Merge pull request #1 from vyos/master

Update fork

19 files changed, 3445 insertions, 0 deletions

diff --git a/docs/configuration/service/broadcast-relay.rst b/docs/configuration/service/broadcast-relay.rst
new file mode 100644
index 00000000..df48bfd6
--- /dev/null
+++ b/docs/configuration/service/broadcast-relay.rst
@@ -0,0 +1,61 @@
+.. _udp_broadcast_relay:
+
+###################
+UDP Broadcast Relay
+###################
+
+Certain vendors use broadcasts to identify their equipment within one ethernet
+segment. Unfortunately if you split your network with multiple VLANs you loose
+the ability of identifying your equipment.
+
+This is where "UDP broadcast relay" comes into play! It will forward received
+broadcasts to other configured networks.
+
+Every UDP port which will be forward requires one unique ID. Currently we
+support 99 IDs!
+
+Configuration
+-------------
+
+.. cfgcmd:: set service broadcast-relay id <n> description <description>
+
+   A description can be added for each and every unique relay ID. This is
+   useful to distinguish between multiple different ports/appliactions.
+
+.. cfgcmd:: set service broadcast-relay id <n> interface <interface>
+
+   The interface used to receive and relay individual broadcast packets. If you
+   want to receive/relay packets on both `eth1` and `eth2` both interfaces need
+   to be added.
+
+.. cfgcmd:: set service broadcast-relay id <n> port <port>
+
+   The UDP port number used by your apllication. It is mandatory for this kind
+   of operation.
+
+.. cfgcmd:: set service broadcast-relay id <n> disable
+
+   Each broadcast relay instance can be individually disabled without deleting
+   the configured node by using the following command:
+
+.. cfgcmd:: set service broadcast-relay disable
+
+   In addition you can also disable the whole service without the need to remove
+   it from the current configuration.
+
+.. note:: You can run the UDP broadcast relay service on multiple routers
+   connected to a subnet. There is **NO** UDP broadcast relay packet storm!
+
+Example
+-------
+
+To forward all broadcast packets received on `UDP port 1900` on `eth3`, `eth4`
+or `eth5` to all other interfaces in this configuration.
+
+.. code-block:: none
+
+  set service broadcast-relay id 1 description 'SONOS'
+  set service broadcast-relay id 1 interface 'eth3'
+  set service broadcast-relay id 1 interface 'eth4'
+  set service broadcast-relay id 1 interface 'eth5'
+  set service broadcast-relay id 1 port '1900'
diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst
new file mode 100644
index 00000000..3c9f08e4
--- /dev/null
+++ b/docs/configuration/service/conntrack-sync.rst
@@ -0,0 +1,201 @@
+.. include:: /_include/need_improvement.txt
+
+Conntrack
+---------
+
+One of the important features built on top of the Netfilter framework is
+connection tracking. Connection tracking allows the kernel to keep track of all
+logical network connections or sessions, and thereby relate all of the packets
+which may make up that connection. NAT relies on this information to translate
+all related packets in the same way, and iptables can use this information to
+act as a stateful firewall.
+
+The connection state however is completely independent of any upper-level
+state, such as TCP's or SCTP's state. Part of the reason for this is that when
+merely forwarding packets, i.e. no local delivery, the TCP engine may not
+necessarily be invoked at all. Even connectionless-mode transmissions such as
+UDP, IPsec (AH/ESP), GRE and other tunneling protocols have, at least, a pseudo
+connection state. The heuristic for such protocols is often based upon a preset
+timeout value for inactivity, after whose expiration a Netfilter connection is
+dropped.
+
+Each Netfilter connection is uniquely identified by a (layer-3 protocol, source
+address, destination address, layer-4 protocol, layer-4 key) tuple. The layer-4
+key depends on the transport protocol; for TCP/UDP it is the port numbers, for
+tunnels it can be their tunnel ID, but otherwise is just zero, as if it were
+not part of the tuple. To be able to inspect the TCP port in all cases, packets
+will be mandatorily defragmented.
+
+It is possible to use either Multicast or Unicast to sync conntrack traffic.
+Most examples below show Multicast, but unicast can be specified by using the
+"peer" keywork after the specificed interface, as in the following example:  
+
+set service conntrack-sync interface eth0 peer 192.168.0.250
+
+Configuration
+^^^^^^^^^^^^^
+
+.. code-block:: none
+
+  # Protocols only for which local conntrack entries will be synced (tcp, udp, icmp, sctp)
+  set service conntrack-sync accept-protocol
+
+  # Queue size for listening to local conntrack events (in MB)
+  set service conntrack-sync event-listen-queue-size <int>
+
+  # Protocol for which expect entries need to be synchronized. (all, ftp, h323, nfs, sip, sqlnet)
+  set service conntrack-sync expect-sync
+
+  # Failover mechanism to use for conntrack-sync [REQUIRED]
+  set service conntrack-sync failover-mechanism
+
+  set service conntrack-sync cluster group <string>
+  set service conntrack-sync vrrp sync-group <1-255>
+
+  # IP addresses for which local conntrack entries will not be synced
+  set service conntrack-sync ignore-address ipv4 <x.x.x.x>
+
+  # Interface to use for syncing conntrack entries [REQUIRED]
+  set service conntrack-sync interface <ifname>
+ 
+  # Multicast group to use for syncing conntrack entries
+  set service conntrack-sync mcast-group <x.x.x.x>
+  
+  # Peer to send Unicast UDP conntrack sync entires to, if not using Multicast above
+  set service conntrack-sync interface <ifname> peer <remote IP of peer>
+
+  # Queue size for syncing conntrack entries (in MB)
+  set service conntrack-sync sync-queue-size <size>
+
+Example
+^^^^^^^
+The next example is a simple configuration of conntrack-sync.
+
+
+.. figure:: /_static/images/service_conntrack_sync-schema.png
+   :scale: 60 %
+   :alt: Conntrack Sync Example
+
+   Conntrack Sync Example
+
+First of all, make sure conntrack is enabled by running
+
+.. code-block:: none
+
+  show conntrack table ipv4
+
+If the table is empty and you have a warning message, it means conntrack is not
+enabled. To enable conntrack, just create a NAT or a firewall rule.
+
+.. code-block:: none
+
+  set firewall state-policy established action accept
+
+You now should have a conntrack table
+
+.. code-block:: none
+
+  $ show conntrack table ipv4
+  TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
+                   FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
+                   TW - TIME WAIT, CL - CLOSE, LI - LISTEN
+
+  CONN ID    Source                 Destination            Protocol         TIMEOUT
+  1015736576 10.35.100.87:58172     172.31.20.12:22        tcp [6] ES       430279
+  1006235648 10.35.101.221:57483    172.31.120.21:22       tcp [6] ES       413310
+  1006237088 10.100.68.100          172.31.120.21          icmp [1]         29
+  1015734848 10.35.100.87:56282     172.31.20.12:22        tcp [6] ES       300
+  1015734272 172.31.20.12:60286     239.10.10.14:694       udp [17]         29
+  1006239392 10.35.101.221          172.31.120.21          icmp [1]         29
+
+Now configure conntrack-sync service on ``router1`` **and** ``router2``
+
+.. code-block:: none
+
+  set service conntrack-sync accept-protocol 'tcp,udp,icmp'
+  set service conntrack-sync event-listen-queue-size '8'
+  set service conntrack-sync failover-mechanism cluster group 'GROUP'
+  set service conntrack-sync interface 'eth0'
+  set service conntrack-sync mcast-group '225.0.0.50'
+  set service conntrack-sync sync-queue-size '8'
+
+If you are using VRRP, you need to define a VRRP sync-group, and use
+``vrrp sync-group`` instead of ``cluster group``.
+
+.. code-block:: none
+
+  set high-availablilty vrrp group internal virtual-address ... etc ...
+  set high-availability vrrp sync-group syncgrp member 'internal'
+  set service conntrack-sync failover-mechanism vrrp sync-group 'syncgrp'
+
+
+On the active router, you should have information in the internal-cache of
+conntrack-sync. The same current active connections number should be shown in
+the external-cache of the standby router
+
+On active router run:
+
+.. code-block:: none
+
+  $ show conntrack-sync statistics
+
+  Main Table Statistics:
+
+  cache internal:
+  current active connections:               10
+  connections created:                    8517    failed:            0
+  connections updated:                     127    failed:            0
+  connections destroyed:                  8507    failed:            0
+
+  cache external:
+  current active connections:                0
+  connections created:                       0    failed:            0
+  connections updated:                       0    failed:            0
+  connections destroyed:                     0    failed:            0
+
+  traffic processed:
+                     0 Bytes                         0 Pckts
+
+  multicast traffic (active device=eth0):
+                868780 Bytes sent               224136 Bytes recv
+                 20595 Pckts sent                14034 Pckts recv
+                     0 Error send                    0 Error recv
+
+  message tracking:
+                     0 Malformed msgs                    0 Lost msgs
+
+
+
+On standby router run:
+
+
+.. code-block:: none
+
+
+  $ show conntrack-sync statistics
+
+  Main Table Statistics:
+
+  cache internal:
+  current active connections:                0
+  connections created:                       0    failed:            0
+  connections updated:                       0    failed:            0
+  connections destroyed:                     0    failed:            0
+
+  cache external:
+  current active connections:               10
+  connections created:                     888    failed:            0
+  connections updated:                     134    failed:            0
+  connections destroyed:                   878    failed:            0
+
+  traffic processed:
+                     0 Bytes                         0 Pckts
+
+  multicast traffic (active device=eth0):
+                234184 Bytes sent               907504 Bytes recv
+                 14663 Pckts sent                21495 Pckts recv
+                     0 Error send                    0 Error recv
+
+  message tracking:
+                     0 Malformed msgs                    0 Lost msgs
+
diff --git a/docs/configuration/service/console-server.rst b/docs/configuration/service/console-server.rst
new file mode 100644
index 00000000..a509723e
--- /dev/null
+++ b/docs/configuration/service/console-server.rst
@@ -0,0 +1,108 @@
+.. _console_server:
+
+##############
+Console Server
+##############
+
+Starting of with VyOS 1.3 (equuleus) we added support for running VyOS as an
+Out-of-Band Management device which provides remote access by means of SSH to
+directly attached serial interfaces.
+
+Serial interfaces can be any interface which is directly connected to the CPU
+or chipset (mostly known as a ttyS interface in Linux) or any other USB to
+serial converter (Prolific PL2303 or FTDI FT232/FT4232 based chips).
+
+If you happened to use a Cisco NM-16A - Sixteen Port Async Network Module or
+NM-32A - Thirty-two Port Async Network Module - this is your VyOS replacement.
+
+For USB port information please refor to: :ref:`hardware_usb`.
+
+Configuration
+=============
+
+Between computers, the most common configuration used was "8N1": eight bit
+characters, with one start bit, one stop bit, and no parity bit. Thus 10 Baud
+times are used to send a single character, and so dividing the signalling
+bit-rate by ten results in the overall transmission speed in characters per
+second. This is also the default setting if none of those options are defined.
+
+.. cfgcmd:: set service console-server <device> data-bits [7 | 8]
+
+  Configure either seven or eight data bits. This defaults to eight data
+  bits if left unconfigured.
+
+.. cfgcmd:: set service console-server <device> description <string>
+
+  A user friendly description identifying the connected peripheral.
+
+.. cfgcmd:: set service console-server <device> parity [even | odd | none]
+
+  Set the parity option for the console. If unset this will default to none.
+
+.. cfgcmd:: set service console-server <device> stop-bits [1 | 2]
+
+  Configure either one or two stop bits. This defaults to one stop bits if
+  left unconfigured.
+
+.. cfgcmd:: set service console-server <device> speed 
+   [ 300 | 1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200 ]
+
+  .. note:: USB to serial converters will handle most of their work in software
+     so you should be carefull with the selected baudrate as some times they
+     can't cope with the expected speed.
+
+Remote Access
+-------------
+
+Each individual configured console-server device can be directly exposed to
+the outside world. A user can directly connect via SSH to the configured
+port.
+
+.. cfgcmd:: set service console-server <device> ssh port <port>
+
+  Accept SSH connections for the given `<device>` on TCP port `<port>`.
+  After successfull authentication the user will be directly dropped to
+  the connected serial device.
+
+  .. hint:: Multiple users can connect to the same serial device but only
+     one is allowed to write to the console port.
+
+Operation
+=========
+
+.. opcmd:: show console-server ports
+
+  Show configured serial ports and their respective interface configuration.
+
+  .. code-block:: none
+
+    vyos@vyos:~$ show console-server ports
+     usb0b2.4p1.0             on /dev/serial/by-bus/usb0b2.4p1.0@ at   9600n
+
+.. opcmd:: show console-server user
+
+  Show currently connected users.
+
+  .. code-block:: none
+
+    vyos@vyos:~$ show console-server user
+     usb0b2.4p1.0               up   vyos@localhost
+
+
+.. opcmd:: connect console-server <device>
+
+  Locally connect to serial port identified by `<device>`.
+
+  .. code-block:: none
+
+    vyos@vyos-r1:~$ connect console-server usb0b2.4p1.0
+    [Enter `^Ec?' for help]
+    [-- MOTD -- VyOS Console Server]
+
+    vyos-r2 login:
+
+  .. hint:: Multiple users can connect to the same serial device but only
+     one is allowed to write to the console port.
+
+  .. hint:: The sequence ``^Ec?`` translates to: ``Ctrl+E c ?``. To quit
+     the session use: ``Ctrl+E c .``
diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst
new file mode 100644
index 00000000..5355a0fd
--- /dev/null
+++ b/docs/configuration/service/dhcp-relay.rst
@@ -0,0 +1,159 @@
+.. _dhcp-relay:
+
+##########
+DHCP Relay
+##########
+
+If you want your router to forward DHCP requests to an external DHCP server
+you can configure the system to act as a DHCP relay agent. The DHCP relay
+agent works with IPv4 and IPv6 addresses.
+
+All interfaces used for the DHCP relay must be configured.
+
+**********
+IPv4 relay
+**********
+
+Configuration
+=============
+
+.. cfgcmd:: set service dhcp-relay interface <interface>
+
+   Enable the DHCP relay service on the given interface.
+
+.. cfgcmd:: set service dhcp-relay server <server>
+
+   Configure IP address of the DHCP `<server>` which will handle the relayed
+   packets.
+
+.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packets discard
+
+   The router should discard DHCP packages already containing relay agent
+   information to ensure that only requests from DHCP clients are forwarded.
+
+Options
+-------
+
+.. cfgcmd:: set service dhcp-relay relay-options hop-count <count>
+
+   Set the maximum hop `<count>` before packets are discarded. Range 0...255,
+   default 10.
+
+.. cfgcmd:: set service dhcp-relay relay-options max-size <size>
+
+   Set maximum `<size>` of DHCP packets including relay agent information. If a
+   DHCP packet size surpasses this value it will be forwarded without appending
+   relay agent information. Range 64...1400, default 576.
+
+.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packet
+   <append | discard | forward | replace>
+
+   Four policies for reforwarding DHCP packets exist:
+
+   * **append:** The relay agent is allowed to append its own relay information
+     to a received DHCP packet, disregarding relay information already present
+     in the packet.
+
+   * **discard:** Received packets which already contain relay information will
+     be discarded.
+
+   * **forward:** All packets are forwarded, relay information already present
+     will be ignored.
+
+   * **replace:** Relay information already present in a packet is stripped and
+     replaced with the router's own relay information set.
+
+Example
+=======
+
+* Listen for DHCP requests on interface ``eth1``.
+* DHCP server is located at IPv4 address 10.0.1.4.
+* Router receives DHCP client requests on ``eth1`` and relays them to the server
+  at 10.0.1.4.
+
+.. figure:: /_static/images/service_dhcp-relay01.png
+   :scale: 80 %
+   :alt: DHCP relay example
+
+   DHCP relay example
+
+The generated configuration will look like:
+
+.. code-block:: none
+
+  show service dhcp-relay
+      interface eth1
+      server 10.0.1.4
+      relay-options {
+         relay-agents-packets discard
+      }
+
+Operation
+=========
+
+.. opcmd:: restart dhcp relay-agent
+
+   Restart DHCP relay service
+
+**********
+IPv6 relay
+**********
+
+Configuration
+=============
+
+.. cfgcmd:: set service dhcpv6-relay listen-interface <interface>
+
+   Set eth1 to be the listening interface for the DHCPv6 relay.
+
+   Multiple interfaces may be specified.
+
+.. cfgcmd:: set service dhcpv6-relay upstream-interface <interface>
+   address <server>
+
+   Specifies an upstream network `<interface>` from which replies from
+   `<server>` and other relay agents will be accepted.
+
+Options
+-------
+
+.. cfgcmd:: set service dhcpv6-relay max-hop-count 'count'
+
+   Set maximum hop count before packets are discarded, default: 10
+
+.. cfgcmd:: set service dhcpv6-relay use-interface-id-option
+
+   If this is set the relay agent will insert the interface ID. This option is
+   set automatically if more than one listening interfaces are in use.
+
+Example
+=======
+
+* DHCPv6 requests are received by the router on `listening interface` ``eth1``
+* Requests are forwarded through ``eth2`` as the `upstream interface`
+* External DHCPv6 server is at 2001:db8::4
+
+.. figure:: /_static/images/service_dhcpv6-relay01.png
+   :scale: 80 %
+   :alt: DHCPv6 relay example
+
+   DHCPv6 relay example
+
+The generated configuration will look like:
+
+.. code-block:: none
+
+  commit
+  show service dhcpv6-relay
+      listen-interface eth1 {
+      }
+      upstream-interface eth2 {
+         address 2001:db8::4
+      }
+
+Operation
+=========
+
+.. opcmd:: restart dhcpv6 relay-agent
+
+   Restart DHCPv6 relay agent immediately.
diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst
new file mode 100644
index 00000000..28dddb2f
--- /dev/null
+++ b/docs/configuration/service/dhcp-server.rst
@@ -0,0 +1,621 @@
+.. _dhcp-server:
+
+###########
+DHCP Server
+###########
+
+VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment.
+
+***********
+IPv4 server
+***********
+
+The network topology is declared by shared-network-name and the subnet
+declarations. The DHCP service can serve multiple shared networks, with each
+shared network having 1 or more subnets. Each subnet must be present on an
+interface. A range can be declared inside a subnet to define a pool of dynamic
+addresses. Multiple ranges can be defined and can contain holes. Static
+mappings can be set to assign "static" addresses to clients based on their MAC
+address.
+
+Configuration
+=============
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> authoritative
+
+   This says that this device is the only DHCP server for this network. If other
+   devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to
+   any device trying to request an IP address that is not valid for this
+   network.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
+   default-router <address>
+
+   This is a configuration parameter for the `<subnet>`, saying that as part of
+   the response, tell the client that the default gateway can be reached at
+   `<address>`.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
+   dns-server <address>
+
+   This is a configuration parameter for the subnet, saying that as part of the
+   response, tell the client that the DNS server can be found at `<address>`.
+
+   Multiple DNS servers can be defined.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
+   lease <time>
+
+   Assign the IP address to this machine for `<time>` seconds.
+
+   The default value is 86400 seconds which corresponds to one day.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
+   range <n> start <address>
+
+   Create DHCP address range with a range id of `<n>`. DHCP leases are taken
+   from this pool. The pool starts at address `<address>`.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
+   range <n> stop <address>
+
+   Create DHCP address range with a range id of `<n>`. DHCP leases are taken
+   from this pool. The pool stops with address `<address>`.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
+   exclude <address>
+
+   Always exclude this address from any defined range. This address will never
+   be assigned by the DHCP server.
+
+   This option can be specified multiple times.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
+   domain-name <domain-name>
+
+   The domain-name parameter should be the domain name that will be appended to
+   the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP
+   Option 015).
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet>
+   domain-search <domain-name>
+
+   The domain-name parameter should be the domain name used when completing DNS
+   request where no full FQDN is passed. This option can be given multiple times
+   if you need multiple search domains (DHCP Option 119).
+
+Failover
+--------
+
+VyOS provides support for DHCP failover. DHCP failover must be configured
+explicitly by the following statements.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet
+   <subnet> failover local-address <address>
+
+   Local IP `<address>` used when communicating to the failover peer.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet
+   <subnet> failover peer-address <address>
+
+   Remote peer IP `<address>` of the second DHCP server in this failover
+   cluster.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet
+   <subnet> failover name <name>
+
+   A generic `<name>` referencing this sync service.
+
+   .. note:: `<name>` must be identical on both sides!
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet
+   <subnet> failover status <primary | secondary>
+
+   The primary and secondary statements determines whether the server is primary
+   or secondary.
+
+   .. note:: In order for the primary and the secondary DHCP server to keep
+      their lease tables in sync, they must be able to reach each other on TCP
+      port 647. If you have firewall rules in effect, adjust them accordingly.
+
+   .. hint:: The dialogue between failover partners is neither encrypted nor
+      authenticated. Since most DHCP servers exist within an organisation's own
+      secure Intranet, this would be an unnecessary overhead. However, if you
+      have DHCP failover peers whose communications traverse insecure networks,
+      then we recommend that you consider the use of VPN tunneling between them
+      to ensure that the failover partnership is immune to disruption
+      (accidental or otherwise) via third parties.
+
+Static mappings
+---------------
+
+You can specify a static DHCP assignment on a per host basis. You will need the
+MAC address of the station and your desired IP address. The address must be
+inside the subnet definition but can be outside of the range statement.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet
+   <subnet> static-mapping <description> mac-address <address>
+
+   Create a new DHCP static mapping named `<description>` which is valid for
+   the host identified by its MAC `<address>`.
+
+.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet
+   <subnet> static-mapping <description> ip-address <address>
+
+   Static DHCP IP address assign to host identified by `<description>`. IP
+   address must be inside the `<subnet>` which is defined but can be outside
+   the dynamic range created with :cfgcmd:`set service dhcp-server
+   shared-network-name <name> subnet <subnet> range <n>`. If no ip-address is
+   specified, an IP from the dynamic pool is used.
+
+   This is useful, for example, in combination with hostfile update.
+
+   .. hint:: This is the equivalent of the host block in dhcpd.conf of
+      isc-dhcpd.
+
+Options
+=======
+
+.. list-table::
+   :header-rows: 1
+   :stub-columns: 0
+   :widths: 12 7 23 40 20
+
+   * - Setting name
+     - Option number
+     - ISC-DHCP Option name
+     - Option description
+     - Multi
+   * - client-prefix-length
+     - 1
+     - subnet-mask
+     - Specifies the clients subnet mask as per RFC 950. If unset,
+       subnet declaration is used.
+     - N
+   * - time-offset
+     - 2
+     - time-offset
+     - Offset of the client's subnet in seconds from Coordinated
+       Universal Time (UTC)
+     - N
+   * - default-router
+     - 3
+     - routers
+     - IPv4 address of router on the client's subnet
+     - N
+   * - time-server
+     - 4
+     - time-servers
+     - RFC 868 time server IPv4 address
+     - Y
+   * - dns-server
+     - 6
+     - domain-name-servers
+     - DNS server IPv4 address
+     - Y
+   * - domain-name
+     - 15
+     - domain-name
+     - Client domain name
+     - Y
+   * - ip-forwarding
+     - 19
+     - ip-forwarding
+     - Enable IP forwarding on client
+     - N
+   * - ntp-server
+     - 42
+     - ntp-servers
+     - IP address of NTP server
+     - Y
+   * - wins-server
+     - 44
+     - netbios-name-servers
+     - NetBIOS over TCP/IP name server
+     - Y
+   * - server-identifier
+     - 54
+     - dhcp-server-identifier
+     - IP address for DHCP server identifier
+     - N
+   * - bootfile-server
+     - siaddr
+     - next-server
+     - IPv4 address of next bootstrap server
+     - N
+   * - tftp-server-name
+     - 66
+     - tftp-server-name
+     - Name or IPv4 address of TFTP server
+     - N
+   * - bootfile-name
+     - 67
+     - bootfile-name, filename
+     - Bootstrap file name
+     - N
+   * - smtp-server
+     - 69
+     - smtp-server
+     - IP address of SMTP server
+     - Y
+   * - pop-server
+     - 70
+     - pop-server
+     - IP address of POP3 server
+     - Y
+   * - domain-search
+     - 119
+     - domain-search
+     - Client domain search
+     - Y
+   * - static-route
+     - 121, 249
+     - rfc3442-static-route, windows-static-route
+     - Classless static route
+     - N
+   * - wpad-url
+     - 252
+     - wpad-url, wpad-url code 252 = text
+     - Web Proxy Autodiscovery (WPAD) URL
+     - N
+   * - lease
+     -
+     - default-lease-time, max-lease-time
+     - Lease timeout in seconds (default: 86400)
+     - N
+   * - range
+     -
+     - range
+     - DHCP lease range
+     - Y
+   * - exclude
+     -
+     -
+     - IP address to exclude from DHCP lease range
+     - Y
+   * - failover
+     -
+     -
+     - DHCP failover parameters
+     -
+   * - static-mapping
+     -
+     -
+     - Name of static mapping
+     - Y
+
+Multi: can be specified multiple times.
+
+Raw Parameters
+==============
+
+Raw parameters can be passed to shared-network-name, subnet and static-mapping:
+
+.. code-block:: none
+
+  set service dhcp-server shared-network-name <name> shared-network-parameters
+     <text>       Additional shared-network parameters for DHCP server.
+  set service dhcp-server shared-network-name <name> subnet <subnet> subnet-parameters
+     <text>       Additional subnet parameters for DHCP server.
+  set service dhcp-server shared-network-name <name> subnet <subnet> static-mapping <description> static-mapping-parameters
+     <text>       Additional static-mapping parameters for DHCP server.
+                  Will be placed inside the "host" block of the mapping.
+
+These parameters are passed as-is to isc-dhcp's dhcpd.conf under the
+configuration node they are defined in. They are not validated so an error in
+the raw parameters won't be caught by vyos's scripts and will cause dhcpd to
+fail to start. Always verify that the parameters are correct before committing
+the configuration. Refer to isc-dhcp's dhcpd.conf manual for more information:
+https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf
+
+Quotes can be used inside parameter values by replacing all quote characters
+with the string ``&quot;``. They will be replaced with literal quote characters
+when generating dhcpd.conf.
+
+Example
+=======
+
+Please see the :ref:`dhcp-dns-quick-start` configuration.
+
+Failover
+--------
+
+Configuration of a DHCP failover pair
+
+* Setup DHCP failover for network 192.0.2.0/24
+* Default gateway and DNS server is at `192.0.2.254`
+* The primary DHCP server uses address `192.168.189.252`
+* The secondary DHCP server uses address `192.168.189.253`
+* DHCP range spans from `192.168.189.10` - `192.168.189.250`
+
+Common configuration, valid for both primary and secondary node.
+
+.. code-block:: none
+
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 dns-server '192.0.2.254'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250'
+
+
+**Primary**
+
+.. code-block:: none
+
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover local-address '192.168.189.252'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover name 'NET-VYOS'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover peer-address '192.168.189.253'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover status 'primary'
+
+**Secondary**
+
+.. code-block:: none
+
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover local-address '192.168.189.253'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover name 'NET-VYOS'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover peer-address '192.168.189.252'
+  set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover status 'primary'
+
+
+Raw Parameters
+--------------
+
+* Override static-mapping's dns-server with a custom one that will be sent only
+  to this host.
+* An option that takes a quoted string is set by replacing all quote characters
+  with the string ``&quot;`` inside the static-mapping-parameters value.
+  The resulting line in dhcpd.conf will be
+  ``option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";``.
+
+
+.. code-block:: none
+
+  set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;"
+  set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option pxelinux.configfile &quot;pxelinux.cfg/01-00-15-17-44-2d-aa&quot;;"
+
+
+Operation Mode
+==============
+
+.. opcmd:: restart dhcp server
+
+   Restart the DHCP server
+
+.. opcmd:: show dhcp server statistics
+
+   Show the DHCP server statistics:
+
+.. code-block:: none
+
+  vyos@vyos:~$ show dhcp server statistics
+  Pool           Size    Leases    Available  Usage
+  -----------  ------  --------  -----------  -------
+  dhcpexample      99         2           97  2%
+
+.. opcmd:: show dhcp server statistics pool <pool>
+
+   Show the DHCP server statistics for the specified pool.
+
+.. opcmd:: show dhcp server leases
+
+   Show statuses of all active leases:
+
+.. code-block:: none
+
+  vyos@vyos:~$ show dhcp server leases
+  IP address      Hardware address    State    Lease start          Lease expiration     Remaining   Pool         Hostname
+  --------------  ------------------  -------  -------------------  -------------------  ----------  -----------  ---------
+  192.0.2.104     00:53:01:dd:ee:ff   active   2019/12/05 14:24:23  2019/12/06 02:24:23  6:05:35     dhcpexample  test1
+  192.0.2.115     00:53:01:ae:af:bf   active   2019/12/05 18:02:37  2019/12/06 06:02:37  9:43:49     dhcpexample  test2
+
+.. hint:: Static mappings aren't shown. To show all states, use
+   ``show dhcp server leases state all``.
+
+.. opcmd:: show dhcp server leases pool <pool>
+
+   Show only leases in the specified pool.
+
+.. opcmd:: show dhcp server leases sort <key>
+
+   Sort the output by the specified key. Possible keys: ip, hardware_address,
+   state, start, end, remaining, pool, hostname (default = ip)
+
+.. opcmd:: show dhcp server leases state <state>
+
+   Show only leases with the specified state. Possible states: all, active,
+   free, expired, released, abandoned, reset, backup (default = active)
+
+***********
+IPv6 server
+***********
+
+VyOS also provides DHCPv6 server functionality which is described in this
+section.
+
+Configuration
+=============
+
+.. cfgcmd:: set service dhcpv6-server preference <preference value>
+
+   Clients receiving advertise messages from multiple servers choose the server
+   with the highest preference value. The range for this value is ``0...255``.
+
+.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
+   <prefix> lease-time {default | maximum | minimum}
+
+   The default lease time for DHCPv6 leases is 24 hours. This can be changed by
+   supplying a ``default-time``, ``maximum-time`` and ``minimum-time``. All
+   values need to be supplied in seconds.
+
+.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
+   <prefix> nis-domain <domain-name>
+
+   A :abbr:`NIS (Network Information Service)` domain can be set to be used for
+   DHCPv6 clients.
+
+.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
+   <prefix> nisplus-domain <domain-name>
+
+   The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)`
+   domain is similar to the NIS domain one:
+
+.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
+   <prefix> nis-server <address>
+
+   Specify a NIS server address for DHCPv6 clients.
+
+.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
+   <prefix> nisplus-server <address>
+
+   Specify a NIS+ server address for DHCPv6 clients.
+
+.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
+   <prefix> sip-server <address | fqdn>
+
+   Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6
+   address of Fully Qualified Domain Name for all DHCPv6 clients.
+
+.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
+   <prefix> sntp-server-address <address>
+
+   A SNTP server address can be specified for DHCPv6 clients.
+
+Prefix Delegation
+-----------------
+
+To hand out individual prefixes to your clients the following configuration is
+used:
+
+
+.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
+   <prefix> prefix-delegation start <address> prefix-length <length>
+
+   Hand out prefixes of size `<length>` to clients in subnet `<prefix>` when
+   they request for prefix delegation.
+
+.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet
+   <prefix> prefix-delegation start <address> stop <address>
+
+   Delegate prefixes from the range indicated by the start and stop qualifier.
+
+Address pools
+-------------
+
+DHCPv6 address pools must be configured for the system to act as a DHCPv6
+server. The following example describes a common scenario.
+
+**Example:**
+
+* A shared network named ``NET1`` serves subnet ``2001:db8::/64``
+* It is connected to ``eth1``
+* DNS server is located at ``2001:db8::ffff``
+* Address pool shall be ``2001:db8::100`` through ``2001:db8::199``.
+* Lease time will be left at the default value which is 24 hours
+
+.. code-block:: none
+
+  set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199
+  set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff
+
+The configuration will look as follows:
+
+.. code-block:: none
+
+  show service dhcpv6-server
+      shared-network-name NET1 {
+          subnet 2001:db8::/64 {
+             address-range {
+                start 2001:db8::100 {
+                   stop 2001:db8::199
+                }
+             }
+             name-server 2001:db8::ffff
+          }
+      }
+
+Static mappings
+---------------
+
+In order to map specific IPv6 addresses to specific hosts static mappings can
+be created. The following example explains the process.
+
+**Example:**
+
+* IPv6 address ``2001:db8::101`` shall be statically mapped
+* Host specific mapping shall be named ``client1``
+
+.. hint:: The identifier is the device's DUID: colon-separated hex list (as
+   used by isc-dhcp option dhcpv6.client-id). If the device already has a
+   dynamic lease from the DHCPv6 server, its DUID can be found with ``show
+   service dhcpv6 server leases``. The DUID begins at the 5th octet (after the
+   4th colon) of IAID_DUID.
+
+.. code-block:: none
+
+  set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-address 2001:db8::101
+  set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff
+
+The configuration will look as follows:
+
+.. stop_vyoslinter (00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff false positive)
+
+.. code-block:: none
+
+  show service dhcp-server shared-network-name NET1
+     shared-network-name NET1 {
+         subnet 2001:db8::/64 {
+            name-server 2001:db8:111::111
+            address-range {
+                start 2001:db8::100 {
+                   stop 2001:db8::199 {
+                }
+            }
+            static-mapping client1 {
+               ipv6-address 2001:db8::101
+               identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff
+            }
+         }
+      }
+
+.. start_vyoslinter
+
+Operation Mode
+==============
+
+.. opcmd:: restart dhcpv6 server
+
+   To restart the DHCPv6 server
+
+.. opcmd:: show dhcpv6 server status
+
+   To show the current status of the DHCPv6 server.
+
+.. opcmd:: show dhcpv6 server leases
+
+   Show statuses of all assigned leases:
+
+.. code-block:: none
+
+  vyos@vyos:~$ show dhcpv6 server leases
+  IPv6 address   State    Last communication    Lease expiration     Remaining    Type           Pool   IAID_DUID
+  -------------  -------  --------------------  -------------------  -----------  -------------  -----  --------------------------------------------
+  2001:db8::101  active   2019/12/05 19:40:10   2019/12/06 07:40:10  11:45:21     non-temporary  NET1   98:76:54:32:00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff
+  2001:db8::102  active   2019/12/05 14:01:23   2019/12/06 02:01:23  6:06:34      non-temporary  NET1   87:65:43:21:00:01:00:01:11:22:33:44:fa:fb:fc:fd:fe:ff
+
+.. hint:: Static mappings aren't shown. To show all states, use ``show dhcp
+   server leases state all``.
+
+.. opcmd:: show dhcpv6 server leases pool <pool>
+
+   Show only leases in the specified pool.
+
+.. opcmd:: show dhcpv6 server leases sort <key>
+
+   Sort the output by the specified key. Possible keys: expires, iaid_duid, ip,
+   last_comm, pool, remaining, state, type (default = ip)
+
+.. opcmd:: show dhcpv6 server leases state <state>
+
+   Show only leases with the specified state. Possible states: abandoned,
+   active, all, backup, expired, free, released, reset (default = active)
diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst
new file mode 100644
index 00000000..0a65161b
--- /dev/null
+++ b/docs/configuration/service/dns.rst
@@ -0,0 +1,328 @@
+.. _dns-forwarding:
+
+##############
+DNS Forwarding
+##############
+
+Configuration
+=============
+
+VyOS provides DNS infrastructure for small networks. It is designed to be
+lightweight and have a small footprint, suitable for resource constrained
+routers and firewalls. For this we utilize PowerDNS recursor.
+
+The VyOS DNS forwarder does not require an upstream DNS server. It can serve as
+a full recursive DNS server - but it can also forward queries to configurable
+upstream DNS servers. By not configuring any upstream DNS servers you also
+avoid being tracked by the provider of your upstream DNS server.
+
+.. cfgcmd:: set service dns forwarding system
+
+   Forward incoming DNS queries to the DNS servers configured under the ``system
+   name-server`` nodes.
+
+.. cfgcmd:: set service dns forwarding name-server <address>
+
+   Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>`.
+   You can configure multiple nameservers here.
+
+.. cfgcmd:: set service dns forwarding domain <domain-name> server <address>
+
+   Forward received queries for a particular domain
+   (specified via `domain-name`) to a given nameserver. Multiple nameservers
+   can be specified. You can use this feature for a DNS split-horizon
+   configuration.
+
+   .. note:: This also works for reverse-lookup zones (``18.172.in-addr.arpa``).
+
+.. cfgcmd:: set service dns forwarding allow-from <network>
+
+   Given the fact that open DNS recursors could be used on DDoS amplification
+   attacks, you must configure the networks which are allowed to use this
+   recursor. A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and
+   IPv6 networks to query this server. This is generally a bad idea.
+
+.. cfgcmd:: set service dns forwarding dnssec
+   <off | process-no-validate | process | log-fail | validate>
+
+   The PowerDNS recursor has 5 different levels of DNSSEC processing, which can
+   be set with the dnssec setting. In order from least to most processing, these
+   are:
+
+   * **off** In this mode, no DNSSEC processing takes place. The recursor will
+     not set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the
+     DO and AD bits in queries.
+
+   * **process-no-validate** In this mode the recursor acts as a "security
+     aware, non-validating" nameserver, meaning it will set the DO-bit on
+     outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to
+     clients that ask for them (by means of a DO-bit in the query), except for
+     zones provided through the auth-zones setting. It will not do any
+     validation in this mode, not even when requested by the client.
+
+   * **process** When dnssec is set to process the behavior is similar to
+     process-no-validate. However, the recursor will try to validate the data
+     if at least one of the DO or AD bits is set in the query; in that case,
+     it will set the AD-bit in the response when the data is validated
+     successfully, or send SERVFAIL when the validation comes up bogus.
+
+   * **log-fail** In this mode, the recursor will attempt to validate all data
+     it retrieves from authoritative servers, regardless of the client's DNSSEC
+     desires, and will log the validation result. This mode can be used to
+     determine the extra load and amount of possibly bogus answers before
+     turning on full-blown validation. Responses to client queries are the same
+     as with process.
+
+   * **validate** The highest mode of DNSSEC processing. In this mode, all
+     queries will be validated and will be answered with a SERVFAIL in case of
+     bogus data, regardless of the client's request.
+
+   .. note:: The popular Unix/Linux ``dig`` tool sets the AD-bit in the query.
+      This might lead to unexpected query results when testing. Set ``+noad``
+      on the ``dig`` command line when this is the case.
+
+   .. note:: The ``CD``-bit is honored correctly for process and validate. For
+      log-fail, failures will be logged too.
+
+.. cfgcmd:: set service dns forwarding ignore-hosts-file
+
+   Do not use the local ``/etc/hosts`` file in name resolution. VyOS DHCP
+   server will use this file to add resolvers to assigned addresses.
+
+.. cfgcmd:: set service dns forwarding max-cache-entries
+
+   Maximum number of DNS cache entries. 1 million per CPU core will generally
+   suffice for most installations.
+
+.. cfgcmd:: set service dns forwarding negative-ttl
+
+   A query for which there is authoritatively no answer is cached to quickly
+   deny a record's existence later on, without putting a heavy load on the
+   remote server. In practice, caches can become saturated with hundreds of
+   thousands of hosts which are tried only once. This setting, which defaults
+   to 3600 seconds, puts a maximum on the amount of time negative entries are
+   cached.
+
+.. cfgcmd:: set service dns forwarding listen-address
+
+   The local IPv4 or IPv6 addresses to bind the DNS forwarder to. The forwarder
+   will listen on this address for incoming connections.
+
+Example
+=======
+
+A VyOS router with two interfaces - eth0 (WAN) and eth1 (LAN) - is required to
+implement a split-horizon DNS configuration for example.com.
+
+In this scenario:
+
+* All DNS requests for example.com must be forwarded to a DNS server
+  at 192.0.2.254 and 2001:db8:cafe::1
+* All other DNS requests will be forwarded to a different set of DNS servers at
+  192.0.2.1, 192.0.2.2, 2001:db8::1:ffff and 2001:db8::2:ffff
+* The VyOS DNS forwarder will only listen for requests on the eth1 (LAN)
+  interface addresses - 192.168.1.254 for IPv4 and 2001:db8::ffff for IPv6
+* The VyOS DNS forwarder will only accept lookup requests from the
+  LAN subnets - 192.168.1.0/24 and 2001:db8::/64
+
+.. code-block:: none
+
+  set service dns forwarding domain example.com server 192.0.2.254
+  set service dns forwarding domain example.com server 2001:db8:cafe::1
+  set service dns forwarding name-server 192.0.2.1
+  set service dns forwarding name-server 192.0.2.2
+  set service dns forwarding name-server 2001:db8::1:ffff
+  set service dns forwarding name-server 2001:db8::2:ffff
+  set service dns forwarding listen-address 192.168.1.254
+  set service dns forwarding listen-address 2001:db8::ffff
+  set service dns forwarding allow-from 192.168.1.0/24
+  set service dns forwarding allow-from 2001:db8::/64
+
+Operation
+=========
+
+.. opcmd:: reset dns forwarding <all | domain>
+
+   Resets the local DNS forwarding cache database. You can reset the cache
+   for all entries or only for entries to a specific domain.
+
+.. opcmd:: restart dns forwarding
+
+   Restarts the DNS recursor process. This also invalidates the local DNS
+   forwarding cache.
+
+
+.. _dynamic-dns:
+
+###########
+Dynamic DNS
+###########
+
+VyOS is able to update a remote DNS record when an interface gets a new IP
+address. In order to do so, VyOS includes ddclient_, a Perl script written for
+this only one purpose.
+
+ddclient_ uses two methods to update a DNS record. The first one will send
+updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second
+one involves a third party service, like DynDNS.com or any other similar
+website. This method uses HTTP requests to transmit the new IP address. You
+can configure both in VyOS.
+
+Configuration
+=============
+
+:rfc:`2136` Based
+-----------------
+
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+
+   Create new :rfc:`2136` DNS update configuration which will update the IP
+   address assigned to `<interface>` on the service you configured under
+   `<service-name>`.
+
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+   key <keyfile>
+
+   File identified by `<keyfile>` containing the secret RNDC key shared with
+   remote DNS server.
+
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+   server <server>
+
+   Configure the DNS `<server>` IP/FQDN used when updating this dynamic
+   assignment.
+
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+   zone <zone>
+
+   Configure DNS `<zone>` to be updated.
+
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+   record <record>
+
+   Configure DNS `<record>` which should be updated. This can be set multiple
+   times.
+
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+   ttl <ttl>
+
+   Configure optional TTL value on the given resource record. This defaults to
+   600 seconds.
+
+Example
+^^^^^^^
+
+* Register DNS record ``example.vyos.io`` on DNS server ``ns1.vyos.io``
+* Use auth key file at ``/config/auth/my.key``
+* Set TTL to 300 seconds
+
+.. code-block:: none
+
+  vyos@vyos# show service dns dynamic
+   interface eth0.7 {
+       rfc2136 VyOS-DNS {
+           key /config/auth/my.key
+           record example.vyos.io
+           server ns1.vyos.io
+           ttl 300
+           zone vyos.io
+       }
+   }
+
+This will render the following ddclient_ configuration entry:
+
+.. code-block:: none
+
+  #
+  # ddclient configuration for interface "eth0.7":
+  #
+  use=if, if=eth0.7
+
+  # RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io
+  server=ns1.vyos.io
+  protocol=nsupdate
+  password=/config/auth/my.key
+  ttl=300
+  zone=vyos.io
+  example.vyos.io
+
+.. note:: You can also keep different DNS zone updated. Just create a new
+   config node: ``set service dns dynamic interface <interface> rfc2136
+   <other-service-name>``
+
+HTTP based services
+-------------------
+
+VyOS is also able to use any service relying on protocols supported by ddclient.
+
+To use such a service, one must define a login, password, one or multiple
+hostnames, protocol and server.
+
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+   host-name <hostname>
+
+   Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS
+   provider identified by `<service>` when the IP address on interface
+   `<interface>` changes.
+
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+   login <username>
+
+   Configure `<username>` used when authenticating the update request for
+   DynDNS service identified by `<service>`.
+   For Namecheap, set the <domain> you wish to update.
+
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+   password <password>
+
+   Configure `<password>` used when authenticating the update request for
+   DynDNS service identified by `<service>`.
+
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+   protocol <protocol>
+
+   When a ``custom`` DynDNS provider is used the protocol used for communicating
+   to the provider must be specified under `<protocol>`. See the embedded
+   completion helper for available protocols.
+
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+   server <server>
+
+   When a ``custom`` DynDNS provider is used the `<server>` where update
+   requests are being sent to must be specified.
+
+Example:
+^^^^^^^^
+
+Use DynDNS as your preferred provider:
+
+.. code-block:: none
+
+  set service dns dynamic interface eth0 service dyndns
+  set service dns dynamic interface eth0 service dyndns login my-login
+  set service dns dynamic interface eth0 service dyndns password my-password
+  set service dns dynamic interface eth0 service dyndns host-name my-dyndns-hostname
+
+.. note:: Multiple services can be used per interface. Just specify as many
+   services per interface as you like!
+
+Running Behind NAT
+------------------
+
+By default, ddclient_ will update a dynamic dns record using the IP address
+directly attached to the interface. If your VyOS instance is behind NAT, your
+record will be updated to point to your internal IP.
+
+ddclient_ has another way to determine the WAN IP address. This is controlled
+by:
+
+.. cfgcmd:: set service dns dynamic interface <interface> use-web url <url>
+
+   Use configured `<url>` to determine your IP address. ddclient_ will load
+   `<url>` and tries to extract your IP address from the response.
+
+.. cfgcmd:: set service dns dynamic interface <interface> use-web skip <pattern>
+
+   ddclient_ will skip any address located before the string set in `<pattern>`.
+
+.. _ddclient: https://github.com/ddclient/ddclient
diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst
new file mode 100644
index 00000000..b9c691da
--- /dev/null
+++ b/docs/configuration/service/https.rst
@@ -0,0 +1,181 @@
+.. _http-api:
+
+########
+HTTP-API
+########
+
+Enabling HTTP-API
+-----------------
+
+VyOS HTTP API can be enabled through the ``set service https api`` command.
+
+.. code-block:: none
+
+  set service https api debug
+  set service https api keys id MY-HTTP-API-ID key MY-HTTP-API-PLAINTEXT-KEY
+
+The local API process listens on localhost:8080, and nginx exposes it on all
+virtual servers, by default. For the purpose of illustration below, we will
+assume nginx is running at https://192.168.122.127.
+
+One can limit proxying to specific listen addresses/ports/server-names by
+defining a ``service https virtual-host <id>``, and setting ``service https
+api-restrict virtual-host <id>``.
+
+.. code-block:: none
+
+  set service https virtual-host example listen-address 192.168.122.127
+  set service https virtual-host example listen-port 44302
+  set service https virtual-host example server-name example.net
+
+  set service https api-restrict virtual-host example
+
+In this example, nginx will proxy only those requests to
+192.168.122.127:44302 or example.net:44302 (assuming the DNS record is
+viable). Omitting any of listen-address, listen-port, or server-name, will
+leave appropriate defaults in the nginx directive. Multiple instances of
+``service https api-restrict virtual-host`` may be set.
+
+Configuration mode requests
+---------------------------
+
+In our example, we are creating a dummy interface and assigning an address to
+it:
+
+.. code-block:: none
+
+  curl -k -X POST -F data='{"op": "set", "path": ["interfaces", "dummy", "dum1", "address"], "value": "203.0.113.76/32"}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/configure
+
+The ``/configure`` endpoint takes a request serialized in JSON. The only HTTP
+method it uses is POST. Request data is passed in the ``data=`` field and the
+API key is passed in the ``key=`` field. Key identifiers from the config are
+purely informational and the application doesn't need to know them, they only
+appear in the server logs to avoid exposing keys in log files, you only need
+the key itself.
+
+Since internally there is no distinction between a path and a value, you can
+omit the value field and include the value in the path like it's done in the
+shell commands:
+
+.. code-block:: none
+
+  curl -k -X POST -F data='{"op": "set", "path": ["interfaces", "dummy", "dum10", "address", "203.0.113.99/32"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/configure
+
+Separate value field make the semantics more clear though, and also makes it
+easier to create a command template once and update it with different values
+as needed.
+
+You can pass the ``set``, ``delete`` or ``comment`` command to it.
+The API will push the command to the session and commit.
+
+To retrieve a value:
+
+.. code-block:: none
+
+  curl -k -X POST -F data='{"op": "returnValue", "path": ["interfaces", "dummy", "dum1", "address"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/retrieve
+
+Use ``returnValues`` for multi-valued nodes.
+
+
+Show config
+"""""""""""
+
+To retrieve the full config under a path:
+
+.. code-block:: none
+
+  # curl -k -X POST -F data='{"op": "showConfig", "path": ["interfaces", "dummy"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/retrieve
+
+It will return:
+
+.. code-block:: none
+
+  {"success": true, "data": {"dummy": {"dum1": {"address": "203.0.113.76/32"}}}, "error": null}
+
+Passing an empty path will return the full config:
+
+.. code-block:: none
+
+  # curl -k -X POST -F data='{"op": "showConfig", "path": []}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/retrieve
+
+
+Configuration management requests
+---------------------------------
+
+When saving or loading a configuration, the endpoint is ``/config-file`` and
+you can pass the ``save`` or ``load`` command.
+
+If you don't specify the file when saving, it saves to ``/config/config.boot``.
+Here's an example:
+
+.. code-block:: none
+
+  # curl -k -X POST -F key=MY-HTTP-API-PLAINTEXT-KEY -Fdata='{"op": "save", "file": "/config/config.boot"}' https://192.168.122.127/config-file
+
+Image management requests
+-------------------------
+
+One may ``add`` or ``delete`` a system image using the endpoint ``/image``.
+Here are the respective examples:
+
+``add`` from ``url``. Here we use the URL of the latest rolling release:
+
+.. code-block:: none
+
+  # curl -k -X POST -F data='{"op": "add", "url": "https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso"}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/image
+
+``delete`` by image ``name``. For example:
+
+.. code-block:: none
+
+  # curl -k -X POST -F data='{"op": "delete", "name": "1.3-rolling-202006070117"}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/image
+
+To list the available system images by name, one may use the operational mode
+request ``show`` discussed in the next section; in this setting it would be:
+
+.. code-block:: none
+
+  # curl -k -X POST -F data='{"op": "show", "path": ["system", "image"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/show
+
+Operational mode requests
+-------------------------
+
+It is possible to run ``show`` and ``generate`` commands:
+
+
+Request:
+
+.. code-block:: none
+
+  curl -k -X POST -F data='{"op": "generate", "path": ["wireguard", "default-keypair"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/generate
+
+Response:
+
+.. code-block:: none
+
+  {"success": true, "data": "", "error": null}
+
+Request:
+
+.. code-block:: none
+
+  curl -k -X POST -F data='{"op": "show", "path": ["wireguard", "keypairs", "pubkey", "default"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/show
+
+Response:
+
+.. code-block:: none
+
+  {"success": true, "data": "<some pubkey>=\n", "error": null}
+
+Request:
+
+.. code-block:: none
+
+  curl -k -X POST -F data='{"op": "show", "path": ["ip", "route"]}' -F key=MY-HTTP-API-PLAINTEXT-KEY https://192.168.122.127/show
+
+Response:
+
+.. code-block:: none
+
+  {"success": true, "data": "Codes: K - kernel route, C - connected, S - static, R - RIP,\n       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,\n       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,\n       F - PBR, f - OpenFabric,\n       > - selected route, * - FIB route, q - queued route, r - rejected route\n\nS>* 0.0.0.0/0 [210/0] via 192.168.100.1, eth0, 01:41:05\nC>* 192.168.0.0/24 is directly connected, eth1, 01:41:09\nC>* 192.168.100.0/24 is directly connected, eth0, 01:41:05\nC>* 203.0.113.76/32 is directly connected, dum1, 01:38:40\n", "error": null}
+
diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst
new file mode 100644
index 00000000..fb194239
--- /dev/null
+++ b/docs/configuration/service/index.rst
@@ -0,0 +1,25 @@
+#######
+Service
+#######
+
+
+.. toctree::
+   :maxdepth: 1
+   :includehidden:
+
+   broadcast-relay
+   conntrack-sync
+   console-server
+   dhcp-relay
+   dhcp-server
+   dns
+   https
+   ipoe-server
+   lldp
+   mdns
+   pppoe-server
+   router-advert
+   snmp
+   ssh
+   tftp-server
+   webproxy
diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst
new file mode 100644
index 00000000..7858ff19
--- /dev/null
+++ b/docs/configuration/service/ipoe-server.rst
@@ -0,0 +1,149 @@
+.. include:: /_include/need_improvement.txt
+
+.. _ipoe_server:
+
+###########
+IPoE Server
+###########
+
+VyOS utilizes `accel-ppp`_ to provide :abbr:`IPoE (Internet Protocol over
+Ethernet)` server functionality. It can be used with local authentication
+(mac-address) or a connected RADIUS server.
+
+IPoE is a method of delivering an IP payload over an Ethernet-based access
+network or an access network using bridged Ethernet over Asynchronous Transfer
+Mode (ATM) without using PPPoE. It directly encapsulates the IP datagrams in
+Ethernet frames, using the standard :rfc:`894` encapsulation.
+
+The use of IPoE addresses the disadvantage that PPP is unsuited for multicast
+delivery to multiple users. Typically, IPoE uses Dynamic Host Configuration
+Protocol and Extensible Authentication Protocol to provide the same
+functionality as PPPoE, but in a less robust manner.
+
+.. note:: Please be aware, due to an upstream bug, config changes/commits
+   will restart the ppp daemon and will reset existing IPoE sessions,
+   in order to become effective.
+
+Configuration
+=============
+
+IPoE can be configure on different interfaces, it will depend on each specific
+situation which interface will provide IPoE to clients. The clients mac address
+and the incoming interface is being used as control parameter, to authenticate
+a client.
+
+The example configuration below will assign an IP to the client on the incoming
+interface eth2 with the client mac address 08:00:27:2f:d8:06. Other DHCP
+discovery requests will be ignored, unless the client mac has been enabled in
+the configuration.
+
+.. code-block:: none
+
+  set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06
+  set service ipoe-server authentication mode 'local'
+  set service ipoe-server dns-server server-1 '10.10.1.1'
+  set service ipoe-server dns-server server-2 '10.10.1.2'
+  set service ipoe-server interface eth2 client-subnet '192.168.0.0/24'
+
+
+The first address of the parameter ``client-subnet``, will be used as the
+default gateway. Connected sessions can be checked via the ``show ipoe-server
+sessions`` command.
+
+.. code-block:: none
+
+  vyos@vyos:~$ show ipoe-server sessions
+
+  ifname | called-sid |    calling-sid    |     ip      | ip6 | ip6-dp | rate-limit | state  |  uptime  |        sid
+  -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------
+  ipoe0  | eth2       | 08:00:27:2f:d8:06 | 192.168.0.2 |     |        |            | active | 00:45:05 | dccc870fd3134612
+
+
+IPv6 SLAAC and IA-PD
+--------------------
+
+To configure IPv6 assignments for clients, two options need to be configured.
+A global prefix which is terminated on the clients cpe and a delegated prefix,
+the client can use for devices routed via the clients cpe.
+
+IPv6 DNS addresses are optional.
+
+.. code-block:: none
+
+  set service ipoe-server authentication interface eth3 mac-address 08:00:27:2F:D8:06
+  set service ipoe-server authentication mode 'local'
+  set service ipoe-server client-ipv6-pool delegate-prefix '2001:db8:1::/48,56'
+  set service ipoe-server client-ipv6-pool prefix '2001:db8::/48,64'
+  set service ipoe-server dnsv6-server server-1 '2001:db8::'
+  set service ipoe-server dnsv6-server server-2 '2001:db8:aaa::'
+  set service ipoe-server dnsv6-server server-3 '2001:db8:bbb::'
+  set service ipoe-server interface eth3 client-subnet '192.168.1.0/24'
+
+.. code-block:: none
+
+  vyos@ipoe-server# run sh ipoe-server sessions
+  ifname | called-sid |    calling-sid    |     ip      |               ip6               | ip6-dp          | rate-limit | state  |  uptime  |        sid
+  -------+------------+-------------------+-------------+---------------------------------+-----------------+------------+--------+----------+------------------
+  ipoe0  | eth3       | 08:00:27:2f:d8:06 | 192.168.1.2 | 2001:db8::a00:27ff:fe2f:d806/64 | 2001:db8:1::/56 |            | active | 01:02:59 | 4626faf71b12cc25
+
+
+The clients :abbr:`CPE (Customer Premises Equipment)` can now communicate via
+IPv4 or IPv6. All devices behind ``2001:db8::a00:27ff:fe2f:d806/64`` can use
+addresses from ``2001:db8:1::/56`` and can globally communicate without the
+need of any NAT rules.
+
+Automatic VLAN creation
+-----------------------
+
+To create VLANs per user during runtime, the following settings are required on
+a per interface basis. VLAN ID and VLAN range can be present in the
+configuration at the same time.
+
+.. code-block:: none
+
+  set service ipoe-server interface eth2 network vlan
+  set service ipoe-server interface eth2 vlan-id 100
+  set service ipoe-server interface eth2 vlan-id 200
+  set service ipoe-server interface eth2 vlan-range 1000-2000
+  set service ipoe-server interface eth2 vlan-range 2500-2700
+
+RADIUS Setup
+------------
+
+To use a RADIUS server for authentication and bandwidth-shaping, the following
+example configuration can be used.
+
+.. code-block:: none
+
+  set service ipoe-server authentication mode 'radius'
+  set service ipoe-server authentication radius-server 10.100.100.1 secret 'password'
+
+Bandwidth Shaping
+=================
+
+Bandwidth rate limits can be set for local users within the configuration or
+via RADIUS based attributes.
+
+Bandwidth Shaping for local users
+---------------------------------
+
+The rate-limit is set in kbit/sec.
+
+.. code-block:: none
+
+  set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit download '500'
+  set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit upload '500'
+  set service ipoe-server authentication mode 'local'
+  set service ipoe-server dns-server server-1 '10.10.1.1'
+  set service ipoe-server dns-server server-2 '10.10.1.2'
+  set service ipoe-server interface eth2 client-subnet '192.168.0.0/24'
+
+.. code-block:: none
+
+  vyos@vyos# run show ipoe-server sessions
+
+  ifname | called-sid |    calling-sid    |     ip      | ip6 | ip6-dp | rate-limit | state  |  uptime  |        sid
+  -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------
+  ipoe0  | eth2       | 08:00:27:2f:d8:06 | 192.168.0.2 |     |        | 500/500    | active | 00:00:05 | dccc870fd31349fb
+
+.. include:: /_include/common-references.txt
diff --git a/docs/configuration/service/lldp.rst b/docs/configuration/service/lldp.rst
new file mode 100644
index 00000000..aa357211
--- /dev/null
+++ b/docs/configuration/service/lldp.rst
@@ -0,0 +1,142 @@
+.. _lldp:
+
+####
+LLDP
+####
+
+:abbr:`LLDP (Link Layer Discovery Protocol)` is a vendor-neutral link layer
+protocol in the Internet Protocol Suite used by network devices for advertising
+their identity, capabilities, and neighbors on an IEEE 802 local area network,
+principally wired Ethernet. The protocol is formally referred to by the IEEE
+as Station and Media Access Control Connectivity Discovery specified in IEEE
+802.1AB and IEEE 802.3-2012 section 6 clause 79.
+
+LLDP performs functions similar to several proprietary protocols, such as
+:abbr:`CDP (Cisco Discovery Protocol)`,
+:abbr:`FDP (Foundry Discovery Protocol)`,
+:abbr:`NDP (Nortel Discovery Protocol)` and :abbr:`LLTD (Link Layer Topology
+Discovery)`.
+
+Information gathered with LLDP is stored in the device as a :abbr:`MIB
+(Management Information Database)` and can be queried with :abbr:`SNMP (Simple
+Network Management Protocol)` as specified in :rfc:`2922`. The topology of an
+LLDP-enabled network can be discovered by crawling the hosts and querying this
+database. Information that may be retrieved include:
+
+* System Name and Description
+* Port name and description
+* VLAN name
+* IP management address
+* System capabilities (switching, routing, etc.)
+* MAC/PHY information
+* MDI power
+* Link aggregation
+
+Configuration
+=============
+
+.. cfgcmd:: set service lldp
+
+   Enable LLDP service
+
+.. cfgcmd:: set service lldp management-address <address>
+
+   Define IPv4/IPv6 management address transmitted via LLDP. Multiple addresses
+   can be defined. Only addresses connected to the system will be transmitted.
+
+.. cfgcmd:: set service lldp interface <interface>
+
+   Enable transmission of LLDP information on given `<interface>`. You can also
+   say ``all`` here so LLDP is turned on on every interface.
+
+.. cfgcmd:: set service lldp interface <interface> disable
+
+   Disable transmit of LLDP frames on given `<interface>`. Useful to exclude
+   certain interfaces from LLDP when ``all`` have been enabled.
+
+.. cfgcmd:: set service lldp snmp enable
+
+   Enable SNMP queries of the LLDP database
+
+.. cfgcmd:: set service lldp legacy-protocols <cdp|edp|fdp|sonmp>
+
+   Enable given legacy protocol on this LLDP instance. Legacy protocols include:
+
+   * ``cdp`` - Listen for CDP for Cisco routers/switches
+   * ``edp`` - Listen for EDP for Extreme routers/switches
+   * ``fdp`` - Listen for FDP for Foundry routers/switches
+   * ``sonmp`` - Listen for SONMP for Nortel routers/switches
+
+Operation
+=========
+
+.. opcmd:: show lldp neighbors
+
+   Displays information about all neighbors discovered via LLDP.
+
+   .. code-block:: none
+
+     vyos@vyos:~$ show lldp neighbors
+     Capability Codes: R - Router, B - Bridge, W - Wlan r - Repeater, S - Station
+                       D - Docsis, T - Telephone, O - Other
+
+     Device ID                 Local     Proto  Cap   Platform             Port ID
+     ---------                 -----     -----  ---   --------             -------
+     BR2.vyos.net              eth0      LLDP   R     VyOS 1.2.4           eth1
+     BR3.vyos.net              eth0      LLDP   RB    VyOS 1.2.4           eth2
+     SW1.vyos.net              eth0      LLDP   B     Cisco IOS Software   GigabitEthernet0/6
+
+.. opcmd:: show lldp neighbors detail
+
+   Get detailed information about LLDP neighbors.
+
+   .. code-block:: none
+
+     vyos@vyos:~$ show lldp neighbors detail
+     -------------------------------------------------------------------------------
+     LLDP neighbors:
+     -------------------------------------------------------------------------------
+     Interface:    eth0, via: LLDP, RID: 28, Time: 0 day, 00:24:33
+       Chassis:
+         ChassisID:    mac 00:53:00:01:02:c9
+         SysName:      BR2.vyos.net
+         SysDescr:     VyOS 1.3-rolling-201912230217
+         MgmtIP:       192.0.2.1
+         MgmtIP:       2001:db8::ffff
+         Capability:   Bridge, on
+         Capability:   Router, on
+         Capability:   Wlan, off
+         Capability:   Station, off
+       Port:
+         PortID:       mac 00:53:00:01:02:c9
+         PortDescr:    eth0
+         TTL:          120
+         PMD autoneg:  supported: no, enabled: no
+           MAU oper type: 10GigBaseCX4 - X copper over 8 pair 100-Ohm balanced cable
+       VLAN:         201 eth0.201
+       VLAN:         205 eth0.205
+       LLDP-MED:
+         Device Type:  Network Connectivity Device
+         Capability:   Capabilities, yes
+         Capability:   Policy, yes
+         Capability:   Location, yes
+         Capability:   MDI/PSE, yes
+         Capability:   MDI/PD, yes
+         Capability:   Inventory, yes
+         Inventory:
+           Hardware Revision: None
+           Software Revision: 4.19.89-amd64-vyos
+           Firmware Revision: 6.00
+           Serial Number: VMware-42 1d 83 b9 fe c1 bd b2-7
+           Manufacturer: VMware, Inc.
+           Model:        VMware Virtual Platform
+           Asset ID:     No Asset Tag
+     -------------------------------------------------------------------------------
+
+.. opcmd:: show lldp neighbors interface <interface>
+
+   Show LLDP neighbors connected via interface `<interface>`.
+
+.. opcmd:: show log lldp
+
+   Used for troubleshooting.
diff --git a/docs/configuration/service/mdns.rst b/docs/configuration/service/mdns.rst
new file mode 100644
index 00000000..9d6a292a
--- /dev/null
+++ b/docs/configuration/service/mdns.rst
@@ -0,0 +1,44 @@
+mDNS Repeater
+-------------
+
+Starting with VyOS 1.2 a :abbr:`mDNS (Multicast DNS)` repeater functionality is
+provided. Additional information can be obtained from
+https://en.wikipedia.org/wiki/Multicast_DNS.
+
+Multicast DNS uses the 224.0.0.251 address, which is "administratively scoped"
+and does not leave the subnet. It retransmits mDNS packets from one interface
+to other interfaces. This enables support for e.g. Apple Airplay devices across
+multiple VLANs.
+
+Since the mDNS protocol sends the AA records in the packet itself, the repeater
+does not need to forge the source address. Instead, the source address is of
+the interface that repeats the packet.
+
+Configuration
+=============
+
+.. cfgcmd:: set service mdns repeater interface <interface>
+
+   To enable mDNS repeater you need to configure at least two interfaces. To
+   re-broadcast all incoming mDNS packets from any interface configured here to
+   any other interface configured under this section.
+
+.. cfgcmd:: set service mdns repeater disable
+
+   mDNS repeater can be temporarily disabled without deleting the service using
+
+.. note:: You can not run this in a VRRP setup, if multiple mDNS repeaters
+   are launched in a subnet you will experience the mDNS packet storm death!
+
+Example
+=======
+
+To listen on both `eth0` and `eth1` mDNS packets and also repeat packets
+received on `eth0` to `eth1` (and vice-versa) use the following commands:
+
+.. code-block:: none
+
+  set service mdns repeater interface 'eth0'
+  set service mdns repeater interface 'eth1'
+
+.. _`Multicast DNS`: https://en.wikipedia.org/wiki/Multicast_DNS
diff --git a/docs/configuration/service/pppoe-advert.disable b/docs/configuration/service/pppoe-advert.disable
new file mode 100644
index 00000000..bbb82202
--- /dev/null
+++ b/docs/configuration/service/pppoe-advert.disable
@@ -0,0 +1,2 @@
+pppoe-advert
+############
\ No newline at end of file
diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst
new file mode 100644
index 00000000..8d895f9d
--- /dev/null
+++ b/docs/configuration/service/pppoe-server.rst
@@ -0,0 +1,407 @@
+.. _pppoe-server:
+
+############
+PPPoE Server
+############
+
+VyOS utilizes `accel-ppp`_ to provide PPPoE server functionality. It can
+be used with local authentication or a connected RADIUS server.
+
+.. note:: Please be aware, due to an upstream bug, config
+   changes/commits will restart the ppp daemon and will reset existing
+   PPPoE connections from connected users, in order to become effective.
+
+Configuration
+=============
+
+
+First steps
+-----------
+
+
+.. cfgcmd:: set service pppoe-server access-concentrator <name>
+
+   Use this command to set a name for this PPPoE-server access
+   concentrator.
+
+.. cfgcmd:: set service pppoe-server authentication mode <local | radius>
+
+   Use this command to define whether your PPPoE clients will locally
+   authenticate in your VyOS system or in RADIUS server.
+
+.. cfgcmd:: set service pppoe-server authentication local-users username
+   <name> password <password>
+
+   Use this command to configure the username and the password of a
+   locally configured user.
+
+.. cfgcmd:: set service pppoe-server interface <interface>
+
+   Use this command to define the interface the PPPoE server will use to
+   listen for PPPoE clients.
+
+.. cfgcmd:: set service pppoe-server gateway-address <address>
+
+   Use this command to configure the local gateway IP address.
+
+.. cfgcmd:: set service pppoe-server name-server <address>
+
+   Use this command to set the IPv4 or IPv6 address of every Doman Name
+   Server you want to configure. They will be propagated to PPPoE
+   clients.
+
+
+Client Address Pools
+--------------------
+
+To automatically assign the client an IP address as tunnel endpoint, a
+client IP pool is needed. The source can be either RADIUS or a local
+subnet or IP range definition.
+
+Once the local tunnel endpoint ``set service pppoe-server gateway-address
+'10.1.1.2'`` has been defined, the client IP pool can be either defined
+as a range or as subnet using CIDR notation. If the CIDR notation is
+used, multiple subnets can be setup which are used sequentially.
+
+
+**Client IP address via IP range definition**
+
+.. cfgcmd:: set service pppoe-server client-ip-pool start <address>
+
+   Use this command to define the first IP address of a pool of
+   addresses to be given to PPPoE clients. It must be within a /24
+   subnet.
+
+.. cfgcmd:: set service pppoe-server client-ip-pool stop <address>
+
+   Use this command to define the last IP address of a pool of
+   addresses to be given to PPPoE clients. It must be within a /24
+   subnet.
+
+.. code-block:: none
+
+  set service pppoe-server client-ip-pool start '10.1.1.100'
+  set service pppoe-server client-ip-pool stop '10.1.1.111'
+
+
+**Client IP subnets via CIDR notation**
+
+.. cfgcmd:: set service pppoe-server client-ip-pool subnet <address>
+
+   Use this command for every pool of client IP addresses you want to
+   define. The addresses of this pool will be given to PPPoE clients.
+   You must use CIDR notation and it must be within a /24 subnet.
+
+.. code-block:: none
+
+  set service pppoe-server client-ip-pool subnet '10.1.1.0/24'
+  set service pppoe-server client-ip-pool subnet '10.1.2.0/24'
+  set service pppoe-server client-ip-pool subnet '10.1.3.0/24'
+
+
+**RADIUS based IP pools (Framed-IP-Address)**
+
+To use a radius server, you need to switch to authentication mode RADIUS
+and then configure it.
+
+.. cfgcmd:: set service pppoe-server authentication radius server <address>
+   key <secret>
+  
+   Use this command to configure the IP address and the shared secret
+   key of your RADIUS server.  You can have multiple RADIUS servers
+   configured if you wish to achieve redundancy. 
+
+
+.. code-block:: none
+
+  set service pppoe-server access-concentrator 'ACN'
+  set service pppoe-server authentication mode 'radius'
+  set service pppoe-server authentication radius server 10.1.100.1 key 'secret'
+  set service pppoe-server interface 'eth1'
+  set service pppoe-server gateway-address '10.1.1.2'
+
+RADIUS provides the IP addresses in the example above via
+Framed-IP-Address.
+
+**RADIUS sessions management DM/CoA**
+
+.. cfgcmd:: set service pppoe-server authentication radius dynamic-author
+   <key | port | server>
+
+   Use this command to configure Dynamic Authorization Extensions to
+   RADIUS so that you can remotely disconnect sessions and change some
+   authentication parameters.
+
+.. code-block:: none
+
+  set service pppoe-server authentication radius dynamic-author key 'secret123'
+  set service pppoe-server authentication radius dynamic-author port '3799'
+  set service pppoe-server authentication radius dynamic-author server '10.1.1.2'
+
+
+Example, from radius-server send command for disconnect client with
+username test
+
+.. code-block:: none
+
+  root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799
+  disconnect secret123
+
+You can also use another attributes for identify client for disconnect,
+like Framed-IP-Address, Acct-Session-Id, etc. Result commands appears in
+log.
+
+.. code-block:: none
+
+  show log | match Disconnect*
+
+Example for changing rate-limit via RADIUS CoA.
+
+.. code-block:: none
+
+  echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa
+  secret123
+
+Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit
+up-stream rate) If attribute Filter-Id redefined, replace it in RADIUS
+CoA request.
+
+Automatic VLAN Creation
+-----------------------
+
+.. cfgcmd:: set service pppoe-server interface <interface>
+   <vlan-id | vlan range> <text>
+
+   VLAN's can be created by accel-ppp on the fly via the use of a Kernel
+   module named `vlan_mon`, which is monitoring incoming vlans and
+   creates the necessary VLAN if required and allowed. VyOS supports the
+   use of either VLAN ID's or entire ranges, both values can be defined
+   at the same time for an interface. When configured, the PPPoE will
+   create the necessary VLANs when required. Once the user session has
+   been cancelled and the VLAN is not needed anymore, VyOS will remove
+   it again.
+
+.. code-block:: none
+
+  set service pppoe-server interface eth3 vlan-id 100
+  set service pppoe-server interface eth3 vlan-id 200
+  set service pppoe-server interface eth3 vlan-range 500-1000
+  set service pppoe-server interface eth3 vlan-range 2000-3000
+
+
+
+Bandwidth Shaping
+-----------------
+
+Bandwidth rate limits can be set for local users or RADIUS based
+attributes.
+
+For Local Users
+^^^^^^^^^^^^^^^
+
+.. cfgcmd:: set service pppoe-server authentication local-users username <name>
+   rate-limit <download | upload>
+  
+   Use this command to configure a data-rate limit to PPPOoE clients for
+   traffic download or upload. The rate-limit is set in kbit/sec.
+
+.. code-block:: none
+
+  set service pppoe-server access-concentrator 'ACN'
+  set service pppoe-server authentication local-users username foo password 'bar'
+  set service pppoe-server authentication local-users username foo rate-limit download '20480'
+  set service pppoe-server authentication local-users username foo rate-limit upload '10240'
+  set service pppoe-server authentication mode 'local'
+  set service pppoe-server client-ip-pool start '10.1.1.100'
+  set service pppoe-server client-ip-pool stop '10.1.1.111'
+  set service pppoe-server name-server '10.100.100.1'
+  set service pppoe-server name-server '10.100.200.1'
+  set service pppoe-server interface 'eth1'
+  set service pppoe-server gateway-address '10.1.1.2'
+
+
+Once the user is connected, the user session is using the set limits and
+can be displayed via 'show pppoe-server sessions'.
+
+.. code-block:: none
+
+  show pppoe-server sessions
+  ifname | username |     ip     |    calling-sid    | rate-limit  | state  |  uptime  | rx-bytes | tx-bytes
+  -------+----------+------------+-------------------+-------------+--------+----------+----------+----------
+  ppp0   | foo      | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B    | 76 B
+
+
+For RADIUS users
+^^^^^^^^^^^^^^^^
+
+The current attribute 'Filter-Id' is being used as default and can be
+setup within RADIUS:
+
+Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit
+up-stream rate)
+
+The command below enables it, assuming the RADIUS connection has been
+setup and is working.
+
+.. cfgcmd:: set service pppoe-server authentication radius rate-limit enable
+
+   Use this command to enable bandwidth shaping via RADIUS.
+
+Other attributes can be used, but they have to be in one of the
+dictionaries in */usr/share/accel-ppp/radius*.
+
+
+Load Balancing
+--------------
+
+
+.. cfgcmd:: set service pppoe-server pado-delay <number-of-ms>
+   sessions <number-of-sessions>
+
+   Use this command to enable the delay of PADO (PPPoE Active Discovery
+   Offer) packets, which can be used as a session balancing mechanism
+   with other PPPoE servers.
+
+.. code-block:: none
+
+  set service pppoe-server pado-delay 50 sessions '500'
+  set service pppoe-server pado-delay 100 sessions '1000'
+  set service pppoe-server pado-delay 300 sessions '3000'
+
+In the example above, the first 499 sessions connect without delay. PADO
+packets will be delayed 50 ms for connection from 500 to 999, this trick
+allows other PPPoE servers send PADO faster and clients will connect to
+other servers. Last command says that this PPPoE server can serve only
+3000 clients.
+
+
+IPv6
+----
+
+IPv6 client's prefix assignment
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. cfgcmd:: set service pppoe-server client-ipv6-pool prefix <address>
+   mask <number-of-bits>
+
+   Use this comand to set the IPv6 address pool from which a PPPoE
+   client will get an IPv6 prefix of your defined length (mask) to
+   terminate the PPPoE endpoint at their side. The mask length can be
+   set from 48 to 128 bit long, the default value is 64.
+
+
+IPv6 Prefix Delegation
+^^^^^^^^^^^^^^^^^^^^^^
+
+.. cfgcmd:: set service pppoe-server client-ipv6-pool delegate <address>
+   delegation-prefix <number-of-bits>
+
+   Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You
+   will have to set your IPv6 pool and the length of the delegation
+   prefix. From the defined IPv6 pool you will be handing out networks
+   of the defined length (delegation-prefix). The length of the
+   delegation prefix can be set from 32 to 64 bit long.
+
+
+Maintenance mode
+================
+
+.. opcmd:: set pppoe-server maintenance-mode <enable | disable>
+
+   For network maintenance, it's a good idea to direct users to a backup
+   server so that the primary server can be safely taken out of service.
+   It's possible to switch your PPPoE server to maintenance mode where
+   it maintains already established connections, but refuses new
+   connection attempts.
+
+
+Checking connections
+====================
+
+.. opcmd:: show pppoe-server sessions
+
+   Use this command to locally check the active sessions in the PPPoE
+   server.
+
+
+.. code-block:: none
+
+  show pppoe-server sessions
+  ifname | username |     ip     |    calling-sid    | rate-limit  | state  |  uptime  | rx-bytes | tx-bytes
+  -------+----------+------------+-------------------+-------------+--------+----------+----------+----------
+  ppp0   | foo      | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B    | 76 B
+
+
+Per default the user session is being replaced if a second
+authentication request succeeds. Such session requests can be either
+denied or allowed entirely, which would allow multiple sessions for a
+user in the latter case. If it is denied, the second session is being
+rejected even if the authentication succeeds, the user has to terminate
+its first session and can then authentication again.
+
+.. code-block:: none
+
+  vyos@# set service pppoe-server session-control
+    Possible completions:
+    disable      Disables session control
+    deny         Deny second session authorization
+
+
+
+
+
+
+Examples
+========
+
+IPv4
+----
+
+The example below uses ACN as access-concentrator name, assigns an
+address from the pool 10.1.1.100-111, terminates at the local endpoint
+10.1.1.1 and serves requests only on eth1.
+
+.. code-block:: none
+
+  set service pppoe-server access-concentrator 'ACN'
+  set service pppoe-server authentication local-users username foo password 'bar'
+  set service pppoe-server authentication mode 'local'
+  set service pppoe-server client-ip-pool start '10.1.1.100'
+  set service pppoe-server client-ip-pool stop '10.1.1.111'
+  set service pppoe-server interface eth1
+  set service pppoe-server gateway-address '10.1.1.2'
+  set service pppoe-server name-server '10.100.100.1'
+  set service pppoe-server name-server '10.100.200.1'
+
+
+
+Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation
+--------------------------------------------------------
+
+The example below covers a dual-stack configuration via pppoe-server.
+
+.. code-block:: none
+
+  set service pppoe-server authentication local-users username test password 'test'
+  set service pppoe-server authentication mode 'local'
+  set service pppoe-server client-ip-pool start '192.168.0.1'
+  set service pppoe-server client-ip-pool stop '192.168.0.10'
+  set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56'
+  set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64'
+  set service pppoe-server name-server '10.1.1.1'
+  set service pppoe-server name-server '2001:db8:4860::8888'
+  set service pppoe-server interface 'eth2'
+  set service pppoe-server gateway-address '10.100.100.1'
+
+The client, once successfully authenticated, will receive an IPv4 and an
+IPv6 /64 address to terminate the pppoe endpoint on the client side and
+a /56 subnet for the clients internal use.
+
+.. code-block:: none
+
+  vyos@pppoe-server:~$ sh pppoe-server sessions
+   ifname | username |     ip      |            ip6           |       ip6-dp        |    calling-sid    | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
+  --------+----------+-------------+--------------------------+---------------------+-------------------+------------+--------+----------+----------+----------
+   ppp0   | test     | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb |            | active | 00:00:49 | 875 B    | 2.1 KiB
+
+.. include:: /_include/common-references.txt
diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst
new file mode 100644
index 00000000..36fa600d
--- /dev/null
+++ b/docs/configuration/service/router-advert.rst
@@ -0,0 +1,97 @@
+.. _router-advert:
+
+#####################
+Router Advertisements
+#####################
+
+:abbr:`RAs (Router advertisements)` are described in :rfc:`4861#section-4.6.2`.
+They are part of what is known as :abbr:`SLAAC (Stateless Address
+Autoconfiguration)`.
+
+
+Supported interface types:
+
+    * bonding
+    * bridge
+    * ethernet
+    * l2tpv3
+    * openvpn
+    * pseudo-ethernet
+    * tunnel
+    * vxlan
+    * wireguard
+    * wireless
+    * wirelessmodem
+
+
+Enabling Advertisments
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. cfgcmd:: set service router-advert interface <interface> ....
+
+.. stop_vyoslinter
+
+.. csv-table:: 
+   :header: "Field", "VyOS Option", "Description"
+   :widths: 10, 10, 20
+
+   "Cur Hop Limit", "hop-limit", "Hop count field of the outgoing RA packets"
+   """Managed address configuration"" flag", "managed-flag", "Tell hosts to use the administered stateful protocol (i.e. DHCP) for autoconfiguration"
+   """Other configuration"" flag", "other-config-flag", "Tell hosts to use the administered (stateful) protocol (i.e. DHCP) for autoconfiguration of other (non-address) information"
+   "MTU","link-mtu","Link MTU value placed in RAs, exluded in RAs if unset"
+   "Router Lifetime","default-lifetime","Lifetime associated with the default router in units of seconds"
+   "Reachable Time","reachable-time","Time, in milliseconds, that a node assumes a neighbor is reachable after having received a reachability confirmation"
+   "Retransmit Timer","retrans-timer","Time in milliseconds between retransmitted Neighbor Solicitation messages"
+   "Default Router Preference","default-preference","Preference associated with the default router"
+   "Interval", "interval", "Min and max intervals between unsolicited multicast RAs"
+   "DNSSL", "dnssl", "DNS search list to advertise"
+   "Name Server", "name-server", "Advertise DNS server per https://tools.ietf.org/html/rfc6106"
+
+.. start_vyoslinter
+
+
+Advertising a Prefix
+''''''''''''''''''''
+
+.. cfgcmd:: set service router-advert interface <interface> prefix 2001:DB8::/32
+
+.. stop_vyoslinter
+
+.. csv-table::
+    :header: "VyOS Field", "Description"
+    :widths: 10,30
+
+    "no-autonomous-flag","Prefix can not be used for stateless address auto-configuration"
+    "no-on-link-flag","Prefix can not be used for on-link determination"
+    "preferred-lifetime","Time in seconds that the prefix will remain preferred (default 4 hours)"
+    "valid-lifetime","Time in seconds that the prefix will remain valid (default: 30 days)"
+
+.. start_vyoslinter
+
+Disabling Advertisements
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+To disable advertisements without deleting the configuration:
+
+.. cfgcmd:: set service router-advert interface <interface> no-send-advert
+
+Example Configuration
+~~~~~~~~~~~~~~~~~~~~~
+
+.. code-block:: none
+
+     interface eth0.2 {
+        default-preference high
+        hop-limit 64
+        interval {
+            max 600
+        }
+        name-server 2001:db8::1
+        name-server 2001:db8::2
+        other-config-flag
+        prefix 2001:db8:beef:2::/64 {
+            valid-lifetime 2592000
+        }
+        reachable-time 0
+        retrans-timer 0
+     }
diff --git a/docs/configuration/service/salt-minion.disable b/docs/configuration/service/salt-minion.disable
new file mode 100644
index 00000000..63df57a4
--- /dev/null
+++ b/docs/configuration/service/salt-minion.disable
@@ -0,0 +1,2 @@
+salt-minion
+###########
\ No newline at end of file
diff --git a/docs/configuration/service/snmp.rst b/docs/configuration/service/snmp.rst
new file mode 100644
index 00000000..e962c1c5
--- /dev/null
+++ b/docs/configuration/service/snmp.rst
@@ -0,0 +1,273 @@
+.. _snmp:
+
+####
+SNMP
+####
+
+:abbr:`SNMP (Simple Network Management Protocol)` is an Internet Standard
+protocol for collecting and organizing information about managed devices on
+IP networks and for modifying that information to change device behavior.
+Devices that typically support SNMP include cable modems, routers, switches,
+servers, workstations, printers, and more.
+
+SNMP is widely used in network management for network monitoring. SNMP exposes
+management data in the form of variables on the managed systems organized in
+a management information base (MIB_) which describe the system status and
+configuration. These variables can then be remotely queried (and, in some
+circumstances, manipulated) by managing applications.
+
+Three significant versions of SNMP have been developed and deployed. SNMPv1 is
+the original version of the protocol. More recent versions, SNMPv2c and SNMPv3,
+feature improvements in performance, flexibility and security.
+
+SNMP is a component of the Internet Protocol Suite as defined by the Internet
+Engineering Task Force (IETF). It consists of a set of standards for network
+management, including an application layer protocol, a database schema, and a
+set of data objects.
+
+Overview and basic concepts
+===========================
+
+In typical uses of SNMP, one or more administrative computers called managers
+have the task of monitoring or managing a group of hosts or devices on a
+computer network. Each managed system executes a software component called an
+agent which reports information via SNMP to the manager.
+
+An SNMP-managed network consists of three key components:
+
+* Managed devices
+* Agent - software which runs on managed devices
+* Network management station (NMS) - software which runs on the manager
+
+A managed device is a network node that implements an SNMP interface that
+allows unidirectional (read-only) or bidirectional (read and write) access to
+node-specific information. Managed devices exchange node-specific information
+with the NMSs. Sometimes called network elements, the managed devices can be
+any type of device, including, but not limited to, routers, access servers,
+switches, cable modems, bridges, hubs, IP telephones, IP video cameras,
+computer hosts, and printers.
+
+An agent is a network-management software module that resides on a managed
+device. An agent has local knowledge of management information and translates
+that information to or from an SNMP-specific form.
+
+A network management station executes applications that monitor and control
+managed devices. NMSs provide the bulk of the processing and memory resources
+required for network management. One or more NMSs may exist on any managed
+network.
+
+.. figure:: /_static/images/service_snmp_communication_principles_diagram.png
+   :scale: 20 %
+   :alt: Principle of SNMP Communication
+
+   Image thankfully borrowed from
+   https://en.wikipedia.org/wiki/File:SNMP_communication_principles_diagram.PNG
+   which is under the GNU Free Documentation License
+
+.. note:: VyOS SNMP supports both IPv4 and IPv6.
+
+SNMP Protocol Versions
+======================
+
+VyOS itself supports SNMPv2_ (version 2) and SNMPv3_ (version 3) where the
+later is recommended because of improved security (optional authentication and
+encryption).
+
+SNMPv2
+------
+
+SNMPv2 is the original and most commonly used version. For authorizing clients,
+SNMP uses the concept of communities. Communities may have authorization set
+to read only (this is most common) or to read and write (this option is not
+actively used in VyOS).
+
+SNMP can work synchronously or asynchronously. In synchronous communication,
+the monitoring system queries the router periodically. In asynchronous, the
+router sends notification to the "trap" (the monitoring host).
+
+SNMPv2 does not support any authentication mechanisms, other than client source
+address, so you should specify addresses of clients allowed to monitor the
+router. Note that SNMPv2 also supports no encryption and always sends data in
+plain text.
+
+Example
+^^^^^^^
+
+.. code-block:: none
+
+  # Define a community
+  set service snmp community routers authorization ro
+
+  # Allow monitoring access from the entire network
+  set service snmp community routers network 192.0.2.0/24
+  set service snmp community routers network 2001::db8:ffff:eeee::/64
+
+  # Allow monitoring access from specific addresses
+  set service snmp community routers client 203.0.113.10
+  set service snmp community routers client 203.0.113.20
+
+  # Define optional router information
+  set service snmp location "UK, London"
+  set service snmp contact "admin@example.com"
+
+  # Trap target if you want asynchronous communication
+  set service snmp trap-target 203.0.113.10
+
+  # Listen only on specific IP addresses (port defaults to 161)
+  set service snmp listen-address 172.16.254.36 port 161
+  set service snmp listen-address 2001:db8::f00::1
+
+
+SNMPv3
+------
+
+SNMPv3 (version 3 of the SNMP protocol) introduced a whole slew of new security
+related features that have been missing from the previous versions. Security
+was one of the biggest weakness of SNMP until v3. Authentication in SNMP
+Versions 1 and 2 amounts to nothing more than a password (community string)
+sent in clear text between a manager and agent. Each SNMPv3 message contains
+security parameters which are encoded as an octet string. The meaning of these
+security parameters depends on the security model being used.
+
+The securityapproach in v3 targets:
+
+* Confidentiality – Encryption of packets to prevent snooping by an
+  unauthorized source.
+
+* Integrity – Message integrity to ensure that a packet has not been tampered
+  while in transit including an optional packet replay protection mechanism.
+
+* Authentication – to verify that the message is from a valid source.
+
+Example
+^^^^^^^
+
+* Let SNMP daemon listen only on IP address 192.0.2.1
+* Configure new SNMP user named "vyos" with password "vyos12345678"
+* New user will use SHA/AES for authentication and privacy
+
+.. code-block:: none
+
+  set service snmp listen-address 192.0.2.1
+  set service snmp location 'VyOS Datacenter'
+  set service snmp v3 engineid '000000000000000000000002'
+  set service snmp v3 group default mode 'ro'
+  set service snmp v3 group default view 'default'
+  set service snmp v3 user vyos auth plaintext-password 'vyos12345678'
+  set service snmp v3 user vyos auth type 'sha'
+  set service snmp v3 user vyos group 'default'
+  set service snmp v3 user vyos privacy plaintext-password 'vyos12345678'
+  set service snmp v3 user vyos privacy type 'aes'
+  set service snmp v3 view default oid 1
+
+After commit the plaintext passwords will be hashed and stored in your
+configuration. The resulting LCI config will look like:
+
+.. code-block:: none
+
+  vyos@vyos# show service snmp
+   listen-address 172.18.254.201 {
+   }
+   location "Wuerzburg, Dr.-Georg-Fuchs-Str. 8"
+   v3 {
+       engineid 000000000000000000000002
+       group default {
+           mode ro
+           view default
+       }
+       user vyos {
+           auth {
+               encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe
+               type sha
+           }
+           group default
+           privacy {
+               encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe
+               type aes
+           }
+       }
+       view default {
+           oid 1 {
+           }
+       }
+   }
+
+You can test the SNMPv3 functionality from any linux based system, just run the
+following command: ``snmpwalk -v 3 -u vyos -a SHA -A vyos12345678 -x AES
+-X vyos12345678 -l authPriv 192.0.2.1 .1``
+
+VyOS MIBs
+=========
+
+All SNMP MIBs are located in each image of VyOS here: ``/usr/share/snmp/mibs/``
+
+you are be able to download the files with the a activate ssh service like this
+
+.. code-block:: none
+
+  scp -r vyos@your_router:/usr/share/snmp/mibs /your_folder/mibs
+
+SNMP Extensions
+===============
+
+To extend SNMP agent functionality, custom scripts can be executed every time
+the agent is being called. This can be achieved by using
+``arbitrary extensioncommands``. The first step is to create a functional
+script of course, then upload it to your VyOS instance via the command
+``scp your_script.sh vyos@your_router:/config/user-data``.
+Once the script is uploaded, it needs to be configured via the command below.
+
+
+.. code-block:: none
+
+  set service snmp script-extensions extension-name my-extension script your_script.sh
+  commit
+
+.. stop_vyoslinter
+
+The OID ``.1.3.6.1.4.1.8072.1.3.2.3.1.1.4.116.101.115.116``, once called, will
+contain the output of the extension.
+
+.. start_vyoslinter
+
+.. code-block:: none
+
+  root@vyos:/home/vyos# snmpwalk -v2c  -c public 127.0.0.1 nsExtendOutput1
+  NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."my-extension" = STRING: hello
+  NET-SNMP-EXTEND-MIB::nsExtendOutputFull."my-extension" = STRING: hello
+  NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."my-extension" = INTEGER: 1
+  NET-SNMP-EXTEND-MIB::nsExtendResult."my-extension" = INTEGER: 0
+
+SolarWinds
+==========
+
+If you happen to use SolarWinds Orion as NMS you can also use the Device
+Templates Management. A template for VyOS can be easily imported.
+
+.. stop_vyoslinter
+
+Create a file named ``VyOS-1.3.6.1.4.1.44641.ConfigMgmt-Commands`` using the
+following content:
+
+
+.. code-block:: none
+
+  <Configuration-Management Device="VyOS" SystemOID="1.3.6.1.4.1.44641">
+      <Commands>
+          <Command Name="Reset" Value="set terminal width 0${CRLF}set terminal length 0"/>
+          <Command Name="Reboot" Value="reboot${CRLF}Yes"/>
+          <Command Name="EnterConfigMode" Value="configure"/>
+          <Command Name="ExitConfigMode" Value="commit${CRLF}exit"/>
+          <Command Name="DownloadConfig" Value="show configuration commands"/>
+          <Command Name="SaveConfig" Value="commit${CRLF}save"/>
+          <Command Name="Version" Value="show version"/>
+          <Command Name="MenuBased" Value="False"/>
+          <Command Name="VirtualPrompt" Value=":~"/>
+      </Commands>
+  </Configuration-Management>
+
+.. _MIB: https://en.wikipedia.org/wiki/Management_information_base
+.. _SNMPv2: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_2
+.. _SNMPv3: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_3
+
+.. start_vyoslinter
\ No newline at end of file
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
new file mode 100644
index 00000000..94249766
--- /dev/null
+++ b/docs/configuration/service/ssh.rst
@@ -0,0 +1,157 @@
+.. _ssh:
+
+###
+SSH
+###
+
+:abbr:`SSH (Secure Shell)` is a cryptographic network protocol for operating
+network services securely over an unsecured network. The standard TCP port for
+SSH is 22. The best known example application is for remote login to computer
+systems by users.
+
+SSH provides a secure channel over an unsecured network in a client-server
+architecture, connecting an SSH client application with an SSH server. Common
+applications include remote command-line login and remote command execution,
+but any network service can be secured with SSH. The protocol specification
+distinguishes between two major versions, referred to as SSH-1 and SSH-2.
+
+The most visible application of the protocol is for access to shell accounts
+on Unix-like operating systems, but it sees some limited use on Windows as
+well. In 2015, Microsoft announced that they would include native support for
+SSH in a future release.
+
+SSH was designed as a replacement for Telnet and for unsecured remote shell
+protocols such as the Berkeley rlogin, rsh, and rexec protocols.
+Those protocols send information, notably passwords, in plaintext,
+rendering them susceptible to interception and disclosure using packet
+analysis. The encryption used by SSH is intended to provide confidentiality
+and integrity of data over an unsecured network, such as the Internet.
+
+.. note:: VyOS 1.1 supported login as user ``root``. This has been removed due
+   to tighter security in VyOS 1.2.
+
+.. seealso:: SSH :ref:`ssh_key_based_authentication`
+
+Configuration
+=============
+
+.. cfgcmd:: set service ssh port <port>
+
+  Enabling SSH only requires you to specify the port ``<port>`` you want SSH to
+  listen on. By default, SSH runs on port 22.
+
+.. cfgcmd:: set service ssh listen-address <address>
+
+  Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be
+  defined.
+
+.. cfgcmd:: set service ssh ciphers <cipher>
+
+  Define allowed ciphers used for the SSH connection. A number of allowed
+  ciphers can be specified, use multiple occurrences to allow multiple ciphers.
+
+  List of supported ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``,
+  ``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``,
+  ``arcfour128``, ``arcfour256``, ``arcfour``, ``blowfish-cbc``, ``cast128-cbc``
+
+.. cfgcmd:: set service ssh disable-password-authentication
+
+  Disable password based authentication. Login via SSH keys only. This hardens
+  security!
+
+.. cfgcmd:: set service ssh disable-host-validation
+
+  Disable the host validation through reverse DNS lookups - can speedup login
+  time when reverse lookup is not possible.
+
+.. cfgcmd:: set service ssh macs <mac>
+
+  Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms.
+  The MAC algorithm is used in protocol version 2 for data integrity protection.
+  Multiple algorithms can be provided.
+
+  List of supported MACs: ``hmac-md5``, ``hmac-md5-96``, ``hmac-ripemd160``,
+  ``hmac-sha1``, ``hmac-sha1-96``, ``hmac-sha2-256``, ``hmac-sha2-512``,
+  ``umac-64@openssh.com``, ``umac-128@openssh.com``,
+  ``hmac-md5-etm@openssh.com``, ``hmac-md5-96-etm@openssh.com``,
+  ``hmac-ripemd160-etm@openssh.com``, ``hmac-sha1-etm@openssh.com``,
+  ``hmac-sha1-96-etm@openssh.com``, ``hmac-sha2-256-etm@openssh.com``,
+  ``hmac-sha2-512-etm@openssh.com``, ``umac-64-etm@openssh.com``,
+  ``umac-128-etm@openssh.com``
+
+.. cfgcmd:: set service ssh access-control <allow | deny> <group | user> <name>
+
+  Add access-control directive to allow or deny users and groups. Directives
+  are processed in the following order of precedence: ``deny-users``,
+  ``allow-users``, ``deny-groups`` and ``allow-groups``.
+
+.. cfgcmd:: set service ssh client-keepalive-interval <interval>
+
+  Specify timeout interval for keepalive message in seconds.
+
+.. cfgcmd:: set service ssh key-exchange <kex>
+
+  Specify allowed :abbr:`KEX (Key Exchange)` algorithms.
+
+  List of supported algorithms: ``diffie-hellman-group1-sha1``,
+  ``diffie-hellman-group14-sha1``, ``diffie-hellman-group14-sha256``,
+  ``diffie-hellman-group16-sha512``, ``diffie-hellman-group18-sha512``,
+  ``diffie-hellman-group-exchange-sha1``,
+  ``diffie-hellman-group-exchange-sha256``,
+  ``ecdh-sha2-nistp256``, ``ecdh-sha2-nistp384``, ``ecdh-sha2-nistp521``,
+  ``curve25519-sha256`` and ``curve25519-sha256@libssh.org``.
+
+.. cfgcmd:: set service ssh loglevel <quiet | fatal | error | info | verbose>
+
+  Set the ``sshd`` log level. The default is ``info``.
+
+.. cfgcmd:: set service ssh vrf <name>
+
+  Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
+
+Operation
+=========
+
+.. opcmd:: restart ssh
+
+  Restart the SSH daemon process, the current session is not affected, only the
+  background daemon is restarted.
+
+.. opcmd:: generate ssh server-key
+
+  Re-generated the public/private keyportion which SSH uses to secure
+  connections.
+
+  .. note:: Already learned known_hosts files of clients need an update as the
+     public key will change.
+
+.. opcmd:: generate ssh client-key /path/to/private_key
+
+  Re-generated a known pub/private keyfile which can e.g. used to connect to
+  other services (RPKI cache).
+
+  Example:
+
+  .. code-block:: none
+
+    vyos@vyos:~$ generate ssh client-key /config/auth/id_rsa_rpki
+    Generating public/private rsa key pair.
+    Your identification has been saved in /config/auth/id_rsa_rpki.
+    Your public key has been saved in /config/auth/id_rsa_rpki.pub.
+    The key fingerprint is:
+    SHA256:XGv2PpdOzVCzpmEzJZga8hTRq7B/ZYL3fXaioLFLS5Q cpo@LR1.wue3
+    The key's randomart image is:
+    +---[RSA 2048]----+
+    |         oo      |
+    |          ..o    |
+    |       . o.o.. o.|
+    |       o+ooo  o.o|
+    |        Eo*  =.o |
+    |       o = +.o*+ |
+    |        = o *.o.o|
+    |       o * +.o+.+|
+    |        =.. o=.oo|
+    +----[SHA256]-----+
+
+  Two new files ``/config/auth/id_rsa_rpki`` and ``/config/auth/id_rsa_rpki.pub``
+  will be created.
diff --git a/docs/configuration/service/tftp-server.rst b/docs/configuration/service/tftp-server.rst
new file mode 100644
index 00000000..276ce5fb
--- /dev/null
+++ b/docs/configuration/service/tftp-server.rst
@@ -0,0 +1,54 @@
+.. _tftp-server:
+
+###########
+TFTP Server
+###########
+
+:abbr:`TFTP (Trivial File Transfer Protocol)` is a simple, lockstep file
+transfer protocol which allows a client to get a file from or put a file onto
+a remote host. One of its primary uses is in the early stages of nodes booting
+from a local area network. TFTP has been used for this application because it
+is very simple to implement.
+
+Configuration
+=============
+
+.. cfgcmd:: set service tftp-server directory <directory>
+
+Enable TFTP service by specifying the `<directory>` which will be used to serve
+files.
+
+.. hint:: Choose your ``directory`` location carefully or you will loose the
+   content on image upgrades. Any directory under ``/config`` is save at this
+   will be migrated.
+
+.. cfgcmd:: set service tftp-server listen-address <address>
+
+Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and
+IPv6 addresses can be given. There will be one TFTP server instances listening
+on each IP address.
+
+.. note:: Configuring a listen-address is essential for the service to work.
+
+.. cfgcmd:: set service tftp-server allow-upload
+
+Optional, if you want to enable uploads, else TFTP server will act as read-only
+server.
+
+Example
+-------
+
+Provide TFTP server listening on both IPv4 and IPv6 addresses ``192.0.2.1`` and
+``2001:db8::1`` serving the content from ``/config/tftpboot``. Uploading via
+TFTP to this server is not allowed!
+
+The resulting configuration will look like:
+
+.. code-block:: none
+
+  vyos@vyos# show service
+   tftp-server {
+      directory /config/tftpboot
+      listen-address 2001:db8::1
+      listen-address 192.0.2.1
+   }
diff --git a/docs/configuration/service/webproxy.rst b/docs/configuration/service/webproxy.rst
new file mode 100644
index 00000000..e8f6423e
--- /dev/null
+++ b/docs/configuration/service/webproxy.rst
@@ -0,0 +1,434 @@
+.. _webproxy:
+
+########
+Webproxy
+########
+
+The proxy service in VyOS is based on Squid_ and some related modules.
+
+Squid_ is a caching and forwarding HTTP web proxy. It has a wide variety of
+uses, including speeding up a web server by caching repeated requests, caching
+web, DNS and other computer network lookups for a group of people sharing
+network resources, and aiding security by filtering traffic. Although primarily
+used for HTTP and FTP, Squid includes limited support for several other
+protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does not
+support the SOCKS protocol.
+
+URL Filtering is provided by SquidGuard_.
+
+*************
+Configuration
+*************
+
+.. cfgcmd:: set service webproxy append-domain <domain>
+
+  Use this command to specify a domain name to be appended to domain-names
+  within URLs that do not include a dot ``.`` the domain is appended.
+
+  Example: to be appended is set to ``vyos.net`` and the URL received is
+  ``www/foo.html``, the system will use the generated, final URL of
+  ``www.vyos.net/foo.html``.
+
+  .. code-block:: none
+
+    set service webproxy append-domain vyos.net
+
+.. cfgcmd:: set service webproxy cache-size <size>
+
+  The size of the on-disk Proxy cache is user configurable. The Proxies default
+  cache-size is configured to 100 MB.
+
+  Unit of this command is MB.
+
+  .. code-block:: none
+
+    set service webproxy cache-size 1024
+
+.. cfgcmd:: set service webproxy default-port <port>
+
+  Specify the port used on which the proxy service is listening for requests.
+  This port is the default port used for the specified listen-address.
+
+  Default port is 3128.
+
+  .. code-block:: none
+
+    set service webproxy default-port 8080
+
+.. cfgcmd:: set service webproxy domain-block <domain>
+
+  Used to block specific domains by the Proxy. Specifying "vyos.net" will block
+  all access to vyos.net, and specifying ".xxx" will block all access to URLs
+  having an URL ending on .xxx.
+
+  .. code-block:: none
+
+    set service webproxy domain-block vyos.net
+
+.. cfgcmd:: set service webproxy domain-noncache <domain>
+
+  Allow access to sites in a domain without retrieving them from the Proxy
+  cache. Specifying "vyos.net" will allow access to vyos.net but the pages
+  accessed will not be cached. It useful for working around problems with
+  "If-Modified-Since" checking at certain sites.
+
+  .. code-block:: none
+
+    set service webproxy domain-noncache vyos.net
+
+.. cfgcmd:: set service webproxy listen-address <address>
+
+  Specifies proxy service listening address. The listen address is the IP
+  address on which the web proxy service listens for client requests.
+
+  For security, the listen address should only be used on internal/trusted
+  networks!
+
+  .. code-block:: none
+
+    set service webproxy listen-address 192.0.2.1
+
+.. cfgcmd:: set service webproxy listen-address <address> disable-transparent
+
+  Disables web proxy transparent mode at a listening address.
+
+  In transparent proxy mode, all traffic arriving on port 80 and destined for
+  the Internet is automatically forwarded through the proxy. This allows
+  immediate proxy forwarding without configuring client browsers.
+
+  Non-transparent proxying requires that the client browsers be configured with
+  the proxy settings before requests are redirected. The advantage of this is
+  that the client web browser can detect that a proxy is in use and can behave
+  accordingly. In addition, web-transmitted malware can sometimes be blocked by
+  a non-transparent web proxy, since they are not aware of the proxy settings.
+
+  .. code-block:: none
+
+    set service webproxy listen-address 192.0.2.1 disable-transparent
+
+.. cfgcmd:: set service webproxy listen-address <address> port <port>
+
+  Sets the listening port for a listening address. This overrides the default
+  port of 3128 on the specific listen address.
+
+  .. code-block:: none
+
+    set service webproxy listen-address 192.0.2.1 port 8080
+
+
+.. cfgcmd:: set service webproxy reply-block-mime <mime>
+
+  Used to block a specific mime-type.
+
+  .. code-block:: none
+
+    # block all PDFs
+    set service webproxy reply-block-mime application/pdf
+
+
+.. cfgcmd:: set service webproxy reply-body-max-size <size>
+
+  Specifies the maximum size of a reply body in KB, used to limit the reply
+  size.
+
+  All reply sizes are accepted by default.
+
+  .. code-block:: none
+
+    set service webproxy reply-body-max-size 2048
+
+Authentication
+==============
+
+The embedded Squid proxy can use LDAP to authenticate users against a company
+wide directory. The following configuration is an example of how to use Active
+Directory as authentication backend. Queries are done via LDAP.
+
+.. cfgcmd:: set service webproxy authentication children <number>
+
+  Maximum number of authenticator processes to spawn. If you start too few
+  Squid will have to wait for them to process a backlog of credential
+  verifications, slowing it down. When password verifications are done via a
+  (slow) network you are likely to need lots of authenticator processes.
+
+  This defaults to 5.
+
+  .. code-block:: none
+
+    set service webproxy authentication children 10
+
+.. cfgcmd:: set service webproxy authentication credentials-ttl <time>
+
+  Specifies how long squid assumes an externally validated username:password
+  pair is valid for - in other words how often the helper program is called for
+  that user. Set this low to force revalidation with short lived passwords.
+
+  Time is in minutes and defaults to 60.
+
+  .. code-block:: none
+
+    set service webproxy authentication credentials-ttl 120
+
+
+.. cfgcmd:: set service webproxy authentication method <ldap>
+
+  Proxy authentication method, currently only LDAP is supported.
+
+  .. code-block:: none
+
+    set service webproxy authentication method ldap
+
+.. cfgcmd:: set service webproxy authentication realm
+
+  Specifies the protection scope (aka realm name) which is to be reported to
+  the client for the authentication scheme. It is commonly part of the text
+  the user will see when prompted for their username and password.
+
+  .. code-block:: none
+
+    set service webproxy authentication realm "VyOS proxy auth"
+
+LDAP
+----
+
+.. cfgcmd:: set service webproxy authentication ldap base-dn <base-dn>
+
+  Specifies the base DN under which the users are located.
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap base-dn DC=vyos,DC=net
+
+
+.. cfgcmd:: set service webproxy authentication ldap bind-dn <bind-dn>
+
+  The DN and password to bind as while performing searches.
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap bind-dn CN=proxyuser,CN=Users,DC=vyos,DC=net
+
+.. cfgcmd:: set service webproxy authentication ldap filter-expression <expr>
+
+  LDAP search filter to locate the user DN. Required if the users are in a
+  hierarchy below the base DN, or if the login name is not what builds the user
+  specific part of the users DN.
+
+  The search filter can contain up to 15 occurrences of %s which will be
+  replaced by the username, as in "uid=%s" for :rfc:`2037` directories. For a
+  detailed description of LDAP search filter syntax see :rfc:`2254`.
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap filter-expression (cn=%s)
+
+.. cfgcmd:: set service webproxy authentication ldap password <password>
+
+  The DN and password to bind as while performing searches. As the password
+  needs to be printed in plain text in your Squid configuration it is strongly
+  recommended to use a account with minimal associated privileges. This to limit
+  the damage in case someone could get hold of a copy of your Squid
+  configuration file.
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap password vyos
+
+.. cfgcmd:: set service webproxy authentication ldap persistent-connection
+
+  Use a persistent LDAP connection. Normally the LDAP connection is only open
+  while validating a username to preserve resources at the LDAP server. This
+  option causes the LDAP connection to be kept open, allowing it to be reused
+  for further user validations.
+
+  Recommended for larger installations.
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap persistent-connection
+
+.. cfgcmd:: set service webproxy authentication ldap port <port>
+
+  Specify an alternate TCP port where the ldap server is listening if other than
+  the default LDAP port 389.
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap port 389
+
+.. cfgcmd:: set service webproxy authentication ldap server <server>
+
+  Specify the LDAP server to connect to.
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap server ldap.vyos.net
+
+
+.. cfgcmd:: set service webproxy authentication ldap use-ssl
+
+  Use TLS encryption.
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap use-ssl
+
+
+.. cfgcmd:: set service webproxy authentication ldap username-attribute <attr>
+
+  Specifies the name of the DN attribute that contains the username/login.
+  Combined with the base DN to construct the users DN when no search filter is
+  specified (`filter-expression`).
+
+  Defaults to 'uid'
+
+  .. note:: This can only be done if all your users are located directly under
+    the same position in the LDAP tree and the login name is used for naming
+    each user object. If your LDAP tree does not match these criterias or if you
+    want to filter who are valid users then you need to use a search filter to
+    search for your users DN (`filter-expression`).
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap username-attribute uid
+
+.. cfgcmd:: set service webproxy authentication ldap version <2 | 3>
+
+  LDAP protocol version. Defaults to 3 if not specified.
+
+  .. code-block:: none
+
+    set service webproxy authentication ldap version 2
+
+URL filtering
+=============
+
+.. include:: /_include/need_improvement.txt
+
+
+.. cfgcmd:: set service webproxy url-filtering disable
+
+  Disables web filtering without discarding configuration.
+
+  .. code-block:: none
+
+    set service webproxy url-filtering disable
+
+*********
+Operation
+*********
+
+.. include:: /_include/need_improvement.txt
+
+Filtering
+=========
+
+Update
+------
+
+If you want to use existing blacklists you have to create/download a database
+first. Otherwise you will not be able to commit the config changes.
+
+
+.. opcmd:: update webproxy blacklists
+
+  Download/Update complete blacklist
+
+  .. code-block:: none
+
+    vyos@vyos:~$ update webproxy blacklists
+    Warning: No url-filtering blacklist installed
+    Would you like to download a default blacklist? [confirm][y]
+    Connecting to ftp.univ-tlse1.fr (193.49.48.249:21)
+    blacklists.gz        100% |*************************************************************************************************************| 17.0M  0:00:00 ETA
+    Uncompressing blacklist...
+    Checking permissions...
+    Skip link for   [ads] -> [publicite]
+    Building DB for [adult/domains] - 2467177 entries
+    Building DB for [adult/urls] - 67798 entries
+    Skip link for   [aggressive] -> [agressif]
+    Building DB for [agressif/domains] - 348 entries
+    Building DB for [agressif/urls] - 36 entries
+    Building DB for [arjel/domains] - 69 entries
+    ...
+
+    Building DB for [webmail/domains] - 374 entries
+    Building DB for [webmail/urls] - 9 entries
+
+    The webproxy daemon must be restarted
+    Would you like to restart it now? [confirm][y]
+
+    [ ok ] Restarting squid (via systemctl): squid.service.
+    vyos@vyos:~$
+
+.. opcmd:: update webproxy blacklists category <category>
+
+  Download/Update partial blacklist.
+
+  Use tab completion to get a list of categories.
+
+* To auto update the blacklist files
+
+  :code:`set service webproxy url-filtering squidguard auto-update
+  update-hour 23`
+
+* To configure blocking add the following to the configuration
+
+  :code:`set service webproxy url-filtering squidguard block-category ads`
+
+  :code:`set service webproxy url-filtering squidguard block-category malware`
+
+Bypassing the webproxy
+----------------------
+
+.. include:: /_include/need_improvement.txt
+
+Some services don't work correctly when being handled via a web proxy.
+So sometimes it is useful to bypass a transparent proxy:
+
+* To bypass the proxy for every request that is directed to a specific
+  destination:
+
+  :code:`set service webproxy whitelist destination-address 198.51.100.33`
+
+  :code:`set service webproxy whitelist destination-address 192.0.2.0/24`
+
+
+* To bypass the proxy for every request that is coming from a specific source:
+
+  :code:`set service webproxy whitelist source-address 192.168.1.2`
+
+  :code:`set service webproxy whitelist source-address 192.168.2.0/24`
+
+  (This can be useful when a called service has many and/or often changing
+  destination addresses - e.g. Netflix.)
+
+********
+Examples
+********
+
+.. code-block:: none
+
+  vyos@vyos# show service webproxy
+   authentication {
+       children 5
+       credentials-ttl 60
+       ldap {
+           base-dn DC=example,DC=local
+           bind-dn CN=proxyuser,CN=Users,DC=example,DC=local
+           filter-expression (cn=%s)
+           password Qwert1234
+           server ldap.example.local
+           username-attribute cn
+       }
+       method ldap
+       realm "VyOS Webproxy"
+   }
+   cache-size 100
+   default-port 3128
+   listen-address 192.168.188.103 {
+       disable-transparent
+   }
+
+.. _Squid: http://www.squid-cache.org/
+.. _SquidGuard: http://www.squidguard.org/