#: ../../configuration/vrf/index.rst:492
 msgid "Specifies an optional route-map to be applied to routes imported or exported between the current unicast VRF and VPN."
 msgstr "Specifies an optional route-map to be applied to routes imported or exported between the current unicast VRF and VPN."
 
@@ -13371,10 +15152,8 @@ msgstr "Specifies an optional route-map to be applied to routes imported or expo
 msgid "Specifies an upstream network `<interface>` from which replies from `<server>` and other relay agents will be accepted."
 msgstr "Specifies an upstream network `<interface>` from which replies from `<server>` and other relay agents will be accepted."
 
-#: ../../configuration/service/pppoe-server.rst:388
-#: ../../configuration/vpn/l2tp.rst:332
+#: ../../configuration/service/pppoe-server.rst:409
 #: ../../configuration/vpn/pptp.rst:256
-#: ../../configuration/vpn/sstp.rst:290
 msgid "Specifies fixed or random interface identifier for IPv6. By default is fixed."
 msgstr "Specifies fixed or random interface identifier for IPv6. By default is fixed."
 
@@ -13382,14 +15161,22 @@ msgstr "Specifies fixed or random interface identifier for IPv6. By default is f
 msgid "Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user. Set this low to force revalidation with short lived passwords."
 msgstr "Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user. Set this low to force revalidation with short lived passwords."
 
+#: ../../configuration/vpn/l2tp.rst:335
+#: ../../configuration/vpn/sstp.rst:293
+msgid "Specifies if a fixed or random interface identifier is used for IPv6. The default is fixed."
+msgstr "Specifies if a fixed or random interface identifier is used for IPv6. The default is fixed."
+
 #: ../../configuration/interfaces/vxlan.rst:89
 msgid "Specifies if unknown source link layer addresses and IP addresses are entered into the VXLAN device forwarding database."
 msgstr "Specifies if unknown source link layer addresses and IP addresses are entered into the VXLAN device forwarding database."
 
-#: ../../configuration/service/pppoe-server.rst:462
-#: ../../configuration/vpn/l2tp.rst:416
+#: ../../configuration/vpn/l2tp.rst:419
+#: ../../configuration/vpn/sstp.rst:377
+msgid "Specifies number of interfaces to cache. This prevents interfaces from being removed once the corresponding session is destroyed. Instead, interfaces are cached for later use in new sessions. This should reduce the kernel-level interface creation/deletion rate. Default value is **0**."
+msgstr "Specifies number of interfaces to cache. This prevents interfaces from being removed once the corresponding session is destroyed. Instead, interfaces are cached for later use in new sessions. This should reduce the kernel-level interface creation/deletion rate. Default value is **0**."
+
+#: ../../configuration/service/pppoe-server.rst:486
 #: ../../configuration/vpn/pptp.rst:340
-#: ../../configuration/vpn/sstp.rst:374
 msgid "Specifies number of interfaces to keep in cache. It means that don’t destroy interface after corresponding session is destroyed, instead place it to cache and use it later for new sessions repeatedly. This should reduce kernel-level interface creation/deletion rate lack. Default value is **0**."
 msgstr "Specifies number of interfaces to keep in cache. It means that don’t destroy interface after corresponding session is destroyed, instead place it to cache and use it later for new sessions repeatedly. This should reduce kernel-level interface creation/deletion rate lack. Default value is **0**."
 
@@ -13397,10 +15184,8 @@ msgstr "Specifies number of interfaces to keep in cache. It means that don’t d
 msgid "Specifies one of the bonding policies. The default is 802.3ad. Possible values are:"
 msgstr "Specifies one of the bonding policies. The default is 802.3ad. Possible values are:"
 
-#: ../../configuration/service/pppoe-server.rst:396
-#: ../../configuration/vpn/l2tp.rst:340
+#: ../../configuration/service/pppoe-server.rst:418
 #: ../../configuration/vpn/pptp.rst:264
-#: ../../configuration/vpn/sstp.rst:298
 msgid "Specifies peer interface identifier for IPv6. By default is fixed."
 msgstr "Specifies peer interface identifier for IPv6. By default is fixed."
 
@@ -13408,7 +15193,7 @@ msgstr "Specifies peer interface identifier for IPv6. By default is fixed."
 msgid "Specifies proxy service listening address. The listen address is the IP address on which the web proxy service listens for client requests."
 msgstr "Specifies proxy service listening address. The listen address is the IP address on which the web proxy service listens for client requests."
 
-#: ../../configuration/service/ipoe-server.rst:348
+#: ../../configuration/service/ipoe-server.rst:347
 msgid "Specifies relay agent IP addre"
 msgstr "Specifies relay agent IP addre"
 
@@ -13423,11 +15208,11 @@ msgstr "Specifies single `<gateway>` IP address to be used as local address of P
 msgid "Specifies that the :abbr:`NBMA (Non-broadcast multiple-access network)` addresses of the next hop servers are defined in the domain name nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry."
 msgstr "Specifies that the :abbr:`NBMA (Non-broadcast multiple-access network)` addresses of the next hop servers are defined in the domain name nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry."
 
-#: ../../configuration/interfaces/bonding.rst:245
+#: ../../configuration/interfaces/bonding.rst:250
 msgid "Specifies the ARP link monitoring `<time>` in seconds."
 msgstr "Specifies the ARP link monitoring `<time>` in seconds."
 
-#: ../../configuration/interfaces/bonding.rst:264
+#: ../../configuration/interfaces/bonding.rst:269
 msgid "Specifies the IP addresses to use as ARP monitoring peers when :cfgcmd:`arp-monitor interval` option is > 0. These are the targets of the ARP request sent to determine the health of the link to the targets."
 msgstr "Specifies the IP addresses to use as ARP monitoring peers when :cfgcmd:`arp-monitor interval` option is > 0. These are the targets of the ARP request sent to determine the health of the link to the targets."
 
@@ -13435,10 +15220,18 @@ msgstr "Specifies the IP addresses to use as ARP monitoring peers when :cfgcmd:`
 msgid "Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms can be provided."
 msgstr "Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms can be provided."
 
+#: ../../configuration/service/ssh.rst:69
+msgid "Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms can be provided by using multiple commands, defining one algorithm per command."
+msgstr "Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms can be provided by using multiple commands, defining one algorithm per command."
+
 #: ../../configuration/service/webproxy.rst:207
 msgid "Specifies the base DN under which the users are located."
 msgstr "Specifies the base DN under which the users are located."
 
+#: ../../configuration/service/ipoe-server.rst:88
+msgid "Specifies the client connectivity mode."
+msgstr "Specifies the client connectivity mode."
+
 #: ../../configuration/service/dhcp-server.rst:295
 msgid "Specifies the clients subnet mask as per RFC 950. If unset, subnet declaration is used."
 msgstr "Specifies the clients subnet mask as per RFC 950. If unset, subnet declaration is used."
@@ -13448,7 +15241,7 @@ msgstr "Specifies the clients subnet mask as per RFC 950. If unset, subnet decla
 msgid "Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or shortcut-target. The holdtime is specified in seconds and defaults to two hours."
 msgstr "Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or shortcut-target. The holdtime is specified in seconds and defaults to two hours."
 
-#: ../../configuration/system/flow-accounting.rst:132
+#: ../../configuration/system/flow-accounting.rst:136
 msgid "Specifies the interval at which Netflow data will be sent to a collector. As per default, Netflow data will be sent every 60 seconds."
 msgstr "Specifies the interval at which Netflow data will be sent to a collector. As per default, Netflow data will be sent every 60 seconds."
 
@@ -13464,6 +15257,11 @@ msgstr "Specifies the minimum number of links that must be active before asserti
 msgid "Specifies the name of the DN attribute that contains the username/login. Combined with the base DN to construct the users DN when no search filter is specified (`filter-expression`)."
 msgstr "Specifies the name of the DN attribute that contains the username/login. Combined with the base DN to construct the users DN when no search filter is specified (`filter-expression`)."
 
+#: ../../configuration/vpn/l2tp.rst:343
+#: ../../configuration/vpn/sstp.rst:301
+msgid "Specifies the peer interface identifier for IPv6. The default is fixed."
+msgstr "Specifies the peer interface identifier for IPv6. The default is fixed."
+
 #: ../../configuration/interfaces/pseudo-ethernet.rst:59
 msgid "Specifies the physical `<ethX>` Ethernet interface associated with a Pseudo Ethernet `<interface>`."
 msgstr "Specifies the physical `<ethX>` Ethernet interface associated with a Pseudo Ethernet `<interface>`."
@@ -13476,30 +15274,43 @@ msgstr "Specifies the port `<port>` that the SSTP port will listen on (default 4
 msgid "Specifies the protection scope (aka realm name) which is to be reported to the client for the authentication scheme. It is commonly part of the text the user will see when prompted for their username and password."
 msgstr "Specifies the protection scope (aka realm name) which is to be reported to the client for the authentication scheme. It is commonly part of the text the user will see when prompted for their username and password."
 
-#: ../../configuration/vrf/index.rst:471
+#: ../../configuration/vrf/index.rst:467
 msgid "Specifies the route-target list to be attached to a route (export) or the route-target list to match against (import) when exporting/importing between the current unicast VRF and VPN.The RTLIST is a space-separated list of route-targets, which are BGP extended community values as described in Extended Communities Attribute."
 msgstr "Specifies the route-target list to be attached to a route (export) or the route-target list to match against (import) when exporting/importing between the current unicast VRF and VPN.The RTLIST is a space-separated list of route-targets, which are BGP extended community values as described in Extended Communities Attribute."
 
-#: ../../configuration/vrf/index.rst:464
+#: ../../configuration/vrf/index.rst:460
 msgid "Specifies the route distinguisher to be added to a route exported from the current unicast VRF to VPN."
 msgstr "Specifies the route distinguisher to be added to a route exported from the current unicast VRF to VPN."
 
-#: ../../configuration/service/ipoe-server.rst:224
-#: ../../configuration/service/pppoe-server.rst:186
-#: ../../configuration/vpn/l2tp.rst:229
-#: ../../configuration/vpn/pptp.rst:169
+#: ../../configuration/service/ssh.rst:115
+msgid "Specifies the signature algorithms that will be accepted for public key authentication"
+msgstr "Specifies the signature algorithms that will be accepted for public key authentication"
+
 #: ../../configuration/vpn/sstp.rst:202
+msgid "Specifies the vendor dictionary, This dictionary needs to be present in /usr/share/accel-ppp/radius."
+msgstr "Specifies the vendor dictionary, This dictionary needs to be present in /usr/share/accel-ppp/radius."
+
+#: ../../configuration/service/ipoe-server.rst:223
+#: ../../configuration/service/pppoe-server.rst:203
+#: ../../configuration/vpn/pptp.rst:169
 msgid "Specifies the vendor dictionary, dictionary needs to be in /usr/share/accel-ppp/radius."
 msgstr "Specifies the vendor dictionary, dictionary needs to be in /usr/share/accel-ppp/radius."
 
+#: ../../configuration/vpn/l2tp.rst:229
+msgid "Specifies the vendor dictionary. This dictionary needs to be present in /usr/share/accel-ppp/radius."
+msgstr "Specifies the vendor dictionary. This dictionary needs to be present in /usr/share/accel-ppp/radius."
+
+#: ../../configuration/vpn/l2tp.rst:447
+#: ../../configuration/vpn/sstp.rst:405
+msgid "Specifies timeout in seconds to wait for any peer activity. If this option is specified it turns on adaptive lcp echo functionality and \"lcp-echo-failure\" is not used. Default value is **0**."
+msgstr "Specifies timeout in seconds to wait for any peer activity. If this option is specified it turns on adaptive lcp echo functionality and \"lcp-echo-failure\" is not used. Default value is **0**."
+
 #: ../../configuration/vpn/sstp.rst:194
 msgid "Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and \"lcp-echo-failure\" is not used."
 msgstr "Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and \"lcp-echo-failure\" is not used."
 
-#: ../../configuration/service/pppoe-server.rst:490
-#: ../../configuration/vpn/l2tp.rst:444
+#: ../../configuration/service/pppoe-server.rst:515
 #: ../../configuration/vpn/pptp.rst:368
-#: ../../configuration/vpn/sstp.rst:402
 msgid "Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and \"lcp-echo-failure\" is not used. Default value is **0**."
 msgstr "Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and \"lcp-echo-failure\" is not used. Default value is **0**."
 
@@ -13515,18 +15326,18 @@ msgstr "Specifies whether the VXLAN device is capable of vni filtering."
 msgid "Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When role is Candidate, this router participates in the translator election to determine if it will perform the translations duties. When role is Never, this router will never translate Type-7 LSAs into Type-5 LSAs."
 msgstr "Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When role is Candidate, this router participates in the translator election to determine if it will perform the translations duties. When role is Never, this router will never translate Type-7 LSAs into Type-5 LSAs."
 
-#: ../../configuration/service/ipoe-server.rst:212
+#: ../../configuration/service/ipoe-server.rst:211
 #: ../../configuration/vpn/l2tp.rst:217
 #: ../../configuration/vpn/pptp.rst:157
 #: ../../configuration/vpn/sstp.rst:190
 msgid "Specifies which RADIUS server attribute contains the rate limit information. The default attribute is `Filter-Id`."
 msgstr "Specifies which RADIUS server attribute contains the rate limit information. The default attribute is `Filter-Id`."
 
-#: ../../configuration/service/pppoe-server.rst:174
+#: ../../configuration/service/pppoe-server.rst:189
 msgid "Specifies which RADIUS server attribute contains the rate limit information. The default attribute is ``Filter-Id``."
 msgstr "Specifies which RADIUS server attribute contains the rate limit information. The default attribute is ``Filter-Id``."
 
-#: ../../configuration/service/ipoe-server.rst:344
+#: ../../configuration/service/ipoe-server.rst:343
 msgid "Specify DHCPv4 relay IP address to pass requests to. If specified giaddr is also needed."
 msgstr "Specify DHCPv4 relay IP address to pass requests to. If specified giaddr is also needed."
 
@@ -13542,11 +15353,16 @@ msgstr "Specify IPv4 and/or IPv6 networks that should be protected/monitored."
 msgid "Specify IPv4 and/or IPv6 networks which are going to be excluded."
 msgstr "Specify IPv4 and/or IPv6 networks which are going to be excluded."
 
-#: ../../configuration/firewall/ipv4.rst:424
-#: ../../configuration/firewall/ipv6.rst:408
+#: ../../configuration/firewall/ipv4.rst:448
+#: ../../configuration/firewall/ipv6.rst:436
 msgid "Specify a Fully Qualified Domain Name as source/destination matcher. Ensure router is able to resolve such dns query."
 msgstr "Specify a Fully Qualified Domain Name as source/destination matcher. Ensure router is able to resolve such dns query."
 
+#: ../../configuration/firewall/ipv4.rst:449
+#: ../../configuration/firewall/ipv6.rst:436
+msgid "Specify a Fully Qualified Domain Name as source/destination to match. Ensure that the router is able to resolve this dns query."
+msgstr "Specify a Fully Qualified Domain Name as source/destination to match. Ensure that the router is able to resolve this dns query."
+
 #: ../../configuration/service/dhcp-server.rst:609
 msgid "Specify a NIS+ server address for DHCPv6 clients."
 msgstr "Specify a NIS+ server address for DHCPv6 clients."
@@ -13567,7 +15383,7 @@ msgstr "Specify a range of group addresses via a prefix-list that forces PIM to
 msgid "Specify absolute `<path>` to script which will be run when `<task>` is executed."
 msgstr "Specify absolute `<path>` to script which will be run when `<task>` is executed."
 
-#: ../../configuration/service/ssh.rst:94
+#: ../../configuration/service/ssh.rst:95
 msgid "Specify allowed :abbr:`KEX (Key Exchange)` algorithms."
 msgstr "Specify allowed :abbr:`KEX (Key Exchange)` algorithms."
 
@@ -13579,17 +15395,23 @@ msgstr "Specify an alternate AS for this BGP process when interacting with the s
 msgid "Specify an alternate TCP port where the ldap server is listening if other than the default LDAP port 389."
 msgstr "Specify an alternate TCP port where the ldap server is listening if other than the default LDAP port 389."
 
+#: ../../configuration/loadbalancing/haproxy.rst:56
+#: ../../configuration/loadbalancing/haproxy.rst:173
+#: ../../configuration/loadbalancing/haproxy.rst:201
+msgid "Specify facility and level for logging. For an explanation on :ref:`syslog_facilities` and :ref:`syslog_severity_level` see tables in syslog configuration section."
+msgstr "Specify facility and level for logging. For an explanation on :ref:`syslog_facilities` and :ref:`syslog_severity_level` see tables in syslog configuration section."
+
 #: ../../configuration/service/dns.rst:348
 msgid "Specify interval in seconds to wait between Dynamic DNS updates. The default is  300 seconds."
 msgstr "Specify interval in seconds to wait between Dynamic DNS updates. The default is  300 seconds."
 
-#: ../../configuration/service/ipoe-server.rst:339
+#: ../../configuration/service/ipoe-server.rst:338
 msgid "Specify local range of ip address to give to dhcp clients. First IP in range is router IP. If you need more customization use `client-ip-pool`"
 msgstr "Specify local range of ip address to give to dhcp clients. First IP in range is router IP. If you need more customization use `client-ip-pool`"
 
-#: ../../configuration/service/ntp.rst:84
-#: ../../configuration/service/ssh.rst:110
-#: ../../configuration/system/syslog.rst:79
+#: ../../configuration/service/ntp.rst:91
+#: ../../configuration/service/ssh.rst:111
+#: ../../configuration/system/syslog.rst:97
 msgid "Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance."
 msgstr "Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance."
 
@@ -13601,11 +15423,11 @@ msgstr "Specify nexthop on the path to the destination, ``ipv4-address`` can be
 msgid "Specify static route into the routing table sending all non local traffic to the nexthop address `<address>`."
 msgstr "Specify static route into the routing table sending all non local traffic to the nexthop address `<address>`."
 
-#: ../../configuration/system/login.rst:249
+#: ../../configuration/system/login.rst:255
 msgid "Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret given in `<secret>`."
 msgstr "Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret given in `<secret>`."
 
-#: ../../configuration/system/login.rst:318
+#: ../../configuration/system/login.rst:324
 msgid "Specify the IP `<address>` of the TACACS server user with the pre-shared-secret given in `<secret>`."
 msgstr "Specify the IP `<address>` of the TACACS server user with the pre-shared-secret given in `<secret>`."
 
@@ -13617,6 +15439,10 @@ msgstr "Specify the IPv4 source address to use for the BGP session to this neigh
 msgid "Specify the LDAP server to connect to."
 msgstr "Specify the LDAP server to connect to."
 
+#: ../../configuration/service/config-sync.rst:29
+msgid "Specify the address, API key, timeout and port of the secondary router. You need to enable and configure the HTTP API service on the secondary router for config sync to operate."
+msgstr "Specify the address, API key, timeout and port of the secondary router. You need to enable and configure the HTTP API service on the secondary router for config sync to operate."
+
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
 msgid "Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater then 0 which fits in the length of SLA IDs (see below)."
 msgstr "Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater then 0 which fits in the length of SLA IDs (see below)."
@@ -13625,7 +15451,7 @@ msgstr "Specify the identifier value of the site-level aggregator (SLA) on the i
 msgid "Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer."
 msgstr "Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:207
+#: ../../configuration/loadbalancing/haproxy.rst:196
 msgid "Specify the minimum required TLS version 1.2 or 1.3"
 msgstr "Specify the minimum required TLS version 1.2 or 1.3"
 
@@ -13637,6 +15463,10 @@ msgstr "Specify the plaintext password user by user `<name>` on this system. The
 msgid "Specify the port used on which the proxy service is listening for requests. This port is the default port used for the specified listen-address."
 msgstr "Specify the port used on which the proxy service is listening for requests. This port is the default port used for the specified listen-address."
 
+#: ../../configuration/service/config-sync.rst:35
+msgid "Specify the section of the configuration to synchronize. If more than one section is to be synchronized, repeat the command to add additional sections as required."
+msgstr "Specify the section of the configuration to synchronize. If more than one section is to be synchronized, repeat the command to add additional sections as required."
+
 #: ../../configuration/system/time-zone.rst:13
 msgid "Specify the systems `<timezone>` as the Region/Location that best defines your location. For example, specifying US/Pacific sets the time zone to US Pacific time."
 msgstr "Specify the systems `<timezone>` as the Region/Location that best defines your location. For example, specifying US/Pacific sets the time zone to US Pacific time."
@@ -13649,15 +15479,19 @@ msgstr "Specify the time interval when `<task>` should be executed. The interval
 msgid "Specify timeout / update interval to check if IP address changed."
 msgstr "Specify timeout / update interval to check if IP address changed."
 
-#: ../../configuration/service/ssh.rst:90
+#: ../../configuration/service/ssh.rst:91
 msgid "Specify timeout interval for keepalive message in seconds."
 msgstr "Specify timeout interval for keepalive message in seconds."
 
-#: ../../configuration/service/ipoe-server.rst:97
+#: ../../configuration/service/ipoe-server.rst:96
 msgid "Specify where interface is shared by multiple users or it is vlan-per-user."
 msgstr "Specify where interface is shared by multiple users or it is vlan-per-user."
 
 #: ../../configuration/interfaces/vxlan.rst:191
+msgid "Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 are each VyOS routers running 1.2."
+msgstr "Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 are each VyOS routers running 1.2."
+
+#: ../../configuration/interfaces/vxlan.rst:191
 msgid "Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 is each a VyOS router running 1.2."
 msgstr "Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 is each a VyOS router running 1.2."
 
@@ -13685,6 +15519,24 @@ msgstr "Start Webserver in given  VRF."
 msgid "Start by checking for IPSec SAs (Security Associations) with:"
 msgstr "Start by checking for IPSec SAs (Security Associations) with:"
 
+#: ../../configuration/firewall/bridge.rst:392
+#: ../../configuration/firewall/ipv4.rst:986
+#: ../../configuration/firewall/ipv6.rst:976
+msgid "Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify packets before they are sent out. This feaure provides more flexibility in packet handling."
+msgstr "Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify packets before they are sent out. This feaure provides more flexibility in packet handling."
+
+#: ../../configuration/firewall/zone.rst:13
+msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all VyOS installations. The Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 have this feature. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter."
+msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all VyOS installations. The Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 have this feature. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter."
+
+#: ../../configuration/firewall/zone.rst:13
+msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all VyOS installations. The Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 have this feature. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` chapter."
+msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all VyOS installations. The Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 have this feature. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` chapter."
+
+#: ../../configuration/firewall/zone.rst:13
+msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all VyOS installations. Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 has this feature. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` chapter."
+msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all VyOS installations. Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 has this feature. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` chapter."
+
 #: ../../configuration/firewall/zone.rst:9
 msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
 msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
@@ -13729,7 +15581,7 @@ msgstr "Static Keys"
 msgid "Static Routes"
 msgstr "Static Routes"
 
-#: ../../configuration/interfaces/openvpn.rst:235
+#: ../../configuration/interfaces/openvpn.rst:237
 msgid "Static Routing:"
 msgstr "Static Routing:"
 
@@ -13742,12 +15594,12 @@ msgid "Static :abbr:`SAK (Secure Authentication Key)` mode can be configured man
 msgstr "Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each device wishing to use MACsec. Keys must be set statically on all devices for traffic to flow properly. Key rotation is dependent on the administrator updating all keys manually across connected devices. Static SAK mode can not be used with MKA."
 
 #: ../../configuration/service/dhcp-server.rst:224
-#: ../../configuration/service/dhcp-server.rst:682
+#: ../../configuration/service/dhcp-server.rst:712
 msgid "Static mappings"
 msgstr "Static mappings"
 
 #: ../../configuration/service/dhcp-server.rst:519
-#: ../../configuration/service/dhcp-server.rst:755
+#: ../../configuration/service/dhcp-server.rst:787
 msgid "Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``."
 msgstr "Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``."
 
@@ -13755,11 +15607,15 @@ msgstr "Static mappings aren't shown. To show all states, use ``show dhcp server
 msgid "Static routes are manually configured routes, which, in general, cannot be updated dynamically from information VyOS learns about the network topology from other routing protocols. However, if a link fails, the router will remove routes, including static routes, from the :abbr:`RIPB (Routing Information Base)` that used this interface to reach the next hop. In general, static routes should only be used for very simple network topologies, or to override the behavior of a dynamic routing protocol for a small number of routes. The collection of all routes the router has learned from its configuration or from its dynamic routing protocols is stored in the RIB. Unicast routes are directly used to determine the forwarding table used for unicast packet forwarding."
 msgstr "Static routes are manually configured routes, which, in general, cannot be updated dynamically from information VyOS learns about the network topology from other routing protocols. However, if a link fails, the router will remove routes, including static routes, from the :abbr:`RIPB (Routing Information Base)` that used this interface to reach the next hop. In general, static routes should only be used for very simple network topologies, or to override the behavior of a dynamic routing protocol for a small number of routes. The collection of all routes the router has learned from its configuration or from its dynamic routing protocols is stored in the RIB. Unicast routes are directly used to determine the forwarding table used for unicast packet forwarding."
 
-#: ../../configuration/interfaces/openvpn.rst:237
+#: ../../configuration/interfaces/openvpn.rst:239
 msgid "Static routes can be configured referencing the tunnel interface; for example, the local router will use a network of 10.0.0.0/16, while the remote has a network of 10.1.0.0/16:"
 msgstr "Static routes can be configured referencing the tunnel interface; for example, the local router will use a network of 10.0.0.0/16, while the remote has a network of 10.1.0.0/16:"
 
-#: ../../configuration/interfaces/wireless.rst:298
+#: ../../configuration/interfaces/wireless.rst:19
+msgid "Station mode acts as a Wi-Fi client accessing the network through an available WAP"
+msgstr "Station mode acts as a Wi-Fi client accessing the network through an available WAP"
+
+#: ../../configuration/interfaces/wireless.rst:335
 msgid "Station supports receiving VHT variant HT Control field"
 msgstr "Station supports receiving VHT variant HT Control field"
 
@@ -13787,7 +15643,7 @@ msgstr "Summarisation starts only after this delay timer expiry."
 msgid "Supported Modules"
 msgstr "Supported Modules"
 
-#: ../../configuration/interfaces/wireless.rst:150
+#: ../../configuration/interfaces/wireless.rst:180
 msgid "Supported channel width set."
 msgstr "Supported channel width set."
 
@@ -13799,7 +15655,7 @@ msgstr "Supported daemons:"
 msgid "Supported interface types:"
 msgstr "Supported interface types:"
 
-#: ../../configuration/service/ssh.rst:198
+#: ../../configuration/service/ssh.rst:218
 msgid "Supported remote protocols are FTP, FTPS, HTTP, HTTPS, SCP/SFTP and TFTP."
 msgstr "Supported remote protocols are FTP, FTPS, HTTP, HTTPS, SCP/SFTP and TFTP."
 
@@ -13812,11 +15668,11 @@ msgstr "Supported versions of RIP are:"
 msgid "Supports as HELPER for configured grace period."
 msgstr "Supports as HELPER for configured grace period."
 
-#: ../../configuration/vpn/ipsec.rst:182
+#: ../../configuration/vpn/ipsec.rst:202
 msgid "Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, and the RIGHT router is 203.0.113.45"
 msgstr "Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, and the RIGHT router is 203.0.113.45"
 
-#: ../../configuration/interfaces/openvpn.rst:338
+#: ../../configuration/interfaces/openvpn.rst:342
 msgid "Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and all client subnets belong to 10.23.0.0/20. All clients need access to the 192.168.0.0/16 network."
 msgstr "Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and all client subnets belong to 10.23.0.0/20. All clients need access to the 192.168.0.0/16 network."
 
@@ -13824,6 +15680,14 @@ msgstr "Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints
 msgid "Suppress sending Capability Negotiation as OPEN message optional parameter to the peer. This command only affects the peer is configured other than IPv4 unicast configuration."
 msgstr "Suppress sending Capability Negotiation as OPEN message optional parameter to the peer. This command only affects the peer is configured other than IPv4 unicast configuration."
 
+#: ../../configuration/service/suricata.rst:12
+msgid "Suricata Features"
+msgstr "Suricata Features"
+
+#: ../../configuration/service/suricata.rst:7
+msgid "Suricata and VyOS are powerful tools for ensuring network security and traffic management. Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that analyzes network packets in real-time."
+msgstr "Suricata and VyOS are powerful tools for ensuring network security and traffic management. Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that analyzes network packets in real-time."
+
 #: ../../configuration/vpn/dmvpn.rst:108
 msgid "Synamic instructs to forward to all peers which we have a direct connection with. Alternatively, you can specify the directive multiple times for each protocol-address the multicast traffic should be sent to."
 msgstr "Synamic instructs to forward to all peers which we have a direct connection with. Alternatively, you can specify the directive multiple times for each protocol-address the multicast traffic should be sent to."
@@ -13832,18 +15696,22 @@ msgstr "Synamic instructs to forward to all peers which we have a direct connect
 msgid "Sync groups"
 msgstr "Sync groups"
 
-#: ../../configuration/firewall/ipv4.rst:934
-#: ../../configuration/firewall/ipv6.rst:920
+#: ../../configuration/service/config-sync.rst:63
+msgid "Synchronize the time-zone and OSPF configuration from Router A to Router B"
+msgstr "Synchronize the time-zone and OSPF configuration from Router A to Router B"
+
+#: ../../configuration/firewall/ipv4.rst:1035
+#: ../../configuration/firewall/ipv6.rst:1025
 msgid "Synproxy"
 msgstr "Synproxy"
 
-#: ../../configuration/firewall/ipv4.rst:935
-#: ../../configuration/firewall/ipv6.rst:921
+#: ../../configuration/firewall/ipv4.rst:1036
+#: ../../configuration/firewall/ipv6.rst:1026
 msgid "Synproxy connections"
 msgstr "Synproxy connections"
 
-#: ../../configuration/firewall/ipv4.rst:952
-#: ../../configuration/firewall/ipv6.rst:938
+#: ../../configuration/firewall/ipv4.rst:1057
+#: ../../configuration/firewall/ipv6.rst:1047
 msgid "Synproxy relies on syncookies and TCP timestamps, ensure these are enabled"
 msgstr "Synproxy relies on syncookies and TCP timestamps, ensure these are enabled"
 
@@ -13863,11 +15731,15 @@ msgstr "Syslog"
 msgid "Syslog supports logging to multiple targets, those targets could be a plain file on your VyOS installation itself, a serial console or a remote syslog server which is reached via :abbr:`IP (Internet Protocol)` UDP/TCP."
 msgstr "Syslog supports logging to multiple targets, those targets could be a plain file on your VyOS installation itself, a serial console or a remote syslog server which is reached via :abbr:`IP (Internet Protocol)` UDP/TCP."
 
+#: ../../configuration/system/syslog.rst:66
+msgid "Syslog uses logrotate to rotate logfiles after a number of gives bytes. We keep as many as `<number>` rotated file before they are deleted on the system."
+msgstr "Syslog uses logrotate to rotate logfiles after a number of gives bytes. We keep as many as `<number>` rotated file before they are deleted on the system."
+
 #: ../../configuration/system/syslog.rst:48
 msgid "Syslog uses logrotate to rotate logiles after a number of gives bytes. We keep as many as `<number>` rotated file before they are deleted on the system."
 msgstr "Syslog uses logrotate to rotate logiles after a number of gives bytes. We keep as many as `<number>` rotated file before they are deleted on the system."
 
-#: ../../configuration/system/syslog.rst:42
+#: ../../configuration/system/syslog.rst:60
 msgid "Syslog will write `<size>` kilobytes into the file specified by `<filename>`. After this limit has been reached, the custom file is \"rotated\" by logrotate and a new custom file is created."
 msgstr "Syslog will write `<size>` kilobytes into the file specified by `<filename>`. After this limit has been reached, the custom file is \"rotated\" by logrotate and a new custom file is created."
 
@@ -13891,6 +15763,10 @@ msgstr "System Name and Description"
 msgid "System Proxy"
 msgstr "System Proxy"
 
+#: ../../configuration/interfaces/wireless.rst:40
+msgid "System Wide configuration"
+msgstr "System Wide configuration"
+
 #: ../../configuration/service/lldp.rst:30
 msgid "System capabilities (switching, routing, etc.)"
 msgstr "System capabilities (switching, routing, etc.)"
@@ -13900,43 +15776,52 @@ msgstr "System capabilities (switching, routing, etc.)"
 msgid "System configuration commands"
 msgstr "System configuration commands"
 
-#: ../../configuration/system/syslog.rst:118
+#: ../../configuration/system/syslog.rst:136
 msgid "System daemons"
 msgstr "System daemons"
 
 #: ../../configuration/protocols/isis.rst:57
+#: ../../configuration/protocols/openfabric.rst:47
+msgid "System identifier: ``1921.6800.1002`` - for system identifiers we recommend to use IP address or MAC address of the router itself. The way to construct this is to keep all of the zeroes of the router IP address, and then change the periods from being every three numbers to every four numbers. The address that is listed here is ``192.168.1.2``, which if expanded will turn into ``192.168.001.002``. Then all one has to do is move the dots to have four numbers instead of three. This gives us ``1921.6800.1002``."
+msgstr "System identifier: ``1921.6800.1002`` - for system identifiers we recommend to use IP address or MAC address of the router itself. The way to construct this is to keep all of the zeroes of the router IP address, and then change the periods from being every three numbers to every four numbers. The address that is listed here is ``192.168.1.2``, which if expanded will turn into ``192.168.001.002``. Then all one has to do is move the dots to have four numbers instead of three. This gives us ``1921.6800.1002``."
+
+#: ../../configuration/protocols/isis.rst:57
 msgid "System identifier: ``1921.6800.1002`` - for system idetifiers we recommend to use IP address or MAC address of the router itself. The way to construct this is to keep all of the zeroes of the router IP address, and then change the periods from being every three numbers to every four numbers. The address that is listed here is ``192.168.1.2``, which if expanded will turn into ``192.168.001.002``. Then all one has to do is move the dots to have four numbers instead of three. This gives us ``1921.6800.1002``."
 msgstr "System identifier: ``1921.6800.1002`` - for system idetifiers we recommend to use IP address or MAC address of the router itself. The way to construct this is to keep all of the zeroes of the router IP address, and then change the periods from being every three numbers to every four numbers. The address that is listed here is ``192.168.1.2``, which if expanded will turn into ``192.168.001.002``. Then all one has to do is move the dots to have four numbers instead of three. This gives us ``1921.6800.1002``."
 
-#: ../../configuration/system/syslog.rst:171
+#: ../../configuration/system/syslog.rst:189
 msgid "System is unusable - a panic condition"
 msgstr "System is unusable - a panic condition"
 
-#: ../../configuration/system/login.rst:303
+#: ../../configuration/system/login.rst:309
 msgid "TACACS+"
 msgstr "TACACS+"
 
-#: ../../configuration/system/login.rst:422
+#: ../../configuration/system/login.rst:428
 msgid "TACACS Example"
 msgstr "TACACS Example"
 
-#: ../../configuration/system/login.rst:309
+#: ../../configuration/system/login.rst:315
 msgid "TACACS is defined in :rfc:`8907`."
 msgstr "TACACS is defined in :rfc:`8907`."
 
-#: ../../configuration/system/login.rst:339
+#: ../../configuration/system/login.rst:345
 msgid "TACACS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address of each TACACS query can be configured."
 msgstr "TACACS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address of each TACACS query can be configured."
 
 #: ../../configuration/protocols/static.rst:173
-#: ../../configuration/system/flow-accounting.rst:83
+#: ../../configuration/system/flow-accounting.rst:87
 msgid "TBD"
 msgstr "TBD"
 
-#: ../../configuration/vrf/index.rst:40
+#: ../../configuration/vrf/index.rst:36
 msgid "TCP & UDP services running in the default VRF context (ie., not bound to any VRF device) can work across all VRF domains by enabling this option."
 msgstr "TCP & UDP services running in the default VRF context (ie., not bound to any VRF device) can work across all VRF domains by enabling this option."
 
+#: ../../configuration/loadbalancing/haproxy.rst:242
+msgid "TCP checks"
+msgstr "TCP checks"
+
 #: ../../configuration/service/tftp-server.rst:5
 msgid "TFTP Server"
 msgstr "TFTP Server"
@@ -13953,6 +15838,10 @@ msgstr "Task Scheduler"
 msgid "Telegraf"
 msgstr "Telegraf"
 
+#: ../../configuration/service/monitoring.rst:136
+msgid "Telegraf can be used to send logs to Loki using tags as labels."
+msgstr "Telegraf can be used to send logs to Loki using tags as labels."
+
 #: ../../configuration/service/monitoring.rst:6
 msgid "Telegraf output plugin azure-data-explorer_"
 msgstr "Telegraf output plugin azure-data-explorer_"
@@ -13981,23 +15870,27 @@ msgstr "Tell hosts to use the administered (stateful) protocol (i.e. DHCP) for a
 msgid "Tell hosts to use the administered stateful protocol (i.e. DHCP) for autoconfiguration"
 msgstr "Tell hosts to use the administered stateful protocol (i.e. DHCP) for autoconfiguration"
 
-#: ../../configuration/service/ipoe-server.rst:170
-#: ../../configuration/service/pppoe-server.rst:132
+#: ../../configuration/interfaces/wireless.rst:343
+msgid "Tell the AP that antenna positions are fixed and will not change during the lifetime of an association."
+msgstr "Tell the AP that antenna positions are fixed and will not change during the lifetime of an association."
+
+#: ../../configuration/service/ipoe-server.rst:169
+#: ../../configuration/service/pppoe-server.rst:137
 #: ../../configuration/vpn/l2tp.rst:175
 #: ../../configuration/vpn/pptp.rst:115
 #: ../../configuration/vpn/sstp.rst:148
 msgid "Temporary disable this RADIUS server."
 msgstr "Temporary disable this RADIUS server."
 
-#: ../../configuration/system/login.rst:262
+#: ../../configuration/system/login.rst:268
 msgid "Temporary disable this RADIUS server. It won't be queried."
 msgstr "Temporary disable this RADIUS server. It won't be queried."
 
-#: ../../configuration/system/login.rst:331
+#: ../../configuration/system/login.rst:337
 msgid "Temporary disable this TACACS server. It won't be queried."
 msgstr "Temporary disable this TACACS server. It won't be queried."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:286
+#: ../../configuration/loadbalancing/haproxy.rst:338
 msgid "Terminate SSL"
 msgstr "Terminate SSL"
 
@@ -14033,7 +15926,7 @@ msgstr "Testing and Validation"
 msgid "Thanks to this discovery, any subsequent traffic between PC4 and PC5 will not be using the multicast-address between the leaves as they both know behind which Leaf the PCs are connected. This saves traffic as less multicast packets sent reduces the load on the network, which improves scalability when more leaves are added."
 msgstr "Thanks to this discovery, any subsequent traffic between PC4 and PC5 will not be using the multicast-address between the leaves as they both know behind which Leaf the PCs are connected. This saves traffic as less multicast packets sent reduces the load on the network, which improves scalability when more leaves are added."
 
-#: ../../configuration/trafficpolicy/index.rst:1262
+#: ../../configuration/trafficpolicy/index.rst:1312
 msgid "That is how it is possible to do the so-called \"ingress shaping\"."
 msgstr "That is how it is possible to do the so-called \"ingress shaping\"."
 
@@ -14041,7 +15934,7 @@ msgstr "That is how it is possible to do the so-called \"ingress shaping\"."
 msgid "That looks good - we defined 2 tunnels and they're both up and running."
 msgstr "That looks good - we defined 2 tunnels and they're both up and running."
 
-#: ../../configuration/interfaces/bonding.rst:247
+#: ../../configuration/interfaces/bonding.rst:252
 msgid "The ARP monitor works by periodically checking the slave devices to determine whether they have sent or received traffic recently (the precise criteria depends upon the bonding mode, and the state of the slave). Regular traffic is generated via ARP probes issued for the addresses specified by the :cfgcmd:`arp-monitor target` option."
 msgstr "The ARP monitor works by periodically checking the slave devices to determine whether they have sent or received traffic recently (the precise criteria depends upon the bonding mode, and the state of the slave). Regular traffic is generated via ARP probes issued for the addresses specified by the :cfgcmd:`arp-monitor target` option."
 
@@ -14053,14 +15946,19 @@ msgstr "The ASP has documented their IPSec requirements:"
 msgid "The BGP router can connect to one or more RPKI cache servers to receive validated prefix to origin AS mappings. Advanced failover can be implemented by server sockets with different preference values."
 msgstr "The BGP router can connect to one or more RPKI cache servers to receive validated prefix to origin AS mappings. Advanced failover can be implemented by server sockets with different preference values."
 
-#: ../../configuration/vrf/index.rst:113
+#: ../../configuration/vrf/index.rst:109
 msgid "The CLI configuration is same as mentioned in above articles. The only difference is, that each routing protocol used, must be prefixed with the `vrf name <name>` command."
 msgstr "The CLI configuration is same as mentioned in above articles. The only difference is, that each routing protocol used, must be prefixed with the `vrf name <name>` command."
 
 #: ../../configuration/protocols/isis.rst:50
+#: ../../configuration/protocols/openfabric.rst:40
 msgid "The CLNS address consists of the following parts:"
 msgstr "The CLNS address consists of the following parts:"
 
+#: ../../configuration/interfaces/bonding.rst:328
+msgid "The DF preference is configurable per-ES."
+msgstr "The DF preference is configurable per-ES."
+
 #: ../../_include/interface-dhcpv6-options.txt:4
 msgid "The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client."
 msgstr "The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client."
@@ -14073,11 +15971,11 @@ msgstr "The DN and password to bind as while performing searches."
 msgid "The DN and password to bind as while performing searches. As the password needs to be printed in plain text in your Squid configuration it is strongly recommended to use a account with minimal associated privileges. This to limit the damage in case someone could get hold of a copy of your Squid configuration file."
 msgstr "The DN and password to bind as while performing searches. As the password needs to be printed in plain text in your Squid configuration it is strongly recommended to use a account with minimal associated privileges. This to limit the damage in case someone could get hold of a copy of your Squid configuration file."
 
-#: ../../configuration/trafficpolicy/index.rst:446
+#: ../../configuration/trafficpolicy/index.rst:496
 msgid "The FQ-CoDel policy distributes the traffic into 1024 FIFO queues and tries to provide good service between all of them. It also tries to keep the length of all the queues short."
 msgstr "The FQ-CoDel policy distributes the traffic into 1024 FIFO queues and tries to provide good service between all of them. It also tries to keep the length of all the queues short."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:256
+#: ../../configuration/loadbalancing/haproxy.rst:308
 msgid "The HTTP service listen on TCP port 80."
 msgstr "The HTTP service listen on TCP port 80."
 
@@ -14085,7 +15983,7 @@ msgstr "The HTTP service listen on TCP port 80."
 msgid "The IP address of the internal system we wish to forward traffic to."
 msgstr "The IP address of the internal system we wish to forward traffic to."
 
-#: ../../configuration/interfaces/wireless.rst:604
+#: ../../configuration/interfaces/wireless.rst:916
 msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
 msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
 
@@ -14101,7 +15999,11 @@ msgstr "The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in Vy
 msgid "The PowerDNS recursor has 5 different levels of DNSSEC processing, which can be set with the dnssec setting. In order from least to most processing, these are:"
 msgstr "The PowerDNS recursor has 5 different levels of DNSSEC processing, which can be set with the dnssec setting. In order from least to most processing, these are:"
 
-#: ../../configuration/trafficpolicy/index.rst:694
+#: ../../configuration/service/ntp.rst:176
+msgid "The Precision Time Protocol (IEEE 1588) is a local network time synchronization protocol that provides high precision time synchronization by leveraging hardware clocks in NICs and other network elements. VyOS does not currently support standards-based PTP, which can be deployed independently of NTP."
+msgstr "The Precision Time Protocol (IEEE 1588) is a local network time synchronization protocol that provides high precision time synchronization by leveraging hardware clocks in NICs and other network elements. VyOS does not currently support standards-based PTP, which can be deployed independently of NTP."
+
+#: ../../configuration/trafficpolicy/index.rst:744
 msgid "The Priority Queue is a classful scheduling policy. It does not delay packets (Priority Queue is not a shaping policy), it simply dequeues packets according to their priority."
 msgstr "The Priority Queue is a classful scheduling policy. It does not delay packets (Priority Queue is not a shaping policy), it simply dequeues packets according to their priority."
 
@@ -14117,7 +16019,7 @@ msgstr "The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/ra
 msgid "The SR segments are portions of the network path taken by the packet, and are called SIDs. At each node, the first SID of the list is read, executed as a forwarding function, and may be popped to let the next node read the next SID of the list. The SID list completely determines the path where the packet is forwarded."
 msgstr "The SR segments are portions of the network path taken by the packet, and are called SIDs. At each node, the first SID of the list is read, executed as a forwarding function, and may be popped to let the next node read the next SID of the list. The SID list completely determines the path where the packet is forwarded."
 
-#: ../../configuration/trafficpolicy/index.rst:1023
+#: ../../configuration/trafficpolicy/index.rst:1073
 msgid "The Shaper policy does not guarantee a low delay, but it does guarantee bandwidth to different traffic classes and also lets you decide how to allocate more traffic once the guarantees are met."
 msgstr "The Shaper policy does not guarantee a low delay, but it does guarantee bandwidth to different traffic classes and also lets you decide how to allocate more traffic once the guarantees are met."
 
@@ -14125,6 +16027,10 @@ msgstr "The Shaper policy does not guarantee a low delay, but it does guarantee
 msgid "The UDP port number used by your apllication. It is mandatory for this kind of operation."
 msgstr "The UDP port number used by your apllication. It is mandatory for this kind of operation."
 
+#: ../../configuration/service/broadcast-relay.rst:38
+msgid "The UDP port number used by your application. It is mandatory for this kind of operation."
+msgstr "The UDP port number used by your application. It is mandatory for this kind of operation."
+
 #: ../../configuration/interfaces/vxlan.rst:23
 msgid "The VXLAN specification was originally created by VMware, Arista Networks and Cisco. Other backers of the VXLAN technology include Huawei, Broadcom, Citrix, Pica8, Big Switch Networks, Cumulus Networks, Dell EMC, Ericsson, Mellanox, FreeBSD, OpenBSD, Red Hat, Joyent, and Juniper Networks."
 msgstr "The VXLAN specification was originally created by VMware, Arista Networks and Cisco. Other backers of the VXLAN technology include Huawei, Broadcom, Citrix, Pica8, Big Switch Networks, Cumulus Networks, Dell EMC, Ericsson, Mellanox, FreeBSD, OpenBSD, Red Hat, Joyent, and Juniper Networks."
@@ -14157,8 +16063,12 @@ msgstr "The VyOS PKI subsystem can also be used to automatically retrieve Certif
 msgid "The VyOS container implementation is based on `Podman<https://podman.io/>` as a deamonless container engine."
 msgstr "The VyOS container implementation is based on `Podman<https://podman.io/>` as a deamonless container engine."
 
-#: ../../configuration/interfaces/wireless.rst:347
-#: ../../configuration/interfaces/wireless.rst:547
+#: ../../configuration/container/index.rst:7
+msgid "The VyOS container implementation is based on `Podman <https://podman.io/>`_ as a deamonless container engine."
+msgstr "The VyOS container implementation is based on `Podman <https://podman.io/>`_ as a deamonless container engine."
+
+#: ../../configuration/interfaces/wireless.rst:458
+#: ../../configuration/interfaces/wireless.rst:671
 msgid "The WAP in this example has the following characteristics:"
 msgstr "The WAP in this example has the following characteristics:"
 
@@ -14178,6 +16088,10 @@ msgstr "The :abbr:`DNPTv6 (Destination IPv6-to-IPv6 Network Prefix Translation)`
 msgid "The :abbr:`MPLS (Multi-Protocol Label Switching)` architecture does not assume a single protocol to create MPLS paths. VyOS supports the Label Distribution Protocol (LDP) as implemented by FRR, based on :rfc:`5036`."
 msgstr "The :abbr:`MPLS (Multi-Protocol Label Switching)` architecture does not assume a single protocol to create MPLS paths. VyOS supports the Label Distribution Protocol (LDP) as implemented by FRR, based on :rfc:`5036`."
 
+#: ../../configuration/interfaces/wireless.rst:9
+msgid "The :abbr:`WLAN (Wireless LAN)` interface provides 802.11 (a/b/g/n/ac) wireless support (commonly referred to as Wi-Fi) by means of compatible hardware. If your hardware supports it, VyOS supports multiple logical wireless interfaces per physical device."
+msgstr "The :abbr:`WLAN (Wireless LAN)` interface provides 802.11 (a/b/g/n/ac) wireless support (commonly referred to as Wi-Fi) by means of compatible hardware. If your hardware supports it, VyOS supports multiple logical wireless interfaces per physical device."
+
 #: ../../configuration/nat/nat66.rst:75
 msgid "The :ref:`source-nat66` rule replaces the source address of the packet and calculates the converted address using the prefix specified in the rule."
 msgstr "The :ref:`source-nat66` rule replaces the source address of the packet and calculates the converted address using the prefix specified in the rule."
@@ -14194,7 +16108,7 @@ msgstr "The ``address`` can be configured either on the VRRP interface or on not
 msgid "The ``address`` parameter can be either an IPv4 or IPv6 address, but you can not mix IPv4 and IPv6 in the same group, and will need to create groups with different VRIDs specially for IPv4 and IPv6. If you want to use IPv4 + IPv6 address you can use option ``excluded-address``"
 msgstr "The ``address`` parameter can be either an IPv4 or IPv6 address, but you can not mix IPv4 and IPv6 in the same group, and will need to create groups with different VRIDs specially for IPv4 and IPv6. If you want to use IPv4 + IPv6 address you can use option ``excluded-address``"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:345
+#: ../../configuration/loadbalancing/haproxy.rst:399
 msgid "The ``bk-bridge-ssl`` backend connects to sr01 server on port 443 via HTTPS and checks backend server has a valid certificate trusted by CA ``cacert``"
 msgstr "The ``bk-bridge-ssl`` backend connects to sr01 server on port 443 via HTTPS and checks backend server has a valid certificate trusted by CA ``cacert``"
 
@@ -14202,11 +16116,11 @@ msgstr "The ``bk-bridge-ssl`` backend connects to sr01 server on port 443 via HT
 msgid "The ``http`` service is lestens on port 80 and force redirects from HTTP to HTTPS."
 msgstr "The ``http`` service is lestens on port 80 and force redirects from HTTP to HTTPS."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:289
+#: ../../configuration/loadbalancing/haproxy.rst:341
 msgid "The ``http`` service is listens on port 80 and force redirects from HTTP to HTTPS."
 msgstr "The ``http`` service is listens on port 80 and force redirects from HTTP to HTTPS."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:342
+#: ../../configuration/loadbalancing/haproxy.rst:396
 msgid "The ``https`` service listens on port 443 with backend ``bk-bridge-ssl`` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination."
 msgstr "The ``https`` service listens on port 443 with backend ``bk-bridge-ssl`` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination."
 
@@ -14214,23 +16128,30 @@ msgstr "The ``https`` service listens on port 443 with backend ``bk-bridge-ssl``
 msgid "The ``https`` service listens on port 443 with backend ``bk-default`` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination."
 msgstr "The ``https`` service listens on port 443 with backend ``bk-default`` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination."
 
+#: ../../configuration/loadbalancing/haproxy.rst:344
+msgid "The ``https`` service listens on port 443 with backend ``bk-default`` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination. HSTS header is set with a 1-year expiry, to tell browsers to always use SSL for site."
+msgstr "The ``https`` service listens on port 443 with backend ``bk-default`` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination. HSTS header is set with a 1-year expiry, to tell browsers to always use SSL for site."
+
 #: ../../configuration/loadbalancing/reverse-proxy.rst:251
 msgid "The ``https`` service listens on port 443 with backend `bk-default` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination."
 msgstr "The ``https`` service listens on port 443 with backend `bk-default` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination."
 
-#: ../../configuration/interfaces/openvpn.rst:66
+#: ../../configuration/interfaces/openvpn.rst:67
 msgid "The ``persistent-tunnel`` directive will allow us to configure tunnel-related attributes, such as firewall policy as we would on any normal network interface."
 msgstr "The ``persistent-tunnel`` directive will allow us to configure tunnel-related attributes, such as firewall policy as we would on any normal network interface."
 
-#: ../../configuration/service/ipoe-server.rst:154
-#: ../../configuration/service/pppoe-server.rst:116
-#: ../../configuration/vpn/l2tp.rst:159
+#: ../../configuration/service/ipoe-server.rst:153
+#: ../../configuration/service/pppoe-server.rst:118
 #: ../../configuration/vpn/pptp.rst:99
-#: ../../configuration/vpn/sstp.rst:132
 msgid "The ``source-address`` must be configured on one of VyOS interface. Best practice would be a loopback or dummy interface."
 msgstr "The ``source-address`` must be configured on one of VyOS interface. Best practice would be a loopback or dummy interface."
 
-#: ../../configuration/interfaces/bridge.rst:279
+#: ../../configuration/vpn/l2tp.rst:159
+#: ../../configuration/vpn/sstp.rst:132
+msgid "The ``source-address`` must be configured to that of an interface. Best practice would be a loopback or dummy interface."
+msgstr "The ``source-address`` must be configured to that of an interface. Best practice would be a loopback or dummy interface."
+
+#: ../../configuration/interfaces/bridge.rst:278
 msgid "The `show bridge` operational command can be used to display configured bridges:"
 msgstr "The `show bridge` operational command can be used to display configured bridges:"
 
@@ -14238,11 +16159,15 @@ msgstr "The `show bridge` operational command can be used to display configured
 msgid "The above directory and default-config must be a child directory of /config/auth, since files outside this directory are not persisted after an image upgrade."
 msgstr "The above directory and default-config must be a child directory of /config/auth, since files outside this directory are not persisted after an image upgrade."
 
-#: ../../configuration/firewall/ipv4.rst:86
-#: ../../configuration/firewall/ipv6.rst:86
+#: ../../configuration/firewall/ipv4.rst:110
+#: ../../configuration/firewall/ipv6.rst:110
 msgid "The action can be :"
 msgstr "The action can be :"
 
+#: ../../configuration/service/config-sync.rst:64
+msgid "The address of Router B is 10.0.20.112 and the port used is 8443"
+msgstr "The address of Router B is 10.0.20.112 and the port used is 8443"
+
 #: ../../configuration/pki/index.rst:302
 msgid "The address the server listens to during http-01 challenge"
 msgstr "The address the server listens to during http-01 challenge"
@@ -14263,10 +16188,30 @@ msgstr "The amount of Duplicate Address Detection probes to send."
 msgid "The attributes :cfgcmd:`prefix-list` and :cfgcmd:`distribute-list` are mutually exclusive, and only one command (distribute-list or prefix-list) can be applied to each inbound or outbound direction for a particular neighbor."
 msgstr "The attributes :cfgcmd:`prefix-list` and :cfgcmd:`distribute-list` are mutually exclusive, and only one command (distribute-list or prefix-list) can be applied to each inbound or outbound direction for a particular neighbor."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:80
+#: ../../configuration/system/option.rst:57
+msgid "The available modes are:"
+msgstr "The available modes are:"
+
+#: ../../configuration/loadbalancing/haproxy.rst:92
 msgid "The available options for <match> are:"
 msgstr "The available options for <match> are:"
 
+#: ../../configuration/firewall/ipv4.rst:72
+msgid "The base chain for traffic towards the router is ``set firewall ipv4 input filter ...``"
+msgstr "The base chain for traffic towards the router is ``set firewall ipv4 input filter ...``"
+
+#: ../../configuration/firewall/ipv6.rst:72
+msgid "The base chain for traffic towards the router is ``set firewall ipv6 input filter ...``"
+msgstr "The base chain for traffic towards the router is ``set firewall ipv6 input filter ...``"
+
+#: ../../configuration/firewall/ipv4.rst:60
+msgid "The base firewall chain to configure filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlighted in the color red."
+msgstr "The base firewall chain to configure filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlighted in the color red."
+
+#: ../../configuration/firewall/ipv6.rst:60
+msgid "The base firewall chain to configure filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlighted in the color red."
+msgstr "The base firewall chain to configure filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlighted in the color red."
+
 #: ../../configuration/vpn/dmvpn.rst:175
 msgid "The below referenced IP address `192.0.2.1` is used as example address representing a global unicast address under which the HUB can be contacted by each and every individual spoke."
 msgstr "The below referenced IP address `192.0.2.1` is used as example address representing a global unicast address under which the HUB can be contacted by each and every individual spoke."
@@ -14275,11 +16220,20 @@ msgstr "The below referenced IP address `192.0.2.1` is used as example address r
 msgid "The bonding interface provides a method for aggregating multiple network interfaces into a single logical \"bonded\" interface, or LAG, or ether-channel, or port-channel. The behavior of the bonded interfaces depends upon the mode; generally speaking, modes provide either hot standby or load balancing services. Additionally, link integrity monitoring may be performed."
 msgstr "The bonding interface provides a method for aggregating multiple network interfaces into a single logical \"bonded\" interface, or LAG, or ether-channel, or port-channel. The behavior of the bonded interfaces depends upon the mode; generally speaking, modes provide either hot standby or load balancing services. Additionally, link integrity monitoring may be performed."
 
-#: ../../configuration/trafficpolicy/index.rst:1247
+#: ../../configuration/trafficpolicy/index.rst:1297
 msgid "The case of ingress shaping"
 msgstr "The case of ingress shaping"
 
-#: ../../configuration/service/pppoe-server.rst:644
+#: ../../configuration/service/ntp.rst:126
+msgid "The chrony daemon on VyOS can leverage NIC hardware capabilities to record the exact time packets are received on the interface, as well as when packets were actually transmitted. This provides improved accuracy and stability when the system is under load, as queuing and OS context switching can introduce a variable delay between when the packet is received on the network and when it is actually processed by the NTP daemon."
+msgstr "The chrony daemon on VyOS can leverage NIC hardware capabilities to record the exact time packets are received on the interface, as well as when packets were actually transmitted. This provides improved accuracy and stability when the system is under load, as queuing and OS context switching can introduce a variable delay between when the packet is received on the network and when it is actually processed by the NTP daemon."
+
+#: ../../configuration/vpn/l2tp.rst:257
+#: ../../configuration/vpn/sstp.rst:230
+msgid "The client's interface can be put into a VRF context via a RADIUS Access-Accept packet, or changed via RADIUS CoA. ``Accel-VRF-Name`` is used for these purposes. This is a custom `ACCEL-PPP attribute`_. Define it in your RADIUS server."
+msgstr "The client's interface can be put into a VRF context via a RADIUS Access-Accept packet, or changed via RADIUS CoA. ``Accel-VRF-Name`` is used for these purposes. This is a custom `ACCEL-PPP attribute`_. Define it in your RADIUS server."
+
+#: ../../configuration/service/pppoe-server.rst:669
 msgid "The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address to terminate the PPPoE endpoint on the client side and a /56 subnet for the clients internal use."
 msgstr "The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address to terminate the PPPoE endpoint on the client side and a /56 subnet for the clients internal use."
 
@@ -14299,7 +16253,11 @@ msgstr "The command :opcmd:`show interfaces wireguard wg01 public-key` will then
 msgid "The command also generates a configuration snipped which can be copy/pasted into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet."
 msgstr "The command also generates a configuration snipped which can be copy/pasted into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet."
 
-#: ../../configuration/service/pppoe-server.rst:305
+#: ../../configuration/interfaces/wireguard.rst:412
+msgid "The command also generates a configuration snippet which can be copy/pasted into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet."
+msgstr "The command also generates a configuration snippet which can be copy/pasted into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet."
+
+#: ../../configuration/service/pppoe-server.rst:324
 msgid "The command below enables it, assuming the RADIUS connection has been setup and is working."
 msgstr "The command below enables it, assuming the RADIUS connection has been setup and is working."
 
@@ -14311,20 +16269,36 @@ msgstr "The command displays current RIP status. It includes RIP timer, filterin
 msgid "The command pon TESTUNNEL establishes the PPTP tunnel to the remote system."
 msgstr "The command pon TESTUNNEL establishes the PPTP tunnel to the remote system."
 
+#: ../../configuration/container/index.rst:145
+msgid "The command translates to \"--cpus=<num>\" when the container is created."
+msgstr "The command translates to \"--cpus=<num>\" when the container is created."
+
+#: ../../configuration/container/index.rst:60
+msgid "The command translates to \"--net host\" when the container is created."
+msgstr "The command translates to \"--net host\" when the container is created."
+
+#: ../../configuration/container/index.rst:53
+msgid "The command translates to \"--pid host\" when the container is created."
+msgstr "The command translates to \"--pid host\" when the container is created."
+
 #: ../../configuration/nat/nat44.rst:32
 msgid "The computers on an internal network can use any of the addresses set aside by the :abbr:`IANA (Internet Assigned Numbers Authority)` for private addressing (see :rfc:`1918`). These reserved IP addresses are not in use on the Internet, so an external machine will not directly route to them. The following addresses are reserved for private use:"
 msgstr "The computers on an internal network can use any of the addresses set aside by the :abbr:`IANA (Internet Assigned Numbers Authority)` for private addressing (see :rfc:`1918`). These reserved IP addresses are not in use on the Internet, so an external machine will not directly route to them. The following addresses are reserved for private use:"
 
 #: ../../configuration/service/dhcp-server.rst:266
-#: ../../configuration/service/dhcp-server.rst:661
-#: ../../configuration/service/dhcp-server.rst:705
+#: ../../configuration/service/dhcp-server.rst:691
+#: ../../configuration/service/dhcp-server.rst:735
 msgid "The configuration will look as follows:"
 msgstr "The configuration will look as follows:"
 
-#: ../../configuration/interfaces/openvpn.rst:253
+#: ../../configuration/interfaces/openvpn.rst:255
 msgid "The configurations above will default to using 256-bit AES in GCM mode for encryption (if both sides support NCP) and SHA-1 for HMAC authentication. SHA-1 is considered weak, but other hashing algorithms are available, as are encryption algorithms:"
 msgstr "The configurations above will default to using 256-bit AES in GCM mode for encryption (if both sides support NCP) and SHA-1 for HMAC authentication. SHA-1 is considered weak, but other hashing algorithms are available, as are encryption algorithms:"
 
+#: ../../configuration/interfaces/openvpn.rst:255
+msgid "The configurations above will default to using 256-bit AES in GCM mode for encryption (if both sides support data cipher negotiation) and SHA-1 for HMAC authentication. SHA-1 is considered weak, but other hashing algorithms are available, as are encryption algorithms:"
+msgstr "The configurations above will default to using 256-bit AES in GCM mode for encryption (if both sides support data cipher negotiation) and SHA-1 for HMAC authentication. SHA-1 is considered weak, but other hashing algorithms are available, as are encryption algorithms:"
+
 #: ../../configuration/service/conntrack-sync.rst:14
 msgid "The connection state however is completely independent of any upper-level state, such as TCP's or SCTP's state. Part of the reason for this is that when merely forwarding packets, i.e. no local delivery, the TCP engine may not necessarily be invoked at all. Even connectionless-mode transmissions such as UDP, IPsec (AH/ESP), GRE and other tunneling protocols have, at least, a pseudo connection state. The heuristic for such protocols is often based upon a preset timeout value for inactivity, after whose expiration a Netfilter connection is dropped."
 msgstr "The connection state however is completely independent of any upper-level state, such as TCP's or SCTP's state. Part of the reason for this is that when merely forwarding packets, i.e. no local delivery, the TCP engine may not necessarily be invoked at all. Even connectionless-mode transmissions such as UDP, IPsec (AH/ESP), GRE and other tunneling protocols have, at least, a pseudo connection state. The heuristic for such protocols is often based upon a preset timeout value for inactivity, after whose expiration a Netfilter connection is dropped."
@@ -14337,11 +16311,15 @@ msgstr "The connection tracking expect table contains one entry for each expecte
 msgid "The connection tracking table contains one entry for each connection being tracked by the system."
 msgstr "The connection tracking table contains one entry for each connection being tracked by the system."
 
+#: ../../configuration/container/index.rst:49
+msgid "The container and the host share the same process namespace. This means that processes running on the host are visible inside the container, and processes inside the container are visible on the host."
+msgstr "The container and the host share the same process namespace. This means that processes running on the host are visible inside the container, and processes inside the container are visible on the host."
+
 #: ../../configuration/service/pppoe-server.rst:225
 msgid "The current attribute 'Filter-Id' is being used as default and can be setup within RADIUS:"
 msgstr "The current attribute 'Filter-Id' is being used as default and can be setup within RADIUS:"
 
-#: ../../configuration/service/pppoe-server.rst:299
+#: ../../configuration/service/pppoe-server.rst:318
 msgid "The current attribute ``Filter-Id`` is being used as default and can be setup within RADIUS:"
 msgstr "The current attribute ``Filter-Id`` is being used as default and can be setup within RADIUS:"
 
@@ -14421,7 +16399,7 @@ msgstr "The default value is 86400 seconds which corresponds to one day."
 msgid "The default value is slow."
 msgstr "The default value is slow."
 
-#: ../../configuration/trafficpolicy/index.rst:859
+#: ../../configuration/trafficpolicy/index.rst:909
 msgid "The default values for the minimum-threshold depend on IP precedence:"
 msgstr "The default values for the minimum-threshold depend on IP precedence:"
 
@@ -14467,7 +16445,7 @@ msgstr "The embedded Squid proxy can use LDAP to authenticate users against a co
 msgid "The example above uses 192.0.2.2 as external IP address. A LAC normally requires an authentication password, which is set in the example configuration to ``lns shared-secret 'secret'``. This setup requires the Compression Control Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` accomplishes that."
 msgstr "The example above uses 192.0.2.2 as external IP address. A LAC normally requires an authentication password, which is set in the example configuration to ``lns shared-secret 'secret'``. This setup requires the Compression Control Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` accomplishes that."
 
-#: ../../configuration/service/pppoe-server.rst:627
+#: ../../configuration/service/pppoe-server.rst:652
 msgid "The example below covers a dual-stack configuration."
 msgstr "The example below covers a dual-stack configuration."
 
@@ -14475,15 +16453,19 @@ msgstr "The example below covers a dual-stack configuration."
 msgid "The example below covers a dual-stack configuration via pppoe-server."
 msgstr "The example below covers a dual-stack configuration via pppoe-server."
 
-#: ../../configuration/service/pppoe-server.rst:606
+#: ../../configuration/service/pppoe-server.rst:631
 msgid "The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and serves requests only on eth1."
 msgstr "The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and serves requests only on eth1."
 
 #: ../../configuration/service/ipoe-server.rst:34
+msgid "The example configuration below will assign an IP to the client on the incoming interface eth1 with the client mac address 00:50:79:66:68:00. Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration."
+msgstr "The example configuration below will assign an IP to the client on the incoming interface eth1 with the client mac address 00:50:79:66:68:00. Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration."
+
+#: ../../configuration/service/ipoe-server.rst:34
 msgid "The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06. Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration."
 msgstr "The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06. Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration."
 
-#: ../../configuration/interfaces/wireless.rst:303
+#: ../../configuration/interfaces/wireless.rst:411
 msgid "The example creates a wireless station (commonly referred to as Wi-Fi client) that accesses the network through the WAP defined in the above example. The default physical device (``phy0``) is used."
 msgstr "The example creates a wireless station (commonly referred to as Wi-Fi client) that accesses the network through the WAP defined in the above example. The default physical device (``phy0``) is used."
 
@@ -14499,7 +16481,7 @@ msgstr "The firewall supports the creation of groups for addresses, domains, int
 msgid "The firewall supports the creation of groups for ports, addresses, and networks (implemented using netfilter ipset) and the option of interface or zone based firewall policy."
 msgstr "The firewall supports the creation of groups for ports, addresses, and networks (implemented using netfilter ipset) and the option of interface or zone based firewall policy."
 
-#: ../../configuration/container/index.rst:50
+#: ../../configuration/container/index.rst:74
 msgid "The first IP in the container network is reserved by the engine and cannot be used"
 msgstr "The first IP in the container network is reserved by the engine and cannot be used"
 
@@ -14507,7 +16489,7 @@ msgstr "The first IP in the container network is reserved by the engine and cann
 msgid "The first address of the parameter ``client-subnet``, will be used as the default gateway. Connected sessions can be checked via the ``show ipoe-server sessions`` command."
 msgstr "The first address of the parameter ``client-subnet``, will be used as the default gateway. Connected sessions can be checked via the ``show ipoe-server sessions`` command."
 
-#: ../../configuration/vpn/ipsec.rst:178
+#: ../../configuration/vpn/ipsec.rst:198
 msgid "The first and arguably cleaner option is to make your IPsec policy match GRE packets between external addresses of your routers. This is the best option if both routers have static external addresses."
 msgstr "The first and arguably cleaner option is to make your IPsec policy match GRE packets between external addresses of your routers. This is the best option if both routers have static external addresses."
 
@@ -14523,10 +16505,14 @@ msgstr "The first ip address is the RP's address and the second value is the mat
 msgid "The first registration request is sent to the protocol broadcast address, and the server's real protocol address is dynamically detected from the first registration reply."
 msgstr "The first registration request is sent to the protocol broadcast address, and the server's real protocol address is dynamically detected from the first registration reply."
 
-#: ../../configuration/vpn/sstp.rst:484
+#: ../../configuration/vpn/sstp.rst:494
 msgid "The following PPP configuration tests MSCHAP-v2:"
 msgstr "The following PPP configuration tests MSCHAP-v2:"
 
+#: ../../configuration/service/ntp.rst:158
+msgid "The following `receive-filter` modes can be selected:"
+msgstr "The following `receive-filter` modes can be selected:"
+
 #: ../../configuration/system/login.rst:147
 msgid "The following command can be used to generate the OTP key as well as the CLI commands to configure them:"
 msgstr "The following command can be used to generate the OTP key as well as the CLI commands to configure them:"
@@ -14535,11 +16521,11 @@ msgstr "The following command can be used to generate the OTP key as well as the
 msgid "The following command uses the explicit-null label value for all the BGP instances."
 msgstr "The following command uses the explicit-null label value for all the BGP instances."
 
-#: ../../configuration/interfaces/openvpn.rst:708
+#: ../../configuration/interfaces/openvpn.rst:849
 msgid "The following commands let you check tunnel status."
 msgstr "The following commands let you check tunnel status."
 
-#: ../../configuration/interfaces/openvpn.rst:727
+#: ../../configuration/interfaces/openvpn.rst:880
 msgid "The following commands let you reset OpenVPN."
 msgstr "The following commands let you reset OpenVPN."
 
@@ -14547,11 +16533,11 @@ msgstr "The following commands let you reset OpenVPN."
 msgid "The following commands translate to \"--net host\" when the container is created"
 msgstr "The following commands translate to \"--net host\" when the container is created"
 
-#: ../../configuration/vrf/index.rst:120
+#: ../../configuration/vrf/index.rst:116
 msgid "The following commands would be required to set options for a given dynamic routing protocol inside a given vrf:"
 msgstr "The following commands would be required to set options for a given dynamic routing protocol inside a given vrf:"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:253
+#: ../../configuration/loadbalancing/haproxy.rst:305
 msgid "The following configuration demonstrates how to use VyOS to achieve load balancing based on the domain name."
 msgstr "The following configuration demonstrates how to use VyOS to achieve load balancing based on the domain name."
 
@@ -14559,7 +16545,7 @@ msgstr "The following configuration demonstrates how to use VyOS to achieve load
 msgid "The following configuration explicitly joins multicast group `ff15::1234` on interface `eth1` and source-specific multicast group `ff15::5678` with source address `2001:db8::1` on interface `eth1`:"
 msgstr "The following configuration explicitly joins multicast group `ff15::1234` on interface `eth1` and source-specific multicast group `ff15::5678` with source address `2001:db8::1` on interface `eth1`:"
 
-#: ../../configuration/interfaces/bonding.rst:293
+#: ../../configuration/interfaces/bonding.rst:346
 msgid "The following configuration on VyOS applies to all following 3rd party vendors. It creates a bond with two links and VLAN 10, 100 on the bonded interfaces with a per VIF IPv4 address."
 msgstr "The following configuration on VyOS applies to all following 3rd party vendors. It creates a bond with two links and VLAN 10, 100 on the bonded interfaces with a per VIF IPv4 address."
 
@@ -14567,11 +16553,11 @@ msgstr "The following configuration on VyOS applies to all following 3rd party v
 msgid "The following configuration reverse-proxy terminate SSL."
 msgstr "The following configuration reverse-proxy terminate SSL."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:287
+#: ../../configuration/loadbalancing/haproxy.rst:339
 msgid "The following configuration terminates SSL on the router."
 msgstr "The following configuration terminates SSL on the router."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:334
+#: ../../configuration/loadbalancing/haproxy.rst:388
 msgid "The following configuration terminates incoming HTTPS traffic on the router, then re-encrypts the traffic and sends to the backend server via HTTPS. This is useful if encryption is required for both legs, but you do not want to install publicly trusted certificates on each backend server."
 msgstr "The following configuration terminates incoming HTTPS traffic on the router, then re-encrypts the traffic and sends to the backend server via HTTPS. This is useful if encryption is required for both legs, but you do not want to install publicly trusted certificates on each backend server."
 
@@ -14587,7 +16573,7 @@ msgstr "The following configuration will setup a PPPoE session source from eth1
 msgid "The following example allows VyOS to use :abbr:`PBR (Policy-Based Routing)` for traffic, which originated from the router itself. That solution for multiple ISP's and VyOS router will respond from the same interface that the packet was received. Also, it used, if we want that one VPN tunnel to be through one provider, and the second through another."
 msgstr "The following example allows VyOS to use :abbr:`PBR (Policy-Based Routing)` for traffic, which originated from the router itself. That solution for multiple ISP's and VyOS router will respond from the same interface that the packet was received. Also, it used, if we want that one VPN tunnel to be through one provider, and the second through another."
 
-#: ../../configuration/interfaces/wireless.rst:543
+#: ../../configuration/interfaces/wireless.rst:667
 msgid "The following example creates a WAP. When configuring multiple WAP interfaces, you must specify unique IP addresses, channels, Network IDs commonly referred to as :abbr:`SSID (Service Set Identifier)`, and MAC addresses."
 msgstr "The following example creates a WAP. When configuring multiple WAP interfaces, you must specify unique IP addresses, channels, Network IDs commonly referred to as :abbr:`SSID (Service Set Identifier)`, and MAC addresses."
 
@@ -14595,7 +16581,7 @@ msgstr "The following example creates a WAP. When configuring multiple WAP inter
 msgid "The following example is based on a Sierra Wireless MC7710 miniPCIe card (only the form factor in reality it runs UBS) and Deutsche Telekom as ISP. The card is assembled into a :ref:`pc-engines-apu4`."
 msgstr "The following example is based on a Sierra Wireless MC7710 miniPCIe card (only the form factor in reality it runs UBS) and Deutsche Telekom as ISP. The card is assembled into a :ref:`pc-engines-apu4`."
 
-#: ../../configuration/vrf/index.rst:256
+#: ../../configuration/vrf/index.rst:252
 msgid "The following example topology was built using EVE-NG."
 msgstr "The following example topology was built using EVE-NG."
 
@@ -14607,6 +16593,10 @@ msgstr "The following example will show how VyOS can be used to redirect web tra
 msgid "The following examples show how to configure NAT64 on a VyOS router. The 192.0.2.10 address is used as the IPv4 address for the translation pool."
 msgstr "The following examples show how to configure NAT64 on a VyOS router. The 192.0.2.10 address is used as the IPv4 address for the translation pool."
 
+#: ../../configuration/interfaces/wireless.rst:726
+msgid "The following examples will show valid configurations for WiFi-6 (2.4GHz) and WiFi-6e (6GHz) Access-Points with the following characteristics:"
+msgstr "The following examples will show valid configurations for WiFi-6 (2.4GHz) and WiFi-6e (6GHz) Access-Points with the following characteristics:"
+
 #: ../../configuration/interfaces/wwan.rst:309
 msgid "The following hardware modules have been tested successfully in an :ref:`pc-engines-apu4` board:"
 msgstr "The following hardware modules have been tested successfully in an :ref:`pc-engines-apu4` board:"
@@ -14615,11 +16605,11 @@ msgstr "The following hardware modules have been tested successfully in an :ref:
 msgid "The following is the config for the iPhone peer above. It's important to note that the ``AllowedIPs`` wildcard setting directs all IPv4 and IPv6 traffic through the connection."
 msgstr "The following is the config for the iPhone peer above. It's important to note that the ``AllowedIPs`` wildcard setting directs all IPv4 and IPv6 traffic through the connection."
 
-#: ../../configuration/vrf/index.rst:54
+#: ../../configuration/vrf/index.rst:50
 msgid "The following protocols can be used: any, babel, bgp, connected, eigrp, isis, kernel, ospf, rip, static, table"
 msgstr "The following protocols can be used: any, babel, bgp, connected, eigrp, isis, kernel, ospf, rip, static, table"
 
-#: ../../configuration/vrf/index.rst:64
+#: ../../configuration/vrf/index.rst:60
 msgid "The following protocols can be used: any, babel, bgp, connected, isis, kernel, ospfv3, ripng, static, table"
 msgstr "The following protocols can be used: any, babel, bgp, connected, isis, kernel, ospfv3, ripng, static, table"
 
@@ -14627,7 +16617,7 @@ msgstr "The following protocols can be used: any, babel, bgp, connected, isis, k
 msgid "The following structure respresent the cli structure."
 msgstr "The following structure respresent the cli structure."
 
-#: ../../configuration/interfaces/bonding.rst:205
+#: ../../configuration/interfaces/bonding.rst:210
 msgid "The formula for unfragmented TCP and UDP packets is"
 msgstr "The formula for unfragmented TCP and UDP packets is"
 
@@ -14668,7 +16658,7 @@ msgstr "The hostname can be up to 63 characters. A hostname must start and end w
 msgid "The hostname or IP address of the master"
 msgstr "The hostname or IP address of the master"
 
-#: ../../configuration/service/dhcp-server.rst:693
+#: ../../configuration/service/dhcp-server.rst:723
 msgid "The identifier is the device's DUID: colon-separated hex list (as used by isc-dhcp option dhcpv6.client-id). If the device already has a dynamic lease from the DHCPv6 server, its DUID can be found with ``show service dhcpv6 server leases``. The DUID begins at the 5th octet (after the 4th colon) of IAID_DUID."
 msgstr "The identifier is the device's DUID: colon-separated hex list (as used by isc-dhcp option dhcpv6.client-id). If the device already has a dynamic lease from the DHCPv6 server, its DUID can be found with ``show service dhcpv6 server leases``. The DUID begins at the 5th octet (after the 4th colon) of IAID_DUID."
 
@@ -14680,6 +16670,10 @@ msgstr "The individual spoke configurations only differ in the local IP address
 msgid "The inner tag is the tag which is closest to the payload portion of the frame. It is officially called C-TAG (customer tag, with ethertype 0x8100). The outer tag is the one closer/closest to the Ethernet header, its name is S-TAG (service tag with Ethernet Type = 0x88a8)."
 msgstr "The inner tag is the tag which is closest to the payload portion of the frame. It is officially called C-TAG (customer tag, with ethertype 0x8100). The outer tag is the one closer/closest to the Ethernet header, its name is S-TAG (service tag with Ethernet Type = 0x88a8)."
 
+#: ../../configuration/service/suricata.rst:64
+msgid "The interface that will be monitored by the Suricata service."
+msgstr "The interface that will be monitored by the Suricata service."
+
 #: ../../configuration/nat/nat44.rst:523
 msgid "The interface traffic will be coming in on;"
 msgstr "The interface traffic will be coming in on;"
@@ -14708,7 +16702,7 @@ msgstr "The last step is to define an interface route for 192.168.2.0/24 to get
 msgid "The legacy and zone-based firewall configuration options is not longer supported. They are here for reference purposes only."
 msgstr "The legacy and zone-based firewall configuration options is not longer supported. They are here for reference purposes only."
 
-#: ../../configuration/trafficpolicy/index.rst:552
+#: ../../configuration/trafficpolicy/index.rst:602
 msgid "The limiter performs basic ingress policing of traffic flows. Multiple classes of traffic can be defined and traffic limits can be applied to each class. Although the policer uses a token bucket mechanism internally, it does not have the capability to delay a packet as a shaping mechanism does. Traffic exceeding the defined bandwidth limits is directly dropped. A maximum allowed burst can be configured too."
 msgstr "The limiter performs basic ingress policing of traffic flows. Multiple classes of traffic can be defined and traffic limits can be applied to each class. Although the policer uses a token bucket mechanism internally, it does not have the capability to delay a packet as a shaping mechanism does. Traffic exceeding the defined bandwidth limits is directly dropped. A maximum allowed burst can be configured too."
 
@@ -14724,7 +16718,7 @@ msgstr "The local IPv4 or IPv6 addresses to bind the DNS forwarder to. The forwa
 msgid "The local IPv4 or IPv6 addresses to use as a source address for sending queries. The forwarder will send forwarded outbound DNS requests from this address."
 msgstr "The local IPv4 or IPv6 addresses to use as a source address for sending queries. The forwarder will send forwarded outbound DNS requests from this address."
 
-#: ../../configuration/interfaces/openvpn.rst:62
+#: ../../configuration/interfaces/openvpn.rst:63
 msgid "The local site will have a subnet of 10.0.0.0/16."
 msgstr "The local site will have a subnet of 10.0.0.0/16."
 
@@ -14732,7 +16726,11 @@ msgstr "The local site will have a subnet of 10.0.0.0/16."
 msgid "The loopback networking interface is a virtual network device implemented entirely in software. All traffic sent to it \"loops back\" and just targets services on your local machine."
 msgstr "The loopback networking interface is a virtual network device implemented entirely in software. All traffic sent to it \"loops back\" and just targets services on your local machine."
 
-#: ../../configuration/firewall/index.rst:20
+#: ../../configuration/service/config-sync.rst:11
+msgid "The main benefit to configuration synchronization is that it eliminates having to manually replicate configuration changes made on the primary router to the secondary (replica) router."
+msgstr "The main benefit to configuration synchronization is that it eliminates having to manually replicate configuration changes made on the primary router to the secondary (replica) router."
+
+#: ../../configuration/firewall/index.rst:25
 msgid "The main points regarding this packet flow and terminology used in VyOS firewall are covered below:"
 msgstr "The main points regarding this packet flow and terminology used in VyOS firewall are covered below:"
 
@@ -14740,11 +16738,11 @@ msgstr "The main points regarding this packet flow and terminology used in VyOS
 msgid "The main structure VyOS firewall cli is shown next:"
 msgstr "The main structure VyOS firewall cli is shown next:"
 
-#: ../../configuration/firewall/index.rst:92
+#: ../../configuration/firewall/index.rst:125
 msgid "The main structure of the VyOS firewall CLI is shown next:"
 msgstr "The main structure of the VyOS firewall CLI is shown next:"
 
-#: ../../configuration/interfaces/bonding.rst:271
+#: ../../configuration/interfaces/bonding.rst:276
 msgid "The maximum number of targets that can be specified is 16. The default value is no IP address."
 msgstr "The maximum number of targets that can be specified is 16. The default value is no IP address."
 
@@ -14752,7 +16750,7 @@ msgstr "The maximum number of targets that can be specified is 16. The default v
 msgid "The meaning of the Class ID is not the same for every type of policy. Normally policies just need a meaningless number to identify a class (Class ID), but that does not apply to every policy. The number of a class in a Priority Queue it does not only identify it, it also defines its priority."
 msgstr "The meaning of the Class ID is not the same for every type of policy. Normally policies just need a meaningless number to identify a class (Class ID), but that does not apply to every policy. The number of a class in a Priority Queue it does not only identify it, it also defines its priority."
 
-#: ../../configuration/interfaces/bridge.rst:239
+#: ../../configuration/interfaces/bridge.rst:238
 msgid "The member interface `eth1` is a trunk that allows VLAN 10 to pass"
 msgstr "The member interface `eth1` is a trunk that allows VLAN 10 to pass"
 
@@ -14772,7 +16770,7 @@ msgstr "The most visible application of the protocol is for access to shell acco
 msgid "The multicast-group used by all leaves for this vlan extension. Has to be the same on all leaves that has this interface."
 msgstr "The multicast-group used by all leaves for this vlan extension. Has to be the same on all leaves that has this interface."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:222
+#: ../../configuration/loadbalancing/haproxy.rst:274
 msgid "The name of the service can be different, in this example it is only for convenience."
 msgstr "The name of the service can be different, in this example it is only for convenience."
 
@@ -14804,7 +16802,7 @@ msgstr "The number of milliseconds to wait for a remote authoritative server to
 msgid "The number parameter (1-10) configures the amount of accepted occurences of the system AS number in AS path."
 msgstr "The number parameter (1-10) configures the amount of accepted occurences of the system AS number in AS path."
 
-#: ../../configuration/interfaces/openvpn.rst:64
+#: ../../configuration/interfaces/openvpn.rst:65
 msgid "The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN."
 msgstr "The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN."
 
@@ -14832,7 +16830,7 @@ msgstr "The outgoing interface to perform the translation on"
 msgid "The peer name must be an alphanumeric and can have hypen or underscore as special characters. It is purely informational."
 msgstr "The peer name must be an alphanumeric and can have hypen or underscore as special characters. It is purely informational."
 
-#: ../../configuration/vpn/ipsec.rst:239
+#: ../../configuration/vpn/ipsec.rst:259
 msgid "The peer names RIGHT and LEFT are used as informational text."
 msgstr "The peer names RIGHT and LEFT are used as informational text."
 
@@ -14840,7 +16838,7 @@ msgstr "The peer names RIGHT and LEFT are used as informational text."
 msgid "The peer with lower priority will become the key server and start distributing SAKs."
 msgstr "The peer with lower priority will become the key server and start distributing SAKs."
 
-#: ../../configuration/vrf/index.rst:200
+#: ../../configuration/vrf/index.rst:196
 msgid "The ping command is used to test whether a network host is reachable or not."
 msgstr "The ping command is used to test whether a network host is reachable or not."
 
@@ -14848,7 +16846,7 @@ msgstr "The ping command is used to test whether a network host is reachable or
 msgid "The popular Unix/Linux ``dig`` tool sets the AD-bit in the query. This might lead to unexpected query results when testing. Set ``+noad`` on the ``dig`` command line when this is the case."
 msgstr "The popular Unix/Linux ``dig`` tool sets the AD-bit in the query. This might lead to unexpected query results when testing. Set ``+noad`` on the ``dig`` command line when this is the case."
 
-#: ../../configuration/interfaces/openvpn.rst:50
+#: ../../configuration/interfaces/openvpn.rst:51
 msgid "The pre-shared key mode is deprecated and will be removed from future OpenVPN versions, so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys is significantly less secure than using TLS."
 msgstr "The pre-shared key mode is deprecated and will be removed from future OpenVPN versions, so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys is significantly less secure than using TLS."
 
@@ -14868,7 +16866,7 @@ msgstr "The primary DHCP server uses address `192.168.189.252`"
 msgid "The primary and secondary statements determines whether the server is primary or secondary."
 msgstr "The primary and secondary statements determines whether the server is primary or secondary."
 
-#: ../../configuration/interfaces/bonding.rst:240
+#: ../../configuration/interfaces/bonding.rst:245
 msgid "The primary option is only valid for active-backup, transmit-load-balance, and adaptive-load-balance mode."
 msgstr "The primary option is only valid for active-backup, transmit-load-balance, and adaptive-load-balance mode."
 
@@ -14880,7 +16878,7 @@ msgstr "The priority must be an integer number from 1 to 255. Higher priority va
 msgid "The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` domain is similar to the NIS domain one:"
 msgstr "The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` domain is similar to the NIS domain one:"
 
-#: ../../configuration/vrf/index.rst:241
+#: ../../configuration/vrf/index.rst:237
 msgid "The prompt is adjusted to reflect this change in both config and op-mode."
 msgstr "The prompt is adjusted to reflect this change in both config and op-mode."
 
@@ -14900,11 +16898,11 @@ msgstr "The protocol overhead of L2TPv3 is also significantly bigger than MPLS."
 msgid "The proxy service in VyOS is based on Squid_ and some related modules."
 msgstr "The proxy service in VyOS is based on Squid_ and some related modules."
 
-#: ../../configuration/interfaces/openvpn.rst:59
+#: ../../configuration/interfaces/openvpn.rst:60
 msgid "The public IP address of the local side of the VPN will be 198.51.100.10."
 msgstr "The public IP address of the local side of the VPN will be 198.51.100.10."
 
-#: ../../configuration/interfaces/openvpn.rst:60
+#: ../../configuration/interfaces/openvpn.rst:61
 msgid "The public IP address of the remote side of the VPN will be 203.0.113.11."
 msgstr "The public IP address of the remote side of the VPN will be 203.0.113.11."
 
@@ -14921,7 +16919,7 @@ msgstr "The regular expression matches if and only if the entire string matches
 msgid "The remote peer `to-wg02` uses XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI= as its public key portion"
 msgstr "The remote peer `to-wg02` uses XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI= as its public key portion"
 
-#: ../../configuration/interfaces/openvpn.rst:63
+#: ../../configuration/interfaces/openvpn.rst:64
 msgid "The remote site will have a subnet of 10.1.0.0/16."
 msgstr "The remote site will have a subnet of 10.1.0.0/16."
 
@@ -14933,7 +16931,7 @@ msgstr "The remote user will use the openconnect client to connect to the router
 msgid "The requestor netmask for which the requestor IP Address should be used as the EDNS Client Subnet for outgoing queries."
 msgstr "The requestor netmask for which the requestor IP Address should be used as the EDNS Client Subnet for outgoing queries."
 
-#: ../../configuration/interfaces/openvpn.rst:458
+#: ../../configuration/interfaces/openvpn.rst:462
 msgid "The required config file may look like this:"
 msgstr "The required config file may look like this:"
 
@@ -14949,7 +16947,7 @@ msgstr "The resulting configuration will look like:"
 msgid "The root cause of the problem is that for VTI tunnels to work, their traffic selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even though actual routing decision is made according to netfilter marks. Unless route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a default route through the VTI peer address, which makes all traffic routed to nowhere."
 msgstr "The root cause of the problem is that for VTI tunnels to work, their traffic selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even though actual routing decision is made according to netfilter marks. Unless route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a default route through the VTI peer address, which makes all traffic routed to nowhere."
 
-#: ../../configuration/trafficpolicy/index.rst:963
+#: ../../configuration/trafficpolicy/index.rst:1013
 msgid "The round-robin policy is a classful scheduler that divides traffic in different classes_ you can configure (up to 4096). You can embed_ a new policy into each of those classes (default included)."
 msgstr "The round-robin policy is a classful scheduler that divides traffic in different classes_ you can configure (up to 4096). You can embed_ a new policy into each of those classes (default included)."
 
@@ -14977,7 +16975,7 @@ msgstr "The sFlow accounting based on hsflowd https://sflow.net/"
 msgid "The same configuration options apply when Identity based config is configured in group mode except that group mode can only be used with RADIUS authentication."
 msgstr "The same configuration options apply when Identity based config is configured in group mode except that group mode can only be used with RADIUS authentication."
 
-#: ../../configuration/vpn/ipsec.rst:231
+#: ../../configuration/vpn/ipsec.rst:251
 msgid "The scheme above doesn't work when one of the routers has a dynamic external address though. The classic workaround for this is to setup an address on a loopback interface and use it as a source address for the GRE tunnel, then setup an IPsec policy to match those loopback addresses."
 msgstr "The scheme above doesn't work when one of the routers has a dynamic external address though. The classic workaround for this is to setup an address on a loopback interface and use it as a source address for the GRE tunnel, then setup an IPsec policy to match those loopback addresses."
 
@@ -15013,6 +17011,18 @@ msgstr "The speed (baudrate) of the console device. Supported values are:"
 msgid "The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging) and much of the IEEE 802.1d standard."
 msgstr "The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging) and much of the IEEE 802.1d standard."
 
+#: ../../configuration/container/index.rst:175
+msgid "The subset of possible parameters are:"
+msgstr "The subset of possible parameters are:"
+
+#: ../../configuration/interfaces/ethernet.rst:60
+msgid "The supported values for a specific interface can be obtained with: `ethtool -g <interface>`"
+msgstr "The supported values for a specific interface can be obtained with: `ethtool -g <interface>`"
+
+#: ../../configuration/interfaces/bonding.rst:307
+msgid "The sys-mac and local discriminator are used for generating a 10-byte, Type-3 Ethernet Segment ID. ESINAME is a 10-byte, Type-0 Ethernet Segment ID - \"00:AA:BB:CC:DD:EE:FF:GG:HH:II\"."
+msgstr "The sys-mac and local discriminator are used for generating a 10-byte, Type-3 Ethernet Segment ID. ESINAME is a 10-byte, Type-0 Ethernet Segment ID - \"00:AA:BB:CC:DD:EE:FF:GG:HH:II\"."
+
 #: ../../configuration/system/lcd.rst:7
 msgid "The system LCD :abbr:`LCD (Liquid-crystal display)` option is for users running VyOS on hardware that features an LCD display. This is typically a small display built in an 19 inch rack-mountable appliance. Those displays are used to show runtime data."
 msgstr "The system LCD :abbr:`LCD (Liquid-crystal display)` option is for users running VyOS on hardware that features an LCD display. This is typically a small display built in an 19 inch rack-mountable appliance. Those displays are used to show runtime data."
@@ -15033,7 +17043,7 @@ msgstr "The task scheduler allows you to execute tasks on a given schedule. It m
 msgid "The translation address must be set to one of the available addresses on the configured `outbound-interface` or it must be set to `masquerade` which will use the primary IP address of the `outbound-interface` as its translation address."
 msgstr "The translation address must be set to one of the available addresses on the configured `outbound-interface` or it must be set to `masquerade` which will use the primary IP address of the `outbound-interface` as its translation address."
 
-#: ../../configuration/interfaces/openvpn.rst:61
+#: ../../configuration/interfaces/openvpn.rst:62
 msgid "The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote."
 msgstr "The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote."
 
@@ -15049,10 +17059,10 @@ msgstr "The ultimate goal of classifying traffic is to give each class a differe
 msgid "The use of IPoE addresses the disadvantage that PPP is unsuited for multicast delivery to multiple users. Typically, IPoE uses Dynamic Host Configuration Protocol and Extensible Authentication Protocol to provide the same functionality as PPPoE, but in a less robust manner."
 msgstr "The use of IPoE addresses the disadvantage that PPP is unsuited for multicast delivery to multiple users. Typically, IPoE uses Dynamic Host Configuration Protocol and Extensible Authentication Protocol to provide the same functionality as PPPoE, but in a less robust manner."
 
-#: ../../configuration/service/pppoe-server.rst:222
-#: ../../configuration/vpn/l2tp.rst:265
+#: ../../configuration/service/pppoe-server.rst:241
+#: ../../configuration/vpn/l2tp.rst:268
 #: ../../configuration/vpn/pptp.rst:205
-#: ../../configuration/vpn/sstp.rst:238
+#: ../../configuration/vpn/sstp.rst:241
 msgid "The value of the attribute ``NAS-Port-Id`` must be less than 16 characters, otherwise the interface won't be renamed."
 msgstr "The value of the attribute ``NAS-Port-Id`` must be less than 16 characters, otherwise the interface won't be renamed."
 
@@ -15072,10 +17082,18 @@ msgstr "The well known NAT64 prefix is ``64:ff9b::/96``"
 msgid "The window size must be between 1 and 21."
 msgstr "The window size must be between 1 and 21."
 
-#: ../../configuration/interfaces/wireless.rst:340
+#: ../../configuration/interfaces/wireless.rst:343
 msgid "The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an :abbr:`EAP (Extensible Authentication Protocol)`  method configured on the RADIUS server. The WAP (also referred to as authenticator) role is to send all authentication messages between the supplicant and the configured authentication server, thus the RADIUS server is responsible for authenticating the users."
 msgstr "The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an :abbr:`EAP (Extensible Authentication Protocol)`  method configured on the RADIUS server. The WAP (also referred to as authenticator) role is to send all authentication messages between the supplicant and the configured authentication server, thus the RADIUS server is responsible for authenticating the users."
 
+#: ../../configuration/interfaces/wireless.rst:451
+msgid "The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an :abbr:`EAP (Extensible Authentication Protocol)` method configured on the RADIUS server. The WAP (also referred to as authenticator) role is to send all authentication messages between the supplicant and the configured authentication server, thus the RADIUS server is responsible for authenticating the users."
+msgstr "The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an :abbr:`EAP (Extensible Authentication Protocol)` method configured on the RADIUS server. The WAP (also referred to as authenticator) role is to send all authentication messages between the supplicant and the configured authentication server, thus the RADIUS server is responsible for authenticating the users."
+
+#: ../../configuration/service/config-sync.rst:15
+msgid "The writing of the configuration to the secondary router is performed through the VyOS HTTP API. The user can specify which portion(s) of the configuration will be synchronized and the mode to use - whether to replace or add."
+msgstr "The writing of the configuration to the secondary router is performed through the VyOS HTTP API. The user can specify which portion(s) of the configuration will be synchronized and the mode to use - whether to replace or add."
+
 #: ../../configuration/service/ids.rst:125
 msgid "Then, FastNetMon configuration:"
 msgstr "Then, FastNetMon configuration:"
@@ -15088,11 +17106,15 @@ msgstr "Then a corresponding SNAT rule is created to NAT outgoing traffic for th
 msgid "Then we need to generate, add and specify the names of the cryptographic materials. Each of the install command should be applied to the configuration and commited before using under the openvpn interface configuration."
 msgstr "Then we need to generate, add and specify the names of the cryptographic materials. Each of the install command should be applied to the configuration and commited before using under the openvpn interface configuration."
 
-#: ../../configuration/interfaces/openvpn.rst:196
+#: ../../configuration/interfaces/openvpn.rst:363
+msgid "Then we need to generate, add and specify the names of the cryptographic materials. Each of the install commands should be applied to the configuration and commited before using under the openvpn interface configuration."
+msgstr "Then we need to generate, add and specify the names of the cryptographic materials. Each of the install commands should be applied to the configuration and commited before using under the openvpn interface configuration."
+
+#: ../../configuration/interfaces/openvpn.rst:198
 msgid "Then you need to install the key on the remote router:"
 msgstr "Then you need to install the key on the remote router:"
 
-#: ../../configuration/interfaces/openvpn.rst:202
+#: ../../configuration/interfaces/openvpn.rst:204
 msgid "Then you need to set the key in your OpenVPN interface settings:"
 msgstr "Then you need to set the key in your OpenVPN interface settings:"
 
@@ -15109,12 +17131,15 @@ msgstr "There are 3 default NTP server set. You are able to change them."
 msgid "There are a lot of matching criteria against which the package can be tested."
 msgstr "There are a lot of matching criteria against which the package can be tested."
 
-#: ../../configuration/firewall/bridge.rst:221
-#: ../../configuration/firewall/ipv4.rst:303
-#: ../../configuration/firewall/ipv6.rst:303
+#: ../../configuration/firewall/ipv4.rst:328
+#: ../../configuration/firewall/ipv6.rst:328
 msgid "There are a lot of matching criteria against which the packet can be tested."
 msgstr "There are a lot of matching criteria against which the packet can be tested."
 
+#: ../../configuration/firewall/bridge.rst:326
+msgid "There are a lot of matching criteria against which the packet can be tested. Please refer to :doc:`IPv4</configuration/firewall/ipv4>` and :doc:`IPv6</configuration/firewall/ipv6>` matching criteria for more details."
+msgstr "There are a lot of matching criteria against which the packet can be tested. Please refer to :doc:`IPv4</configuration/firewall/ipv4>` and :doc:`IPv6</configuration/firewall/ipv6>` matching criteria for more details."
+
 #: ../../configuration/policy/route.rst:40
 msgid "There are a lot of matching criteria options available, both for ``policy route`` and ``policy route6``. These options are listed in this section."
 msgstr "There are a lot of matching criteria options available, both for ``policy route`` and ``policy route6``. These options are listed in this section."
@@ -15123,7 +17148,7 @@ msgstr "There are a lot of matching criteria options available, both for ``polic
 msgid "There are different parameters for getting prefix-list information:"
 msgstr "There are different parameters for getting prefix-list information:"
 
-#: ../../configuration/interfaces/wireless.rst:157
+#: ../../configuration/interfaces/wireless.rst:188
 msgid "There are limits on which channels can be used with HT40- and HT40+. Following table shows the channels that may be available for HT40- and HT40+ use per IEEE 802.11n Annex J:"
 msgstr "There are limits on which channels can be used with HT40- and HT40+. Following table shows the channels that may be available for HT40- and HT40+ use per IEEE 802.11n Annex J:"
 
@@ -15131,7 +17156,7 @@ msgstr "There are limits on which channels can be used with HT40- and HT40+. Fol
 msgid "There are many parameters you will be able to use in order to match the traffic you want for a class:"
 msgstr "There are many parameters you will be able to use in order to match the traffic you want for a class:"
 
-#: ../../configuration/system/flow-accounting.rst:96
+#: ../../configuration/system/flow-accounting.rst:100
 msgid "There are multiple versions available for the NetFlow data. The `<version>` used in the exported flow data can be configured here. The following versions are supported:"
 msgstr "There are multiple versions available for the NetFlow data. The `<version>` used in the exported flow data can be configured here. The following versions are supported:"
 
@@ -15183,7 +17208,11 @@ msgstr "These are the commands for a basic setup."
 msgid "These commands allow the VLAN10 and VLAN11 hosts to communicate with each other using the main routing table."
 msgstr "These commands allow the VLAN10 and VLAN11 hosts to communicate with each other using the main routing table."
 
-#: ../../configuration/highavailability/index.rst:238
+#: ../../configuration/service/suricata.rst:29
+msgid "These commands create a flexible interface for configuring the Suricata service, allowing users to specify addresses, ports, and logging parameters."
+msgstr "These commands create a flexible interface for configuring the Suricata service, allowing users to specify addresses, ports, and logging parameters."
+
+#: ../../configuration/highavailability/index.rst:242
 msgid "These configuration is not mandatory and in most cases there's no need to configure it. But if necessary, Gratuitous ARP can be configured in ``global-parameters`` and/or in ``group`` section."
 msgstr "These configuration is not mandatory and in most cases there's no need to configure it. But if necessary, Gratuitous ARP can be configured in ``global-parameters`` and/or in ``group`` section."
 
@@ -15199,6 +17228,10 @@ msgstr "These parameters need to be part of the DHCP global options. They stay u
 msgid "They can be **decimal** prefixes."
 msgstr "They can be **decimal** prefixes."
 
+#: ../../configuration/firewall/flowtables.rst:103
+msgid "Things to be considered in this setup:"
+msgstr "Things to be considered in this setup:"
+
 #: ../../configuration/firewall/flowtables.rst:102
 msgid "Things to be considred in this setup:"
 msgstr "Things to be considred in this setup:"
@@ -15207,20 +17240,20 @@ msgstr "Things to be considred in this setup:"
 msgid "This address must be the address of a local interface. It may be specified as an IPv4 address or an IPv6 address."
 msgstr "This address must be the address of a local interface. It may be specified as an IPv4 address or an IPv6 address."
 
-#: ../../configuration/interfaces/bonding.rst:172
-#: ../../configuration/interfaces/bonding.rst:198
+#: ../../configuration/interfaces/bonding.rst:177
+#: ../../configuration/interfaces/bonding.rst:203
 msgid "This algorithm is 802.3ad compliant."
 msgstr "This algorithm is 802.3ad compliant."
 
-#: ../../configuration/interfaces/bonding.rst:224
+#: ../../configuration/interfaces/bonding.rst:229
 msgid "This algorithm is not fully 802.3ad compliant. A single TCP or UDP conversation containing both fragmented and unfragmented packets will see packets striped across two interfaces. This may result in out of order delivery. Most traffic types will not meet these criteria, as TCP rarely fragments traffic, and most UDP traffic is not involved in extended conversations. Other implementations of 802.3ad may or may not tolerate this noncompliance."
 msgstr "This algorithm is not fully 802.3ad compliant. A single TCP or UDP conversation containing both fragmented and unfragmented packets will see packets striped across two interfaces. This may result in out of order delivery. Most traffic types will not meet these criteria, as TCP rarely fragments traffic, and most UDP traffic is not involved in extended conversations. Other implementations of 802.3ad may or may not tolerate this noncompliance."
 
-#: ../../configuration/interfaces/bonding.rst:169
+#: ../../configuration/interfaces/bonding.rst:174
 msgid "This algorithm will place all traffic to a particular network peer on the same slave."
 msgstr "This algorithm will place all traffic to a particular network peer on the same slave."
 
-#: ../../configuration/interfaces/bonding.rst:190
+#: ../../configuration/interfaces/bonding.rst:195
 msgid "This algorithm will place all traffic to a particular network peer on the same slave. For non-IP traffic, the formula is the same as for the layer2 transmit hash policy."
 msgstr "This algorithm will place all traffic to a particular network peer on the same slave. For non-IP traffic, the formula is the same as for the layer2 transmit hash policy."
 
@@ -15244,6 +17277,10 @@ msgstr "This article touches on 'classic' IP tunneling protocols."
 msgid "This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as multiple spoke sites. The lab was build using :abbr:`EVE-NG (Emulated Virtual Environment NG)`."
 msgstr "This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as multiple spoke sites. The lab was build using :abbr:`EVE-NG (Emulated Virtual Environment NG)`."
 
+#: ../../configuration/vpn/dmvpn.rst:164
+msgid "This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as multiple spoke sites. The lab was built using :abbr:`EVE-NG (Emulated Virtual Environment NG)`."
+msgstr "This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as multiple spoke sites. The lab was built using :abbr:`EVE-NG (Emulated Virtual Environment NG)`."
+
 #: ../../configuration/policy/examples.rst:78
 msgid "This can be confirmed using the ``show ip route table 100`` operational command."
 msgstr "This can be confirmed using the ``show ip route table 100`` operational command."
@@ -15409,6 +17446,10 @@ msgstr "This command changes the eBGP behavior of FRR. By default FRR enables :r
 msgid "This command configures padding on hello packets to accommodate asymmetrical maximum transfer units (MTUs) from different hosts as described in :rfc:`3719`. This helps to prevent a premature adjacency Up state when one routing devices MTU does not meet the requirements to establish the adjacency."
 msgstr "This command configures padding on hello packets to accommodate asymmetrical maximum transfer units (MTUs) from different hosts as described in :rfc:`3719`. This helps to prevent a premature adjacency Up state when one routing devices MTU does not meet the requirements to establish the adjacency."
 
+#: ../../configuration/protocols/openfabric.rst:70
+msgid "This command configures the authentication password for a routing domain, as clear text or md5 one."
+msgstr "This command configures the authentication password for a routing domain, as clear text or md5 one."
+
 #: ../../configuration/protocols/isis.rst:196
 msgid "This command configures the authentication password for the interface."
 msgstr "This command configures the authentication password for the interface."
@@ -15433,7 +17474,7 @@ msgstr "This command creates a new route-map policy, identified by <text>."
 msgid "This command creates a new rule in the IPv6 access list and defines an action."
 msgstr "This command creates a new rule in the IPv6 access list and defines an action."
 
-#: ../../configuration/policy/prefix-list.rst:62
+#: ../../configuration/policy/prefix-list.rst:78
 msgid "This command creates a new rule in the IPv6 prefix-list and defines an action."
 msgstr "This command creates a new rule in the IPv6 prefix-list and defines an action."
 
@@ -15449,7 +17490,7 @@ msgstr "This command creates a new rule in the prefix-list and defines an action
 msgid "This command creates the new IPv6 access list, identified by <text>"
 msgstr "This command creates the new IPv6 access list, identified by <text>"
 
-#: ../../configuration/policy/prefix-list.rst:54
+#: ../../configuration/policy/prefix-list.rst:70
 msgid "This command creates the new IPv6 prefix-list policy, identified by <text>."
 msgstr "This command creates the new IPv6 prefix-list policy, identified by <text>."
 
@@ -15669,6 +17710,10 @@ msgstr "This command enables IP fast re-routing that is part of :rfc:`5286`. Spe
 msgid "This command enables IS-IS on this interface, and allows for adjacency to occur. Note that the name of IS-IS instance must be the same as the one used to configure the IS-IS process."
 msgstr "This command enables IS-IS on this interface, and allows for adjacency to occur. Note that the name of IS-IS instance must be the same as the one used to configure the IS-IS process."
 
+#: ../../configuration/protocols/openfabric.rst:61
+msgid "This command enables OpenFabric instance with <NAME> on this interface, and allows for adjacency to occur for address family (IPv4 or IPv6 or both)."
+msgstr "This command enables OpenFabric instance with <NAME> on this interface, and allows for adjacency to occur for address family (IPv4 or IPv6 or both)."
+
 #: ../../configuration/protocols/rip.rst:27
 msgid "This command enables RIP and sets the RIP enable interface by NETWORK. The interfaces which have addresses matching with NETWORK are enabled."
 msgstr "This command enables RIP and sets the RIP enable interface by NETWORK. The interfaces which have addresses matching with NETWORK are enabled."
@@ -15677,6 +17722,10 @@ msgstr "This command enables RIP and sets the RIP enable interface by NETWORK. T
 msgid "This command enables :abbr:`BFD (Bidirectional Forwarding Detection)` on this OSPF link interface."
 msgstr "This command enables :abbr:`BFD (Bidirectional Forwarding Detection)` on this OSPF link interface."
 
+#: ../../configuration/protocols/openfabric.rst:75
+msgid "This command enables :rfc:`6232` purge originator identification."
+msgstr "This command enables :rfc:`6232` purge originator identification."
+
 #: ../../configuration/protocols/isis.rst:106
 msgid "This command enables :rfc:`6232` purge originator identification. Enable purge originator identification (POI) by adding the type, length and value (TLV) with the Intermediate System (IS) identification to the LSPs that do not contain POI information. If an IS generates a purge, VyOS adds this TLV with the system ID of the IS to the purge."
 msgstr "This command enables :rfc:`6232` purge originator identification. Enable purge originator identification (POI) by adding the type, length and value (TLV) with the Intermediate System (IS) identification to the LSPs that do not contain POI information. If an IS generates a purge, VyOS adds this TLV with the system ID of the IS to the purge."
@@ -15697,10 +17746,22 @@ msgstr "This command enables sending timestamps with each Hello and IHU message
 msgid "This command enables support for dynamic hostname TLV. Dynamic hostname mapping determined as described in :rfc:`2763`, Dynamic Hostname Exchange Mechanism for IS-IS."
 msgstr "This command enables support for dynamic hostname TLV. Dynamic hostname mapping determined as described in :rfc:`2763`, Dynamic Hostname Exchange Mechanism for IS-IS."
 
+#: ../../configuration/firewall/bridge.rst:437
+msgid "This command enables the IPv4 firewall for bridged traffic. If this options is used, then packet will also be parsed by rules defined in ``set firewall ipv4 ...``"
+msgstr "This command enables the IPv4 firewall for bridged traffic. If this options is used, then packet will also be parsed by rules defined in ``set firewall ipv4 ...``"
+
+#: ../../configuration/firewall/bridge.rst:443
+msgid "This command enables the IPv6 firewall for bridged traffic. If this options is used, then packet will also be parsed by rules defined in ``set firewall ipv6 ...``"
+msgstr "This command enables the IPv6 firewall for bridged traffic. If this options is used, then packet will also be parsed by rules defined in ``set firewall ipv6 ...``"
+
 #: ../../configuration/protocols/bgp.rst:897
 msgid "This command enables the ORF capability (described in :rfc:`5291`) on the local router, and enables ORF capability advertisement to the specified BGP peer. The :cfgcmd:`receive` keyword configures a router to advertise ORF receive capabilities. The :cfgcmd:`send` keyword configures a router to advertise ORF send capabilities. To advertise a filter from a sender, you must create an IP prefix list for the specified BGP peer applied in inbound derection."
 msgstr "This command enables the ORF capability (described in :rfc:`5291`) on the local router, and enables ORF capability advertisement to the specified BGP peer. The :cfgcmd:`receive` keyword configures a router to advertise ORF receive capabilities. The :cfgcmd:`send` keyword configures a router to advertise ORF send capabilities. To advertise a filter from a sender, you must create an IP prefix list for the specified BGP peer applied in inbound derection."
 
+#: ../../configuration/protocols/openfabric.rst:116
+msgid "This command enables the passive mode for this interface."
+msgstr "This command enables the passive mode for this interface."
+
 #: ../../configuration/protocols/bgp.rst:467
 msgid "This command enforces Generalized TTL Security Mechanism (GTSM), as specified in :rfc:`5082`. With this command, only neighbors that are specified number of hops away will be allowed to become neighbors. The number of hops range is 1 to 254. This command is mutually exclusive with :cfgcmd:`ebgp-multihop`."
 msgstr "This command enforces Generalized TTL Security Mechanism (GTSM), as specified in :rfc:`5082`. With this command, only neighbors that are specified number of hops away will be allowed to become neighbors. The number of hops range is 1 to 254. This command is mutually exclusive with :cfgcmd:`ebgp-multihop`."
@@ -15717,7 +17778,7 @@ msgstr "This command forces the BGP speaker to report itself as the next hop for
 msgid "This command generate a default route into the RIP."
 msgstr "This command generate a default route into the RIP."
 
-#: ../../configuration/interfaces/wireless.rst:484
+#: ../../configuration/interfaces/wireless.rst:608
 msgid "This command gives a brief status overview of a specified wireless interface. The wireless interface identifier can range from wlan0 to wlan999."
 msgstr "This command gives a brief status overview of a specified wireless interface. The wireless interface identifier can range from wlan0 to wlan999."
 
@@ -15760,7 +17821,7 @@ msgstr "This command is specific to FRR and VyOS. The route command makes a stat
 msgid "This command is used for advertising IPv4 or IPv6 networks."
 msgstr "This command is used for advertising IPv4 or IPv6 networks."
 
-#: ../../configuration/interfaces/wireless.rst:511
+#: ../../configuration/interfaces/wireless.rst:635
 msgid "This command is used to retrieve information about WAP within the range of your wireless interface. This command is useful on wireless interfaces configured in station mode."
 msgstr "This command is used to retrieve information about WAP within the range of your wireless interface. This command is useful on wireless interfaces configured in station mode."
 
@@ -15852,14 +17913,26 @@ msgstr "This command set the channel number that diversity routing uses for this
 msgid "This command sets ATT bit to 1 in Level1 LSPs. It is described in :rfc:`3787`."
 msgstr "This command sets ATT bit to 1 in Level1 LSPs. It is described in :rfc:`3787`."
 
+#: ../../configuration/protocols/openfabric.rst:126
+msgid "This command sets Complete Sequence Number Packets (CSNP) interval in seconds. The interval range is 1 to 600."
+msgstr "This command sets Complete Sequence Number Packets (CSNP) interval in seconds. The interval range is 1 to 600."
+
 #: ../../configuration/protocols/isis.rst:275
 msgid "This command sets LSP maximum LSP lifetime in seconds. The interval range is 350 to 65535. LSPs remain in a database for 1200 seconds by default. If they are not refreshed by that time, they are deleted. You can change the LSP refresh interval or the LSP lifetime. The LSP refresh interval should be less than the LSP lifetime or else LSPs will time out before they are refreshed."
 msgstr "This command sets LSP maximum LSP lifetime in seconds. The interval range is 350 to 65535. LSPs remain in a database for 1200 seconds by default. If they are not refreshed by that time, they are deleted. You can change the LSP refresh interval or the LSP lifetime. The LSP refresh interval should be less than the LSP lifetime or else LSPs will time out before they are refreshed."
 
+#: ../../configuration/protocols/openfabric.rst:150
+msgid "This command sets LSP maximum LSP lifetime in seconds. The interval range is 360 to 65535. LSPs remain in a database for 1200 seconds by default. If they are not refreshed by that time, they are deleted. You can change the LSP refresh interval or the LSP lifetime. The LSP refresh interval should be less than the LSP lifetime or else LSPs will time out before they are refreshed."
+msgstr "This command sets LSP maximum LSP lifetime in seconds. The interval range is 360 to 65535. LSPs remain in a database for 1200 seconds by default. If they are not refreshed by that time, they are deleted. You can change the LSP refresh interval or the LSP lifetime. The LSP refresh interval should be less than the LSP lifetime or else LSPs will time out before they are refreshed."
+
 #: ../../configuration/protocols/isis.rst:266
 msgid "This command sets LSP refresh interval in seconds. IS-IS generates LSPs when the state of a link changes. However, to ensure that routing databases on all routers remain converged, LSPs in stable networks are generated on a regular basis even though there has been no change to the state of the links. The interval range is 1 to 65235. The default value is 900 seconds."
 msgstr "This command sets LSP refresh interval in seconds. IS-IS generates LSPs when the state of a link changes. However, to ensure that routing databases on all routers remain converged, LSPs in stable networks are generated on a regular basis even though there has been no change to the state of the links. The interval range is 1 to 65235. The default value is 900 seconds."
 
+#: ../../configuration/protocols/openfabric.rst:145
+msgid "This command sets LSP refresh interval in seconds. The interval range is 1 to 65235."
+msgstr "This command sets LSP refresh interval in seconds. The interval range is 1 to 65235."
+
 #: ../../configuration/protocols/ospf.rst:368
 msgid "This command sets OSPF authentication key to a simple password. After setting, all OSPF packets are authenticated. Key has length up to 8 chars."
 msgstr "This command sets OSPF authentication key to a simple password. After setting, all OSPF packets are authenticated. Key has length up to 8 chars."
@@ -15868,36 +17941,66 @@ msgstr "This command sets OSPF authentication key to a simple password. After se
 msgid "This command sets PSNP interval in seconds. The interval range is 0 to 127."
 msgstr "This command sets PSNP interval in seconds. The interval range is 0 to 127."
 
+#: ../../configuration/protocols/openfabric.rst:132
+msgid "This command sets Partial Sequence Number Packets (PSNP) interval in seconds. The interval range is 1 to 120."
+msgstr "This command sets Partial Sequence Number Packets (PSNP) interval in seconds. The interval range is 1 to 120."
+
 #: ../../configuration/protocols/ospf.rst:443
 #: ../../configuration/protocols/ospf.rst:1180
 msgid "This command sets Router Priority integer value. The router with the highest priority will be more eligible to become Designated Router. Setting the value to 0, makes the router ineligible to become Designated Router. The default value is 1. The interval range is 0 to 255."
 msgstr "This command sets Router Priority integer value. The router with the highest priority will be more eligible to become Designated Router. Setting the value to 0, makes the router ineligible to become Designated Router. The default value is 1. The interval range is 0 to 255."
 
+#: ../../configuration/protocols/openfabric.rst:88
+msgid "This command sets a static tier number to advertise as location in the fabric."
+msgstr "This command sets a static tier number to advertise as location in the fabric."
+
 #: ../../configuration/protocols/rip.rst:69
 msgid "This command sets default RIP distance to a specified value when the routes source IP address matches the specified prefix."
 msgstr "This command sets default RIP distance to a specified value when the routes source IP address matches the specified prefix."
 
+#: ../../configuration/protocols/openfabric.rst:111
+msgid "This command sets default metric for circuit. The metric range is 1 to 16777215."
+msgstr "This command sets default metric for circuit. The metric range is 1 to 16777215."
+
 #: ../../configuration/protocols/isis.rst:160
 msgid "This command sets hello interval in seconds on a given interface. The range is 1 to 600."
 msgstr "This command sets hello interval in seconds on a given interface. The range is 1 to 600."
 
+#: ../../configuration/protocols/openfabric.rst:98
+msgid "This command sets hello interval in seconds on a given interface. The range is 1 to 600. Hello packets are used to establish and maintain adjacency between OpenFabric neighbors."
+msgstr "This command sets hello interval in seconds on a given interface. The range is 1 to 600. Hello packets are used to establish and maintain adjacency between OpenFabric neighbors."
+
 #: ../../configuration/protocols/ospf.rst:391
 #: ../../configuration/protocols/ospf.rst:1143
 msgid "This command sets link cost for the specified interface. The cost value is set to router-LSA’s metric field and used for SPF calculation. The cost range is 1 to 65535."
 msgstr "This command sets link cost for the specified interface. The cost value is set to router-LSA’s metric field and used for SPF calculation. The cost range is 1 to 65535."
 
+#: ../../configuration/protocols/openfabric.rst:140
+msgid "This command sets minimum interval at which link-state packets (LSPs) are generated. The interval range is 1 to 120."
+msgstr "This command sets minimum interval at which link-state packets (LSPs) are generated. The interval range is 1 to 120."
+
 #: ../../configuration/protocols/isis.rst:284
 msgid "This command sets minimum interval between consecutive SPF calculations in seconds.The interval range is 1 to 120."
 msgstr "This command sets minimum interval between consecutive SPF calculations in seconds.The interval range is 1 to 120."
 
+#: ../../configuration/protocols/openfabric.rst:159
+msgid "This command sets minimum interval between consecutive shortest path first (SPF) calculations in seconds.The interval range is 1 to 120."
+msgstr "This command sets minimum interval between consecutive shortest path first (SPF) calculations in seconds.The interval range is 1 to 120."
+
 #: ../../configuration/protocols/isis.rst:261
 msgid "This command sets minimum interval in seconds between regenerating same LSP. The interval range is 1 to 120."
 msgstr "This command sets minimum interval in seconds between regenerating same LSP. The interval range is 1 to 120."
 
 #: ../../configuration/protocols/isis.rst:166
+#: ../../configuration/protocols/openfabric.rst:105
 msgid "This command sets multiplier for hello holding time on a given interface. The range is 2 to 100."
 msgstr "This command sets multiplier for hello holding time on a given interface. The range is 2 to 100."
 
+#: ../../configuration/protocols/isis.rst:42
+#: ../../configuration/protocols/openfabric.rst:32
+msgid "This command sets network entity title (NET) provided in ISO format."
+msgstr "This command sets network entity title (NET) provided in ISO format."
+
 #: ../../configuration/protocols/ospf.rst:458
 #: ../../configuration/protocols/ospf.rst:1202
 msgid "This command sets number of seconds for InfTransDelay value. It allows to set and adjust for each interface the delay interval before starting the synchronizing process of the router's database with all neighbors. The default value is 1 seconds. The interval range is 3 to 65535."
@@ -15916,6 +18019,10 @@ msgstr "This command sets old-style (ISO 10589) or new style packet formats:"
 msgid "This command sets other confederations <nsubasn> as members of autonomous system specified by :cfgcmd:`confederation identifier <asn>`."
 msgstr "This command sets other confederations <nsubasn> as members of autonomous system specified by :cfgcmd:`confederation identifier <asn>`."
 
+#: ../../configuration/protocols/openfabric.rst:79
+msgid "This command sets overload bit to avoid any transit traffic through this router."
+msgstr "This command sets overload bit to avoid any transit traffic through this router."
+
 #: ../../configuration/protocols/isis.rst:118
 msgid "This command sets overload bit to avoid any transit traffic through this router. It is described in :rfc:`3787`."
 msgstr "This command sets overload bit to avoid any transit traffic through this router. It is described in :rfc:`3787`."
@@ -15928,6 +18035,10 @@ msgstr "This command sets priority for the interface for :abbr:`DIS (Designated
 msgid "This command sets the administrative distance for a particular route. The distance range is 1 to 255."
 msgstr "This command sets the administrative distance for a particular route. The distance range is 1 to 255."
 
+#: ../../configuration/protocols/openfabric.rst:121
+msgid "This command sets the authentication password for the interface."
+msgstr "This command sets the authentication password for the interface."
+
 #: ../../configuration/protocols/ospf.rst:239
 msgid "This command sets the cost of default-summary LSAs announced to stubby areas. The cost range is 0 to 16777215."
 msgstr "This command sets the cost of default-summary LSAs announced to stubby areas. The cost range is 0 to 16777215."
@@ -15980,7 +18091,7 @@ msgstr "This command sets the specified interface to passive mode. On passive mo
 msgid "This command should NOT be set normally."
 msgstr "This command should NOT be set normally."
 
-#: ../../configuration/interfaces/wireless.rst:463
+#: ../../configuration/interfaces/wireless.rst:584
 msgid "This command shows both status and statistics on the specified wireless interface. The wireless interface identifier can range from wlan0 to wlan999."
 msgstr "This command shows both status and statistics on the specified wireless interface. The wireless interface identifier can range from wlan0 to wlan999."
 
@@ -16282,11 +18393,11 @@ msgstr "This command will generate a default-route in L1 database."
 msgid "This command will generate a default-route in L2 database."
 msgstr "This command will generate a default-route in L2 database."
 
-#: ../../configuration/firewall/ipv6.rst:1113
+#: ../../configuration/firewall/ipv6.rst:1223
 msgid "This command will give an overview of a rule in a single rule-set"
 msgstr "This command will give an overview of a rule in a single rule-set"
 
-#: ../../configuration/firewall/ipv4.rst:1114
+#: ../../configuration/firewall/ipv4.rst:1218
 msgid "This command will give an overview of a rule in a single rule-set, plus information for default action."
 msgstr "This command will give an overview of a rule in a single rule-set, plus information for default action."
 
@@ -16294,8 +18405,8 @@ msgstr "This command will give an overview of a rule in a single rule-set, plus
 msgid "This command will give an overview of a rule in a single rule-set."
 msgstr "This command will give an overview of a rule in a single rule-set."
 
-#: ../../configuration/firewall/ipv4.rst:1095
-#: ../../configuration/firewall/ipv6.rst:1088
+#: ../../configuration/firewall/ipv4.rst:1199
+#: ../../configuration/firewall/ipv6.rst:1198
 msgid "This command will give an overview of a single rule-set."
 msgstr "This command will give an overview of a single rule-set."
 
@@ -16315,11 +18426,11 @@ msgstr "This commands creates a bridge that is used to bind traffic on eth1 vlan
 msgid "This commands specifies the Finite State Machine (FSM) intended to control the timing of the execution of SPF calculations in response to IGP events. The process described in :rfc:`8405`."
 msgstr "This commands specifies the Finite State Machine (FSM) intended to control the timing of the execution of SPF calculations in response to IGP events. The process described in :rfc:`8405`."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:367
+#: ../../configuration/loadbalancing/haproxy.rst:421
 msgid "This configuration enables HTTP health checks on backend servers."
 msgstr "This configuration enables HTTP health checks on backend servers."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:232
+#: ../../configuration/loadbalancing/haproxy.rst:284
 msgid "This configuration enables the TCP reverse proxy for the \"my-tcp-api\" service. Incoming TCP connections on port 8888 will be load balanced across the backend servers (srv01 and srv02) using the round-robin load-balancing algorithm."
 msgstr "This configuration enables the TCP reverse proxy for the \"my-tcp-api\" service. Incoming TCP connections on port 8888 will be load balanced across the backend servers (srv01 and srv02) using the round-robin load-balancing algorithm."
 
@@ -16327,7 +18438,7 @@ msgstr "This configuration enables the TCP reverse proxy for the \"my-tcp-api\"
 msgid "This configuration generates & installs into the VyOS PKI system a root certificate authority, alongside two intermediary certificate authorities for client & server certificates. These CAs are then used to generate a server certificate for the router, and a client certificate for a user."
 msgstr "This configuration generates & installs into the VyOS PKI system a root certificate authority, alongside two intermediary certificate authorities for client & server certificates. These CAs are then used to generate a server certificate for the router, and a client certificate for a user."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:214
+#: ../../configuration/loadbalancing/haproxy.rst:266
 msgid "This configuration listen on port 80 and redirect incoming requests to HTTPS:"
 msgstr "This configuration listen on port 80 and redirect incoming requests to HTTPS:"
 
@@ -16352,7 +18463,7 @@ msgstr "This configuration parameter lets you specify a vendor-option for the en
 msgid "This configuration parameter lets you specify a vendor-option for the subnet specified within the shared network definition. An example for Ubiquiti is shown below:"
 msgstr "This configuration parameter lets you specify a vendor-option for the subnet specified within the shared network definition. An example for Ubiquiti is shown below:"
 
-#: ../../configuration/trafficpolicy/index.rst:628
+#: ../../configuration/trafficpolicy/index.rst:678
 msgid "This could be helpful if you want to test how an application behaves under certain network conditions."
 msgstr "This could be helpful if you want to test how an application behaves under certain network conditions."
 
@@ -16364,11 +18475,11 @@ msgstr "This creates a route policy called FILTER-WEB with one rule to set the r
 msgid "This defaults to 10000."
 msgstr "This defaults to 10000."
 
-#: ../../configuration/system/login.rst:258
+#: ../../configuration/system/login.rst:264
 msgid "This defaults to 1812."
 msgstr "This defaults to 1812."
 
-#: ../../configuration/interfaces/wireless.rst:81
+#: ../../configuration/interfaces/wireless.rst:93
 msgid "This defaults to 2007."
 msgstr "This defaults to 2007."
 
@@ -16380,7 +18491,7 @@ msgstr "This defaults to 300 seconds."
 msgid "This defaults to 30 seconds."
 msgstr "This defaults to 30 seconds."
 
-#: ../../configuration/system/login.rst:327
+#: ../../configuration/system/login.rst:333
 msgid "This defaults to 49."
 msgstr "This defaults to 49."
 
@@ -16400,11 +18511,11 @@ msgstr "This defaults to both 1.2 and 1.3."
 msgid "This defaults to https://acme-v02.api.letsencrypt.org/directory"
 msgstr "This defaults to https://acme-v02.api.letsencrypt.org/directory"
 
-#: ../../configuration/interfaces/wireless.rst:101
+#: ../../configuration/interfaces/wireless.rst:125
 msgid "This defaults to phy0."
 msgstr "This defaults to phy0."
 
-#: ../../configuration/interfaces/wireless.rst:65
+#: ../../configuration/interfaces/wireless.rst:77
 msgid "This depends on the driver capabilities and may not be available with all drivers."
 msgstr "This depends on the driver capabilities and may not be available with all drivers."
 
@@ -16420,7 +18531,7 @@ msgstr "This diagram corresponds with the example site to site configuration bel
 msgid "This enables :rfc:`3137` support, where the OSPF process describes its transit links in its router-LSA as having infinite distance so that other routers will avoid calculating transit paths through the router while still being able to reach networks through the router."
 msgstr "This enables :rfc:`3137` support, where the OSPF process describes its transit links in its router-LSA as having infinite distance so that other routers will avoid calculating transit paths through the router while still being able to reach networks through the router."
 
-#: ../../configuration/interfaces/wireless.rst:186
+#: ../../configuration/interfaces/wireless.rst:217
 msgid "This enables the greenfield option which sets the ``[GF]`` option"
 msgstr "This enables the greenfield option which sets the ``[GF]`` option"
 
@@ -16428,15 +18539,19 @@ msgstr "This enables the greenfield option which sets the ``[GF]`` option"
 msgid "This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic."
 msgstr "This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic."
 
+#: ../../configuration/policy/prefix-list.rst:52
+msgid "This example creates an IPv4 prefix-list named PL4-EXAMPLE-NAME, defines 3 rules each with 1 prefix, and matches le (less than/equal to) /32."
+msgstr "This example creates an IPv4 prefix-list named PL4-EXAMPLE-NAME, defines 3 rules each with 1 prefix, and matches le (less than/equal to) /32."
+
 #: ../../configuration/policy/examples.rst:189
 msgid "This example shows how to target an MSS clamp (in our example to 1360 bytes) to a specific destination IP."
 msgstr "This example shows how to target an MSS clamp (in our example to 1360 bytes) to a specific destination IP."
 
-#: ../../configuration/vpn/ipsec.rst:392
+#: ../../configuration/vpn/ipsec.rst:412
 msgid "This example uses CACert as certificate authority."
 msgstr "This example uses CACert as certificate authority."
 
-#: ../../configuration/vpn/ipsec.rst:386
+#: ../../configuration/vpn/ipsec.rst:406
 msgid "This feature closely works together with :ref:`pki` subsystem as you required a x509 certificate."
 msgstr "This feature closely works together with :ref:`pki` subsystem as you required a x509 certificate."
 
@@ -16452,8 +18567,8 @@ msgstr "This feature summarises originated external LSAs (Type-5 and Type-7). Su
 msgid "This functionality is controlled by adding the following configuration:"
 msgstr "This functionality is controlled by adding the following configuration:"
 
-#: ../../configuration/firewall/ipv4.rst:399
-#: ../../configuration/firewall/ipv6.rst:378
+#: ../../configuration/firewall/ipv4.rst:424
+#: ../../configuration/firewall/ipv6.rst:403
 msgid "This functions for both individual addresses and address groups."
 msgstr "This functions for both individual addresses and address groups."
 
@@ -16473,6 +18588,10 @@ msgstr "This gives us MPLS segment routing enabled and labels for far end loopba
 msgid "This gives us the following neighborships, Level 1 and Level 2:"
 msgstr "This gives us the following neighborships, Level 1 and Level 2:"
 
+#: ../../configuration/protocols/openfabric.rst:194
+msgid "This gives us the following neighborships:"
+msgstr "This gives us the following neighborships:"
+
 #: ../../configuration/vpn/dmvpn.rst:139
 msgid "This instructs opennhrp to reply with authorative answers on NHRP Resolution Requests destinied to addresses in this interface (instead of forwarding the packets). This effectively allows the creation of shortcut routes to subnets located on the interface."
 msgstr "This instructs opennhrp to reply with authorative answers on NHRP Resolution Requests destinied to addresses in this interface (instead of forwarding the packets). This effectively allows the creation of shortcut routes to subnets located on the interface."
@@ -16507,7 +18626,7 @@ msgstr "This is a mandatory option"
 msgid "This is a mandatory setting."
 msgstr "This is a mandatory setting."
 
-#: ../../configuration/trafficpolicy/index.rst:780
+#: ../../configuration/trafficpolicy/index.rst:830
 msgid "This is achieved by using the first three bits of the ToS (Type of Service) field to categorize data streams and, in accordance with the defined precedence parameters, a decision is made."
 msgstr "This is achieved by using the first three bits of the ToS (Type of Service) field to categorize data streams and, in accordance with the defined precedence parameters, a decision is made."
 
@@ -16585,6 +18704,10 @@ msgstr "This is the name of the physical interface used to connect to your LCD d
 msgid "This is the policy that requieres the lowest resources for the same amount of traffic. But **very likely you do not need it as you cannot get much from it. Sometimes it is used just to enable logging.**"
 msgstr "This is the policy that requieres the lowest resources for the same amount of traffic. But **very likely you do not need it as you cannot get much from it. Sometimes it is used just to enable logging.**"
 
+#: ../../configuration/trafficpolicy/index.rst:421
+msgid "This is the policy that requires the lowest resources for the same amount of traffic. But **very likely you do not need it as you cannot get much from it. Sometimes it is used just to enable logging.**"
+msgstr "This is the policy that requires the lowest resources for the same amount of traffic. But **very likely you do not need it as you cannot get much from it. Sometimes it is used just to enable logging.**"
+
 #: ../../configuration/service/dhcp-server.rst:251
 msgid "This is useful, for example, in combination with hostfile update."
 msgstr "This is useful, for example, in combination with hostfile update."
@@ -16614,10 +18737,18 @@ msgstr "This mode provides fault tolerance. The :cfgcmd:`primary` option, docume
 msgid "This mode provides load balancing and fault tolerance."
 msgstr "This mode provides load balancing and fault tolerance."
 
-#: ../../configuration/interfaces/wireless.rst:107
+#: ../../configuration/interfaces/wireless.rst:131
 msgid "This option adds Power Constraint element when applicable and Country element is added. Power Constraint element is required by Transmit Power Control."
 msgstr "This option adds Power Constraint element when applicable and Country element is added. Power Constraint element is required by Transmit Power Control."
 
+#: ../../configuration/interfaces/wireless.rst:132
+msgid "This option adds the Power Constraint information element when applicable and the Country information element is configured. The Power Constraint element is required by Transmit Power Control."
+msgstr "This option adds the Power Constraint information element when applicable and the Country information element is configured. The Power Constraint element is required by Transmit Power Control."
+
+#: ../../configuration/interfaces/bonding.rst:161
+msgid "This option allow to specifies the 802.3ad system MAC address.You can set a random mac-address that can be used for these LACPDU exchanges."
+msgstr "This option allow to specifies the 802.3ad system MAC address.You can set a random mac-address that can be used for these LACPDU exchanges."
+
 #: ../../configuration/service/dhcp-server.rst:135
 msgid "This option can be specified multiple times."
 msgstr "This option can be specified multiple times."
@@ -16626,7 +18757,8 @@ msgstr "This option can be specified multiple times."
 msgid "This option can be supplied multiple times."
 msgstr "This option can be supplied multiple times."
 
-#: ../../configuration/interfaces/wireless.rst:53
+#: ../../configuration/interfaces/wireless.rst:48
+#: ../../configuration/interfaces/wireless.rst:59
 msgid "This option is mandatory in Access-Point mode."
 msgstr "This option is mandatory in Access-Point mode."
 
@@ -16642,7 +18774,7 @@ msgstr "This option is used by some DHCP clients as a way for users to specify i
 msgid "This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard."
 msgstr "This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard."
 
-#: ../../configuration/system/login.rst:394
+#: ../../configuration/system/login.rst:400
 msgid "This option must be used with ``timeout`` option."
 msgstr "This option must be used with ``timeout`` option."
 
@@ -16651,10 +18783,18 @@ msgstr "This option must be used with ``timeout`` option."
 msgid "This option only affects 802.3ad mode."
 msgstr "This option only affects 802.3ad mode."
 
-#: ../../configuration/highavailability/index.rst:232
+#: ../../configuration/interfaces/wireless.rst:105
+msgid "This option requires :abbr:`MFP (Management Frame Protection)` to be enabled."
+msgstr "This option requires :abbr:`MFP (Management Frame Protection)` to be enabled."
+
+#: ../../configuration/highavailability/index.rst:236
 msgid "This option specifies a delay in seconds before vrrp instances start up after keepalived starts."
 msgstr "This option specifies a delay in seconds before vrrp instances start up after keepalived starts."
 
+#: ../../configuration/interfaces/openvpn.rst:281
+msgid "This option was called --ncp-ciphers in OpenVPN 2.4 but has been renamed to --data-ciphers in OpenVPN 2.5 to more accurately reflect its meaning. The first cipher in that list that is also in the client's --data-ciphers list is chosen. If no common cipher is found the client is rejected."
+msgstr "This option was called --ncp-ciphers in OpenVPN 2.4 but has been renamed to --data-ciphers in OpenVPN 2.5 to more accurately reflect its meaning. The first cipher in that list that is also in the client's --data-ciphers list is chosen. If no common cipher is found the client is rejected."
+
 #: ../../configuration/pki/index.rst:308
 msgid "This options defaults to 2048"
 msgstr "This options defaults to 2048"
@@ -16663,7 +18803,7 @@ msgstr "This options defaults to 2048"
 msgid "This parameter allows to \"shortcut\" routes (non-backbone) for inter-area routes. There are three modes available for routes shortcutting:"
 msgstr "This parameter allows to \"shortcut\" routes (non-backbone) for inter-area routes. There are three modes available for routes shortcutting:"
 
-#: ../../configuration/interfaces/bonding.rst:194
+#: ../../configuration/interfaces/bonding.rst:199
 msgid "This policy is intended to provide a more balanced distribution of traffic than layer2 alone, especially in environments where a layer3 gateway device is required to reach most destinations."
 msgstr "This policy is intended to provide a more balanced distribution of traffic than layer2 alone, especially in environments where a layer3 gateway device is required to reach most destinations."
 
@@ -16675,18 +18815,21 @@ msgstr "This prompted some ISPs to develop a policy within the :abbr:`ARIN (Amer
 msgid "This required setting defines the action of the current rule. If action is set to ``jump``, then ``jump-target`` is also needed."
 msgstr "This required setting defines the action of the current rule. If action is set to ``jump``, then ``jump-target`` is also needed."
 
-#: ../../configuration/firewall/bridge.rst:90
-#: ../../configuration/firewall/ipv4.rst:114
-#: ../../configuration/firewall/ipv6.rst:114
+#: ../../configuration/firewall/bridge.rst:118
 msgid "This required setting defines the action of the current rule. If action is set to jump, then jump-target is also needed."
 msgstr "This required setting defines the action of the current rule. If action is set to jump, then jump-target is also needed."
 
+#: ../../configuration/firewall/ipv4.rst:138
+#: ../../configuration/firewall/ipv6.rst:138
+msgid "This required setting defines the action of the current rule. If the action is set to jump, then a jump-target is also needed."
+msgstr "This required setting defines the action of the current rule. If the action is set to jump, then a jump-target is also needed."
+
 #: ../../configuration/interfaces/tunnel.rst:161
 msgid "This requires two files, one to create the device (XXX.netdev) and one to configure the network on the device (XXX.network)"
 msgstr "This requires two files, one to create the device (XXX.netdev) and one to configure the network on the device (XXX.network)"
 
-#: ../../configuration/interfaces/bridge.rst:217
-#: ../../configuration/interfaces/bridge.rst:253
+#: ../../configuration/interfaces/bridge.rst:216
+#: ../../configuration/interfaces/bridge.rst:252
 msgid "This results in the active configuration:"
 msgstr "This results in the active configuration:"
 
@@ -16716,23 +18859,40 @@ msgid "This set the default action of the rule-set if no rule matched a packet c
 msgstr "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available."
 
 #: ../../configuration/firewall/bridge.rst:132
-#: ../../configuration/firewall/ipv4.rst:179
-#: ../../configuration/firewall/ipv6.rst:179
+#: ../../configuration/firewall/ipv4.rst:203
+#: ../../configuration/firewall/ipv6.rst:203
 msgid "This set the default action of the rule-set if no rule matched a packet criteria. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available."
 msgstr "This set the default action of the rule-set if no rule matched a packet criteria. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available."
 
-#: ../../configuration/interfaces/openvpn.rst:278
+#: ../../configuration/interfaces/openvpn.rst:280
 msgid "This sets the accepted ciphers to use when version => 2.4.0 and NCP is enabled (which is the default). Default NCP cipher for versions >= 2.4.0 is aes256gcm. The first cipher in this list is what server pushes to clients."
 msgstr "This sets the accepted ciphers to use when version => 2.4.0 and NCP is enabled (which is the default). Default NCP cipher for versions >= 2.4.0 is aes256gcm. The first cipher in this list is what server pushes to clients."
 
-#: ../../configuration/interfaces/openvpn.rst:260
+#: ../../configuration/interfaces/openvpn.rst:262
 msgid "This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or OpenVPN version < 2.4.0."
 msgstr "This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or OpenVPN version < 2.4.0."
 
+#: ../../configuration/interfaces/openvpn.rst:262
+msgid "This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or OpenVPN version < 2.4.0. This option should not be used any longer in TLS mode and still exists for compatibility with old configurations."
+msgstr "This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or OpenVPN version < 2.4.0. This option should not be used any longer in TLS mode and still exists for compatibility with old configurations."
+
+#: ../../configuration/firewall/bridge.rst:186
+msgid "This sets the default action of the rule-set if a packet does not match any of the rules in that chain. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chains more actions are available."
+msgstr "This sets the default action of the rule-set if a packet does not match any of the rules in that chain. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chains more actions are available."
+
+#: ../../configuration/firewall/ipv4.rst:203
+#: ../../configuration/firewall/ipv6.rst:203
+msgid "This sets the default action of the rule-set if a packet does not match the criteria of any rule. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, the default action can only be set to ``accept`` or ``drop``, while on custom chains, more actions are available."
+msgstr "This sets the default action of the rule-set if a packet does not match the criteria of any rule. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, the default action can only be set to ``accept`` or ``drop``, while on custom chains, more actions are available."
+
 #: ../../configuration/service/dns.rst:120
 msgid "This setting, which defaults to 3600 seconds, puts a maximum on the amount of time negative entries are cached."
 msgstr "This setting, which defaults to 3600 seconds, puts a maximum on the amount of time negative entries are cached."
 
+#: ../../configuration/interfaces/wireless.rst:397
+msgid "This setting configures Spacial Stream and Modulation Coding Scheme settings for HE mode (HE-MCS). It is usually not needed to set this explicitly, but it might help with some WiFi adapters."
+msgstr "This setting configures Spacial Stream and Modulation Coding Scheme settings for HE mode (HE-MCS). It is usually not needed to set this explicitly, but it might help with some WiFi adapters."
+
 #: ../../configuration/service/dns.rst:128
 msgid "This setting defaults to 1500 and is valid between 10 and 60000."
 msgstr "This setting defaults to 1500 and is valid between 10 and 60000."
@@ -16741,14 +18901,31 @@ msgstr "This setting defaults to 1500 and is valid between 10 and 60000."
 msgid "This setting enable or disable the response of icmp broadcast messages. The following system parameter will be altered:"
 msgstr "This setting enable or disable the response of icmp broadcast messages. The following system parameter will be altered:"
 
+#: ../../configuration/firewall/global-options.rst:63
+msgid "This setting enables or disables the response to icmp broadcast messages. The following system parameter will be altered:"
+msgstr "This setting enables or disables the response to icmp broadcast messages. The following system parameter will be altered:"
+
 #: ../../configuration/firewall/global-options.rst:66
 msgid "This setting handle if VyOS accept packets with a source route option. The following system parameter will be altered:"
 msgstr "This setting handle if VyOS accept packets with a source route option. The following system parameter will be altered:"
 
-#: ../../configuration/highavailability/index.rst:310
+#: ../../configuration/firewall/global-options.rst:71
+msgid "This setting handles if VyOS accepts packets with a source route option. The following system parameters will be altered:"
+msgstr "This setting handles if VyOS accepts packets with a source route option. The following system parameters will be altered:"
+
+#: ../../configuration/highavailability/index.rst:314
 msgid "This setup will make the VRRP process execute the ``/config/scripts/vrrp-check.sh script`` every 60 seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three times:"
 msgstr "This setup will make the VRRP process execute the ``/config/scripts/vrrp-check.sh script`` every 60 seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three times:"
 
+#: ../../configuration/container/index.rst:138
+msgid "This specifies the number of CPU resources the container can use."
+msgstr "This specifies the number of CPU resources the container can use."
+
+#: ../../configuration/firewall/ipv4.rst:43
+#: ../../configuration/firewall/ipv6.rst:43
+msgid "This stage includes:"
+msgstr "This stage includes:"
+
 #: ../../_include/interface-dhcpv6-options.txt:28
 msgid "This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes."
 msgstr "This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes."
@@ -16765,7 +18942,7 @@ msgstr "This technique is commonly referred to as NAT Reflection or Hairpin NAT.
 msgid "This technology is known by different names:"
 msgstr "This technology is known by different names:"
 
-#: ../../configuration/trafficpolicy/index.rst:357
+#: ../../configuration/trafficpolicy/index.rst:407
 msgid "This the simplest queue possible you can apply to your traffic. Traffic must go through a finite queue before it is actually sent. You must define how many packets that queue can contain."
 msgstr "This the simplest queue possible you can apply to your traffic. Traffic must go through a finite queue before it is actually sent. You must define how many packets that queue can contain."
 
@@ -16777,7 +18954,8 @@ msgstr "This topology was built using GNS3."
 msgid "This will add the following option to the Kernel commandline:"
 msgstr "This will add the following option to the Kernel commandline:"
 
-#: ../../configuration/system/option.rst:48
+#: ../../configuration/system/option.rst:46
+#: ../../configuration/system/option.rst:66
 msgid "This will add the following two options to the Kernel commandline:"
 msgstr "This will add the following two options to the Kernel commandline:"
 
@@ -16797,18 +18975,30 @@ msgstr "This will match TCP traffic with source port 80."
 msgid "This will render the following ddclient_ configuration entry:"
 msgstr "This will render the following ddclient_ configuration entry:"
 
-#: ../../configuration/firewall/ipv6.rst:969
+#: ../../configuration/firewall/ipv6.rst:1030
 msgid "This will show you a basic firewall overview"
 msgstr "This will show you a basic firewall overview"
 
-#: ../../configuration/firewall/ipv4.rst:984
+#: ../../configuration/firewall/ipv4.rst:1088
+msgid "This will show you a basic firewall overview, for all rule-sets, and not only for ipv4"
+msgstr "This will show you a basic firewall overview, for all rule-sets, and not only for ipv4"
+
+#: ../../configuration/firewall/ipv6.rst:1078
+msgid "This will show you a basic firewall overview, for all rule-sets, and not only for ipv6"
+msgstr "This will show you a basic firewall overview, for all rule-sets, and not only for ipv6"
+
+#: ../../configuration/firewall/ipv4.rst:1041
 msgid "This will show you a basic firewall overview, for all ruleset, and not only for ipv4"
 msgstr "This will show you a basic firewall overview, for all ruleset, and not only for ipv4"
 
-#: ../../configuration/firewall/zone.rst:149
+#: ../../configuration/firewall/zone.rst:146
 msgid "This will show you a basic summary of a particular zone."
 msgstr "This will show you a basic summary of a particular zone."
 
+#: ../../configuration/firewall/zone.rst:129
+msgid "This will show you a basic summary of the zone configuration."
+msgstr "This will show you a basic summary of the zone configuration."
+
 #: ../../configuration/firewall/zone.rst:132
 msgid "This will show you a basic summary of zones configuration."
 msgstr "This will show you a basic summary of zones configuration."
@@ -16817,17 +19007,17 @@ msgstr "This will show you a basic summary of zones configuration."
 msgid "This will show you a rule-set statistic since the last boot."
 msgstr "This will show you a rule-set statistic since the last boot."
 
-#: ../../configuration/firewall/ipv4.rst:1135
-#: ../../configuration/firewall/ipv6.rst:1135
+#: ../../configuration/firewall/ipv4.rst:1239
+#: ../../configuration/firewall/ipv6.rst:1245
 msgid "This will show you a statistic of all rule-sets since the last boot."
 msgstr "This will show you a statistic of all rule-sets since the last boot."
 
-#: ../../configuration/firewall/ipv4.rst:1039
-#: ../../configuration/firewall/ipv6.rst:1032
+#: ../../configuration/firewall/ipv4.rst:1143
+#: ../../configuration/firewall/ipv6.rst:1142
 msgid "This will show you a summary of rule-sets and groups"
 msgstr "This will show you a summary of rule-sets and groups"
 
-#: ../../configuration/trafficpolicy/index.rst:1256
+#: ../../configuration/trafficpolicy/index.rst:1306
 msgid "This workaround lets you apply a shaping policy to the ingress traffic by first redirecting it to an in-between virtual interface (`Intermediate Functional Block`_). There, in that virtual interface, you will be able to apply any of the policies that work for outbound traffic, for instance, a shaping one."
 msgstr "This workaround lets you apply a shaping policy to the ingress traffic by first redirecting it to an in-between virtual interface (`Intermediate Functional Block`_). There, in that virtual interface, you will be able to apply any of the policies that work for outbound traffic, for instance, a shaping one."
 
@@ -16871,17 +19061,21 @@ msgstr "Time in seconds that the prefix will remain valid (default: 65528 second
 msgid "Time is in minutes and defaults to 60."
 msgstr "Time is in minutes and defaults to 60."
 
-#: ../../configuration/firewall/ipv4.rst:897
-#: ../../configuration/firewall/ipv6.rst:883
+#: ../../configuration/firewall/ipv4.rst:948
+#: ../../configuration/firewall/ipv6.rst:938
 #: ../../configuration/policy/route.rst:225
 msgid "Time to match the defined rule."
 msgstr "Time to match the defined rule."
 
-#: ../../configuration/service/ipoe-server.rst:368
-#: ../../configuration/service/pppoe-server.rst:534
-#: ../../configuration/vpn/l2tp.rst:488
+#: ../../configuration/firewall/groups.rst:216
+msgid "Timeout can be defined using seconds, minutes, hours or days:"
+msgstr "Timeout can be defined using seconds, minutes, hours or days:"
+
+#: ../../configuration/service/ipoe-server.rst:367
+#: ../../configuration/service/pppoe-server.rst:559
+#: ../../configuration/vpn/l2tp.rst:493
 #: ../../configuration/vpn/pptp.rst:412
-#: ../../configuration/vpn/sstp.rst:446
+#: ../../configuration/vpn/sstp.rst:451
 msgid "Timeout in seconds"
 msgstr "Timeout in seconds"
 
@@ -16889,16 +19083,16 @@ msgstr "Timeout in seconds"
 msgid "Timeout in seconds between health target checks."
 msgstr "Timeout in seconds between health target checks."
 
-#: ../../configuration/service/ipoe-server.rst:174
-#: ../../configuration/service/pppoe-server.rst:136
+#: ../../configuration/service/ipoe-server.rst:173
+#: ../../configuration/service/pppoe-server.rst:142
 #: ../../configuration/vpn/l2tp.rst:179
 #: ../../configuration/vpn/pptp.rst:119
 #: ../../configuration/vpn/sstp.rst:152
 msgid "Timeout to wait reply for Interim-Update packets. (default 3 seconds)"
 msgstr "Timeout to wait reply for Interim-Update packets. (default 3 seconds)"
 
-#: ../../configuration/service/ipoe-server.rst:194
-#: ../../configuration/service/pppoe-server.rst:156
+#: ../../configuration/service/ipoe-server.rst:193
+#: ../../configuration/service/pppoe-server.rst:167
 #: ../../configuration/vpn/l2tp.rst:199
 #: ../../configuration/vpn/pptp.rst:139
 #: ../../configuration/vpn/sstp.rst:172
@@ -16907,6 +19101,7 @@ msgstr "Timeout to wait response from server (seconds)"
 
 #: ../../configuration/protocols/bgp.rst:689
 #: ../../configuration/protocols/isis.rst:257
+#: ../../configuration/protocols/openfabric.rst:136
 msgid "Timers"
 msgstr "Timers"
 
@@ -16950,35 +19145,56 @@ msgstr "To automatically assign the client an IP address as tunnel endpoint, a c
 msgid "To be used only when ``action`` is set to ``jump``. Use this command to specify jump target."
 msgstr "To be used only when ``action`` is set to ``jump``. Use this command to specify jump target."
 
+#: ../../configuration/firewall/bridge.rst:194
+msgid "To be used only when ``default-action`` is set to ``jump``. Use this command to specify jump target for default rule."
+msgstr "To be used only when ``default-action`` is set to ``jump``. Use this command to specify jump target for default rule."
+
+#: ../../configuration/firewall/ipv4.rst:211
+#: ../../configuration/firewall/ipv6.rst:211
+msgid "To be used only when ``default-action`` is set to ``jump``. Use this command to specify the jump target for the default rule."
+msgstr "To be used only when ``default-action`` is set to ``jump``. Use this command to specify the jump target for the default rule."
+
 #: ../../configuration/firewall/bridge.rst:140
 #: ../../configuration/firewall/ipv4.rst:187
 #: ../../configuration/firewall/ipv6.rst:187
 msgid "To be used only when ``defult-action`` is set to ``jump``. Use this command to specify jump target for default rule."
 msgstr "To be used only when ``defult-action`` is set to ``jump``. Use this command to specify jump target for default rule."
 
-#: ../../configuration/firewall/ipv4.rst:126
-#: ../../configuration/firewall/ipv6.rst:126
+#: ../../configuration/firewall/ipv4.rst:150
+#: ../../configuration/firewall/ipv6.rst:150
 msgid "To be used only when action is set to ``jump``. Use this command to specify jump target."
 msgstr "To be used only when action is set to ``jump``. Use this command to specify jump target."
 
-#: ../../configuration/firewall/bridge.rst:120
-#: ../../configuration/firewall/ipv4.rst:163
-#: ../../configuration/firewall/ipv6.rst:163
+#: ../../configuration/firewall/ipv4.rst:150
+#: ../../configuration/firewall/ipv6.rst:150
+msgid "To be used only when action is set to ``jump``. Use this command to specify the jump target."
+msgstr "To be used only when action is set to ``jump``. Use this command to specify the jump target."
+
+#: ../../configuration/firewall/ipv4.rst:187
+#: ../../configuration/firewall/ipv6.rst:187
 msgid "To be used only when action is set to ``queue``. Use this command to distribute packets between several queues."
 msgstr "To be used only when action is set to ``queue``. Use this command to distribute packets between several queues."
 
 #: ../../configuration/firewall/bridge.rst:111
-#: ../../configuration/firewall/ipv4.rst:150
-#: ../../configuration/firewall/ipv6.rst:150
 msgid "To be used only when action is set to ``queue``. Use this command to let packet go through firewall when no userspace software is connected to the queue."
 msgstr "To be used only when action is set to ``queue``. Use this command to let packet go through firewall when no userspace software is connected to the queue."
 
+#: ../../configuration/firewall/ipv4.rst:174
+#: ../../configuration/firewall/ipv6.rst:174
+msgid "To be used only when action is set to ``queue``. Use this command to let the packet go through firewall when no userspace software is connected to the queue."
+msgstr "To be used only when action is set to ``queue``. Use this command to let the packet go through firewall when no userspace software is connected to the queue."
+
 #: ../../configuration/firewall/bridge.rst:103
-#: ../../configuration/firewall/ipv4.rst:138
-#: ../../configuration/firewall/ipv6.rst:138
+#: ../../configuration/firewall/ipv4.rst:162
+#: ../../configuration/firewall/ipv6.rst:162
 msgid "To be used only when action is set to ``queue``. Use this command to specify queue target to use. Queue range is also supported."
 msgstr "To be used only when action is set to ``queue``. Use this command to specify queue target to use. Queue range is also supported."
 
+#: ../../configuration/firewall/ipv4.rst:162
+#: ../../configuration/firewall/ipv6.rst:162
+msgid "To be used only when action is set to ``queue``. Use this command to specify the queue target to use. Queue range is also supported."
+msgstr "To be used only when action is set to ``queue``. Use this command to specify the queue target to use. Queue range is also supported."
+
 #: ../../configuration/firewall/ipv4.rst:126
 #: ../../configuration/firewall/ipv6.rst:126
 msgid "To be used only when action is set to jump. Use this command to specify jump target."
@@ -17000,7 +19216,7 @@ msgstr "To configure IPv6 assignments for clients, two options need to be config
 msgid "To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`"
 msgstr "To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`"
 
-#: ../../configuration/firewall/index.rst:173
+#: ../../configuration/firewall/index.rst:220
 msgid "To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`"
 msgstr "To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`"
 
@@ -17028,7 +19244,7 @@ msgstr "To configure your LCD display you must first identify the used hardware,
 msgid "To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time."
 msgstr "To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time."
 
-#: ../../configuration/system/login.rst:381
+#: ../../configuration/system/login.rst:387
 msgid "To create a new line in your login message you need to escape the new line character by using ``\\\\n``."
 msgstr "To create a new line in your login message you need to escape the new line character by using ``\\\\n``."
 
@@ -17040,7 +19256,7 @@ msgstr "To create more than one tunnel, use distinct UDP ports."
 msgid "To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:"
 msgstr "To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:"
 
-#: ../../configuration/firewall/zone.rst:80
+#: ../../configuration/firewall/zone.rst:77
 msgid "To define a zone setup either one with interfaces or a local zone."
 msgstr "To define a zone setup either one with interfaces or a local zone."
 
@@ -17065,19 +19281,22 @@ msgstr "To enable/disable helper support for a specific neighbour, the router-id
 msgid "To enable MLD reports and query on interfaces `eth0` and `eth1`:"
 msgstr "To enable MLD reports and query on interfaces `eth0` and `eth1`:"
 
-#: ../../configuration/service/ipoe-server.rst:116
+#: ../../configuration/service/ipoe-server.rst:115
 #: ../../configuration/service/pppoe-server.rst:78
 #: ../../configuration/vpn/l2tp.rst:121
 #: ../../configuration/vpn/pptp.rst:61
-#: ../../configuration/vpn/sstp.rst:94
 msgid "To enable RADIUS based authentication, the authentication mode needs to be changed within the configuration. Previous settings like the local users, still exists within the configuration, however they are not used if the mode has been changed from local to radius. Once changed back to local, it will use all local accounts again."
 msgstr "To enable RADIUS based authentication, the authentication mode needs to be changed within the configuration. Previous settings like the local users, still exists within the configuration, however they are not used if the mode has been changed from local to radius. Once changed back to local, it will use all local accounts again."
 
+#: ../../configuration/vpn/sstp.rst:94
+msgid "To enable RADIUS based authentication, the authentication mode needs to be changed within the configuration. Previous settings like the local users still exist within the configuration, however they are not used if the mode has been changed from local to radius. Once changed back to local, it will use all local accounts again."
+msgstr "To enable RADIUS based authentication, the authentication mode needs to be changed within the configuration. Previous settings like the local users still exist within the configuration, however they are not used if the mode has been changed from local to radius. Once changed back to local, it will use all local accounts again."
+
 #: ../../configuration/vpn/l2tp.rst:182
 msgid "To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled."
 msgstr "To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled."
 
-#: ../../configuration/service/https.rst:72
+#: ../../configuration/service/https.rst:79
 msgid "To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log`"
 msgstr "To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log`"
 
@@ -17097,7 +19316,7 @@ msgstr "To enable the HTTP security headers in the configuration file, use the c
 msgid "To exclude traffic from load balancing, traffic matching an exclude rule is not balanced but routed through the system routing table instead:"
 msgstr "To exclude traffic from load balancing, traffic matching an exclude rule is not balanced but routed through the system routing table instead:"
 
-#: ../../configuration/vpn/l2tp.rst:282
+#: ../../configuration/vpn/l2tp.rst:285
 msgid "To explain the usage of LNS follow our blueprint :ref:`examples-lac-lns`."
 msgstr "To explain the usage of LNS follow our blueprint :ref:`examples-lac-lns`."
 
@@ -17113,7 +19332,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`,
 msgid "To generate the CA, the server private key and certificates the following commands can be used."
 msgstr "To generate the CA, the server private key and certificates the following commands can be used."
 
-#: ../../configuration/interfaces/wireless.rst:594
+#: ../../configuration/interfaces/wireless.rst:718
 msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
 msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
 
@@ -17121,11 +19340,11 @@ msgstr "To get it to work as an access point with this configuration you will ne
 msgid "To hand out individual prefixes to your clients the following configuration is used:"
 msgstr "To hand out individual prefixes to your clients the following configuration is used:"
 
-#: ../../configuration/vpn/ipsec.rst:405
+#: ../../configuration/vpn/ipsec.rst:425
 msgid "To import it from the filesystem use:"
 msgstr "To import it from the filesystem use:"
 
-#: ../../configuration/highavailability/index.rst:346
+#: ../../configuration/highavailability/index.rst:350
 msgid "To know more about scripting, check the :ref:`command-scripting` section."
 msgstr "To know more about scripting, check the :ref:`command-scripting` section."
 
@@ -17142,11 +19361,15 @@ msgstr "To manipulate or display ARP_ table entries, the following commands are
 msgid "To perform a graceful shutdown, the FRR ``graceful-restart prepare ip ospf`` EXEC-level command needs to be issued before restarting the ospfd daemon."
 msgstr "To perform a graceful shutdown, the FRR ``graceful-restart prepare ip ospf`` EXEC-level command needs to be issued before restarting the ospfd daemon."
 
+#: ../../configuration/service/config-sync.rst:19
+msgid "To prevent issues with divergent configurations between the pair of routers, synchronization is strictly unidirectional from primary to replica. Both routers should be online and run the same version of VyOS."
+msgstr "To prevent issues with divergent configurations between the pair of routers, synchronization is strictly unidirectional from primary to replica. Both routers should be online and run the same version of VyOS."
+
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
 msgid "To request a /56 prefix from your ISP use:"
 msgstr "To request a /56 prefix from your ISP use:"
 
-#: ../../configuration/service/dhcp-server.rst:741
+#: ../../configuration/service/dhcp-server.rst:771
 msgid "To restart the DHCPv6 server"
 msgstr "To restart the DHCPv6 server"
 
@@ -17158,7 +19381,7 @@ msgstr "To setup SNAT, we need to know:"
 msgid "To setup a destination NAT rule we need to gather:"
 msgstr "To setup a destination NAT rule we need to gather:"
 
-#: ../../configuration/interfaces/wwan.rst:329
+#: ../../configuration/interfaces/wwan.rst:330
 msgid "To update the firmware, VyOS also ships the `qmi-firmware-update` binary. To upgrade the firmware of an e.g. Sierra Wireless MC7710 module to the firmware provided in the file ``9999999_9999999_9200_03.05.14.00_00_generic_000.000_001_SPKG_MC.cwe`` use the following command:"
 msgstr "To update the firmware, VyOS also ships the `qmi-firmware-update` binary. To upgrade the firmware of an e.g. Sierra Wireless MC7710 module to the firmware provided in the file ``9999999_9999999_9200_03.05.14.00_00_generic_000.000_001_SPKG_MC.cwe`` use the following command:"
 
@@ -17178,6 +19401,10 @@ msgstr "To use such a service, one must define a login, password, one or multipl
 msgid "To use the Salt-Minion, a running Salt-Master is required. You can find more in the `Salt Poject Documentaion <https://docs.saltproject.io/en/latest/contents.html>`_"
 msgstr "To use the Salt-Minion, a running Salt-Master is required. You can find more in the `Salt Poject Documentaion <https://docs.saltproject.io/en/latest/contents.html>`_"
 
+#: ../../configuration/service/salt-minion.rst:19
+msgid "To use the Salt-Minion, a running Salt-Master is required. You can find more in the `Salt Project Documentation <https://docs.saltproject.io/en/latest/contents.html>`_"
+msgstr "To use the Salt-Minion, a running Salt-Master is required. You can find more in the `Salt Project Documentation <https://docs.saltproject.io/en/latest/contents.html>`_"
+
 #: ../../configuration/service/https.rst:77
 msgid "To use this full configuration we asume a public accessible hostname."
 msgstr "To use this full configuration we asume a public accessible hostname."
@@ -17190,7 +19417,11 @@ msgstr "Topology:"
 msgid "Topology: PC4 - Leaf2 - Spine1 - Leaf3 - PC5"
 msgstr "Topology: PC4 - Leaf2 - Spine1 - Leaf3 - PC5"
 
-#: ../../configuration/service/ipoe-server.rst:433
+#: ../../configuration/nat/cgnat.rst:58
+msgid "Total Ports: 65536 (0 to 65535)"
+msgstr "Total Ports: 65536 (0 to 65535)"
+
+#: ../../configuration/service/ipoe-server.rst:432
 msgid "Toubleshooting"
 msgstr "Toubleshooting"
 
@@ -17214,6 +19445,10 @@ msgstr "Traditionally firewalls weere configured with the concept of data going
 msgid "Traditionally hardware routers implement IPsec exclusively due to relative ease of implementing it in hardware and insufficient CPU power for doing encryption in software. Since VyOS is a software router, this is less of a concern. OpenVPN has been widely used on UNIX platform for a long time and is a popular option for remote access VPN, though it's also capable of site-to-site connections."
 msgstr "Traditionally hardware routers implement IPsec exclusively due to relative ease of implementing it in hardware and insufficient CPU power for doing encryption in software. Since VyOS is a software router, this is less of a concern. OpenVPN has been widely used on UNIX platform for a long time and is a popular option for remote access VPN, though it's also capable of site-to-site connections."
 
+#: ../../configuration/interfaces/openvpn.rst:9
+msgid "Traditionally hardware routers implement IPsec exclusively due to relative ease of implementing it in hardware and insufficient CPU power for doing encryption in software. Since VyOS is a software router, this is less of a concern. OpenVPN has been widely used on the UNIX platform for a long time and is a popular option for remote access VPN, though it's also capable of site-to-site connections."
+msgstr "Traditionally hardware routers implement IPsec exclusively due to relative ease of implementing it in hardware and insufficient CPU power for doing encryption in software. Since VyOS is a software router, this is less of a concern. OpenVPN has been widely used on the UNIX platform for a long time and is a popular option for remote access VPN, though it's also capable of site-to-site connections."
+
 #: ../../configuration/nat/nat44.rst:143
 msgid "Traffic Filters"
 msgstr "Traffic Filters"
@@ -17222,10 +19457,18 @@ msgstr "Traffic Filters"
 msgid "Traffic Filters are used to control which packets will have the defined NAT rules applied. Five different filters can be applied within a NAT rule."
 msgstr "Traffic Filters are used to control which packets will have the defined NAT rules applied. Five different filters can be applied within a NAT rule."
 
+#: ../../configuration/trafficpolicy/index.rst:216
+msgid "Traffic Match Group"
+msgstr "Traffic Match Group"
+
 #: ../../configuration/trafficpolicy/index.rst:5
 msgid "Traffic Policy"
 msgstr "Traffic Policy"
 
+#: ../../configuration/firewall/zone.rst:53
+msgid "Traffic cannot flow between a zone member interface and any interface that is not a zone member."
+msgstr "Traffic cannot flow between a zone member interface and any interface that is not a zone member."
+
 #: ../../configuration/firewall/zone.rst:56
 msgid "Traffic cannot flow between zone member interface and any interface that is not a zone member."
 msgstr "Traffic cannot flow between zone member interface and any interface that is not a zone member."
@@ -17242,8 +19485,8 @@ msgstr "Traffic from multicast sources will go to the Rendezvous Point, and rece
 msgid "Traffic from multicast sources will go to the Rendezvous Point, and receivers will pull it from a shared tree using :abbr:`IGMP (Internet Group Management Protocol)`."
 msgstr "Traffic from multicast sources will go to the Rendezvous Point, and receivers will pull it from a shared tree using :abbr:`IGMP (Internet Group Management Protocol)`."
 
-#: ../../configuration/firewall/ipv4.rst:951
-#: ../../configuration/firewall/ipv6.rst:937
+#: ../../configuration/firewall/ipv4.rst:1056
+#: ../../configuration/firewall/ipv6.rst:1046
 msgid "Traffic must be symmetric"
 msgstr "Traffic must be symmetric"
 
@@ -17251,11 +19494,15 @@ msgstr "Traffic must be symmetric"
 msgid "Traffic which is received by the router on an interface which is member of a bridge is processed on the **Bridge Layer**. A simplified packet flow diagram for this layer is shown next:"
 msgstr "Traffic which is received by the router on an interface which is member of a bridge is processed on the **Bridge Layer**. A simplified packet flow diagram for this layer is shown next:"
 
-#: ../../configuration/highavailability/index.rst:332
+#: ../../configuration/firewall/bridge.rst:38
+msgid "Traffic which is received by the router on an interface which is member of a bridge is processed on the **Bridge Layer**. Before the bridge decision is made, all packets are analyzed at **Prerouting**. First filters can be applied here, and also rules for ignoring connection tracking system can be configured. The relevant configuration that acts in **prerouting** is:"
+msgstr "Traffic which is received by the router on an interface which is member of a bridge is processed on the **Bridge Layer**. Before the bridge decision is made, all packets are analyzed at **Prerouting**. First filters can be applied here, and also rules for ignoring connection tracking system can be configured. The relevant configuration that acts in **prerouting** is:"
+
+#: ../../configuration/highavailability/index.rst:336
 msgid "Transition scripts"
 msgstr "Transition scripts"
 
-#: ../../configuration/highavailability/index.rst:334
+#: ../../configuration/highavailability/index.rst:338
 msgid "Transition scripts can help you implement various fixups, such as starting and stopping services, or even modifying the VyOS config on VRRP transition. This setup will make the VRRP process execute the ``/config/scripts/vrrp-fail.sh`` with argument ``Foo`` when VRRP fails, and the ``/config/scripts/vrrp-master.sh`` when the router becomes the master:"
 msgstr "Transition scripts can help you implement various fixups, such as starting and stopping services, or even modifying the VyOS config on VRRP transition. This setup will make the VRRP process execute the ``/config/scripts/vrrp-fail.sh`` with argument ``Foo`` when VRRP fails, and the ``/config/scripts/vrrp-master.sh`` when the router becomes the master:"
 
@@ -17263,10 +19510,10 @@ msgstr "Transition scripts can help you implement various fixups, such as starti
 msgid "Transparent Proxy"
 msgstr "Transparent Proxy"
 
-#: ../../configuration/interfaces/openvpn.rst:701
+#: ../../configuration/interfaces/openvpn.rst:842
 #: ../../configuration/interfaces/tunnel.rst:227
 #: ../../configuration/vpn/pptp.rst:484
-#: ../../configuration/vpn/sstp.rst:580
+#: ../../configuration/vpn/sstp.rst:590
 msgid "Troubleshooting"
 msgstr "Troubleshooting"
 
@@ -17282,26 +19529,42 @@ msgstr "Tunnel"
 msgid "Tunnel keys"
 msgstr "Tunnel keys"
 
-#: ../../configuration/vpn/l2tp.rst:280
+#: ../../configuration/vpn/l2tp.rst:283
 msgid "Tunnel password used to authenticate the client (LAC)"
 msgstr "Tunnel password used to authenticate the client (LAC)"
 
+#: ../../configuration/system/conntrack.rst:202
+msgid "Turn on flow-based timestamp extension."
+msgstr "Turn on flow-based timestamp extension."
+
 #: ../../configuration/loadbalancing/wan.rst:257
 msgid "Two environment variables are available:"
 msgstr "Two environment variables are available:"
 
-#: ../../configuration/firewall/flowtables.rst:104
+#: ../../configuration/firewall/flowtables.rst:105
 msgid "Two interfaces are going to be used in the flowtables: eth0 and eth1"
 msgstr "Two interfaces are going to be used in the flowtables: eth0 and eth1"
 
-#: ../../configuration/service/ssh.rst:188
+#: ../../configuration/service/ssh.rst:208
 msgid "Two new files ``/config/auth/id_rsa_rpki`` and ``/config/auth/id_rsa_rpki.pub`` will be created."
 msgstr "Two new files ``/config/auth/id_rsa_rpki`` and ``/config/auth/id_rsa_rpki.pub`` will be created."
 
+#: ../../configuration/service/config-sync.rst:41
+msgid "Two options are available for `mode`: either `load` and replace or `set` the configuration section."
+msgstr "Two options are available for `mode`: either `load` and replace or `set` the configuration section."
+
 #: ../../configuration/interfaces/macsec.rst:155
 msgid "Two routers connected both via eth1 through an untrusted switch"
 msgstr "Two routers connected both via eth1 through an untrusted switch"
 
+#: ../../configuration/interfaces/bonding.rst:311
+msgid "Type-1 (EAD-per-ES and EAD-per-EVI) routes are used to advertise the locally attached ESs and to learn off remote ESs in the network. Local Type-2/MAC-IP routes are also advertised with a destination ESI allowing for MAC-IP syncing between Ethernet Segment peers. Reference: RFC 7432, RFC 8365"
+msgstr "Type-1 (EAD-per-ES and EAD-per-EVI) routes are used to advertise the locally attached ESs and to learn off remote ESs in the network. Local Type-2/MAC-IP routes are also advertised with a destination ESI allowing for MAC-IP syncing between Ethernet Segment peers. Reference: RFC 7432, RFC 8365"
+
+#: ../../configuration/interfaces/bonding.rst:323
+msgid "Type-4 (ESR) routes are used for Designated Forwarder (DF) election. DFs forward BUM traffic received via the overlay network. This implementation uses a preference based DF election specified by draft-ietf-bess-evpn-pref-df."
+msgstr "Type-4 (ESR) routes are used for Designated Forwarder (DF) election. DFs forward BUM traffic received via the overlay network. This implementation uses a preference based DF election specified by draft-ietf-bess-evpn-pref-df."
+
 #: ../../configuration/service/monitoring.rst:26
 msgid "Type of metrics grouping when push to Azure Data Explorer. The default is ``table-per-metric``."
 msgstr "Type of metrics grouping when push to Azure Data Explorer. The default is ``table-per-metric``."
@@ -17346,11 +19609,11 @@ msgstr "URL with signature of master for auth reply verification"
 msgid "USB to serial converters will handle most of their work in software so you should be carefull with the selected baudrate as some times they can't cope with the expected speed."
 msgstr "USB to serial converters will handle most of their work in software so you should be carefull with the selected baudrate as some times they can't cope with the expected speed."
 
-#: ../../configuration/system/syslog.rst:128
+#: ../../configuration/system/syslog.rst:146
 msgid "UUCP subsystem"
 msgstr "UUCP subsystem"
 
-#: ../../configuration/interfaces/ethernet.rst:73
+#: ../../configuration/interfaces/ethernet.rst:81
 msgid "Under some circumstances, LRO is known to modify the packet headers of forwarded traffic, which breaks the end-to-end principle of computer networking. LRO is also only able to offload TCP segments encapsulated in IPv4 packets. Due to these limitations, it is recommended to use GRO (Generic Receive Offload) where possible. More information on the limitations of LRO can be found here: https://lwn.net/Articles/358910/"
 msgstr "Under some circumstances, LRO is known to modify the packet headers of forwarded traffic, which breaks the end-to-end principle of computer networking. LRO is also only able to offload TCP segments encapsulated in IPv4 packets. Due to these limitations, it is recommended to use GRO (Generic Receive Offload) where possible. More information on the limitations of LRO can be found here: https://lwn.net/Articles/358910/"
 
@@ -17374,11 +19637,11 @@ msgstr "Unit of this command is MB."
 msgid "Units"
 msgstr "Units"
 
-#: ../../configuration/interfaces/openvpn.rst:171
+#: ../../configuration/interfaces/openvpn.rst:172
 msgid "Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. That option is still available but it is deprecated and will be removed in the future. However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN, you need to still need to know how to use it."
 msgstr "Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. That option is still available but it is deprecated and will be removed in the future. However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN, you need to still need to know how to use it."
 
-#: ../../configuration/trafficpolicy/index.rst:705
+#: ../../configuration/trafficpolicy/index.rst:755
 msgid "Up to seven queues -defined as classes_ with different priorities- can be configured. Packets are placed into queues based on associated match criteria. Packets are transmitted from the queues in priority order. If classes with a higher priority are being filled with packets continuously, packets from lower priority classes will only be transmitted after traffic volume from higher priority classes decreases."
 msgstr "Up to seven queues -defined as classes_ with different priorities- can be configured. Packets are placed into queues based on associated match criteria. Packets are transmitted from the queues in priority order. If classes with a higher priority are being filled with packets continuously, packets from lower priority classes will only be transmitted after traffic volume from higher priority classes decreases."
 
@@ -17386,12 +19649,12 @@ msgstr "Up to seven queues -defined as classes_ with different priorities- can b
 msgid "Update"
 msgstr "Update"
 
-#: ../../configuration/container/index.rst:207
+#: ../../configuration/container/index.rst:262
 msgid "Update container image"
 msgstr "Update container image"
 
-#: ../../configuration/firewall/ipv4.rst:1198
-#: ../../configuration/firewall/ipv6.rst:1191
+#: ../../configuration/firewall/ipv4.rst:1302
+#: ../../configuration/firewall/ipv6.rst:1301
 msgid "Update geoip database"
 msgstr "Update geoip database"
 
@@ -17403,14 +19666,16 @@ msgstr "Updates"
 msgid "Updates from the RPKI cache servers are directly applied and path selection is updated accordingly. (Soft reconfiguration must be enabled for this to work)."
 msgstr "Updates from the RPKI cache servers are directly applied and path selection is updated accordingly. (Soft reconfiguration must be enabled for this to work)."
 
-#: ../../configuration/service/pppoe-server.rst:267
-#: ../../configuration/vpn/l2tp.rst:391
+#: ../../configuration/interfaces/ethernet.rst:132
+msgid "Uplink/Core tracking."
+msgstr "Uplink/Core tracking."
+
+#: ../../configuration/service/pppoe-server.rst:286
 #: ../../configuration/vpn/pptp.rst:315
-#: ../../configuration/vpn/sstp.rst:349
 msgid "Upload bandwidth limit in kbit/s for `<user>`."
 msgstr "Upload bandwidth limit in kbit/s for `<user>`."
 
-#: ../../configuration/service/ipoe-server.rst:325
+#: ../../configuration/service/ipoe-server.rst:324
 msgid "Upload bandwidth limit in kbit/s for for user on interface `<interface>`."
 msgstr "Upload bandwidth limit in kbit/s for for user on interface `<interface>`."
 
@@ -17422,8 +19687,20 @@ msgstr "Upon reception of an incoming packet, when a response is sent, it might
 msgid "Upon shutdown, this option will deprecate the prefix by announcing it in the shutdown RA"
 msgstr "Upon shutdown, this option will deprecate the prefix by announcing it in the shutdown RA"
 
-#: ../../configuration/interfaces/wireless.rst:352
-#: ../../configuration/interfaces/wireless.rst:552
+#: ../../configuration/nat/cgnat.rst:60
+msgid "Usable Ports: 65536 - 1024 = 64512"
+msgstr "Usable Ports: 65536 - 1024 = 64512"
+
+#: ../../configuration/nat/cgnat.rst:68
+msgid "Usable Ports / Ports per Subscriber"
+msgstr "Usable Ports / Ports per Subscriber"
+
+#: ../../configuration/interfaces/wireless.rst:731
+msgid "Use 802.11ax protocol"
+msgstr "Use 802.11ax protocol"
+
+#: ../../configuration/interfaces/wireless.rst:463
+#: ../../configuration/interfaces/wireless.rst:676
 msgid "Use 802.11n protocol"
 msgstr "Use 802.11n protocol"
 
@@ -17435,6 +19712,10 @@ msgstr "Use CA certificate from PKI subsystem"
 msgid "Use DynDNS as your preferred provider:"
 msgstr "Use DynDNS as your preferred provider:"
 
+#: ../../configuration/firewall/bridge.rst:428
+msgid "Use IP firewall"
+msgstr "Use IP firewall"
+
 #: ../../configuration/service/monitoring.rst:88
 msgid "Use TLS but skip host validation"
 msgstr "Use TLS but skip host validation"
@@ -17451,7 +19732,7 @@ msgstr "Use :abbr:`DH (Diffie–Hellman)` parameters from PKI subsystem. Must be
 msgid "Use `<subnet>` as the IP pool for all connecting clients."
 msgstr "Use `<subnet>` as the IP pool for all connecting clients."
 
-#: ../../configuration/system/syslog.rst:236
+#: ../../configuration/system/syslog.rst:254
 msgid "Use ``show log | strip-private`` if you want to hide private data when sharing your logs."
 msgstr "Use ``show log | strip-private`` if you want to hide private data when sharing your logs."
 
@@ -17463,31 +19744,66 @@ msgstr "Use `delete system conntrack modules` to deactive all modules."
 msgid "Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to preserve resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations."
 msgstr "Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to preserve resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations."
 
-#: ../../configuration/firewall/ipv4.rst:538
-#: ../../configuration/firewall/ipv6.rst:525
+#: ../../configuration/firewall/ipv4.rst:562
+#: ../../configuration/firewall/ipv6.rst:553
 msgid "Use a specific address-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific address-group. Prepend character ``!`` for inverted matching criteria."
 
-#: ../../configuration/firewall/ipv4.rst:601
-#: ../../configuration/firewall/ipv6.rst:588
+#: ../../configuration/firewall/ipv4.rst:561
+#: ../../configuration/firewall/ipv6.rst:552
+msgid "Use a specific address-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+msgstr "Use a specific address-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+
+#: ../../configuration/firewall/ipv4.rst:646
+#: ../../configuration/firewall/ipv6.rst:637
 msgid "Use a specific domain-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific domain-group. Prepend character ``!`` for inverted matching criteria."
 
-#: ../../configuration/firewall/ipv4.rst:622
-#: ../../configuration/firewall/ipv6.rst:609
+#: ../../configuration/firewall/ipv4.rst:645
+#: ../../configuration/firewall/ipv6.rst:636
+msgid "Use a specific domain-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+msgstr "Use a specific domain-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+
+#: ../../configuration/firewall/ipv4.rst:583
+#: ../../configuration/firewall/ipv6.rst:574
+msgid "Use a specific dynamic-address-group. Prepend character ``!`` for inverted matching criteria."
+msgstr "Use a specific dynamic-address-group. Prepend character ``!`` for inverted matching criteria."
+
+#: ../../configuration/firewall/ipv4.rst:582
+#: ../../configuration/firewall/ipv6.rst:573
+msgid "Use a specific dynamic-address-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+msgstr "Use a specific dynamic-address-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+
+#: ../../configuration/firewall/ipv4.rst:667
+#: ../../configuration/firewall/ipv6.rst:658
 msgid "Use a specific mac-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific mac-group. Prepend character ``!`` for inverted matching criteria."
 
-#: ../../configuration/firewall/ipv4.rst:559
-#: ../../configuration/firewall/ipv6.rst:546
+#: ../../configuration/firewall/ipv4.rst:666
+#: ../../configuration/firewall/ipv6.rst:657
+msgid "Use a specific mac-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+msgstr "Use a specific mac-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+
+#: ../../configuration/firewall/ipv4.rst:604
+#: ../../configuration/firewall/ipv6.rst:595
 msgid "Use a specific network-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific network-group. Prepend character ``!`` for inverted matching criteria."
 
-#: ../../configuration/firewall/ipv4.rst:580
-#: ../../configuration/firewall/ipv6.rst:567
+#: ../../configuration/firewall/ipv4.rst:603
+#: ../../configuration/firewall/ipv6.rst:594
+msgid "Use a specific network-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+msgstr "Use a specific network-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+
+#: ../../configuration/firewall/ipv4.rst:625
+#: ../../configuration/firewall/ipv6.rst:616
 msgid "Use a specific port-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific port-group. Prepend character ``!`` for inverted matching criteria."
 
+#: ../../configuration/firewall/ipv4.rst:624
+#: ../../configuration/firewall/ipv6.rst:615
+msgid "Use a specific port-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+msgstr "Use a specific port-group. Prepending the character ``!`` to invert the criteria to match is also supported."
+
 #: ../../configuration/service/dhcp-server.rst:430
 msgid "Use active-active HA mode."
 msgstr "Use active-active HA mode."
@@ -17536,19 +19852,23 @@ msgstr "Use local user `foo` with password `bar`"
 msgid "Use tab completion to get a list of categories."
 msgstr "Use tab completion to get a list of categories."
 
-#: ../../configuration/system/option.rst:83
+#: ../../configuration/interfaces/openvpn.rst:793
+msgid "Use the QR code to add the user account in Google authenticator application and on client side, use the OTP number as password."
+msgstr "Use the QR code to add the user account in Google authenticator application and on client side, use the OTP number as password."
+
+#: ../../configuration/system/option.rst:103
 msgid "Use the address of the specified interface on the local machine as the source address of the connection."
 msgstr "Use the address of the specified interface on the local machine as the source address of the connection."
 
-#: ../../configuration/nat/nat66.rst:111
+#: ../../configuration/nat/nat66.rst:123
 msgid "Use the following topology to build a nat66 based isolated network between internal and external networks (dynamic prefix is not supported):"
 msgstr "Use the following topology to build a nat66 based isolated network between internal and external networks (dynamic prefix is not supported):"
 
-#: ../../configuration/nat/nat66.rst:142
+#: ../../configuration/nat/nat66.rst:154
 msgid "Use the following topology to translate internal user local addresses (``fc::/7``) to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair."
 msgstr "Use the following topology to translate internal user local addresses (``fc::/7``) to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair."
 
-#: ../../configuration/system/option.rst:78
+#: ../../configuration/system/option.rst:98
 msgid "Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address."
 msgstr "Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address."
 
@@ -17560,6 +19880,10 @@ msgstr "Use these commands if you would like to set the discovery hello and hold
 msgid "Use these commands if you would like to set the discovery hello and hold time parameters for the targeted LDP neighbors."
 msgstr "Use these commands if you would like to set the discovery hello and hold time parameters for the targeted LDP neighbors."
 
+#: ../../configuration/firewall/global-options.rst:58
+msgid "Use these commands to also use IPv4, or IPv6 firewall rules for bridged traffic"
+msgstr "Use these commands to also use IPv4, or IPv6 firewall rules for bridged traffic"
+
 #: ../../configuration/protocols/mpls.rst:136
 msgid "Use these commands to control the exporting of forwarding equivalence classes (FECs) for LDP to neighbors. This would be useful for example on only announcing the labeled routes that are needed and not ones that are not needed, such as announcing loopback interfaces and no others."
 msgstr "Use these commands to control the exporting of forwarding equivalence classes (FECs) for LDP to neighbors. This would be useful for example on only announcing the labeled routes that are needed and not ones that are not needed, such as announcing loopback interfaces and no others."
@@ -17580,11 +19904,11 @@ msgstr "Use this PIM command to modify the time out value (31-60000 seconds) for
 msgid "Use this comand to set the IPv6 address pool from which a PPPoE client will get an IPv6 prefix of your defined length (mask) to terminate the PPPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 msgstr "Use this comand to set the IPv6 address pool from which a PPPoE client will get an IPv6 prefix of your defined length (mask) to terminate the PPPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 
-#: ../../configuration/service/ipoe-server.rst:261
+#: ../../configuration/service/ipoe-server.rst:260
 msgid "Use this comand to set the IPv6 address pool from which an IPoE client will get an IPv6 prefix of your defined length (mask) to terminate the IPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 msgstr "Use this comand to set the IPv6 address pool from which an IPoE client will get an IPv6 prefix of your defined length (mask) to terminate the IPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 
-#: ../../configuration/service/pppoe-server.rst:355
+#: ../../configuration/service/pppoe-server.rst:375
 msgid "Use this comand to set the IPv6 address pool from which an PPPoE client will get an IPv6 prefix of your defined length (mask) to terminate the PPPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 msgstr "Use this comand to set the IPv6 address pool from which an PPPoE client will get an IPv6 prefix of your defined length (mask) to terminate the PPPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 
@@ -17592,10 +19916,18 @@ msgstr "Use this comand to set the IPv6 address pool from which an PPPoE client
 msgid "Use this comand to set the IPv6 address pool from which an PPTP client will get an IPv6 prefix of your defined length (mask) to terminate the PPTP endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 msgstr "Use this comand to set the IPv6 address pool from which an PPTP client will get an IPv6 prefix of your defined length (mask) to terminate the PPTP endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 
+#: ../../configuration/vpn/sstp.rst:260
+msgid "Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the SSTP endpoint at their side. The mask length can be set between 48 and 128 bits long, the default value is 64."
+msgstr "Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the SSTP endpoint at their side. The mask length can be set between 48 and 128 bits long, the default value is 64."
+
 #: ../../configuration/vpn/sstp.rst:257
 msgid "Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the SSTP endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 msgstr "Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the SSTP endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 
+#: ../../configuration/vpn/l2tp.rst:302
+msgid "Use this comand to set the IPv6 address pool from which an l2tp client will get an IPv6 prefix of your defined length (mask) to terminate the l2tp endpoint at their side. The mask length can be set between 48 and 128 bits long, the default value is 64."
+msgstr "Use this comand to set the IPv6 address pool from which an l2tp client will get an IPv6 prefix of your defined length (mask) to terminate the l2tp endpoint at their side. The mask length can be set between 48 and 128 bits long, the default value is 64."
+
 #: ../../configuration/vpn/l2tp.rst:299
 msgid "Use this comand to set the IPv6 address pool from which an l2tp client will get an IPv6 prefix of your defined length (mask) to terminate the l2tp endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 msgstr "Use this comand to set the IPv6 address pool from which an l2tp client will get an IPv6 prefix of your defined length (mask) to terminate the l2tp endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
@@ -17632,15 +19964,23 @@ msgstr "Use this command to allow the selected interface to join a multicast gro
 msgid "Use this command to allow the selected interface to join a source-specific multicast group."
 msgstr "Use this command to allow the selected interface to join a source-specific multicast group."
 
-#: ../../configuration/interfaces/openvpn.rst:712
+#: ../../configuration/interfaces/openvpn.rst:874
+msgid "Use this command to check log messages specific to an interface."
+msgstr "Use this command to check log messages specific to an interface."
+
+#: ../../configuration/interfaces/openvpn.rst:869
+msgid "Use this command to check log messages which include entries for successful connections as well as failures and errors related to all OpenVPN interfaces."
+msgstr "Use this command to check log messages which include entries for successful connections as well as failures and errors related to all OpenVPN interfaces."
+
+#: ../../configuration/interfaces/openvpn.rst:853
 msgid "Use this command to check the tunnel status for OpenVPN client interfaces."
 msgstr "Use this command to check the tunnel status for OpenVPN client interfaces."
 
-#: ../../configuration/interfaces/openvpn.rst:716
+#: ../../configuration/interfaces/openvpn.rst:857
 msgid "Use this command to check the tunnel status for OpenVPN server interfaces."
 msgstr "Use this command to check the tunnel status for OpenVPN server interfaces."
 
-#: ../../configuration/interfaces/openvpn.rst:720
+#: ../../configuration/interfaces/openvpn.rst:861
 msgid "Use this command to check the tunnel status for OpenVPN site-to-site interfaces."
 msgstr "Use this command to check the tunnel status for OpenVPN site-to-site interfaces."
 
@@ -17652,11 +19992,11 @@ msgstr "Use this command to clear Border Gateway Protocol statistics or status."
 msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 
-#: ../../configuration/service/ipoe-server.rst:269
+#: ../../configuration/service/ipoe-server.rst:268
 msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on IPoE. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on IPoE. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 
-#: ../../configuration/service/pppoe-server.rst:363
+#: ../../configuration/service/pppoe-server.rst:383
 msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on PPPoE. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on PPPoE. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 
@@ -17664,10 +20004,18 @@ msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on PPPo
 msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on PPTP. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on PPTP. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 
+#: ../../configuration/vpn/sstp.rst:268
+msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set between 32 and 64 bits long."
+msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set between 32 and 64 bits long."
+
 #: ../../configuration/vpn/sstp.rst:265
 msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 
+#: ../../configuration/vpn/l2tp.rst:310
+msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be between 32 and 64 bits long."
+msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be between 32 and 64 bits long."
+
 #: ../../configuration/vpn/l2tp.rst:307
 msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
@@ -17681,75 +20029,75 @@ msgstr "Use this command to configure Dynamic Authorization Extensions to RADIUS
 msgid "Use this command to configure a \"black-hole\" route on the router. A black-hole route is a route for which the system silently discard packets that are matched. This prevents networks leaking out public interfaces, but it does not prevent them from being used as a more specific route inside your network."
 msgstr "Use this command to configure a \"black-hole\" route on the router. A black-hole route is a route for which the system silently discard packets that are matched. This prevents networks leaking out public interfaces, but it does not prevent them from being used as a more specific route inside your network."
 
-#: ../../configuration/trafficpolicy/index.rst:649
+#: ../../configuration/trafficpolicy/index.rst:699
 msgid "Use this command to configure a Network Emulator policy defining its name and the fixed amount of time you want to add to all packet going out of the interface. The latency will be added through the Token Bucket Filter qdisc. It will only take effect if you have configured its bandwidth too. You can use secs, ms and us. Default: 50ms."
 msgstr "Use this command to configure a Network Emulator policy defining its name and the fixed amount of time you want to add to all packet going out of the interface. The latency will be added through the Token Bucket Filter qdisc. It will only take effect if you have configured its bandwidth too. You can use secs, ms and us. Default: 50ms."
 
-#: ../../configuration/trafficpolicy/index.rst:753
+#: ../../configuration/trafficpolicy/index.rst:803
 msgid "Use this command to configure a Priority Queue policy, set its name, set a class with a priority from 1 to 7 and define a hard limit on the real queue size. When this limit is reached, new packets are dropped."
 msgstr "Use this command to configure a Priority Queue policy, set its name, set a class with a priority from 1 to 7 and define a hard limit on the real queue size. When this limit is reached, new packets are dropped."
 
-#: ../../configuration/trafficpolicy/index.rst:814
+#: ../../configuration/trafficpolicy/index.rst:864
 msgid "Use this command to configure a Random-Detect policy, set its name and set the available bandwidth for this policy. It is used for calculating the average queue size after some idle time. It should be set to the bandwidth of your interface. Random Detect is not a shaping policy, this command will not shape."
 msgstr "Use this command to configure a Random-Detect policy, set its name and set the available bandwidth for this policy. It is used for calculating the average queue size after some idle time. It should be set to the bandwidth of your interface. Random Detect is not a shaping policy, this command will not shape."
 
-#: ../../configuration/trafficpolicy/index.rst:885
+#: ../../configuration/trafficpolicy/index.rst:935
 msgid "Use this command to configure a Random-Detect policy and set its name, then name the IP Precedence for the virtual queue you are configuring and what the maximum size of its queue will be (from 1 to 1-4294967295 packets). Packets are dropped when the current queue length reaches this value."
 msgstr "Use this command to configure a Random-Detect policy and set its name, then name the IP Precedence for the virtual queue you are configuring and what the maximum size of its queue will be (from 1 to 1-4294967295 packets). Packets are dropped when the current queue length reaches this value."
 
-#: ../../configuration/trafficpolicy/index.rst:834
+#: ../../configuration/trafficpolicy/index.rst:884
 msgid "Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the virtual queue you are configuring and what its mark (drop) probability will be. Set the probability by giving the N value of the fraction 1/N (default: 10)."
 msgstr "Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the virtual queue you are configuring and what its mark (drop) probability will be. Set the probability by giving the N value of the fraction 1/N (default: 10)."
 
-#: ../../configuration/trafficpolicy/index.rst:843
+#: ../../configuration/trafficpolicy/index.rst:893
 msgid "Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the virtual queue you are configuring and what its maximum threshold for random detection will be (from 0 to 4096 packets, default: 18). At this size, the marking (drop) probability is maximal."
 msgstr "Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the virtual queue you are configuring and what its maximum threshold for random detection will be (from 0 to 4096 packets, default: 18). At this size, the marking (drop) probability is maximal."
 
-#: ../../configuration/trafficpolicy/index.rst:852
+#: ../../configuration/trafficpolicy/index.rst:902
 msgid "Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the virtual queue you are configuring and what its minimum threshold for random detection will be (from 0 to 4096 packets).  If this value is exceeded, packets start being eligible for being dropped."
 msgstr "Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the virtual queue you are configuring and what its minimum threshold for random detection will be (from 0 to 4096 packets).  If this value is exceeded, packets start being eligible for being dropped."
 
-#: ../../configuration/trafficpolicy/index.rst:823
+#: ../../configuration/trafficpolicy/index.rst:873
 msgid "Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the virtual queue you are configuring and what the size of its average-packet should be (in bytes, default: 1024)."
 msgstr "Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the virtual queue you are configuring and what the size of its average-packet should be (in bytes, default: 1024)."
 
-#: ../../configuration/trafficpolicy/index.rst:947
+#: ../../configuration/trafficpolicy/index.rst:997
 msgid "Use this command to configure a Rate-Control policy, set its name and the maximum amount of time a packet can be queued (default: 50 ms)."
 msgstr "Use this command to configure a Rate-Control policy, set its name and the maximum amount of time a packet can be queued (default: 50 ms)."
 
-#: ../../configuration/trafficpolicy/index.rst:930
+#: ../../configuration/trafficpolicy/index.rst:980
 msgid "Use this command to configure a Rate-Control policy, set its name and the rate limit you want to have."
 msgstr "Use this command to configure a Rate-Control policy, set its name and the rate limit you want to have."
 
-#: ../../configuration/trafficpolicy/index.rst:935
+#: ../../configuration/trafficpolicy/index.rst:985
 msgid "Use this command to configure a Rate-Control policy, set its name and the size of the bucket in bytes which will be available for burst."
 msgstr "Use this command to configure a Rate-Control policy, set its name and the size of the bucket in bytes which will be available for burst."
 
-#: ../../configuration/trafficpolicy/index.rst:987
+#: ../../configuration/trafficpolicy/index.rst:1037
 msgid "Use this command to configure a Round-Robin policy, set its name, set a class ID, and the quantum for that class. The deficit counter will add that value each round."
 msgstr "Use this command to configure a Round-Robin policy, set its name, set a class ID, and the quantum for that class. The deficit counter will add that value each round."
 
-#: ../../configuration/trafficpolicy/index.rst:994
+#: ../../configuration/trafficpolicy/index.rst:1044
 msgid "Use this command to configure a Round-Robin policy, set its name, set a class ID, and the queue size in packets."
 msgstr "Use this command to configure a Round-Robin policy, set its name, set a class ID, and the queue size in packets."
 
-#: ../../configuration/trafficpolicy/index.rst:1049
+#: ../../configuration/trafficpolicy/index.rst:1099
 msgid "Use this command to configure a Shaper policy, set its name, define a class and set the guaranteed traffic you want to allocate to that class."
 msgstr "Use this command to configure a Shaper policy, set its name, define a class and set the guaranteed traffic you want to allocate to that class."
 
-#: ../../configuration/trafficpolicy/index.rst:1063
+#: ../../configuration/trafficpolicy/index.rst:1113
 msgid "Use this command to configure a Shaper policy, set its name, define a class and set the maximum speed possible for this class. The default ceiling value is the bandwidth value."
 msgstr "Use this command to configure a Shaper policy, set its name, define a class and set the maximum speed possible for this class. The default ceiling value is the bandwidth value."
 
-#: ../../configuration/trafficpolicy/index.rst:1070
+#: ../../configuration/trafficpolicy/index.rst:1120
 msgid "Use this command to configure a Shaper policy, set its name, define a class and set the priority for usage of available bandwidth once guarantees have been met. The lower the priority number, the higher the priority. The default priority value is 0, the highest priority."
 msgstr "Use this command to configure a Shaper policy, set its name, define a class and set the priority for usage of available bandwidth once guarantees have been met. The lower the priority number, the higher the priority. The default priority value is 0, the highest priority."
 
-#: ../../configuration/trafficpolicy/index.rst:1056
+#: ../../configuration/trafficpolicy/index.rst:1106
 msgid "Use this command to configure a Shaper policy, set its name, define a class and set the size of the `tocken bucket`_ in bytes, which will be available to be sent at ceiling speed (default: 15Kb)."
 msgstr "Use this command to configure a Shaper policy, set its name, define a class and set the size of the `tocken bucket`_ in bytes, which will be available to be sent at ceiling speed (default: 15Kb)."
 
-#: ../../configuration/trafficpolicy/index.rst:1042
+#: ../../configuration/trafficpolicy/index.rst:1092
 msgid "Use this command to configure a Shaper policy, set its name and the maximum bandwidth for all combined traffic."
 msgstr "Use this command to configure a Shaper policy, set its name and the maximum bandwidth for all combined traffic."
 
@@ -17757,7 +20105,7 @@ msgstr "Use this command to configure a Shaper policy, set its name and the maxi
 msgid "Use this command to configure a data-rate limit to PPPOoE clients for traffic download or upload. The rate-limit is set in kbit/sec."
 msgstr "Use this command to configure a data-rate limit to PPPOoE clients for traffic download or upload. The rate-limit is set in kbit/sec."
 
-#: ../../configuration/trafficpolicy/index.rst:378
+#: ../../configuration/trafficpolicy/index.rst:428
 msgid "Use this command to configure a drop-tail policy (PFIFO). Choose a unique name for this policy and the size of the queue by setting the number of packets it can contain (maximum 4294967295)."
 msgstr "Use this command to configure a drop-tail policy (PFIFO). Choose a unique name for this policy and the size of the queue by setting the number of packets it can contain (maximum 4294967295)."
 
@@ -17765,47 +20113,47 @@ msgstr "Use this command to configure a drop-tail policy (PFIFO). Choose a uniqu
 msgid "Use this command to configure a specific session hold time for LDP peers. Set the IP address of the LDP peer and a session hold time that should be configured for it. You may have to reset the neighbor for this to work."
 msgstr "Use this command to configure a specific session hold time for LDP peers. Set the IP address of the LDP peer and a session hold time that should be configured for it. You may have to reset the neighbor for this to work."
 
-#: ../../configuration/trafficpolicy/index.rst:571
+#: ../../configuration/trafficpolicy/index.rst:621
 msgid "Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090), a class matching rule name and its description."
 msgstr "Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090), a class matching rule name and its description."
 
-#: ../../configuration/trafficpolicy/index.rst:611
+#: ../../configuration/trafficpolicy/index.rst:661
 msgid "Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090), and the priority (0-20, default 20) in which the rule is evaluated (the lower the number, the higher the priority)."
 msgstr "Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090), and the priority (0-20, default 20) in which the rule is evaluated (the lower the number, the higher the priority)."
 
-#: ../../configuration/trafficpolicy/index.rst:591
+#: ../../configuration/trafficpolicy/index.rst:641
 msgid "Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090) and the burst size in bytes for this class (default: 15)."
 msgstr "Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090) and the burst size in bytes for this class (default: 15)."
 
-#: ../../configuration/trafficpolicy/index.rst:583
+#: ../../configuration/trafficpolicy/index.rst:633
 msgid "Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090) and the maximum allowed bandwidth for this class."
 msgstr "Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090) and the maximum allowed bandwidth for this class."
 
-#: ../../configuration/trafficpolicy/index.rst:604
+#: ../../configuration/trafficpolicy/index.rst:654
 msgid "Use this command to configure an Ingress Policer, defining its name and the burst size in bytes (default: 15) for its default policy."
 msgstr "Use this command to configure an Ingress Policer, defining its name and the burst size in bytes (default: 15) for its default policy."
 
-#: ../../configuration/trafficpolicy/index.rst:598
+#: ../../configuration/trafficpolicy/index.rst:648
 msgid "Use this command to configure an Ingress Policer, defining its name and the maximum allowed bandwidth for its default policy."
 msgstr "Use this command to configure an Ingress Policer, defining its name and the maximum allowed bandwidth for its default policy."
 
-#: ../../configuration/trafficpolicy/index.rst:517
+#: ../../configuration/trafficpolicy/index.rst:567
 msgid "Use this command to configure an fq-codel policy, set its name, and define a hard limit on the real queue size. When this limit is reached, new packets are dropped (default: 10240 packets)."
 msgstr "Use this command to configure an fq-codel policy, set its name, and define a hard limit on the real queue size. When this limit is reached, new packets are dropped (default: 10240 packets)."
 
-#: ../../configuration/trafficpolicy/index.rst:523
+#: ../../configuration/trafficpolicy/index.rst:573
 msgid "Use this command to configure an fq-codel policy, set its name, and define the acceptable minimum standing/persistent queue delay. This minimum delay is identified by tracking the local minimum queue delay that packets experience (default: 5ms)."
 msgstr "Use this command to configure an fq-codel policy, set its name, and define the acceptable minimum standing/persistent queue delay. This minimum delay is identified by tracking the local minimum queue delay that packets experience (default: 5ms)."
 
-#: ../../configuration/trafficpolicy/index.rst:497
+#: ../../configuration/trafficpolicy/index.rst:547
 msgid "Use this command to configure an fq-codel policy, set its name and the maximum number of bytes (default: 1514) to be dequeued from a queue at once."
 msgstr "Use this command to configure an fq-codel policy, set its name and the maximum number of bytes (default: 1514) to be dequeued from a queue at once."
 
-#: ../../configuration/trafficpolicy/index.rst:503
+#: ../../configuration/trafficpolicy/index.rst:553
 msgid "Use this command to configure an fq-codel policy, set its name and the number of sub-queues (default: 1024) into which packets are classified."
 msgstr "Use this command to configure an fq-codel policy, set its name and the number of sub-queues (default: 1024) into which packets are classified."
 
-#: ../../configuration/trafficpolicy/index.rst:509
+#: ../../configuration/trafficpolicy/index.rst:559
 msgid "Use this command to configure an fq-codel policy, set its name and the time period used by the control loop of CoDel to detect when a persistent queue is developing, ensuring that the measured minimum delay does not become too stale (default: 100ms)."
 msgstr "Use this command to configure an fq-codel policy, set its name and the time period used by the control loop of CoDel to detect when a persistent queue is developing, ensuring that the measured minimum delay does not become too stale (default: 100ms)."
 
@@ -17849,11 +20197,11 @@ msgstr "Use this command to configure the IP address used as the LDP router-id o
 msgid "Use this command to configure the PIM hello interval in seconds (1-180) for the selected interface."
 msgstr "Use this command to configure the PIM hello interval in seconds (1-180) for the selected interface."
 
-#: ../../configuration/system/flow-accounting.rst:119
+#: ../../configuration/system/flow-accounting.rst:123
 msgid "Use this command to configure the  sampling rate for flow accounting. The system samples one in every `<rate>` packets, where `<rate>` is the value configured for the sampling-rate option. The advantage of sampling every n packets, where n > 1, allows you to decrease the amount of processing resources required for flow accounting. The disadvantage of not sampling every packet is that the statistics produced are estimates of actual data flows."
 msgstr "Use this command to configure the  sampling rate for flow accounting. The system samples one in every `<rate>` packets, where `<rate>` is the value configured for the sampling-rate option. The advantage of sampling every n packets, where n > 1, allows you to decrease the amount of processing resources required for flow accounting. The disadvantage of not sampling every packet is that the statistics produced are estimates of actual data flows."
 
-#: ../../configuration/trafficpolicy/index.rst:640
+#: ../../configuration/trafficpolicy/index.rst:690
 msgid "Use this command to configure the burst size of the traffic in a Network Emulator policy. Define the name of the Network Emulator policy and its traffic burst size (it will be configured through the Token Bucket Filter qdisc). Default:15kb. It will only take effect if you have configured its bandwidth too."
 msgstr "Use this command to configure the burst size of the traffic in a Network Emulator policy. Define the name of the Network Emulator policy and its traffic burst size (it will be configured through the Token Bucket Filter qdisc). Default:15kb. It will only take effect if you have configured its bandwidth too."
 
@@ -17861,7 +20209,7 @@ msgstr "Use this command to configure the burst size of the traffic in a Network
 msgid "Use this command to configure the local gateway IP address."
 msgstr "Use this command to configure the local gateway IP address."
 
-#: ../../configuration/trafficpolicy/index.rst:634
+#: ../../configuration/trafficpolicy/index.rst:684
 msgid "Use this command to configure the maximum rate at which traffic will be shaped in a Network Emulator policy. Define the name of the policy and the rate."
 msgstr "Use this command to configure the maximum rate at which traffic will be shaped in a Network Emulator policy. Define the name of the policy and the rate."
 
@@ -17877,7 +20225,7 @@ msgstr "Use this command to configure the username and the password of a locally
 msgid "Use this command to control the maximum number of equal cost paths to reach a specific destination. The upper limit may differ if you change the value of MULTIPATH_NUM during compilation. The default is MULTIPATH_NUM (64)."
 msgstr "Use this command to control the maximum number of equal cost paths to reach a specific destination. The upper limit may differ if you change the value of MULTIPATH_NUM during compilation. The default is MULTIPATH_NUM (64)."
 
-#: ../../configuration/trafficpolicy/index.rst:398
+#: ../../configuration/trafficpolicy/index.rst:448
 msgid "Use this command to create a Fair-Queue policy and give it a name. It is based on the Stochastic Fairness Queueing and can be applied to outbound traffic."
 msgstr "Use this command to create a Fair-Queue policy and give it a name. It is based on the Stochastic Fairness Queueing and can be applied to outbound traffic."
 
@@ -17885,19 +20233,19 @@ msgstr "Use this command to create a Fair-Queue policy and give it a name. It is
 msgid "Use this command to define IPsec interface."
 msgstr "Use this command to define IPsec interface."
 
-#: ../../configuration/trafficpolicy/index.rst:425
+#: ../../configuration/trafficpolicy/index.rst:475
 msgid "Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number of maximum packets allowed to wait in the queue. Any other packet will be dropped."
 msgstr "Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number of maximum packets allowed to wait in the queue. Any other packet will be dropped."
 
-#: ../../configuration/trafficpolicy/index.rst:416
+#: ../../configuration/trafficpolicy/index.rst:466
 msgid "Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number of seconds at which a new queue algorithm perturbation will occur (maximum 4294967295)."
 msgstr "Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number of seconds at which a new queue algorithm perturbation will occur (maximum 4294967295)."
 
-#: ../../configuration/service/ipoe-server.rst:277
-#: ../../configuration/service/pppoe-server.rst:371
-#: ../../configuration/vpn/l2tp.rst:315
+#: ../../configuration/service/ipoe-server.rst:276
+#: ../../configuration/service/pppoe-server.rst:391
+#: ../../configuration/vpn/l2tp.rst:318
 #: ../../configuration/vpn/pptp.rst:239
-#: ../../configuration/vpn/sstp.rst:273
+#: ../../configuration/vpn/sstp.rst:276
 msgid "Use this command to define default IPv6 address pool name."
 msgstr "Use this command to define default IPv6 address pool name."
 
@@ -17957,7 +20305,7 @@ msgstr "Use this command to define the interface the PPPoE server will use to li
 msgid "Use this command to define the last IP address of a pool of addresses to be given to PPPoE clients. It must be within a /24 subnet."
 msgstr "Use this command to define the last IP address of a pool of addresses to be given to PPPoE clients. It must be within a /24 subnet."
 
-#: ../../configuration/trafficpolicy/index.rst:681
+#: ../../configuration/trafficpolicy/index.rst:731
 msgid "Use this command to define the length of the queue of your Network Emulator policy. Set the policy name and the maximum number of packets (1-4294967295) the queue may hold queued at a time."
 msgstr "Use this command to define the length of the queue of your Network Emulator policy. Set the policy name and the maximum number of packets (1-4294967295) the queue may hold queued at a time."
 
@@ -17969,11 +20317,11 @@ msgstr "Use this command to define the maximum number of entries to keep in the
 msgid "Use this command to define the maximum number of entries to keep in the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768)."
 msgstr "Use this command to define the maximum number of entries to keep in the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768)."
 
-#: ../../configuration/service/ipoe-server.rst:332
-#: ../../configuration/service/pppoe-server.rst:450
-#: ../../configuration/vpn/l2tp.rst:404
+#: ../../configuration/service/ipoe-server.rst:331
+#: ../../configuration/service/pppoe-server.rst:474
+#: ../../configuration/vpn/l2tp.rst:407
 #: ../../configuration/vpn/pptp.rst:328
-#: ../../configuration/vpn/sstp.rst:362
+#: ../../configuration/vpn/sstp.rst:365
 msgid "Use this command to define the next address pool name."
 msgstr "Use this command to define the next address pool name."
 
@@ -18005,15 +20353,15 @@ msgstr "Use this command to disable IPv6 operation on interface when Duplicate A
 msgid "Use this command to disable the generation of Ethernet flow control (pause frames)."
 msgstr "Use this command to disable the generation of Ethernet flow control (pause frames)."
 
-#: ../../configuration/trafficpolicy/index.rst:659
+#: ../../configuration/trafficpolicy/index.rst:709
 msgid "Use this command to emulate noise in a Network Emulator policy. Set the policy name and the percentage of corrupted packets you want. A random error will be introduced in a random position for the chosen percent of packets."
 msgstr "Use this command to emulate noise in a Network Emulator policy. Set the policy name and the percentage of corrupted packets you want. A random error will be introduced in a random position for the chosen percent of packets."
 
-#: ../../configuration/trafficpolicy/index.rst:667
+#: ../../configuration/trafficpolicy/index.rst:717
 msgid "Use this command to emulate packet-loss conditions in a Network Emulator policy. Set the policy name and the percentage of loss packets your traffic will suffer."
 msgstr "Use this command to emulate packet-loss conditions in a Network Emulator policy. Set the policy name and the percentage of loss packets your traffic will suffer."
 
-#: ../../configuration/trafficpolicy/index.rst:674
+#: ../../configuration/trafficpolicy/index.rst:724
 msgid "Use this command to emulate packet-reordering conditions in a Network Emulator policy. Set the policy name and the percentage of reordered packets your traffic will suffer."
 msgstr "Use this command to emulate packet-reordering conditions in a Network Emulator policy. Set the policy name and the percentage of reordered packets your traffic will suffer."
 
@@ -18041,7 +20389,7 @@ msgstr "Use this command to enable PIMv6 in the selected interface so that it ca
 msgid "Use this command to enable acquisition of IPv6 address using stateless autoconfig (SLAAC)."
 msgstr "Use this command to enable acquisition of IPv6 address using stateless autoconfig (SLAAC)."
 
-#: ../../configuration/service/pppoe-server.rst:310
+#: ../../configuration/service/pppoe-server.rst:329
 msgid "Use this command to enable bandwidth shaping via RADIUS."
 msgstr "Use this command to enable bandwidth shaping via RADIUS."
 
@@ -18053,7 +20401,7 @@ msgstr "Use this command to enable proxy Address Resolution Protocol (ARP) on th
 msgid "Use this command to enable targeted LDP sessions to the local router. The router will then respond to any sessions that are trying to connect to it that are not a link local type of TCP connection."
 msgstr "Use this command to enable targeted LDP sessions to the local router. The router will then respond to any sessions that are trying to connect to it that are not a link local type of TCP connection."
 
-#: ../../configuration/service/pppoe-server.rst:323
+#: ../../configuration/service/pppoe-server.rst:342
 msgid "Use this command to enable the delay of PADO (PPPoE Active Discovery Offer) packets, which can be used as a session balancing mechanism with other PPPoE servers."
 msgstr "Use this command to enable the delay of PADO (PPPoE Active Discovery Offer) packets, which can be used as a session balancing mechanism with other PPPoE servers."
 
@@ -18069,9 +20417,9 @@ msgstr "Use this command to enable the logging of the default action."
 msgid "Use this command to enable the logging of the default action on custom chains."
 msgstr "Use this command to enable the logging of the default action on custom chains."
 
-#: ../../configuration/firewall/bridge.rst:163
-#: ../../configuration/firewall/ipv4.rst:214
-#: ../../configuration/firewall/ipv6.rst:214
+#: ../../configuration/firewall/bridge.rst:223
+#: ../../configuration/firewall/ipv4.rst:238
+#: ../../configuration/firewall/ipv6.rst:238
 msgid "Use this command to enable the logging of the default action on the specified chain."
 msgstr "Use this command to enable the logging of the default action on the specified chain."
 
@@ -18099,11 +20447,11 @@ msgstr "Use this command to instruct the system to establish a PPPoE connection
 msgid "Use this command to link the PPPoE connection to a physical interface. Each PPPoE connection must be established over a physical interface. Interfaces can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs."
 msgstr "Use this command to link the PPPoE connection to a physical interface. Each PPPoE connection must be established over a physical interface. Interfaces can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs."
 
-#: ../../configuration/service/ipoe-server.rst:394
+#: ../../configuration/service/ipoe-server.rst:393
 msgid "Use this command to locally check the active sessions in the IPoE server."
 msgstr "Use this command to locally check the active sessions in the IPoE server."
 
-#: ../../configuration/service/pppoe-server.rst:587
+#: ../../configuration/service/pppoe-server.rst:612
 msgid "Use this command to locally check the active sessions in the PPPoE server."
 msgstr "Use this command to locally check the active sessions in the PPPoE server."
 
@@ -18111,7 +20459,7 @@ msgstr "Use this command to locally check the active sessions in the PPPoE serve
 msgid "Use this command to locally check the active sessions in the PPTP server."
 msgstr "Use this command to locally check the active sessions in the PPTP server."
 
-#: ../../configuration/vpn/sstp.rst:542
+#: ../../configuration/vpn/sstp.rst:552
 msgid "Use this command to locally check the active sessions in the SSTP server."
 msgstr "Use this command to locally check the active sessions in the SSTP server."
 
@@ -18136,11 +20484,11 @@ msgstr "Use this command to reset IPv6 Neighbor Discovery Protocol cache for an
 msgid "Use this command to reset an LDP neighbor/TCP session that is established"
 msgstr "Use this command to reset an LDP neighbor/TCP session that is established"
 
-#: ../../configuration/interfaces/openvpn.rst:735
+#: ../../configuration/interfaces/openvpn.rst:888
 msgid "Use this command to reset the OpenVPN process on a specific interface."
 msgstr "Use this command to reset the OpenVPN process on a specific interface."
 
-#: ../../configuration/interfaces/openvpn.rst:731
+#: ../../configuration/interfaces/openvpn.rst:884
 msgid "Use this command to reset the specified OpenVPN client."
 msgstr "Use this command to reset the specified OpenVPN client."
 
@@ -18168,7 +20516,7 @@ msgstr "Use this command to see discovery hello information"
 msgid "Use this command to see the Label Information Base."
 msgstr "Use this command to see the Label Information Base."
 
-#: ../../configuration/service/pppoe-server.rst:33
+#: ../../configuration/service/pppoe-server.rst:32
 msgid "Use this command to set a name for this PPPoE-server access concentrator."
 msgstr "Use this command to set a name for this PPPoE-server access concentrator."
 
@@ -18268,15 +20616,15 @@ msgstr "Use this command to use ordered label distribution control mode. FRR by
 msgid "Use this command to user Layer 4 information for ECMP hashing."
 msgstr "Use this command to user Layer 4 information for ECMP hashing."
 
-#: ../../configuration/interfaces/wireless.rst:431
+#: ../../configuration/interfaces/wireless.rst:549
 msgid "Use this command to view operational status and details wireless-specific information about all wireless interfaces."
 msgstr "Use this command to view operational status and details wireless-specific information about all wireless interfaces."
 
-#: ../../configuration/interfaces/wireless.rst:420
+#: ../../configuration/interfaces/wireless.rst:538
 msgid "Use this command to view operational status and wireless-specific information about all wireless interfaces."
 msgstr "Use this command to view operational status and wireless-specific information about all wireless interfaces."
 
-#: ../../configuration/interfaces/wireless.rst:498
+#: ../../configuration/interfaces/wireless.rst:622
 msgid "Use this command to view wireless interface queue information. The wireless interface identifier can range from wlan0 to wlan999."
 msgstr "Use this command to view wireless interface queue information. The wireless interface identifier can range from wlan0 to wlan999."
 
@@ -18292,15 +20640,13 @@ msgstr "Used to block a specific mime-type."
 msgid "Used to block specific domains by the Proxy. Specifying \"vyos.net\" will block all access to vyos.net, and specifying \".xxx\" will block all access to URLs having an URL ending on .xxx."
 msgstr "Used to block specific domains by the Proxy. Specifying \"vyos.net\" will block all access to vyos.net, and specifying \".xxx\" will block all access to URLs having an URL ending on .xxx."
 
-#: ../../configuration/system/syslog.rst:114
+#: ../../configuration/system/syslog.rst:132
 msgid "User-level messages"
 msgstr "User-level messages"
 
-#: ../../configuration/service/ipoe-server.rst:250
-#: ../../configuration/service/pppoe-server.rst:212
-#: ../../configuration/vpn/l2tp.rst:255
+#: ../../configuration/service/ipoe-server.rst:249
+#: ../../configuration/service/pppoe-server.rst:231
 #: ../../configuration/vpn/pptp.rst:195
-#: ../../configuration/vpn/sstp.rst:228
 msgid "User interface can be put to VRF context via RADIUS Access-Accept packet, or change it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. Define it in your RADIUS server."
 msgstr "User interface can be put to VRF context via RADIUS Access-Accept packet, or change it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. Define it in your RADIUS server."
 
@@ -18312,6 +20658,10 @@ msgstr "Using 'soft-reconfiguration' we get the policy update without bouncing t
 msgid "Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur."
 msgstr "Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur."
 
+#: ../../configuration/interfaces/openvpn.rst:350
+msgid "Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used on both the server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur."
+msgstr "Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used on both the server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur."
+
 #: ../../configuration/protocols/bgp.rst:922
 msgid "Using BGP confederation"
 msgstr "Using BGP confederation"
@@ -18320,15 +20670,31 @@ msgstr "Using BGP confederation"
 msgid "Using BGP route-reflectors"
 msgstr "Using BGP route-reflectors"
 
-#: ../../configuration/interfaces/bridge.rst:234
+#: ../../configuration/firewall/groups.rst:228
+msgid "Using Dynamic Firewall Groups"
+msgstr "Using Dynamic Firewall Groups"
+
+#: ../../configuration/system/flow-accounting.rst:45
+msgid "Using NetFlow on routers with high traffic levels may lead to high CPU usage and may affect the router's performance. In such cases, consider using sFlow instead."
+msgstr "Using NetFlow on routers with high traffic levels may lead to high CPU usage and may affect the router's performance. In such cases, consider using sFlow instead."
+
+#: ../../configuration/interfaces/bridge.rst:233
 msgid "Using VLAN aware Bridge"
 msgstr "Using VLAN aware Bridge"
 
+#: ../../configuration/service/suricata.rst:94
+msgid "Using address and port groups allows you to make your Suricata configuration more flexible and manageable. Instead of specifying IP addresses and ports directly in each rule, you can define them once in the vars section and then reference them by group names. This is especially useful in large networks and complex configurations where multiple IP addresses and ports need to be monitored."
+msgstr "Using address and port groups allows you to make your Suricata configuration more flexible and manageable. Instead of specifying IP addresses and ports directly in each rule, you can define them once in the vars section and then reference them by group names. This is especially useful in large networks and complex configurations where multiple IP addresses and ports need to be monitored."
+
+#: ../../configuration/firewall/groups.rst:285
+msgid "Using dynamic firewall groups, we can secure access to the router, or any other device if needed, by using the technique of port knocking."
+msgstr "Using dynamic firewall groups, we can secure access to the router, or any other device if needed, by using the technique of port knocking."
+
 #: ../../configuration/vpn/sstp.rst:29
 msgid "Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate"
 msgstr "Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate"
 
-#: ../../configuration/interfaces/bridge.rst:275
+#: ../../configuration/interfaces/bridge.rst:274
 msgid "Using the operation mode command to view Bridge Information"
 msgstr "Using the operation mode command to view Bridge Information"
 
@@ -18340,32 +20706,32 @@ msgstr "Using this command, you will create a new client configuration which can
 msgid "Usually this configuration is used in PEs (Provider Edge) to replace the incoming customer AS number so the connected CE ( Customer Edge) can use the same AS number as the other customer sites. This allows customers of the provider network to use the same AS number across their sites."
 msgstr "Usually this configuration is used in PEs (Provider Edge) to replace the incoming customer AS number so the connected CE ( Customer Edge) can use the same AS number as the other customer sites. This allows customers of the provider network to use the same AS number across their sites."
 
-#: ../../configuration/interfaces/wireless.rst:220
+#: ../../configuration/interfaces/wireless.rst:251
 msgid "VHT (Very High Throughput) capabilities (802.11ac)"
 msgstr "VHT (Very High Throughput) capabilities (802.11ac)"
 
-#: ../../configuration/interfaces/wireless.rst:267
+#: ../../configuration/interfaces/wireless.rst:303
 msgid "VHT link adaptation capabilities"
 msgstr "VHT link adaptation capabilities"
 
-#: ../../configuration/interfaces/wireless.rst:245
+#: ../../configuration/interfaces/wireless.rst:280
 msgid "VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)"
 msgstr "VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)"
 
-#: ../../configuration/interfaces/wireless.rst:248
+#: ../../configuration/interfaces/wireless.rst:283
 msgid "VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode)"
 msgstr "VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode)"
 
-#: ../../configuration/interfaces/bonding.rst:275
+#: ../../configuration/interfaces/bonding.rst:280
 #: ../../configuration/interfaces/bridge.rst:123
-#: ../../configuration/interfaces/ethernet.rst:123
+#: ../../configuration/interfaces/ethernet.rst:139
 #: ../../configuration/interfaces/pseudo-ethernet.rst:63
 #: ../../configuration/interfaces/virtual-ethernet.rst:30
-#: ../../configuration/interfaces/wireless.rst:398
+#: ../../configuration/interfaces/wireless.rst:516
 msgid "VLAN"
 msgstr "VLAN"
 
-#: ../../configuration/service/pppoe-server.rst:232
+#: ../../configuration/service/pppoe-server.rst:251
 msgid "VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module named ``vlan_mon``, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface."
 msgstr "VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module named ``vlan_mon``, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface."
 
@@ -18373,7 +20739,7 @@ msgstr "VLAN's can be created by Accel-ppp on the fly via the use of a Kernel mo
 msgid "VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module named `vlan_mon`, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface."
 msgstr "VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module named `vlan_mon`, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface."
 
-#: ../../configuration/interfaces/bridge.rst:240
+#: ../../configuration/interfaces/bridge.rst:239
 msgid "VLAN 10 on member interface `eth2` (ACCESS mode)"
 msgstr "VLAN 10 on member interface `eth2` (ACCESS mode)"
 
@@ -18385,7 +20751,7 @@ msgstr "VLAN Example"
 msgid "VLAN Options"
 msgstr "VLAN Options"
 
-#: ../../configuration/service/ipoe-server.rst:315
+#: ../../configuration/service/ipoe-server.rst:314
 msgid "VLAN monitor for automatic creation of VLAN interfaces for specific user on specific <interface>"
 msgstr "VLAN monitor for automatic creation of VLAN interfaces for specific user on specific <interface>"
 
@@ -18409,32 +20775,32 @@ msgstr "VPN-clients will request configuration parameters, optionally you can DN
 msgid "VRF"
 msgstr "VRF"
 
-#: ../../configuration/vrf/index.rst:430
+#: ../../configuration/vrf/index.rst:426
 msgid "VRF Route Leaking"
 msgstr "VRF Route Leaking"
 
-#: ../../configuration/vrf/index.rst:302
+#: ../../configuration/vrf/index.rst:298
 msgid "VRF and NAT"
 msgstr "VRF and NAT"
 
-#: ../../configuration/vrf/index.rst:399
+#: ../../configuration/vrf/index.rst:395
 msgid "VRF blue routing table"
 msgstr "VRF blue routing table"
 
-#: ../../configuration/vrf/index.rst:366
+#: ../../configuration/vrf/index.rst:362
 msgid "VRF default routing table"
 msgstr "VRF default routing table"
 
-#: ../../configuration/vrf/index.rst:382
+#: ../../configuration/vrf/index.rst:378
 msgid "VRF red routing table"
 msgstr "VRF red routing table"
 
-#: ../../configuration/vrf/index.rst:254
-#: ../../configuration/vrf/index.rst:261
+#: ../../configuration/vrf/index.rst:250
+#: ../../configuration/vrf/index.rst:257
 msgid "VRF route leaking"
 msgstr "VRF route leaking"
 
-#: ../../configuration/vrf/index.rst:261
+#: ../../configuration/vrf/index.rst:257
 msgid "VRF topology example"
 msgstr "VRF topology example"
 
@@ -18446,7 +20812,7 @@ msgstr "VRRP (Virtual Router Redundancy Protocol) provides active/backup redunda
 msgid "VRRP can use two modes: preemptive and non-preemptive. In the preemptive mode, if a router with a higher priority fails and then comes back, routers with lower priority will give up their master status. In non-preemptive mode, the newly elected master will keep the master status and the virtual address indefinitely."
 msgstr "VRRP can use two modes: preemptive and non-preemptive. In the preemptive mode, if a router with a higher priority fails and then comes back, routers with lower priority will give up their master status. In non-preemptive mode, the newly elected master will keep the master status and the virtual address indefinitely."
 
-#: ../../configuration/highavailability/index.rst:301
+#: ../../configuration/highavailability/index.rst:305
 msgid "VRRP functionality can be extended with scripts. VyOS supports two kinds of scripts: health check scripts and transition scripts. Health check scripts execute custom checks in addition to the master router reachability. Transition scripts are executed when VRRP state changes from master to backup or fault and vice versa and can be used to enable or disable certain services, for example."
 msgstr "VRRP functionality can be extended with scripts. VyOS supports two kinds of scripts: health check scripts and transition scripts. Health check scripts execute custom checks in addition to the master router reachability. Transition scripts are executed when VRRP state changes from master to backup or fault and vice versa and can be used to enable or disable certain services, for example."
 
@@ -18482,24 +20848,28 @@ msgstr "VXLAN specific options"
 msgid "VXLAN was officially documented by the IETF in :rfc:`7348`."
 msgstr "VXLAN was officially documented by the IETF in :rfc:`7348`."
 
-#: ../../configuration/interfaces/wireless.rst:110
+#: ../../configuration/interfaces/wireless.rst:136
 msgid "Valid values are 0..255."
 msgstr "Valid values are 0..255."
 
-#: ../../configuration/system/syslog.rst:167
+#: ../../configuration/interfaces/wireless.rst:364
+msgid "Valid values are 1..63"
+msgstr "Valid values are 1..63"
+
+#: ../../configuration/system/syslog.rst:185
 msgid "Value"
 msgstr "Value"
 
-#: ../../configuration/service/ipoe-server.rst:203
-#: ../../configuration/service/pppoe-server.rst:165
+#: ../../configuration/service/ipoe-server.rst:202
+#: ../../configuration/service/pppoe-server.rst:178
 #: ../../configuration/vpn/l2tp.rst:208
 #: ../../configuration/vpn/pptp.rst:148
 #: ../../configuration/vpn/sstp.rst:181
 msgid "Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address."
 msgstr "Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address."
 
-#: ../../configuration/service/ipoe-server.rst:198
-#: ../../configuration/service/pppoe-server.rst:160
+#: ../../configuration/service/ipoe-server.rst:197
+#: ../../configuration/service/pppoe-server.rst:172
 #: ../../configuration/vpn/l2tp.rst:203
 #: ../../configuration/vpn/pptp.rst:143
 #: ../../configuration/vpn/sstp.rst:176
@@ -18516,19 +20886,23 @@ msgstr "Verification"
 msgid "Verification:"
 msgstr "Verification:"
 
-#: ../../configuration/nat/nat66.rst:226
+#: ../../configuration/service/config-sync.rst:101
+msgid "Verify configuration changes have been replicated to Router B"
+msgstr "Verify configuration changes have been replicated to Router B"
+
+#: ../../configuration/nat/nat66.rst:238
 msgid "Verify that connections are hitting the rule on both sides:"
 msgstr "Verify that connections are hitting the rule on both sides:"
 
-#: ../../configuration/highavailability/index.rst:291
+#: ../../configuration/highavailability/index.rst:295
 msgid "Version"
 msgstr "Version"
 
-#: ../../configuration/highavailability/index.rst:349
+#: ../../configuration/highavailability/index.rst:353
 msgid "Virtual-server"
 msgstr "Virtual-server"
 
-#: ../../configuration/highavailability/index.rst:408
+#: ../../configuration/highavailability/index.rst:412
 msgid "Virtual-server can be configured with VRRP virtual address or without VRRP."
 msgstr "Virtual-server can be configured with VRRP virtual address or without VRRP."
 
@@ -18536,11 +20910,11 @@ msgstr "Virtual-server can be configured with VRRP virtual address or without VR
 msgid "Virtual Ethernet"
 msgstr "Virtual Ethernet"
 
-#: ../../configuration/highavailability/index.rst:352
+#: ../../configuration/highavailability/index.rst:356
 msgid "Virtual Server allows to Load-balance traffic destination virtual-address:port between several real servers."
 msgstr "Virtual Server allows to Load-balance traffic destination virtual-address:port between several real servers."
 
-#: ../../configuration/container/index.rst:94
+#: ../../configuration/container/index.rst:119
 msgid "Volume is either mounted as rw (read-write - default) or ro (read-only)"
 msgstr "Volume is either mounted as rw (read-write - default) or ro (read-only)"
 
@@ -18552,11 +20926,15 @@ msgstr "VyOS 1.1 supported login as user ``root``. This has been removed due to
 msgid "VyOS 1.3 (equuleus) supports DHCPv6-PD (:rfc:`3633`). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks."
 msgstr "VyOS 1.3 (equuleus) supports DHCPv6-PD (:rfc:`3633`). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks."
 
-#: ../../configuration/vrf/index.rst:103
+#: ../../configuration/vrf/index.rst:99
 msgid "VyOS 1.4 (sagitta) introduced dynamic routing support for VRFs."
 msgstr "VyOS 1.4 (sagitta) introduced dynamic routing support for VRFs."
 
 #: ../../configuration/pki/index.rst:11
+msgid "VyOS 1.4 changed the way in how encryption keys or certificates are stored on the system. In the pre VyOS 1.4 era, certificates got stored under /config and every service referenced a file. That made copying a running configuration from system A to system B a bit harder, as you had to copy the files and their permissions by hand."
+msgstr "VyOS 1.4 changed the way in how encryption keys or certificates are stored on the system. In the pre VyOS 1.4 era, certificates got stored under /config and every service referenced a file. That made copying a running configuration from system A to system B a bit harder, as you had to copy the files and their permissions by hand."
+
+#: ../../configuration/pki/index.rst:11
 msgid "VyOS 1.4 changed the way in how encrytion keys or certificates are stored on the system. In the pre VyOS 1.4 era, certificates got stored under /config and every service referenced a file. That made copying a running configuration from system A to system B a bit harder, as you had to copy the files and their permissions by hand."
 msgstr "VyOS 1.4 changed the way in how encrytion keys or certificates are stored on the system. In the pre VyOS 1.4 era, certificates got stored under /config and every service referenced a file. That made copying a running configuration from system A to system B a bit harder, as you had to copy the files and their permissions by hand."
 
@@ -18568,7 +20946,7 @@ msgstr "VyOS 1.4 uses chrony instead of ntpd (see :vytask:`T3008`) which will no
 msgid "VyOS Arista EOS setup"
 msgstr "VyOS Arista EOS setup"
 
-#: ../../configuration/vpn/ipsec.rst:123
+#: ../../configuration/vpn/ipsec.rst:124
 msgid "VyOS ESP group has the next options:"
 msgstr "VyOS ESP group has the next options:"
 
@@ -18576,7 +20954,7 @@ msgstr "VyOS ESP group has the next options:"
 msgid "VyOS Field"
 msgstr "VyOS Field"
 
-#: ../../configuration/vpn/ipsec.rst:45
+#: ../../configuration/vpn/ipsec.rst:46
 msgid "VyOS IKE group has the next options:"
 msgstr "VyOS IKE group has the next options:"
 
@@ -18592,7 +20970,7 @@ msgstr "VyOS NAT66 DHCPv6 using a dummy interface"
 msgid "VyOS NAT66 Simple Configure"
 msgstr "VyOS NAT66 Simple Configure"
 
-#: ../../configuration/trafficpolicy/index.rst:624
+#: ../../configuration/trafficpolicy/index.rst:674
 msgid "VyOS Network Emulator policy emulates the conditions you can suffer in a real network. You will be able to configure things like rate, burst, delay, packet loss, packet corruption or packet reordering."
 msgstr "VyOS Network Emulator policy emulates the conditions you can suffer in a real network. You will be able to configure things like rate, burst, delay, packet loss, packet corruption or packet reordering."
 
@@ -18616,7 +20994,7 @@ msgstr "VyOS also comes with a build in SSTP server, see :ref:`sstp`."
 msgid "VyOS also provides DHCPv6 server functionality which is described in this section."
 msgstr "VyOS also provides DHCPv6 server functionality which is described in this section."
 
-#: ../../configuration/vpn/ipsec.rst:474
+#: ../../configuration/vpn/ipsec.rst:494
 msgid "VyOS also supports (currently) two different modes of authentication, local and RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the following commands."
 msgstr "VyOS also supports (currently) two different modes of authentication, local and RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the following commands."
 
@@ -18636,6 +21014,10 @@ msgstr "VyOS can be configured to track connections using the connection trackin
 msgid "VyOS can not only act as an OpenVPN site-to-site or server for multiple clients. You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client connecting to a VyOS OpenVPN server or any other OpenVPN server."
 msgstr "VyOS can not only act as an OpenVPN site-to-site or server for multiple clients. You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client connecting to a VyOS OpenVPN server or any other OpenVPN server."
 
+#: ../../configuration/interfaces/openvpn.rst:577
+msgid "VyOS can not only act as an OpenVPN site-to-site or server for multiple clients but you can also configure any VyOS OpenVPN interface as an OpenVPN client that connects to a VyOS OpenVPN server or any other OpenVPN server."
+msgstr "VyOS can not only act as an OpenVPN site-to-site or server for multiple clients but you can also configure any VyOS OpenVPN interface as an OpenVPN client that connects to a VyOS OpenVPN server or any other OpenVPN server."
+
 #: ../../configuration/interfaces/ethernet.rst:34
 #: ../../configuration/interfaces/ethernet.rst:53
 msgid "VyOS default will be `auto`."
@@ -18677,7 +21059,7 @@ msgstr "VyOS is also able to use any service relying on protocols supported by d
 msgid "VyOS itself supports SNMPv2_ (version 2) and SNMPv3_ (version 3) where the later is recommended because of improved security (optional authentication and encryption)."
 msgstr "VyOS itself supports SNMPv2_ (version 2) and SNMPv3_ (version 3) where the later is recommended because of improved security (optional authentication and encryption)."
 
-#: ../../configuration/trafficpolicy/index.rst:337
+#: ../../configuration/trafficpolicy/index.rst:387
 msgid "VyOS lets you control traffic in many different ways, here we will cover every possibility. You can configure as many policies as you want, but you will only be able to apply one policy per interface and direction (inbound or outbound)."
 msgstr "VyOS lets you control traffic in many different ways, here we will cover every possibility. You can configure as many policies as you want, but you will only be able to apply one policy per interface and direction (inbound or outbound)."
 
@@ -18733,7 +21115,7 @@ msgstr "VyOS provides policies commands exclusively for BGP traffic filtering an
 msgid "VyOS provides policies commands exclusively for BGP traffic filtering and manipulation: **large-community-list** is one of them."
 msgstr "VyOS provides policies commands exclusively for BGP traffic filtering and manipulation: **large-community-list** is one of them."
 
-#: ../../configuration/interfaces/openvpn.rst:703
+#: ../../configuration/interfaces/openvpn.rst:844
 msgid "VyOS provides some operational commands on OpenVPN."
 msgstr "VyOS provides some operational commands on OpenVPN."
 
@@ -18765,10 +21147,18 @@ msgstr "VyOS supports both MLD version 1 and version 2 (which allows source-spec
 msgid "VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector."
 msgstr "VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector."
 
+#: ../../configuration/interfaces/openvpn.rst:718
+msgid "VyOS supports multi-factor authentication (MFA) or two-factor authentication using Time-based One-Time Password (TOTP). Compatible with Google Authenticator software token, other software tokens."
+msgstr "VyOS supports multi-factor authentication (MFA) or two-factor authentication using Time-based One-Time Password (TOTP). Compatible with Google Authenticator software token, other software tokens."
+
 #: ../../configuration/vpn/ipsec.rst:452
 msgid "VyOS supports multiple IKEv2 remote-access connections. Every connection can have its dedicated IKE/ESP ciphers, certificates or local listen address for e.g. inbound load balancing."
 msgstr "VyOS supports multiple IKEv2 remote-access connections. Every connection can have its dedicated IKE/ESP ciphers, certificates or local listen address for e.g. inbound load balancing."
 
+#: ../../configuration/vpn/ipsec.rst:472
+msgid "VyOS supports multiple IKEv2 remote-access connections. Every connection can have its own dedicated IKE/ESP ciphers, certificates or local listen address for e.g. inbound load balancing."
+msgstr "VyOS supports multiple IKEv2 remote-access connections. Every connection can have its own dedicated IKE/ESP ciphers, certificates or local listen address for e.g. inbound load balancing."
+
 #: ../../configuration/system/updates.rst:5
 msgid "VyOS supports online checking for updates"
 msgstr "VyOS supports online checking for updates"
@@ -18777,7 +21167,7 @@ msgstr "VyOS supports online checking for updates"
 msgid "VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector."
 msgstr "VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector."
 
-#: ../../configuration/system/conntrack.rst:67
+#: ../../configuration/firewall/global-options.rst:154
 msgid "VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP connections, UDP connections, or for TCP connections in a number of different states."
 msgstr "VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP connections, UDP connections, or for TCP connections in a number of different states."
 
@@ -18837,28 +21227,32 @@ msgstr "WAN load balancing"
 msgid "WLAN/WIFI - Wireless LAN"
 msgstr "WLAN/WIFI - Wireless LAN"
 
-#: ../../configuration/interfaces/wireless.rst:145
+#: ../../configuration/interfaces/wireless.rst:175
 msgid "WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]"
 msgstr "WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]"
 
-#: ../../configuration/interfaces/wireless.rst:351
-#: ../../configuration/interfaces/wireless.rst:551
+#: ../../configuration/interfaces/wireless.rst:462
+#: ../../configuration/interfaces/wireless.rst:675
 msgid "WPA passphrase ``12345678``"
 msgstr "WPA passphrase ``12345678``"
 
+#: ../../configuration/interfaces/wireless.rst:730
+msgid "WPA passphrase ``super-dooper-secure-passphrase``"
+msgstr "WPA passphrase ``super-dooper-secure-passphrase``"
+
 #: ../../configuration/interfaces/wwan.rst:7
 msgid "WWAN - Wireless Wide-Area-Network"
 msgstr "WWAN - Wireless Wide-Area-Network"
 
-#: ../../configuration/system/syslog.rst:183
+#: ../../configuration/system/syslog.rst:201
 msgid "Warning"
 msgstr "Warning"
 
-#: ../../configuration/system/syslog.rst:183
+#: ../../configuration/system/syslog.rst:201
 msgid "Warning conditions"
 msgstr "Warning conditions"
 
-#: ../../configuration/interfaces/openvpn.rst:54
+#: ../../configuration/interfaces/openvpn.rst:55
 msgid "We'll configure OpenVPN using self-signed certificates, and then discuss the legacy pre-shared key mode."
 msgstr "We'll configure OpenVPN using self-signed certificates, and then discuss the legacy pre-shared key mode."
 
@@ -18866,7 +21260,7 @@ msgstr "We'll configure OpenVPN using self-signed certificates, and then discuss
 msgid "We'll use the IKE and ESP groups created above for this VPN. Because we need access to 2 different subnets on the far side, we will need two different tunnels. If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too."
 msgstr "We'll use the IKE and ESP groups created above for this VPN. Because we need access to 2 different subnets on the far side, we will need two different tunnels. If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too."
 
-#: ../../configuration/vpn/ipsec.rst:236
+#: ../../configuration/vpn/ipsec.rst:256
 msgid "We assume that the LEFT router has static 192.0.2.10 address on eth0, and the RIGHT router has a dynamic address on eth0."
 msgstr "We assume that the LEFT router has static 192.0.2.10 address on eth0, and the RIGHT router has a dynamic address on eth0."
 
@@ -18878,11 +21272,15 @@ msgstr "We can't support all displays from the beginning. If your display type i
 msgid "We can also create the certificates using Cerbort which is an easy-to-use client that fetches a certificate from Let's Encrypt an open certificate authority launched by the EFF, Mozilla, and others and deploys it to a web server."
 msgstr "We can also create the certificates using Cerbort which is an easy-to-use client that fetches a certificate from Let's Encrypt an open certificate authority launched by the EFF, Mozilla, and others and deploys it to a web server."
 
+#: ../../configuration/vpn/openconnect.rst:35
+msgid "We can also create the certificates using Certbot which is an easy-to-use client that fetches a certificate from Let's Encrypt an open certificate authority launched by the EFF, Mozilla, and others and deploys it to a web server."
+msgstr "We can also create the certificates using Certbot which is an easy-to-use client that fetches a certificate from Let's Encrypt an open certificate authority launched by the EFF, Mozilla, and others and deploys it to a web server."
+
 #: ../../configuration/protocols/rpki.rst:168
 msgid "We can build route-maps for import based on these states. Here is a simple RPKI configuration, where `routinator` is the RPKI-validating \"cache\" server with ip `192.0.2.1`:"
 msgstr "We can build route-maps for import based on these states. Here is a simple RPKI configuration, where `routinator` is the RPKI-validating \"cache\" server with ip `192.0.2.1`:"
 
-#: ../../configuration/vpn/ipsec.rst:456
+#: ../../configuration/vpn/ipsec.rst:476
 msgid "We configure a new connection named ``rw`` for road-warrior, that identifies itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously specified IKE/ESP groups and also link the IP address pool to draw addresses from."
 msgstr "We configure a new connection named ``rw`` for road-warrior, that identifies itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously specified IKE/ESP groups and also link the IP address pool to draw addresses from."
 
@@ -18890,7 +21288,7 @@ msgstr "We configure a new connection named ``rw`` for road-warrior, that identi
 msgid "We could expand on this and also deny link local and multicast in the rule 20 action deny."
 msgstr "We could expand on this and also deny link local and multicast in the rule 20 action deny."
 
-#: ../../configuration/interfaces/openvpn.rst:633
+#: ../../configuration/interfaces/openvpn.rst:641
 msgid "We do not have CLI nodes for every single OpenVPN option. If an option is missing, a feature request should be opened at Phabricator_ so all users can benefit from it (see :ref:`issues_features`)."
 msgstr "We do not have CLI nodes for every single OpenVPN option. If an option is missing, a feature request should be opened at Phabricator_ so all users can benefit from it (see :ref:`issues_features`)."
 
@@ -18898,7 +21296,7 @@ msgstr "We do not have CLI nodes for every single OpenVPN option. If an option i
 msgid "We don't recomend to use arguments. Using environments is more preffereble."
 msgstr "We don't recomend to use arguments. Using environments is more preffereble."
 
-#: ../../configuration/vpn/ipsec.rst:506
+#: ../../configuration/vpn/ipsec.rst:526
 msgid "We generate a connection profile used by Windows clients that will connect to the \"rw\" connection on our VyOS server on the VPN servers IP address/fqdn `vpn.vyos.net`."
 msgstr "We generate a connection profile used by Windows clients that will connect to the \"rw\" connection on our VyOS server on the VPN servers IP address/fqdn `vpn.vyos.net`."
 
@@ -18910,7 +21308,7 @@ msgstr "We listen on port 51820"
 msgid "We need to generate the certificate which authenticates users who attempt to access the network resource through the SSL VPN tunnels. The following commands will create a self signed certificates and will be stored in configuration:"
 msgstr "We need to generate the certificate which authenticates users who attempt to access the network resource through the SSL VPN tunnels. The following commands will create a self signed certificates and will be stored in configuration:"
 
-#: ../../configuration/system/option.rst:115
+#: ../../configuration/system/option.rst:135
 msgid "We now utilize `tuned` for dynamic resource balancing based on profiles."
 msgstr "We now utilize `tuned` for dynamic resource balancing based on profiles."
 
@@ -18926,10 +21324,14 @@ msgstr "We only need a single step for this interface:"
 msgid "We route all traffic for the 192.168.2.0/24 network to interface `wg01`"
 msgstr "We route all traffic for the 192.168.2.0/24 network to interface `wg01`"
 
-#: ../../configuration/system/login.rst:424
+#: ../../configuration/system/login.rst:430
 msgid "We use a vontainer providing the TACACS serve rin this example."
 msgstr "We use a vontainer providing the TACACS serve rin this example."
 
+#: ../../configuration/firewall/flowtables.rst:115
+msgid "We will only accept traffic coming from interface eth0, protocol tcp and destination port 1122. All other traffic trespassing the router should be blocked."
+msgstr "We will only accept traffic coming from interface eth0, protocol tcp and destination port 1122. All other traffic trespassing the router should be blocked."
+
 #: ../../configuration/firewall/flowtables.rst:114
 msgid "We will only accept traffic comming from interface eth0, protocol tcp and destination port 1122. All other traffic traspassing the router should be blocked."
 msgstr "We will only accept traffic comming from interface eth0, protocol tcp and destination port 1122. All other traffic traspassing the router should be blocked."
@@ -18958,7 +21360,7 @@ msgstr "When LDP is working, you will be able to see label information in the ou
 msgid "When PIM receives a register packet the source of the packet will be compared to the prefix-list specified, and if a permit is received normal processing continues. If a deny is returned for the source address of the register packet a register stop message is sent to the source."
 msgstr "When PIM receives a register packet the source of the packet will be compared to the prefix-list specified, and if a permit is received normal processing continues. If a deny is returned for the source address of the register packet a register stop message is sent to the source."
 
-#: ../../configuration/vrf/index.rst:92
+#: ../../configuration/vrf/index.rst:88
 msgid "When VRFs are used it is not only mandatory to create a VRF but also the VRF itself needs to be assigned to an interface."
 msgstr "When VRFs are used it is not only mandatory to create a VRF but also the VRF itself needs to be assigned to an interface."
 
@@ -18982,7 +21384,7 @@ msgstr "When a failover occurs in active-backup mode, bonding will issue one or
 msgid "When a link is reconnected or a new slave joins the bond the receive traffic is redistributed among all active slaves in the bond by initiating ARP Replies with the selected MAC address to each of the clients. The updelay parameter (detailed below) must be set to a value equal or greater than the switch's forwarding delay so that the ARP Replies sent to the peers will not be blocked by the switch."
 msgstr "When a link is reconnected or a new slave joins the bond the receive traffic is redistributed among all active slaves in the bond by initiating ARP Replies with the selected MAC address to each of the clients. The updelay parameter (detailed below) must be set to a value equal or greater than the switch's forwarding delay so that the ARP Replies sent to the peers will not be blocked by the switch."
 
-#: ../../configuration/trafficpolicy/index.rst:361
+#: ../../configuration/trafficpolicy/index.rst:411
 msgid "When a packet is to be sent, it will have to go through that queue, so the packet will be placed at the tail of it. When the packet completely goes through it, it will be dequeued emptying its place in the queue and being eventually handed to the NIC to be actually sent out."
 msgstr "When a packet is to be sent, it will have to go through that queue, so the packet will be placed at the tail of it. When the packet completely goes through it, it will be dequeued emptying its place in the queue and being eventually handed to the NIC to be actually sent out."
 
@@ -18998,15 +21400,19 @@ msgstr "When a route fails, a routing update is sent to withdraw the route from
 msgid "When adding IPv6 routing information exchange feature to BGP. There were some proposals. :abbr:`IETF (Internet Engineering Task Force)` :abbr:`IDR (Inter Domain Routing)` adopted a proposal called Multiprotocol Extension for BGP. The specification is described in :rfc:`2283`. The protocol does not define new protocols. It defines new attributes to existing BGP. When it is used exchanging IPv6 routing information it is called BGP-4+. When it is used for exchanging multicast routing information it is called MBGP."
 msgstr "When adding IPv6 routing information exchange feature to BGP. There were some proposals. :abbr:`IETF (Internet Engineering Task Force)` :abbr:`IDR (Inter Domain Routing)` adopted a proposal called Multiprotocol Extension for BGP. The specification is described in :rfc:`2283`. The protocol does not define new protocols. It defines new attributes to existing BGP. When it is used exchanging IPv6 routing information it is called BGP-4+. When it is used for exchanging multicast routing information it is called MBGP."
 
+#: ../../_include/interface-evpn-uplink.txt:3
+msgid "When all the underlay links go down the PE no longer has access to the VxLAN +overlay. To prevent blackholing of traffic the server/ES links are protodowned on the PE."
+msgstr "When all the underlay links go down the PE no longer has access to the VxLAN +overlay. To prevent blackholing of traffic the server/ES links are protodowned on the PE."
+
 #: ../../configuration/service/dns.rst:155
 msgid "When an authoritative server does not answer a query or sends a reply the recursor does not like, it is throttled. Any servers matching the supplied netmasks will never be throttled."
 msgstr "When an authoritative server does not answer a query or sends a reply the recursor does not like, it is throttled. Any servers matching the supplied netmasks will never be throttled."
 
-#: ../../configuration/service/pppoe-server.rst:238
+#: ../../configuration/service/pppoe-server.rst:257
 msgid "When configured, PPPoE will create the necessary VLANs when required. Once the user session has been cancelled and the VLAN is not needed anymore, VyOS will remove it again."
 msgstr "When configured, PPPoE will create the necessary VLANs when required. Once the user session has been cancelled and the VLAN is not needed anymore, VyOS will remove it again."
 
-#: ../../configuration/trafficpolicy/index.rst:828
+#: ../../configuration/trafficpolicy/index.rst:878
 msgid "When configuring a Random-Detect policy: **the higher the precedence number, the higher the priority**."
 msgstr "When configuring a Random-Detect policy: **the higher the precedence number, the higher the priority**."
 
@@ -19019,16 +21425,22 @@ msgid "When configuring your traffic policy, you will have to set data rate valu
 msgstr "When configuring your traffic policy, you will have to set data rate values, watch out the units you are managing, it is easy to get confused with the different prefixes and suffixes you can use. VyOS will always show you the different units you can use."
 
 #: ../../configuration/firewall/bridge.rst:210
-#: ../../configuration/firewall/ipv4.rst:290
-#: ../../configuration/firewall/ipv6.rst:290
+#: ../../configuration/firewall/ipv4.rst:314
+#: ../../configuration/firewall/ipv6.rst:314
 msgid "When defining a rule, it is enable by default. In some cases, it is useful to just disable the rule, rather than removing it."
 msgstr "When defining a rule, it is enable by default. In some cases, it is useful to just disable the rule, rather than removing it."
 
+#: ../../configuration/firewall/bridge.rst:312
+#: ../../configuration/firewall/ipv4.rst:315
+#: ../../configuration/firewall/ipv6.rst:315
+msgid "When defining a rule, it is enabled by default. In some cases, it is useful to just disable the rule, rather than removing it."
+msgstr "When defining a rule, it is enabled by default. In some cases, it is useful to just disable the rule, rather than removing it."
+
 #: ../../configuration/nat/nat44.rst:311
 msgid "When defining the translated address, called ``backends``, a ``weight`` must be configured. This lets the user define load balance distribution according to their needs. Them sum of all the weights defined for the backends should be equal to 100. In oder words, the weight defined for the backend is the percentage of the connections that will receive such backend."
 msgstr "When defining the translated address, called ``backends``, a ``weight`` must be configured. This lets the user define load balance distribution according to their needs. Them sum of all the weights defined for the backends should be equal to 100. In oder words, the weight defined for the backend is the percentage of the connections that will receive such backend."
 
-#: ../../configuration/trafficpolicy/index.rst:420
+#: ../../configuration/trafficpolicy/index.rst:470
 msgid "When dequeuing, each hash-bucket with data is queried in a round robin fashion. You can configure the length of the queue."
 msgstr "When dequeuing, each hash-bucket with data is queried in a round robin fashion. You can configure the length of the queue."
 
@@ -19036,14 +21448,18 @@ msgstr "When dequeuing, each hash-bucket with data is queried in a round robin f
 msgid "When designing your NAT ruleset leave some space between consecutive rules for later extension. Your ruleset could start with numbers 10, 20, 30. You thus can later extend the ruleset and place new rules between existing ones."
 msgstr "When designing your NAT ruleset leave some space between consecutive rules for later extension. Your ruleset could start with numbers 10, 20, 30. You thus can later extend the ruleset and place new rules between existing ones."
 
-#: ../../configuration/vrf/index.rst:207
+#: ../../configuration/vrf/index.rst:203
 msgid "When doing fault isolation with ping, you should first run it on the local host, to verify that the local network interface is up and running. Then, continue with hosts and gateways further down the road towards your destination. Round-trip time and packet loss statistics are computed."
 msgstr "When doing fault isolation with ping, you should first run it on the local host, to verify that the local network interface is up and running. Then, continue with hosts and gateways further down the road towards your destination. Round-trip time and packet loss statistics are computed."
 
-#: ../../configuration/vpn/ipsec.rst:529
+#: ../../configuration/vpn/ipsec.rst:549
 msgid "When first connecting to the new VPN the user is prompted to enter proper credentials."
 msgstr "When first connecting to the new VPN the user is prompted to enter proper credentials."
 
+#: ../../configuration/nat/cgnat.rst:54
+msgid "When implementing CGNAT, ensuring that there are enough ports allocated per subscriber is critical. Below is a summary based on RFC 6888."
+msgstr "When implementing CGNAT, ensuring that there are enough ports allocated per subscriber is critical. Below is a summary based on RFC 6888."
+
 #: ../../configuration/pki/index.rst:178
 #: ../../configuration/pki/index.rst:221
 msgid "When loading the certificate you need to manually strip the ``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` tags. Also, the certificate/key needs to be presented in a single line without line breaks (``\\n``), this can be done using the following shell command:"
@@ -19059,10 +21475,14 @@ msgid "When mathcing all patterns defined in a rule, then different actions can
 msgstr "When mathcing all patterns defined in a rule, then different actions can be made. This includes droping the packet, modifying certain data, or setting a different routing table."
 
 #: ../../_include/interface-dhcpv6-options.txt:17
+msgid "When no-release is specified, dhcp6c will avoid sending a release message on client exit in order to prevent losing an assigned address or prefix."
+msgstr "When no-release is specified, dhcp6c will avoid sending a release message on client exit in order to prevent losing an assigned address or prefix."
+
+#: ../../_include/interface-dhcpv6-options.txt:17
 msgid "When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix."
 msgstr "When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix."
 
-#: ../../configuration/system/syslog.rst:233
+#: ../../configuration/system/syslog.rst:251
 msgid "When no options/parameters are used, the contents of the main syslog file are displayed."
 msgstr "When no options/parameters are used, the contents of the main syslog file are displayed."
 
@@ -19078,7 +21498,7 @@ msgstr "When rapid-commit is specified, dhcp6c will include a rapid-commit optio
 msgid "When remote peer does not have capability negotiation feature, remote peer will not send any capabilities at all. In that case, bgp configures the peer with configured capabilities."
 msgstr "When remote peer does not have capability negotiation feature, remote peer will not send any capabilities at all. In that case, bgp configures the peer with configured capabilities."
 
-#: ../../configuration/trafficpolicy/index.rst:479
+#: ../../configuration/trafficpolicy/index.rst:529
 msgid "When running it at 1Gbit and lower, you may want to reduce the `queue-limit` to 1000 packets or less. In rates like 10Mbit, you may want to set it to 600 packets."
 msgstr "When running it at 1Gbit and lower, you may want to reduce the `queue-limit` to 1000 packets or less. In rates like 10Mbit, you may want to set it to 600 packets."
 
@@ -19094,6 +21514,10 @@ msgstr "When set the interface is enabled for \"dial-on-demand\"."
 msgid "When specified, this should be the only keyword for the interface."
 msgstr "When specified, this should be the only keyword for the interface."
 
+#: ../../configuration/system/option.rst:110
+msgid "When starting a VyOS live system (the installation CD) the configured keyboard layout defaults to US. As this might not suite everyone's use case you can adjust the used keyboard layout on the system console."
+msgstr "When starting a VyOS live system (the installation CD) the configured keyboard layout defaults to US. As this might not suite everyone's use case you can adjust the used keyboard layout on the system console."
+
 #: ../../configuration/system/option.rst:90
 msgid "When starting a VyOS live system (the installation CD) the configured keyboard layout defaults to US. As this might not suite everyones use case you can adjust the used keyboard layout on the system console."
 msgstr "When starting a VyOS live system (the installation CD) the configured keyboard layout defaults to US. As this might not suite everyones use case you can adjust the used keyboard layout on the system console."
@@ -19115,15 +21539,19 @@ msgstr "When the command above is set, VyOS will answer every ICMP echo request
 msgid "When the command above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them."
 msgstr "When the command above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them."
 
-#: ../../configuration/highavailability/index.rst:321
+#: ../../configuration/highavailability/index.rst:325
 msgid "When the vrrp group is a member of the sync group will use only the sync group health check script. This example shows how to configure it for the sync group:"
 msgstr "When the vrrp group is a member of the sync group will use only the sync group health check script. This example shows how to configure it for the sync group:"
 
+#: ../../configuration/service/ntp.rst:137
+msgid "When timestamping is enabled on an interface, chrony's default behavior is to try to configure the interface to only timestamp NTP packets. If this mode is not supported, chrony will attempt to set it to timestamp all packets. If neither option is supported (e.g. the NIC can only timestamp received PTP packets), chrony will leverage timestamping on transmitted packets only, which still provides some benefit."
+msgstr "When timestamping is enabled on an interface, chrony's default behavior is to try to configure the interface to only timestamp NTP packets. If this mode is not supported, chrony will attempt to set it to timestamp all packets. If neither option is supported (e.g. the NIC can only timestamp received PTP packets), chrony will leverage timestamping on transmitted packets only, which still provides some benefit."
+
 #: ../../_include/interface-address-with-dhcp.txt:14
 msgid "When using DHCP to retrieve IPv4 address and if local customizations are needed, they should be possible using the enter and exit hooks provided. The hook dirs are:"
 msgstr "When using DHCP to retrieve IPv4 address and if local customizations are needed, they should be possible using the enter and exit hooks provided. The hook dirs are:"
 
-#: ../../configuration/interfaces/bonding.rst:505
+#: ../../configuration/interfaces/bonding.rst:558
 msgid "When using EVE-NG to lab this environment ensure you are using e1000 as the desired driver for your VyOS network interfaces. When using the regular virtio network driver no LACP PDUs will be sent by VyOS thus the port-channel will never become active!"
 msgstr "When using EVE-NG to lab this environment ensure you are using e1000 as the desired driver for your VyOS network interfaces. When using the regular virtio network driver no LACP PDUs will be sent by VyOS thus the port-channel will never become active!"
 
@@ -19155,7 +21583,7 @@ msgstr "When using site-to-site IPsec with VTI interfaces, be sure to disable ro
 msgid "When using the IPv6 protocol, MRU must be at least 1280 bytes."
 msgstr "When using the IPv6 protocol, MRU must be at least 1280 bytes."
 
-#: ../../configuration/interfaces/bonding.rst:398
+#: ../../configuration/interfaces/bonding.rst:451
 msgid "When utilizing VyOS in an environment with Arista gear you can use this blue print as an initial setup to get an LACP bond / port-channel operational between those two devices."
 msgstr "When utilizing VyOS in an environment with Arista gear you can use this blue print as an initial setup to get an LACP bond / port-channel operational between those two devices."
 
@@ -19167,10 +21595,18 @@ msgstr "Where, main key words and configuration paths that needs to be understoo
 msgid "Where both routes were received from eBGP peers, then prefer the route which is already selected. Note that this check is not applied if :cfgcmd:`bgp bestpath compare-routerid` is configured. This check can prevent some cases of oscillation."
 msgstr "Where both routes were received from eBGP peers, then prefer the route which is already selected. Note that this check is not applied if :cfgcmd:`bgp bestpath compare-routerid` is configured. This check can prevent some cases of oscillation."
 
+#: ../../configuration/firewall/ipv4.rst:43
+msgid "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlighted with red color."
+msgstr "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlighted with red color."
+
 #: ../../configuration/firewall/ipv4.rst:42
 msgid "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlightened with red color."
 msgstr "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlightened with red color."
 
+#: ../../configuration/firewall/ipv6.rst:43
+msgid "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlighted with red color."
+msgstr "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlighted with red color."
+
 #: ../../configuration/firewall/ipv6.rst:42
 msgid "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlightened with red color."
 msgstr "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlightened with red color."
@@ -19199,6 +21635,10 @@ msgstr "Which would generate the following NAT destination configuration:"
 msgid "While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need to add a mix of addresses and networks, the network group is recommended."
 msgstr "While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need to add a mix of addresses and networks, the network group is recommended."
 
+#: ../../configuration/firewall/groups.rst:43
+msgid "While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need to add a mix of addresses and networks, then a network group is recommended."
+msgstr "While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need to add a mix of addresses and networks, then a network group is recommended."
+
 #: ../../configuration/interfaces/openvpn.rst:43
 msgid "While many are aware of OpenVPN as a Client VPN solution, it is often overlooked as a site-to-site VPN solution due to lack of support for this mode in many router platforms."
 msgstr "While many are aware of OpenVPN as a Client VPN solution, it is often overlooked as a site-to-site VPN solution due to lack of support for this mode in many router platforms."
@@ -19207,19 +21647,31 @@ msgstr "While many are aware of OpenVPN as a Client VPN solution, it is often ov
 msgid "While normal GRE is for layer 3, GRETAP is for layer 2. GRETAP can encapsulate Ethernet frames, thus it can be bridged with other interfaces to create datalink layer segments that span multiple remote sites."
 msgstr "While normal GRE is for layer 3, GRETAP is for layer 2. GRETAP can encapsulate Ethernet frames, thus it can be bridged with other interfaces to create datalink layer segments that span multiple remote sites."
 
-#: ../../configuration/service/ssh.rst:125
+#: ../../configuration/service/ssh.rst:145
 msgid "Whitelist of addresses and networks. Always allow inbound connections from these systems."
 msgstr "Whitelist of addresses and networks. Always allow inbound connections from these systems."
 
+#: ../../configuration/interfaces/wireless.rst:724
+msgid "WiFi-6(e) - 802.11ax"
+msgstr "WiFi-6(e) - 802.11ax"
+
+#: ../../configuration/interfaces/openvpn.rst:650
+msgid "Will add ``persist-key`` to the generated OpenVPN configuration. Please use this only as last resort - things might break and OpenVPN won't start if you pass invalid options/syntax."
+msgstr "Will add ``persist-key`` to the generated OpenVPN configuration. Please use this only as last resort - things might break and OpenVPN won't start if you pass invalid options/syntax."
+
 #: ../../configuration/interfaces/openvpn.rst:642
 msgid "Will add ``persistent-key`` at the end of the generated OpenVPN configuration. Please use this only as last resort - things might break and OpenVPN won't start if you pass invalid options/syntax."
 msgstr "Will add ``persistent-key`` at the end of the generated OpenVPN configuration. Please use this only as last resort - things might break and OpenVPN won't start if you pass invalid options/syntax."
 
-#: ../../configuration/interfaces/openvpn.rst:649
+#: ../../configuration/interfaces/openvpn.rst:657
 msgid "Will add ``push \"keepalive 1 10\"`` to the generated OpenVPN config file."
 msgstr "Will add ``push \"keepalive 1 10\"`` to the generated OpenVPN config file."
 
-#: ../../configuration/system/flow-accounting.rst:56
+#: ../../configuration/interfaces/openvpn.rst:662
+msgid "Will add ``route-up \"/config/auth/tun_up.sh arg1\"`` to the generated OpenVPN config file. The path and arguments need to be single- or double-quoted."
+msgstr "Will add ``route-up \"/config/auth/tun_up.sh arg1\"`` to the generated OpenVPN config file. The path and arguments need to be single- or double-quoted."
+
+#: ../../configuration/system/flow-accounting.rst:60
 msgid "Will be recorded only packets/flows on **incoming** direction in configured interfaces by default."
 msgstr "Will be recorded only packets/flows on **incoming** direction in configured interfaces by default."
 
@@ -19227,14 +21679,14 @@ msgstr "Will be recorded only packets/flows on **incoming** direction in configu
 msgid "Will drop `<shared-network-name>_` from client DNS record, using only the host declaration name and domain: `<hostname>.<domain-name>`"
 msgstr "Will drop `<shared-network-name>_` from client DNS record, using only the host declaration name and domain: `<hostname>.<domain-name>`"
 
-#: ../../configuration/vpn/ipsec.rst:501
+#: ../../configuration/vpn/ipsec.rst:521
 msgid "Windows 10 does not allow a user to choose the integrity and encryption ciphers using the GUI and it uses some older proposals by default. A user can only change the proposals on the client side by configuring the IPSec connection profile via PowerShell."
 msgstr "Windows 10 does not allow a user to choose the integrity and encryption ciphers using the GUI and it uses some older proposals by default. A user can only change the proposals on the client side by configuring the IPSec connection profile via PowerShell."
 
-#: ../../configuration/service/pppoe-server.rst:579
-#: ../../configuration/vpn/l2tp.rst:514
+#: ../../configuration/service/pppoe-server.rst:604
+#: ../../configuration/vpn/l2tp.rst:519
 #: ../../configuration/vpn/pptp.rst:438
-#: ../../configuration/vpn/sstp.rst:472
+#: ../../configuration/vpn/sstp.rst:477
 msgid "Windows Internet Name Service (WINS) servers propagated to client"
 msgstr "Windows Internet Name Service (WINS) servers propagated to client"
 
@@ -19267,24 +21719,32 @@ msgstr "WireGuard requires the generation of a keypair, which includes a private
 msgid "WirelessModem (WWAN) options"
 msgstr "WirelessModem (WWAN) options"
 
-#: ../../configuration/interfaces/wireless.rst:353
-#: ../../configuration/interfaces/wireless.rst:553
+#: ../../configuration/interfaces/wireless.rst:732
+msgid "Wireless channel ``11`` for 2.4GHz"
+msgstr "Wireless channel ``11`` for 2.4GHz"
+
+#: ../../configuration/interfaces/wireless.rst:464
+#: ../../configuration/interfaces/wireless.rst:677
 msgid "Wireless channel ``1``"
 msgstr "Wireless channel ``1``"
 
-#: ../../configuration/interfaces/wireless.rst:119
+#: ../../configuration/interfaces/wireless.rst:733
+msgid "Wireless channel ``5`` for 6GHz"
+msgstr "Wireless channel ``5`` for 6GHz"
+
+#: ../../configuration/interfaces/wireless.rst:145
 msgid "Wireless device type for this interface"
 msgstr "Wireless device type for this interface"
 
-#: ../../configuration/interfaces/wireless.rst:99
+#: ../../configuration/interfaces/wireless.rst:123
 msgid "Wireless hardware device used as underlay radio."
 msgstr "Wireless hardware device used as underlay radio."
 
-#: ../../configuration/interfaces/wireless.rst:40
+#: ../../configuration/interfaces/wireless.rst:51
 msgid "Wireless options"
 msgstr "Wireless options"
 
-#: ../../configuration/interfaces/wireless.rst:301
+#: ../../configuration/interfaces/wireless.rst:409
 msgid "Wireless options (Station/Client)"
 msgstr "Wireless options (Station/Client)"
 
@@ -19304,11 +21764,23 @@ msgstr "With the ``name-server`` option set to ``none``, VyOS will ignore the na
 msgid "With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general **firewall all-ping** command. This command affects only to LOCAL (packets destined for your VyOS system), not to IN or OUT traffic."
 msgstr "With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general **firewall all-ping** command. This command affects only to LOCAL (packets destined for your VyOS system), not to IN or OUT traffic."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:75
+#: ../../configuration/loadbalancing/haproxy.rst:87
 msgid "With this command, you can specify how the URL path should be matched against incoming requests."
 msgstr "With this command, you can specify how the URL path should be matched against incoming requests."
 
-#: ../../configuration/firewall/index.rst:166
+#: ../../configuration/firewall/groups.rst:342
+msgid "With this configuration, in order to get ssh access to the router, the user needs to:"
+msgstr "With this configuration, in order to get ssh access to the router, the user needs to:"
+
+#: ../../configuration/firewall/groups.rst:342
+msgid "With this configuration, in order to get ssh access to the router, user needs to:"
+msgstr "With this configuration, in order to get ssh access to the router, user needs to:"
+
+#: ../../configuration/firewall/index.rst:213
+msgid "With zone-based firewalls a new concept was implemented, in addition to the standard in and out traffic flows, a local flow was added. This local flow was for traffic originating and destined to the router itself. Which means that additional rules were required to secure the firewall itself from the network, in addition to the existing inbound and outbound rules from the traditional concept above."
+msgstr "With zone-based firewalls a new concept was implemented, in addition to the standard in and out traffic flows, a local flow was added. This local flow was for traffic originating and destined to the router itself. Which means that additional rules were required to secure the firewall itself from the network, in addition to the existing inbound and outbound rules from the traditional concept above."
+
+#: ../../configuration/firewall/index.rst:183
 msgid "With zone-based firewalls a new concept was implemented, in addition to the standard in and out traffic flows, a local flow was added. This local was for traffic originating and destined to the router itself. Which means additional rules were required to secure the firewall itself from the network, in addition to the existing inbound and outbound rules from the traditional concept above."
 msgstr "With zone-based firewalls a new concept was implemented, in addition to the standard in and out traffic flows, a local flow was added. This local was for traffic originating and destined to the router itself. Which means additional rules were required to secure the firewall itself from the network, in addition to the existing inbound and outbound rules from the traditional concept above."
 
@@ -19330,11 +21802,11 @@ msgstr "With zone-based firewalls a new concept was implemented, in addtion to t
 msgid "Y"
 msgstr "Y"
 
-#: ../../configuration/firewall/zone.rst:118
+#: ../../configuration/firewall/zone.rst:115
 msgid "You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair."
 msgstr "You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair."
 
-#: ../../configuration/system/login.rst:369
+#: ../../configuration/system/login.rst:375
 msgid "You are able to set post-login or pre-login banner messages to display certain information for this system."
 msgstr "You are able to set post-login or pre-login banner messages to display certain information for this system."
 
@@ -19382,15 +21854,15 @@ msgstr "You can assign multiple keys to the same user by using a unique identifi
 msgid "You can avoid the \"leaky\" behavior by using a firewall policy that drops \"invalid\" state packets."
 msgstr "You can avoid the \"leaky\" behavior by using a firewall policy that drops \"invalid\" state packets."
 
-#: ../../configuration/interfaces/bonding.rst:318
+#: ../../configuration/interfaces/bonding.rst:371
 msgid "You can check your NIC driver by issuing :opcmd:`show interfaces ethernet eth0 physical | grep -i driver`"
 msgstr "You can check your NIC driver by issuing :opcmd:`show interfaces ethernet eth0 physical | grep -i driver`"
 
-#: ../../configuration/trafficpolicy/index.rst:314
+#: ../../configuration/trafficpolicy/index.rst:364
 msgid "You can configure a policy into a class through the ``queue-type`` setting."
 msgstr "You can configure a policy into a class through the ``queue-type`` setting."
 
-#: ../../configuration/trafficpolicy/index.rst:559
+#: ../../configuration/trafficpolicy/index.rst:609
 msgid "You can configure classes (up to 4090) with different settings and a default policy which will be applied to any traffic not matching any of the configured classes."
 msgstr "You can configure classes (up to 4090) with different settings and a default policy which will be applied to any traffic not matching any of the configured classes."
 
@@ -19402,10 +21874,22 @@ msgstr "You can configure multiple interfaces which whould participate in flow a
 msgid "You can configure multiple interfaces which whould participate in sflow accounting."
 msgstr "You can configure multiple interfaces which whould participate in sflow accounting."
 
+#: ../../configuration/system/flow-accounting.rst:57
+msgid "You can configure multiple interfaces which would participate in flow accounting."
+msgstr "You can configure multiple interfaces which would participate in flow accounting."
+
+#: ../../configuration/system/sflow.rst:32
+msgid "You can configure multiple interfaces which would participate in sflow accounting."
+msgstr "You can configure multiple interfaces which would participate in sflow accounting."
+
 #: ../../_include/interface-vlan-8021q.txt:29
 msgid "You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094."
 msgstr "You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094."
 
+#: ../../configuration/system/conntrack.rst:67
+msgid "You can define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector."
+msgstr "You can define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector."
+
 #: ../../configuration/highavailability/index.rst:72
 msgid "You can disable a VRRP group with ``disable`` option:"
 msgstr "You can disable a VRRP group with ``disable`` option:"
@@ -19422,18 +21906,23 @@ msgstr "You can not assign the same allowed-ips statement to multiple WireGuard
 msgid "You can not run this in a VRRP setup, if multiple mDNS repeaters are launched in a subnet you will experience the mDNS packet storm death!"
 msgstr "You can not run this in a VRRP setup, if multiple mDNS repeaters are launched in a subnet you will experience the mDNS packet storm death!"
 
-#: ../../configuration/vpn/sstp.rst:505
+#: ../../configuration/vpn/sstp.rst:515
 msgid "You can now \"dial\" the peer with the follwoing command: ``sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos``."
 msgstr "You can now \"dial\" the peer with the follwoing command: ``sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos``."
 
-#: ../../configuration/system/login.rst:447
+#: ../../configuration/system/login.rst:453
 msgid "You can now SSH into your system using admin/admin as a default user supplied from the ``lfkeitel/tacacs_plus:latest`` container."
 msgstr "You can now SSH into your system using admin/admin as a default user supplied from the ``lfkeitel/tacacs_plus:latest`` container."
 
-#: ../../configuration/trafficpolicy/index.rst:1226
+#: ../../configuration/trafficpolicy/index.rst:1276
 msgid "You can only apply one policy per interface and direction, but you could reuse a policy on different interfaces and directions:"
 msgstr "You can only apply one policy per interface and direction, but you could reuse a policy on different interfaces and directions:"
 
+#: ../../configuration/firewall/ipv4.rst:507
+#: ../../configuration/firewall/ipv6.rst:494
+msgid "You can only specify a source mac-address to match."
+msgstr "You can only specify a source mac-address to match."
+
 #: ../../configuration/service/broadcast-relay.rst:51
 msgid "You can run the UDP broadcast relay service on multiple routers connected to a subnet. There is **NO** UDP broadcast relay packet storm!"
 msgstr "You can run the UDP broadcast relay service on multiple routers connected to a subnet. There is **NO** UDP broadcast relay packet storm!"
@@ -19462,14 +21951,22 @@ msgstr "You can view that the policy is being correctly (or incorrectly) utilise
 msgid "You cannot easily redistribute IPv6 routes via OSPFv3 on a WireGuard interface link. This requires you to configure link-local addresses manually on the WireGuard interfaces, see :vytask:`T1483`."
 msgstr "You cannot easily redistribute IPv6 routes via OSPFv3 on a WireGuard interface link. This requires you to configure link-local addresses manually on the WireGuard interfaces, see :vytask:`T1483`."
 
-#: ../../configuration/interfaces/openvpn.rst:119
+#: ../../configuration/interfaces/openvpn.rst:120
 msgid "You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint. OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command:"
 msgstr "You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint. OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command:"
 
-#: ../../configuration/system/flow-accounting.rst:135
+#: ../../configuration/system/flow-accounting.rst:139
 msgid "You may also additionally configure timeouts for different types of connections."
 msgstr "You may also additionally configure timeouts for different types of connections."
 
+#: ../../configuration/interfaces/wireless.rst:739
+msgid "You may expect real throughputs around 10MBytes/s or higher in crowded areas."
+msgstr "You may expect real throughputs around 10MBytes/s or higher in crowded areas."
+
+#: ../../configuration/interfaces/wireless.rst:830
+msgid "You may expect real throughputs around 50MBytes/s to 150MBytes/s, depending on obstructions by walls, water, metal or other materials with high electro-magnetic dampening at 6GHz. Best results are achieved with the AP being in the same room and in line-of-sight."
+msgstr "You may expect real throughputs around 50MBytes/s to 150MBytes/s, depending on obstructions by walls, water, metal or other materials with high electro-magnetic dampening at 6GHz. Best results are achieved with the AP being in the same room and in line-of-sight."
+
 #: ../../configuration/protocols/bgp.rst:291
 msgid "You may prefer locally configured capabilities more than the negotiated capabilities even though remote peer sends capabilities. If the peer is configured by :cfgcmd:`override-capability`, VyOS ignores received capabilities then override negotiated capabilities with configured values."
 msgstr "You may prefer locally configured capabilities more than the negotiated capabilities even though remote peer sends capabilities. If the peer is configured by :cfgcmd:`override-capability`, VyOS ignores received capabilities then override negotiated capabilities with configured values."
@@ -19478,7 +21975,7 @@ msgstr "You may prefer locally configured capabilities more than the negotiated
 msgid "You may want to disable sending Capability Negotiation OPEN message optional parameter to the peer when remote peer does not implement Capability Negotiation. Please use :cfgcmd:`disable-capability-negotiation` command to disable the feature."
 msgstr "You may want to disable sending Capability Negotiation OPEN message optional parameter to the peer when remote peer does not implement Capability Negotiation. Please use :cfgcmd:`disable-capability-negotiation` command to disable the feature."
 
-#: ../../configuration/firewall/zone.rst:58
+#: ../../configuration/firewall/zone.rst:55
 msgid "You need 2 separate firewalls to define traffic: one for each direction."
 msgstr "You need 2 separate firewalls to define traffic: one for each direction."
 
@@ -19498,7 +21995,7 @@ msgstr "You now see the longer AS path."
 msgid "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"
 msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"
 
-#: ../../configuration/interfaces/openvpn.rst:227
+#: ../../configuration/interfaces/openvpn.rst:229
 msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
 msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
 
@@ -19514,18 +22011,24 @@ msgstr "You will also need the public key of your peer as well as the network(s)
 msgid "Your ISPs modem is connected to port ``eth0`` of your VyOS box."
 msgstr "Your ISPs modem is connected to port ``eth0`` of your VyOS box."
 
-#: ../../configuration/service/router-advert.rst:110
+#: ../../configuration/service/router-advert.rst:117
 msgid "Your LAN connected on eth0 uses prefix ``2001:db8:beef:2::/64`` with the router beeing ``2001:db8:beef:2::1``"
 msgstr "Your LAN connected on eth0 uses prefix ``2001:db8:beef:2::/64`` with the router beeing ``2001:db8:beef:2::1``"
 
 #: ../../configuration/system/ip.rst:31
 #: ../../configuration/system/ipv6.rst:27
-#: ../../configuration/vrf/index.rst:44
+#: ../../configuration/vrf/index.rst:40
 msgid "Zebra/Kernel route filtering"
 msgstr "Zebra/Kernel route filtering"
 
 #: ../../configuration/system/ip.rst:33
 #: ../../configuration/system/ipv6.rst:29
+#: ../../configuration/vrf/index.rst:42
+msgid "Zebra supports prefix-lists and Route Maps to match routes received from other FRR components. The permit/deny facilities provided by these commands can be used to filter which routes zebra will install in the kernel."
+msgstr "Zebra supports prefix-lists and Route Maps to match routes received from other FRR components. The permit/deny facilities provided by these commands can be used to filter which routes zebra will install in the kernel."
+
+#: ../../configuration/system/ip.rst:33
+#: ../../configuration/system/ipv6.rst:29
 #: ../../configuration/vrf/index.rst:46
 msgid "Zebra supports prefix-lists and Route Mapss to match routes received from other FRR components. The permit/deny facilities provided by these commands can be used to filter which routes zebra will install in the kernel."
 msgstr "Zebra supports prefix-lists and Route Mapss to match routes received from other FRR components. The permit/deny facilities provided by these commands can be used to filter which routes zebra will install in the kernel."
@@ -19534,7 +22037,7 @@ msgstr "Zebra supports prefix-lists and Route Mapss to match routes received fro
 msgid "Zone-Policy Overview"
 msgstr "Zone-Policy Overview"
 
-#: ../../configuration/firewall/index.rst:159
+#: ../../configuration/firewall/index.rst:206
 msgid "Zone-based firewall"
 msgstr "Zone-based firewall"
 
@@ -19558,6 +22061,10 @@ msgstr "(This can be useful when a called service has many and/or often changing
 msgid ":abbr:`AFI (Address family authority identifier)` - ``49`` The AFI value 49 is what IS-IS uses for private addressing."
 msgstr ":abbr:`AFI (Address family authority identifier)` - ``49`` The AFI value 49 is what IS-IS uses for private addressing."
 
+#: ../../configuration/protocols/openfabric.rst:42
+msgid ":abbr:`AFI (Address family authority identifier)` - ``49`` The AFI value 49 is what OpenFabric uses for private addressing."
+msgstr ":abbr:`AFI (Address family authority identifier)` - ``49`` The AFI value 49 is what OpenFabric uses for private addressing."
+
 #: ../../configuration/protocols/static.rst:185
 msgid ":abbr:`ARP (Address Resolution Protocol)` is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by :rfc:`826` which is Internet Standard STD 37."
 msgstr ":abbr:`ARP (Address Resolution Protocol)` is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by :rfc:`826` which is Internet Standard STD 37."
@@ -19570,6 +22077,10 @@ msgstr ":abbr:`BFD (Bidirectional Forwarding Detection)` is described and extend
 msgid ":abbr:`BGP (Border Gateway Protocol)` is one of the Exterior Gateway Protocols and the de facto standard interdomain routing protocol. The latest BGP version is 4. BGP-4 is described in :rfc:`1771` and updated by :rfc:`4271`. :rfc:`2858` adds multiprotocol support to BGP."
 msgstr ":abbr:`BGP (Border Gateway Protocol)` is one of the Exterior Gateway Protocols and the de facto standard interdomain routing protocol. The latest BGP version is 4. BGP-4 is described in :rfc:`1771` and updated by :rfc:`4271`. :rfc:`2858` adds multiprotocol support to BGP."
 
+#: ../../configuration/nat/cgnat.rst:7
+msgid ":abbr:`CGNAT (Carrier-Grade Network Address Translation)` , also known as Large-Scale NAT (LSN), is a type of network address translation used by Internet Service Providers (ISPs) to enable multiple private IP addresses to share a single public IP address. This technique helps to conserve the limited IPv4 address space. The 100.64.0.0/10 address block is reserved for use in carrier-grade NAT"
+msgstr ":abbr:`CGNAT (Carrier-Grade Network Address Translation)` , also known as Large-Scale NAT (LSN), is a type of network address translation used by Internet Service Providers (ISPs) to enable multiple private IP addresses to share a single public IP address. This technique helps to conserve the limited IPv4 address space. The 100.64.0.0/10 address block is reserved for use in carrier-grade NAT"
+
 #: ../../configuration/interfaces/macsec.rst:85
 msgid ":abbr:`CKN (MACsec connectivity association name)` key"
 msgstr ":abbr:`CKN (MACsec connectivity association name)` key"
@@ -19598,11 +22109,11 @@ msgstr ":abbr:`GENEVE (Generic Network Virtualization Encapsulation)` supports a
 msgid ":abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way to protect the traffic inside a tunnel."
 msgstr ":abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way to protect the traffic inside a tunnel."
 
-#: ../../configuration/interfaces/ethernet.rst:90
+#: ../../configuration/interfaces/ethernet.rst:98
 msgid ":abbr:`GRO (Generic receive offload)` is the complement to GSO. Ideally any frame assembled by GRO should be segmented to create an identical sequence of frames using GSO, and any sequence of frames segmented by GSO should be able to be reassembled back to the original by GRO. The only exception to this is IPv4 ID in the case that the DF bit is set for a given IP header. If the value of the IPv4 ID is not sequentially incrementing it will be altered so that it is when a frame assembled via GRO is segmented via GSO."
 msgstr ":abbr:`GRO (Generic receive offload)` is the complement to GSO. Ideally any frame assembled by GRO should be segmented to create an identical sequence of frames using GSO, and any sequence of frames segmented by GSO should be able to be reassembled back to the original by GRO. The only exception to this is IPv4 ID in the case that the DF bit is set for a given IP header. If the value of the IPv4 ID is not sequentially incrementing it will be altered so that it is when a frame assembled via GRO is segmented via GSO."
 
-#: ../../configuration/interfaces/ethernet.rst:80
+#: ../../configuration/interfaces/ethernet.rst:88
 msgid ":abbr:`GSO (Generic Segmentation Offload)` is a pure software offload that is meant to deal with cases where device drivers cannot perform the offloads described above. What occurs in GSO is that a given skbuff will have its data broken out over multiple skbuffs that have been resized to match the MSS provided via skb_shinfo()->gso_size."
 msgstr ":abbr:`GSO (Generic Segmentation Offload)` is a pure software offload that is meant to deal with cases where device drivers cannot perform the offloads described above. What occurs in GSO is that a given skbuff will have its data broken out over multiple skbuffs that have been resized to match the MSS provided via skb_shinfo()->gso_size."
 
@@ -19618,7 +22129,11 @@ msgstr ":abbr:`IPSec (IP Security)` - too many RFCs to list, but start with :rfc
 msgid ":abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway protocol (IGP) which is described in ISO10589, :rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s topology, and from that database to determine the best (that is, lowest cost) path to a destination. The intermediate systems (the name for routers) exchange topology information with their directly conencted neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long. The tree database that is created with IS-IS is similar to the one that is created with OSPF in that the paths chosen should be similar. Comparisons to OSPF are inevitable and often are reasonable ones to make in regards to the way a network will respond with either IGP."
 msgstr ":abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway protocol (IGP) which is described in ISO10589, :rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s topology, and from that database to determine the best (that is, lowest cost) path to a destination. The intermediate systems (the name for routers) exchange topology information with their directly conencted neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long. The tree database that is created with IS-IS is similar to the one that is created with OSPF in that the paths chosen should be similar. Comparisons to OSPF are inevitable and often are reasonable ones to make in regards to the way a network will respond with either IGP."
 
-#: ../../configuration/vrf/index.rst:420
+#: ../../configuration/protocols/isis.rst:9
+msgid ":abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway protocol (IGP) which is described in ISO10589, :rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s topology, and from that database to determine the best (that is, lowest cost) path to a destination. The intermediate systems (the name for routers) exchange topology information with their directly connected neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long. The tree database that is created with IS-IS is similar to the one that is created with OSPF in that the paths chosen should be similar. Comparisons to OSPF are inevitable and often are reasonable ones to make in regards to the way a network will respond with either IGP."
+msgstr ":abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway protocol (IGP) which is described in ISO10589, :rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s topology, and from that database to determine the best (that is, lowest cost) path to a destination. The intermediate systems (the name for routers) exchange topology information with their directly connected neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long. The tree database that is created with IS-IS is similar to the one that is created with OSPF in that the paths chosen should be similar. Comparisons to OSPF are inevitable and often are reasonable ones to make in regards to the way a network will respond with either IGP."
+
+#: ../../configuration/vrf/index.rst:416
 msgid ":abbr:`L3VPN VRFs ( Layer 3 Virtual Private Networks )` bgpd supports for IPv4 RFC 4364 and IPv6 RFC 4659. L3VPN routes, and their associated VRF MPLS labels, can be distributed to VPN SAFI neighbors in the default, i.e., non VRF, BGP instance. VRF MPLS labels are reached using core MPLS labels which are distributed using LDP or BGP labeled unicast. bgpd also supports inter-VRF route leaking."
 msgstr ":abbr:`L3VPN VRFs ( Layer 3 Virtual Private Networks )` bgpd supports for IPv4 RFC 4364 and IPv6 RFC 4659. L3VPN routes, and their associated VRF MPLS labels, can be distributed to VPN SAFI neighbors in the default, i.e., non VRF, BGP instance. VRF MPLS labels are reached using core MPLS labels which are distributed using LDP or BGP labeled unicast. bgpd also supports inter-VRF route leaking."
 
@@ -19630,10 +22145,14 @@ msgstr ":abbr:`LDP (Label Distribution Protocol)` is a TCP based MPLS signaling
 msgid ":abbr:`LLDP (Link Layer Discovery Protocol)` is a vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery specified in IEEE 802.1AB and IEEE 802.3-2012 section 6 clause 79."
 msgstr ":abbr:`LLDP (Link Layer Discovery Protocol)` is a vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery specified in IEEE 802.1AB and IEEE 802.3-2012 section 6 clause 79."
 
-#: ../../configuration/interfaces/ethernet.rst:64
+#: ../../configuration/interfaces/ethernet.rst:72
 msgid ":abbr:`LRO (Large Receive Offload)` is a technique designed to boost the efficiency of how your computer's network interface card (NIC) processes incoming network traffic. Typically, network data arrives in smaller chunks called packets. Processing each packet individually consumes CPU (central processing unit) resources. Lots of small packets can lead to a performance bottleneck. Instead of handing the CPU each packet as it comes in, LRO instructs the NIC to combine multiple incoming packets into a single, larger packet. This larger packet is then passed to the CPU for processing."
 msgstr ":abbr:`LRO (Large Receive Offload)` is a technique designed to boost the efficiency of how your computer's network interface card (NIC) processes incoming network traffic. Typically, network data arrives in smaller chunks called packets. Processing each packet individually consumes CPU (central processing unit) resources. Lots of small packets can lead to a performance bottleneck. Instead of handing the CPU each packet as it comes in, LRO instructs the NIC to combine multiple incoming packets into a single, larger packet. This larger packet is then passed to the CPU for processing."
 
+#: ../../configuration/interfaces/wireless.rst:99
+msgid ":abbr:`MFP (Management Frame Protection)` is required for WPA3."
+msgstr ":abbr:`MFP (Management Frame Protection)` is required for WPA3."
+
 #: ../../configuration/interfaces/macsec.rst:74
 msgid ":abbr:`MKA (MACsec Key Agreement protocol)` is used to synchronize keys between individual peers."
 msgstr ":abbr:`MKA (MACsec Key Agreement protocol)` is used to synchronize keys between individual peers."
@@ -19655,6 +22174,7 @@ msgid ":abbr:`NAT (Network Address Translation)` is configured entirely on a ser
 msgstr ":abbr:`NAT (Network Address Translation)` is configured entirely on a series of so called `rules`. Rules are numbered and evaluated by the underlying OS in numerical order! The rule numbers can be changes by utilizing the :cfgcmd:`rename` and :cfgcmd:`copy` commands."
 
 #: ../../configuration/protocols/isis.rst:65
+#: ../../configuration/protocols/openfabric.rst:55
 msgid ":abbr:`NET (Network Entity Title)` selector: ``00`` Must always be 00. This setting indicates \"this system\" or \"local system.\""
 msgstr ":abbr:`NET (Network Entity Title)` selector: ``00`` Must always be 00. This setting indicates \"this system\" or \"local system.\""
 
@@ -19698,7 +22218,7 @@ msgstr ":abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`
 msgid ":abbr:`RPKI (Resource Public Key Infrastructure)` is a framework designed to secure the Internet routing infrastructure. It associates BGP route announcements with the correct originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then use to check each route against the corresponding :abbr:`ROA (Route Origin Authorisation)` for validity. RPKI is described in :rfc:`6480`."
 msgstr ":abbr:`RPKI (Resource Public Key Infrastructure)` is a framework designed to secure the Internet routing infrastructure. It associates BGP route announcements with the correct originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then use to check each route against the corresponding :abbr:`ROA (Route Origin Authorisation)` for validity. RPKI is described in :rfc:`6480`."
 
-#: ../../configuration/interfaces/ethernet.rst:98
+#: ../../configuration/interfaces/ethernet.rst:106
 msgid ":abbr:`RPS (Receive Packet Steering)` is logically a software implementation of :abbr:`RSS (Receive Side Scaling)`. Being in software, it is necessarily called later in the datapath. Whereas RSS selects the queue and hence CPU that will run the hardware interrupt handler, RPS selects the CPU to perform protocol processing above the interrupt handler. This is accomplished by placing the packet on the desired CPU's backlog queue and waking up the CPU for processing. RPS has some advantages over RSS:"
 msgstr ":abbr:`RPS (Receive Packet Steering)` is logically a software implementation of :abbr:`RSS (Receive Side Scaling)`. Being in software, it is necessarily called later in the datapath. Whereas RSS selects the queue and hence CPU that will run the hardware interrupt handler, RPS selects the CPU to perform protocol processing above the interrupt handler. This is accomplished by placing the packet on the desired CPU's backlog queue and waking up the CPU for processing. RPS has some advantages over RSS:"
 
@@ -19742,7 +22262,7 @@ msgstr ":abbr:`STP (Spanning Tree Protocol)` is a network protocol that builds a
 msgid ":abbr:`TFTP (Trivial File Transfer Protocol)` is a simple, lockstep file transfer protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network. TFTP has been used for this application because it is very simple to implement."
 msgstr ":abbr:`TFTP (Trivial File Transfer Protocol)` is a simple, lockstep file transfer protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network. TFTP has been used for this application because it is very simple to implement."
 
-#: ../../configuration/interfaces/geneve.rst:57
+#: ../../configuration/interfaces/geneve.rst:81
 msgid ":abbr:`VNI (Virtual Network Identifier)` is an identifier for a unique element of a virtual network.  In many situations this may represent an L2 segment, however, the control plane defines the forwarding semantics of decapsulated packets. The VNI MAY be used as part of ECMP forwarding decisions or MAY be used as a mechanism to distinguish between overlapping address spaces contained in the encapsulated packet when load balancing across CPUs."
 msgstr ":abbr:`VNI (Virtual Network Identifier)` is an identifier for a unique element of a virtual network.  In many situations this may represent an L2 segment, however, the control plane defines the forwarding semantics of decapsulated packets. The VNI MAY be used as part of ECMP forwarding decisions or MAY be used as a mechanism to distinguish between overlapping address spaces contained in the encapsulated packet when load balancing across CPUs."
 
@@ -19755,6 +22275,10 @@ msgid ":abbr:`VXLAN (Virtual Extensible LAN)` is a network virtualization techno
 msgstr ":abbr:`VXLAN (Virtual Extensible LAN)` is a network virtualization technology that attempts to address the scalability problems associated with large cloud computing deployments. It uses a VLAN-like encapsulation technique to encapsulate OSI layer 2 Ethernet frames within layer 4 UDP datagrams, using 4789 as the default IANA-assigned destination UDP port number. VXLAN endpoints, which terminate VXLAN tunnels and may be either virtual or physical switch ports, are known as :abbr:`VTEPs (VXLAN tunnel endpoints)`."
 
 #: ../../configuration/interfaces/wireless.rst:16
+msgid ":abbr:`WAP (Wireless Access-Point)` mode provides network access to connecting stations if the physical hardware supports acting as a WAP"
+msgstr ":abbr:`WAP (Wireless Access-Point)` mode provides network access to connecting stations if the physical hardware supports acting as a WAP"
+
+#: ../../configuration/interfaces/wireless.rst:16
 msgid ":abbr:`WAP (Wireless Access-Point)` provides network access to connecting stations if the physical hardware supports acting as a WAP"
 msgstr ":abbr:`WAP (Wireless Access-Point)` provides network access to connecting stations if the physical hardware supports acting as a WAP"
 
@@ -19762,7 +22286,11 @@ msgstr ":abbr:`WAP (Wireless Access-Point)` provides network access to connectin
 msgid ":abbr:`WLAN (Wireless LAN)` interface provide 802.11 (a/b/g/n/ac) wireless support (commonly referred to as Wi-Fi) by means of compatible hardware. If your hardware supports it, VyOS supports multiple logical wireless interfaces per physical device."
 msgstr ":abbr:`WLAN (Wireless LAN)` interface provide 802.11 (a/b/g/n/ac) wireless support (commonly referred to as Wi-Fi) by means of compatible hardware. If your hardware supports it, VyOS supports multiple logical wireless interfaces per physical device."
 
-#: ../../configuration/interfaces/wireless.rst:336
+#: ../../configuration/interfaces/wireless.rst:447
+msgid ":abbr:`WPA (Wi-Fi Protected Access)`, WPA2 Enterprise and WPA3 Enterprise in combination with 802.1x based authentication can be used to authenticate users or computers in a domain."
+msgstr ":abbr:`WPA (Wi-Fi Protected Access)`, WPA2 Enterprise and WPA3 Enterprise in combination with 802.1x based authentication can be used to authenticate users or computers in a domain."
+
+#: ../../configuration/interfaces/wireless.rst:339
 msgid ":abbr:`WPA (Wi-Fi Protected Access)` and WPA2 Enterprise in combination with 802.1x based authentication can be used to authenticate users or computers in a domain."
 msgstr ":abbr:`WPA (Wi-Fi Protected Access)` and WPA2 Enterprise in combination with 802.1x based authentication can be used to authenticate users or computers in a domain."
 
@@ -19810,6 +22338,30 @@ msgstr ":code:`set service webproxy whitelist source-address 192.168.1.2`"
 msgid ":code:`set service webproxy whitelist source-address 192.168.2.0/24`"
 msgstr ":code:`set service webproxy whitelist source-address 192.168.2.0/24`"
 
+#: ../../configuration/firewall/ipv4.rst:47
+msgid ":doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system conntrack ignore ipv4...``"
+msgstr ":doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system conntrack ignore ipv4...``"
+
+#: ../../configuration/firewall/ipv6.rst:47
+msgid ":doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system conntrack ignore ipv6...``"
+msgstr ":doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system conntrack ignore ipv6...``"
+
+#: ../../configuration/firewall/ipv6.rst:51
+msgid ":doc:`Destination NAT</configuration/nat/nat44>`: commands found under ``set nat66 destination ...``"
+msgstr ":doc:`Destination NAT</configuration/nat/nat44>`: commands found under ``set nat66 destination ...``"
+
+#: ../../configuration/firewall/ipv4.rst:51
+msgid ":doc:`Destination NAT</configuration/nat/nat44>`: commands found under ``set nat destination ...``"
+msgstr ":doc:`Destination NAT</configuration/nat/nat44>`: commands found under ``set nat destination ...``"
+
+#: ../../configuration/firewall/ipv6.rst:49
+msgid ":doc:`Policy Route</configuration/policy/route>`: commands found under ``set policy route6 ...``"
+msgstr ":doc:`Policy Route</configuration/policy/route>`: commands found under ``set policy route6 ...``"
+
+#: ../../configuration/firewall/ipv4.rst:49
+msgid ":doc:`Policy Route</configuration/policy/route>`: commands found under ``set policy route ...``"
+msgstr ":doc:`Policy Route</configuration/policy/route>`: commands found under ``set policy route ...``"
+
 #: ../../configuration/policy/index.rst:1
 msgid ":lastproofread:2021-07-12"
 msgstr ":lastproofread:2021-07-12"
@@ -19818,43 +22370,43 @@ msgstr ":lastproofread:2021-07-12"
 msgid ":opcmd:`generate pki wireguard key-pair`."
 msgstr ":opcmd:`generate pki wireguard key-pair`."
 
-#: ../../configuration/vrf/index.rst:107
+#: ../../configuration/vrf/index.rst:103
 msgid ":ref:`routing-bgp`"
 msgstr ":ref:`routing-bgp`"
 
-#: ../../configuration/vrf/index.rst:123
+#: ../../configuration/vrf/index.rst:119
 msgid ":ref:`routing-bgp`: ``set vrf name <name> protocols bgp ...``"
 msgstr ":ref:`routing-bgp`: ``set vrf name <name> protocols bgp ...``"
 
-#: ../../configuration/vrf/index.rst:108
+#: ../../configuration/vrf/index.rst:104
 msgid ":ref:`routing-isis`"
 msgstr ":ref:`routing-isis`"
 
-#: ../../configuration/vrf/index.rst:124
+#: ../../configuration/vrf/index.rst:120
 msgid ":ref:`routing-isis`: ``set vrf name <name> protocols isis ...``"
 msgstr ":ref:`routing-isis`: ``set vrf name <name> protocols isis ...``"
 
-#: ../../configuration/vrf/index.rst:109
+#: ../../configuration/vrf/index.rst:105
 msgid ":ref:`routing-ospf`"
 msgstr ":ref:`routing-ospf`"
 
-#: ../../configuration/vrf/index.rst:125
+#: ../../configuration/vrf/index.rst:121
 msgid ":ref:`routing-ospf`: ``set vrf name <name> protocols ospf ...``"
 msgstr ":ref:`routing-ospf`: ``set vrf name <name> protocols ospf ...``"
 
-#: ../../configuration/vrf/index.rst:110
+#: ../../configuration/vrf/index.rst:106
 msgid ":ref:`routing-ospfv3`"
 msgstr ":ref:`routing-ospfv3`"
 
-#: ../../configuration/vrf/index.rst:126
+#: ../../configuration/vrf/index.rst:122
 msgid ":ref:`routing-ospfv3`: ``set vrf name <name> protocols ospfv3 ...``"
 msgstr ":ref:`routing-ospfv3`: ``set vrf name <name> protocols ospfv3 ...``"
 
-#: ../../configuration/vrf/index.rst:111
+#: ../../configuration/vrf/index.rst:107
 msgid ":ref:`routing-static`"
 msgstr ":ref:`routing-static`"
 
-#: ../../configuration/vrf/index.rst:127
+#: ../../configuration/vrf/index.rst:123
 msgid ":ref:`routing-static`: ``set vrf name <name> protocols static ...``"
 msgstr ":ref:`routing-static`: ``set vrf name <name> protocols static ...``"
 
@@ -19870,6 +22422,14 @@ msgstr ":rfc:`2136` Based"
 msgid ":rfc:`2328`, the successor to :rfc:`1583`, suggests according to section G.2 (changes) in section 16.4.1 a change to the path preference algorithm that prevents possible routing loops that were possible in the old version of OSPFv2. More specifically it demands that inter-area paths and intra-area backbone path are now of equal preference but still both preferred to external paths."
 msgstr ":rfc:`2328`, the successor to :rfc:`1583`, suggests according to section G.2 (changes) in section 16.4.1 a change to the path preference algorithm that prevents possible routing loops that were possible in the old version of OSPFv2. More specifically it demands that inter-area paths and intra-area backbone path are now of equal preference but still both preferred to external paths."
 
+#: ../../configuration/nat/cgnat.rst:195
+msgid ":rfc:`6598` - IANA-Reserved IPv4 Prefix for Shared Address Space"
+msgstr ":rfc:`6598` - IANA-Reserved IPv4 Prefix for Shared Address Space"
+
+#: ../../configuration/nat/cgnat.rst:196
+msgid ":rfc:`6888` - Requirements for CGNAT"
+msgstr ":rfc:`6888` - Requirements for CGNAT"
+
 #: ../../configuration/pki/index.rst:17
 msgid ":vytask:`T3642` describes a new CLI subsystem that serves as a \"certstore\" to all services requiring any kind of encryption key(s). In short, public and private certificates are now stored in PKCS#8 format in the regular VyOS CLI. Keys can now be added, edited, and deleted using the regular set/edit/delete CLI commands."
 msgstr ":vytask:`T3642` describes a new CLI subsystem that serves as a \"certstore\" to all services requiring any kind of encryption key(s). In short, public and private certificates are now stored in PKCS#8 format in the regular VyOS CLI. Keys can now be added, edited, and deleted using the regular set/edit/delete CLI commands."
@@ -19894,7 +22454,7 @@ msgstr "`4. Add optional parameters`_"
 msgid "`<name>` must be identical on both sides!"
 msgstr "`<name>` must be identical on both sides!"
 
-#: ../../configuration/trafficpolicy/index.rst:1156
+#: ../../configuration/trafficpolicy/index.rst:1206
 msgid "`Common Applications Kept Enhanced`_ (CAKE) is a comprehensive queue management system, implemented as a queue discipline (qdisc) for the Linux kernel. It is designed to replace and improve upon the complex hierarchy of simple qdiscs presently required to effectively tackle the bufferbloat problem at the network edge."
 msgstr "`Common Applications Kept Enhanced`_ (CAKE) is a comprehensive queue management system, implemented as a queue discipline (qdisc) for the Linux kernel. It is designed to replace and improve upon the complex hierarchy of simple qdiscs presently required to effectively tackle the bufferbloat problem at the network edge."
 
@@ -19938,10 +22498,14 @@ msgstr "``0.pool.ntp.org``"
 msgid "``0``: No replay window, strict check"
 msgstr "``0``: No replay window, strict check"
 
-#: ../../configuration/interfaces/wireless.rst:256
+#: ../../configuration/interfaces/wireless.rst:291
 msgid "``0`` - 20 or 40 MHz channel width (default)"
 msgstr "``0`` - 20 or 40 MHz channel width (default)"
 
+#: ../../configuration/interfaces/wireless.rst:403
+msgid "``0`` - HE-MCS 0-7"
+msgstr "``0`` - HE-MCS 0-7"
+
 #: ../../configuration/interfaces/macsec.rst:102
 msgid "``1-4294967295``: Number of packets that could be misordered"
 msgstr "``1-4294967295``: Number of packets that could be misordered"
@@ -19954,6 +22518,46 @@ msgstr "``115200`` - 115,200 bps (default for serial console)"
 msgid "``1200`` - 1200 bps"
 msgstr "``1200`` - 1200 bps"
 
+#: ../../configuration/interfaces/wireless.rst:381
+msgid "``131`` - 20 MHz channel width"
+msgstr "``131`` - 20 MHz channel width"
+
+#: ../../configuration/interfaces/wireless.rst:388
+msgid "``131`` - 20 MHz channel width (6GHz)"
+msgstr "``131`` - 20 MHz channel width (6GHz)"
+
+#: ../../configuration/interfaces/wireless.rst:382
+msgid "``132`` - 40 MHz channel width"
+msgstr "``132`` - 40 MHz channel width"
+
+#: ../../configuration/interfaces/wireless.rst:389
+msgid "``132`` - 40 MHz channel width (6GHz)"
+msgstr "``132`` - 40 MHz channel width (6GHz)"
+
+#: ../../configuration/interfaces/wireless.rst:383
+msgid "``133`` - 80 MHz channel width"
+msgstr "``133`` - 80 MHz channel width"
+
+#: ../../configuration/interfaces/wireless.rst:390
+msgid "``133`` - 80 MHz channel width (6GHz)"
+msgstr "``133`` - 80 MHz channel width (6GHz)"
+
+#: ../../configuration/interfaces/wireless.rst:384
+msgid "``134`` - 160 MHz channel width"
+msgstr "``134`` - 160 MHz channel width"
+
+#: ../../configuration/interfaces/wireless.rst:391
+msgid "``134`` - 160 MHz channel width (6GHz)"
+msgstr "``134`` - 160 MHz channel width (6GHz)"
+
+#: ../../configuration/interfaces/wireless.rst:385
+msgid "``135`` - 80+80 MHz channel width"
+msgstr "``135`` - 80+80 MHz channel width"
+
+#: ../../configuration/interfaces/wireless.rst:392
+msgid "``135`` - 80+80 MHz channel width (6GHz)"
+msgstr "``135`` - 80+80 MHz channel width (6GHz)"
+
 #: ../../configuration/system/console.rst:36
 msgid "``19200`` - 19,200 bps"
 msgstr "``19200`` - 19,200 bps"
@@ -19966,10 +22570,14 @@ msgstr "``192.168.2.254`` IP addreess on VyOS eth2 from ISP2"
 msgid "``1.pool.ntp.org``"
 msgstr "``1.pool.ntp.org``"
 
-#: ../../configuration/interfaces/wireless.rst:257
+#: ../../configuration/interfaces/wireless.rst:292
 msgid "``1`` - 80 MHz channel width"
 msgstr "``1`` - 80 MHz channel width"
 
+#: ../../configuration/interfaces/wireless.rst:404
+msgid "``1`` - HE-MCS 0-9"
+msgstr "``1`` - HE-MCS 0-9"
+
 #: ../../configuration/policy/examples.rst:161
 msgid "``203.0.113.254`` IP addreess on VyOS eth1 from ISP1"
 msgstr "``203.0.113.254`` IP addreess on VyOS eth1 from ISP1"
@@ -19982,18 +22590,26 @@ msgstr "``2400`` - 2400 bps"
 msgid "``2.pool.ntp.org``"
 msgstr "``2.pool.ntp.org``"
 
-#: ../../configuration/interfaces/wireless.rst:258
+#: ../../configuration/interfaces/wireless.rst:293
 msgid "``2`` - 160 MHz channel width"
 msgstr "``2`` - 160 MHz channel width"
 
+#: ../../configuration/interfaces/wireless.rst:405
+msgid "``2`` - HE-MCS 0-11"
+msgstr "``2`` - HE-MCS 0-11"
+
 #: ../../configuration/system/console.rst:37
 msgid "``38400`` - 38,400 bps (default for Xen console)"
 msgstr "``38400`` - 38,400 bps (default for Xen console)"
 
-#: ../../configuration/interfaces/wireless.rst:259
+#: ../../configuration/interfaces/wireless.rst:294
 msgid "``3`` - 80+80 MHz channel width"
 msgstr "``3`` - 80+80 MHz channel width"
 
+#: ../../configuration/interfaces/wireless.rst:406
+msgid "``3`` - HE-MCS is not supported"
+msgstr "``3`` - HE-MCS is not supported"
+
 #: ../../configuration/system/console.rst:34
 msgid "``4800`` - 4800 bps"
 msgstr "``4800`` - 4800 bps"
@@ -20010,11 +22626,23 @@ msgstr "``64:ff9b::/96`` is the well-known prefix for IPv4-embedded IPv6 address
 msgid "``802.3ad`` - IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification."
 msgstr "``802.3ad`` - IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification."
 
+#: ../../configuration/interfaces/wireless.rst:383
+msgid "``81`` - 20 MHz channel width (2.4GHz)"
+msgstr "``81`` - 20 MHz channel width (2.4GHz)"
+
+#: ../../configuration/interfaces/wireless.rst:384
+msgid "``83`` - 40 MHz channel width, secondary 20MHz channel above primary channel (2.4GHz)"
+msgstr "``83`` - 40 MHz channel width, secondary 20MHz channel above primary channel (2.4GHz)"
+
+#: ../../configuration/interfaces/wireless.rst:386
+msgid "``84`` - 40 MHz channel width, secondary 20MHz channel below primary channel (2.4GHz)"
+msgstr "``84`` - 40 MHz channel width, secondary 20MHz channel below primary channel (2.4GHz)"
+
 #: ../../configuration/system/console.rst:35
 msgid "``9600`` - 9600 bps"
 msgstr "``9600`` - 9600 bps"
 
-#: ../../configuration/vpn/ipsec.rst:152
+#: ../../configuration/vpn/ipsec.rst:153
 msgid "``< dh-group >`` defines a Diffie-Hellman group for PFS;"
 msgstr "``< dh-group >`` defines a Diffie-Hellman group for PFS;"
 
@@ -20026,11 +22654,11 @@ msgstr "``@`` Use @ as record name to set the record for the root domain."
 msgid "``Known limitations:``"
 msgstr "``Known limitations:``"
 
-#: ../../configuration/service/ipoe-server.rst:247
-#: ../../configuration/service/pppoe-server.rst:209
-#: ../../configuration/vpn/l2tp.rst:252
+#: ../../configuration/service/ipoe-server.rst:246
+#: ../../configuration/service/pppoe-server.rst:227
+#: ../../configuration/vpn/l2tp.rst:254
 #: ../../configuration/vpn/pptp.rst:192
-#: ../../configuration/vpn/sstp.rst:225
+#: ../../configuration/vpn/sstp.rst:227
 msgid "``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in RFC6911. If they are not defined in your RADIUS server, add new dictionary_."
 msgstr "``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in RFC6911. If they are not defined in your RADIUS server, add new dictionary_."
 
@@ -20042,11 +22670,11 @@ msgstr "``WLB_INTERFACE_NAME=[interfacename]``: Interface to be monitored"
 msgid "``WLB_INTERFACE_STATE=[ACTIVE|FAILED]``: Interface state"
 msgstr "``WLB_INTERFACE_STATE=[ACTIVE|FAILED]``: Interface state"
 
-#: ../../configuration/interfaces/wireless.rst:91
+#: ../../configuration/interfaces/wireless.rst:112
 msgid "``a`` - 802.11a - 54 Mbits/sec"
 msgstr "``a`` - 802.11a - 54 Mbits/sec"
 
-#: ../../configuration/interfaces/wireless.rst:95
+#: ../../configuration/interfaces/wireless.rst:116
 msgid "``ac`` - 802.11ac - 1300 Mbits/sec"
 msgstr "``ac`` - 802.11ac - 1300 Mbits/sec"
 
@@ -20058,17 +22686,17 @@ msgstr "``accept-own-nexthop`` -           Well-known communities value accept-o
 msgid "``accept-own`` -                   Well-known communities value ACCEPT_OWN 0xFFFF0001"
 msgstr "``accept-own`` -                   Well-known communities value ACCEPT_OWN 0xFFFF0001"
 
-#: ../../configuration/firewall/bridge.rst:72
-#: ../../configuration/firewall/ipv4.rst:88
-#: ../../configuration/firewall/ipv6.rst:88
+#: ../../configuration/firewall/bridge.rst:91
+#: ../../configuration/firewall/ipv4.rst:112
+#: ../../configuration/firewall/ipv6.rst:112
 msgid "``accept``: accept the packet."
 msgstr "``accept``: accept the packet."
 
-#: ../../configuration/interfaces/wireless.rst:121
+#: ../../configuration/interfaces/wireless.rst:147
 msgid "``access-point`` - Access-point forwards packets between other nodes"
 msgstr "``access-point`` - Access-point forwards packets between other nodes"
 
-#: ../../configuration/vpn/ipsec.rst:61
+#: ../../configuration/vpn/ipsec.rst:62
 msgid "``action`` keep-alive failure action:"
 msgstr "``action`` keep-alive failure action:"
 
@@ -20076,11 +22704,19 @@ msgstr "``action`` keep-alive failure action:"
 msgid "``active-backup`` - Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond's MAC address is externally visible on only one port (network adapter) to avoid confusing the switch."
 msgstr "``active-backup`` - Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond's MAC address is externally visible on only one port (network adapter) to avoid confusing the switch."
 
+#: ../../configuration/system/option.rst:59
+msgid "``active`` This is the low-level firmware control mode based on the profile set and the system governor has no effect."
+msgstr "``active`` This is the low-level firmware control mode based on the profile set and the system governor has no effect."
+
 #: ../../configuration/interfaces/bonding.rst:87
 msgid "``adaptive-load-balance`` - Adaptive load balancing: includes transmit-load-balance plus receive load balancing for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server."
 msgstr "``adaptive-load-balance`` - Adaptive load balancing: includes transmit-load-balance plus receive load balancing for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server."
 
-#: ../../configuration/vpn/ipsec.rst:98
+#: ../../configuration/service/suricata.rst:47
+msgid "``address`` IP address or subnet."
+msgstr "``address`` IP address or subnet."
+
+#: ../../configuration/vpn/ipsec.rst:99
 msgid "``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol aggressive mode is much more insecure compared to Main mode;"
 msgstr "``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol aggressive mode is much more insecure compared to Main mode;"
 
@@ -20088,6 +22724,10 @@ msgstr "``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protoc
 msgid "``all-available`` all checking target addresses must be available to pass this check"
 msgstr "``all-available`` all checking target addresses must be available to pass this check"
 
+#: ../../configuration/system/option.rst:69
+msgid "``amd_pstate={mode}`` Sets the p-state mode"
+msgstr "``amd_pstate={mode}`` Sets the p-state mode"
+
 #: ../../configuration/protocols/failover.rst:43
 msgid "``any-available`` any of the checking target addresses must be available to pass this check"
 msgstr "``any-available`` any of the checking target addresses must be available to pass this check"
@@ -20108,7 +22748,11 @@ msgstr "``authentication`` - configure authentication between VyOS and a remote
 msgid "``authentication`` - configure authentication between VyOS and a remote peer. Suboptions:"
 msgstr "``authentication`` - configure authentication between VyOS and a remote peer. Suboptions:"
 
-#: ../../configuration/interfaces/wireless.rst:92
+#: ../../configuration/interfaces/wireless.rst:117
+msgid "``ax`` - 802.11ax - exceeds 1GBit/sec"
+msgstr "``ax`` - 802.11ax - exceeds 1GBit/sec"
+
+#: ../../configuration/interfaces/wireless.rst:113
 msgid "``b`` - 802.11b - 11 Mbits/sec"
 msgstr "``b`` - 802.11b - 11 Mbits/sec"
 
@@ -20116,7 +22760,7 @@ msgstr "``b`` - 802.11b - 11 Mbits/sec"
 msgid "``babel`` - Babel routing protocol (Babel)"
 msgstr "``babel`` - Babel routing protocol (Babel)"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:79
+#: ../../configuration/loadbalancing/haproxy.rst:91
 msgid "``begin`` Matches the beginning of the URL path"
 msgstr "``begin`` Matches the beginning of the URL path"
 
@@ -20160,7 +22804,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating
 msgid "``certificate`` - certificate file in PKI configuration, which will be used for authenticating local router on remote peer;"
 msgstr "``certificate`` - certificate file in PKI configuration, which will be used for authenticating local router on remote peer;"
 
-#: ../../configuration/vpn/ipsec.rst:66
+#: ../../configuration/vpn/ipsec.rst:67
 msgid "``clear`` closes the CHILD_SA and does not take further action (default);"
 msgstr "``clear`` closes the CHILD_SA and does not take further action (default);"
 
@@ -20176,11 +22820,11 @@ msgstr "``close-action = none | clear | hold | restart`` - defines the action to
 msgid "``close-action = none | clear | trap | start`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
 msgstr "``close-action = none | clear | trap | start`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
 
-#: ../../configuration/vpn/ipsec.rst:47
+#: ../../configuration/vpn/ipsec.rst:48
 msgid "``close-action`` defines the action to take if the remote peer unexpectedly closes a CHILD_SA:"
 msgstr "``close-action`` defines the action to take if the remote peer unexpectedly closes a CHILD_SA:"
 
-#: ../../configuration/vpn/ipsec.rst:125
+#: ../../configuration/vpn/ipsec.rst:126
 msgid "``compression``  Enables the  IPComp(IP Payload Compression) protocol which allows compressing the content of IP packets."
 msgstr "``compression``  Enables the  IPComp(IP Payload Compression) protocol which allows compressing the content of IP packets."
 
@@ -20196,9 +22840,9 @@ msgstr "``connected`` - Connected routes (directly attached subnet or host)"
 msgid "``connection-type`` - how to handle this connection process. Possible variants:"
 msgstr "``connection-type`` - how to handle this connection process. Possible variants:"
 
-#: ../../configuration/firewall/bridge.rst:74
-#: ../../configuration/firewall/ipv4.rst:90
-#: ../../configuration/firewall/ipv6.rst:90
+#: ../../configuration/firewall/bridge.rst:93
+#: ../../configuration/firewall/ipv4.rst:114
+#: ../../configuration/firewall/ipv6.rst:114
 msgid "``continue``: continue parsing next rule."
 msgstr "``continue``: continue parsing next rule."
 
@@ -20218,7 +22862,7 @@ msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE noti
 msgid "``dead-peer-detection action = clear | trap | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, trap, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``trap`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
 msgstr "``dead-peer-detection action = clear | trap | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, trap, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``trap`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
 
-#: ../../configuration/vpn/ipsec.rst:56
+#: ../../configuration/vpn/ipsec.rst:57
 msgid "``dead-peer-detection`` controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer:"
 msgstr "``dead-peer-detection`` controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer:"
 
@@ -20230,7 +22874,7 @@ msgstr "``default-esp-group`` - ESP group to use by default for traffic encrypti
 msgid "``description`` - description for this peer;"
 msgstr "``description`` - description for this peer;"
 
-#: ../../configuration/vpn/ipsec.rst:103
+#: ../../configuration/vpn/ipsec.rst:104
 msgid "``dh-group`` dh-group;"
 msgstr "``dh-group`` dh-group;"
 
@@ -20242,14 +22886,22 @@ msgstr "``dhcp-interface`` - ID for authentication generated from DHCP address d
 msgid "``dhcp-interface`` - use an IP address, received from DHCP for IPSec connection with this peer, instead of ``local-address``;"
 msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec connection with this peer, instead of ``local-address``;"
 
-#: ../../configuration/vpn/ipsec.rst:90
+#: ../../configuration/vpn/ipsec.rst:91
 msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
 msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
 
+#: ../../configuration/vpn/ipsec.rst:161
+msgid "``disable-rekey`` Do not locally initiate a re-key of the SA, remote peer must re-key before expiration."
+msgstr "``disable-rekey`` Do not locally initiate a re-key of the SA, remote peer must re-key before expiration."
+
 #: ../../configuration/vpn/site2site_ipsec.rst:399
 msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
 msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
 
+#: ../../configuration/vpn/ipsec.rst:171
+msgid "``disable-route-autoinstall`` Do not automatically install routes to remote"
+msgstr "``disable-route-autoinstall`` Do not automatically install routes to remote"
+
 #: ../../configuration/vpn/ipsec.rst:166
 msgid "``disable-route-autoinstall`` Do not automatically install routes to remote networks;"
 msgstr "``disable-route-autoinstall`` Do not automatically install routes to remote networks;"
@@ -20258,7 +22910,7 @@ msgstr "``disable-route-autoinstall`` Do not automatically install routes to rem
 msgid "``disable`` - disable this tunnel;"
 msgstr "``disable`` - disable this tunnel;"
 
-#: ../../configuration/vpn/ipsec.rst:150
+#: ../../configuration/vpn/ipsec.rst:151
 msgid "``disable`` Disable PFS;"
 msgstr "``disable`` Disable PFS;"
 
@@ -20270,9 +22922,9 @@ msgstr "``disable`` disable IPComp compression (default);"
 msgid "``disable`` disable MOBIKE;"
 msgstr "``disable`` disable MOBIKE;"
 
-#: ../../configuration/firewall/bridge.rst:76
-#: ../../configuration/firewall/ipv4.rst:92
-#: ../../configuration/firewall/ipv6.rst:92
+#: ../../configuration/firewall/bridge.rst:95
+#: ../../configuration/firewall/ipv4.rst:116
+#: ../../configuration/firewall/ipv6.rst:116
 msgid "``drop``: drop the packet."
 msgstr "``drop``: drop the packet."
 
@@ -20292,7 +22944,7 @@ msgstr "``ecdsa-sha2-nistp521``"
 msgid "``edp`` - Listen for EDP for Extreme routers/switches"
 msgstr "``edp`` - Listen for EDP for Extreme routers/switches"
 
-#: ../../configuration/vpn/ipsec.rst:148
+#: ../../configuration/vpn/ipsec.rst:149
 msgid "``enable`` Inherit Diffie-Hellman group from IKE group (default);"
 msgstr "``enable`` Inherit Diffie-Hellman group from IKE group (default);"
 
@@ -20304,15 +22956,15 @@ msgstr "``enable`` enable IPComp compression;"
 msgid "``enable`` enable MOBIKE (default for IKEv2);"
 msgstr "``enable`` enable MOBIKE (default for IKEv2);"
 
-#: ../../configuration/vpn/ipsec.rst:105
+#: ../../configuration/vpn/ipsec.rst:106
 msgid "``encryption`` encryption algorithm;"
 msgstr "``encryption`` encryption algorithm;"
 
-#: ../../configuration/vpn/ipsec.rst:156
+#: ../../configuration/vpn/ipsec.rst:157
 msgid "``encryption`` encryption algorithm (default 128 bit AES-CBC);"
 msgstr "``encryption`` encryption algorithm (default 128 bit AES-CBC);"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:80
+#: ../../configuration/loadbalancing/haproxy.rst:92
 msgid "``end`` Matches the end of the URL path."
 msgstr "``end`` Matches the end of the URL path."
 
@@ -20324,7 +22976,7 @@ msgstr "``esp-group`` - define ESP group for encrypt traffic, defined by this tu
 msgid "``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface."
 msgstr "``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:81
+#: ../../configuration/loadbalancing/haproxy.rst:93
 msgid "``exact`` Requires an exactly match of the URL path"
 msgstr "``exact`` Requires an exactly match of the URL path"
 
@@ -20336,10 +22988,22 @@ msgstr "``fdp`` - Listen for FDP for Foundry routers/switches"
 msgid "``file`` - path to the key file;"
 msgstr "``file`` - path to the key file;"
 
+#: ../../configuration/service/suricata.rst:71
+msgid "``filename``  Log file (default: eve.json)."
+msgstr "``filename``  Log file (default: eve.json)."
+
+#: ../../configuration/service/suricata.rst:73
+msgid "``filetype``  EVE logging destination (default: regular)."
+msgstr "``filetype``  EVE logging destination (default: regular)."
+
 #: ../../configuration/vpn/ipsec.rst:164
 msgid "``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
 msgstr "``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
 
+#: ../../configuration/vpn/ipsec.rst:181
+msgid "``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco"
+msgstr "``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco"
+
 #: ../../configuration/vpn/ipsec.rst:168
 msgid "``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
 msgstr "``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
@@ -20348,7 +23012,7 @@ msgstr "``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisc
 msgid "``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams. Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them;"
 msgstr "``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams. Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them;"
 
-#: ../../configuration/interfaces/wireless.rst:93
+#: ../../configuration/interfaces/wireless.rst:114
 msgid "``g`` - 802.11g - 54 Mbits/sec (default)"
 msgstr "``g`` - 802.11g - 54 Mbits/sec (default)"
 
@@ -20356,15 +23020,27 @@ msgstr "``g`` - 802.11g - 54 Mbits/sec (default)"
 msgid "``graceful-shutdown`` -            Well-known communities value GRACEFUL_SHUTDOWN 0xFFFF0000"
 msgstr "``graceful-shutdown`` -            Well-known communities value GRACEFUL_SHUTDOWN 0xFFFF0000"
 
+#: ../../configuration/service/suricata.rst:49
+msgid "``group``  Address group."
+msgstr "``group``  Address group."
+
+#: ../../configuration/service/suricata.rst:60
+msgid "``group``  Port group."
+msgstr "``group``  Port group."
+
+#: ../../configuration/system/option.rst:63
+msgid "``guided`` The driver allows to set desired performance levels and the firmware selects a performance level in this range and fitting to the current workload."
+msgstr "``guided`` The driver allows to set desired performance levels and the firmware selects a performance level in this range and fitting to the current workload."
+
 #: ../../configuration/system/task-scheduler.rst:21
 msgid "``h`` - Execution interval in hours"
 msgstr "``h`` - Execution interval in hours"
 
-#: ../../configuration/vpn/ipsec.rst:107
+#: ../../configuration/vpn/ipsec.rst:108
 msgid "``hash`` hash algorithm."
 msgstr "``hash`` hash algorithm."
 
-#: ../../configuration/vpn/ipsec.rst:158
+#: ../../configuration/vpn/ipsec.rst:159
 msgid "``hash`` hash algorithm (default sha1)."
 msgstr "``hash`` hash algorithm (default sha1)."
 
@@ -20376,11 +23052,15 @@ msgstr "``hold`` set action to hold;"
 msgid "``hold`` set action to hold (default)"
 msgstr "``hold`` set action to hold (default)"
 
-#: ../../configuration/interfaces/wireless.rst:154
+#: ../../configuration/interfaces/wireless.rst:182
+msgid "``ht20`` - 20 MHz channel width"
+msgstr "``ht20`` - 20 MHz channel width"
+
+#: ../../configuration/interfaces/wireless.rst:185
 msgid "``ht40+`` - Both 20 MHz and 40 MHz with secondary channel above the primary channel"
 msgstr "``ht40+`` - Both 20 MHz and 40 MHz with secondary channel above the primary channel"
 
-#: ../../configuration/interfaces/wireless.rst:152
+#: ../../configuration/interfaces/wireless.rst:183
 msgid "``ht40-`` - Both 20 MHz and 40 MHz with secondary channel below the primary channel"
 msgstr "``ht40-`` - Both 20 MHz and 40 MHz with secondary channel below the primary channel"
 
@@ -20396,7 +23076,7 @@ msgstr "``id`` - static ID's for authentication. In general local and remote add
 msgid "``ike-group`` - IKE group to use for key exchanges;"
 msgstr "``ike-group`` - IKE group to use for key exchanges;"
 
-#: ../../configuration/vpn/ipsec.rst:84
+#: ../../configuration/vpn/ipsec.rst:85
 msgid "``ikev1`` use IKEv1 for Key Exchange;"
 msgstr "``ikev1`` use IKEv1 for Key Exchange;"
 
@@ -20404,7 +23084,7 @@ msgstr "``ikev1`` use IKEv1 for Key Exchange;"
 msgid "``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. Can be used only with IKEv2. Create a new IKE_SA from the scratch and try to recreate all IPsec SAs;"
 msgstr "``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. Can be used only with IKEv2. Create a new IKE_SA from the scratch and try to recreate all IPsec SAs;"
 
-#: ../../configuration/vpn/ipsec.rst:75
+#: ../../configuration/vpn/ipsec.rst:76
 msgid "``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done. Setting this parameter enables remote host re-authentication during an IKE rekey."
 msgstr "``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done. Setting this parameter enables remote host re-authentication during an IKE rekey."
 
@@ -20412,7 +23092,7 @@ msgstr "``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticat
 msgid "``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done:"
 msgstr "``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done:"
 
-#: ../../configuration/vpn/ipsec.rst:86
+#: ../../configuration/vpn/ipsec.rst:87
 msgid "``ikev2`` use IKEv2 for Key Exchange;"
 msgstr "``ikev2`` use IKEv2 for Key Exchange;"
 
@@ -20420,14 +23100,22 @@ msgstr "``ikev2`` use IKEv2 for Key Exchange;"
 msgid "``in``: Ruleset for forwarded packets on an inbound interface"
 msgstr "``in``: Ruleset for forwarded packets on an inbound interface"
 
+#: ../../configuration/system/option.rst:68
+msgid "``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale"
+msgstr "``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale"
+
 #: ../../configuration/vpn/site2site_ipsec.rst:72
 msgid "``initiate`` - does initial connection to remote peer immediately after configuring and after boot. In this mode the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or another session tracking methods;"
 msgstr "``initiate`` - does initial connection to remote peer immediately after configuring and after boot. In this mode the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or another session tracking methods;"
 
-#: ../../configuration/system/option.rst:50
+#: ../../configuration/system/option.rst:48
 msgid "``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle"
 msgstr "``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle"
 
+#: ../../configuration/vpn/ipsec.rst:185
+msgid "``interface`` Interface Name to use. The name of the interface on which"
+msgstr "``interface`` Interface Name to use. The name of the interface on which"
+
 #: ../../configuration/vpn/ipsec.rst:170
 msgid "``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;"
 msgstr "``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;"
@@ -20436,11 +23124,15 @@ msgstr "``interface`` Interface Name to use. The name of the interface on which
 msgid "``interface`` is used for the VyOS CLI command to identify the WireGuard interface where this private key is to be used."
 msgstr "``interface`` is used for the VyOS CLI command to identify the WireGuard interface where this private key is to be used."
 
+#: ../../configuration/service/ntp.rst:72
+msgid "``interleave`` enables NTP interleaved mode (see `draft-ntp-interleaved-modes`_), which can improve synchronization accuracy and stability when supported by both parties."
+msgstr "``interleave`` enables NTP interleaved mode (see `draft-ntp-interleaved-modes`_), which can improve synchronization accuracy and stability when supported by both parties."
+
 #: ../../configuration/policy/route-map.rst:369
 msgid "``internet`` -                     Well-known communities value 0"
 msgstr "``internet`` -                     Well-known communities value 0"
 
-#: ../../configuration/vpn/ipsec.rst:71
+#: ../../configuration/vpn/ipsec.rst:72
 msgid "``interval`` keep-alive interval in seconds <2-86400> (default 30);"
 msgstr "``interval`` keep-alive interval in seconds <2-86400> (default 30);"
 
@@ -20448,9 +23140,9 @@ msgstr "``interval`` keep-alive interval in seconds <2-86400> (default 30);"
 msgid "``isis`` - Intermediate System to Intermediate System (IS-IS)"
 msgstr "``isis`` - Intermediate System to Intermediate System (IS-IS)"
 
-#: ../../configuration/firewall/bridge.rst:78
-#: ../../configuration/firewall/ipv4.rst:96
-#: ../../configuration/firewall/ipv6.rst:96
+#: ../../configuration/firewall/bridge.rst:97
+#: ../../configuration/firewall/ipv4.rst:120
+#: ../../configuration/firewall/ipv6.rst:120
 msgid "``jump``: jump to another custom chain."
 msgstr "``jump``: jump to another custom chain."
 
@@ -20458,7 +23150,7 @@ msgstr "``jump``: jump to another custom chain."
 msgid "``kernel`` - Kernel routes"
 msgstr "``kernel`` - Kernel routes"
 
-#: ../../configuration/vpn/ipsec.rst:80
+#: ../../configuration/vpn/ipsec.rst:81
 msgid "``key-exchange`` which protocol should be used to initialize the connection If not set both protocols are handled and connections will use IKEv2 when initiating, but accept any protocol version when responding:"
 msgstr "``key-exchange`` which protocol should be used to initialize the connection If not set both protocols are handled and connections will use IKEv2 when initiating, but accept any protocol version when responding:"
 
@@ -20466,15 +23158,19 @@ msgstr "``key-exchange`` which protocol should be used to initialize the connect
 msgid "``key`` - a private key, which will be used for authenticating local router on remote peer:"
 msgstr "``key`` - a private key, which will be used for authenticating local router on remote peer:"
 
-#: ../../configuration/service/https.rst:96
+#: ../../configuration/service/https.rst:99
 msgid "``key`` use API keys configured in ``service https api keys``"
 msgstr "``key`` use API keys configured in ``service https api keys``"
 
-#: ../../configuration/system/option.rst:137
+#: ../../configuration/system/option.rst:157
 msgid "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
 msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:108
+#: ../../configuration/loadbalancing/haproxy.rst:250
+msgid "``ldap`` LDAP protocol check."
+msgstr "``ldap`` LDAP protocol check."
+
+#: ../../configuration/loadbalancing/haproxy.rst:120
 msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
 msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
 
@@ -20482,19 +23178,19 @@ msgstr "``least-connection`` Distributes requests to the server with the fewest
 msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
 msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
 
-#: ../../configuration/vpn/ipsec.rst:128
+#: ../../configuration/vpn/ipsec.rst:129
 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"
 msgstr "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"
 
-#: ../../configuration/vpn/ipsec.rst:131
+#: ../../configuration/vpn/ipsec.rst:132
 msgid "``life-packets`` ESP life in packets <1000-26843545600000>. Number of packets transmitted over an IPsec SA before it expires;"
 msgstr "``life-packets`` ESP life in packets <1000-26843545600000>. Number of packets transmitted over an IPsec SA before it expires;"
 
-#: ../../configuration/vpn/ipsec.rst:134
+#: ../../configuration/vpn/ipsec.rst:135
 msgid "``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). How long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry;"
 msgstr "``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). How long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry;"
 
-#: ../../configuration/vpn/ipsec.rst:88
+#: ../../configuration/vpn/ipsec.rst:89
 msgid "``lifetime`` IKE lifetime in seconds <0-86400> (default 28800);"
 msgstr "``lifetime`` IKE lifetime in seconds <0-86400> (default 28800);"
 
@@ -20538,7 +23234,7 @@ msgstr "``m`` - Execution interval in minutes"
 msgid "``main`` Routing table used by VyOS and other interfaces not participating in PBR"
 msgstr "``main`` Routing table used by VyOS and other interfaces not participating in PBR"
 
-#: ../../configuration/vpn/ipsec.rst:95
+#: ../../configuration/vpn/ipsec.rst:96
 msgid "``main`` use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default);"
 msgstr "``main`` use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default);"
 
@@ -20558,27 +23254,39 @@ msgstr "``mobike`` enable MOBIKE Support. MOBIKE is only available for IKEv2:"
 msgid "``mode`` - mode for authentication between VyOS and remote peer:"
 msgstr "``mode`` - mode for authentication between VyOS and remote peer:"
 
-#: ../../configuration/vpn/ipsec.rst:93
+#: ../../configuration/vpn/ipsec.rst:94
 msgid "``mode`` IKEv1 Phase 1 Mode Selection:"
 msgstr "``mode`` IKEv1 Phase 1 Mode Selection:"
 
-#: ../../configuration/vpn/ipsec.rst:139
+#: ../../configuration/vpn/ipsec.rst:140
 msgid "``mode`` the type of the connection:"
 msgstr "``mode`` the type of the connection:"
 
-#: ../../configuration/interfaces/wireless.rst:123
+#: ../../configuration/interfaces/wireless.rst:149
 msgid "``monitor`` - Passively monitor all packets on the frequency/channel"
 msgstr "``monitor`` - Passively monitor all packets on the frequency/channel"
 
-#: ../../configuration/interfaces/wireless.rst:240
+#: ../../configuration/interfaces/wireless.rst:274
+msgid "``multi-user-beamformee`` - Support for operation as multi user beamformee"
+msgstr "``multi-user-beamformee`` - Support for operation as multi user beamformee"
+
+#: ../../configuration/interfaces/wireless.rst:243
 msgid "``multi-user-beamformee`` - Support for operation as single user beamformer"
 msgstr "``multi-user-beamformee`` - Support for operation as single user beamformer"
 
-#: ../../configuration/interfaces/wireless.rst:239
+#: ../../configuration/interfaces/wireless.rst:272
+msgid "``multi-user-beamformer`` - Support for operation as multi user beamformer"
+msgstr "``multi-user-beamformer`` - Support for operation as multi user beamformer"
+
+#: ../../configuration/interfaces/wireless.rst:355
 msgid "``multi-user-beamformer`` - Support for operation as single user beamformer"
 msgstr "``multi-user-beamformer`` - Support for operation as single user beamformer"
 
-#: ../../configuration/interfaces/wireless.rst:94
+#: ../../configuration/loadbalancing/haproxy.rst:252
+msgid "``mysql`` MySQL protocol check."
+msgstr "``mysql`` MySQL protocol check."
+
+#: ../../configuration/interfaces/wireless.rst:115
 msgid "``n`` - 802.11n - 600 Mbits/sec"
 msgstr "``n`` - 802.11n - 600 Mbits/sec"
 
@@ -20586,43 +23294,43 @@ msgstr "``n`` - 802.11n - 600 Mbits/sec"
 msgid "``name`` is used for the VyOS CLI command to identify this key. This key ``name`` is then used in the CLI configuration to reference the key instance."
 msgstr "``name`` is used for the VyOS CLI command to identify this key. This key ``name`` is then used in the CLI configuration to reference the key instance."
 
-#: ../../configuration/firewall/global-options.rst:79
+#: ../../configuration/firewall/global-options.rst:84
 msgid "``net.ipv4.conf.all.accept_redirects``"
 msgstr "``net.ipv4.conf.all.accept_redirects``"
 
-#: ../../configuration/firewall/global-options.rst:69
+#: ../../configuration/firewall/global-options.rst:74
 msgid "``net.ipv4.conf.all.accept_source_route``"
 msgstr "``net.ipv4.conf.all.accept_source_route``"
 
-#: ../../configuration/firewall/global-options.rst:94
+#: ../../configuration/firewall/global-options.rst:99
 msgid "``net.ipv4.conf.all.log_martians``"
 msgstr "``net.ipv4.conf.all.log_martians``"
 
-#: ../../configuration/firewall/global-options.rst:102
+#: ../../configuration/firewall/global-options.rst:107
 msgid "``net.ipv4.conf.all.rp_filter``"
 msgstr "``net.ipv4.conf.all.rp_filter``"
 
-#: ../../configuration/firewall/global-options.rst:87
+#: ../../configuration/firewall/global-options.rst:92
 msgid "``net.ipv4.conf.all.send_redirects``"
 msgstr "``net.ipv4.conf.all.send_redirects``"
 
-#: ../../configuration/firewall/global-options.rst:61
+#: ../../configuration/firewall/global-options.rst:66
 msgid "``net.ipv4.icmp_echo_ignore_broadcasts``"
 msgstr "``net.ipv4.icmp_echo_ignore_broadcasts``"
 
-#: ../../configuration/firewall/global-options.rst:117
+#: ../../configuration/firewall/global-options.rst:122
 msgid "``net.ipv4.tcp_rfc1337``"
 msgstr "``net.ipv4.tcp_rfc1337``"
 
-#: ../../configuration/firewall/global-options.rst:109
+#: ../../configuration/firewall/global-options.rst:114
 msgid "``net.ipv4.tcp_syncookies``"
 msgstr "``net.ipv4.tcp_syncookies``"
 
-#: ../../configuration/firewall/global-options.rst:80
+#: ../../configuration/firewall/global-options.rst:85
 msgid "``net.ipv6.conf.all.accept_redirects``"
 msgstr "``net.ipv6.conf.all.accept_redirects``"
 
-#: ../../configuration/firewall/global-options.rst:70
+#: ../../configuration/firewall/global-options.rst:75
 msgid "``net.ipv6.conf.all.accept_source_route``"
 msgstr "``net.ipv6.conf.all.accept_source_route``"
 
@@ -20654,7 +23362,7 @@ msgstr "``none`` - Execution interval in minutes"
 msgid "``none`` - loads the connection only, which then can be manually initiated or used as a responder configuration."
 msgstr "``none`` - loads the connection only, which then can be manually initiated or used as a responder configuration."
 
-#: ../../configuration/vpn/ipsec.rst:50
+#: ../../configuration/vpn/ipsec.rst:51
 msgid "``none`` set action to none (default);"
 msgstr "``none`` set action to none (default);"
 
@@ -20662,11 +23370,15 @@ msgstr "``none`` set action to none (default);"
 msgid "``noselect`` marks the server as unused, except for display purposes. The server is discarded by the selection algorithm."
 msgstr "``noselect`` marks the server as unused, except for display purposes. The server is discarded by the selection algorithm."
 
+#: ../../configuration/firewall/bridge.rst:104
+msgid "``notrack``: ignore connection tracking system. This action is only available in prerouting chain."
+msgstr "``notrack``: ignore connection tracking system. This action is only available in prerouting chain."
+
 #: ../../configuration/service/ntp.rst:60
 msgid "``nts`` enables Network Time Security (NTS) for the server as specified in :rfc:`8915`"
 msgstr "``nts`` enables Network Time Security (NTS) for the server as specified in :rfc:`8915`"
 
-#: ../../configuration/vpn/ipsec.rst:164
+#: ../../configuration/vpn/ipsec.rst:168
 msgid "``options``"
 msgstr "``options``"
 
@@ -20682,6 +23394,10 @@ msgstr "``ospfv3`` - Open Shortest Path First (IPv6) (OSPFv3)"
 msgid "``out``: Ruleset for forwarded packets on an outbound interface"
 msgstr "``out``: Ruleset for forwarded packets on an outbound interface"
 
+#: ../../configuration/system/option.rst:61
+msgid "``passive`` The driver allows the system governor to manage CPU frequency while providing available performance states."
+msgstr "``passive`` The driver allows the system governor to manage CPU frequency while providing available performance states."
+
 #: ../../configuration/vpn/site2site_ipsec.rst:54
 msgid "``passphrase`` - local private key passphrase"
 msgstr "``passphrase`` - local private key passphrase"
@@ -20698,14 +23414,22 @@ msgstr "``password`` - passphrase private key, if needed."
 msgid "``peer`` is used for the VyOS CLI command to identify the WireGuard peer where this secred is to be used."
 msgstr "``peer`` is used for the VyOS CLI command to identify the WireGuard peer where this secred is to be used."
 
+#: ../../configuration/pki/index.rst:165
+msgid "``peer`` is used for the VyOS CLI command to identify the WireGuard peer where this secret is to be used."
+msgstr "``peer`` is used for the VyOS CLI command to identify the WireGuard peer where this secret is to be used."
+
 #: ../../configuration/loadbalancing/wan.rst:88
 msgid "``period``: Time window for rate calculation. Possible values: ``second`` (one second), ``minute`` (one minute), ``hour`` (one hour). Default is ``second``."
 msgstr "``period``: Time window for rate calculation. Possible values: ``second`` (one second), ``minute`` (one minute), ``hour`` (one hour). Default is ``second``."
 
-#: ../../configuration/vpn/ipsec.rst:145
+#: ../../configuration/vpn/ipsec.rst:146
 msgid "``pfs`` whether Perfect Forward Secrecy of keys is desired on the connection's keying channel and defines a Diffie-Hellman group for PFS:"
 msgstr "``pfs`` whether Perfect Forward Secrecy of keys is desired on the connection's keying channel and defines a Diffie-Hellman group for PFS:"
 
+#: ../../configuration/loadbalancing/haproxy.rst:253
+msgid "``pgsql`` PostgreSQL protocol check."
+msgstr "``pgsql`` PostgreSQL protocol check."
+
 #: ../../configuration/service/ntp.rst:63
 msgid "``pool`` mobilizes persistent client mode association with a number of remote servers."
 msgstr "``pool`` mobilizes persistent client mode association with a number of remote servers."
@@ -20715,6 +23439,10 @@ msgstr "``pool`` mobilizes persistent client mode association with a number of r
 msgid "``port`` - define port. Have effect only when used together with ``prefix``;"
 msgstr "``port`` - define port. Have effect only when used together with ``prefix``;"
 
+#: ../../configuration/service/suricata.rst:58
+msgid "``port``  Port number."
+msgstr "``port``  Port number."
+
 #: ../../configuration/vpn/site2site_ipsec.rst:38
 msgid "``pre-shared-secret`` - use predefined shared secret phrase;"
 msgstr "``pre-shared-secret`` - use predefined shared secret phrase;"
@@ -20731,7 +23459,7 @@ msgstr "``prefix`` - IP network at local side."
 msgid "``prefix`` - IP network at remote side."
 msgstr "``prefix`` - IP network at remote side."
 
-#: ../../configuration/vpn/ipsec.rst:109
+#: ../../configuration/vpn/ipsec.rst:110
 msgid "``prf`` pseudo-random function."
 msgstr "``prf`` pseudo-random function."
 
@@ -20739,15 +23467,15 @@ msgstr "``prf`` pseudo-random function."
 msgid "``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value more preferable)"
 msgstr "``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value more preferable)"
 
-#: ../../configuration/system/option.rst:51
+#: ../../configuration/system/option.rst:49
 msgid "``processor.max_cstate=1`` Limit processor to maximum C-state 1"
 msgstr "``processor.max_cstate=1`` Limit processor to maximum C-state 1"
 
-#: ../../configuration/vpn/ipsec.rst:154
+#: ../../configuration/vpn/ipsec.rst:155
 msgid "``proposal`` ESP-group proposal with number <1-65535>:"
 msgstr "``proposal`` ESP-group proposal with number <1-65535>:"
 
-#: ../../configuration/vpn/ipsec.rst:101
+#: ../../configuration/vpn/ipsec.rst:102
 msgid "``proposal`` the list of proposals and their parameters:"
 msgstr "``proposal`` the list of proposals and their parameters:"
 
@@ -20759,9 +23487,13 @@ msgstr "``protocol`` - define the protocol for match traffic, which should be en
 msgid "``psk`` - Preshared secret key name:"
 msgstr "``psk`` - Preshared secret key name:"
 
-#: ../../configuration/firewall/bridge.rst:83
-#: ../../configuration/firewall/ipv4.rst:101
-#: ../../configuration/firewall/ipv6.rst:101
+#: ../../configuration/service/ntp.rst:70
+msgid "``ptp`` enables the PTP transport for this server (see :ref:`ptp-transport`)."
+msgstr "``ptp`` enables the PTP transport for this server (see :ref:`ptp-transport`)."
+
+#: ../../configuration/firewall/bridge.rst:102
+#: ../../configuration/firewall/ipv4.rst:125
+#: ../../configuration/firewall/ipv6.rst:125
 msgid "``queue``: Enqueue packet to userspace."
 msgstr "``queue``: Enqueue packet to userspace."
 
@@ -20769,8 +23501,16 @@ msgstr "``queue``: Enqueue packet to userspace."
 msgid "``rate``: Number of packets. Default 5."
 msgstr "``rate``: Number of packets. Default 5."
 
-#: ../../configuration/firewall/ipv4.rst:94
-#: ../../configuration/firewall/ipv6.rst:94
+#: ../../configuration/service/ntp.rst:152
+msgid "``receive-filter [all|ntp|ptp|none]`` selects the receive filter mode, which controls which inbound packets the NIC applies timestamps to. The selected mode must be supported by the NIC, or timestamping will be disabled for the interface."
+msgstr "``receive-filter [all|ntp|ptp|none]`` selects the receive filter mode, which controls which inbound packets the NIC applies timestamps to. The selected mode must be supported by the NIC, or timestamping will be disabled for the interface."
+
+#: ../../configuration/loadbalancing/haproxy.rst:251
+msgid "``redis`` Redis protocol check."
+msgstr "``redis`` Redis protocol check."
+
+#: ../../configuration/firewall/ipv4.rst:118
+#: ../../configuration/firewall/ipv6.rst:118
 msgid "``reject``: reject the packet."
 msgstr "``reject``: reject the packet."
 
@@ -20794,7 +23534,7 @@ msgstr "``remote`` - define the remote destination for match traffic, which shou
 msgid "``replay-window`` - IPsec replay window to configure for this CHILD_SA (default: 32), a value of 0 disables IPsec replay protection"
 msgstr "``replay-window`` - IPsec replay window to configure for this CHILD_SA (default: 32), a value of 0 disables IPsec replay protection"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:64
+#: ../../configuration/loadbalancing/haproxy.rst:76
 msgid "``req-ssl-sni`` SSL Server Name Indication (SNI) request match"
 msgstr "``req-ssl-sni`` SSL Server Name Indication (SNI) request match"
 
@@ -20806,7 +23546,7 @@ msgstr "``resp-time``: the maximum response time for ping in seconds. Range 1...
 msgid "``respond`` - does not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to firewall or NAT in the middle of the local and remote side."
 msgstr "``respond`` - does not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to firewall or NAT in the middle of the local and remote side."
 
-#: ../../configuration/vpn/ipsec.rst:68
+#: ../../configuration/vpn/ipsec.rst:69
 msgid "``restart`` immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA;"
 msgstr "``restart`` immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA;"
 
@@ -20815,9 +23555,9 @@ msgstr "``restart`` immediately tries to re-negotiate the CHILD_SA under a fresh
 msgid "``restart`` set action to restart;"
 msgstr "``restart`` set action to restart;"
 
-#: ../../configuration/firewall/bridge.rst:80
-#: ../../configuration/firewall/ipv4.rst:98
-#: ../../configuration/firewall/ipv6.rst:98
+#: ../../configuration/firewall/bridge.rst:99
+#: ../../configuration/firewall/ipv4.rst:122
+#: ../../configuration/firewall/ipv6.rst:122
 msgid "``return``: Return from the current chain and continue at the next rule of the last chain."
 msgstr "``return``: Return from the current chain and continue at the next rule of the last chain."
 
@@ -20833,7 +23573,7 @@ msgstr "``ripng`` - Routing Information Protocol next-generation (IPv6) (RIPng)"
 msgid "``round-robin`` - Round-robin policy: Transmit packets in sequential order from the first available slave through the last."
 msgstr "``round-robin`` - Round-robin policy: Transmit packets in sequential order from the first available slave through the last."
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:106
+#: ../../configuration/loadbalancing/haproxy.rst:118
 msgid "``round-robin`` Distributes requests in a circular manner, sequentially sending each request to the next server in line"
 msgstr "``round-robin`` Distributes requests in a circular manner, sequentially sending each request to the next server in line"
 
@@ -20873,15 +23613,28 @@ msgstr "``rsa`` - use simple shared RSA key. The key must be defined in the ``se
 msgid "``secret`` - predefined shared secret. Used if configured mode ``pre-shared-secret``;"
 msgstr "``secret`` - predefined shared secret. Used if configured mode ``pre-shared-secret``;"
 
-#: ../../configuration/firewall/index.rst:90
+#: ../../configuration/firewall/index.rst:113
 msgid "``set firewall bridge forward filter ...``."
 msgstr "``set firewall bridge forward filter ...``."
 
-#: ../../configuration/firewall/index.rst:61
+#: ../../configuration/firewall/index.rst:118
+msgid "``set firewall bridge input filter ...``."
+msgstr "``set firewall bridge input filter ...``."
+
+#: ../../configuration/firewall/index.rst:123
+msgid "``set firewall bridge output filter ...``."
+msgstr "``set firewall bridge output filter ...``."
+
+#: ../../configuration/firewall/bridge.rst:44
+#: ../../configuration/firewall/index.rst:108
+msgid "``set firewall bridge prerouting filter ...``."
+msgstr "``set firewall bridge prerouting filter ...``."
+
+#: ../../configuration/firewall/index.rst:75
 msgid "``set firewall ipv4 forward filter ...``."
 msgstr "``set firewall ipv4 forward filter ...``."
 
-#: ../../configuration/firewall/index.rst:54
+#: ../../configuration/firewall/index.rst:68
 msgid "``set firewall ipv4 input filter ...``."
 msgstr "``set firewall ipv4 input filter ...``."
 
@@ -20889,11 +23642,11 @@ msgstr "``set firewall ipv4 input filter ...``."
 msgid "``set firewall ipv4 output filter ...``."
 msgstr "``set firewall ipv4 output filter ...``."
 
-#: ../../configuration/firewall/index.rst:63
+#: ../../configuration/firewall/index.rst:77
 msgid "``set firewall ipv6 forward filter ...``."
 msgstr "``set firewall ipv6 forward filter ...``."
 
-#: ../../configuration/firewall/index.rst:56
+#: ../../configuration/firewall/index.rst:70
 msgid "``set firewall ipv6 input filter ...``."
 msgstr "``set firewall ipv6 input filter ...``."
 
@@ -20901,19 +23654,25 @@ msgstr "``set firewall ipv6 input filter ...``."
 msgid "``set firewall ipv6 output filter ...``."
 msgstr "``set firewall ipv6 output filter ...``."
 
-#: ../../configuration/interfaces/wireless.rst:238
+#: ../../configuration/interfaces/wireless.rst:270
+#: ../../configuration/interfaces/wireless.rst:353
 msgid "``single-user-beamformee`` - Support for operation as single user beamformee"
 msgstr "``single-user-beamformee`` - Support for operation as single user beamformee"
 
-#: ../../configuration/interfaces/wireless.rst:237
+#: ../../configuration/interfaces/wireless.rst:268
+#: ../../configuration/interfaces/wireless.rst:351
 msgid "``single-user-beamformer`` - Support for operation as single user beamformer"
 msgstr "``single-user-beamformer`` - Support for operation as single user beamformer"
 
+#: ../../configuration/loadbalancing/haproxy.rst:254
+msgid "``smtp`` SMTP protocol check."
+msgstr "``smtp`` SMTP protocol check."
+
 #: ../../configuration/service/lldp.rst:68
 msgid "``sonmp`` - Listen for SONMP for Nortel routers/switches"
 msgstr "``sonmp`` - Listen for SONMP for Nortel routers/switches"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:104
+#: ../../configuration/loadbalancing/haproxy.rst:116
 msgid "``source-address`` Distributes requests based on the source IP address of the client"
 msgstr "``source-address`` Distributes requests based on the source IP address of the client"
 
@@ -20933,15 +23692,15 @@ msgstr "``ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB username@host.example.com`
 msgid "``ssh-rsa``"
 msgstr "``ssh-rsa``"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:66
+#: ../../configuration/loadbalancing/haproxy.rst:78
 msgid "``ssl-fc-sni-end`` SSL frontend match end of connection Server Name"
 msgstr "``ssl-fc-sni-end`` SSL frontend match end of connection Server Name"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:65
+#: ../../configuration/loadbalancing/haproxy.rst:77
 msgid "``ssl-fc-sni`` SSL frontend connection Server Name Indication match"
 msgstr "``ssl-fc-sni`` SSL frontend connection Server Name Indication match"
 
-#: ../../configuration/vpn/ipsec.rst:54
+#: ../../configuration/vpn/ipsec.rst:55
 msgid "``start`` tries to immediately re-create the CHILD_SA;"
 msgstr "``start`` tries to immediately re-create the CHILD_SA;"
 
@@ -20949,24 +23708,24 @@ msgstr "``start`` tries to immediately re-create the CHILD_SA;"
 msgid "``static`` - Statically configured routes"
 msgstr "``static`` - Statically configured routes"
 
-#: ../../configuration/interfaces/wireless.rst:122
+#: ../../configuration/interfaces/wireless.rst:148
 msgid "``station`` - Connects to another access point"
 msgstr "``station`` - Connects to another access point"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:185
+#: ../../configuration/loadbalancing/haproxy.rst:237
 msgid "``status 200-399`` Expecting a non-failure response code"
 msgstr "``status 200-399`` Expecting a non-failure response code"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:184
+#: ../../configuration/loadbalancing/haproxy.rst:236
 msgid "``status 200`` Expecting a 200 response code"
 msgstr "``status 200`` Expecting a 200 response code"
 
-#: ../../configuration/loadbalancing/reverse-proxy.rst:186
+#: ../../configuration/loadbalancing/haproxy.rst:238
 msgid "``string success`` Expecting the string `success` in the response body"
 msgstr "``string success`` Expecting the string `success` in the response body"
 
-#: ../../configuration/firewall/ipv4.rst:103
-#: ../../configuration/firewall/ipv6.rst:103
+#: ../../configuration/firewall/ipv4.rst:127
+#: ../../configuration/firewall/ipv6.rst:127
 msgid "``synproxy``: synproxy the packet."
 msgstr "``synproxy``: synproxy the packet."
 
@@ -21006,15 +23765,27 @@ msgstr "``test-script``: A user defined script must return 0 to be considered su
 msgid "``threshold``: ``below`` or ``above`` the specified rate limit."
 msgstr "``threshold``: ``below`` or ``above`` the specified rate limit."
 
-#: ../../configuration/system/option.rst:127
+#: ../../configuration/system/option.rst:147
 msgid "``throughput``: A server profile focused on improving network throughput. This profile favors performance over power savings by setting ``intel_pstate`` and ``max_perf_pct=100`` and increasing kernel network buffer sizes."
 msgstr "``throughput``: A server profile focused on improving network throughput. This profile favors performance over power savings by setting ``intel_pstate`` and ``max_perf_pct=100`` and increasing kernel network buffer sizes."
 
-#: ../../configuration/vpn/ipsec.rst:73
+#: ../../configuration/service/ntp.rst:49
+msgid "``time1.vyos.net``"
+msgstr "``time1.vyos.net``"
+
+#: ../../configuration/service/ntp.rst:50
+msgid "``time2.vyos.net``"
+msgstr "``time2.vyos.net``"
+
+#: ../../configuration/service/ntp.rst:51
+msgid "``time3.vyos.net``"
+msgstr "``time3.vyos.net``"
+
+#: ../../configuration/vpn/ipsec.rst:74
 msgid "``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only"
 msgstr "``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only"
 
-#: ../../configuration/service/https.rst:98
+#: ../../configuration/service/https.rst:101
 msgid "``token`` use JWT tokens."
 msgstr "``token`` use JWT tokens."
 
@@ -21022,15 +23793,15 @@ msgstr "``token`` use JWT tokens."
 msgid "``transmit-load-balance`` - Adaptive transmit load balancing: channel bonding that does not require any special switch support."
 msgstr "``transmit-load-balance`` - Adaptive transmit load balancing: channel bonding that does not require any special switch support."
 
-#: ../../configuration/vpn/ipsec.rst:143
+#: ../../configuration/vpn/ipsec.rst:144
 msgid "``transport`` transport mode;"
 msgstr "``transport`` transport mode;"
 
-#: ../../configuration/vpn/ipsec.rst:63
+#: ../../configuration/vpn/ipsec.rst:64
 msgid "``trap``  installs a trap policy, which will catch matching traffic and tries to re-negotiate the tunnel on-demand;"
 msgstr "``trap``  installs a trap policy, which will catch matching traffic and tries to re-negotiate the tunnel on-demand;"
 
-#: ../../configuration/vpn/ipsec.rst:52
+#: ../../configuration/vpn/ipsec.rst:53
 msgid "``trap`` installs a trap policy for the CHILD_SA;"
 msgstr "``trap`` installs a trap policy for the CHILD_SA;"
 
@@ -21050,7 +23821,7 @@ msgstr "``ttyUSBX`` - USB Serial device name"
 msgid "``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer:"
 msgstr "``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer:"
 
-#: ../../configuration/vpn/ipsec.rst:141
+#: ../../configuration/vpn/ipsec.rst:142
 msgid "``tunnel`` tunnel mode (default);"
 msgstr "``tunnel`` tunnel mode (default);"
 
@@ -21058,6 +23829,10 @@ msgstr "``tunnel`` tunnel mode (default);"
 msgid "``type``: Specify the type of test. type can be ping, ttl or a user defined script"
 msgstr "``type``: Specify the type of test. type can be ping, ttl or a user defined script"
 
+#: ../../configuration/service/suricata.rst:75
+msgid "``type``  Log types."
+msgstr "``type``  Log types."
+
 #: ../../configuration/vpn/site2site_ipsec.rst:56
 msgid "``use-x509-id`` - use local ID from x509 certificate. Cannot be used when ``id`` is defined;"
 msgstr "``use-x509-id`` - use local ID from x509 certificate. Cannot be used when ``id`` is defined;"
@@ -21070,6 +23845,10 @@ msgstr "``virtual-address`` - Defines a virtual IP address which is requested by
 msgid "``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all."
 msgstr "``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all."
 
+#: ../../configuration/vpn/ipsec.rst:192
+msgid "``virtual-ip`` Allows the installation of virtual-ip addresses. A comma"
+msgstr "``virtual-ip`` Allows the installation of virtual-ip addresses. A comma"
+
 #: ../../configuration/vpn/ipsec.rst:172
 msgid "``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy."
 msgstr "``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy."
@@ -21114,23 +23893,39 @@ msgstr "``xor-hash`` - XOR policy: Transmit based on the selected transmit hash
 msgid "``yes`` enable remote host re-authentication during an IKE rekey;"
 msgstr "``yes`` enable remote host re-authentication during an IKE rekey;"
 
-#: ../../configuration/service/ntp.rst:90
+#: ../../configuration/service/ntp.rst:160
+msgid "`all`: All received packets will be timestamped."
+msgstr "`all`: All received packets will be timestamped."
+
+#: ../../configuration/service/ntp.rst:97
 msgid "`ignore`: No correction is applied to the clock for the leap second. The clock will be corrected later in normal operation when new measurements are made and the estimated offset includes the one second error."
 msgstr "`ignore`: No correction is applied to the clock for the leap second. The clock will be corrected later in normal operation when new measurements are made and the estimated offset includes the one second error."
 
-#: ../../configuration/service/ntp.rst:94
+#: ../../configuration/service/ntp.rst:168
+msgid "`none`: No received packets will be timestamped. Hardware timestamping of transmitted packets will still be leveraged, if supported by the NIC."
+msgstr "`none`: No received packets will be timestamped. Hardware timestamping of transmitted packets will still be leveraged, if supported by the NIC."
+
+#: ../../configuration/service/ntp.rst:162
+msgid "`ntp`: Only received  NTP protocol packets will be timestamped."
+msgstr "`ntp`: Only received  NTP protocol packets will be timestamped."
+
+#: ../../configuration/service/ntp.rst:164
+msgid "`ptp`: Only received PTP protocol packets will be timestamped. Combined with the PTP transport for NTP packets, this can be leveraged to take advantage of hardware timestamping on NICs that only support the ptp filter mode."
+msgstr "`ptp`: Only received PTP protocol packets will be timestamped. Combined with the PTP transport for NTP packets, this can be leveraged to take advantage of hardware timestamping on NICs that only support the ptp filter mode."
+
+#: ../../configuration/service/ntp.rst:101
 msgid "`smear`: When smearing a leap second, the leap status is suppressed on the server and the served time is corrected slowly by slewing instead of stepping. The clients do not need any special configuration as they do not know there is any leap second and they follow the server time which eventually brings them back to UTC. Care must be taken to ensure they use only NTP servers which smear the leap second in exactly the same way for synchronisation."
 msgstr "`smear`: When smearing a leap second, the leap status is suppressed on the server and the served time is corrected slowly by slewing instead of stepping. The clients do not need any special configuration as they do not know there is any leap second and they follow the server time which eventually brings them back to UTC. Care must be taken to ensure they use only NTP servers which smear the leap second in exactly the same way for synchronisation."
 
-#: ../../configuration/system/option.rst:69
+#: ../../configuration/system/option.rst:89
 msgid "`source-address` and `source-interface` can not be used at the same time."
 msgstr "`source-address` and `source-interface` can not be used at the same time."
 
-#: ../../configuration/service/ntp.rst:102
+#: ../../configuration/service/ntp.rst:109
 msgid "`system`: When inserting a leap second, the kernel steps the system clock backwards by one second when the clock gets to 00:00:00 UTC. When deleting a leap second, it steps forward by one second when the clock gets to 23:59:59 UTC."
 msgstr "`system`: When inserting a leap second, the kernel steps the system clock backwards by one second when the clock gets to 00:00:00 UTC. When deleting a leap second, it steps forward by one second when the clock gets to 23:59:59 UTC."
 
-#: ../../configuration/service/ntp.rst:107
+#: ../../configuration/service/ntp.rst:114
 msgid "`timezone`: This directive specifies a timezone in the system timezone database which chronyd can use to determine when will the next leap second occur and what is the current offset between TAI and UTC. It will periodically check if 23:59:59 and 23:59:60 are valid times in the timezone. This normally works with the right/UTC timezone which is the default"
 msgstr "`timezone`: This directive specifies a timezone in the system timezone database which chronyd can use to determine when will the next leap second occur and what is the current offset between TAI and UTC. It will periodically check if 23:59:59 and 23:59:60 are valid times in the timezone. This normally works with the right/UTC timezone which is the default"
 
@@ -21151,17 +23946,17 @@ msgstr "a blank indicates that no test has been carried out"
 msgid "aes256 Encryption"
 msgstr "aes256 Encryption"
 
-#: ../../configuration/system/syslog.rst:173
+#: ../../configuration/system/syslog.rst:191
 msgid "alert"
 msgstr "alert"
 
-#: ../../configuration/system/syslog.rst:110
-#: ../../configuration/system/syslog.rst:169
-#: ../../configuration/system/syslog.rst:219
+#: ../../configuration/system/syslog.rst:128
+#: ../../configuration/system/syslog.rst:187
+#: ../../configuration/system/syslog.rst:237
 msgid "all"
 msgstr "all"
 
-#: ../../configuration/vrf/index.rst:447
+#: ../../configuration/vrf/index.rst:443
 msgid "an RD / RTLIST"
 msgstr "an RD / RTLIST"
 
@@ -21177,11 +23972,11 @@ msgstr "any: any IP address to match."
 msgid "any: any IPv6 address to match."
 msgstr "any: any IPv6 address to match."
 
-#: ../../configuration/system/syslog.rst:120
+#: ../../configuration/system/syslog.rst:138
 msgid "auth"
 msgstr "auth"
 
-#: ../../configuration/system/syslog.rst:221
+#: ../../configuration/system/syslog.rst:239
 msgid "authorization"
 msgstr "authorization"
 
@@ -21233,23 +24028,23 @@ msgstr "client-prefix-length"
 msgid "client example (debian 9)"
 msgstr "client example (debian 9)"
 
-#: ../../configuration/system/syslog.rst:142
+#: ../../configuration/system/syslog.rst:160
 msgid "clock"
 msgstr "clock"
 
-#: ../../configuration/system/syslog.rst:142
+#: ../../configuration/system/syslog.rst:160
 msgid "clock daemon (note 2)"
 msgstr "clock daemon (note 2)"
 
-#: ../../configuration/system/syslog.rst:178
+#: ../../configuration/system/syslog.rst:196
 msgid "crit"
 msgstr "crit"
 
-#: ../../configuration/system/syslog.rst:130
+#: ../../configuration/system/syslog.rst:148
 msgid "cron"
 msgstr "cron"
 
-#: ../../configuration/system/syslog.rst:118
+#: ../../configuration/system/syslog.rst:136
 msgid "daemon"
 msgstr "daemon"
 
@@ -21269,7 +24064,7 @@ msgstr "ddclient_ uses two methods to update a DNS record. The first one will se
 msgid "ddclient_ will skip any address located before the string set in `<pattern>`."
 msgstr "ddclient_ will skip any address located before the string set in `<pattern>`."
 
-#: ../../configuration/system/syslog.rst:191
+#: ../../configuration/system/syslog.rst:209
 msgid "debug"
 msgstr "debug"
 
@@ -21293,7 +24088,7 @@ msgstr "default-preference"
 msgid "default-router"
 msgstr "default-router"
 
-#: ../../configuration/trafficpolicy/index.rst:862
+#: ../../configuration/trafficpolicy/index.rst:912
 msgid "default min-threshold"
 msgstr "default min-threshold"
 
@@ -21301,7 +24096,7 @@ msgstr "default min-threshold"
 msgid "deprecate-prefix"
 msgstr "deprecate-prefix"
 
-#: ../../configuration/highavailability/index.rst:364
+#: ../../configuration/highavailability/index.rst:368
 msgid "destination-hashing"
 msgstr "destination-hashing"
 
@@ -21309,11 +24104,11 @@ msgstr "destination-hashing"
 msgid "dhcp-server-identifier"
 msgstr "dhcp-server-identifier"
 
-#: ../../configuration/highavailability/index.rst:374
+#: ../../configuration/highavailability/index.rst:378
 msgid "direct"
 msgstr "direct"
 
-#: ../../configuration/system/syslog.rst:223
+#: ../../configuration/system/syslog.rst:241
 msgid "directory"
 msgstr "directory"
 
@@ -21341,7 +24136,7 @@ msgstr "domain-name-servers"
 msgid "domain-search"
 msgstr "domain-search"
 
-#: ../../configuration/system/syslog.rst:171
+#: ../../configuration/system/syslog.rst:189
 msgid "emerg"
 msgstr "emerg"
 
@@ -21361,7 +24156,7 @@ msgstr "enable or disable of ICMPv4 or ICMPv6 redirect messages accepted by VyOS
 msgid "enable or disable the logging of martian IPv4 packets. The following system parameter will be altered:"
 msgstr "enable or disable the logging of martian IPv4 packets. The following system parameter will be altered:"
 
-#: ../../configuration/system/syslog.rst:181
+#: ../../configuration/system/syslog.rst:199
 msgid "err"
 msgstr "err"
 
@@ -21385,7 +24180,7 @@ msgstr "failover"
 msgid "fast: Request partner to transmit LACPDUs every 1 second"
 msgstr "fast: Request partner to transmit LACPDUs every 1 second"
 
-#: ../../configuration/system/syslog.rst:225
+#: ../../configuration/system/syslog.rst:243
 msgid "file <file name>"
 msgstr "file <file name>"
 
@@ -21394,7 +24189,7 @@ msgstr "file <file name>"
 msgid "filter-list"
 msgstr "filter-list"
 
-#: ../../configuration/system/syslog.rst:134
+#: ../../configuration/system/syslog.rst:152
 msgid "ftp"
 msgstr "ftp"
 
@@ -21418,14 +24213,18 @@ msgstr "hop-limit"
 msgid "host: single host IP address to match."
 msgstr "host: single host IP address to match."
 
-#: ../../configuration/system/option.rst:119
+#: ../../configuration/system/option.rst:139
 msgid "https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf"
 msgstr "https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf"
 
-#: ../../configuration/interfaces/openvpn.rst:675
+#: ../../configuration/interfaces/openvpn.rst:816
 msgid "https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features"
 msgstr "https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features"
 
+#: ../../configuration/system/option.rst:73
+msgid "https://docs.kernel.org/admin-guide/pm/amd-pstate.html"
+msgstr "https://docs.kernel.org/admin-guide/pm/amd-pstate.html"
+
 #: ../../configuration/system/acceleration.rst:28
 msgid "if there is a supported device, enable Intel® QAT"
 msgstr "if there is a supported device, enable Intel® QAT"
@@ -21434,10 +24233,14 @@ msgstr "if there is a supported device, enable Intel® QAT"
 msgid "if there is non device the command will show ```No QAT device found```"
 msgstr "if there is non device the command will show ```No QAT device found```"
 
-#: ../../configuration/system/syslog.rst:189
+#: ../../configuration/system/syslog.rst:207
 msgid "info"
 msgstr "info"
 
+#: ../../configuration/trafficpolicy/index.rst:232
+msgid "inherit matches from another group"
+msgstr "inherit matches from another group"
+
 #: ../../configuration/service/router-advert.rst:1
 msgid "interval"
 msgstr "interval"
@@ -21459,7 +24262,7 @@ msgstr "ip-forwarding"
 msgid "isisd"
 msgstr "isisd"
 
-#: ../../configuration/interfaces/ethernet.rst:106
+#: ../../configuration/interfaces/ethernet.rst:114
 msgid "it can be used with any NIC"
 msgstr "it can be used with any NIC"
 
@@ -21467,7 +24270,7 @@ msgstr "it can be used with any NIC"
 msgid "it can be used with any NIC,"
 msgstr "it can be used with any NIC,"
 
-#: ../../configuration/interfaces/ethernet.rst:108
+#: ../../configuration/interfaces/ethernet.rst:116
 msgid "it does not increase hardware device interrupt rate, although it does introduce inter-processor interrupts (IPIs)"
 msgstr "it does not increase hardware device interrupt rate, although it does introduce inter-processor interrupts (IPIs)"
 
@@ -21475,7 +24278,7 @@ msgstr "it does not increase hardware device interrupt rate, although it does in
 msgid "it does not increase hardware device interrupt rate (although it does introduce inter-processor interrupts (IPIs))."
 msgstr "it does not increase hardware device interrupt rate (although it does introduce inter-processor interrupts (IPIs))."
 
-#: ../../configuration/system/syslog.rst:112
+#: ../../configuration/system/syslog.rst:130
 msgid "kern"
 msgstr "kern"
 
@@ -21491,7 +24294,7 @@ msgstr "ldpd"
 msgid "lease"
 msgstr "lease"
 
-#: ../../configuration/highavailability/index.rst:361
+#: ../../configuration/highavailability/index.rst:365
 msgid "least-connection"
 msgstr "least-connection"
 
@@ -21515,75 +24318,75 @@ msgstr "left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actuall
 msgid "link-mtu"
 msgstr "link-mtu"
 
-#: ../../configuration/system/syslog.rst:144
+#: ../../configuration/system/syslog.rst:162
 msgid "local0"
 msgstr "local0"
 
-#: ../../configuration/system/syslog.rst:146
+#: ../../configuration/system/syslog.rst:164
 msgid "local1"
 msgstr "local1"
 
-#: ../../configuration/system/syslog.rst:148
+#: ../../configuration/system/syslog.rst:166
 msgid "local2"
 msgstr "local2"
 
-#: ../../configuration/system/syslog.rst:150
+#: ../../configuration/system/syslog.rst:168
 msgid "local3"
 msgstr "local3"
 
-#: ../../configuration/system/syslog.rst:152
+#: ../../configuration/system/syslog.rst:170
 msgid "local4"
 msgstr "local4"
 
-#: ../../configuration/system/syslog.rst:154
+#: ../../configuration/system/syslog.rst:172
 msgid "local5"
 msgstr "local5"
 
-#: ../../configuration/system/syslog.rst:156
+#: ../../configuration/system/syslog.rst:174
 msgid "local6"
 msgstr "local6"
 
-#: ../../configuration/system/syslog.rst:158
+#: ../../configuration/system/syslog.rst:176
 msgid "local7"
 msgstr "local7"
 
-#: ../../configuration/system/syslog.rst:144
+#: ../../configuration/system/syslog.rst:162
 msgid "local use 0 (local0)"
 msgstr "local use 0 (local0)"
 
-#: ../../configuration/system/syslog.rst:146
+#: ../../configuration/system/syslog.rst:164
 msgid "local use 1 (local1)"
 msgstr "local use 1 (local1)"
 
-#: ../../configuration/system/syslog.rst:148
+#: ../../configuration/system/syslog.rst:166
 msgid "local use 2 (local2)"
 msgstr "local use 2 (local2)"
 
-#: ../../configuration/system/syslog.rst:150
+#: ../../configuration/system/syslog.rst:168
 msgid "local use 3 (local3)"
 msgstr "local use 3 (local3)"
 
-#: ../../configuration/system/syslog.rst:152
+#: ../../configuration/system/syslog.rst:170
 msgid "local use 4 (local4)"
 msgstr "local use 4 (local4)"
 
-#: ../../configuration/system/syslog.rst:154
+#: ../../configuration/system/syslog.rst:172
 msgid "local use 5 (local5)"
 msgstr "local use 5 (local5)"
 
-#: ../../configuration/system/syslog.rst:158
+#: ../../configuration/system/syslog.rst:176
 msgid "local use 7 (local7)"
 msgstr "local use 7 (local7)"
 
-#: ../../configuration/highavailability/index.rst:365
+#: ../../configuration/highavailability/index.rst:369
 msgid "locality-based-least-connection"
 msgstr "locality-based-least-connection"
 
-#: ../../configuration/system/syslog.rst:140
+#: ../../configuration/system/syslog.rst:158
 msgid "logalert"
 msgstr "logalert"
 
-#: ../../configuration/system/syslog.rst:138
+#: ../../configuration/system/syslog.rst:156
 msgid "logaudit"
 msgstr "logaudit"
 
@@ -21593,7 +24396,7 @@ msgstr "logaudit"
 msgid "loose: Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail."
 msgstr "loose: Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail."
 
-#: ../../configuration/system/syslog.rst:124
+#: ../../configuration/system/syslog.rst:142
 msgid "lpr"
 msgstr "lpr"
 
@@ -21613,7 +24416,7 @@ msgstr "mDNS repeater can be enabled either on IPv4 socket or on IPv6 socket or
 msgid "mDNS repeater can be temporarily disabled without deleting the service using"
 msgstr "mDNS repeater can be temporarily disabled without deleting the service using"
 
-#: ../../configuration/system/syslog.rst:116
+#: ../../configuration/system/syslog.rst:134
 msgid "mail"
 msgstr "mail"
 
@@ -21666,7 +24469,11 @@ msgstr "network: network/netmask to match (requires inverse-match be defined)."
 msgid "network: network/netmask to match (requires inverse-match be defined) BUG, NO invert-match option in access-list6"
 msgstr "network: network/netmask to match (requires inverse-match be defined) BUG, NO invert-match option in access-list6"
 
-#: ../../configuration/system/syslog.rst:126
+#: ../../configuration/vpn/ipsec.rst:171
+msgid "networks;"
+msgstr "networks;"
+
+#: ../../configuration/system/syslog.rst:144
 msgid "news"
 msgstr "news"
 
@@ -21686,11 +24493,11 @@ msgstr "no-on-link-flag"
 msgid "notfound"
 msgstr "notfound"
 
-#: ../../configuration/system/syslog.rst:185
+#: ../../configuration/system/syslog.rst:203
 msgid "notice"
 msgstr "notice"
 
-#: ../../configuration/system/syslog.rst:136
+#: ../../configuration/system/syslog.rst:154
 msgid "ntp"
 msgstr "ntp"
 
@@ -21805,7 +24612,7 @@ msgstr "right subnet: `10.0.0.0/24` site2,remote office side"
 msgid "ripd"
 msgstr "ripd"
 
-#: ../../configuration/highavailability/index.rst:359
+#: ../../configuration/highavailability/index.rst:363
 msgid "round-robin"
 msgstr "round-robin"
 
@@ -21818,7 +24625,7 @@ msgstr "route-map"
 msgid "routers"
 msgstr "routers"
 
-#: ../../configuration/system/flow-accounting.rst:144
+#: ../../configuration/system/flow-accounting.rst:148
 #: ../../configuration/system/sflow.rst:3
 msgid "sFlow"
 msgstr "sFlow"
@@ -21827,10 +24634,14 @@ msgstr "sFlow"
 msgid "sFlow is a technology that enables monitoring of network traffic by sending sampled packets to a collector device."
 msgstr "sFlow is a technology that enables monitoring of network traffic by sending sampled packets to a collector device."
 
-#: ../../configuration/system/syslog.rst:132
+#: ../../configuration/system/syslog.rst:150
 msgid "security"
 msgstr "security"
 
+#: ../../configuration/vpn/ipsec.rst:188
+msgid "separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, or none at all. Define the ``virtual-address`` option to configure the IP address in a site-to-site hierarchy."
+msgstr "separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, or none at all. Define the ``virtual-address`` option to configure the IP address in a site-to-site hierarchy."
+
 #: ../../configuration/service/dhcp-server.rst:339
 msgid "server-identifier"
 msgstr "server-identifier"
@@ -21865,7 +24676,7 @@ msgstr "slow: Request partner to transmit LACPDUs every 30 seconds"
 msgid "smtp-server"
 msgstr "smtp-server"
 
-#: ../../configuration/interfaces/ethernet.rst:107
+#: ../../configuration/interfaces/ethernet.rst:115
 msgid "software filters can easily be added to hash over new protocols"
 msgstr "software filters can easily be added to hash over new protocols"
 
@@ -21873,7 +24684,7 @@ msgstr "software filters can easily be added to hash over new protocols"
 msgid "software filters can easily be added to hash over new protocols,"
 msgstr "software filters can easily be added to hash over new protocols,"
 
-#: ../../configuration/highavailability/index.rst:363
+#: ../../configuration/highavailability/index.rst:367
 msgid "source-hashing"
 msgstr "source-hashing"
 
@@ -21903,11 +24714,15 @@ msgstr "strict: Each incoming packet is tested against the FIB and if the interf
 msgid "subnet-mask"
 msgstr "subnet-mask"
 
-#: ../../configuration/system/syslog.rst:122
+#: ../../configuration/service/suricata.rst:5
+msgid "suricata"
+msgstr "suricata"
+
+#: ../../configuration/system/syslog.rst:140
 msgid "syslog"
 msgstr "syslog"
 
-#: ../../configuration/system/syslog.rst:228
+#: ../../configuration/system/syslog.rst:246
 msgid "tail"
 msgstr "tail"
 
@@ -21938,12 +24753,12 @@ msgstr "time-server"
 msgid "time-servers"
 msgstr "time-servers"
 
-#: ../../configuration/highavailability/index.rst:375
+#: ../../configuration/highavailability/index.rst:379
 #: ../../configuration/service/router-advert.rst:20
 msgid "tunnel"
 msgstr "tunnel"
 
-#: ../../configuration/system/syslog.rst:156
+#: ../../configuration/system/syslog.rst:174
 msgid "use 6 (local6)"
 msgstr "use 6 (local6)"
 
@@ -21951,11 +24766,11 @@ msgstr "use 6 (local6)"
 msgid "use this command to check if there is an Intel® QAT supported Processor in your system."
 msgstr "use this command to check if there is an Intel® QAT supported Processor in your system."
 
-#: ../../configuration/system/syslog.rst:114
+#: ../../configuration/system/syslog.rst:132
 msgid "user"
 msgstr "user"
 
-#: ../../configuration/system/syslog.rst:128
+#: ../../configuration/system/syslog.rst:146
 msgid "uucp"
 msgstr "uucp"
 
@@ -21971,11 +24786,15 @@ msgstr "valid-lifetime"
 msgid "veth interfaces need to be created in pairs - it's called the peer name"
 msgstr "veth interfaces need to be created in pairs - it's called the peer name"
 
+#: ../../configuration/vpn/ipsec.rst:184
+msgid "virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;"
+msgstr "virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;"
+
 #: ../../configuration/service/router-advert.rst:21
 msgid "vxlan"
 msgstr "vxlan"
 
-#: ../../configuration/system/syslog.rst:183
+#: ../../configuration/system/syslog.rst:201
 msgid "warning"
 msgstr "warning"
 
@@ -21983,11 +24802,11 @@ msgstr "warning"
 msgid "we described the configuration SR ISIS / SR OSPF using 2 connected with them to share label information."
 msgstr "we described the configuration SR ISIS / SR OSPF using 2 connected with them to share label information."
 
-#: ../../configuration/highavailability/index.rst:362
+#: ../../configuration/highavailability/index.rst:366
 msgid "weighted-least-connection"
 msgstr "weighted-least-connection"
 
-#: ../../configuration/highavailability/index.rst:360
+#: ../../configuration/highavailability/index.rst:364
 msgid "weighted-round-robin"
 msgstr "weighted-round-robin"
 
diff --git a/docs/_locale/de/contributing.pot b/docs/_locale/de/contributing.pot
index 9e7d1188..688e93b3 100644
--- a/docs/_locale/de/contributing.pot
+++ b/docs/_locale/de/contributing.pot
@@ -92,8 +92,8 @@ msgstr "Eine einzelne, kurze Zusammenfassung des Commits (empfohlen 50 Zeichen o
 msgid "Abbreviations and acronyms **must** be capitalized."
 msgstr "Abkürzungen und Akronyme **müssen** groß geschrieben werden."
 
-#: ../../contributing/build-vyos.rst:443
-#: ../../contributing/build-vyos.rst:631
+#: ../../contributing/build-vyos.rst:451
+#: ../../contributing/build-vyos.rst:639
 msgid "Accel-PPP"
 msgstr "Accel-PPP"
 
@@ -113,13 +113,14 @@ msgstr "Eine oder mehrere IP-Adressen hinzufügen"
 msgid "Address"
 msgstr "Adresse"
 
-#: ../../contributing/build-vyos.rst:840
+#: ../../contributing/build-vyos.rst:880
 msgid "After a minute or two you will find the generated DEB packages next to the vyos-1x source directory:"
 msgstr "Nach ein oder zwei Minuten finden Sie die generierten DEB-Pakete neben dem vyos-1x Quellverzeichnis:"
 
-#: ../../contributing/build-vyos.rst:667
-#: ../../contributing/build-vyos.rst:696
-#: ../../contributing/build-vyos.rst:731
+#: ../../contributing/build-vyos.rst:675
+#: ../../contributing/build-vyos.rst:704
+#: ../../contributing/build-vyos.rst:739
+#: ../../contributing/build-vyos.rst:772
 msgid "After compiling the packages you will find yourself the newly generated `*.deb` binaries in ``vyos-build/packages/linux-kernel`` from which you can copy them to the ``vyos-build/packages`` folder for inclusion during the ISO build."
 msgstr "Nach dem Kompilieren der Pakete finden Sie die neu erzeugten `*.deb`-Binärdateien in ``vyos-build/packages/linux-kernel``, von wo aus sie in den ``vyos-build/packages``-Ordner kopiert werden können, um sie während der ISO-Erstellung einzubinden."
 
@@ -159,11 +160,11 @@ msgstr "Verwenden Sie immer die Option ``-x`` für den Befehl ``git cherry-pick`
 msgid "Another advantage is testability of the code. Mocking the entire config subsystem is hard, while constructing an internal representation by hand is way simpler."
 msgstr "Ein weiterer Vorteil ist die Testbarkeit des Codes. Das Mocking des gesamten Konfigurations-Subsystems ist schwierig, während die Konstruktion einer internen Darstellung von Hand viel einfacher ist."
 
-#: ../../contributing/build-vyos.rst:742
+#: ../../contributing/build-vyos.rst:782
 msgid "Any \"modified\" package may refer to an altered version of e.g. vyos-1x package that you would like to test before filing a pull request on GitHub."
 msgstr "Jedes \"modifizierte\" Paket kann sich auf eine geänderte Version von z.B. des vyos-1x Pakets beziehen, das Sie testen möchten, bevor Sie einen Pull Request auf GitHub stellen."
 
-#: ../../contributing/build-vyos.rst:871
+#: ../../contributing/build-vyos.rst:911
 msgid "Any packages in the packages directory will be added to the iso during build, replacing the upstream ones. Make sure you delete them (both the source directories and built deb packages) if you want to build an iso from purely upstream packages."
 msgstr "Alle Pakete im Paketverzeichnis werden während des Builds zur iso hinzugefügt und ersetzen die Upstream-Pakete. Stellen Sie sicher, dass Sie diese löschen (sowohl die Quellverzeichnisse als auch die erstellten deb-Pakete), wenn Sie eine Iso aus reinen Upstream-Paketen erstellen wollen."
 
@@ -183,7 +184,7 @@ msgstr "Da Smoketests die Systemkonfiguration ändern und Sie aus der Ferne eing
 msgid "As the VyOS documentation is not only for users but also for the developers - and we keep no secret documentation - this section describes how the automated testing works."
 msgstr "Da die VyOS-Dokumentation nicht nur für die Benutzer, sondern auch für die Entwickler gedacht ist - und wir keine geheime Dokumentation führen - wird in diesem Abschnitt beschrieben, wie das automatische Testen funktioniert."
 
-#: ../../contributing/build-vyos.rst:817
+#: ../../contributing/build-vyos.rst:857
 msgid "Assume we want to build the vyos-1x package on our own and modify it to our needs. We first need to clone the repository from GitHub."
 msgstr "Nehmen wir an, wir wollen das vyos-1x Paket selbst erstellen und es an unsere Bedürfnisse anpassen. Zuerst müssen wir das Repository von GitHub klonen."
 
@@ -243,15 +244,15 @@ msgstr "Fehlerbericht/Ereignis"
 msgid "Bug reports that lack reproducing procedures."
 msgstr "Bug reports that lack reproducing procedures."
 
-#: ../../contributing/build-vyos.rst:825
+#: ../../contributing/build-vyos.rst:865
 msgid "Build"
 msgstr "Erstellen"
 
-#: ../../contributing/build-vyos.rst:122
+#: ../../contributing/build-vyos.rst:126
 msgid "Build Container"
 msgstr "Container bauen"
 
-#: ../../contributing/build-vyos.rst:215
+#: ../../contributing/build-vyos.rst:219
 msgid "Build ISO"
 msgstr "ISO erstellen"
 
@@ -259,31 +260,31 @@ msgstr "ISO erstellen"
 msgid "Build VyOS"
 msgstr "VyOS erstellen"
 
-#: ../../contributing/build-vyos.rst:147
+#: ../../contributing/build-vyos.rst:151
 msgid "Build from source"
 msgstr "Aus dem Quellcode erstellen"
 
-#: ../../contributing/build-vyos.rst:622
+#: ../../contributing/build-vyos.rst:630
 msgid "Building Out-Of-Tree Modules"
 msgstr "Erstellen von Out-Of-Tree-Modulen"
 
-#: ../../contributing/build-vyos.rst:475
+#: ../../contributing/build-vyos.rst:483
 msgid "Building The Kernel"
 msgstr "Den Kernel bauen"
 
-#: ../../contributing/build-vyos.rst:286
+#: ../../contributing/build-vyos.rst:294
 msgid "Building VyOS on Windows WSL2 with Docker integrated into WSL2 will work like a charm. No problems are known so far!"
 msgstr "Die Erstellung von VyOS auf Windows WSL2 mit Docker, das in WSL2 integriert ist, funktioniert problemlos. Bislang sind keine Probleme bekannt!"
 
-#: ../../contributing/build-vyos.rst:745
+#: ../../contributing/build-vyos.rst:785
 msgid "Building an ISO with any customized package is in no way different than building a regular (customized or not) ISO image. Simply place your modified `*.deb` package inside the `packages` folder within `vyos-build`. The build process will then pickup your custom package and integrate it into your ISO."
 msgstr "Die Erstellung eines ISO-Images mit einem angepassten Paket unterscheidet sich in keiner Weise von der Erstellung eines regulären ISO-Images (angepasst oder nicht). Legen Sie einfach Ihr modifiziertes `*.deb`-Paket in den Ordner `packages` innerhalb von `vyos-build`. Der Build-Prozess wird dann Ihr angepasstes Paket aufnehmen und in Ihr ISO integrieren."
 
-#: ../../contributing/build-vyos.rst:624
+#: ../../contributing/build-vyos.rst:632
 msgid "Building the kernel is one part, but now you also need to build the required out-of-tree modules so everything is lined up and the ABIs match. To do so, you can again take a look at ``vyos-build/packages/linux-kernel/Jenkinsfile`` to see all of the required modules and their selected versions. We will show you how to build all the current required modules."
 msgstr "Den Kernel zu bauen ist ein Teil, aber jetzt müssen Sie auch die benötigten Out-of-Tree-Module bauen, damit alles zusammenpasst und die ABIs übereinstimmen. Um dies zu tun, können Sie wieder einen Blick auf ``vyos-build/packages/linux-kernel/Jenkinsfile`` werfen, um alle benötigten Module und ihre ausgewählten Versionen zu sehen. Wir werden Ihnen zeigen, wie Sie alle aktuell benötigten Module bauen können."
 
-#: ../../contributing/build-vyos.rst:515
+#: ../../contributing/build-vyos.rst:523
 msgid "Building the kernel will take some time depending on the speed and quantity of your CPU/cores and disk speed. Expect 20 minutes (or even longer) on lower end hardware."
 msgstr "Die Erstellung des Kernels wird einige Zeit in Anspruch nehmen, abhängig von der Geschwindigkeit und Anzahl Ihrer CPU/Kerne und der Festplattengeschwindigkeit. Rechnen Sie mit 20 Minuten (oder sogar länger) auf weniger leistungsfähiger Hardware."
 
@@ -303,7 +304,7 @@ msgstr "C++ Backend-Code"
 msgid "Capitalization and punctuation"
 msgstr "Großschreibung und Zeichensetzung"
 
-#: ../../contributing/build-vyos.rst:488
+#: ../../contributing/build-vyos.rst:496
 msgid "Check out the required kernel version - see ``vyos-build/data/defaults.json`` file (example uses kernel 4.19.146):"
 msgstr "Überprüfen Sie die benötigte Kernelversion - siehe ``vyos-build/data/defaults.json`` Datei (das Beispiel verwendet Kernel 4.19.146):"
 
@@ -311,7 +312,7 @@ msgstr "Überprüfen Sie die benötigte Kernelversion - siehe ``vyos-build/data/
 msgid "Clone: ``git clone https://github.com/<user>/vyos-1x.git``"
 msgstr "Klonen: ``git clone https://github.com/<user>/vyos-1x.git``"
 
-#: ../../contributing/build-vyos.rst:481
+#: ../../contributing/build-vyos.rst:489
 msgid "Clone the kernel source to `vyos-build/packages/linux-kernel/`:"
 msgstr "Klonen Sie den Kernel-Quellcode nach `vyos-build/packages/linux-kernel/`:"
 
@@ -351,7 +352,7 @@ msgstr "Ziehen Sie die documentation_ zu Rate, um sicherzustellen, dass Sie Ihr
 msgid "Continuous Integration"
 msgstr "Continuous Integration"
 
-#: ../../contributing/build-vyos.rst:295
+#: ../../contributing/build-vyos.rst:303
 msgid "Customize"
 msgstr "Anpassen"
 
@@ -363,7 +364,7 @@ msgstr "DHCP-Client und DHCPv6-Präfix-Delegation"
 msgid "DMVPN patches are added by this commit: https://github.com/vyos/vyos-strongswan/commit/1cf12b0f2f921bfc51affa3b81226"
 msgstr "DMVPN-Patches werden durch diesen Commit hinzugefügt: https://github.com/vyos/vyos-strongswan/commit/1cf12b0f2f921bfc51affa3b81226"
 
-#: ../../contributing/build-vyos.rst:753
+#: ../../contributing/build-vyos.rst:793
 msgid "Debian APT is not very verbose when it comes to errors. If your ISO build breaks for whatever reason and you suspect it's a problem with APT dependencies or installation you can add this small patch which increases the APT verbosity during ISO build."
 msgstr "Debian APT ist nicht sehr ausführlich, wenn es um Fehler geht. Wenn Ihre ISO-Erstellung aus irgendeinem Grund fehlschlägt und Sie vermuten, dass es ein Problem mit APT-Abhängigkeiten oder der Installation ist, können Sie diesen kleinen Patch hinzufügen, der die Ausführlichkeit von APT während der ISO-Erstellung erhöht."
 
@@ -419,15 +420,15 @@ msgstr "Entwicklung"
 msgid "Do not add angle brackets around the format, they will be inserted automatically"
 msgstr "Fügen Sie keine spitzen Klammern um das Format hinzu, sie werden automatisch eingefügt."
 
-#: ../../contributing/build-vyos.rst:83
+#: ../../contributing/build-vyos.rst:87
 msgid "Docker"
 msgstr "Docker"
 
-#: ../../contributing/build-vyos.rst:135
+#: ../../contributing/build-vyos.rst:139
 msgid "Dockerhub"
 msgstr "Dockerhub"
 
-#: ../../contributing/build-vyos.rst:112
+#: ../../contributing/build-vyos.rst:116
 msgid "Doing so grants privileges equivalent to the ``root`` user! It is recommended to remove the non-root user from the ``docker`` group after building the VyOS ISO. See also `Docker as non-root`_."
 msgstr "Dadurch erhält er die gleichen Rechte wie der Benutzer ``root``! Es wird empfohlen, den Nicht-Root-Benutzer aus der ``docker``-Gruppe zu entfernen, nachdem das VyOS-ISO erstellt wurde. Siehe auch `Docker als non-root`_."
 
@@ -435,7 +436,7 @@ msgstr "Dadurch erhält er die gleichen Rechte wie der Benutzer ``root``! Es wir
 msgid "Due to issues in the upstream version that sometimes set interfaces down, a modified version is used."
 msgstr "Aufgrund von Problemen in der Upstream-Version, die manchmal zum Ausfall von Schnittstellen führten, wird eine modifizierte Version verwendet."
 
-#: ../../contributing/build-vyos.rst:87
+#: ../../contributing/build-vyos.rst:91
 msgid "Due to the updated version of Docker, the following examples may become invalid."
 msgstr "Due to the updated version of Docker, the following examples may become invalid."
 
@@ -447,7 +448,7 @@ msgstr "Während der Migration und des umfangreichen Umschreibens von Funktional
 msgid "Each module is build on demand if a new commit on the branch in question is found. After a successful run the resulting Debian Package(s) will be deployed to our Debian repository which is used during build time. It is located here: http://dev.packages.vyos.net/repositories/."
 msgstr "Jedes Modul wird bei Bedarf gebaut, wenn ein neuer Commit für den betreffenden Zweig gefunden wird. Nach einem erfolgreichen Lauf werden die resultierenden Debian-Pakete in unserem Debian-Repository bereitgestellt, das während der Build-Zeit verwendet wird. Es befindet sich hier: http://dev.packages.vyos.net/repositories/."
 
-#: ../../contributing/build-vyos.rst:447
+#: ../../contributing/build-vyos.rst:455
 msgid "Each of those modules holds a dependency on the kernel version and if you are lucky enough to receive an ISO build error which sounds like:"
 msgstr "Jedes dieser Module ist von der Kernel-Version abhängig, und wenn Sie das Glück haben, einen ISO-Build-Fehler zu erhalten, der sich wie folgt anhört:"
 
@@ -505,11 +506,11 @@ msgstr "Feature Requests"
 msgid "Feature requests that do not include required information and need clarification."
 msgstr "Feature requests that do not include required information and need clarification."
 
-#: ../../contributing/build-vyos.rst:600
+#: ../../contributing/build-vyos.rst:608
 msgid "Firmware"
 msgstr "Firmware"
 
-#: ../../contributing/build-vyos.rst:633
+#: ../../contributing/build-vyos.rst:641
 msgid "First, clone the source code and check out the appropriate version by running:"
 msgstr "Klonen Sie zunächst den Quellcode und auschecken Sie die entsprechende Version aus:"
 
@@ -537,7 +538,7 @@ msgstr "Zum Beispiel kann ``/tmp/vyos.ifconfig.debug`` erstellt werden, um das D
 msgid "For example running, ``export VYOS_IFCONFIG_DEBUG=\"\"`` on your vbash, will have the same effect as ``touch /tmp/vyos.ifconfig.debug``."
 msgstr "Wenn Sie zum Beispiel ``export VYOS_IFCONFIG_DEBUG=\"\"`` in Ihrer vbash ausführen, hat das den gleichen Effekt wie ``touch /tmp/vyos.ifconfig.debug``."
 
-#: ../../contributing/build-vyos.rst:72
+#: ../../contributing/build-vyos.rst:76
 msgid "For the packages required, you can refer to the ``docker/Dockerfile`` file in the repository_. The ``./build-vyos-image`` script will also warn you if any dependencies are missing."
 msgstr "Die erforderlichen Pakete finden Sie in der Datei ``docker/Dockerfile`` im repository_. Das Skript ``./build-vyos-image`` wird Sie auch warnen, wenn irgendwelche Abhängigkeiten fehlen."
 
@@ -586,7 +587,7 @@ msgstr "Gut: PPPoE, IPsec"
 msgid "Good: RADIUS (as in remote authentication for dial-in user services)"
 msgstr "Gut: RADIUS (as in remote authentication for dial-in user services)"
 
-#: ../../contributing/build-vyos.rst:284
+#: ../../contributing/build-vyos.rst:292
 msgid "Good luck!"
 msgstr "Viel Glück!"
 
@@ -622,7 +623,7 @@ msgstr "How you'd configure it by hand there?"
 msgid "IP and IPv6 options"
 msgstr "IP- und IPv6-Optionen"
 
-#: ../../contributing/build-vyos.rst:348
+#: ../../contributing/build-vyos.rst:356
 msgid "ISO Build Issues"
 msgstr "ISO Build-Probleme"
 
@@ -658,7 +659,7 @@ msgstr "If there is no response after further two weeks, the task will be automa
 msgid "If there is no response from the reporter within two weeks, the task bot will add a comment (\"Any news?\") to remind the reporter to reply."
 msgstr "If there is no response from the reporter within two weeks, the task bot will add a comment (\"Any news?\") to remind the reporter to reply."
 
-#: ../../contributing/build-vyos.rst:739
+#: ../../contributing/build-vyos.rst:779
 msgid "If you are brave enough to build yourself an ISO image containing any modified package from our GitHub organisation - this is the place to be."
 msgstr "Wenn Sie mutig genug sind, sich ein ISO-Image zu erstellen, das ein beliebiges modifiziertes Paket aus unserer GitHub-Organisation enthält, sind Sie hier genau richtig."
 
@@ -666,7 +667,7 @@ msgstr "Wenn Sie mutig genug sind, sich ein ISO-Image zu erstellen, das ein beli
 msgid "If you aren't certain what the correct behavior is and if what you see is really a bug, or if you don't have a reproducing procedure that reliably triggers it, please create a post on the forum or ask in the chat first — or, if you have a subscription, create a support ticket. Our team and community members can help you identify the bug and work around it, then create an actionable and testable bug report."
 msgstr "If you aren't certain what the correct behavior is and if what you see is really a bug, or if you don't have a reproducing procedure that reliably triggers it, please create a post on the forum or ask in the chat first — or, if you have a subscription, create a support ticket. Our team and community members can help you identify the bug and work around it, then create an actionable and testable bug report."
 
-#: ../../contributing/build-vyos.rst:602
+#: ../../contributing/build-vyos.rst:610
 msgid "If you upgrade your kernel or include new drivers you may need new firmware. Build a new ``vyos-linux-firmware`` package with the included helper scripts."
 msgstr "Wenn Sie Ihren Kernel aktualisieren oder neue Treiber einbinden, benötigen Sie möglicherweise eine neue Firmware. Erstellen Sie ein neues ``vyos-linux-firmware`` Paket mit den enthaltenen Hilfsskripten."
 
@@ -694,7 +695,7 @@ msgstr "In order to retrieve the debug output on the command-line you need to di
 msgid "In some contexts, the first line is treated as the subject of an email and the rest of the text as the body. The blank line separating the summary from the body is critical (unless you omit the body entirely); tools like rebase can get confused if you run the two together."
 msgstr "In some contexts, the first line is treated as the subject of an email and the rest of the text as the body. The blank line separating the summary from the body is critical (unless you omit the body entirely); tools like rebase can get confused if you run the two together."
 
-#: ../../contributing/build-vyos.rst:594
+#: ../../contributing/build-vyos.rst:602
 msgid "In the end you will be presented with the kernel binary packages which you can then use in your custom ISO build process, by placing all the `*.deb` files in the vyos-build/packages folder where they will be used automatically when building VyOS as documented above."
 msgstr "In the end you will be presented with the kernel binary packages which you can then use in your custom ISO build process, by placing all the `*.deb` files in the vyos-build/packages folder where they will be used automatically when building VyOS as documented above."
 
@@ -710,7 +711,7 @@ msgstr "Ausgabe einbeziehen"
 msgid "Insert the following statement right before the section where you want to investigate a problem (e.g. a statement you see in a backtrace): ``import pdb; pdb.set_trace()`` Optionally you can surrounded this statement by an ``if`` which only triggers under the condition you are interested in."
 msgstr "Insert the following statement right before the section where you want to investigate a problem (e.g. a statement you see in a backtrace): ``import pdb; pdb.set_trace()`` Optionally you can surrounded this statement by an ``if`` which only triggers under the condition you are interested in."
 
-#: ../../contributing/build-vyos.rst:850
+#: ../../contributing/build-vyos.rst:890
 msgid "Install"
 msgstr "Installieren"
 
@@ -718,7 +719,7 @@ msgstr "Installieren"
 msgid "Install https://pypi.org/project/stdeb/"
 msgstr "Install https://pypi.org/project/stdeb/"
 
-#: ../../contributing/build-vyos.rst:85
+#: ../../contributing/build-vyos.rst:89
 msgid "Installing Docker_ and prerequisites:"
 msgstr "Installing Docker_ and prerequisites:"
 
@@ -726,19 +727,20 @@ msgstr "Installing Docker_ and prerequisites:"
 msgid "Instead of supplying all those XML nodes multiple times there are now include files with predefined features. Brief overview:"
 msgstr "Instead of supplying all those XML nodes multiple times there are now include files with predefined features. Brief overview:"
 
-#: ../../contributing/build-vyos.rst:672
+#: ../../contributing/build-vyos.rst:680
 msgid "Intel NIC"
 msgstr "Intel NIC"
 
-#: ../../contributing/build-vyos.rst:444
+#: ../../contributing/build-vyos.rst:452
 msgid "Intel NIC drivers"
 msgstr "Intel NIC drivers"
 
-#: ../../contributing/build-vyos.rst:701
+#: ../../contributing/build-vyos.rst:453
+#: ../../contributing/build-vyos.rst:709
 msgid "Intel QAT"
 msgstr "Intel QAT"
 
-#: ../../contributing/build-vyos.rst:445
+#: ../../contributing/build-vyos.rst:453
 msgid "Inter QAT"
 msgstr "Inter QAT"
 
@@ -774,7 +776,7 @@ msgstr "It is also possible to set up the debugging using environment variables.
 msgid "Jenkins CI"
 msgstr "Jenkins CI"
 
-#: ../../contributing/build-vyos.rst:856
+#: ../../contributing/build-vyos.rst:896
 msgid "Just install using the following commands:"
 msgstr "Just install using the following commands:"
 
@@ -790,7 +792,7 @@ msgstr "Keepalived normally isn't updated to newer feature releases between Debi
 msgid "Kernel"
 msgstr "Kernel"
 
-#: ../../contributing/build-vyos.rst:827
+#: ../../contributing/build-vyos.rst:867
 msgid "Launch Docker container and build package"
 msgstr "Launch Docker container and build package"
 
@@ -814,7 +816,7 @@ msgstr "Like any other project we have some small guidelines about our source co
 msgid "Limits:"
 msgstr "Limits:"
 
-#: ../../contributing/build-vyos.rst:430
+#: ../../contributing/build-vyos.rst:438
 msgid "Linux Kernel"
 msgstr "Linux Kernel"
 
@@ -842,6 +844,10 @@ msgstr "Manual config load test"
 msgid "Many base system packages are pulled straight from Debian's main and contrib repositories, but there are exceptions."
 msgstr "Many base system packages are pulled straight from Debian's main and contrib repositories, but there are exceptions."
 
+#: ../../contributing/build-vyos.rst:745
+msgid "Mellanox OFED"
+msgstr "Mellanox OFED"
+
 #: ../../contributing/development.rst:622
 msgid "Migrating old CLI"
 msgstr "Migrating old CLI"
@@ -887,23 +893,23 @@ msgstr "None"
 msgid "Notes"
 msgstr "Notes"
 
-#: ../../contributing/build-vyos.rst:236
+#: ../../contributing/build-vyos.rst:240
 msgid "Now a fresh build of the VyOS ISO can begin. Change directory to the ``vyos-build`` directory and run:"
 msgstr "Now a fresh build of the VyOS ISO can begin. Change directory to the ``vyos-build`` directory and run:"
 
-#: ../../contributing/build-vyos.rst:217
+#: ../../contributing/build-vyos.rst:221
 msgid "Now as you are aware of the prerequisites we can continue and build our own ISO from source. For this we have to fetch the latest source code from GitHub. Please note as this will differ for both `current` and `crux`."
 msgstr "Now as you are aware of the prerequisites we can continue and build our own ISO from source. For this we have to fetch the latest source code from GitHub. Please note as this will differ for both `current` and `crux`."
 
-#: ../../contributing/build-vyos.rst:424
+#: ../../contributing/build-vyos.rst:432
 msgid "Now it's time to fix the package mirror and rerun the last step until the package installation succeeds again!"
 msgstr "Now it's time to fix the package mirror and rerun the last step until the package installation succeeds again!"
 
-#: ../../contributing/build-vyos.rst:509
+#: ../../contributing/build-vyos.rst:517
 msgid "Now we can use the helper script ``build-kernel.sh`` which does all the necessary voodoo by applying required patches from the `vyos-build/packages/linux-kernel/patches` folder, copying our kernel configuration ``x86_64_vyos_defconfig`` to the right location, and finally building the Debian packages."
 msgstr "Now we can use the helper script ``build-kernel.sh`` which does all the necessary voodoo by applying required patches from the `vyos-build/packages/linux-kernel/patches` folder, copying our kernel configuration ``x86_64_vyos_defconfig`` to the right location, and finally building the Debian packages."
 
-#: ../../contributing/build-vyos.rst:199
+#: ../../contributing/build-vyos.rst:203
 msgid "Now you are prepared with two new aliases ``vybld`` and ``vybld_crux`` to spawn your development containers in your current working directory."
 msgstr "Now you are prepared with two new aliases ``vybld`` and ``vybld_crux`` to spawn your development containers in your current working directory."
 
@@ -967,8 +973,8 @@ msgstr "Our op mode scripts use the python-vici module, which is not included in
 msgid "Our smoketests not only test daemons and serives, but also check if what we configure for an interface works. Thus there is a common base classed named: ``base_interfaces_test.py`` which holds all the common code that an interface supports and is tested."
 msgstr "Our smoketests not only test daemons and serives, but also check if what we configure for an interface works. Thus there is a common base classed named: ``base_interfaces_test.py`` which holds all the common code that an interface supports and is tested."
 
-#: ../../contributing/build-vyos.rst:737
-#: ../../contributing/build-vyos.rst:806
+#: ../../contributing/build-vyos.rst:777
+#: ../../contributing/build-vyos.rst:846
 msgid "Packages"
 msgstr "Packages"
 
@@ -1048,7 +1054,7 @@ msgstr "Python 3 **shall** be used. How long can we keep Python 2 alive anyway?
 msgid "Python (or any other language, for that matter) does not provide automatic protection from bad design, so we need to also devise design guidelines and follow them to keep the system extensible and maintainable."
 msgstr "Python (or any other language, for that matter) does not provide automatic protection from bad design, so we need to also devise design guidelines and follow them to keep the system extensible and maintainable."
 
-#: ../../contributing/build-vyos.rst:785
+#: ../../contributing/build-vyos.rst:825
 msgid "QEMU"
 msgstr "QEMU"
 
@@ -1064,16 +1070,17 @@ msgstr "Recent versions use the ``vyos.frr`` framework. The Python class is loca
 msgid "Report a Bug"
 msgstr "Report a Bug"
 
-#: ../../contributing/build-vyos.rst:787
+#: ../../contributing/build-vyos.rst:827
 msgid "Run the following command after building the ISO image."
 msgstr "Run the following command after building the ISO image."
 
-#: ../../contributing/build-vyos.rst:796
+#: ../../contributing/build-vyos.rst:836
 msgid "Run the following command after building the QEMU image."
 msgstr "Run the following command after building the QEMU image."
 
-#: ../../contributing/build-vyos.rst:677
-#: ../../contributing/build-vyos.rst:706
+#: ../../contributing/build-vyos.rst:685
+#: ../../contributing/build-vyos.rst:714
+#: ../../contributing/build-vyos.rst:750
 msgid "Simply use our wrapper script to build all of the driver modules."
 msgstr "Simply use our wrapper script to build all of the driver modules."
 
@@ -1097,7 +1104,7 @@ msgstr "So if you plan to build your own custom ISO image and wan't to make use
 msgid "So if you plan to build your own custom ISO image and want to make use of our smoketests, ensure that you have the `vyos-1x-smoketest` package installed."
 msgstr "So if you plan to build your own custom ISO image and want to make use of our smoketests, ensure that you have the `vyos-1x-smoketest` package installed."
 
-#: ../../contributing/build-vyos.rst:202
+#: ../../contributing/build-vyos.rst:206
 msgid "Some VyOS packages (namely vyos-1x) come with build-time tests which verify some of the internal library calls that they work as expected. Those tests are carried out through the Python Unittest module. If you want to build the ``vyos-1x`` package (which is our main development package) you need to start your Docker container using the following argument: ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will fail."
 msgstr "Some VyOS packages (namely vyos-1x) come with build-time tests which verify some of the internal library calls that they work as expected. Those tests are carried out through the Python Unittest module. If you want to build the ``vyos-1x`` package (which is our main development package) you need to start your Docker container using the following argument: ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will fail."
 
@@ -1113,7 +1120,7 @@ msgstr "Some of the configurations have preconditions which need to be met. Thos
 msgid "Sometimes it might be useful to debug Python code interactively on the live system rather than a IDE. This can be achieved using pdb."
 msgstr "Sometimes it might be useful to debug Python code interactively on the live system rather than a IDE. This can be achieved using pdb."
 
-#: ../../contributing/build-vyos.rst:269
+#: ../../contributing/build-vyos.rst:273
 msgid "Start the build:"
 msgstr "Start the build:"
 
@@ -1165,18 +1172,22 @@ msgstr "Text generation"
 msgid "The CLI parser used in VyOS is a mix of bash, bash-completion helper and the C++ backend library [vyatta-cfg](https://github.com/vyos/vyatta-cfg). This section is a reference of common CLI commands and the respective entry point in the C/C++ code."
 msgstr "The CLI parser used in VyOS is a mix of bash, bash-completion helper and the C++ backend library [vyatta-cfg](https://github.com/vyos/vyatta-cfg). This section is a reference of common CLI commands and the respective entry point in the C/C++ code."
 
-#: ../../contributing/build-vyos.rst:674
+#: ../../contributing/build-vyos.rst:682
 msgid "The Intel NIC drivers do not come from a Git repository, instead we just fetch the tarballs from our mirror and compile them."
 msgstr "The Intel NIC drivers do not come from a Git repository, instead we just fetch the tarballs from our mirror and compile them."
 
-#: ../../contributing/build-vyos.rst:702
+#: ../../contributing/build-vyos.rst:710
 msgid "The Intel QAT (Quick Assist Technology) drivers do not come from a Git repository, instead we just fetch the tarballs from 01.org, Intel's open-source website."
 msgstr "The Intel QAT (Quick Assist Technology) drivers do not come from a Git repository, instead we just fetch the tarballs from 01.org, Intel's open-source website."
 
-#: ../../contributing/build-vyos.rst:432
+#: ../../contributing/build-vyos.rst:440
 msgid "The Linux kernel used by VyOS is heavily tied to the ISO build process. The file ``data/defaults.json`` hosts a JSON definition of the kernel version used ``kernel_version`` and the ``kernel_flavor`` of the kernel which represents the kernel's LOCAL_VERSION. Both together form the kernel version variable in the system:"
 msgstr "The Linux kernel used by VyOS is heavily tied to the ISO build process. The file ``data/defaults.json`` hosts a JSON definition of the kernel version used ``kernel_version`` and the ``kernel_flavor`` of the kernel which represents the kernel's LOCAL_VERSION. Both together form the kernel version variable in the system:"
 
+#: ../../contributing/build-vyos.rst:747
+msgid "The Mellanox OFED drivers do not come from a Git repository, instead we fetch the tarball from Nvidia and compile the sources its contains against our kernel tree."
+msgstr "The Mellanox OFED drivers do not come from a Git repository, instead we fetch the tarball from Nvidia and compile the sources its contains against our kernel tree."
+
 #: ../../contributing/development.rst:22
 msgid "The README.md file will guide you to use the this top level repository."
 msgstr "The README.md file will guide you to use the this top level repository."
@@ -1213,7 +1224,7 @@ msgstr "The bash (or better vbash) completion in VyOS is defined in *templates*.
 msgid "The behavior you expect and how it's different from the behavior you observe. Don't just include command outputs or traffic dumps — try to explain at least briefly why they are wrong and what they should be."
 msgstr "The behavior you expect and how it's different from the behavior you observe. Don't just include command outputs or traffic dumps — try to explain at least briefly why they are wrong and what they should be."
 
-#: ../../contributing/build-vyos.rst:116
+#: ../../contributing/build-vyos.rst:120
 msgid "The build process needs to be built on a local file system, building on SMB or NFS shares will result in the container failing to build properly! VirtualBox Drive Share is also not an option as block device operations are not implemented and the drive is always mounted as \"nodev\""
 msgstr "The build process needs to be built on a local file system, building on SMB or NFS shares will result in the container failing to build properly! VirtualBox Drive Share is also not an option as block device operations are not implemented and the drive is always mounted as \"nodev\""
 
@@ -1221,11 +1232,11 @@ msgstr "The build process needs to be built on a local file system, building on
 msgid "The configurations are all derived from production systems and can not only act as a testcase but also as reference if one wants to enable a certain feature. The configurations can be found here: https://github.com/vyos/vyos-1x/tree/current/smoketest/configs"
 msgstr "The configurations are all derived from production systems and can not only act as a testcase but also as reference if one wants to enable a certain feature. The configurations can be found here: https://github.com/vyos/vyos-1x/tree/current/smoketest/configs"
 
-#: ../../contributing/build-vyos.rst:149
+#: ../../contributing/build-vyos.rst:153
 msgid "The container can also be built directly from source:"
 msgstr "The container can also be built directly from source:"
 
-#: ../../contributing/build-vyos.rst:124
+#: ../../contributing/build-vyos.rst:128
 msgid "The container can be built by hand or by fetching the pre-built one from DockerHub. Using the pre-built containers from the `VyOS DockerHub organisation`_ will ensure that the container is always up-to-date. A rebuild is triggered once the container changes (please note this will take 2-3 hours after pushing to the vyos-build repository)."
 msgstr "The container can be built by hand or by fetching the pre-built one from DockerHub. Using the pre-built containers from the `VyOS DockerHub organisation`_ will ensure that the container is always up-to-date. A rebuild is triggered once the container changes (please note this will take 2-3 hours after pushing to the vyos-build repository)."
 
@@ -1233,7 +1244,7 @@ msgstr "The container can be built by hand or by fetching the pre-built one from
 msgid "The default template processor for VyOS code is Jinja2_."
 msgstr "The default template processor for VyOS code is Jinja2_."
 
-#: ../../contributing/build-vyos.rst:813
+#: ../../contributing/build-vyos.rst:853
 msgid "The easiest way to compile your package is with the above mentioned :ref:`build_docker` container, it includes all required dependencies for all VyOS related packages."
 msgstr "The easiest way to compile your package is with the above mentioned :ref:`build_docker` container, it includes all required dependencies for all VyOS related packages."
 
@@ -1265,11 +1276,11 @@ msgstr "The great thing about schemas is not only that people can know the compl
 msgid "The information is used in three ways:"
 msgstr "The information is used in three ways:"
 
-#: ../../contributing/build-vyos.rst:477
+#: ../../contributing/build-vyos.rst:485
 msgid "The kernel build is quite easy, most of the required steps can be found in the ``vyos-build/packages/linux-kernel/Jenkinsfile`` but we will walk you through it."
 msgstr "The kernel build is quite easy, most of the required steps can be found in the ``vyos-build/packages/linux-kernel/Jenkinsfile`` but we will walk you through it."
 
-#: ../../contributing/build-vyos.rst:465
+#: ../../contributing/build-vyos.rst:473
 msgid "The most obvious reasons could be:"
 msgstr "The most obvious reasons could be:"
 
@@ -1325,7 +1336,7 @@ msgstr "The switch to the Python programming language for new code is not merely
 msgid "The system startup can be debugged (like loading in the configuration file from ``/config/config.boot``. This can be achieve by extending the Kernel command-line in the bootloader."
 msgstr "The system startup can be debugged (like loading in the configuration file from ``/config/config.boot``. This can be achieve by extending the Kernel command-line in the bootloader."
 
-#: ../../contributing/build-vyos.rst:350
+#: ../../contributing/build-vyos.rst:358
 msgid "There are (rare) situations where building an ISO image is not possible at all due to a broken package feed in the background. APT is not very good at reporting the root cause of the issue. Your ISO build will likely fail with a more or less similar looking error message:"
 msgstr "There are (rare) situations where building an ISO image is not possible at all due to a broken package feed in the background. APT is not very good at reporting the root cause of the issue. Your ISO build will likely fail with a more or less similar looking error message:"
 
@@ -1345,7 +1356,7 @@ msgstr "There are two flags available to aid in debugging configuration scripts.
 msgid "There is a special status for tasks where all work on the side of maintainers and contributors is complete: \"Needs reporter action\"."
 msgstr "There is a special status for tasks where all work on the side of maintainers and contributors is complete: \"Needs reporter action\"."
 
-#: ../../contributing/build-vyos.rst:297
+#: ../../contributing/build-vyos.rst:305
 msgid "This ISO can be customized with the following list of configure options. The full and current list can be generated with ``./build-vyos-image --help``:"
 msgstr "This ISO can be customized with the following list of configure options. The full and current list can be generated with ``./build-vyos-image --help``:"
 
@@ -1377,11 +1388,11 @@ msgstr "This package doesn't exist in Debian. A debianized fork is kept at https
 msgid "This package doesn't exist in Debian. A debianized fork is kept at https://github.com/vyos/udp-broadcast-relay"
 msgstr "This package doesn't exist in Debian. A debianized fork is kept at https://github.com/vyos/udp-broadcast-relay"
 
-#: ../../contributing/build-vyos.rst:612
+#: ../../contributing/build-vyos.rst:620
 msgid "This tries to automatically detect which blobs are needed based on which drivers were built. If it fails to find the correct files you can add them manually to ``vyos-build/packages/linux-kernel/build-linux-firmware.sh``:"
 msgstr "This tries to automatically detect which blobs are needed based on which drivers were built. If it fails to find the correct files you can add them manually to ``vyos-build/packages/linux-kernel/build-linux-firmware.sh``:"
 
-#: ../../contributing/build-vyos.rst:76
+#: ../../contributing/build-vyos.rst:80
 msgid "This will guide you through the process of building a VyOS ISO using Docker. This process has been tested on clean installs of Debian Bullseye (11) and Bookworm (12)."
 msgstr "This will guide you through the process of building a VyOS ISO using Docker. This process has been tested on clean installs of Debian Bullseye (11) and Bookworm (12)."
 
@@ -1397,11 +1408,11 @@ msgstr "This will limit the `bond` interface test to only make use of `eth1` and
 msgid "Those common tests consists out of:"
 msgstr "Those common tests consists out of:"
 
-#: ../../contributing/build-vyos.rst:173
+#: ../../contributing/build-vyos.rst:177
 msgid "Tips and Tricks"
 msgstr "Tips and Tricks"
 
-#: ../../contributing/build-vyos.rst:108
+#: ../../contributing/build-vyos.rst:112
 msgid "To be able to use Docker_ without ``sudo``, the current non-root user must be added to the ``docker`` group by calling: ``sudo usermod -aG docker yourusername``."
 msgstr "To be able to use Docker_ without ``sudo``, the current non-root user must be added to the ``docker`` group by calling: ``sudo usermod -aG docker yourusername``."
 
@@ -1417,7 +1428,7 @@ msgstr "To build our modules we utilize a CI/CD Pipeline script. Each and every
 msgid "To debug issues in priorities or to see what's going on in the background you can use the ``/opt/vyatta/sbin/priority.pl`` script which lists to you the execution order of the scripts."
 msgstr "To debug issues in priorities or to see what's going on in the background you can use the ``/opt/vyatta/sbin/priority.pl`` script which lists to you the execution order of the scripts."
 
-#: ../../contributing/build-vyos.rst:373
+#: ../../contributing/build-vyos.rst:381
 msgid "To debug the build process and gain additional information of what could be the root cause, you need to use `chroot` to change into the build directory. This is explained in the following step by step procedure:"
 msgstr "To debug the build process and gain additional information of what could be the root cause, you need to use `chroot` to change into the build directory. This is explained in the following step by step procedure:"
 
@@ -1449,7 +1460,7 @@ msgstr "To ensure uniform look and feel, and improve readability, we should foll
 msgid "To make this approach work, every change must be associated with a task number (prefixed with **T**) and a component. If there is no bug report/feature request for the changes you are going to make, you have to create a Phabricator_ task first. Once there is an entry in Phabricator_, you should reference its id in your commit message, as shown below:"
 msgstr "To make this approach work, every change must be associated with a task number (prefixed with **T**) and a component. If there is no bug report/feature request for the changes you are going to make, you have to create a Phabricator_ task first. Once there is an entry in Phabricator_, you should reference its id in your commit message, as shown below:"
 
-#: ../../contributing/build-vyos.rst:137
+#: ../../contributing/build-vyos.rst:141
 msgid "To manually download the container from DockerHub, run:"
 msgstr "To manually download the container from DockerHub, run:"
 
@@ -1457,11 +1468,11 @@ msgstr "To manually download the container from DockerHub, run:"
 msgid "To start, clone the repository to your local machine:"
 msgstr "To start, clone the repository to your local machine:"
 
-#: ../../contributing/build-vyos.rst:852
+#: ../../contributing/build-vyos.rst:892
 msgid "To take your newly created package on a test drive you can simply SCP it to a running VyOS instance and install the new `*.deb` package over the current running one."
 msgstr "To take your newly created package on a test drive you can simply SCP it to a running VyOS instance and install the new `*.deb` package over the current running one."
 
-#: ../../contributing/build-vyos.rst:751
+#: ../../contributing/build-vyos.rst:791
 msgid "Troubleshooting"
 msgstr "Troubleshooting"
 
@@ -1505,7 +1516,7 @@ msgstr "VIF (incl. VIF-S/VIF-C)"
 msgid "VLANs (QinQ and regular 802.1q)"
 msgstr "VLANs (QinQ and regular 802.1q)"
 
-#: ../../contributing/build-vyos.rst:794
+#: ../../contributing/build-vyos.rst:834
 msgid "VMware"
 msgstr "VMware"
 
@@ -1517,7 +1528,7 @@ msgstr "Verbs, when they are necessary, **should** be in their infinitive form."
 msgid "Verbs **should** be avoided. If a verb can be omitted, omit it."
 msgstr "Verbs **should** be avoided. If a verb can be omitted, omit it."
 
-#: ../../contributing/build-vyos.rst:782
+#: ../../contributing/build-vyos.rst:822
 msgid "Virtualization Platforms"
 msgstr "Virtualization Platforms"
 
@@ -1529,11 +1540,11 @@ msgstr "VyOS CLI is all about priorities. Every CLI node has a corresponding ``n
 msgid "VyOS CLI is all about priorities. Every CLI node has a corresponding ``node.def`` file and possibly an attached script that is executed when the node is present. Nodes can have a priority, and on system bootup - or any other ``commit`` to the config all scripts are executed from lowest to highest priority. This is good as this gives a deterministic behavior."
 msgstr "VyOS CLI is all about priorities. Every CLI node has a corresponding ``node.def`` file and possibly an attached script that is executed when the node is present. Nodes can have a priority, and on system bootup - or any other ``commit`` to the config all scripts are executed from lowest to highest priority. This is good as this gives a deterministic behavior."
 
-#: ../../contributing/build-vyos.rst:168
+#: ../../contributing/build-vyos.rst:172
 msgid "VyOS has switched to Debian (12) Bookworm in its ``current`` branch, Due to software version updates, it is recommended to use the official Docker Hub image to build VyOS ISO."
 msgstr "VyOS has switched to Debian (12) Bookworm in its ``current`` branch, Due to software version updates, it is recommended to use the official Docker Hub image to build VyOS ISO."
 
-#: ../../contributing/build-vyos.rst:808
+#: ../../contributing/build-vyos.rst:848
 msgid "VyOS itself comes with a bunch of packages that are specific to our system and thus cannot be found in any Debian mirror. Those packages can be found at the `VyOS GitHub project`_ in their source format can easily be compiled into a custom Debian (`*.deb`) package."
 msgstr "VyOS itself comes with a bunch of packages that are specific to our system and thus cannot be found in any Debian mirror. Those packages can be found at the `VyOS GitHub project`_ in their source format can easily be compiled into a custom Debian (`*.deb`) package."
 
@@ -1541,7 +1552,7 @@ msgstr "VyOS itself comes with a bunch of packages that are specific to our syst
 msgid "VyOS makes use of Jenkins_ as our Continuous Integration (CI) service. Our `VyOS CI`_ server is publicly accessible here: https://ci.vyos.net. You can get a brief overview of all required components shipped in a VyOS ISO."
 msgstr "VyOS makes use of Jenkins_ as our Continuous Integration (CI) service. Our `VyOS CI`_ server is publicly accessible here: https://ci.vyos.net. You can get a brief overview of all required components shipped in a VyOS ISO."
 
-#: ../../contributing/build-vyos.rst:640
+#: ../../contributing/build-vyos.rst:648
 msgid "We again make use of a helper script and some patches to make the build work. Just run the following command:"
 msgstr "We again make use of a helper script and some patches to make the build work. Just run the following command:"
 
@@ -1553,11 +1564,11 @@ msgstr "We assign that status to:"
 msgid "We differentiate in two independent tests, which are both run in parallel by two separate QEmu instances which are launched via ``make test`` and ``make testc`` from within the vyos-build_ repository."
 msgstr "We differentiate in two independent tests, which are both run in parallel by two separate QEmu instances which are launched via ``make test`` and ``make testc`` from within the vyos-build_ repository."
 
-#: ../../contributing/build-vyos.rst:389
+#: ../../contributing/build-vyos.rst:397
 msgid "We now are free to run any command we would like to use for debugging, e.g. re-installing the failed package after updating the repository."
 msgstr "We now are free to run any command we would like to use for debugging, e.g. re-installing the failed package after updating the repository."
 
-#: ../../contributing/build-vyos.rst:381
+#: ../../contributing/build-vyos.rst:389
 msgid "We now need to mount some required, volatile filesystems"
 msgstr "We now need to mount some required, volatile filesystems"
 
@@ -1597,7 +1608,7 @@ msgstr "When having trouble compiling your own ISO image or debugging Jenkins is
 msgid "When modifying the source code, remember these rules of the legacy elimination campaign:"
 msgstr "When modifying the source code, remember these rules of the legacy elimination campaign:"
 
-#: ../../contributing/build-vyos.rst:281
+#: ../../contributing/build-vyos.rst:289
 msgid "When the build is successful, the resulting iso can be found inside the ``build`` directory as ``live-image-[architecture].hybrid.iso``."
 msgstr "When the build is successful, the resulting iso can be found inside the ``build`` directory as ``live-image-[architecture].hybrid.iso``."
 
@@ -1654,11 +1665,11 @@ msgstr "XML interface definition files use the `xml.in` file extension which was
 msgid "XML interface definitions for VyOS come with a RelaxNG schema and are located in the vyos-1x_ module. This schema is a slightly modified schema from VyConf_ alias VyOS 2.0 So VyOS 1.2.x interface definitions will be reusable in Nextgen VyOS Versions with very minimal changes."
 msgstr "XML interface definitions for VyOS come with a RelaxNG schema and are located in the vyos-1x_ module. This schema is a slightly modified schema from VyConf_ alias VyOS 2.0 So VyOS 1.2.x interface definitions will be reusable in Nextgen VyOS Versions with very minimal changes."
 
-#: ../../contributing/build-vyos.rst:867
+#: ../../contributing/build-vyos.rst:907
 msgid "You can also place the generated `*.deb` into your ISO build environment to include it in a custom iso, see :ref:`build_custom_packages` for more information."
 msgstr "You can also place the generated `*.deb` into your ISO build environment to include it in a custom iso, see :ref:`build_custom_packages` for more information."
 
-#: ../../contributing/build-vyos.rst:175
+#: ../../contributing/build-vyos.rst:179
 msgid "You can create yourself some handy Bash aliases to always launch the latest - per release train (`current` or `crux`) - container. Add the following to your ``.bash_aliases`` file:"
 msgstr "You can create yourself some handy Bash aliases to always launch the latest - per release train (`current` or `crux`) - container. Add the following to your ``.bash_aliases`` file:"
 
@@ -1674,7 +1685,7 @@ msgstr "You have an idea of how to make VyOS better or you are in need of a spec
 msgid "You have an idea of how to make VyOS better or you are in need of a specific feature which all users of VyOS would benefit from? To send a feature request please search Phabricator_ to check if there is already a request pending. You can enhance it or if you don't find one, create a new one by use the quick link in the left side under the specific project."
 msgstr "You have an idea of how to make VyOS better or you are in need of a specific feature which all users of VyOS would benefit from? To send a feature request please search Phabricator_ to check if there is already a request pending. You can enhance it or if you don't find one, create a new one by use the quick link in the left side under the specific project."
 
-#: ../../contributing/build-vyos.rst:470
+#: ../../contributing/build-vyos.rst:478
 msgid "You have your own custom kernel `*.deb` packages in the `packages` folder but neglected to create all required out-of tree modules like Accel-PPP, Intel QAT or Intel NIC drivers"
 msgstr "You have your own custom kernel `*.deb` packages in the `packages` folder but neglected to create all required out-of tree modules like Accel-PPP, Intel QAT or Intel NIC drivers"
 
@@ -1767,7 +1778,7 @@ msgstr "``log`` - In some rare cases, it may be useful to see what the OS is doi
 msgid "``set``"
 msgstr "``set``"
 
-#: ../../contributing/build-vyos.rst:467
+#: ../../contributing/build-vyos.rst:475
 msgid "``vyos-build`` repo is outdated, please ``git pull`` to update to the latest release kernel version from us."
 msgstr "``vyos-build`` repo is outdated, please ``git pull`` to update to the latest release kernel version from us."
 
diff --git a/docs/_locale/de/index.pot b/docs/_locale/de/index.pot
index 85da659d..2c1777da 100644
--- a/docs/_locale/de/index.pot
+++ b/docs/_locale/de/index.pot
@@ -12,23 +12,23 @@ msgstr ""
 msgid "Add missing parts or improve the :ref:`Documentation<documentation:Write Documentation>`."
 msgstr "Add missing parts or improve the :ref:`Documentation<documentation:Write Documentation>`."
 
-#: ../../index.rst:72
+#: ../../index.rst:71
 msgid "Adminguide"
 msgstr "Adminguide"
 
-#: ../../index.rst:33
+#: ../../index.rst:32
 msgid "Automate"
 msgstr "Automate"
 
-#: ../../index.rst:25
+#: ../../index.rst:24
 msgid "Configuration and Operation"
 msgstr "Configuration and Operation"
 
-#: ../../index.rst:46
+#: ../../index.rst:45
 msgid "Contribute and Community"
 msgstr "Contribute and Community"
 
-#: ../../index.rst:85
+#: ../../index.rst:84
 msgid "Development"
 msgstr "Development"
 
@@ -36,31 +36,31 @@ msgstr "Development"
 msgid "Discuss in `Slack <https://slack.vyos.io/>`_ or the `Forum <https://forum.vyos.io>`_."
 msgstr "Discuss in `Slack <https://slack.vyos.io/>`_ or the `Forum <https://forum.vyos.io>`_."
 
-#: ../../index.rst:40
+#: ../../index.rst:39
 msgid "Examples"
 msgstr "Examples"
 
-#: ../../index.rst:63
+#: ../../index.rst:62
 msgid "First Steps"
 msgstr "First Steps"
 
-#: ../../index.rst:12
+#: ../../index.rst:11
 msgid "Get / Build VyOS"
 msgstr "Get / Build VyOS"
 
-#: ../../index.rst:42
+#: ../../index.rst:41
 msgid "Get some inspiration from the :ref:`Configuration Blueprints<configexamples/index:Configuration Blueprints>` to build your infrastructure."
 msgstr "Get some inspiration from the :ref:`Configuration Blueprints<configexamples/index:Configuration Blueprints>` to build your infrastructure."
 
-#: ../../index.rst:18
+#: ../../index.rst:17
 msgid "Install VyOS"
 msgstr "Install VyOS"
 
-#: ../../index.rst:35
+#: ../../index.rst:34
 msgid "Integrate VyOS in your automation Workflow with :ref:`Ansible<vyos-ansible>`, have your own :ref:`local scripts<command-scripting>`, or configure VyOS with the :ref:`HTTPS-API<vyosapi>`."
 msgstr "Integrate VyOS in your automation Workflow with :ref:`Ansible<vyos-ansible>`, have your own :ref:`local scripts<command-scripting>`, or configure VyOS with the :ref:`HTTPS-API<vyosapi>`."
 
-#: ../../index.rst:98
+#: ../../index.rst:97
 msgid "Misc"
 msgstr "Misc"
 
@@ -68,10 +68,14 @@ msgstr "Misc"
 msgid "Or you can pick up a `Task <https://vyos.dev/>`_ and fix the :ref:`code<contributing/development:development>`."
 msgstr "Or you can pick up a `Task <https://vyos.dev/>`_ and fix the :ref:`code<contributing/development:development>`."
 
-#: ../../index.rst:15
+#: ../../index.rst:14
 msgid "Quickly :ref:`Build<contributing/build-vyos:build vyos>` your own Image or take a look at how to :ref:`download<installation/install:download>` a free or supported version."
 msgstr "Quickly :ref:`Build<contributing/build-vyos:build vyos>` your own Image or take a look at how to :ref:`download<installation/install:download>` a free or supported version."
 
+#: ../../index.rst:19
+msgid "Read about how to install VyOS on :ref:`Bare Metal<installation/install:installation>` or in a :ref:`Virtual Environment<installation/virtual/index:Virtual Environments>` and how to use an image with the usual :ref:`cloud<installation/cloud/index:Cloud Environments>` providers"
+msgstr "Read about how to install VyOS on :ref:`Bare Metal<installation/install:installation>` or in a :ref:`Virtual Environment<installation/virtual/index:Virtual Environments>` and how to use an image with the usual :ref:`cloud<installation/cloud/index:Cloud Environments>` providers"
+
 #: ../../index.rst:20
 msgid "Read about how to install VyOS on :ref:`Bare Metal<installation/install:installation>` or in a :ref:`Virtual Environment<installation/virtual/index:running vyos in virtual environments>` and how to use an image with the usual :ref:`cloud<installation/cloud/index:running VyOS in Cloud Environments>` providers"
 msgstr "Read about how to install VyOS on :ref:`Bare Metal<installation/install:installation>` or in a :ref:`Virtual Environment<installation/virtual/index:running vyos in virtual environments>` and how to use an image with the usual :ref:`cloud<installation/cloud/index:running VyOS in Cloud Environments>` providers"
@@ -80,7 +84,7 @@ msgstr "Read about how to install VyOS on :ref:`Bare Metal<installation/install:
 msgid "There are many ways to contribute to the project."
 msgstr "There are many ways to contribute to the project."
 
-#: ../../index.rst:27
+#: ../../index.rst:26
 msgid "Use the :ref:`Quickstart Guide<quick-start:Quick Start>`, to have a fast overview. Or go deeper and set up :ref:`advanced routing<configuration/protocols/index:protocols>`, :ref:`VRFs<configuration/vrf/index:vrf>`, or :ref:`VPNs<configuration/vpn/index:vpn>` for example."
 msgstr "Use the :ref:`Quickstart Guide<quick-start:Quick Start>`, to have a fast overview. Or go deeper and set up :ref:`advanced routing<configuration/protocols/index:protocols>`, :ref:`VRFs<configuration/vrf/index:vrf>`, or :ref:`VPNs<configuration/vpn/index:vpn>` for example."
 
diff --git a/docs/_locale/de/installation.pot b/docs/_locale/de/installation.pot
index f4eb678e..09f50f9b 100644
--- a/docs/_locale/de/installation.pot
+++ b/docs/_locale/de/installation.pot
@@ -28,7 +28,7 @@ msgstr "**Delete the VM** from the GNS3 project."
 msgid "**Early Production Access**"
 msgstr "**Early Production Access**"
 
-#: ../../installation/install.rst:541
+#: ../../installation/install.rst:542
 msgid "**First** run a web server - you can use a simple one like `Python's SimpleHTTPServer`_ and start serving the `filesystem.squashfs` file. The file can be found inside the `/live` directory of the extracted contents of the ISO file."
 msgstr "**First** run a web server - you can use a simple one like `Python's SimpleHTTPServer`_ and start serving the `filesystem.squashfs` file. The file can be found inside the `/live` directory of the extracted contents of the ISO file."
 
@@ -40,6 +40,10 @@ msgstr "**General settings** tab: Set the boot priority to **HDD**"
 msgid "**Long-Term Support**"
 msgstr "**Long-Term Support**"
 
+#: ../../installation/bare-metal.rst:436
+msgid "**NOTE:** This is the entry level platform. Other derivates exists with i3-N305 CPU and 2x 25GbE!"
+msgstr "**NOTE:** This is the entry level platform. Other derivates exists with i3-N305 CPU and 2x 25GbE!"
+
 #: ../../installation/install.rst:21
 msgid "**Nightly (Beta)**"
 msgstr "**Nightly (Beta)**"
@@ -52,11 +56,11 @@ msgstr "**Nightly (Current)**"
 msgid "**Release Candidate**"
 msgstr "**Release Candidate**"
 
-#: ../../installation/install.rst:432
+#: ../../installation/install.rst:433
 msgid "**Requirements**"
 msgstr "**Requirements**"
 
-#: ../../installation/install.rst:546
+#: ../../installation/install.rst:547
 msgid "**Second**, edit the configuration file of the :ref:`install_from_tftp` so that it shows the correct URL at ``fetch=http://<address_of_your_HTTP_server>/filesystem.squashfs``."
 msgstr "**Second**, edit the configuration file of the :ref:`install_from_tftp` so that it shows the correct URL at ``fetch=http://<address_of_your_HTTP_server>/filesystem.squashfs``."
 
@@ -64,99 +68,115 @@ msgstr "**Second**, edit the configuration file of the :ref:`install_from_tftp`
 msgid "**Snapshot**"
 msgstr "**Snapshot**"
 
-#: ../../installation/install.rst:300
+#: ../../installation/install.rst:301
 msgid "**Warning**: This will destroy all data on the USB drive!"
 msgstr "**Warning**: This will destroy all data on the USB drive!"
 
-#: ../../installation/vyos-on-baremetal.rst:20
+#: ../../installation/bare-metal.rst:20
 msgid "1x Crucial CT4G4DFS824A (4GB DDR4 RAM 2400 MT/s, PC4-19200)"
 msgstr "1x Crucial CT4G4DFS824A (4GB DDR4 RAM 2400 MT/s, PC4-19200)"
 
-#: ../../installation/vyos-on-baremetal.rst:102
+#: ../../installation/bare-metal.rst:442
+msgid "1x Gowin GW-FN-1UR1-10G"
+msgstr "1x Gowin GW-FN-1UR1-10G"
+
+#: ../../installation/bare-metal.rst:449
+msgid "1x HP LT4120 Snapdragon X5 LTE WWAN module"
+msgstr "1x HP LT4120 Snapdragon X5 LTE WWAN module"
+
+#: ../../installation/bare-metal.rst:102
 msgid "1x Kingston SUV500MS/120G"
 msgstr "1x Kingston SUV500MS/120G"
 
-#: ../../installation/vyos-on-baremetal.rst:21
+#: ../../installation/bare-metal.rst:448
+msgid "1x MediaTek 7921E M.2 NGFF WIFI module (not tested as this currently leads to a Kernel crash)"
+msgstr "1x MediaTek 7921E M.2 NGFF WIFI module (not tested as this currently leads to a Kernel crash)"
+
+#: ../../installation/bare-metal.rst:21
 msgid "1x SanDisk Ultra Fit 32GB (USB-A 3.0 SDCZ43-032G-G46 mass storage for OS)"
 msgstr "1x SanDisk Ultra Fit 32GB (USB-A 3.0 SDCZ43-032G-G46 mass storage for OS)"
 
-#: ../../installation/vyos-on-baremetal.rst:18
+#: ../../installation/bare-metal.rst:18
 msgid "1x Supermicro A2SDi-2C-HLN4F (Intel Atom C3338, 2C/2T, 4MB cache, Quad LAN with Intel C3000 SoC 1GbE)"
 msgstr "1x Supermicro A2SDi-2C-HLN4F (Intel Atom C3338, 2C/2T, 4MB cache, Quad LAN with Intel C3000 SoC 1GbE)"
 
-#: ../../installation/vyos-on-baremetal.rst:16
+#: ../../installation/bare-metal.rst:16
 msgid "1x Supermicro CSE-505-203B (19\" 1U chassis, inkl. 200W PSU)"
 msgstr "1x Supermicro CSE-505-203B (19\" 1U chassis, inkl. 200W PSU)"
 
-#: ../../installation/vyos-on-baremetal.rst:30
+#: ../../installation/bare-metal.rst:30
 msgid "1x Supermicro MCP-120-00063-0N (Riser Card Bracket)"
 msgstr "1x Supermicro MCP-120-00063-0N (Riser Card Bracket)"
 
-#: ../../installation/vyos-on-baremetal.rst:17
+#: ../../installation/bare-metal.rst:17
 msgid "1x Supermicro MCP-260-00085-0B (I/O Shield for A2SDi-2C-HLN4F)"
 msgstr "1x Supermicro MCP-260-00085-0B (I/O Shield for A2SDi-2C-HLN4F)"
 
-#: ../../installation/vyos-on-baremetal.rst:22
+#: ../../installation/bare-metal.rst:22
 msgid "1x Supermicro MCP-320-81302-0B (optional FAN tray)"
 msgstr "1x Supermicro MCP-320-81302-0B (optional FAN tray)"
 
-#: ../../installation/vyos-on-baremetal.rst:29
+#: ../../installation/bare-metal.rst:29
 msgid "1x Supermicro RSC-RR1U-E8 (Riser Card)"
 msgstr "1x Supermicro RSC-RR1U-E8 (Riser Card)"
 
-#: ../../installation/vyos-on-baremetal.rst:103
+#: ../../installation/bare-metal.rst:103
 msgid "1x VARIA Group Item 326745 19\" dual rack for APU4"
 msgstr "1x VARIA Group Item 326745 19\" dual rack for APU4"
 
-#: ../../installation/vyos-on-baremetal.rst:101
+#: ../../installation/bare-metal.rst:101
 msgid "1x apu4c4 = 4 i211AT LAN / AMD GX-412TC CPU / 4 GB DRAM / dual SIM"
 msgstr "1x apu4c4 = 4 i211AT LAN / AMD GX-412TC CPU / 4 GB DRAM / dual SIM"
 
-#: ../../installation/vyos-on-baremetal.rst:91
+#: ../../installation/bare-metal.rst:91
 msgid "2 miniPCI express (one with SIM socket for 3G modem)."
 msgstr "2 miniPCI express (one with SIM socket for 3G modem)."
 
-#: ../../installation/vyos-on-baremetal.rst:89
+#: ../../installation/bare-metal.rst:443
+msgid "2x 128GB M.2 NVMe SSDs"
+msgstr "2x 128GB M.2 NVMe SSDs"
+
+#: ../../installation/bare-metal.rst:89
 msgid "4 GB DDR3-1333 DRAM, with optional ECC support"
 msgstr "4 GB DDR3-1333 DRAM, with optional ECC support"
 
-#: ../../installation/vyos-on-baremetal.rst:92
+#: ../../installation/bare-metal.rst:92
 msgid "4 Gigabit Ethernet channels using Intel i211AT NICs"
 msgstr "4 Gigabit Ethernet channels using Intel i211AT NICs"
 
-#: ../../installation/vyos-on-baremetal.rst:87
+#: ../../installation/bare-metal.rst:87
 msgid "AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support, 32K data + 32K instruction cache per core, shared 2MB L2 cache."
 msgstr "AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support, 32K data + 32K instruction cache per core, shared 2MB L2 cache."
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "APU4 custom VyOS powder coat"
 msgstr "APU4 custom VyOS powder coat"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "APU4 desktop back"
 msgstr "APU4 desktop back"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "APU4 desktop closed"
 msgstr "APU4 desktop closed"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "APU4 rack closed"
 msgstr "APU4 rack closed"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "APU4 rack front"
 msgstr "APU4 rack front"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "APU4 rack module #1"
 msgstr "APU4 rack module #1"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "APU4 rack module #2"
 msgstr "APU4 rack module #2"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "APU4 rack module #3 with PSU"
 msgstr "APU4 rack module #3 with PSU"
 
@@ -164,7 +184,7 @@ msgstr "APU4 rack module #3 with PSU"
 msgid "A VyOS installation image (.iso file). You can find how to get it on the :ref:`installation` page"
 msgstr "A VyOS installation image (.iso file). You can find how to get it on the :ref:`installation` page"
 
-#: ../../installation/install.rst:490
+#: ../../installation/install.rst:491
 msgid "A directory named pxelinux.cfg which must contain the configuration file. We will use the configuration_ file shown below, which we named default_."
 msgstr "A directory named pxelinux.cfg which must contain the configuration file. We will use the configuration_ file shown below, which we named default_."
 
@@ -172,15 +192,19 @@ msgstr "A directory named pxelinux.cfg which must contain the configuration file
 msgid "A particularly stable release frozen from nightly each month after manual testing. Still contains experimental code."
 msgstr "A particularly stable release frozen from nightly each month after manual testing. Still contains experimental code."
 
-#: ../../installation/install.rst:269
+#: ../../installation/install.rst:270
 msgid "A permanent VyOS installation always requires to go first through a live installation."
 msgstr "A permanent VyOS installation always requires to go first through a live installation."
 
+#: ../../installation/bare-metal.rst:428
+msgid "A platform utilizing an Intel Alder Lake-N100 CPU with 6M cache, TDP 6W. Onboard LPDDR5 16GB RAM and 128GB eMMC (can be used for image installation)."
+msgstr "A platform utilizing an Intel Alder Lake-N100 CPU with 6M cache, TDP 6W. Onboard LPDDR5 16GB RAM and 128GB eMMC (can be used for image installation)."
+
 #: ../../installation/virtual/gns3.rst:22
 msgid "A working GNS3 installation. For further information see the `GNS3 documentation <https://docs.gns3.com/>`__."
 msgstr "A working GNS3 installation. For further information see the `GNS3 documentation <https://docs.gns3.com/>`__."
 
-#: ../../installation/vyos-on-baremetal.rst:90
+#: ../../installation/bare-metal.rst:90
 msgid "About 6 to 10W of 12V DC power depending on CPU load"
 msgstr "About 6 to 10W of 12V DC power depending on CPU load"
 
@@ -196,7 +220,7 @@ msgstr "Access to Images"
 msgid "Access to Source"
 msgstr "Access to Source"
 
-#: ../../installation/vyos-on-baremetal.rst:368
+#: ../../installation/bare-metal.rst:368
 msgid "Acrosser AND-J190N1"
 msgstr "Acrosser AND-J190N1"
 
@@ -216,7 +240,7 @@ msgstr "Additional storage. You can remove additional storage ``/dev/sdb``. Firs
 msgid "Additional storage. You can remove additional storage ``/dev/sdb``. First root device will be ``/dev/xvda``. You can skip this step."
 msgstr "Additional storage. You can remove additional storage ``/dev/sdb``. First root device will be ``/dev/xvda``. You can skip this step."
 
-#: ../../installation/vyos-on-baremetal.rst:394
+#: ../../installation/bare-metal.rst:394
 msgid "Advanced > Serial Port Console Redirection > Console Redirection Settings:"
 msgstr "Advanced > Serial Port Console Redirection > Console Redirection Settings:"
 
@@ -236,11 +260,15 @@ msgstr "After installation - exit from the console using the key combination ``C
 msgid "After installation has completed, remove the installation iso using the GUI or ``qm set 200 --ide2 none``."
 msgstr "After installation has completed, remove the installation iso using the GUI or ``qm set 200 --ide2 none``."
 
-#: ../../installation/update.rst:88
+#: ../../installation/update.rst:93
 msgid "After reboot you might want to verify the version you are running with the :opcmd:`show version` command."
 msgstr "After reboot you might want to verify the version you are running with the :opcmd:`show version` command."
 
-#: ../../installation/install.rst:413
+#: ../../installation/secure-boot.rst:155
+msgid "After the Kernel CI build completes, the generated key is discarded - meaning we can no londer sign additional modules with out key. Our Kernel configuration also contains the option ``CONFIG_MODULE_SIG_FORCE=y`` which means that we enforce all modules to be signed. If you try to load an unsigned module, it will be rejected with the following error:"
+msgstr "After the Kernel CI build completes, the generated key is discarded - meaning we can no londer sign additional modules with out key. Our Kernel configuration also contains the option ``CONFIG_MODULE_SIG_FORCE=y`` which means that we enforce all modules to be signed. If you try to load an unsigned module, it will be rejected with the following error:"
+
+#: ../../installation/install.rst:414
 msgid "After the installation is completed, remove the live USB stick or CD."
 msgstr "After the installation is completed, remove the live USB stick or CD."
 
@@ -256,15 +284,15 @@ msgstr "Amazon AWS"
 msgid "Amazon CloudWatch Agent Usage"
 msgstr "Amazon CloudWatch Agent Usage"
 
-#: ../../installation/install.rst:450
+#: ../../installation/install.rst:451
 msgid "An IP address"
 msgstr "An IP address"
 
-#: ../../installation/vyos-on-baremetal.rst:334
+#: ../../installation/bare-metal.rst:334
 msgid "An external RS232 serial port is available, internally a GPIO header as well. It does have Realtek based audio on board for some reason, but you can disable that. Booting works on both USB2 and USB3 ports. Switching between serial BIOS mode and HDMI BIOS mode depends on what is connected at startup; it goes into serial mode if you disconnect HDMI and plug in serial, in all other cases it's HDMI mode."
 msgstr "An external RS232 serial port is available, internally a GPIO header as well. It does have Realtek based audio on board for some reason, but you can disable that. Booting works on both USB2 and USB3 ports. Switching between serial BIOS mode and HDMI BIOS mode depends on what is connected at startup; it goes into serial mode if you disconnect HDMI and plug in serial, in all other cases it's HDMI mode."
 
-#: ../../installation/install.rst:554
+#: ../../installation/install.rst:555
 msgid "And **third**, restart the TFTP service. If you are using VyOS as your TFTP Server, you can restart the service with ``sudo service tftpd-hpa restart``."
 msgstr "And **third**, restart the TFTP service. If you are using VyOS as your TFTP Server, you can restart the service with ``sudo service tftpd-hpa restart``."
 
@@ -276,11 +304,15 @@ msgstr "Another issue of GPG is that it creates a /root/.gnupg directory just fo
 msgid "Another point is that we are using RSA now, which requires absurdly large keys to be secure."
 msgstr "Another point is that we are using RSA now, which requires absurdly large keys to be secure."
 
-#: ../../installation/vyos-on-baremetal.rst:201
+#: ../../installation/secure-boot.rst:33
+msgid "As our version of ``shim`` is not signed by Microsoft we need to enroll the previously generated :abbr:`MOK (Machine Owner Key)` to the system."
+msgstr "As our version of ``shim`` is not signed by Microsoft we need to enroll the previously generated :abbr:`MOK (Machine Owner Key)` to the system."
+
+#: ../../installation/bare-metal.rst:201
 msgid "As the APU board itself still used a serial setting of 115200 8N1 it is strongly recommended that you change the VyOS serial interface settings after your first successful boot."
 msgstr "As the APU board itself still used a serial setting of 115200 8N1 it is strongly recommended that you change the VyOS serial interface settings after your first successful boot."
 
-#: ../../installation/vyos-on-baremetal.rst:82
+#: ../../installation/bare-metal.rst:82
 msgid "As this platform seems to be quite common in terms of noise, cost, power and performance it makes sense to write a small installation manual."
 msgstr "As this platform seems to be quite common in terms of noise, cost, power and performance it makes sense to write a small installation manual."
 
@@ -320,15 +352,23 @@ msgstr "Azure does not allow you attach interface when the instance in the **Run
 msgid "Azure has a way to access the serial console of a VM, but this needs to be configured on the VyOS. It's there by default, but keep it in mind if you are replacing config.boot and rebooting: ``set system console device ttyS0 speed '9600'``"
 msgstr "Azure has a way to access the serial console of a VM, but this needs to be configured on the VyOS. It's there by default, but keep it in mind if you are replacing config.boot and rebooting: ``set system console device ttyS0 speed '9600'``"
 
-#: ../../installation/vyos-on-baremetal.rst:382
+#: ../../installation/bare-metal.rst:470
+msgid "BIOS Settings"
+msgstr "BIOS Settings"
+
+#: ../../installation/bare-metal.rst:382
 msgid "BIOS Settings:"
 msgstr "BIOS Settings:"
 
-#: ../../installation/install.rst:334
+#: ../../installation/bare-metal.rst:5
+msgid "Bare Metal Deployment"
+msgstr "Bare Metal Deployment"
+
+#: ../../installation/install.rst:335
 msgid "Before a permanent installation, VyOS requires a :ref:`live_installation`."
 msgstr "Before a permanent installation, VyOS requires a :ref:`live_installation`."
 
-#: ../../installation/vyos-on-baremetal.rst:358
+#: ../../installation/bare-metal.rst:358
 msgid "Begin rapidly pressing delete on the keyboard. The boot prompt is very quick, but with a few tries you should be able to get into the BIOS."
 msgstr "Begin rapidly pressing delete on the keyboard. The boot prompt is very quick, but with a few tries you should be able to get into the BIOS."
 
@@ -336,19 +376,19 @@ msgstr "Begin rapidly pressing delete on the keyboard. The boot prompt is very q
 msgid "Being again at the **Preferences** window, having **Qemu VMs** selected and having our new VM selected, click the ``Edit`` button."
 msgstr "Being again at the **Preferences** window, having **Qemu VMs** selected and having our new VM selected, click the ``Edit`` button."
 
-#: ../../installation/vyos-on-baremetal.rst:397
+#: ../../installation/bare-metal.rst:397
 msgid "Bits per second : 9600"
 msgstr "Bits per second : 9600"
 
-#: ../../installation/install.rst:583
+#: ../../installation/install.rst:584
 msgid "Black screen on install"
 msgstr "Black screen on install"
 
-#: ../../installation/vyos-on-baremetal.rst:362
+#: ../../installation/bare-metal.rst:362
 msgid "Boot to the VyOS installer and install as usual."
 msgstr "Boot to the VyOS installer and install as usual."
 
-#: ../../installation/vyos-on-baremetal.rst:236
+#: ../../installation/bare-metal.rst:236
 msgid "Both device types operate without any moving parts and emit zero noise."
 msgstr "Both device types operate without any moving parts and emit zero noise."
 
@@ -360,39 +400,39 @@ msgstr "Building from source"
 msgid "CLI"
 msgstr "CLI"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "CSE-505-203B Back"
 msgstr "CSE-505-203B Back"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "CSE-505-203B Front"
 msgstr "CSE-505-203B Front"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "CSE-505-203B Open 1"
 msgstr "CSE-505-203B Open 1"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "CSE-505-203B Open 2"
 msgstr "CSE-505-203B Open 2"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "CSE-505-203B Open 3"
 msgstr "CSE-505-203B Open 3"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "CSE-505-203B w/ 10GE Open"
 msgstr "CSE-505-203B w/ 10GE Open"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "CSE-505-203B w/ 10GE Open 1"
 msgstr "CSE-505-203B w/ 10GE Open 1"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "CSE-505-203B w/ 10GE Open 2"
 msgstr "CSE-505-203B w/ 10GE Open 2"
 
-#: ../../installation/vyos-on-baremetal.rst:-1
+#: ../../installation/bare-metal.rst:-1
 msgid "CSE-505-203B w/ 10GE Open 3"
 msgstr "CSE-505-203B w/ 10GE Open 3"
 
@@ -400,7 +440,7 @@ msgstr "CSE-505-203B w/ 10GE Open 3"
 msgid "Change Deployment name/Zone/Machine type and click ``Deploy``"
 msgstr "Change Deployment name/Zone/Machine type and click ``Deploy``"
 
-#: ../../installation/vyos-on-baremetal.rst:360
+#: ../../installation/bare-metal.rst:360
 msgid "Chipset > South Bridge > USB Configuration: set XHCI to Disabled and USB 2.0 (EHCI) to Enabled. Without doing this, the USB drive won't boot."
 msgstr "Chipset > South Bridge > USB Configuration: set XHCI to Disabled and USB 2.0 (EHCI) to Enabled. Without doing this, the USB drive won't boot."
 
@@ -457,11 +497,11 @@ msgstr "Click to ``Instances`` and ``Launch Instance``"
 msgid "Click to your new vm and find out your Public IP address."
 msgstr "Click to your new vm and find out your Public IP address."
 
-#: ../../installation/install.rst:565
+#: ../../installation/install.rst:566
 msgid "Client Boot"
 msgstr "Client Boot"
 
-#: ../../installation/install.rst:434
+#: ../../installation/install.rst:435
 msgid "Clients (where VyOS is to be installed) with a PXE-enabled NIC"
 msgstr "Clients (where VyOS is to be installed) with a PXE-enabled NIC"
 
@@ -477,15 +517,19 @@ msgstr "CloudWatchAgentServerRole is too permissive and should be used for singl
 msgid "CloudWatch SSM Configuration creation"
 msgstr "CloudWatch SSM Configuration creation"
 
+#: ../../installation/cloud/index.rst:3
+msgid "Cloud Environments"
+msgstr "Cloud Environments"
+
 #: ../../installation/install.rst:12
 msgid "Comparison of VyOS image releases"
 msgstr "Comparison of VyOS image releases"
 
-#: ../../installation/vyos-on-baremetal.rst:117
+#: ../../installation/bare-metal.rst:117
 msgid "Compex WLE900VX mini-PCIe WiFi module, only supported in mPCIe slot 1."
 msgstr "Compex WLE900VX mini-PCIe WiFi module, only supported in mPCIe slot 1."
 
-#: ../../installation/install.rst:443
+#: ../../installation/install.rst:444
 msgid "Configuration"
 msgstr "Configuration"
 
@@ -493,11 +537,11 @@ msgstr "Configuration"
 msgid "Configure Security Group. It's recommended that you configure ssh access only from certain address sources. Or permit any (by default)."
 msgstr "Configure Security Group. It's recommended that you configure ssh access only from certain address sources. Or permit any (by default)."
 
-#: ../../installation/install.rst:448
+#: ../../installation/install.rst:449
 msgid "Configure a DHCP server to provide the client with:"
 msgstr "Configure a DHCP server to provide the client with:"
 
-#: ../../installation/install.rst:479
+#: ../../installation/install.rst:480
 msgid "Configure a TFTP server so that it serves the following:"
 msgstr "Configure a TFTP server so that it serves the following:"
 
@@ -505,7 +549,11 @@ msgstr "Configure a TFTP server so that it serves the following:"
 msgid "Configure instance for your requirements. Select number of instances / network / subnet"
 msgstr "Configure instance for your requirements. Select number of instances / network / subnet"
 
-#: ../../installation/vyos-on-baremetal.rst:142
+#: ../../installation/bare-metal.rst:509
+msgid "Connect serial port to a PC through a USB <-> RJ45 console cable. Set terminal emulator to 115200 8N1. You can also perform the installation using VGA or HDMI ports."
+msgstr "Connect serial port to a PC through a USB <-> RJ45 console cable. Set terminal emulator to 115200 8N1. You can also perform the installation using VGA or HDMI ports."
+
+#: ../../installation/bare-metal.rst:142
 msgid "Connect serial port to a PC through null modem cable (RXD / TXD crossed over). Set terminal emulator to 115200 8N1."
 msgstr "Connect serial port to a PC through null modem cable (RXD / TXD crossed over). Set terminal emulator to 115200 8N1."
 
@@ -517,7 +565,7 @@ msgstr "Connect to VM  with command ``virsh console vyos_r1``"
 msgid "Connect to VM  with command ``virsh console vyos_r2``"
 msgstr "Connect to VM  with command ``virsh console vyos_r2``"
 
-#: ../../installation/vyos-on-baremetal.rst:391
+#: ../../installation/bare-metal.rst:391
 msgid "Connect to serial (115200bps). Power on the appliance and press Del in the console when requested to enter BIOS settings."
 msgstr "Connect to serial (115200bps). Power on the appliance and press Del in the console when requested to enter BIOS settings."
 
@@ -530,12 +578,16 @@ msgstr "Connect to the instance. SSH key was generated in the first step."
 msgid "Connect to the instance by SSH key."
 msgstr "Connect to the instance by SSH key."
 
-#: ../../installation/cloud/index.rst:7
-#: ../../installation/index.rst:7
+#: ../../installation/cloud/index.rst:5
+#: ../../installation/index.rst:5
 #: ../../installation/virtual/index.rst:5
 msgid "Content"
 msgstr "Content"
 
+#: ../../installation/bare-metal.rst:463
+msgid "Cooling"
+msgstr "Cooling"
+
 #: ../../installation/virtual/proxmox.rst:14
 msgid "Copy the qcow2 image to a temporary directory on the Proxmox server."
 msgstr "Copy the qcow2 image to a temporary directory on the Proxmox server."
@@ -548,11 +600,11 @@ msgstr "Create VM name ``vyos_r1``. You must specify the path to the ``ISO`` ima
 msgid "Create VM with ``import`` qcow2 disk option."
 msgstr "Create VM with ``import`` qcow2 disk option."
 
-#: ../../installation/vyos-on-baremetal.rst:412
+#: ../../installation/bare-metal.rst:412
 msgid "Create a VyOS bootable USB key. I used the 64-bit ISO (VyOS 1.1.7) and `LinuxLive USB Creator <http://www.linuxliveusb.com/>`_."
 msgstr "Create a VyOS bootable USB key. I used the 64-bit ISO (VyOS 1.1.7) and `LinuxLive USB Creator <http://www.linuxliveusb.com/>`_."
 
-#: ../../installation/vyos-on-baremetal.rst:140
+#: ../../installation/bare-metal.rst:140
 msgid "Create a bootable USB pendrive using e.g. Rufus_ on a Windows machine."
 msgstr "Create a bootable USB pendrive using e.g. Rufus_ on a Windows machine."
 
@@ -588,7 +640,7 @@ msgstr "Define network, subnet, Public IP. Or it will be created by default."
 msgid "Delete no longer needed images from the system. You can specify an optional image name to delete, the image name can be retrieved via a list of available images can be shown using the :opcmd:`show system image`."
 msgstr "Delete no longer needed images from the system. You can specify an optional image name to delete, the image name can be retrieved via a list of available images can be shown using the :opcmd:`show system image`."
 
-#: ../../installation/vyos-on-baremetal.rst:137
+#: ../../installation/bare-metal.rst:137
 msgid "Depending on the VyOS versions you intend to install there is a difference in the serial port settings (:vytask:`T1327`)."
 msgstr "Depending on the VyOS versions you intend to install there is a difference in the serial port settings (:vytask:`T1327`)."
 
@@ -632,7 +684,7 @@ msgstr "Deploy from qcow2"
 msgid "Description"
 msgstr "Description"
 
-#: ../../installation/vyos-on-baremetal.rst:270
+#: ../../installation/bare-metal.rst:270
 msgid "Desktop / Bench Top"
 msgstr "Desktop / Bench Top"
 
@@ -644,7 +696,11 @@ msgstr "Developing VyOS, testing new features, experimenting."
 msgid "Developing and testing the latest major version under development."
 msgstr "Developing and testing the latest major version under development."
 
-#: ../../installation/vyos-on-baremetal.rst:406
+#: ../../installation/secure-boot.rst:-1
+msgid "Disable UEFI secure boot"
+msgstr "Disable UEFI secure boot"
+
+#: ../../installation/bare-metal.rst:406
 msgid "Disable XHCI"
 msgstr "Disable XHCI"
 
@@ -652,7 +708,7 @@ msgstr "Disable XHCI"
 msgid "Disk size"
 msgstr "Disk size"
 
-#: ../../installation/install.rst:550
+#: ../../installation/install.rst:551
 msgid "Do not change the name of the *filesystem.squashfs* file. If you are working with different versions, you can create different directories instead."
 msgstr "Do not change the name of the *filesystem.squashfs* file. If you are working with different versions, you can create different directories instead."
 
@@ -688,10 +744,14 @@ msgstr "Download the rolling release iso from https://vyos.net/get/nightly-build
 msgid "Drag the newly created VyOS VM into it."
 msgstr "Drag the newly created VyOS VM into it."
 
-#: ../../installation/install.rst:256
+#: ../../installation/install.rst:257
 msgid "During an image upgrade VyOS performas the following command:"
 msgstr "During an image upgrade VyOS performas the following command:"
 
+#: ../../installation/secure-boot.rst:127
+msgid "During image installation you will install your :abbr:`MOK (Machine Owner Key)` into the UEFI variables to add trust to this key. After enabling secure boot support in UEFI again, you can only boot into your signed image."
+msgstr "During image installation you will install your :abbr:`MOK (Machine Owner Key)` into the UEFI variables to add trust to this key. After enabling secure boot support in UEFI again, you can only boot into your signed image."
+
 #: ../../installation/virtual/vmware.rst:7
 msgid "ESXi 5.5 or later"
 msgstr "ESXi 5.5 or later"
@@ -704,7 +764,7 @@ msgstr "EVE-NG"
 msgid "Edit /etc/docker/daemon.json to set the ``ipv6`` key to ``true`` and to specify the ``fixed-cidr-v6`` to your desired IPv6 subnet."
 msgstr "Edit /etc/docker/daemon.json to set the ``ipv6`` key to ``true`` and to specify the ``fixed-cidr-v6`` to your desired IPv6 subnet."
 
-#: ../../installation/vyos-on-baremetal.rst:407
+#: ../../installation/bare-metal.rst:407
 msgid "Enable USB 2.0 (EHCI) Support"
 msgstr "Enable USB 2.0 (EHCI) Support"
 
@@ -725,7 +785,7 @@ msgstr "Every month until RC comes out"
 msgid "Every night"
 msgstr "Every night"
 
-#: ../../installation/install.rst:343
+#: ../../installation/install.rst:344
 msgid "Every version is contained in its own squashfs image that is mounted in a union filesystem together with a directory for mutable data such as configurations, keys, or custom scripts."
 msgstr "Every version is contained in its own squashfs image that is mounted in a union filesystem together with a directory for mutable data such as configurations, keys, or custom scripts."
 
@@ -750,23 +810,23 @@ msgstr "Example"
 msgid "Example:"
 msgstr "Example:"
 
-#: ../../installation/install.rst:522
+#: ../../installation/install.rst:523
 msgid "Example of simple (no menu) configuration file:"
 msgstr "Example of simple (no menu) configuration file:"
 
-#: ../../installation/install.rst:502
+#: ../../installation/install.rst:503
 msgid "Example of the contents of the TFTP server:"
 msgstr "Example of the contents of the TFTP server:"
 
-#: ../../installation/vyos-on-baremetal.rst:109
+#: ../../installation/bare-metal.rst:109
 msgid "Extension Modules"
 msgstr "Extension Modules"
 
-#: ../../installation/install.rst:439
+#: ../../installation/install.rst:440
 msgid "Files *pxelinux.0* and *ldlinux.c32* `from the Syslinux distribution <https://kernel.org/pub/linux/utils/boot/syslinux/>`_"
 msgstr "Files *pxelinux.0* and *ldlinux.c32* `from the Syslinux distribution <https://kernel.org/pub/linux/utils/boot/syslinux/>`_"
 
-#: ../../installation/install.rst:567
+#: ../../installation/install.rst:568
 msgid "Finally, turn on your PXE-enabled client or clients. They will automatically get an IP address from the DHCP server and start booting into VyOS live from the files automatically taken from the TFTP and HTTP servers."
 msgstr "Finally, turn on your PXE-enabled client or clients. They will automatically get an IP address from the DHCP server and start booting into VyOS live from the files automatically taken from the TFTP and HTTP servers."
 
@@ -774,7 +834,7 @@ msgstr "Finally, turn on your PXE-enabled client or clients. They will automatic
 msgid "Finally, verify the authenticity of the downloaded image:"
 msgstr "Finally, verify the authenticity of the downloaded image:"
 
-#: ../../installation/install.rst:285
+#: ../../installation/install.rst:286
 msgid "Find out the device name of your USB drive (you can use the ``lsblk`` command)"
 msgstr "Find out the device name of your USB drive (you can use the ``lsblk`` command)"
 
@@ -794,7 +854,15 @@ msgstr "First, a virtual machine (VM) for the VyOS installation must be created
 msgid "First, install GPG or another OpenPGP implementation. On most GNU+Linux distributions it is installed by default as package managers use it to verify package signatures. If not pre-installed, it will need to be downloaded and installed."
 msgstr "First, install GPG or another OpenPGP implementation. On most GNU+Linux distributions it is installed by default as package managers use it to verify package signatures. If not pre-installed, it will need to be downloaded and installed."
 
-#: ../../installation/vyos-on-baremetal.rst:384
+#: ../../installation/bare-metal.rst:481
+msgid "First Boot"
+msgstr "First Boot"
+
+#: ../../installation/secure-boot.rst:36
+msgid "First of all you will need to disable UEFI secure boot for the installation."
+msgstr "First of all you will need to disable UEFI secure boot for the installation."
+
+#: ../../installation/bare-metal.rst:384
 msgid "First thing you want to do is getting a more user friendly console to configure BIOS. Default VT100 brings a lot of issues. Configure VT100+ instead."
 msgstr "First thing you want to do is getting a more user friendly console to configure BIOS. Default VT100 brings a lot of issues. Configure VT100+ instead."
 
@@ -802,10 +870,18 @@ msgstr "First thing you want to do is getting a more user friendly console to co
 msgid "For completion the key below corresponds to the key listed in the URL above."
 msgstr "For completion the key below corresponds to the key listed in the URL above."
 
-#: ../../installation/vyos-on-baremetal.rst:387
+#: ../../installation/bare-metal.rst:678
+msgid "For more information please refer to chapter: :ref:`wwan-interface`"
+msgstr "For more information please refer to chapter: :ref:`wwan-interface`"
+
+#: ../../installation/bare-metal.rst:387
 msgid "For practical issues change speed from 115200 to 9600. 9600 is the default speed at which both linux kernel and VyOS will reconfigure the serial port when loading."
 msgstr "For practical issues change speed from 115200 to 9600. 9600 is the default speed at which both linux kernel and VyOS will reconfigure the serial port when loading."
 
+#: ../../installation/update.rst:84
+msgid "For updates to the Rolling Release for AMD64, the following URL may be used:"
+msgstr "For updates to the Rolling Release for AMD64, the following URL may be used:"
+
 #: ../../installation/migrate-from-vyatta.rst:161
 msgid "Future releases of VyOS will break the direct upgrade path from Vyatta core. Please upgrade through an intermediate VyOS version e.g. VyOS 1.2. After this you can continue upgrading to newer releases once you bootet into VyOS 1.2 once."
 msgstr "Future releases of VyOS will break the direct upgrade path from Vyatta core. Please upgrade through an intermediate VyOS version e.g. VyOS 1.2. After this you can continue upgrading to newer releases once you bootet into VyOS 1.2 once."
@@ -814,7 +890,7 @@ msgstr "Future releases of VyOS will break the direct upgrade path from Vyatta c
 msgid "GPG verification"
 msgstr "GPG verification"
 
-#: ../../installation/install.rst:585
+#: ../../installation/install.rst:586
 msgid "GRUB attempts to redirect all output to a serial port for ease of installation on headless hosts. This appears to cause an hard lockup on some hardware that lacks a serial port, with the result being a black screen after selecting the `Live system` option from the installation image."
 msgstr "GRUB attempts to redirect all output to a serial port for ease of installation on headless hosts. This appears to cause an hard lockup on some hardware that lacks a serial port, with the result being a black screen after selecting the `Live system` option from the installation image."
 
@@ -838,11 +914,16 @@ msgstr "Go to the GNS3 **File** menu, click **New template** and choose select *
 msgid "Google Cloud Platform"
 msgstr "Google Cloud Platform"
 
+#: ../../installation/bare-metal.rst:426
+msgid "Gowin GW-FN-1UR1-10G"
+msgstr "Gowin GW-FN-1UR1-10G"
+
 #: ../../installation/install.rst:37
 msgid "Guaranteed to be stable and carefully maintained for several years after the release. No features are introduced but security updates are released in a timely manner."
 msgstr "Guaranteed to be stable and carefully maintained for several years after the release. No features are introduced but security updates are released in a timely manner."
 
-#: ../../installation/vyos-on-baremetal.rst:304
+#: ../../installation/bare-metal.rst:304
+#: ../../installation/bare-metal.rst:608
 msgid "Hardware"
 msgstr "Hardware"
 
@@ -862,11 +943,11 @@ msgstr "Highly stable with no known bugs. Needs to be tested repeatedly under di
 msgid "Home labs and simple networks that call for new features."
 msgstr "Home labs and simple networks that call for new features."
 
-#: ../../installation/vyos-on-baremetal.rst:132
+#: ../../installation/bare-metal.rst:132
 msgid "Huawei ME909u-521 miniPCIe card (LTE)"
 msgstr "Huawei ME909u-521 miniPCIe card (LTE)"
 
-#: ../../installation/vyos-on-baremetal.rst:415
+#: ../../installation/bare-metal.rst:415
 msgid "I'm not sure if it helps the process but I changed default option to live-serial (line “default xxxx”) on the USB key under syslinux/syslinux.cfg."
 msgstr "I'm not sure if it helps the process but I changed default option to live-serial (line “default xxxx”) on the USB key under syslinux/syslinux.cfg."
 
@@ -874,15 +955,15 @@ msgstr "I'm not sure if it helps the process but I changed default option to liv
 msgid "IPv6 Support for docker"
 msgstr "IPv6 Support for docker"
 
-#: ../../installation/vyos-on-baremetal.rst:346
+#: ../../installation/bare-metal.rst:346
 msgid "I believe this is actually the same hardware as the Protectli. I purchased it in June 2018. It came pre-loaded with pfSense."
 msgstr "I believe this is actually the same hardware as the Protectli. I purchased it in June 2018. It came pre-loaded with pfSense."
 
-#: ../../installation/vyos-on-baremetal.rst:418
+#: ../../installation/bare-metal.rst:418
 msgid "I connected the key to one black USB port on the back and powered on. The first VyOS screen has some readability issues. Press :kbd:`Enter` to continue."
 msgstr "I connected the key to one black USB port on the back and powered on. The first VyOS screen has some readability issues. Press :kbd:`Enter` to continue."
 
-#: ../../installation/vyos-on-baremetal.rst:10
+#: ../../installation/bare-metal.rst:10
 msgid "I opted to get one of the new Intel Atom C3000 CPUs to spawn VyOS on it. Running VyOS on an UEFI only device is supported as of VyOS release 1.2."
 msgstr "I opted to get one of the new Intel Atom C3000 CPUs to spawn VyOS on it. Running VyOS on an UEFI only device is supported as of VyOS release 1.2."
 
@@ -902,11 +983,11 @@ msgstr "If using as a router, you will want your LAN interface to absorb some or
 msgid "If you can not go to this screen"
 msgstr "If you can not go to this screen"
 
-#: ../../installation/install.rst:319
+#: ../../installation/install.rst:320
 msgid "If you find difficulties with this method, prefer to use a GUI program, or have a different operating system, there are other programs you can use to create a bootable USB drive, like balenaEtcher_ (for GNU/Linux, macOS and Windows), Rufus_ (for Windows) and `many others`_. You can follow their instructions to create a bootable USB drive from an .iso file."
 msgstr "If you find difficulties with this method, prefer to use a GUI program, or have a different operating system, there are other programs you can use to create a bootable USB drive, like balenaEtcher_ (for GNU/Linux, macOS and Windows), Rufus_ (for Windows) and `many others`_. You can follow their instructions to create a bootable USB drive from an .iso file."
 
-#: ../../installation/install.rst:280
+#: ../../installation/install.rst:281
 msgid "If you have a GNU+Linux system, you can create your VyOS bootable USB stick with with the ``dd`` command:"
 msgstr "If you have a GNU+Linux system, you can create your VyOS bootable USB stick with with the ``dd`` command:"
 
@@ -926,7 +1007,7 @@ msgstr "If you need to rollback to a previous image, you can easily do so. First
 msgid "If you want to create a new default route for VMs on the subnet, use **Address Prefix** ``0.0.0.0/0`` Also note that if you want to use this as a typical edge device, you'll want masquerade NAT for the ``WAN`` interface."
 msgstr "If you want to create a new default route for VMs on the subnet, use **Address Prefix** ``0.0.0.0/0`` Also note that if you want to use this as a typical edge device, you'll want masquerade NAT for the ``WAN`` interface."
 
-#: ../../installation/vyos-on-baremetal.rst:26
+#: ../../installation/bare-metal.rst:26
 msgid "If you want to get additional ethernet ports or even 10GE connectivity the following optional parts will be required:"
 msgstr "If you want to get additional ethernet ports or even 10GE connectivity the following optional parts will be required:"
 
@@ -934,6 +1015,10 @@ msgstr "If you want to get additional ethernet ports or even 10GE connectivity t
 msgid "Image Management"
 msgstr "Image Management"
 
+#: ../../installation/secure-boot.rst:121
+msgid "Image Update"
+msgstr "Image Update"
+
 #: ../../installation/virtual/gns3.rst:90
 msgid "In **Category** select in which group you want to find your VM."
 msgstr "In **Category** select in which group you want to find your VM."
@@ -942,11 +1027,23 @@ msgstr "In **Category** select in which group you want to find your VM."
 msgid "In 2015, OpenBSD introduced signify. An alternative implementation of the same protocol is minisign, which is also available for Windows and macOS, and in most GNU/Linux distros it's in the repositories now."
 msgstr "In 2015, OpenBSD introduced signify. An alternative implementation of the same protocol is minisign, which is also available for Windows and macOS, and in most GNU/Linux distros it's in the repositories now."
 
+#: ../../installation/bare-metal.rst:434
+msgid "In addition there is a Mellanox ConnectX-3 2* 10GbE SFP+ NIC available."
+msgstr "In addition there is a Mellanox ConnectX-3 2* 10GbE SFP+ NIC available."
+
+#: ../../installation/secure-boot.rst:169
+msgid "In most of the cases if something goes wrong you will see the following error message during system boot:"
+msgstr "In most of the cases if something goes wrong you will see the following error message during system boot:"
+
 #: ../../installation/cloud/gcp.rst:20
 msgid "In name \"vyos@mypc\" The first value must be \"**vyos**\". Because default user is vyos and google api uses this option."
 msgstr "In name \"vyos@mypc\" The first value must be \"**vyos**\". Because default user is vyos and google api uses this option."
 
-#: ../../installation/install.rst:354
+#: ../../installation/secure-boot.rst:145
+msgid "In order to add an additional layer of security that can already be used in nonesecure boot images already is ephem,eral key signing of the Linux Kernel modules."
+msgstr "In order to add an additional layer of security that can already be used in nonesecure boot images already is ephem,eral key signing of the Linux Kernel modules."
+
+#: ../../installation/install.rst:355
 msgid "In order to proceed with a permanent installation:"
 msgstr "In order to proceed with a permanent installation:"
 
@@ -962,20 +1059,30 @@ msgstr "In the **General settings** tab of your **QEMU VM template configuration
 msgid "In the **Network** tab,  set **0** as the number of adapters, set the **Name format** to **eth{0}** and the **Type** to **Paravirtualized Network I/O (virtio-net-pci)**."
 msgstr "In the **Network** tab,  set **0** as the number of adapters, set the **Name format** to **eth{0}** and the **Type** to **Paravirtualized Network I/O (virtio-net-pci)**."
 
-#: ../../installation/install.rst:494
+#: ../../installation/install.rst:495
 msgid "In the example we configured our existent VyOS as the TFTP server too:"
 msgstr "In the example we configured our existent VyOS as the TFTP server too:"
 
-#: ../../installation/install.rst:454
+#: ../../installation/bare-metal.rst:512
+msgid "In this example I choose to install VyOS as RAID-1 on both NVMe drives. However, a previous installation on the 128GB eMMC storage worked without any issues, too."
+msgstr "In this example I choose to install VyOS as RAID-1 on both NVMe drives. However, a previous installation on the 128GB eMMC storage worked without any issues, too."
+
+#: ../../installation/install.rst:455
 msgid "In this example we configured an existent VyOS as the DHCP server:"
 msgstr "In this example we configured an existent VyOS as the DHCP server:"
 
-#: ../../installation/vyos-on-baremetal.rst:410
+#: ../../installation/secure-boot.rst:7
+msgid "Initial UEFI secure boot support is available (:vytask:`T861`). We utilize ``shim`` from Debian 12 (Bookworm) which is properly signed by the UEFI SecureBoot key from Microsoft."
+msgstr "Initial UEFI secure boot support is available (:vytask:`T861`). We utilize ``shim`` from Debian 12 (Bookworm) which is properly signed by the UEFI SecureBoot key from Microsoft."
+
+#: ../../installation/bare-metal.rst:410
 msgid "Install VyOS:"
 msgstr "Install VyOS:"
 
+#: ../../installation/bare-metal.rst:352
+#: ../../installation/bare-metal.rst:475
 #: ../../installation/install.rst:5
-#: ../../installation/vyos-on-baremetal.rst:352
+#: ../../installation/secure-boot.rst:31
 msgid "Installation"
 msgstr "Installation"
 
@@ -983,15 +1090,15 @@ msgstr "Installation"
 msgid "Installation and Image Management"
 msgstr "Installation and Image Management"
 
-#: ../../installation/install.rst:597
+#: ../../installation/install.rst:598
 msgid "Installation can then continue as outlined above."
 msgstr "Installation can then continue as outlined above."
 
-#: ../../installation/vyos-on-baremetal.rst:224
+#: ../../installation/bare-metal.rst:224
 msgid "Installing the rolling release on an APU2 board does not require any change on the serial console from your host side as :vytask:`T1327` was successfully implemented."
 msgstr "Installing the rolling release on an APU2 board does not require any change on the serial console from your host side as :vytask:`T1327` was successfully implemented."
 
-#: ../../installation/vyos-on-baremetal.rst:118
+#: ../../installation/bare-metal.rst:118
 msgid "Intel Corporation AX200 mini-PCIe WiFi module, only supported in mPCIe slot 1. (see :ref:`wireless-interface-intel-ax200`)"
 msgstr "Intel Corporation AX200 mini-PCIe WiFi module, only supported in mPCIe slot 1. (see :ref:`wireless-interface-intel-ax200`)"
 
@@ -1015,11 +1122,15 @@ msgstr "It can be retrieved directly from a key server:"
 msgid "It is advised that VyOS routers are configured in a resource group with adequate memory reservations so that ballooning is not inflicted on virtual VyOS guests."
 msgstr "It is advised that VyOS routers are configured in a resource group with adequate memory reservations so that ballooning is not inflicted on virtual VyOS guests."
 
+#: ../../installation/secure-boot.rst:131
+msgid "It is no longer possible to boot into a CI generated rolling release as those are currently not signed by a trusted party (:vytask:`T861` work in progress). This also means that you need to sign all your successor builds you build on your own with the exact same key, otherwise you will see:"
+msgstr "It is no longer possible to boot into a CI generated rolling release as those are currently not signed by a trusted party (:vytask:`T861` work in progress). This also means that you need to sign all your successor builds you build on your own with the exact same key, otherwise you will see:"
+
 #: ../../installation/install.rst:235
 msgid "Its installed size (complete with libsodium) is less than that of GPG binary alone (not including libgcrypt and some other libs, which I think we only use for GPG). Since it uses elliptic curves, it gets away with much smaller keys, and it doesn't include as much metadata to begin with."
 msgstr "Its installed size (complete with libsodium) is less than that of GPG binary alone (not including libgcrypt and some other libs, which I think we only use for GPG). Since it uses elliptic curves, it gets away with much smaller keys, and it doesn't include as much metadata to begin with."
 
-#: ../../installation/install.rst:578
+#: ../../installation/install.rst:579
 msgid "Known Issues"
 msgstr "Known Issues"
 
@@ -1035,7 +1146,7 @@ msgstr "Labs, small offices and non-critical production systems backed by a high
 msgid "Large-scale enterprise networks, internet service providers, critical production environments that call for minimum downtime."
 msgstr "Large-scale enterprise networks, internet service providers, critical production environments that call for minimum downtime."
 
-#: ../../installation/vyos-on-baremetal.rst:32
+#: ../../installation/bare-metal.rst:32
 msgid "Latest VyOS rolling releases boot without any problem on this board. You also receive a nice IPMI interface realized with an ASPEED AST2400 BMC (no information about `OpenBMC <https://www.openbmc.org/>`_ so far on this motherboard)."
 msgstr "Latest VyOS rolling releases boot without any problem on this board. You also receive a nice IPMI interface realized with an ASPEED AST2400 BMC (no information about `OpenBMC <https://www.openbmc.org/>`_ so far on this motherboard)."
 
@@ -1043,19 +1154,23 @@ msgstr "Latest VyOS rolling releases boot without any problem on this board. You
 msgid "Libvirt is an open-source API, daemon and management tool for managing platform virtualization. There are several ways to deploy VyOS on libvirt kvm. Use Virt-manager and native CLI. In an example we will be use use 4 gigabytes of memory, 2 cores CPU and default network virbr0."
 msgstr "Libvirt is an open-source API, daemon and management tool for managing platform virtualization. There are several ways to deploy VyOS on libvirt kvm. Use Virt-manager and native CLI. In an example we will be use use 4 gigabytes of memory, 2 cores CPU and default network virbr0."
 
+#: ../../installation/secure-boot.rst:143
+msgid "Linux Kernel"
+msgstr "Linux Kernel"
+
 #: ../../installation/image.rst:33
 msgid "List all available system images which can be booted on the current system."
 msgstr "List all available system images which can be booted on the current system."
 
-#: ../../installation/install.rst:267
+#: ../../installation/install.rst:268
 msgid "Live installation"
 msgstr "Live installation"
 
-#: ../../installation/install.rst:356
+#: ../../installation/install.rst:357
 msgid "Log into the VyOS live system (use the default credentials: vyos, vyos)"
 msgstr "Log into the VyOS live system (use the default credentials: vyos, vyos)"
 
-#: ../../installation/install.rst:558
+#: ../../installation/install.rst:559
 msgid "Make sure the available directories and files in both TFTP and HTTP server have the right permissions to be accessed from the booting clients."
 msgstr "Make sure the available directories and files in both TFTP and HTTP server have the right permissions to be accessed from the booting clients."
 
@@ -1092,6 +1207,10 @@ msgstr "New system images can be added using the :opcmd:`add system image` comma
 msgid "Next add the VyOS image."
 msgstr "Next add the VyOS image."
 
+#: ../../installation/bare-metal.rst:472
+msgid "No settings needed to be altered, everything worked out of the box!"
+msgstr "No settings needed to be altered, everything worked out of the box!"
+
 #: ../../installation/install.rst:33
 msgid "Non-critical production environments, preparing for the LTS release."
 msgstr "Non-critical production environments, preparing for the LTS release."
@@ -1100,15 +1219,23 @@ msgstr "Non-critical production environments, preparing for the LTS release."
 msgid "Non-subscribers can always get the LTS release by building it from source. Instructions can be found in the :ref:`build` section of this manual. VyOS source code repository is available for everyone at https://github.com/vyos/vyos-build."
 msgstr "Non-subscribers can always get the LTS release by building it from source. Instructions can be found in the :ref:`build` section of this manual. VyOS source code repository is available for everyone at https://github.com/vyos/vyos-build."
 
-#: ../../installation/vyos-on-baremetal.rst:166
+#: ../../installation/bare-metal.rst:166
 msgid "Now boot from the ``USB MSC Drive Generic Flash Disk 8.07`` media by pressing ``2``, the VyOS boot menu will appear, just wait 10 seconds or press ``Enter`` to continue."
 msgstr "Now boot from the ``USB MSC Drive Generic Flash Disk 8.07`` media by pressing ``2``, the VyOS boot menu will appear, just wait 10 seconds or press ``Enter`` to continue."
 
+#: ../../installation/secure-boot.rst:77
+msgid "Now reboot and re-enable UEFI secure boot."
+msgstr "Now reboot and re-enable UEFI secure boot."
+
 #: ../../installation/virtual/gns3.rst:78
 msgid "Now the VM settings have to be edited."
 msgstr "Now the VM settings have to be edited."
 
-#: ../../installation/install.rst:347
+#: ../../installation/secure-boot.rst:72
+msgid "Now you will need the password previously defined"
+msgstr "Now you will need the password previously defined"
+
+#: ../../installation/install.rst:348
 msgid "Older versions (prior to VyOS 1.1) used to support non-image installation (``install system`` command). Support for this has been removed from VyOS 1.2 and newer releases. Older releases can still be upgraded via the general ``add system image <image_path>`` upgrade command (consult :ref:`image-mgmt` for further information)."
 msgstr "Older versions (prior to VyOS 1.1) used to support non-image installation (``install system`` command). Support for this has been removed from VyOS 1.2 and newer releases. Older releases can still be upgraded via the general ``add system image <image_path>`` upgrade command (consult :ref:`image-mgmt` for further information)."
 
@@ -1124,11 +1251,11 @@ msgstr "On the marketplace search \"VyOS\""
 msgid "On the marketplace search ``VyOS`` and choose the appropriate subscription"
 msgstr "On the marketplace search ``VyOS`` and choose the appropriate subscription"
 
-#: ../../installation/install.rst:315
+#: ../../installation/install.rst:316
 msgid "Once VyOS is completely loaded, enter the default credentials (login: vyos, password: vyos)."
 msgstr "Once VyOS is completely loaded, enter the default credentials (login: vyos, password: vyos)."
 
-#: ../../installation/install.rst:309
+#: ../../installation/install.rst:310
 msgid "Once ``dd`` has finished, pull the USB drive out and plug it into the powered-off computer where you want to install (or test) VyOS."
 msgstr "Once ``dd`` has finished, pull the USB drive out and plug it into the powered-off computer where you want to install (or test) VyOS."
 
@@ -1136,11 +1263,11 @@ msgstr "Once ``dd`` has finished, pull the USB drive out and plug it into the po
 msgid "Once booted into the live system, type ``install image`` into the command line and follow the prompts to install VyOS to the virtual drive."
 msgstr "Once booted into the live system, type ``install image`` into the command line and follow the prompts to install VyOS to the virtual drive."
 
-#: ../../installation/install.rst:572
+#: ../../installation/install.rst:573
 msgid "Once finished you will be able to proceed with the ``install image`` command as in a regular VyOS installation."
 msgstr "Once finished you will be able to proceed with the ``install image`` command as in a regular VyOS installation."
 
-#: ../../installation/vyos-on-baremetal.rst:211
+#: ../../installation/bare-metal.rst:211
 msgid "Once you ``commit`` the above changes access to the serial interface is lost until you set your terminal emulator to 115200 8N1 again."
 msgstr "Once you ``commit`` the above changes access to the serial interface is lost until you set your terminal emulator to 115200 8N1 again."
 
@@ -1165,14 +1292,18 @@ msgstr "Open a console. The console should show the system booting. It will ask
 msgid "Open a secondary/parallel session and use this command to reboot the VM:"
 msgstr "Open a secondary/parallel session and use this command to reboot the VM:"
 
-#: ../../installation/install.rst:283
+#: ../../installation/install.rst:284
 msgid "Open your terminal emulator."
 msgstr "Open your terminal emulator."
 
-#: ../../installation/vyos-on-baremetal.rst:25
+#: ../../installation/bare-metal.rst:25
 msgid "Optional (10GE)"
 msgstr "Optional (10GE)"
 
+#: ../../installation/bare-metal.rst:446
+msgid "Optional (WiFi + WWAN)"
+msgstr "Optional (WiFi + WWAN)"
+
 #: ../../installation/virtual/proxmox.rst:24
 msgid "Optionally, the user can attach a CDROM with an ISO as a cloud-init data source. The below command assumes the ISO has been uploaded to the `local` storage pool with the name `seed.iso`."
 msgstr "Optionally, the user can attach a CDROM with an ISO as a cloud-init data source. The below command assumes the ISO has been uploaded to the `local` storage pool with the name `seed.iso`."
@@ -1189,28 +1320,37 @@ msgstr "Or it can be accessed via a web browser:"
 msgid "Oracle"
 msgstr "Oracle"
 
-#: ../../installation/vyos-on-baremetal.rst:80
+#: ../../installation/bare-metal.rst:80
 msgid "PC Engines APU4"
 msgstr "PC Engines APU4"
 
-#: ../../installation/install.rst:427
+#: ../../installation/install.rst:428
 msgid "PXE Boot"
 msgstr "PXE Boot"
 
-#: ../../installation/vyos-on-baremetal.rst:342
+#: ../../installation/bare-metal.rst:342
 msgid "Partaker i5"
 msgstr "Partaker i5"
 
-#: ../../installation/install.rst:332
+#: ../../installation/bare-metal.rst:521
+msgid "Perform Image installation using `install image` CLI command. This installation uses two 128GB NVMe disks setup as RAID1."
+msgstr "Perform Image installation using `install image` CLI command. This installation uses two 128GB NVMe disks setup as RAID1."
+
+#: ../../installation/install.rst:333
 msgid "Permanent installation"
 msgstr "Permanent installation"
 
-#: ../../installation/vyos-on-baremetal.rst:38
-#: ../../installation/vyos-on-baremetal.rst:234
+#: ../../installation/bare-metal.rst:38
+#: ../../installation/bare-metal.rst:234
+#: ../../installation/bare-metal.rst:452
 msgid "Pictures"
 msgstr "Pictures"
 
-#: ../../installation/vyos-on-baremetal.rst:355
+#: ../../installation/bare-metal.rst:483
+msgid "Please note that there is a weirdness on the network interface mapping. The interface <-> MAC mapping is going upwards but the NICs are placed somehow swapped on the mainboard/MACs programmed in a swapped order."
+msgstr "Please note that there is a weirdness on the network interface mapping. The interface <-> MAC mapping is going upwards but the NICs are placed somehow swapped on the mainboard/MACs programmed in a swapped order."
+
+#: ../../installation/bare-metal.rst:355
 msgid "Plug in VGA, power, USB keyboard, and USB drive"
 msgstr "Plug in VGA, power, USB keyboard, and USB drive"
 
@@ -1218,11 +1358,11 @@ msgstr "Plug in VGA, power, USB keyboard, and USB drive"
 msgid "Popularity of GPG for release signing comes from the fact that many people already had it installed for email encryption/signing. Inside a VyOS image, signature checking is the only reason to have it installed. However, it still comes with all the features no one needs, such as support for multiple outdated cipher suits and ability to embed a photo in the key file. More importantly, web of trust, the basic premise of PGP, is never used in release signing context. Once you have a knowingly authentic image, authenticity of upgrades is checked using a key that comes in the image, and to get their first image people never rely on keyservers either."
 msgstr "Popularity of GPG for release signing comes from the fact that many people already had it installed for email encryption/signing. Inside a VyOS image, signature checking is the only reason to have it installed. However, it still comes with all the features no one needs, such as support for multiple outdated cipher suits and ability to embed a photo in the key file. More importantly, web of trust, the basic premise of PGP, is never used in release signing context. Once you have a knowingly authentic image, authenticity of upgrades is checked using a key that comes in the image, and to get their first image people never rely on keyservers either."
 
-#: ../../installation/vyos-on-baremetal.rst:324
+#: ../../installation/bare-metal.rst:324
 msgid "Power supply is a 12VDC barrel jack, and included switching power supply, which is why SATA power regulation is on-board. Internally it has a NUC-board-style on-board 12V input header as well, the molex locking style."
 msgstr "Power supply is a 12VDC barrel jack, and included switching power supply, which is why SATA power regulation is on-board. Internally it has a NUC-board-style on-board 12V input header as well, the molex locking style."
 
-#: ../../installation/install.rst:312
+#: ../../installation/install.rst:313
 msgid "Power the computer on, making sure it boots from the USB drive (you might need to select booting device or change booting settings)."
 msgstr "Power the computer on, making sure it boots from the USB drive (you might need to select booting device or change booting settings)."
 
@@ -1234,19 +1374,23 @@ msgstr "Prepare VM for installation from ISO media. The commands below assume th
 msgid "Preparing for the verification"
 msgstr "Preparing for the verification"
 
-#: ../../installation/vyos-on-baremetal.rst:356
+#: ../../installation/bare-metal.rst:356
 msgid "Press \"SW\" button on the front (this is the power button; I don't know what \"SW\" is supposed to mean)."
 msgstr "Press \"SW\" button on the front (this is the power button; I don't know what \"SW\" is supposed to mean)."
 
+#: ../../installation/secure-boot.rst:41
+msgid "Proceed with the regular VyOS :ref:`installation <permanent_installation>` on your system, but instead of the final ``reboot`` we will enroll the :abbr:`MOK (Machine Owner Key)`."
+msgstr "Proceed with the regular VyOS :ref:`installation <permanent_installation>` on your system, but instead of the final ``reboot`` we will enroll the :abbr:`MOK (Machine Owner Key)`."
+
 #: ../../installation/virtual/proxmox.rst:7
 msgid "Proxmox is an open-source platform for virtualization. Please visit https://vyos.io to see how to get a qcow2 image that can be imported into Proxmox."
 msgstr "Proxmox is an open-source platform for virtualization. Please visit https://vyos.io to see how to get a qcow2 image that can be imported into Proxmox."
 
-#: ../../installation/vyos-on-baremetal.rst:291
+#: ../../installation/bare-metal.rst:291
 msgid "Qotom Q355G4"
 msgstr "Qotom Q355G4"
 
-#: ../../installation/vyos-on-baremetal.rst:240
+#: ../../installation/bare-metal.rst:240
 msgid "Rack Mount"
 msgstr "Rack Mount"
 
@@ -1254,11 +1398,11 @@ msgstr "Rack Mount"
 msgid "Rather stable. All development focuses on testing and hunting down remaining bugs following the feature freeze."
 msgstr "Rather stable. All development focuses on testing and hunting down remaining bugs following the feature freeze."
 
-#: ../../installation/vyos-on-baremetal.rst:404
+#: ../../installation/bare-metal.rst:404
 msgid "Reboot into BIOS, Chipset > South Bridge > USB Configuration:"
 msgstr "Reboot into BIOS, Chipset > South Bridge > USB Configuration:"
 
-#: ../../installation/install.rst:416
+#: ../../installation/install.rst:417
 msgid "Reboot the system."
 msgstr "Reboot the system."
 
@@ -1266,11 +1410,11 @@ msgstr "Reboot the system."
 msgid "Reboot the virtual machine using the GUI or ``qm reboot 200``."
 msgstr "Reboot the virtual machine using the GUI or ``qm reboot 200``."
 
-#: ../../installation/vyos-on-baremetal.rst:114
+#: ../../installation/bare-metal.rst:114
 msgid "Refer to :ref:`wireless-interface` for additional information, below listed modules have been tested successfully on this Hardware platform:"
 msgstr "Refer to :ref:`wireless-interface` for additional information, below listed modules have been tested successfully on this Hardware platform:"
 
-#: ../../installation/vyos-on-baremetal.rst:124
+#: ../../installation/bare-metal.rst:124
 msgid "Refer to :ref:`wwan-interface` for additional information, below listed modules have been tested successfully on this Hardware platform using VyOS 1.3 (equuleus):"
 msgstr "Refer to :ref:`wwan-interface` for additional information, below listed modules have been tested successfully on this Hardware platform using VyOS 1.3 (equuleus):"
 
@@ -1327,7 +1471,7 @@ msgstr "Rolling releases contain all the latest enhancements and fixes. This mea
 msgid "Run Cloudwatch configuration wizard."
 msgstr "Run Cloudwatch configuration wizard."
 
-#: ../../installation/install.rst:359
+#: ../../installation/install.rst:360
 msgid "Run the ``install image`` command and follow the wizard:"
 msgstr "Run the ``install image`` command and follow the wizard:"
 
@@ -1363,10 +1507,18 @@ msgstr "Running on Proxmox"
 msgid "Running on VMware ESXi"
 msgstr "Running on VMware ESXi"
 
-#: ../../installation/vyos-on-baremetal.rst:399
+#: ../../installation/bare-metal.rst:399
 msgid "Save, reboot and change serial speed to 9600 on your client."
 msgstr "Save, reboot and change serial speed to 9600 on your client."
 
+#: ../../installation/secure-boot.rst:5
+msgid "Secure Boot"
+msgstr "Secure Boot"
+
+#: ../../installation/bare-metal.rst:487
+msgid "See interface description for more detailed mapping."
+msgstr "See interface description for more detailed mapping."
+
 #: ../../installation/virtual/gns3.rst:55
 msgid "Select **New image** for the base disk image of your VM and click ``Create``."
 msgstr "Select **New image** for the base disk image of your VM and click ``Create``."
@@ -1387,6 +1539,10 @@ msgstr "Select **telnet** as your console type and click ``Next``."
 msgid "Select SSH key pair and click ``Launch Instances``"
 msgstr "Select SSH key pair and click ``Launch Instances``"
 
+#: ../../installation/secure-boot.rst:59
+msgid "Select ``Enroll MOK``"
+msgstr "Select ``Enroll MOK``"
+
 #: ../../installation/image.rst:105
 msgid "Select the default boot image which will be started on the next boot of the system."
 msgstr "Select the default boot image which will be started on the next boot of the system."
@@ -1407,8 +1563,9 @@ msgstr "Set the disk size to 2000 MiB, and click ``Finish`` to end the **Quemu i
 msgid "Set the number of required network adapters, for example **4**."
 msgstr "Set the number of required network adapters, for example **4**."
 
-#: ../../installation/vyos-on-baremetal.rst:14
-#: ../../installation/vyos-on-baremetal.rst:99
+#: ../../installation/bare-metal.rst:14
+#: ../../installation/bare-metal.rst:99
+#: ../../installation/bare-metal.rst:440
 msgid "Shopping Cart"
 msgstr "Shopping Cart"
 
@@ -1416,27 +1573,27 @@ msgstr "Shopping Cart"
 msgid "Show current system image version."
 msgstr "Show current system image version."
 
-#: ../../installation/vyos-on-baremetal.rst:128
+#: ../../installation/bare-metal.rst:128
 msgid "Sierra Wireless AirPrime MC7304 miniPCIe card (LTE)"
 msgstr "Sierra Wireless AirPrime MC7304 miniPCIe card (LTE)"
 
-#: ../../installation/vyos-on-baremetal.rst:129
+#: ../../installation/bare-metal.rst:129
 msgid "Sierra Wireless AirPrime MC7430 miniPCIe card (LTE)"
 msgstr "Sierra Wireless AirPrime MC7430 miniPCIe card (LTE)"
 
-#: ../../installation/vyos-on-baremetal.rst:130
+#: ../../installation/bare-metal.rst:130
 msgid "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"
 msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"
 
-#: ../../installation/vyos-on-baremetal.rst:131
+#: ../../installation/bare-metal.rst:131
 msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
 msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
 
-#: ../../installation/vyos-on-baremetal.rst:228
+#: ../../installation/bare-metal.rst:228
 msgid "Simply proceed with a regular image installation as described in :ref:`installation`."
 msgstr "Simply proceed with a regular image installation as described in :ref:`installation`."
 
-#: ../../installation/vyos-on-baremetal.rst:401
+#: ../../installation/bare-metal.rst:401
 msgid "Some options have to be changed for VyOS to boot correctly. With XHCI enabled the installer can’t access the USB key. Enable EHCI instead."
 msgstr "Some options have to be changed for VyOS to boot correctly. With XHCI enabled the installer can’t access the USB key. Enable EHCI instead."
 
@@ -1460,15 +1617,15 @@ msgstr "Start the virtual machine in the proxmox GUI or CLI using ``qm start 200
 msgid "Stayed in this stage. This is because the KVM console is chosen as the default boot option."
 msgstr "Stayed in this stage. This is because the KVM console is chosen as the default boot option."
 
-#: ../../installation/install.rst:446
+#: ../../installation/install.rst:447
 msgid "Step 1: DHCP"
 msgstr "Step 1: DHCP"
 
-#: ../../installation/install.rst:477
+#: ../../installation/install.rst:478
 msgid "Step 2: TFTP"
 msgstr "Step 2: TFTP"
 
-#: ../../installation/install.rst:534
+#: ../../installation/install.rst:535
 msgid "Step 3: HTTP"
 msgstr "Step 3: HTTP"
 
@@ -1480,7 +1637,7 @@ msgstr "Store the key in a new text file and import it into GPG via: ``gpg --imp
 msgid "Subscribers, contributors, non-profits, emergency services, academic institutions"
 msgstr "Subscribers, contributors, non-profits, emergency services, academic institutions"
 
-#: ../../installation/vyos-on-baremetal.rst:8
+#: ../../installation/bare-metal.rst:8
 msgid "Supermicro A2SDi (Atom C3000)"
 msgstr "Supermicro A2SDi (Atom C3000)"
 
@@ -1488,7 +1645,7 @@ msgstr "Supermicro A2SDi (Atom C3000)"
 msgid "System rollback"
 msgstr "System rollback"
 
-#: ../../installation/vyos-on-baremetal.rst:396
+#: ../../installation/bare-metal.rst:396
 msgid "Terminal Type : VT100+"
 msgstr "Terminal Type : VT100+"
 
@@ -1496,27 +1653,31 @@ msgstr "Terminal Type : VT100+"
 msgid "The *VyOS-hda.qcow2* file now contains a working VyOS image and can be used as a template. But it still needs some fixes before we can deploy VyOS in our labs."
 msgstr "The *VyOS-hda.qcow2* file now contains a working VyOS image and can be used as a template. But it still needs some fixes before we can deploy VyOS in our labs."
 
-#: ../../installation/install.rst:452
+#: ../../installation/install.rst:453
 msgid "The *bootfile name* (DHCP option 67), which is *pxelinux.0*"
 msgstr "The *bootfile name* (DHCP option 67), which is *pxelinux.0*"
 
-#: ../../installation/install.rst:482
+#: ../../installation/install.rst:483
 msgid "The *ldlinux.c32* file from the Syslinux distribution"
 msgstr "The *ldlinux.c32* file from the Syslinux distribution"
 
-#: ../../installation/install.rst:481
+#: ../../installation/install.rst:482
 msgid "The *pxelinux.0* file from the Syslinux distribution"
 msgstr "The *pxelinux.0* file from the Syslinux distribution"
 
-#: ../../installation/vyos-on-baremetal.rst:105
+#: ../../installation/bare-metal.rst:105
 msgid "The 19\" enclosure can accommodate up to two APU4 boards - there is a single and dual front cover."
 msgstr "The 19\" enclosure can accommodate up to two APU4 boards - there is a single and dual front cover."
 
-#: ../../installation/vyos-on-baremetal.rst:187
+#: ../../installation/bare-metal.rst:187
 msgid "The Kernel will now spin up using a different console setting. Set terminal emulator to 9600 8N1 and after a while your console will show:"
 msgstr "The Kernel will now spin up using a different console setting. Set terminal emulator to 9600 8N1 and after a while your console will show:"
 
-#: ../../installation/install.rst:451
+#: ../../installation/bare-metal.rst:667
+msgid "The LTE module can be enabled as simple as this config snippet:"
+msgstr "The LTE module can be enabled as simple as this config snippet:"
+
+#: ../../installation/install.rst:452
 msgid "The TFTP server address (DHCP option 66). Sometimes referred as *boot server*"
 msgstr "The TFTP server address (DHCP option 66). Sometimes referred as *boot server*"
 
@@ -1540,11 +1701,15 @@ msgstr "The `add system image` command also supports installing new versions of
 msgid "The amazon-cloudwatch-agent package is normally included in VyOS 1.3.3+ and 1.4+"
 msgstr "The amazon-cloudwatch-agent package is normally included in VyOS 1.3.3+ and 1.4+"
 
-#: ../../installation/vyos-on-baremetal.rst:94
+#: ../../installation/bare-metal.rst:431
+msgid "The appliance comes with 2 * 2.5GbE Intel I226-V and 3 * 1GbE Intel I210 where one supports IEEE802.3at PoE+ (Typical 30W)."
+msgstr "The appliance comes with 2 * 2.5GbE Intel I226-V and 3 * 1GbE Intel I210 where one supports IEEE802.3at PoE+ (Typical 30W)."
+
+#: ../../installation/bare-metal.rst:94
 msgid "The board can be powered via 12V from the front or via a 5V onboard connector."
 msgstr "The board can be powered via 12V from the front or via a 5V onboard connector."
 
-#: ../../installation/vyos-on-baremetal.rst:314
+#: ../../installation/bare-metal.rst:314
 msgid "The chassis is a U-shaped alu extrusion with removable I/O plates and removable bottom plate. Cooling is completely passive with a heatsink on the SoC with internal and external fins, a flat interface surface, thermal pad on top of that, which then directly attaches to the chassis, which has fins as well. It comes with mounting hardware and rubber feet, so you could place it like a desktop model or mount it on a VESA mount, or even wall mount it with the provided mounting plate. The closing plate doubles as internal 2.5\" mounting place for an HDD or SSD, and comes supplied with a small SATA cable and SATA power cable."
 msgstr "The chassis is a U-shaped alu extrusion with removable I/O plates and removable bottom plate. Cooling is completely passive with a heatsink on the SoC with internal and external fins, a flat interface surface, thermal pad on top of that, which then directly attaches to the chassis, which has fins as well. It comes with mounting hardware and rubber feet, so you could place it like a desktop model or mount it on a VESA mount, or even wall mount it with the provided mounting plate. The closing plate doubles as internal 2.5\" mounting place for an HDD or SSD, and comes supplied with a small SATA cable and SATA power cable."
 
@@ -1556,10 +1721,14 @@ msgstr "The commands below assume that virtual machine ID 200 is unused and that
 msgid "The convenience of using :abbr:`KVM (Kernel-based Virtual Machine)` images is that they don't need to be installed. Download predefined VyOS.qcow2 image for ``KVM``"
 msgstr "The convenience of using :abbr:`KVM (Kernel-based Virtual Machine)` images is that they don't need to be installed. Download predefined VyOS.qcow2 image for ``KVM``"
 
-#: ../../installation/install.rst:326
+#: ../../installation/install.rst:327
 msgid "The default username and password for the live system is *vyos*."
 msgstr "The default username and password for the live system is *vyos*."
 
+#: ../../installation/bare-metal.rst:465
+msgid "The device itself is passivly cooled, whereas the power supply has an active fan. Even if the main processor is powered off, the power supply fan is operating and the entire chassis draws 7.5W. During operation the chassis drew arround 38W."
+msgstr "The device itself is passivly cooled, whereas the power supply has an active fan. Even if the main processor is powered off, the power supply fan is operating and the entire chassis draws 7.5W. During operation the chassis drew arround 38W."
+
 #: ../../installation/image.rst:10
 msgid "The directory structure of the boot device:"
 msgstr "The directory structure of the boot device:"
@@ -1576,7 +1745,7 @@ msgstr "The following link will always fetch the most recent VyOS build for AMD6
 msgid "The image directory contains the system kernel, a compressed image of the root filesystem for the OS, and a directory for persistent storage, such as configuration. On boot, the system will extract the OS image into memory and mount the appropriate live-rw sub-directories to provide persistent storage system configuration."
 msgstr "The image directory contains the system kernel, a compressed image of the root filesystem for the OS, and a directory for persistent storage, such as configuration. On boot, the system will extract the OS image into memory and mount the appropriate live-rw sub-directories to provide persistent storage system configuration."
 
-#: ../../installation/vyos-on-baremetal.rst:180
+#: ../../installation/bare-metal.rst:180
 msgid "The image will be loaded and the last lines you will get will be:"
 msgstr "The image will be loaded and the last lines you will get will be:"
 
@@ -1584,15 +1753,15 @@ msgstr "The image will be loaded and the last lines you will get will be:"
 msgid "The import can be verified with:"
 msgstr "The import can be verified with:"
 
-#: ../../installation/install.rst:486
+#: ../../installation/install.rst:487
 msgid "The initial ramdisk of the VyOS ISO you want to deploy. That is the *initrd.img* file inside the */live* directory of the extracted contents from the ISO file. Do not use an empty (0 bytes) initrd.img file you might find, the correct file may have a longer name."
 msgstr "The initial ramdisk of the VyOS ISO you want to deploy. That is the *initrd.img* file inside the */live* directory of the extracted contents from the ISO file. Do not use an empty (0 bytes) initrd.img file you might find, the correct file may have a longer name."
 
-#: ../../installation/vyos-on-baremetal.rst:293
+#: ../../installation/bare-metal.rst:293
 msgid "The install on this Q355G4 box is pretty much plug and play. The port numbering the OS does might differ from the labels on the outside, but the UEFI firmware has a port blink test built in with MAC addresses so you can very quickly identify which is which. MAC labels are on the inside as well, and this test can be done from VyOS or plain Linux too. Default settings in the UEFI will make it boot, but depending on your installation wishes (i.e. storage type, boot type, console type) you might want to adjust them. This Qotom company seems to be the real OEM/ODM for many other relabelling companies like Protectli."
 msgstr "The install on this Q355G4 box is pretty much plug and play. The port numbering the OS does might differ from the labels on the outside, but the UEFI firmware has a port blink test built in with MAC addresses so you can very quickly identify which is which. MAC labels are on the inside as well, and this test can be done from VyOS or plain Linux too. Default settings in the UEFI will make it boot, but depending on your installation wishes (i.e. storage type, boot type, console type) you might want to adjust them. This Qotom company seems to be the real OEM/ODM for many other relabelling companies like Protectli."
 
-#: ../../installation/install.rst:483
+#: ../../installation/install.rst:484
 msgid "The kernel of the VyOS software you want to deploy. That is the *vmlinuz* file inside the */live* directory of the extracted contents from the ISO file."
 msgstr "The kernel of the VyOS software you want to deploy. That is the *vmlinuz* file inside the */live* directory of the extracted contents from the ISO file."
 
@@ -1604,10 +1773,18 @@ msgstr "The minimum system requirements are 1024 MiB RAM and 2 GiB storage. Depe
 msgid "The most up-do-date Rolling Release for AMD64 can be accessed using the following URL:"
 msgstr "The most up-do-date Rolling Release for AMD64 can be accessed using the following URL:"
 
+#: ../../installation/update.rst:88
+msgid "The most up-do-date Rolling Release for AMD64 can be accessed using the following URL from a web browser:"
+msgstr "The most up-do-date Rolling Release for AMD64 can be accessed using the following URL from a web browser:"
+
 #: ../../installation/install.rst:107
 msgid "The official VyOS public key can be retrieved in a number of ways. Skip to :ref:`gpg-verification` if the key is already present."
 msgstr "The official VyOS public key can be retrieved in a number of ways. Skip to :ref:`gpg-verification` if the key is already present."
 
+#: ../../installation/secure-boot.rst:51
+msgid "The requested ``input password`` can be user chosen and is only needed after rebooting the system into MOK Manager to permanently install the keys."
+msgstr "The requested ``input password`` can be user chosen and is only needed after rebooting the system into MOK Manager to permanently install the keys."
+
 #: ../../installation/install.rst:197
 msgid "The signature can be downloaded by appending `.asc` to the URL of the downloaded VyOS image. That small *.asc* file is the signature for the associated image."
 msgstr "The signature can be downloaded by appending `.asc` to the URL of the downloaded VyOS image. That small *.asc* file is the signature for the associated image."
@@ -1616,15 +1793,19 @@ msgstr "The signature can be downloaded by appending `.asc` to the URL of the do
 msgid "The system is fully operational."
 msgstr "The system is fully operational."
 
+#: ../../installation/bare-metal.rst:477
+msgid "The system provides a regular RS232 console port using 115200,8n1 setting which is sufficient to install VyOS from a USB pendrive."
+msgstr "The system provides a regular RS232 console port using 115200,8n1 setting which is sufficient to install VyOS from a USB pendrive."
+
 #: ../../installation/virtual/libvirt.rst:120
 msgid "The virt-manager application is a desktop user interface for managing virtual machines through libvirt. On the linux open :abbr:`VMM (Virtual Machine Manager)`."
 msgstr "The virt-manager application is a desktop user interface for managing virtual machines through libvirt. On the linux open :abbr:`VMM (Virtual Machine Manager)`."
 
-#: ../../installation/install.rst:590
+#: ../../installation/install.rst:591
 msgid "The workaround is to type `e` when the boot menu appears and edit the GRUB boot options.  Specifically, remove the:"
 msgstr "The workaround is to type `e` when the boot menu appears and edit the GRUB boot options.  Specifically, remove the:"
 
-#: ../../installation/vyos-on-baremetal.rst:421
+#: ../../installation/bare-metal.rst:421
 msgid "Then VyOS should boot and you can perform the ``install image``"
 msgstr "Then VyOS should boot and you can perform the ``install image``"
 
@@ -1641,11 +1822,11 @@ msgstr "Then reboot the system."
 msgid "Then you will be taken to the console."
 msgstr "Then you will be taken to the console."
 
-#: ../../installation/vyos-on-baremetal.rst:328
+#: ../../installation/bare-metal.rst:328
 msgid "There are WDT options and auto-boot on power enable, which is great for remote setups. Firmware is reasonably secure (no backdoors found, BootGuard is enabled in enforcement mode, which is good but also means no coreboot option), yet has most options available to configure (so it's not locked out like most firmwares are)."
 msgstr "There are WDT options and auto-boot on power enable, which is great for remote setups. Firmware is reasonably secure (no backdoors found, BootGuard is enabled in enforcement mode, which is good but also means no coreboot option), yet has most options available to configure (so it's not locked out like most firmwares are)."
 
-#: ../../installation/vyos-on-baremetal.rst:306
+#: ../../installation/bare-metal.rst:306
 msgid "There are a number of other options, but they all seem to be close to Intel reference designs, with added features like more serial ports, more network interfaces and the likes. Because they don't deviate too much from standard designs all the hardware is well-supported by mainline. It accepts one LPDDR3 SO-DIMM, but chances are that if you need more than that, you'll also want something even beefier than an i5. There are options for antenna holes, and SIM slots, so you could in theory add an LTE/Cell modem (not tested so far)."
 msgstr "There are a number of other options, but they all seem to be close to Intel reference designs, with added features like more serial ports, more network interfaces and the likes. Because they don't deviate too much from standard designs all the hardware is well-supported by mainline. It accepts one LPDDR3 SO-DIMM, but chances are that if you need more than that, you'll also want something even beefier than an i5. There are options for antenna holes, and SIM slots, so you could in theory add an LTE/Cell modem (not tested so far)."
 
@@ -1653,11 +1834,16 @@ msgstr "There are a number of other options, but they all seem to be close to In
 msgid "There have been previous documented issues with GRE/IPSEC tunneling using the E1000 adapter on the VyOS guest, and use of the VMXNET3 has been advised."
 msgstr "There have been previous documented issues with GRE/IPSEC tunneling using the E1000 adapter on the VyOS guest, and use of the VMXNET3 has been advised."
 
+#: ../../installation/secure-boot.rst:11
+#: ../../installation/secure-boot.rst:123
+msgid "There is yet no signed version of ``shim`` for VyOS, thus we provide no signed image for secure boot yet. If you are interested in secure boot you can build an image on your own."
+msgstr "There is yet no signed version of ``shim`` for VyOS, thus we provide no signed image for secure boot yet. If you are interested in secure boot you can build an image on your own."
+
 #: ../../installation/migrate-from-vyatta.rst:101
 msgid "This example uses VyOS 1.0.0, however, it's better to install the latest release."
 msgstr "This example uses VyOS 1.0.0, however, it's better to install the latest release."
 
-#: ../../installation/vyos-on-baremetal.rst:85
+#: ../../installation/bare-metal.rst:85
 msgid "This guide was developed using an APU4C4 board with the following specs:"
 msgstr "This guide was developed using an APU4C4 board with the following specs:"
 
@@ -1665,11 +1851,15 @@ msgstr "This guide was developed using an APU4C4 board with the following specs:
 msgid "This guide will provide the necessary steps for installing and setting up VyOS on GNS3."
 msgstr "This guide will provide the necessary steps for installing and setting up VyOS on GNS3."
 
-#: ../../installation/install.rst:580
+#: ../../installation/install.rst:581
 msgid "This is a list of known issues that can arise during installation."
 msgstr "This is a list of known issues that can arise during installation."
 
-#: ../../installation/vyos-on-baremetal.rst:374
+#: ../../installation/secure-boot.rst:177
+msgid "This means that the Machine Owner Key used to sign the Kernel is not trusted by your UEFI. You need to install the MOK via ``install mok`` as stated above."
+msgstr "This means that the Machine Owner Key used to sign the Kernel is not trusted by your UEFI. You need to install the MOK via ``install mok`` as stated above."
+
+#: ../../installation/bare-metal.rst:374
 msgid "This microbox network appliance was build to create OpenVPN bridges. It can saturate a 100Mbps link. It is a small (serial console only) PC with 6 Gb LAN"
 msgstr "This microbox network appliance was build to create OpenVPN bridges. It can saturate a 100Mbps link. It is a small (serial console only) PC with 6 Gb LAN"
 
@@ -1685,10 +1875,18 @@ msgstr "This step also enables systemd service and runs it."
 msgid "This subsection only applies to LTS images, for Rolling images please jump to :ref:`live_installation`."
 msgstr "This subsection only applies to LTS images, for Rolling images please jump to :ref:`live_installation`."
 
+#: ../../installation/secure-boot.rst:162
+msgid "Thos we close the door to load any malicious stuff after the image was assembled into the Kernel as module. You can of course disable this behavior on custom builds."
+msgstr "Thos we close the door to load any malicious stuff after the image was assembled into the Kernel as module. You can of course disable this behavior on custom builds."
+
 #: ../../installation/cloud/gcp.rst:8
 msgid "To deploy VyOS on GCP (Google Cloud Platform)"
 msgstr "To deploy VyOS on GCP (Google Cloud Platform)"
 
+#: ../../installation/secure-boot.rst:15
+msgid "To generate a custom ISO with your own secure boot keys, run the following commands prior to your ISO image build:"
+msgstr "To generate a custom ISO with your own secure boot keys, run the following commands prior to your ISO image build:"
+
 #: ../../installation/virtual/gns3.rst:153
 msgid "To turn the template into a working VyOS machine, further steps are necessary as outlined below:"
 msgstr "To turn the template into a working VyOS machine, further steps are necessary as outlined below:"
@@ -1701,15 +1899,23 @@ msgstr "To use Amazon CloudWatch Agent, configure it within the Amazon SSM Param
 msgid "To use the `latest` option the \"system update-check url\" must be configured."
 msgstr "To use the `latest` option the \"system update-check url\" must be configured."
 
+#: ../../installation/update.rst:81
+msgid "To use the `latest` option the \"system update-check url\" must be configured appropriately for the installed release."
+msgstr "To use the `latest` option the \"system update-check url\" must be configured appropriately for the installed release."
+
 #: ../../installation/install.rst:248
 msgid "To verify a VyOS image starting off with VyOS 1.3.0-rc6 you can run:"
 msgstr "To verify a VyOS image starting off with VyOS 1.3.0-rc6 you can run:"
 
-#: ../../installation/install.rst:337
+#: ../../installation/secure-boot.rst:167
+msgid "Troubleshoot"
+msgstr "Troubleshoot"
+
+#: ../../installation/install.rst:338
 msgid "Unlike general purpose Linux distributions, VyOS uses \"image installation\" that mimics the user experience of traditional hardware routers and allows keeping multiple VyOS versions installed simultaneously. This makes it possible to switch to a previous version if something breaks or miss-behaves after an image upgrade."
 msgstr "Unlike general purpose Linux distributions, VyOS uses \"image installation\" that mimics the user experience of traditional hardware routers and allows keeping multiple VyOS versions installed simultaneously. This makes it possible to switch to a previous version if something breaks or miss-behaves after an image upgrade."
 
-#: ../../installation/install.rst:288
+#: ../../installation/install.rst:289
 msgid "Unmount the USB drive. Replace X in the example below with the letter of your device and keep the asterisk (wildcard) to unmount all partitions."
 msgstr "Unmount the USB drive. Replace X in the example below with the letter of your device and keep the asterisk (wildcard) to unmount all partitions."
 
@@ -1733,7 +1939,7 @@ msgstr "Use the defaults in the **Binary and format** window and click ``Next``.
 msgid "Use the defaults in the **Qcow2 options** window and click ``Next``."
 msgstr "Use the defaults in the **Qcow2 options** window and click ``Next``."
 
-#: ../../installation/vyos-on-baremetal.rst:205
+#: ../../installation/bare-metal.rst:205
 msgid "Use the following command to adjust the :ref:`serial-console` settings:"
 msgstr "Use the following command to adjust the :ref:`serial-console` settings:"
 
@@ -1753,27 +1959,35 @@ msgstr "VM setup"
 msgid "Virt-manager"
 msgstr "Virt-manager"
 
+#: ../../installation/virtual/index.rst:3
+msgid "Virtual Environments"
+msgstr "Virtual Environments"
+
 #: ../../installation/virtual/proxmox.rst:54
 msgid "Visit https://www.proxmox.com/en/ for more information about the download and installation of this hypervisor."
 msgstr "Visit https://www.proxmox.com/en/ for more information about the download and installation of this hypervisor."
 
-#: ../../installation/install.rst:272
+#: ../../installation/install.rst:273
 msgid "VyOS, as other GNU+Linux distributions, can be tested without installing it in your hard drive. **With your downloaded VyOS .iso file you can create a bootable USB drive that will let you boot into a fully functional VyOS system**. Once you have tested it, you can either decide to begin a :ref:`permanent_installation` in your hard drive or power your system off, remove the USB drive, and leave everything as it was."
 msgstr "VyOS, as other GNU+Linux distributions, can be tested without installing it in your hard drive. **With your downloaded VyOS .iso file you can create a bootable USB drive that will let you boot into a fully functional VyOS system**. Once you have tested it, you can either decide to begin a :ref:`permanent_installation` in your hard drive or power your system off, remove the USB drive, and leave everything as it was."
 
-#: ../../installation/vyos-on-baremetal.rst:135
+#: ../../installation/bare-metal.rst:135
 msgid "VyOS 1.2 (crux)"
 msgstr "VyOS 1.2 (crux)"
 
-#: ../../installation/vyos-on-baremetal.rst:222
+#: ../../installation/bare-metal.rst:222
 msgid "VyOS 1.2 (rolling)"
 msgstr "VyOS 1.2 (rolling)"
 
+#: ../../installation/bare-metal.rst:507
+msgid "VyOS 1.4 (sagitta)"
+msgstr "VyOS 1.4 (sagitta)"
+
 #: ../../installation/migrate-from-vyatta.rst:6
 msgid "VyOS 1.x line aims to preserve backward compatibility and provide a safe upgrade path for existing Vyatta Core users. You may think of VyOS 1.0.0 as VC7.0."
 msgstr "VyOS 1.x line aims to preserve backward compatibility and provide a safe upgrade path for existing Vyatta Core users. You may think of VyOS 1.0.0 as VC7.0."
 
-#: ../../installation/install.rst:438
+#: ../../installation/install.rst:439
 msgid "VyOS ISO image to be installed (do not use images prior to VyOS 1.2.3)"
 msgstr "VyOS ISO image to be installed (do not use images prior to VyOS 1.2.3)"
 
@@ -1785,7 +1999,7 @@ msgstr "VyOS VM configuration"
 msgid "VyOS automatically associates the configuration to the image, so you don't need to worry about that. Each image has a unique copy of its configuration."
 msgstr "VyOS automatically associates the configuration to the image, so you don't need to worry about that. Each image has a unique copy of its configuration."
 
-#: ../../installation/install.rst:429
+#: ../../installation/install.rst:430
 msgid "VyOS can also be installed through PXE. This is a more complex installation method that allows deploying VyOS through the network."
 msgstr "VyOS can also be installed through PXE. This is a more complex installation method that allows deploying VyOS through the network."
 
@@ -1793,7 +2007,7 @@ msgstr "VyOS can also be installed through PXE. This is a more complex installat
 msgid "VyOS configuration is associated to each image, and **each image has a unique copy of its configuration**. This is different than a traditional network router where the configuration is shared across all images."
 msgstr "VyOS configuration is associated to each image, and **each image has a unique copy of its configuration**. This is different than a traditional network router where the configuration is shared across all images."
 
-#: ../../installation/vyos-on-baremetal.rst:263
+#: ../../installation/bare-metal.rst:263
 msgid "VyOS custom print"
 msgstr "VyOS custom print"
 
@@ -1809,6 +2023,10 @@ msgstr "VyOS installation requires a downloaded VyOS .iso file. That file is a l
 msgid "VyOS requires an IPv6-enabled docker network. Currently linux distributions do not enable docker IPv6 support by default. You can enable IPv6 support in two ways."
 msgstr "VyOS requires an IPv6-enabled docker network. Currently linux distributions do not enable docker IPv6 support by default. You can enable IPv6 support in two ways."
 
+#: ../../installation/secure-boot.rst:82
+msgid "VyOS will now launch in UEFI secure boot mode. This can be double-checked by running either one of the commands:"
+msgstr "VyOS will now launch in UEFI secure boot mode. This can be double-checked by running either one of the commands:"
+
 #: ../../installation/migrate-from-vyatta.rst:15
 msgid "Vyatta Core 6.4 and earlier may have incompatibilities. In Vyatta 6.5 the \"modify\" firewall was removed and replaced with the ``set policy route`` command family, old configs can not be automatically converted. You will have to adapt it to post-6.5 Vyatta syntax manually."
 msgstr "Vyatta Core 6.4 and earlier may have incompatibilities. In Vyatta 6.5 the \"modify\" firewall was removed and replaced with the ``set policy route`` command family, old configs can not be automatically converted. You will have to adapt it to post-6.5 Vyatta syntax manually."
@@ -1821,23 +2039,24 @@ msgstr "Vyatta Core releases from 6.5 to 6.6 should be 100% compatible."
 msgid "Vyatta release compatibility"
 msgstr "Vyatta release compatibility"
 
-#: ../../installation/vyos-on-baremetal.rst:122
+#: ../../installation/bare-metal.rst:122
+#: ../../installation/bare-metal.rst:665
 msgid "WWAN"
 msgstr "WWAN"
 
-#: ../../installation/install.rst:306
+#: ../../installation/install.rst:307
 msgid "Wait until you get the outcome (bytes copied). Be patient, in some computers it might take more than one minute."
 msgstr "Wait until you get the outcome (bytes copied). Be patient, in some computers it might take more than one minute."
 
-#: ../../installation/vyos-on-baremetal.rst:364
+#: ../../installation/bare-metal.rst:364
 msgid "Warning the interface labels on my device are backwards; the left-most \"LAN4\" port is eth0 and the right-most \"LAN1\" port is eth3."
 msgstr "Warning the interface labels on my device are backwards; the left-most \"LAN4\" port is eth0 and the right-most \"LAN1\" port is eth3."
 
-#: ../../installation/install.rst:536
+#: ../../installation/install.rst:537
 msgid "We also need to provide the *filesystem.squashfs* file. That is a heavy file and TFTP is slow, so you could send it through HTTP to speed up the transfer. That is how it is done in our example, you can find that in the configuration file above."
 msgstr "We also need to provide the *filesystem.squashfs* file. That is a heavy file and TFTP is slow, so you could send it through HTTP to speed up the transfer. That is how it is done in our example, you can find that in the configuration file above."
 
-#: ../../installation/install.rst:437
+#: ../../installation/install.rst:438
 msgid "Webserver (HTTP) - optional, but we will use it to speed up installation"
 msgstr "Webserver (HTTP) - optional, but we will use it to speed up installation"
 
@@ -1849,15 +2068,23 @@ msgstr "When prompted, answer \"yes\" to the question \"Do you want to store the
 msgid "When the underlying ESXi host is approaching ~92% memory utilisation it will start the balloon process in a 'soft' state to start reclaiming memory from guest operating systems. This causes an artificial pressure using the vmmemctl driver on memory usage on the virtual guest. As VyOS by default does not have a swap file, this vmmemctl pressure is unable to force processes to move in memory data to the paging file, and blindly consumes memory forcing the virtual guest into a low memory state with no way to escape. The balloon can expand to 65% of guest allocated memory, so a VyOS guest running >35% of memory usage, can encounter an out of memory situation, and trigger the kernel oom_kill process. At this point a weighted lottery favouring memory hungry processes will be run with the unlucky winner being terminated by the kernel."
 msgstr "When the underlying ESXi host is approaching ~92% memory utilisation it will start the balloon process in a 'soft' state to start reclaiming memory from guest operating systems. This causes an artificial pressure using the vmmemctl driver on memory usage on the virtual guest. As VyOS by default does not have a swap file, this vmmemctl pressure is unable to force processes to move in memory data to the paging file, and blindly consumes memory forcing the virtual guest into a low memory state with no way to escape. The balloon can expand to 65% of guest allocated memory, so a VyOS guest running >35% of memory usage, can encounter an out of memory situation, and trigger the kernel oom_kill process. At this point a weighted lottery favouring memory hungry processes will be run with the unlucky winner being terminated by the kernel."
 
-#: ../../installation/vyos-on-baremetal.rst:112
+#: ../../installation/secure-boot.rst:150
+msgid "Whenever our CI system builds a Kernel package and the required 3rd party modules, we will generate a temporary (ephemeral) public/private key-pair that's used for signing the modules. The public key portion is embedded into the Kernel binary to verify the loaded modules."
+msgstr "Whenever our CI system builds a Kernel package and the required 3rd party modules, we will generate a temporary (ephemeral) public/private key-pair that's used for signing the modules. The public key portion is embedded into the Kernel binary to verify the loaded modules."
+
+#: ../../installation/bare-metal.rst:112
 msgid "WiFi"
 msgstr "WiFi"
 
+#: ../../installation/secure-boot.rst:54
+msgid "With the next reboot, MOK Manager will automatically launch"
+msgstr "With the next reboot, MOK Manager will automatically launch"
+
 #: ../../installation/install.rst:194
 msgid "With the public key imported, the signature for the desired image needs to be downloaded."
 msgstr "With the public key imported, the signature for the desired image needs to be downloaded."
 
-#: ../../installation/vyos-on-baremetal.rst:354
+#: ../../installation/bare-metal.rst:354
 msgid "Write VyOS ISO to USB drive of some sort"
 msgstr "Write VyOS ISO to USB drive of some sort"
 
@@ -1865,7 +2092,7 @@ msgstr "Write VyOS ISO to USB drive of some sort"
 msgid "Write a name for your VM, for instance \"VyOS\", and click ``Next``."
 msgstr "Write a name for your VM, for instance \"VyOS\", and click ``Next``."
 
-#: ../../installation/install.rst:296
+#: ../../installation/install.rst:297
 msgid "Write the image (your VyOS .iso file) to the USB drive. Note that here you want to use the device name (e.g. /dev/sdb), not the partition name (e.g. /dev/sdb1)."
 msgstr "Write the image (your VyOS .iso file) to the USB drive. Note that here you want to use the device name (e.g. /dev/sdb), not the partition name (e.g. /dev/sdb1)."
 
@@ -1881,10 +2108,14 @@ msgstr "You can execute ``docker stop vyos`` when you are finished with the cont
 msgid "You can go back to your Vyatta install using the ``set system image default-boot`` command and selecting the your previous Vyatta Core image."
 msgstr "You can go back to your Vyatta install using the ``set system image default-boot`` command and selecting the your previous Vyatta Core image."
 
-#: ../../installation/vyos-on-baremetal.rst:198
+#: ../../installation/bare-metal.rst:198
 msgid "You can now proceed with a regular image installation as described in :ref:`installation`."
 msgstr "You can now proceed with a regular image installation as described in :ref:`installation`."
 
+#: ../../installation/secure-boot.rst:64
+msgid "You can now view the key to be installed and ``continue`` with the Key installation"
+msgstr "You can now view the key to be installed and ``continue`` with the Key installation"
+
 #: ../../installation/update.rst:75
 msgid "You can use ``latest`` option. It loads the latest available Rolling release."
 msgstr "You can use ``latest`` option. It loads the latest available Rolling release."
@@ -1893,7 +2124,7 @@ msgstr "You can use ``latest`` option. It loads the latest available Rolling rel
 msgid "You just use ``add system image``, as if it was a new VC release (see :ref:`update_vyos` for additional information). The only thing you want to do is to verify the new images digital signature. You will have to add the public key manually once as it is not shipped the first time."
 msgstr "You just use ``add system image``, as if it was a new VC release (see :ref:`update_vyos` for additional information). The only thing you want to do is to verify the new images digital signature. You will have to add the public key manually once as it is not shipped the first time."
 
-#: ../../installation/vyos-on-baremetal.rst:377
+#: ../../installation/bare-metal.rst:377
 msgid "You may have to add your own RAM and HDD/SSD. There is no VGA connector. But Acrosser provides a DB25 adapter for the VGA header on the motherboard (not used)."
 msgstr "You may have to add your own RAM and HDD/SSD. There is no VGA connector. But Acrosser provides a DB25 adapter for the VGA header on the motherboard (not used)."
 
@@ -1901,7 +2132,7 @@ msgstr "You may have to add your own RAM and HDD/SSD. There is no VGA connector.
 msgid "You probably will want to accept to copy the .iso file to your default image directory when you are asked."
 msgstr "You probably will want to accept to copy the .iso file to your default image directory when you are asked."
 
-#: ../../installation/install.rst:423
+#: ../../installation/install.rst:424
 msgid "You will boot now into a permanent VyOS system."
 msgstr "You will boot now into a permanent VyOS system."
 
@@ -1913,11 +2144,11 @@ msgstr ".ova files are available for supporting users, and a VyOS can also be st
 msgid ":ref:`Install VyOS <installation>` as normal (that is, using the ``install image`` command)."
 msgstr ":ref:`Install VyOS <installation>` as normal (that is, using the ``install image`` command)."
 
-#: ../../installation/install.rst:435
+#: ../../installation/install.rst:436
 msgid ":ref:`dhcp-server`"
 msgstr ":ref:`dhcp-server`"
 
-#: ../../installation/install.rst:436
+#: ../../installation/install.rst:437
 msgid ":ref:`tftp-server`"
 msgstr ":ref:`tftp-server`"
 
@@ -1925,7 +2156,7 @@ msgstr ":ref:`tftp-server`"
 msgid ":vytask:`T2108` switched the validation system to prefer minisign over GPG keys."
 msgstr ":vytask:`T2108` switched the validation system to prefer minisign over GPG keys."
 
-#: ../../installation/vyos-on-baremetal.rst:349
+#: ../../installation/bare-metal.rst:349
 msgid "`Manufacturer product page <http://www.inctel.com.cn/product/detail/338.html>`_."
 msgstr "`Manufacturer product page <http://www.inctel.com.cn/product/detail/338.html>`_."
 
@@ -1933,7 +2164,11 @@ msgstr "`Manufacturer product page <http://www.inctel.com.cn/product/detail/338.
 msgid "``gpg --recv-keys FD220285A0FE6D7E``"
 msgstr "``gpg --recv-keys FD220285A0FE6D7E``"
 
-#: ../../installation/install.rst:593
+#: ../../installation/secure-boot.rst:160
+msgid "``insmod: ERROR: could not insert module malicious.ko: Key was rejected by service``"
+msgstr "``insmod: ERROR: could not insert module malicious.ko: Key was rejected by service``"
+
+#: ../../installation/install.rst:594
 msgid "`console=ttyS0,115200`"
 msgstr "`console=ttyS0,115200`"
 
@@ -1961,11 +2196,19 @@ msgstr "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-C
 msgid "https://muralidba.blogspot.com/2018/03/how-does-linux-out-of-memory-oom-killer.html"
 msgstr "https://muralidba.blogspot.com/2018/03/how-does-linux-out-of-memory-oom-killer.html"
 
+#: ../../installation/secure-boot.rst:148
+msgid "https://patchwork.kernel.org/project/linux-integrity/patch/20210218220011.67625-5-nayna@linux.ibm.com/"
+msgstr "https://patchwork.kernel.org/project/linux-integrity/patch/20210218220011.67625-5-nayna@linux.ibm.com/"
+
 #: ../../installation/install.rst:116
 msgid "https://pgp.mit.edu/pks/lookup?op=get&search=0xFD220285A0FE6D7E"
 msgstr "https://pgp.mit.edu/pks/lookup?op=get&search=0xFD220285A0FE6D7E"
 
 #: ../../installation/update.rst:86
+msgid "https://raw.githubusercontent.com/vyos/vyos-nightly-build/refs/heads/current/version.json"
+msgstr "https://raw.githubusercontent.com/vyos/vyos-nightly-build/refs/heads/current/version.json"
+
+#: ../../installation/update.rst:91
 msgid "https://vyos.net/get/nightly-builds/"
 msgstr "https://vyos.net/get/nightly-builds/"
 
@@ -1981,6 +2224,6 @@ msgstr "https://www.oracle.com/cloud/"
 msgid "ly-builds/releases/download/1.4-rolling-202308240020/vyos-1.4-rolling-202308240020-amd64.iso"
 msgstr "ly-builds/releases/download/1.4-rolling-202308240020/vyos-1.4-rolling-202308240020-amd64.iso"
 
-#: ../../installation/install.rst:595
+#: ../../installation/install.rst:596
 msgid "option, and type CTRL-X to boot."
 msgstr "option, and type CTRL-X to boot."