-rw-r--r--docs/appendix/commandtree/configmode.rst62
-rw-r--r--docs/appendix/commandtree/operationmode.rst58
-rw-r--r--docs/appendix/examples/azure-vpn-bgp.rst16
-rw-r--r--docs/appendix/examples/azure-vpn-dual-bgp.rst16
-rw-r--r--docs/appendix/examples/bgp-ipv6-unnumbered.rst20
-rw-r--r--docs/appendix/examples/dmvpn.rst6
-rw-r--r--docs/appendix/examples/ospf-unnumbered.rst12
-rw-r--r--docs/appendix/examples/tunnelbroker-ipv6.rst12
-rw-r--r--docs/appendix/examples/zone-policy.rst22
-rw-r--r--docs/appendix/migrate-from-vyatta.rst6
-rw-r--r--docs/appendix/troubleshooting.rst34
-rw-r--r--docs/appendix/vyos-on-baremetal.rst12
-rw-r--r--docs/cli.rst8
-rw-r--r--docs/clustering.rst8
-rw-r--r--docs/commandscripting.rst16
-rw-r--r--docs/configuration-overview.rst40
-rw-r--r--docs/contributing/build-vyos.rst8
-rw-r--r--docs/contributing/development.rst4
-rw-r--r--docs/firewall.rst18
-rw-r--r--docs/high-availability.rst22
-rw-r--r--docs/image-mgmt.rst8
-rw-r--r--docs/install.rst20
-rw-r--r--docs/interfaces/addresses.rst22
-rw-r--r--docs/interfaces/bonding.rst14
-rw-r--r--docs/interfaces/bridging.rst14
-rw-r--r--docs/interfaces/dummy.rst2
-rw-r--r--docs/interfaces/ethernet.rst6
-rw-r--r--docs/interfaces/index.rst4
-rw-r--r--docs/interfaces/l2tpv3.rst10
-rw-r--r--docs/interfaces/pppoe.rst12
-rw-r--r--docs/interfaces/qinq.rst4
-rw-r--r--docs/interfaces/tunnel.rst22
-rw-r--r--docs/interfaces/vlan.rst6
-rw-r--r--docs/interfaces/vxlan.rst28
-rw-r--r--docs/interfaces/wireless.rst6
-rw-r--r--docs/load-balancing.rst36
-rw-r--r--docs/nat.rst34
-rw-r--r--docs/qos.rst56
-rw-r--r--docs/quick-start.rst32
-rw-r--r--docs/routing/arp.rst6
-rw-r--r--docs/routing/bgp.rst20
-rw-r--r--docs/routing/igmp-proxy.rst2
-rw-r--r--docs/routing/mss-clamp.rst6
-rw-r--r--docs/routing/ospf.rst18
-rw-r--r--docs/routing/pbr.rst14
-rw-r--r--docs/routing/rip.rst4
-rw-r--r--docs/routing/routing-policy.rst6
-rw-r--r--docs/routing/static.rst4
-rw-r--r--docs/services/conntrack.rst12
-rw-r--r--docs/services/dhcp-relay.rst20
-rw-r--r--docs/services/dhcp.rst12
-rw-r--r--docs/services/dhcpv6.rst68
-rw-r--r--docs/services/dns-forwarding.rst14
-rw-r--r--docs/services/dynamic-dns.rst24
-rw-r--r--docs/services/ipoe-server.rst16
-rw-r--r--docs/services/lldp.rst2
-rw-r--r--docs/services/mdns-repeater.rst4
-rw-r--r--docs/services/pppoe-server.rst30
-rw-r--r--docs/services/snmp.rst12
-rw-r--r--docs/services/ssh.rst6
-rw-r--r--docs/services/sstp-server.rst4
-rw-r--r--docs/services/tftp.rst4
-rw-r--r--docs/services/udp-broadcast-relay.rst8
-rw-r--r--docs/services/webproxy.rst8
-rw-r--r--docs/system/config-management.rst6
-rw-r--r--docs/system/eventhandler.rst4
-rw-r--r--docs/system/flowaccounting.rst6
-rw-r--r--docs/system/host-information.rst36
-rw-r--r--docs/system/login-users.rst20
-rw-r--r--docs/system/ntp.rst4
-rw-r--r--docs/system/proxy.rst4
-rw-r--r--docs/system/serialconsole.rst2
-rw-r--r--docs/system/syslog.rst16
-rw-r--r--docs/system/task-scheduler.rst8
-rw-r--r--docs/system/time-zone.rst2
-rw-r--r--docs/vpn/dmvpn.rst12
-rw-r--r--docs/vpn/gre-ipsec.rst14
-rw-r--r--docs/vpn/l2tp.rst16
-rw-r--r--docs/vpn/openvpn.rst38
-rw-r--r--docs/vpn/pptp.rst6
-rw-r--r--docs/vpn/site2site_ipsec.rst12
-rw-r--r--docs/vpn/wireguard.rst26
82 files changed, 646 insertions, 646 deletions
diff --git a/docs/appendix/commandtree/configmode.rst b/docs/appendix/commandtree/configmode.rst
index 2eaa96fc..d4148c22 100644
--- a/docs/appendix/commandtree/configmode.rst
+++ b/docs/appendix/commandtree/configmode.rst
@@ -3,7 +3,7 @@
Configuration mode
------------------
-.. code-block:: console
+.. code-block:: none
confirm Confirm prior commit-confirm
comment Add comment to this configuration element
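Review bot: the `console` to `none` change at the top of configmode.rst is the same one-line substitution repeated in every directive of all 82 files (646 insertions, 646 deletions in the diffstat), and nothing in the patch stops the next contributor from writing `.. code-block:: console` again. Consider setting `highlight_language = 'none'` in the Sphinx conf.py as the project default and stating in the contributing docs that CLI listings use the `none` lexer.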
@@ -39,21 +39,21 @@ The command cannot be used at the top of the configuration hierarchy, only on su
To add a comment to a section, while being already at the proper section level:
-.. code-block:: console
+.. code-block:: none
[edit <section>]
vyos@vyos# comment "Type Comment Here"
To add a comment directly to a section, from the top or a higher section:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# comment <section> "Type Comment Here"
To remove a comment, add a blank comment to overwrite:
-.. code-block:: console
+.. code-block:: none
[edit <section>]
vyos@vyos# comment ""
@@ -63,7 +63,7 @@ Examples
To add a comment to the "interfaces" section:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# edit interfaces
@@ -74,7 +74,7 @@ To add a comment to the "interfaces" section:
The comment would then appear like this:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# show
@@ -86,7 +86,7 @@ The comment would then appear like this:
An important thing to note is that since the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the ``show interfaces`` command would return starting after the "interfaces {" line, hiding the comment:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# show interfaces
@@ -96,7 +96,7 @@ An important thing to note is that since the comment is added on top of the sect
To add a comment to the interfaces section from the top:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# comment interfaces "test"
@@ -104,7 +104,7 @@ To add a comment to the interfaces section from the top:
The comment can be added to any node that already exists, even if it's multiple levels lower:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# comment interfaces ethernet eth0 vif 222 address "Far down comment"
@@ -119,7 +119,7 @@ To discard the changes without committing, use the ``discard`` command. The ``co
The confirm keyword can be added, see ``commit-confirm``. A comment can be entered, it will appear in the commit log.
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# commit
@@ -134,7 +134,7 @@ The ``commit-confirm`` command commits the proposed changes to the configuration
If the ``confirm`` command is not entered before the timer expiration, the configuration will be rolled back and VyOS will reboot.
The default timer value is 10 minutes, but a custom value can be entered.
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# commit-confirm
@@ -149,7 +149,7 @@ Compare
VyOS maintains backups of previous configurations. To compare configuration revisions in configuration mode, use the compare command:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# compare
@@ -178,7 +178,7 @@ The ``copy`` command allows you to copy a configuration object.
Copy the configuration entrys from a firewall name WAN rule 1 to rule 2.
-.. code-block:: console
+.. code-block:: none
[edit firewall name WAN]
vyos@vyos# show
@@ -212,7 +212,7 @@ The ``delte`` command is to delete a configuration entry.
This Example delete the hole ``service tftp-server`` section.
-.. code-block:: console
+.. code-block:: none
delete service tftp-server
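Review bot: the text around this directive keeps its typos: the section sentence shown in the hunk header reads "``delte`` command", and the line above the directive reads "This Example delete the hole". Since the hunk touches this paragraph anyway, correct them to "``delete`` command" and "This example deletes the whole ``service tftp-server`` section."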
@@ -221,7 +221,7 @@ Discard
The ``discard`` command removes all pending configuration changes.
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# discard
@@ -235,7 +235,7 @@ The ``edit`` command allows you to navigate down into the configuration tree.
To get back to an upper level, use the ``up`` command or use the ``top`` command to get back to the upper most level.
The ``[edit]`` text displays where the user is located in the configuration tree.
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# edit interfaces
@@ -255,7 +255,7 @@ The ``exit`` command doesn't save the configuration, only the ``save`` command d
Exiting from a configuration level:
-.. code-block:: console
+.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# exit
@@ -264,7 +264,7 @@ Exiting from a configuration level:
Exiting from configuration mode:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# exit
@@ -273,14 +273,14 @@ Exiting from configuration mode:
Exiting from operational mode:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ exit
logout
Error message when trying to exit with uncommitted changes:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# exit
Cannot exit: configuration modified.
@@ -291,7 +291,7 @@ Error message when trying to exit with uncommitted changes:
Warning message when exiting with unsaved changes:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# exit
@@ -304,7 +304,7 @@ Load
The ``load`` command load a configuration from a local or remote file. You have to be use ``commit`` to make the change active
-.. code-block:: console
+.. code-block:: none
<Enter> Load from system config file
<file> Load from file on local machine
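Review bot: the sentence above the first directive of the Load section is ungrammatical ("command load", "You have to be use ``commit``") and has no final period. Suggest: "The ``load`` command loads a configuration from a local or remote file. You have to use ``commit`` to make the change active."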
@@ -316,7 +316,7 @@ The ``load`` command load a configuration from a local or remote file. You have
tftp://<host>/<file> Load from file on remote machine
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# load
@@ -330,7 +330,7 @@ Loadkey
Copies the content of a public key to the ~/.ssh/authorized_keys file.
-.. code-block:: console
+.. code-block:: none
loadkey <username> [tab]
@@ -348,7 +348,7 @@ The ``merge`` command merge the config from a local or remote file with the runn
In the example below exist a ``default-firewall.config`` file with some common firewall rules you saved earlier.
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# show firewall
@@ -392,7 +392,7 @@ The ``rename`` command allows you to rename or move a configuration object.
See here how to move the configuration entrys from vlanid 3 to 2
-.. code-block:: console
+.. code-block:: none
[edit interfaces ethernet eth1]
vyos@vyos# show
@@ -427,7 +427,7 @@ Rollback
You can ``rollback`` configuration using the rollback command, however this command will currently trigger a system reboot.
Use the compare command to verify the configuration you want to rollback to.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# compare 1
[edit system]
@@ -447,7 +447,7 @@ Run
The ``run`` command allows you to execute any operational mode commands without exiting the configuration session.
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# run show interfaces
@@ -462,7 +462,7 @@ Save
The ``save`` command saves the current configuration to non-volatile storage. VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP.
-.. code-block:: console
+.. code-block:: none
<Enter> Save to system config file
<file> Save to file on local machine
@@ -476,7 +476,7 @@ Set
The ``set`` command create all configuration entrys
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
@@ -488,7 +488,7 @@ The ``show`` command in the configuration mode displays the configuration and sh
Show the hole config, the address and description of eth1 is moving to vlan 2 if you commit the changes.
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# show
diff --git a/docs/appendix/commandtree/operationmode.rst b/docs/appendix/commandtree/operationmode.rst
index 96c7a631..8092f248 100644
--- a/docs/appendix/commandtree/operationmode.rst
+++ b/docs/appendix/commandtree/operationmode.rst
@@ -8,7 +8,7 @@ After this is the first view after the login.
Please see :ref:`cli` for navigation in the CLI
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ [tab]
@@ -44,7 +44,7 @@ Please see :ref:`cli` for navigation in the CLI
Add
^^^
-.. code-block:: console
+.. code-block:: none
raid Add a RAID set element
system Add an item to a system facility
@@ -52,7 +52,7 @@ Add
Clear
^^^^^
-.. code-block:: console
+.. code-block:: none
console Clear screen
firewall Clear firewall statistics
@@ -69,13 +69,13 @@ Clone
The ``clone`` command allows you to clone a configuration from a system image to another one, or from the running config to another system image.
To clone the running config to a system image:
-.. code-block:: console
+.. code-block:: none
clone system config <system-image> from running
To clone from system image A to system image B:
-.. code-block:: console
+.. code-block:: none
clone system config <system-image-B> from <system-image-A>
@@ -85,7 +85,7 @@ Configure
The ``configure`` command allows you to enter configuration mode.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ configure
[edit]
@@ -97,7 +97,7 @@ Connect
The ``connect`` command allows you to bring up a connection oriented interface, like a pppoe interface.
-.. code-block:: console
+.. code-block:: none
connect interface <interface>
@@ -108,7 +108,7 @@ The ``copy`` command allows you to copy a file to your running config or over im
It can look like this example:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ copy file [tab]
Possible completions:
@@ -127,7 +127,7 @@ It can look like this example:
To copy from file A to file B:
-.. code-block:: console
+.. code-block:: none
copy <file A> to <file B>
@@ -135,7 +135,7 @@ To copy from file A to file B:
Delete
^^^^^^
-.. code-block:: console
+.. code-block:: none
conntrack Delete Conntrack entries
file Delete files in a particular image
@@ -149,14 +149,14 @@ Disconnect
The ``disconnect`` command allows you to take down a connection oriented interface, like a pppoe interface.
-.. code-block:: console
+.. code-block:: none
disconnect interface <interface>
Force
^^^^^
-.. code-block:: console
+.. code-block:: none
arp Send gratuitous ARP request or reply
cluster Force a cluster state transition
@@ -167,14 +167,14 @@ Format
The ``format`` command allows you to format a disk the same way as another one.
-.. code-block:: console
+.. code-block:: none
format disk <target> like <source>
Generate
^^^^^^^^
-.. code-block:: console
+.. code-block:: none
openvpn OpenVPN key generation tool
ssh-server-key
@@ -188,7 +188,7 @@ Install
The ``install`` command allows you to install the system image on the disk.
-.. code-block:: console
+.. code-block:: none
install image
@@ -198,7 +198,7 @@ Monitor
``monitor`` can be used to continually view what is happening on the router.
-.. code-block:: console
+.. code-block:: none
bandwidth Monitor interface bandwidth in real time
bandwidth-test
@@ -232,7 +232,7 @@ Ping
The ``ping`` command allows you to send an ICMP-EchoRequest packet and display the ICMP-EchoReply received.
-.. code-block:: console
+.. code-block:: none
<hostname> Send Internet Control Message Protocol (ICMP) echo request
<x.x.x.x>
@@ -244,7 +244,7 @@ Poweroff
The ``poweroff`` command allows you to properly shut down the VyOS instance. Without any modifier, the command is executed immediately.
-.. code-block:: console
+.. code-block:: none
<Enter> Execute the current command
at Poweroff at a specific time
@@ -256,7 +256,7 @@ Reboot
^^^^^^
The ``reboot`` command allows you to properly restart the VyOS instance. Without any modifier, the command is executed immediately.
-.. code-block:: console
+.. code-block:: none
<Enter> Execute the current command
at Poweroff at a specific time
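Review bot: in the Reboot listing the `at` completion is described as "Poweroff at a specific time", word for word the same as the line in the Poweroff section just above. If this is a copy-paste slip in the docs it should read "Reboot at a specific time"; if the CLI really prints this help text, say so in the docs or fix it upstream.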
@@ -269,7 +269,7 @@ Release
The ``release`` command allows you to release a DHCP or DHCPv6 lease.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ release dhcp interface <int>
vyos@vyos:~$ release dhcpv6 interface <int>
@@ -280,7 +280,7 @@ Rename
The ``rename`` command allows you to rename a system image.
-.. code-block:: console
+.. code-block:: none
rename system image <currentname> <newname>
@@ -290,7 +290,7 @@ Renew
The ``renew`` command allows you to renew a DHCP or DHCPv6 lease.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ renew dhcp interface <int>
vyos@vyos:~$ renew dhcpv6 interface <int>
@@ -298,7 +298,7 @@ The ``renew`` command allows you to renew a DHCP or DHCPv6 lease.
Reset
^^^^^
-.. code-block:: console
+.. code-block:: none
conntrack Reset all currently tracked connections
conntrack-sync
@@ -315,7 +315,7 @@ Reset
Restart
^^^^^^^
-.. code-block:: console
+.. code-block:: none
cluster Restart cluster node
conntrack-sync
@@ -335,7 +335,7 @@ Restart
Set
^^^
-.. code-block:: console
+.. code-block:: none
<OPTION> Bash builtin set command
console Control console behaviors
@@ -346,7 +346,7 @@ Set
Show
^^^^
-.. code-block:: console
+.. code-block:: none
arp Show Address Resolution Protocol (ARP) information
bridge Show bridging information
@@ -410,7 +410,7 @@ In the past the ``telnet`` command allowed you to connect remotely to another de
Telnet is unencrypted and should not use anymore. But its nice to test if an TCP Port to a host is open.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ telnet 192.168.1.3 443
Trying 192.168.1.3...
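Review bot: the sentence above the telnet example ("Telnet is unencrypted and should not use anymore. But its nice to test if an TCP Port to a host is open.") carries the only security guidance for this command and is hard to read. Suggest: "Telnet is unencrypted and should no longer be used for remote access, but it is still handy for testing whether a TCP port on a host is open."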
@@ -426,7 +426,7 @@ Traceroute
The ``traceroute`` command allows you to trace the path taken to a particular device.
-.. code-block:: console
+.. code-block:: none
<hostname> Track network path to specified node
<x.x.x.x>
@@ -438,7 +438,7 @@ The ``traceroute`` command allows you to trace the path taken to a particular de
Update
^^^^^^
-.. code-block:: console
+.. code-block:: none
dns Update DNS information
webproxy Update webproxy \ No newline at end of file
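Review bot: operationmode.rst still ends without a trailing newline, as shown by the "\ No newline at end of file" marker after the `webproxy Update webproxy` line. Add the newline while the file is being touched, so later patches do not show a spurious change on the last line.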
diff --git a/docs/appendix/examples/azure-vpn-bgp.rst b/docs/appendix/examples/azure-vpn-bgp.rst
index 896f43d4..57f82396 100644
--- a/docs/appendix/examples/azure-vpn-bgp.rst
+++ b/docs/appendix/examples/azure-vpn-bgp.rst
@@ -52,7 +52,7 @@ Vyos configuration
- Configure the IKE and ESP settings to match a subset
of those supported by Azure:
-.. code-block:: console
+.. code-block:: none
set vpn ipsec esp-group AZURE compression 'disable'
set vpn ipsec esp-group AZURE lifetime '3600'
@@ -73,26 +73,26 @@ Vyos configuration
- Enable IPsec on eth0
-.. code-block:: console
+.. code-block:: none
set vpn ipsec ipsec-interfaces interface 'eth0'
- Configure a VTI with a dummy IP address
-.. code-block:: console
+.. code-block:: none
set interfaces vti vti1 address '10.10.1.5/32'
set interfaces vti vti1 description 'Azure Tunnel'
- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
-.. code-block:: console
+.. code-block:: none
set firewall options interface vti1 adjust-mss 1350
- Configure the VPN tunnel
-.. code-block:: console
+.. code-block:: none
set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
@@ -108,13 +108,13 @@ Vyos configuration
- **Important**: Add an interface route to reach Azure's BGP listener
-.. code-block:: console
+.. code-block:: none
set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
- Configure your BGP settings
-.. code-block:: console
+.. code-block:: none
set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
@@ -123,6 +123,6 @@ Vyos configuration
- **Important**: Disable connected check \
-.. code-block:: console
+.. code-block:: none
set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
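Review bot: the bullet above the last directive in azure-vpn-bgp.rst ends in a stray backslash ("Disable connected check \") and gives no reason for the setting. The matching bullet in azure-vpn-dual-bgp.rst has the explanation "otherwise the routes learned from Azure will not be imported into the routing table"; use the same sentence here and drop the backslash.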
diff --git a/docs/appendix/examples/azure-vpn-dual-bgp.rst b/docs/appendix/examples/azure-vpn-dual-bgp.rst
index 27007709..cbe9a4d9 100644
--- a/docs/appendix/examples/azure-vpn-dual-bgp.rst
+++ b/docs/appendix/examples/azure-vpn-dual-bgp.rst
@@ -55,7 +55,7 @@ Vyos configuration
- Configure the IKE and ESP settings to match a subset
of those supported by Azure:
-.. code-block:: console
+.. code-block:: none
set vpn ipsec esp-group AZURE compression 'disable'
set vpn ipsec esp-group AZURE lifetime '3600'
@@ -76,13 +76,13 @@ Vyos configuration
- Enable IPsec on eth0
-.. code-block:: console
+.. code-block:: none
set vpn ipsec ipsec-interfaces interface 'eth0'
- Configure two VTIs with a dummy IP address each
-.. code-block:: console
+.. code-block:: none
set interfaces vti vti1 address '10.10.1.5/32'
set interfaces vti vti1 description 'Azure Primary Tunnel'
@@ -92,14 +92,14 @@ Vyos configuration
- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
-.. code-block:: console
+.. code-block:: none
set firewall options interface vti1 adjust-mss 1350
set firewall options interface vti2 adjust-mss 1350
- Configure the VPN tunnels
-.. code-block:: console
+.. code-block:: none
set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
@@ -127,14 +127,14 @@ Vyos configuration
- **Important**: Add an interface route to reach both Azure's BGP listeners
-.. code-block:: console
+.. code-block:: none
set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2
- Configure your BGP settings
-.. code-block:: console
+.. code-block:: none
set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
@@ -149,7 +149,7 @@ Vyos configuration
- **Important**: Disable connected check, otherwise the routes learned
from Azure will not be imported into the routing table.
-.. code-block:: console
+.. code-block:: none
set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check
diff --git a/docs/appendix/examples/bgp-ipv6-unnumbered.rst b/docs/appendix/examples/bgp-ipv6-unnumbered.rst
index 6049e0c1..283dcd45 100644
--- a/docs/appendix/examples/bgp-ipv6-unnumbered.rst
+++ b/docs/appendix/examples/bgp-ipv6-unnumbered.rst
@@ -10,7 +10,7 @@ Configuration
- Router A:
-.. code-block:: console
+.. code-block:: none
set protocols bgp 65020 address-family ipv4-unicast redistribute connected
set protocols bgp 65020 address-family ipv6-unicast redistribute connected
@@ -29,7 +29,7 @@ Configuration
- Router B:
-.. code-block:: console
+.. code-block:: none
set protocols bgp 65021 address-family ipv4-unicast redistribute connected
set protocols bgp 65021 address-family ipv6-unicast redistribute connected
@@ -51,7 +51,7 @@ Results
- Router A:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@@ -64,7 +64,7 @@ Results
192.168.0.1/32
::1/128
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
@@ -79,7 +79,7 @@ Results
B>* 192.168.0.2/32 [20/0] via fe80::a00:27ff:fe3b:7ed2, eth2, 00:05:07
* via fe80::a00:27ff:fe7b:4000, eth1, 00:05:07
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
@@ -93,7 +93,7 @@ Results
5 packets transmitted, 5 received, 0% packet loss, time 4086ms
rtt min/avg/max/mdev = 0.575/0.612/0.682/0.047 ms
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show ip bgp summary
@@ -112,7 +112,7 @@ Results
- Router B:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@@ -125,7 +125,7 @@ Results
192.168.0.2/32
::1/128
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
@@ -140,7 +140,7 @@ Results
* via fe80::a00:27ff:fe93:e142, eth2, 00:06:18
C>* 192.168.0.2/32 is directly connected, lo, 00:44:11
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
@@ -153,7 +153,7 @@ Results
4 packets transmitted, 4 received, 0% packet loss, time 3051ms
rtt min/avg/max/mdev = 0.427/0.598/0.782/0.155 ms
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show ip bgp summary
IPv4 Unicast Summary:
diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst
index 4ccce3d9..30ca8e86 100644
--- a/docs/appendix/examples/dmvpn.rst
+++ b/docs/appendix/examples/dmvpn.rst
@@ -9,7 +9,7 @@ General infomration can be found in the :ref:`vpn-dmvpn` chapter.
Configuration
^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
set interfaces tunnel tun100 address '172.16.253.134/29'
set interfaces tunnel tun100 encapsulation 'gre'
@@ -54,7 +54,7 @@ Cisco IOS Spoke
This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and
VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux).
-.. code-block:: console
+.. code-block:: none
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
@@ -65,7 +65,7 @@ VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux).
Use this configuration on your Cisco device:
-.. code-block:: console
+.. code-block:: none
crypto pki token default removal timeout 0
crypto keyring DMVPN
diff --git a/docs/appendix/examples/ospf-unnumbered.rst b/docs/appendix/examples/ospf-unnumbered.rst
index 13e5f961..84fc691e 100644
--- a/docs/appendix/examples/ospf-unnumbered.rst
+++ b/docs/appendix/examples/ospf-unnumbered.rst
@@ -10,7 +10,7 @@ Configuration
- Router A:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address '10.0.0.1/24'
set interfaces ethernet eth1 address '192.168.0.1/32'
@@ -27,7 +27,7 @@ Configuration
- Router B:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address '10.0.0.2/24'
set interfaces ethernet eth1 address '192.168.0.2/32'
@@ -48,7 +48,7 @@ Results
- Router A:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@@ -63,7 +63,7 @@ Results
vyos@vyos:~$
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
@@ -87,7 +87,7 @@ Results
- Router B:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@@ -102,7 +102,7 @@ Results
vyos@vyos:~$
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
diff --git a/docs/appendix/examples/tunnelbroker-ipv6.rst b/docs/appendix/examples/tunnelbroker-ipv6.rst
index 234d9cf1..ca3921ec 100644
--- a/docs/appendix/examples/tunnelbroker-ipv6.rst
+++ b/docs/appendix/examples/tunnelbroker-ipv6.rst
@@ -17,7 +17,7 @@ Setting up the initial tunnel
- Set up the initial IPv6 tunnel. Replace the field below from the fields on the `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ tunnel information page.
-.. code-block:: console
+.. code-block:: none
conf
set interfaces tunnel tun0 address Client_IPv6_from_Tunnelbroker # This will be your VyOS install's public IPv6 address
@@ -34,7 +34,7 @@ Setting up the initial tunnel
- At this point you should be able to ping an IPv6 address. Try pinging Google:
-.. code-block:: console
+.. code-block:: none
ping6 -c2 2001:4860:4860::8888
@@ -47,7 +47,7 @@ Setting up the initial tunnel
- Assuming the pings are successful, you need to add some DNS servers. Some options:
-.. code-block:: console
+.. code-block:: none
set system name-server 2001:4860:4860::8888 # Google
set system name-server 2001:4860:4860::8844 # Google
@@ -57,7 +57,7 @@ Setting up the initial tunnel
- You should now be able to ping something by IPv6 DNS name:
-.. code-block:: console
+.. code-block:: none
# ping6 -c2 one.one.one.one
PING one.one.one.one(one.one.one.one) 56 data bytes
@@ -87,7 +87,7 @@ Single LAN Setup
Single LAN setup where eth1 is your LAN interface. Use the /64 (all the xxxx should be replaced with the information from your `Routed /64` tunnel):
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth1 address '2001:470:xxxx:xxxx::1/64'
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888'
@@ -118,7 +118,7 @@ In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff (1-65
So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64'
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888'
diff --git a/docs/appendix/examples/zone-policy.rst b/docs/appendix/examples/zone-policy.rst
index 66cc3338..7a25d063 100644
--- a/docs/appendix/examples/zone-policy.rst
+++ b/docs/appendix/examples/zone-policy.rst
@@ -8,7 +8,7 @@ Native IPv4 and IPv6
We have three networks.
-.. code-block:: console
+.. code-block:: none
WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64
LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64
@@ -25,7 +25,7 @@ WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30.
It will look something like this:
-.. code-block:: console
+.. code-block:: none
interfaces {
ethernet eth0 {
@@ -80,7 +80,7 @@ ruleset.
In rules, it is good to keep them named consistently. As the number of rules
you have grows, the more consistency you have, the easier your life will be.
-.. code-block:: console
+.. code-block:: none
Rule 1 - State Established, Related
Rule 2 - State Invalid
@@ -105,7 +105,7 @@ significant headaches when trying to troubleshoot a connectivity issue.
To add logging to the default rule, do:
-.. code-block:: console
+.. code-block:: none
set firewall name <ruleSet> enable-default-log
@@ -143,7 +143,7 @@ The following are the rules that were created for this example
(may not be complete), both in IPv4 and IPv6. If there is no IP specified,
then the source/destination address is not explicit.
-.. code-block:: console
+.. code-block:: none
WAN – DMZ:192.168.200.200 – tcp/80
WAN – DMZ:192.168.200.200 – tcp/443
@@ -195,7 +195,7 @@ then the source/destination address is not explicit.
Since we have 4 zones, we need to setup the following rulesets.
-.. code-block:: console
+.. code-block:: none
Lan-wan
Lan-local
@@ -217,7 +217,7 @@ connection attempts.
This is an example of the three base rules.
-.. code-block:: console
+.. code-block:: none
name wan-lan {
default-action drop
@@ -241,7 +241,7 @@ This is an example of the three base rules.
Here is an example of an IPv6 DMZ-WAN ruleset.
-.. code-block:: console
+.. code-block:: none
ipv6-name dmz-wan-6 {
default-action drop
@@ -317,7 +317,7 @@ zone-policy.
Start by setting the interface and default action for each zone.
-.. code-block:: console
+.. code-block:: none
set zone-policy zone dmz default-action drop
set zone-policy zone dmz interface eth0.30
@@ -342,7 +342,7 @@ LAN, WAN, DMZ, local and TUN (tunnel)
v6 pairs would be:
-.. code-block:: console
+.. code-block:: none
lan-tun
lan-local
@@ -363,7 +363,7 @@ You would have to add a couple of rules on your wan-local ruleset to allow proto
Something like:
-.. code-block:: console
+.. code-block:: none
rule 400 {
action accept
diff --git a/docs/appendix/migrate-from-vyatta.rst b/docs/appendix/migrate-from-vyatta.rst
index 3ac75167..eba9dc59 100644
--- a/docs/appendix/migrate-from-vyatta.rst
+++ b/docs/appendix/migrate-from-vyatta.rst
@@ -30,7 +30,7 @@ You just use ``add system image``, as if it was a new VC release (see
is to verify the new images digital signature. You will have to add the public
key manually once as it is not shipped the first time.
-.. code-block:: console
+.. code-block:: none
vyatta@vyatta:~$ wget http://wiki.vyos.net/so3group_maintainers.key
Connecting to vyos.net (x.x.x.x:80)
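Review bot: the listing in this hunk fetches the maintainers' signing key with `wget http://wiki.vyos.net/so3group_maintainers.key`, over plain HTTP, and the surrounding text says this key is what verifies the new image's digital signature. Anyone able to alter that download can substitute the key, so the docs should give the reader an authenticated way to check it, for example by publishing the key fingerprint to compare against after the download.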
@@ -41,7 +41,7 @@ key manually once as it is not shipped the first time.
For completion the key below corresponds to the key listed in the URL above.
-.. code-block:: console
+.. code-block:: none
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
@@ -101,7 +101,7 @@ Next add the VyOS image.
This example uses VyOS 1.0.0, however, it's better to install the latest
release.
-.. code-block:: console
+.. code-block:: none
vyatta@vyatta:~$ show system image
The system currently has the following image(s) installed:
diff --git a/docs/appendix/troubleshooting.rst b/docs/appendix/troubleshooting.rst
index cf0361ee..27cb0d01 100644
--- a/docs/appendix/troubleshooting.rst
+++ b/docs/appendix/troubleshooting.rst
@@ -15,7 +15,7 @@ commands. The options for each are shown (the options for each command were
displayed using the built-in help as described in the :ref:`cli`
section and are omitted from the output here):
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ ping
Possible completions:
@@ -25,7 +25,7 @@ section and are omitted from the output here):
Several options are available when more extensive troubleshooting is needed:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ ping 8.8.8.8
Possible completions:
@@ -51,7 +51,7 @@ Several options are available when more extensive troubleshooting is needed:
ttl
verbose
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ traceroute
Possible completions:
@@ -64,7 +64,7 @@ Several options are available when more extensive troubleshooting is needed:
However, another tool, mtr_, is available which combines ping and traceroute
into a single tool. An example of its output is shown:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ mtr 10.62.212.12
@@ -95,7 +95,7 @@ It's possible to monitor network traffic, either at the flow level or protocol
level. This can be useful when troubleshooting a variety of protocols and
configurations. The following interface types can be monitored:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ monitor interfaces
Possible completions:
@@ -117,7 +117,7 @@ To monitor traffic flows, issue the :code:`monitor interfaces <type> <name> flow
command, replacing `<type>` and `<name>` with your desired interface type and
name, respectively. Output looks like the following:
-.. code-block:: console
+.. code-block:: none
12.5Kb 25.0Kb 37.5Kb 50.0Kb 62.5Kb
????????????????????????????????????????????????????????????????????????????????????????????????????
@@ -145,7 +145,7 @@ traffic` command, replacing `<type>` and `<name>` with your desired interface
type and name, respectively. This command invokes the familiar tshark_ utility
and the following options are available:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ monitor interfaces ethernet eth0 traffic
Possible completions:
@@ -169,13 +169,13 @@ Interface Bandwith
to take a quick view on the used bandwith of an interface use the ``monitor bandwith`` command
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ monitor bandwidth interface eth0
show the following:
-.. code-block:: console
+.. code-block:: none
eth0 bmon 3.5
Interfaces │ RX bps pps %│ TX bps pps %
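Review bot: the prose line above the first block spells the command "monitor bandwith", while the block itself shows `monitor bandwidth interface eth0`, and the section title in the hunk header ("Interface Bandwith") has the same misspelling. Suggest correcting both to "bandwidth", putting the full command in the inline literal, and turning "to take a quick view ..." and "show the following:" into complete, capitalised sentences.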
@@ -210,7 +210,7 @@ Interface performance
To take a look on the network bandwith between two nodes, the ``monitor bandwidth-test`` command is used to run iperf.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ monitor bandwidth-test
Possible completions:
@@ -220,7 +220,7 @@ To take a look on the network bandwith between two nodes, the ``monitor bandwidt
| The ``accept`` command open a listen iperf server on TCP Port 5001
| The ``initiate`` command conncet to this server.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ monitor bandwidth-test initiate
Possible completions:
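Review bot: typo in the context line "The ``initiate`` command conncet to this server" (should be "connects"), and "open a listen iperf server" reads better as "opens a listening iperf server". Both lines sit directly above the changed directive, so they are cheap to fix in the same pass.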
@@ -235,13 +235,13 @@ Monitor command
The ``monitor command`` command allows you to repeatedly run a command to view a continuously refreshed output.
The command is run and output every 2 seconds, allowing you to monitor the output continuously without having to re-run the command. This can be useful to follow routing adjacency formation.
-.. code-block:: console
+.. code-block:: none
vyos@router:~$ monitor command "show interfaces"
Will clear the screen and show you the output of ``show interfaces`` every 2 seconds.
-.. code-block:: console
+.. code-block:: none
Every 2.0s: /opt/vyatta/bin/vyatta-op-cmd-wrapper s... Sun Mar 26 02:49:46 2019
@@ -264,13 +264,13 @@ To do this use the ``clear`` command in Operational mode.
to clear the console output
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ clear console
to clear interface counters
-.. code-block:: console
+.. code-block:: none
# clear all interfaces
vyos@vyos:~$ clear interface ethernet counters
@@ -279,7 +279,7 @@ to clear interface counters
The command follow the same logic as the ``set`` command in configuration mode.
-.. code-block:: console
+.. code-block:: none
# clear all counters of a interface type
vyos@vyos:~$ clear interface <interface_type> counters
@@ -289,7 +289,7 @@ The command follow the same logic as the ``set`` command in configuration mode.
to clear counters on firewall rulesets or single rules
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ clear firewall name <ipv4 ruleset name> counters
vyos@vyos:~$ clear firewall name <ipv4 ruleset name> rule <rule#> counters
diff --git a/docs/appendix/vyos-on-baremetal.rst b/docs/appendix/vyos-on-baremetal.rst
index 2ace97c5..14ba2adf 100644
--- a/docs/appendix/vyos-on-baremetal.rst
+++ b/docs/appendix/vyos-on-baremetal.rst
@@ -113,7 +113,7 @@ Create a bootable USB pendrive using e.g. Rufus_ on a Windows machine.
Connect serial port to a PC through null modem cable (RXD / TXD crossed over).
Set terminal emulator to 115200 8N1.
-.. code-block:: console
+.. code-block:: none
PC Engines apu4
coreboot build 20171130
@@ -134,7 +134,7 @@ Now boot from the ``USB MSC Drive Generic Flash Disk 8.07`` media by pressing
``2``, the VyOS boot menu will appear, just wait 10 seconds or press ``Enter``
to continue.
-.. code-block:: console
+.. code-block:: none
lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x VyOS - Boot Menu x
@@ -146,7 +146,7 @@ to continue.
The image will be loaded and the last lines you will get will be:
-.. code-block:: console
+.. code-block:: none
Loading /live/vmlinuz... ok
Loading /live/initrd.img...
@@ -154,7 +154,7 @@ The image will be loaded and the last lines you will get will be:
The Kernel will now spin up using a different console setting. Set terminal
emulator to 9600 8N1 and after a while your console will show:
-.. code-block:: console
+.. code-block:: none
Loading /live/vmlinuz... ok
Loading /live/initrd.img...
@@ -171,14 +171,14 @@ successful boot.
Use the following command to adjust the :ref:`serial-console` settings:
-.. code-block:: console
+.. code-block:: none
set system console device ttyS0 speed 115200
.. note:: Once you ``commit`` the above changes access to the serial interface
is lost until you set your terminal emulator to 115200 8N1 again.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show system console
device ttyS0 {
diff --git a/docs/cli.rst b/docs/cli.rst
index ef8ef84e..89030ddc 100644
--- a/docs/cli.rst
+++ b/docs/cli.rst
@@ -17,7 +17,7 @@ For example typing `sh` followed by the **[tab]** key will complete to `show`.
Pressing **[tab]** a second time will display the possible sub-commands of the
`show` command.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ s[tab]
set show
@@ -25,7 +25,7 @@ Pressing **[tab]** a second time will display the possible sub-commands of the
Example showing possible show commands:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show [tab]
Possible completions:
@@ -69,7 +69,7 @@ When viewing in page mode the following commands are available:
To enter configuration mode use the `configure` command:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ configure
[edit]
@@ -77,7 +77,7 @@ To enter configuration mode use the `configure` command:
.. note:: Prompt changes from `$` to `#`. To exit configuration mode, type `exit`.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~# exit
exit
diff --git a/docs/clustering.rst b/docs/clustering.rst
index 3462ee73..97678445 100644
--- a/docs/clustering.rst
+++ b/docs/clustering.rst
@@ -17,7 +17,7 @@ General cluster configuration
In the general cluster configuration the network interfaces used for monitoring and negotiation of the cluster health is defined.
Additionally, the communication interval settings, multicast group (for sending/receiving heartbeat messages), and pre-shared secret used in this monitoring is defined.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set cluster
Possible completions:
@@ -35,7 +35,7 @@ Cluster group configuration
For the cluster group configuration, the group name must be defined before the groups configuration can be set (See Example below).
After the group name is defined, the specific service to be clustered between primary and secondary nodes is configured.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set cluster group GROUPNAME
Possible completions:
@@ -48,7 +48,7 @@ After the group name is defined, the specific service to be clustered between pr
Review cluster status
---------------------
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show cluster status
@@ -58,7 +58,7 @@ Example
In the example below SSH is clustered between two nodes.
-.. code-block:: console
+.. code-block:: none
cluster {
dead-interval 20000
diff --git a/docs/commandscripting.rst b/docs/commandscripting.rst
index 195ad237..98e97d3c 100644
--- a/docs/commandscripting.rst
+++ b/docs/commandscripting.rst
@@ -8,7 +8,7 @@ VyOS supports executing configuration and operational commands non-interactively
To include VyOS-specific functions and aliases you need to ``source /opt/vyatta/etc/functions/script-template`` files at the top of your script.
-.. code-block:: console
+.. code-block:: none
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
@@ -22,7 +22,7 @@ Configuration commands are executed just like from a normal config session.
For example, if you want to disable a BGP peer on VRRP transition to backup:
-.. code-block:: console
+.. code-block:: none
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
@@ -41,7 +41,7 @@ Run operational commands
Unlike a normal configuration sessions, all operational commands must be prepended with ``run``, even if you haven't created a session with configure.
-.. code-block:: console
+.. code-block:: none
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
@@ -65,7 +65,7 @@ Here is a simple example:
print "set firewall group address-group somehosts address '1.1.1.2'"
-.. code-block:: console
+.. code-block:: none
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
@@ -82,7 +82,7 @@ There is a pitfall when working with configuration scripts. It is tempting to ca
On VyOS this will cause the following problem: After modifying the configuration via script like this once, it is not possible to manually modify the config anymore:
-.. code-block:: console
+.. code-block:: none
sudo ./myscript.sh # Modifies config
configure
@@ -93,14 +93,14 @@ On VyOS this will cause the following problem: After modifying the configuration
To avoid these problems, the proper way is to call a script with the ``vyattacfg`` group, e.g., by using the ``sg`` (switch group) command:
-.. code-block:: console
+.. code-block:: none
sg vyattacfg -c ./myscript.sh
To make sure that a script is not accidentally called without the ``vyattacfg`` group, the script can be safeguarded like this:
-.. code-block:: console
+.. code-block:: none
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
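Review bot: the safeguard line `exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"` does not forward arguments reliably. `$0` is unquoted inside the command substitution, so a script path containing spaces breaks, and `$@` embedded in a longer double-quoted string still expands to one word per argument, so with two or more arguments only the first stays in the `-c` string. Whatever does land in that string is parsed again by the shell that `sg` starts, under the vyattacfg group. Suggest `"$0"` inside `readlink -f`, `$*` instead of `$@`, and a sentence stating that the script should only be called with simple, trusted arguments.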
@@ -115,7 +115,7 @@ Any modifications done to work around unfixed bugs and implement enhancements wh
The default file looks like this:
-.. code-block:: console
+.. code-block:: none
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
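Review bot: style point on this block and the other script blocks in this file (the ones starting with `#!/bin/vbash`): they are shell scripts, not CLI transcripts, so `.. code-block:: sh` would keep syntax highlighting where `none` drops it. `none` fits the blocks that show command output or configuration trees; a blanket replacement loses that distinction.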
diff --git a/docs/configuration-overview.rst b/docs/configuration-overview.rst
index c4de884e..593fadfb 100644
--- a/docs/configuration-overview.rst
+++ b/docs/configuration-overview.rst
@@ -9,7 +9,7 @@ of system configuration.
The current active configuration -aka running configuration- can be viewed using the show configuration command.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show configuration
interfaces {
@@ -69,7 +69,7 @@ this is only one of the possible ways to display the configuration.
When the configuration is generated and the device is configured, changes are added through a collection of `set` and `delete` commands. You can see that collection of commands by entering `show configuration commands`, which is another way of seeing the running configuration.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address 'dhcp'
@@ -113,7 +113,7 @@ Navigating in Configuration Mode
When entering the configuration mode you are navigating inside the tree structure exported in the overview above,
to enter configuration mode enter the command `configure` when in operational mode
-.. code-block:: console
+.. code-block:: none
vyos@vyos$ configure
[edit]
@@ -125,7 +125,7 @@ All commands executed here are relative to the configuration level you have ente
To change the current hierarchy level use the command: `edit`
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# edit interfaces ethernet eth0
@@ -141,7 +141,7 @@ The `show` command within configuration mode will show the working configuration
indicating line changes with `+` for additions, `>` for replacements and `-` for deletions.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ configure
[edit]
@@ -174,7 +174,7 @@ indicating line changes with `+` for additions, `>` for replacements and `-` for
It is also possible to display all `set` commands within configuration mode using `show | commands`
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show interfaces ethernet eth0 | commands
set address dhcp
@@ -182,7 +182,7 @@ It is also possible to display all `set` commands within configuration mode usin
These commands are also relative to the level you are inside and only relevant configuration blocks will be displayed when entering a sub-level.
-.. code-block:: console
+.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# show
@@ -191,7 +191,7 @@ These commands are also relative to the level you are inside and only relevant c
Exiting from the configuration mode is done via the `exit` command from the top level, executing `exit` from within a sub-level takes you back to the top level.
-.. code-block:: console
+.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# exit
@@ -210,7 +210,7 @@ Configuration commands are flattened from the tree into 'one-liner' commands sho
These commands are also relative to the level where they are executed and all redundant information from the current level is removed from the command entered.
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# set interface ethernet eth0 address 203.0.113.6/24
@@ -223,14 +223,14 @@ These two commands above are essentially the same, just executed from different
To delete a configuration entry use the `delete` command, this also deletes all sub-levels under the current level you've specified in the `delete` command.
Deleting an entry will also result in the element reverting back to its default value if one exists.
-.. code-block:: console
+.. code-block:: none
[edit interfaces ethernet eth0]
vyos@vyos# delete address 203.0.113.6/24
Any change you do on the configuration, will not take effect until committed using the `commit` command in configuration mode.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# commit
[edit]
@@ -242,7 +242,7 @@ In order to preserve configuration changes upon reboot, the configuration must
also be saved once applied. This is done using the `save` command in
configuration mode.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# save
Saving configuration to '/config/config.boot'...
@@ -255,7 +255,7 @@ Configuration mode can not be exited while uncommitted changes exist. To exit
configuration mode without applying changes, the exit discard command can be
used.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# exit
Cannot exit: configuration modified.
@@ -267,7 +267,7 @@ used.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# save [tab]
Possible completions:
@@ -291,7 +291,7 @@ From this command you will have access to everything accessible from operational
Command completion and syntax help with `?` and `[tab]` will also work.
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# run show interfaces
@@ -313,7 +313,7 @@ Revisions are stored on disk. You can view them, compare them, and rollback to p
To view existing revisions, use `show system commit` operational mode command.
-.. code-block:: console
+.. code-block:: none
vyos@vyos-test-2# run show system commit
0 2015-03-30 08:53:03 by vyos via cli
@@ -327,7 +327,7 @@ To view existing revisions, use `show system commit` operational mode command.
To compare configuration revisions in configuration mode, use the compare command:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# compare [tab]
Possible completions:
@@ -356,7 +356,7 @@ Comparing Revisions
You can compare revisions with `compare X Y` command, where X and Y are revision numbers. The output will describe how the configuration X is when compared to Y, indicating with a plus sign (**+**) the additional parts X has when compared to y, and indicating with a minus sign (**-**) the lacking parts x misses when compared to y.
-.. code-block:: console
+.. code-block:: none
vyos@vyos-test-2# compare 0 6
[edit interfaces]
@@ -377,7 +377,7 @@ Rolling Back Changes
You can rollback configuration using the rollback command. This
command will apply the selected revision and trigger a system reboot.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# compare 1
[edit system]
@@ -414,7 +414,7 @@ Wipe config and restore default
In the case you want to completely delete your configuration and restore the default one, you can enter the following command in configuration mode:
-.. code-block:: console
+.. code-block:: none
load /opt/vyatta/etc/config.boot.default
diff --git a/docs/contributing/build-vyos.rst b/docs/contributing/build-vyos.rst
index 23feec84..9f5fc76b 100644
--- a/docs/contributing/build-vyos.rst
+++ b/docs/contributing/build-vyos.rst
@@ -17,7 +17,7 @@ Docker_. This process has been tested on clean installs of Debian Jessie, Stret
Installing Docker_ and prerequisites
-.. code-block:: console
+.. code-block:: none
$ apt-get update
$ apt-get install -y apt-transport-https ca-certificates curl \
@@ -48,7 +48,7 @@ the vyos-build repository).
The container can always be built directly from source:
-.. code-block:: console
+.. code-block:: none
$ git clone -b crux --single-branch https://github.com/vyos/vyos-build
$ docker build -t vyos/vyos-build docker
@@ -67,7 +67,7 @@ Build ISO inside container
After the container is generated either manually or fetched from DockerHub,
a fresh build of the VyOS ISO can begin.
-.. code-block:: console
+.. code-block:: none
$ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build bash
vyos_bld@d4220bb519a0:/vyos# ./configure --architecture amd64 \
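Review bot: the context line `docker run --rm -it --privileged -v $(pwd):/vyos ...` starts the build container with `--privileged`, and the surrounding text visible here does not say why. That flag gives the container close to host-level access, so a sentence explaining what the build needs it for would help readers decide where to run it. Separately, `$(pwd)` is unquoted and breaks when the checkout path contains spaces; `-v "$(pwd)":/vyos` avoids that.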
@@ -87,7 +87,7 @@ image:
This ISO can be customized with the following list of configure options.
The full and current list can be generated with ``./configure --help``:
-.. code-block:: console
+.. code-block:: none
-h, --help show this help message and exit
--architecture ARCHITECTURE
diff --git a/docs/contributing/development.rst b/docs/contributing/development.rst
index ae5172c9..547c238b 100644
--- a/docs/contributing/development.rst
+++ b/docs/contributing/development.rst
@@ -116,7 +116,7 @@ which of the many VyOS packages ship this file. You can determine the VyOS
package name in question by using Debians ``dpkg -S`` command of your running
VyOS installation.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~ dpkg -S /opt/vyatta/sbin/vyatta-update-webproxy.pl
vyatta-webproxy: /opt/vyatta/sbin/vyatta-update-webproxy.pl
@@ -146,7 +146,7 @@ In order to record you as the author of the fix please indentify yourself to Git
by setting up your name and email. This can be done local for this one and only
repository ``git config`` or globally using ``git config --global``.
-.. code-block:: console
+.. code-block:: none
git config --global user.name "J. Random Hacker"
git config --global user.email "jrhacker@example.net"
diff --git a/docs/firewall.rst b/docs/firewall.rst
index 9f573d90..59bbaa31 100644
--- a/docs/firewall.rst
+++ b/docs/firewall.rst
@@ -44,14 +44,14 @@ addresses and networks, the network group is recommended.
Here is an example of a network group for the IP networks that make up the
internal network:
-.. code-block:: console
+.. code-block:: none
set firewall group network-group NET-INSIDE network 192.168.0.0/24
set firewall group network-group NET-INSIDE network 192.168.1.0/24
Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they still need to have unique names, so you may want to append "-v4" or "-v6" to your group names.
-.. code-block:: console
+.. code-block:: none
set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
@@ -64,7 +64,7 @@ Ranges of ports can be specified by using `-`.
Here is an example of a port group a server:
-.. code-block:: console
+.. code-block:: none
set firewall group port-group PORT-TCP-SERVER1 port 80
set firewall group port-group PORT-TCP-SERVER1 port 443
@@ -79,7 +79,7 @@ is matched, and the ability to specify the criteria to match.
Example of a rule-set to filter traffic to the internal network:
-.. code-block:: console
+.. code-block:: none
set firewall name INSIDE-OUT default-action drop
set firewall name INSIDE-OUT rule 1010 action accept
@@ -96,7 +96,7 @@ Once a rule-set is created, it can be applied to an interface.
.. note:: Only one rule-set can be applied to each interface for `in`, `out`,
or `local` traffic for each protocol (IPv4 and IPv6).
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth1 firewall out name INSIDE-OUT
@@ -106,7 +106,7 @@ Applying a Rule-Set to a Zone
A named rule-set can also be applied to a zone relationship (note, zones must
first be created):
-.. code-block:: console
+.. code-block:: none
set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT
@@ -119,13 +119,13 @@ With the firewall you can set rules to accept, drop or reject ICMP in, out or lo
.. note:: **firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way
-.. code-block:: console
+.. code-block:: none
set firewall all-ping enable
When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied droping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests.
-.. code-block:: console
+.. code-block:: none
set firewall all-ping disable
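Review bot: spelling in the context around these two directives: "droping" in the sentence between the blocks should be "dropping", and the sentence quoted in the next hunk header has "comand". The note above the first block ("affects only to LOCAL") would read better as "affects only LOCAL traffic". None of this changes the described behaviour, so it can go in with the directive change.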
@@ -134,7 +134,7 @@ When the comand above is set, VyOS will answer no ICMP echo request addressed to
Example Partial Config
----------------------
-.. code-block:: console
+.. code-block:: none
firewall {
all-ping enable
diff --git a/docs/high-availability.rst b/docs/high-availability.rst
index 634b8742..81cc2d44 100644
--- a/docs/high-availability.rst
+++ b/docs/high-availability.rst
@@ -21,7 +21,7 @@ The required parameters are interface, vrid, and virtual-address.
minimal config
-.. code-block:: console
+.. code-block:: none
set high-availability vrrp group Foo vrid 10
set high-availability vrrp group Foo interface eth0
@@ -29,7 +29,7 @@ minimal config
You can verify your VRRP group status with the operational mode ``run show vrrp`` command:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# run show vrrp
Name Interface VRID State Last Transition
@@ -46,7 +46,7 @@ Disabling a VRRP group
You can disable a VRRP group with ``disable`` option:
-.. code-block:: console
+.. code-block:: none
set high-availability vrrp group Foo disable
@@ -57,7 +57,7 @@ Setting VRRP group priority
VRRP priority can be set with ``priority`` option:
-.. code-block:: console
+.. code-block:: none
set high-availability vrrp group Foo priority 200
@@ -68,7 +68,7 @@ Sync groups
A sync group allows VRRP groups to transition together.
-.. code-block:: console
+.. code-block:: none
edit high-availability
set sync-group MAIN member VLAN9
@@ -76,7 +76,7 @@ A sync group allows VRRP groups to transition together.
In the following example, when VLAN9 transitions, VLAN20 will also transition:
-.. code-block:: console
+.. code-block:: none
vrrp {
group VLAN9 {
@@ -108,13 +108,13 @@ VRRP can use two modes: preemptive and non-preemptive. In the preemptive mode, i
By default VRRP uses preemption. You can disable it with the "no-preempt" option:
-.. code-block:: console
+.. code-block:: none
set high-availability vrrp group Foo no-preempt
You can also configure the time interval for preemption with the "preempt-delay" option. For example, to set the higher priority router to take over in 180 seconds, use:
-.. code-block:: console
+.. code-block:: none
set high-availability vrrp group Foo preempt-delay 180
@@ -123,7 +123,7 @@ Unicast VRRP
By default VRRP uses multicast packets. If your network does not support multicast for whatever reason, you can make VRRP use unicast communication instead.
-.. code-block:: console
+.. code-block:: none
set high-availability vrrp group Foo peer-address 192.0.2.10
set high-availability vrrp group Foo hello-source-address 192.0.2.15
@@ -139,7 +139,7 @@ Health check scripts
This setup will make the VRRP process execute the ``/config/scripts/vrrp-check.sh script`` every 60 seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three times:
-.. code-block:: console
+.. code-block:: none
set high-availability vrrp group Foo health-check script /config/scripts/vrrp-check.sh
set high-availability vrrp group Foo health-check interval 60
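Review bot: markup slip in the context line above the directive: the inline literal reads ``/config/scripts/vrrp-check.sh script``, with the word "script" inside the closing backticks. It should be ``/config/scripts/vrrp-check.sh`` followed by "script" as plain text, otherwise the rendered path looks like it has a trailing argument.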
@@ -151,7 +151,7 @@ Transition scripts
Transition scripts can help you implement various fixups, such as starting and stopping services, or even modifying the VyOS config on VRRP transition.
This setup will make the VRRP process execute the ``/config/scripts/vrrp-fail.sh`` with argument ``Foo`` when VRRP fails, and the ``/config/scripts/vrrp-master.sh`` when the router becomes the master:
-.. code-block:: console
+.. code-block:: none
set high-availability vrrp group Foo transition-script backup "/config/scripts/vrrp-fail.sh Foo"
set high-availability vrrp group Foo transition-script fault "/config/scripts/vrrp-fail.sh Foo"
diff --git a/docs/image-mgmt.rst b/docs/image-mgmt.rst
index 0ac76016..ecef997d 100644
--- a/docs/image-mgmt.rst
+++ b/docs/image-mgmt.rst
@@ -8,7 +8,7 @@ each image on the storage device selected during the install process.
The directory structure of the boot device:
-.. code-block:: console
+.. code-block:: none
/
/boot
@@ -36,7 +36,7 @@ default-boot` command in operational mode.
A list of available images can be shown using the :code:`show system image`
command in operational mode.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show system image
The system currently has the following image(s) installed:
@@ -69,7 +69,7 @@ process will prompt you to use the current system configuration and SSH
security keys, allowing for the new image to boot using the current
configuration.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-1.2.0-rolling%2B201810030440-amd64.iso
Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-1.2.0-rolling%2B201810030440-amd64.iso
@@ -107,7 +107,7 @@ If you need some files from a previous images - take a look inside a
After reboot you might want to verify the version you are running with :code:`show version`
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show version
Version: VyOS 1.2.0-rolling+201810030440
diff --git a/docs/install.rst b/docs/install.rst
index 87f503a7..410932c0 100644
--- a/docs/install.rst
+++ b/docs/install.rst
@@ -64,7 +64,7 @@ https://pgp.mit.edu/pks/lookup?op=get&search=0xFD220285A0FE6D7E
Or from the following block:
-.. code-block:: console
+.. code-block:: none
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
@@ -126,7 +126,7 @@ The key is then pasted into a new text file and imported into GPG:
The import can be verified with:
-.. code-block:: console
+.. code-block:: none
$ gpg --list-keys
...
@@ -147,7 +147,7 @@ With the public key imported, the signature for the desired image needs to be do
Finally, verify the authencity of the downloaded image:
-.. code-block:: console
+.. code-block:: none
$ gpg2 --verify vyos-1.2.1-amd64.iso.asc vyos-1.2.1-amd64.iso
gpg: Signature made So 14 Apr 12:58:07 2019 CEST
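Review bot: "authencity" in the context line should be "authenticity". The command here is `gpg2 --verify` while the block in the previous hunk uses `gpg --list-keys`; picking one binary name for the whole verification procedure avoids readers importing the key into one keyring tool and verifying with another. The sample output also carries a localised day name ("So"), which is worth regenerating under an English locale if the block is refreshed.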
@@ -166,7 +166,7 @@ The VyOS ISO is a Live CD and will boot to a functional VyOS image.
To login to the system, use the default username ``vyos`` with password ``vyos``.
-.. code-block:: console
+.. code-block:: none
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
@@ -193,7 +193,7 @@ directory for mutable data such as configurations, keys, or custom scripts.
To install VyOS, run ``install image``.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ install image
Welcome to the VyOS install program. This script
@@ -247,7 +247,7 @@ To install VyOS, run ``install image``.
After the installation is complete, remove the Live CD and reboot the system:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ reboot
Proceed with reboot? (Yes/No) [No] Yes
@@ -284,7 +284,7 @@ Configure a DHCP server so that it gives the client
In this example we configured an existent VyOS as the DHCP server:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show service dhcp-server
shared-network-name mydhcp {
@@ -318,7 +318,7 @@ Configure a TFTP server so that it serves the following:
In the example we configured our existent VyOS as the TFTP server too:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show service tftp-server
directory /config/tftpboot
@@ -329,7 +329,7 @@ In the example we configured our existent VyOS as the TFTP server too:
Example of the contents of the TFTP server:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# ls -hal /config/tftpboot/
total 29M
@@ -354,7 +354,7 @@ Example of the contents of the TFTP server:
Example of simple (no menu) configuration file:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# cat /config/tftpboot/pxelinux.cfg/default
DEFAULT VyOS123
diff --git a/docs/interfaces/addresses.rst b/docs/interfaces/addresses.rst
index 188d1c00..6799b027 100644
--- a/docs/interfaces/addresses.rst
+++ b/docs/interfaces/addresses.rst
@@ -13,7 +13,7 @@ addresses might be:
An interface description is assigned using the following command:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 description 'OUTSIDE'
@@ -29,7 +29,7 @@ PPP.
The command is `set interfaces $type $name address $address`. Examples:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address 192.0.2.1/24
set interfaces tunnel tun0 address 10.0.0.1/30
@@ -45,7 +45,7 @@ pseudo-ethernet, wireless).
The command is `set interfaces $type $name address dhcp`. Examples:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 vif 90 address dhcp
set interfaces bridge br0 address dhcp
@@ -63,7 +63,7 @@ except :ref:`interfaces-tunnel`.
The command is `set interfaces $type $name address $address`. Examples:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address 2001:db8:100::ffff/64
set interfaces tunnel tun0 address 2001:db8::1/64
@@ -79,7 +79,7 @@ pseudo-ethernet, wireless).
The command is `set interfaces $type $name address dhcpv6`. Examples:
-.. code-block:: console
+.. code-block:: none
set interfaces bonding bond1 address dhcpv6
set interfaces bridge br0 vif 56 address dhcpv6
@@ -93,7 +93,7 @@ interfaces, and those that are directly connected to a physical interface
The command is `set interfaces $type $name ipv6 address autoconf`. Examples:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 vif 90 ipv6 address autoconf
set interfaces bridge br0 ipv6 address autoconf
@@ -111,7 +111,7 @@ MAC address, if you specify the prefix.
The command is `set interfaces $type $name ipv6 address eui64 $prefix`.
Examples:
-.. code-block:: console
+.. code-block:: none
set interfaces bridge br0 ipv6 address eui64 2001:db8:beef::/64
set interfaces pseudo-ethernet peth0 ipv6 address eui64 2001:db8:aa::/64
@@ -124,14 +124,14 @@ Router advertisements are described in `RFC4861 section 4.2`_. They are part of
To enable or disable, use:
-.. code-block:: console
+.. code-block:: none
set interfaces <interface> ipv6 router-advert send-advert <true or false>
To set the options described in "Router Advertisement Message Format":
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set interfaces <interface> ipv6 router-advert
Possible completions:
@@ -154,7 +154,7 @@ To set the options described in "Router Advertisement Message Format":
Prefix information is described in `RFC4861 section 4.6.2`_
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set interfaces <interface> ipv6 router-advert prefix <h:h:h:h:h:h:h:h/x>
Possible completions:
@@ -167,7 +167,7 @@ Prefix information is described in `RFC4861 section 4.6.2`_
To receive and accept RAs on an interface, you need to enable it with the following configuration command
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set system sysctl custom net.ipv6.conf.<interface name>.accept_ra value 2
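Review bot: the context sentence introducing this block ("To receive and accept RAs on an interface, you need to enable it with the following configuration command") ends without a colon and never says what `value 2` means. On Linux, accept_ra 2 accepts router advertisements even when forwarding is enabled, which is why a router needs 2 rather than 1. Since this page is being touched anyway, add one sentence saying so, and note that it should only be set on interfaces facing a segment whose RAs are trusted, because accepted RAs can install addresses and a default route.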
diff --git a/docs/interfaces/bonding.rst b/docs/interfaces/bonding.rst
index 19d78e4e..76c8714a 100644
--- a/docs/interfaces/bonding.rst
+++ b/docs/interfaces/bonding.rst
@@ -6,13 +6,13 @@ logical one. It's called bonding, or LAG, or ether-channel, or port-channel.
Create interface bondX, where X is just a number:
-.. code-block:: console
+.. code-block:: none
set interfaces bonding bond0 description 'my-sw1 int 23 and 24'
You are able to choose a hash policy:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set interfaces bonding bond0 hash-policy
Possible completions:
@@ -22,20 +22,20 @@ You are able to choose a hash policy:
For example:
-.. code-block:: console
+.. code-block:: none
set interfaces bonding bond0 hash-policy 'layer2'
You may want to set IEEE 802.3ad Dynamic link aggregation (802.3ad) AKA LACP
(don't forget to setup it on the other end of these links):
-.. code-block:: console
+.. code-block:: none
set interfaces bonding bond0 mode '802.3ad'
or some other modes:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set interfaces bonding bond0 mode
Possible completions:
@@ -52,7 +52,7 @@ or some other modes:
Now bond some physical interfaces into bond0:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 bond-group 'bond0'
set interfaces ethernet eth0 description 'member of bond0'
@@ -64,7 +64,7 @@ change its` duplex, for example) and assign IPs or VIFs on it.
You may check the result:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# run sh interfaces bonding
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
diff --git a/docs/interfaces/bridging.rst b/docs/interfaces/bridging.rst
index 3c11a64b..8d9c905e 100644
--- a/docs/interfaces/bridging.rst
+++ b/docs/interfaces/bridging.rst
@@ -7,7 +7,7 @@ Layer-2 traffic.
A bridge is created when a bridge interface is defined. In the example below
we will be creating a bridge for VLAN 100 and assigning a VIF to the bridge.
-.. code-block:: console
+.. code-block:: none
set interfaces bridge 'br100'
~~set interfaces ethernet eth1 vif 100 bridge-group bridge br100~~
@@ -17,14 +17,14 @@ Interfaces assigned to a bridge-group do not have address configuration. An IP
address can be assigned to the bridge interface itself, however, like any
normal interface.
-.. code-block:: console
+.. code-block:: none
set interfaces bridge br100 address '192.168.100.1/24'
set interfaces bridge br100 address '2001:db8:100::1/64'
Example Result:
-.. code-block:: console
+.. code-block:: none
bridge br100 {
address 192.168.100.1/24
@@ -49,7 +49,7 @@ Spanning-Tree Protocol. STP is disabled by default.
To enable spanning-tree use the
`set interfaces bridge <name> stp true` command:
-.. code-block:: console
+.. code-block:: none
set interfaces bridge br100 stp true
@@ -63,7 +63,7 @@ configured.
The `show bridge` operational command can be used to display configured
bridges:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show bridge
bridge name bridge id STP enabled interfaces
@@ -72,7 +72,7 @@ bridges:
If spanning-tree is enabled, the `show bridge <name> spanning-tree` command
can be used to show STP configuration:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show bridge br100 spanning-tree
br100
@@ -98,7 +98,7 @@ can be used to show STP configuration:
The MAC address-table for a bridge can be displayed using the
`show bridge <name> macs` command:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show bridge br100 macs
port no mac addr is local? ageing timer
diff --git a/docs/interfaces/dummy.rst b/docs/interfaces/dummy.rst
index 0479cf5e..dea4c387 100644
--- a/docs/interfaces/dummy.rst
+++ b/docs/interfaces/dummy.rst
@@ -8,7 +8,7 @@ Dummy interfaces can be used as interfaces that always stay up (in the same fash
Configuration commands:
-.. code-block:: console
+.. code-block:: none
interfaces
dummy <dum[0-999]>
diff --git a/docs/interfaces/ethernet.rst b/docs/interfaces/ethernet.rst
index 34260fc2..c7744b6c 100644
--- a/docs/interfaces/ethernet.rst
+++ b/docs/interfaces/ethernet.rst
@@ -6,7 +6,7 @@ Ethernet Interfaces
Ethernet interfaces allow for the configuration of speed, duplex, and hw-id
(MAC address). Below is an example configuration:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 address '2001:db8:1::ffff/64'
@@ -16,7 +16,7 @@ Ethernet interfaces allow for the configuration of speed, duplex, and hw-id
Resulting in:
-.. code-block:: console
+.. code-block:: none
ethernet eth1 {
address 192.168.0.1/24
@@ -35,7 +35,7 @@ In addition, Ethernet interfaces provide the extended operational commands:
Statistics available are driver dependent.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show interfaces ethernet eth0 physical
Settings for eth0:
diff --git a/docs/interfaces/index.rst b/docs/interfaces/index.rst
index 5d7caf1c..aa8d264e 100644
--- a/docs/interfaces/index.rst
+++ b/docs/interfaces/index.rst
@@ -6,7 +6,7 @@ Network Interfaces
Configured interfaces on a VyOS system can be displayed using the
`show interfaces` command.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@@ -21,7 +21,7 @@ Configured interfaces on a VyOS system can be displayed using the
A specific interface can be shown using the `show interfaces <type> <name>`
command.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show interfaces ethernet eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
diff --git a/docs/interfaces/l2tpv3.rst b/docs/interfaces/l2tpv3.rst
index a3fe3cd8..4514412d 100644
--- a/docs/interfaces/l2tpv3.rst
+++ b/docs/interfaces/l2tpv3.rst
@@ -11,7 +11,7 @@ L2TPv3 can transport any traffic including ethernet frames. L2TPv2 is limited to
L2TPv3 over IP
^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
# show interfaces l2tpv3
l2tpv3 l2tpeth10 {
@@ -35,7 +35,7 @@ UDP mode works better with NAT:
* Set local-ip to your local IP (LAN).
* Add a forwarding rule matching UDP port on your internet router.
-.. code-block:: console
+.. code-block:: none
# show interfaces l2tpv3
l2tpv3 l2tpeth10 {
@@ -61,7 +61,7 @@ This is the LAN extension use case. The eth0 port of the distant VPN peers will
IPSec:
-.. code-block:: console
+.. code-block:: none
set vpn ipsec ipsec-interfaces <VPN-interface>
set vpn ipsec esp-group test-ESP-1 compression 'disable'
@@ -89,7 +89,7 @@ IPSec:
Bridge:
-.. code-block:: console
+.. code-block:: none
set interfaces bridge br0 description 'L2 VPN Bridge'
# remote side in this example:
@@ -100,7 +100,7 @@ Bridge:
L2TPv3:
-.. code-block:: console
+.. code-block:: none
set interfaces l2tpv3 l2tpeth0 bridge-group bridge 'br0'
set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel'
diff --git a/docs/interfaces/pppoe.rst b/docs/interfaces/pppoe.rst
index 803b43fb..d8625722 100644
--- a/docs/interfaces/pppoe.rst
+++ b/docs/interfaces/pppoe.rst
@@ -22,7 +22,7 @@ Once you have an Ethernet device connected, i.e. eth0, then you can configure it
**Here is an example configuration:**
-.. code-block:: console
+.. code-block:: none
set interface ethernet eth0 description "DSL Modem"
set interface ethernet eth0 duplex auto
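Review bot: the commands in this block begin with `set interface ethernet eth0 ...` (singular), and the firewall example in the next hunk does the same, while every other file in this change writes `set interfaces ethernet ...`. Please check these against the CLI and correct the spelling here if it is a typo, so the example can be pasted as written.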
@@ -37,7 +37,7 @@ Once you have an Ethernet device connected, i.e. eth0, then you can configure it
* You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:
-.. code-block:: console
+.. code-block:: none
set interface ethernet eth0 pppoe 0 firewall in name NET-IN
set interface ethernet eth0 pppoe 0 firewall local name NET-LOCAL
@@ -52,7 +52,7 @@ Handling and troubleshooting
You can test connecting and disconnecting with the below commands:
-.. code-block:: console
+.. code-block:: none
disconnect interface 0
connect interface 0
@@ -62,20 +62,20 @@ You can check the PPPoE connection logs with the following:
This command shows the current statistics, status and some of the settings (i.e. MTU) for the current connection on pppoe0.
-.. code-block:: console
+.. code-block:: none
show interfaces pppoe 0
This command shows the entire log for the PPPoE connection starting with the oldest data. Scroll down with the <space> key to reach the end where the current data is.
-.. code-block:: console
+.. code-block:: none
show interfaces pppoe 0 log
This command shows the same log as without the 'tail' option but only starts with the last few lines and continues to show added lines until you exit with ``Ctrl + x``
-.. code-block:: console
+.. code-block:: none
show interfaces pppoe 0 log tail
diff --git a/docs/interfaces/qinq.rst b/docs/interfaces/qinq.rst
index f94ccda4..2049f511 100644
--- a/docs/interfaces/qinq.rst
+++ b/docs/interfaces/qinq.rst
@@ -14,7 +14,7 @@ The outer tag is the one closer/closest to the Ethernet header; its name is S-TA
Configuration commands:
-.. code-block:: console
+.. code-block:: none
interfaces
ethernet <eth[0-999]>
@@ -48,7 +48,7 @@ Configuration commands:
Example:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 vif-s 333
set interfaces ethernet eth0 vif-s 333 address 192.0.2.10/32
diff --git a/docs/interfaces/tunnel.rst b/docs/interfaces/tunnel.rst
index 2f884270..da452a8b 100644
--- a/docs/interfaces/tunnel.rst
+++ b/docs/interfaces/tunnel.rst
@@ -18,7 +18,7 @@ It takes an IPv4 packet and sends it as a payload of another IPv4 packet. For th
An example:
-.. code-block:: console
+.. code-block:: none
set interfaces tunnel tun0 encapsulation ipip
set interfaces tunnel tun0 local-ip 192.0.2.10
@@ -34,7 +34,7 @@ It's not likely that anyone will need it any time soon, but it does exist.
An example:
-.. code-block:: console
+.. code-block:: none
set interfaces tunnel tun0 encapsulation ipip
set interfaces tunnel tun0 local-ip 2001:db8:aa::1/64
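Review bot: this example pairs `encapsulation ipip` with an IPv6 `local-ip`, whereas the IPIP example in the previous hunk uses the same encapsulation with an IPv4 address (192.0.2.10). It looks like a copy-paste from the IPIP section. Check the encapsulation value against the section this block belongs to (probably the IPv6-in-IPv6 one). The `local-ip` here also carries a /64 prefix length although it is an endpoint address, which the IPv4 examples do not do.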
@@ -50,7 +50,7 @@ As the name implies, it's IPv4 encapsulated in IPv6, as simple as that.
An example:
-.. code-block:: console
+.. code-block:: none
set interfaces tunnel tun0 encapsulation ipip6
set interfaces tunnel tun0 local-ip 2001:db8:aa::1/64
@@ -68,7 +68,7 @@ The encapsulation overhead is the size of the IPv4 header of 20 bytes, therefore
An example:
-.. code-block:: console
+.. code-block:: none
set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 local-ip 192.0.2.10
@@ -96,7 +96,7 @@ The Cisco router defaults to 'gre ip' otherwise it would have to be configured a
**VyOS Router:**
-.. code-block:: console
+.. code-block:: none
set interfaces tunnel tun100 address '10.0.0.1/30'
set interfaces tunnel tun100 encapsulation 'gre'
@@ -105,7 +105,7 @@ The Cisco router defaults to 'gre ip' otherwise it would have to be configured a
**Cisco IOS Router:**
-.. code-block:: console
+.. code-block:: none
interface Tunnel100
ip address 10.0.0.2 255.255.255.252
@@ -122,7 +122,7 @@ configurations that are discarding IP protocol 47 or blocking your source/desint
**1. Confirm IP connectivity between tunnel local-ip and remote-ip:**
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ ping 203.0.113.10 interface 198.51.100.2 count 4
PING 203.0.113.10 (203.0.113.10) from 198.51.100.2 : 56(84) bytes of data.
@@ -137,7 +137,7 @@ configurations that are discarding IP protocol 47 or blocking your source/desint
**2. Confirm the link type has been set to GRE:**
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show interfaces tunnel tun100
tun100@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
@@ -154,7 +154,7 @@ configurations that are discarding IP protocol 47 or blocking your source/desint
**3. Confirm IP connectivity across the tunnel:**
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ ping 10.0.0.2 interface 10.0.0.1 count 4
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data.
@@ -172,14 +172,14 @@ Virtual Tunnel Interface (VTI)
Set Virtual Tunnel Interface
-.. code-block:: console
+.. code-block:: none
set interfaces vti vti0 address 192.168.2.249/30
set interfaces vti vti0 address 2001:db8:2::249/64
Results in:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show interfaces vti
vti vti0 {
diff --git a/docs/interfaces/vlan.rst b/docs/interfaces/vlan.rst
index cbab0a80..b2f67108 100644
--- a/docs/interfaces/vlan.rst
+++ b/docs/interfaces/vlan.rst
@@ -7,7 +7,7 @@ term used for this is `vif`. Configuration of a tagged sub-interface is
accomplished using the configuration command
`set interfaces ethernet <name> vif <vlan-id>`.
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth1 vif 100 description 'VLAN 100'
set interfaces ethernet eth1 vif 100 address '192.168.100.1/24'
@@ -15,7 +15,7 @@ accomplished using the configuration command
Resulting in:
-.. code-block:: console
+.. code-block:: none
ethernet eth1 {
address 192.168.100.1/24
@@ -33,7 +33,7 @@ Resulting in:
VLAN interfaces are shown as `<name>.<vlan-id>`, e.g. `eth1.100`:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
diff --git a/docs/interfaces/vxlan.rst b/docs/interfaces/vxlan.rst
index a4de5766..e3eb5c43 100644
--- a/docs/interfaces/vxlan.rst
+++ b/docs/interfaces/vxlan.rst
@@ -44,7 +44,7 @@ support this.
Configuration commands
^^^^^^^^^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
interfaces
vxlan <vxlan[0-16777215]>
@@ -74,7 +74,7 @@ This topology was built using GNS3.
Topology:
-.. code-block:: console
+.. code-block:: none
Spine1:
fa0/2 towards Leaf2, IP-address: 10.1.2.1/24
@@ -90,7 +90,7 @@ Topology:
Spine1 Configuration:
-.. code-block:: console
+.. code-block:: none
conf t
ip multicast-routing
@@ -113,7 +113,7 @@ from.
Leaf2 configuration:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address '10.1.2.2/24'
set protocols ospf area 0 network '10.0.0.0/8'
@@ -136,7 +136,7 @@ Leaf2 configuration:
Leaf3 configuration:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address '10.1.3.3/24'
set protocols ospf area 0 network '10.0.0.0/8'
@@ -161,7 +161,7 @@ As you can see, Leaf2 and Leaf3 configuration is almost identical. There are
lots of commands above, I'll try to into more detail below, command
descriptions are placed under the command boxes:
-.. code-block:: console
+.. code-block:: none
set interfaces bridge br241 address '172.16.241.1/24'
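Review bot: the context sentence above this block is missing a verb ("I'll try to into more detail below") and is joined to the next clause with a comma. Suggest "I'll try to go into more detail below; command descriptions are placed under the command boxes", since the lines are already part of this hunk.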
@@ -173,7 +173,7 @@ so that the Spine will learn how to reach it. To do this you need to change the
OSPF network from '10.0.0.0/8' to '0.0.0.0/0' to allow 172.16/12-networks to be
advertised.
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth1 vif 241 bridge-group bridge 'br241'
set interfaces vxlan vxlan241 bridge-group bridge 'br241'
@@ -181,28 +181,28 @@ advertised.
Binds eth1 vif 241 and vxlan241 to each other by putting them in the same
bridge-group. Internal VyOS requirement.
-.. code-block:: console
+.. code-block:: none
set interfaces vxlan vxlan241 group '239.0.0.241'
The multicast-group used by all Leafs for this vlan extension. Has to be the
same on all Leafs that has this interface.
-.. code-block:: console
+.. code-block:: none
set interfaces vxlan vxlan241 link 'eth0'
Sets the interface to listen for multicast packets on. Could be a loopback, not
yet tested.
-.. code-block:: console
+.. code-block:: none
set interfaces vxlan vxlan241 vni '241'
Sets the unique id for this vxlan-interface. Not sure how it correlates with
multicast-address.
-.. code-block:: console
+.. code-block:: none
set interfaces vxlan vxlan241 remote-port 12345
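Review bot: two of the command descriptions in this hunk are guesses rather than documentation: "Could be a loopback, not yet tested" under `link` and "Not sure how it correlates with multicast-address" under `vni`. Either test and state the result or drop the remark. For `vni`, the description can simply say that it is the segment identifier carried in the VXLAN header and is configured independently of the multicast group. Also "all Leafs that has this interface" should read "that have".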
@@ -217,7 +217,7 @@ Older Examples
Example for bridging normal L2 segment and vxlan overlay network, and using a
vxlan interface as routing interface.
-.. code-block:: console
+.. code-block:: none
interfaces {
bridge br0 {
@@ -248,7 +248,7 @@ router has a VLAN interface (26) facing the client devices and a VLAN interface
can flow between both routers' VLAN 26, but can't escape since there is no L3
gateway. You can add an IP to a bridge-group to create a gateway.
-.. code-block:: console
+.. code-block:: none
interfaces {
bridge br0 {
@@ -284,7 +284,7 @@ Alternative to multicast, the remote IPv4 address of the VXLAN tunnel can set di
Let's change the Multicast example from above:
-.. code-block:: console
+.. code-block:: none
# leaf2 and leaf3
delete interfaces vxlan vxlan241 group '239.0.0.241'
diff --git a/docs/interfaces/wireless.rst b/docs/interfaces/wireless.rst
index 8bc5d434..a7e796e9 100644
--- a/docs/interfaces/wireless.rst
+++ b/docs/interfaces/wireless.rst
@@ -9,13 +9,13 @@ If your device is configurable it will appear as `wlan` in `show interfaces`.
To be able to use the wireless interfaces you will first need to set a
regulatory domain with the country code of your locaion.
-.. code-block:: console
+.. code-block:: none
set system wifi-regulatory-domain SE
An example on how to set it up as an access point:
-.. code-block:: console
+.. code-block:: none
set interfaces wireless wlan0 address '192.168.99.1/24'
set interfaces wireless wlan0 type access-point
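Review bot: typo in the context line just above the first block of this hunk: "country code of your locaion" should be "location". Worth fixing in the same commit since the line sits directly next to the changed directive.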
@@ -27,7 +27,7 @@ An example on how to set it up as an access point:
Resulting in
-.. code-block:: console
+.. code-block:: none
interfaces {
[...]
diff --git a/docs/load-balancing.rst b/docs/load-balancing.rst
index abf399ea..0149ac76 100644
--- a/docs/load-balancing.rst
+++ b/docs/load-balancing.rst
@@ -15,7 +15,7 @@ In a minimal, configuration the following must be provided:
lets assume we have two dhcp WAN interfaces and one LAN (eth2)
-.. code-block:: console
+.. code-block:: none
set load-balancing wan interface-health eth0 nexthop 'dhcp'
set load-balancing wan interface-health eth1 nexthop 'dhcp'
@@ -32,7 +32,7 @@ If a packet doesn't match any rule it is sent by using the system routing table.
Create a load balancing rule, rule can be a number between 1 and 9999:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set load-balancing wan rule 1
Possible completions:
@@ -53,7 +53,7 @@ Interface weight
Let's expand the example from above and add a weight to the interfaces. The bandwidth from eth0 is larger than eth1.
Per default outbound traffic is distributed randomly across available interfaces. Weights can be assigned to interfaces to influence the balancing.
-.. code-block:: console
+.. code-block:: none
set load-balancing wan rule 1 interface eth0 weight 2
set load-balancing wan rule 1 interface eth1 weight 1
@@ -66,7 +66,7 @@ Rate limit
A packet rate limit can be set for a rule to apply the rule to traffic above or below a specified threshold.
To configure the rate limiting use:
-.. code-block:: console
+.. code-block:: none
set load-balancing wan rule <rule> limit <parameter>
@@ -85,7 +85,7 @@ This has the advantage that packets always arrive in order if links with differe
Packet-based balancing can lead to a better balance across interfaces when out of order packets are no issue. Per-packet-based balancing can be set for a balancing rule with:
-.. code-block:: console
+.. code-block:: none
set load-balancing wan rule <rule> per-packet-balancing
@@ -94,7 +94,7 @@ Exclude traffic
To exclude traffic from load balancing, traffic matching an exclude rule is not balanced but routed through the system routing table instead:
-.. code-block:: console
+.. code-block:: none
set load-balancing wan rule <rule> exclude
@@ -105,7 +105,7 @@ Health checks
The health of interfaces and paths assigned to the load balancer is periodically checked by sending ICMP packets (ping) to remote destinations, a TTL test or the execution of a user defined script.
If an interface fails the health check it is removed from the load balancer's pool of interfaces. To enable health checking for an interface:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set load-balancing wan interface-health <interface>
Possible completions:
@@ -116,14 +116,14 @@ If an interface fails the health check it is removed from the load balancer's po
Specify nexthop on the path to destination, ``ipv4-address`` can be set to ``dhcp``
-.. code-block:: console
+.. code-block:: none
set load-balancing wan interface-health <interface> nexthop <ipv4-address>
Set the number of health check failures before an interface is marked as unavailable, range for number is 1 to 10, default 1.
Or set the number of successful health checks before an interface is added back to the interface pool, range for number is 1 to 10, default 1.
-.. code-block:: console
+.. code-block:: none
set load-balancing wan interface-health <interface> failure-count <number>
set load-balancing wan interface-health <interface> success-count <number>
@@ -131,7 +131,7 @@ Or set the number of successful health checks before an interface is added back
Each health check is configured in its own test, tests are numbered and processed in numeric order.
For multi target health checking multiple tests can be defined:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set load-balancing wan interface-health eth1 test 0
Possible completions:
@@ -153,7 +153,7 @@ Source NAT rules
Per default, interfaces used in a load balancing pool replace the source IP of each outgoing packet with its own address to ensure that replies arrive on the same interface.
This works through automatically generated source NAT (SNAT) rules, these rules are only applied to balanced traffic. In cases where this behaviour is not desired, the automatic generation of SNAT rules can be disabled:
-.. code-block:: console
+.. code-block:: none
set load-balancing wan disable-source-nat
@@ -163,7 +163,7 @@ Sticky Connections
Upon reception of an incoming packet, when a response is sent, it might be desired to ensure that it leaves from the same interface as the inbound one.
This can be achieved by enabling sticky connections in the load balancing:
-.. code-block:: console
+.. code-block:: none
set load-balancing wan sticky-connections inbound
@@ -176,13 +176,13 @@ The primary interface is selected based on its weight and health, others become
Secondary interfaces to take over a failed primary interface are chosen from the load balancer's interface pool, depending on their weight and health.
Interface roles can also be selected based on rule order by including interfaces in balancing rules and ordering those rules accordingly. To put the load balancer in failover mode, create a failover rule:
-.. code-block:: console
+.. code-block:: none
set load-balancing wan rule <number> failover
Because existing sessions do not automatically fail over to a new path, the session table can be flushed on each connection state change:
-.. code-block:: console
+.. code-block:: none
set load-balancing wan flush-connections
@@ -195,7 +195,7 @@ Script execution
A script can be run when an interface state change occurs. Scripts are run from /config/scripts, for a different location specify the full path:
-.. code-block:: console
+.. code-block:: none
set load-balancing wan hook script-name
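Review bot: `script-name` in `set load-balancing wan hook script-name` is a placeholder but is not marked as one, unlike `<rule>`, `<interface>` and `<number>` in the neighbouring blocks of this file. Write it as `<script-name>` so readers do not type it literally. The introducing sentence is also a comma splice. Suggest splitting it: "Scripts are run from /config/scripts. For a different location, specify the full path:".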
@@ -219,7 +219,7 @@ A character at the start of each line depicts the state of the test
* ``-`` failed
* a blank indicates that no test has been carried out
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show wan-load-balance
Interface: eth0
@@ -240,7 +240,7 @@ A character at the start of each line depicts the state of the test
Show connection data of load balanced traffic:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show wan-load-balance connection
conntrack v1.4.2 (conntrack-tools): 3 flow entries have been shown.
@@ -252,6 +252,6 @@ Show connection data of load balanced traffic:
Restart
*******
-.. code-block:: console
+.. code-block:: none
restart wan-load-balance
diff --git a/docs/nat.rst b/docs/nat.rst
index 5c598f60..3c663bfe 100644
--- a/docs/nat.rst
+++ b/docs/nat.rst
@@ -21,7 +21,7 @@ To setup SNAT, we need to know:
In the example used for the Quick Start configuration above, we demonstrate
the following configuration:
-.. code-block:: console
+.. code-block:: none
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
@@ -29,7 +29,7 @@ the following configuration:
Which generates the following configuration:
-.. code-block:: console
+.. code-block:: none
rule 100 {
outbound-interface eth0
@@ -58,7 +58,7 @@ recommended.
A pool of addresses can be defined by using a **-** in the
`set nat source rule [n] translation address` statement.
-.. code-block:: console
+.. code-block:: none
set nat source rule 100 translation address '203.0.113.32-203.0.113.63'
@@ -108,7 +108,7 @@ To setup a NAT reflection rule, we need to create a rule to NAT connections
from the internal network to the same internal network to use the source
address of the internal interface.
-.. code-block:: console
+.. code-block:: none
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '192.168.0.0/24'
@@ -118,7 +118,7 @@ address of the internal interface.
Which results in a configuration of:
-.. code-block:: console
+.. code-block:: none
rule 110 {
description "NAT Reflection: INSIDE"
@@ -156,7 +156,7 @@ For other common port numbers, see: http://en.wikipedia.org/wiki/List_of_TCP_and
Our configuration commands would be:
-.. code-block:: console
+.. code-block:: none
set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 10 destination port '80'
@@ -166,7 +166,7 @@ Our configuration commands would be:
Which would generate the following NAT destination configuration:
-.. code-block:: console
+.. code-block:: none
nat {
destination {
@@ -198,7 +198,7 @@ the destination address has already been translated to 192.168.0.100.
So in our firewall policy, we want to allow traffic coming in on the outside
interface, destined for TCP port 80 and the IP address of 192.168.0.100.
-.. code-block:: console
+.. code-block:: none
set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100'
@@ -208,7 +208,7 @@ interface, destined for TCP port 80 and the IP address of 192.168.0.100.
This would generate the following configuration:
-.. code-block:: console
+.. code-block:: none
rule 20 {
action accept
@@ -248,7 +248,7 @@ notion of ports, such as GRE.
Here's an extract of a simple 1-to-1 NAT configuration with one internal and
one external interface:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address '192.168.1.1/24'
set interfaces ethernet eth0 description 'Inside interface'
@@ -305,7 +305,7 @@ VyOS Support
NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
`nat nptv6` configuration nodes.
-.. code-block:: console
+.. code-block:: none
set rule 10 inside-prefix 'fc00:dead:beef::/48'
set rule 10 outside-interface 'eth1'
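Review bot: the commands in this block start at `set rule 10 ...` with no parent path, although the sentence above says the feature lives under the `nat nptv6` nodes. As written they cannot be pasted from the top level. Either spell out the full path on each line or add the `edit` line that enters the node first, as the qos.rst blocks in this change do with `edit traffic-policy ...`.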
@@ -316,7 +316,7 @@ NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
Resulting in the following ip6tables rules:
-.. code-block:: console
+.. code-block:: none
Chain VYOS_DNPT_HOOK (1 references)
pkts bytes target prot opt in out source destination
@@ -368,14 +368,14 @@ but which are not actually assigned to a real network.
We only need a single step for this interface:
-.. code-block:: console
+.. code-block:: none
set interfaces dummy dum0 address '172.29.41.89/32'
NAT Configuration
*****************
-.. code-block:: console
+.. code-block:: none
set nat source rule 110 description 'Internal to ASP'
set nat source rule 110 destination address '172.27.1.0/24'
@@ -408,7 +408,7 @@ The ASP has documented their IPSec requirements:
Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above)
-.. code-block:: console
+.. code-block:: none
set vpn ipsec ike-group my-ike ikev2-reauth 'no'
set vpn ipsec ike-group my-ike key-exchange 'ikev1'
@@ -433,7 +433,7 @@ We'll use the IKE and ESP groups created above for this VPN.
Because we need access to 2 different subnets on the far side, we will need two different tunnels.
If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too.
-.. code-block:: console
+.. code-block:: none
set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE'
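Review bot: the pre-shared secret in this block is written as the quoted string 'PASSWORD IS HERE', which is itself a valid value and ends up as a guessable secret if the block is pasted unchanged. Use an angle-bracket placeholder such as `<pre-shared-secret>`, consistent with `<interface>` and `<rule>` elsewhere in these docs, and add a line telling the reader to substitute a long random value agreed with the peer.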
@@ -454,7 +454,7 @@ If you've completed all the above steps you no doubt want to see if it's all wor
Start by checking for IPSec SAs (Security Associations) with:
-.. code-block:: console
+.. code-block:: none
$ show vpn ipsec sa
diff --git a/docs/qos.rst b/docs/qos.rst
index d2a6bd2b..14fd7559 100644
--- a/docs/qos.rst
+++ b/docs/qos.rst
@@ -31,7 +31,7 @@ Such configuration takes place under the `traffic-policy` tree.
Available subtrees :
-.. code-block:: console
+.. code-block:: none
set traffic-policy drop-tail NAME
set traffic-policy fair-queue NAME
@@ -49,7 +49,7 @@ Apply traffic policy to an interface
Once a traffic-policy is created, you can apply it to an interface :
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 traffic-policy in WAN-IN
set interfaces etherhet eth0 traffic-policy out WAN-OUT
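Review bot: the second command in this block reads `set interfaces etherhet eth0 traffic-policy out WAN-OUT`; "etherhet" should be "ethernet", as on the line above it. The example fails if pasted as is, so please fix it along with the directive change.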
@@ -67,7 +67,7 @@ traffic that needs the bandwidth, the lower-priority traffic can use most of the
that the connection can be used fully by whatever wants it, without suffocating real-time traffic or
throttling background traffic too much.
-.. code-block:: console
+.. code-block:: none
set traffic-policy shaper download bandwidth '175mbit'
set traffic-policy shaper download class 10 bandwidth '10%'
@@ -1203,13 +1203,13 @@ Matching traffic
A class can have multiple match filters:
-.. code-block:: console
+.. code-block:: none
set traffic-policy <POLICY> <POLICY-NAME> class N match MATCH-FILTER-NAME
Example:
-.. code-block:: console
+.. code-block:: none
set traffic-policy shaper SHAPER class 30 match HTTP
set traffic-policy shaper SHAPER class 30 match HTTPs
@@ -1218,7 +1218,7 @@ A match filter contains multiple criteria and will match traffic if all those cr
For example:
-.. code-block:: console
+.. code-block:: none
set traffic-policy shaper SHAPER class 30 match HTTP ip protocol tcp
set traffic-policy shaper SHAPER class 30 match HTTP ip source port 80
@@ -1228,14 +1228,14 @@ This will match tcp traffic with source port 80.
description
***********
-.. code-block:: console
+.. code-block:: none
set traffic-policy shaper SHAPER class 30 match MATCH description "match filter description"
ether
*****
-.. code-block:: console
+.. code-block:: none
edit traffic-policy shaper SHAPER class 30 match MATCH ether
@@ -1251,20 +1251,20 @@ source
interface
*********
-.. code-block:: console
+.. code-block:: none
edit traffic-policy shaper SHAPER class 30 match MATCH interface <interface-name>
ip
**
-.. code-block:: console
+.. code-block:: none
edit traffic-policy shaper SHAPER class 30 match MATCH ip
destination
###########
-.. code-block:: console
+.. code-block:: none
set destination address IPv4-SUBNET
set destination port U32-PORT
@@ -1272,14 +1272,14 @@ destination
dscp
####
-.. code-block:: console
+.. code-block:: none
set dscp DSCPVALUE
max-length
##########
-.. code-block:: console
+.. code-block:: none
set max-length U32-MAXLEN
@@ -1288,14 +1288,14 @@ Will match ipv4 packets with a total length lesser than set value.
protocol
########
-.. code-block:: console
+.. code-block:: none
set protocol <IP PROTOCOL>
source
######
-.. code-block:: console
+.. code-block:: none
set source address IPv4-SUBNET
set source port U32-PORT
@@ -1308,13 +1308,13 @@ tcp
.. note:: This filter will only match packets with an IPv4 header length of
20 bytes (which is the majority of IPv4 packets anyway).
-.. code-block:: console
+.. code-block:: none
set tcp ack
Will match tcp packets with ACK flag set.
-.. code-block:: console
+.. code-block:: none
set tcp syn
@@ -1323,14 +1323,14 @@ Will match tcp packets with SYN flag set.
ipv6
****
-.. code-block:: console
+.. code-block:: none
edit traffic-policy shaper SHAPER class 30 match MATCH ipv6
destination
###########
- .. code-block:: console
+ .. code-block:: none
set destination address IPv6-SUBNET
set destination port U32-PORT
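Review bot: the directive under the ipv6 "destination" heading keeps its leading space on both the removed and the added line, unlike every other directive in this file. reStructuredText treats an indented directive as part of a block quote, so this block renders differently from its siblings. Drop the leading space while changing the line.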
@@ -1338,14 +1338,14 @@ destination
dscp
####
-.. code-block:: console
+.. code-block:: none
set dscp DSCPVALUE
max-length
##########
-.. code-block:: console
+.. code-block:: none
set max-length U32-MAXLEN
@@ -1354,14 +1354,14 @@ Will match ipv6 packets with a payload length lesser than set value.
protocol
########
-.. code-block:: console
+.. code-block:: none
set protocol IPPROTOCOL
source
######
-.. code-block:: console
+.. code-block:: none
set source address IPv6-SUBNET
set source port U32-PORT
@@ -1375,13 +1375,13 @@ tcp
http://en.wikipedia.org/wiki/IPv6_packet#Extension_headers for no header
extension.
-.. code-block:: console
+.. code-block:: none
set tcp ack
Will match tcp packets with ACK flag set.
-.. code-block:: console
+.. code-block:: none
set tcp syn
@@ -1390,18 +1390,18 @@ Will match tcp packets with SYN flag set.
mark
****
-.. code-block:: console
+.. code-block:: none
set traffic-policy shaper SHAPER class 30 match MATCH mark **firewall-mark**
vif
***
-.. code-block:: console
+.. code-block:: none
set traffic-policy shaper SHAPER class 30 match MATCH vif **vlan-tag**
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'
set interfaces ethernet eth1 traffic-policy out 'LAN-OUT'
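Review bot: in the mark and vif blocks, "**firewall-mark**" and "**vlan-tag**" sit inside code blocks, where inline markup is not processed, so the asterisks render literally and look like part of the command. Use the placeholder style already used for "interface <interface-name>" earlier in this file, i.e. <firewall-mark> and <vlan-tag>.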
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index c595a5ad..80074179 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -8,14 +8,14 @@ for a device with two interfaces.
Enter configuration mode:
-.. code-block:: console
+.. code-block:: none
vyos@vyos$ configure
vyos@vyos#
Configure network interfaces:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'OUTSIDE'
@@ -24,14 +24,14 @@ Configure network interfaces:
Enable SSH for remote management:
-.. code-block:: console
+.. code-block:: none
set service ssh port '22'
Configure DHCP Server and DNS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
@@ -42,7 +42,7 @@ Configure DHCP Server and DNS
And a DNS forwarder:
-.. code-block:: console
+.. code-block:: none
set service dns forwarding cache-size '0'
set service dns forwarding listen-address '192.168.0.1'
@@ -54,7 +54,7 @@ NAT and Firewall
Configure Source NAT for our "Inside" network.
-.. code-block:: console
+.. code-block:: none
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
@@ -64,7 +64,7 @@ Add a set of firewall policies for our "Outside" interface.
This configuration creates a proper stateful firewall that blocks all traffic:
-.. code-block:: console
+.. code-block:: none
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
@@ -83,7 +83,7 @@ If you wanted to enable SSH access to your firewall from the the Internet, you c
These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts:
-.. code-block:: console
+.. code-block:: none
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
@@ -98,14 +98,14 @@ These rules allow SSH traffic and rate limit it to 4 requests per minute. This b
Apply the firewall policies:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
Commit changes, save the configuration, and exit configuration mode:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# commit
vyos@vyos# save
@@ -124,7 +124,7 @@ One common use of traffic policy is to limit bandwidth for an interface. In
the example below we limit bandwidth for our LAN connection to 200 Mbit download
and out WAN connection to 50 Mbit upload:
-.. code-block:: console
+.. code-block:: none
set traffic-policy shaper WAN-OUT bandwidth '50Mbit'
set traffic-policy shaper WAN-OUT default bandwidth '50%'
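Review bot: the context sentence above this block says "and out WAN connection to 50 Mbit upload"; "out" should be "our". This is a small wording fix that can ride along with the change.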
@@ -137,7 +137,7 @@ and out WAN connection to 50 Mbit upload:
Resulting in the following configuration:
-.. code-block:: console
+.. code-block:: none
traffic-policy {
shaper WAN-OUT {
@@ -161,7 +161,7 @@ Resulting in the following configuration:
Once defined, a traffic policy can be applied to each interface using the
interface-level traffic-policy directive:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'
set interfaces ethernet eth1 traffic-policy out 'LAN-OUT'
@@ -180,14 +180,14 @@ Especially if you are allowing SSH access from the Internet, there are a few add
Create a user to replace the default `vyos` user:
-.. code-block:: console
+.. code-block:: none
set system login user myvyosuser level admin
set system login user myvyosuser authentication plaintext-password mysecurepassword
Set up SSH key based authentication. For example, on Linux you'd want to run `ssh-keygen -t rsa`. Then the contents of `id_rsa.pub` would be used below:
-.. code-block:: console
+.. code-block:: none
set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa
set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub
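Review bot: the values in the hardening example are bare words that cannot be told apart from literals, in particular "plaintext-password mysecurepassword" and "key contents_of_id_rsa.pub". A reader who pastes the block ends up with a documented password on an admin account. Other files in this patch mark substitutions with angle brackets (for example <name> and <ipv6net> in dhcpv6.rst); use the same convention here, e.g. <password> and <contents-of-id_rsa.pub>.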
@@ -198,7 +198,7 @@ Finally, try and ssh into the VyOS install as your new user.
Once you have confirmed that your new user can access your server, without a password, delete the original `vyos` user and disable password authentication into SSH:
-.. code-block:: console
+.. code-block:: none
delete system login user vyos
set service ssh disable-password-authentication
diff --git a/docs/routing/arp.rst b/docs/routing/arp.rst
index 7b26d88a..2d08e436 100644
--- a/docs/routing/arp.rst
+++ b/docs/routing/arp.rst
@@ -8,7 +8,7 @@ To manipulate or display ARP_ table entries, the following commands are implemen
adding a static arp entry
^^^^^^^^^^^^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
set protocols static arp 10.1.1.100 hwaddr 08:00:27:de:23:aa
commit
@@ -16,7 +16,7 @@ adding a static arp entry
display arp table entries
^^^^^^^^^^^^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
show protocols static arp
@@ -24,7 +24,7 @@ display arp table entries
10.1.1.1 ether 08:00:27:de:23:2e C eth1
10.1.1.100 ether 08:00:27:de:23:aa CM eth1
-.. code-block:: console
+.. code-block:: none
show protocols static arp interface eth1
Address HWtype HWaddress Flags Mask Iface
diff --git a/docs/routing/bgp.rst b/docs/routing/bgp.rst
index 453b865d..f0550fd4 100644
--- a/docs/routing/bgp.rst
+++ b/docs/routing/bgp.rst
@@ -10,7 +10,7 @@ A simple eBGP configuration:
**Node 1:**
-.. code-block:: console
+.. code-block:: none
set protocols bgp 65534 neighbor 192.168.0.2 ebgp-multihop '2'
set protocols bgp 65534 neighbor 192.168.0.2 remote-as '65535'
@@ -20,7 +20,7 @@ A simple eBGP configuration:
**Node 2:**
-.. code-block:: console
+.. code-block:: none
set protocols bgp 65535 neighbor 192.168.0.1 ebgp-multihop '2'
set protocols bgp 65535 neighbor 192.168.0.1 remote-as '65534'
@@ -35,13 +35,13 @@ creating a static route:**
**Node 1:**
-.. code-block:: console
+.. code-block:: none
set protocols static route 172.16.0.0/16 blackhole distance '254'
**Node 2:**
-.. code-block:: console
+.. code-block:: none
set protocols static route 172.17.0.0/16 blackhole distance '254'
@@ -53,7 +53,7 @@ A simple BGP configuration via IPv6.
**Node 1:**
-.. code-block:: console
+.. code-block:: none
set protocols bgp 65534 neighbor 2001:db8::2 ebgp-multihop '2'
set protocols bgp 65534 neighbor 2001:db8::2 remote-as '65535'
@@ -64,7 +64,7 @@ A simple BGP configuration via IPv6.
**Node 2:**
-.. code-block:: console
+.. code-block:: none
set protocols bgp 65535 neighbor 2001:db8::1 ebgp-multihop '2'
set protocols bgp 65535 neighbor 2001:db8::1 remote-as '65534'
@@ -79,13 +79,13 @@ creating a static route:**
**Node 1:**
-.. code-block:: console
+.. code-block:: none
set protocols static route6 2001:db8:1::/48 blackhole distance '254'
**Node 2:**
-.. code-block:: console
+.. code-block:: none
set protocols static route6 2001:db8:2::/48 blackhole distance '254'
@@ -96,7 +96,7 @@ Route filter can be applied using a route-map:
**Node1:**
-.. code-block:: console
+.. code-block:: none
set policy prefix-list AS65535-IN rule 10 action 'permit'
set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16'
@@ -119,7 +119,7 @@ Route filter can be applied using a route-map:
**Node2:**
-.. code-block:: console
+.. code-block:: none
set policy prefix-list AS65534-IN rule 10 action 'permit'
set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16'
diff --git a/docs/routing/igmp-proxy.rst b/docs/routing/igmp-proxy.rst
index 3a44ced6..f55323cc 100644
--- a/docs/routing/igmp-proxy.rst
+++ b/docs/routing/igmp-proxy.rst
@@ -14,7 +14,7 @@ simple example:
Interface eth1 LAN is behind NAT. In order to subscribe 10.0.0.0/23 subnet multicast which is in eth0 WAN we need igmp-proxy.
-.. code-block:: console
+.. code-block:: none
# show protocols igmp-proxy
interface eth0 {
diff --git a/docs/routing/mss-clamp.rst b/docs/routing/mss-clamp.rst
index 329910b0..986c5062 100644
--- a/docs/routing/mss-clamp.rst
+++ b/docs/routing/mss-clamp.rst
@@ -9,7 +9,7 @@ to clamp your TCP MSS value for IPv4 and IPv6.
Clamping can be disabled per interface using the `disable` keyword:
-.. code-block:: console
+.. code-block:: none
set firewall options interface pppoe0 disable
@@ -19,7 +19,7 @@ IPv4
Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
for your WireGuard `wg02` tunnel.
-.. code-block:: console
+.. code-block:: none
set firewall options interface pppoe0 adjust-mss '1452'
set firewall options interface wg02 adjust-mss '1372'
@@ -32,7 +32,7 @@ Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
To achieve the same for IPv6 please use:
-.. code-block:: console
+.. code-block:: none
set firewall options interface pppoe0 adjust-mss6 '1280'
set firewall options interface wg02 adjust-mss6 '1280'
diff --git a/docs/routing/ospf.rst b/docs/routing/ospf.rst
index 06840214..1e70f644 100644
--- a/docs/routing/ospf.rst
+++ b/docs/routing/ospf.rst
@@ -17,13 +17,13 @@ OSPFv2 (IPv4)
In order to have a VyOS system exchanging routes with OSPF neighbors, you will at least need to configure the area and a network,
-.. code-block:: console
+.. code-block:: none
set protocols ospf area 0 network 192.168.0.0/24
as well as the router ID.
-.. code-block:: console
+.. code-block:: none
set protocols ospf parameters router-id 10.1.1.1
@@ -33,7 +33,7 @@ Below you can see a typical configuration using 2 nodes, redistribute loopback a
**Node 1**
-.. code-block:: console
+.. code-block:: none
set interfaces loopback lo address 10.1.1.1/32
set protocols ospf area 0 network 192.168.0.0/24
@@ -50,7 +50,7 @@ Below you can see a typical configuration using 2 nodes, redistribute loopback a
**Node 2**
-.. code-block:: console
+.. code-block:: none
set interfaces loopback lo address 10.2.2.2/32
set protocols ospf area 0 network 192.168.0.0/24
@@ -69,7 +69,7 @@ A typical configuration using 2 nodes.
**Node 1:**
-.. code-block:: console
+.. code-block:: none
set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64
@@ -78,7 +78,7 @@ A typical configuration using 2 nodes.
**Node 2:**
-.. code-block:: console
+.. code-block:: none
set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64
@@ -93,7 +93,7 @@ Example configuration for WireGuard interfaces:
**Node 1**
-.. code-block:: console
+.. code-block:: none
set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64'
set interfaces wireguard wg01 address '192.168.0.1/24'
@@ -108,7 +108,7 @@ Example configuration for WireGuard interfaces:
**Node 2**
-.. code-block:: console
+.. code-block:: none
set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64'
set interfaces wireguard wg01 address '192.168.0.2/24'
@@ -123,7 +123,7 @@ Example configuration for WireGuard interfaces:
**Status**
-.. code-block:: console
+.. code-block:: none
vyos@ospf01:~$ sh ipv6 ospfv3 neighbor
Neighbor ID Pri DeadTime State/IfState Duration I/F[State]
diff --git a/docs/routing/pbr.rst b/docs/routing/pbr.rst
index a9c94191..b86e1c0b 100644
--- a/docs/routing/pbr.rst
+++ b/docs/routing/pbr.rst
@@ -13,7 +13,7 @@ Transparent Proxy
The following example will show how VyOS can be used to redirect web traffic to
an external transparent proxy:
-.. code-block:: console
+.. code-block:: none
set policy route FILTER-WEB rule 1000 destination port 80
set policy route FILTER-WEB rule 1000 protocol tcp
@@ -26,7 +26,7 @@ default routing table.
To create routing table 100 and add a new default gateway to be used by
traffic matching our route policy:
-.. code-block:: console
+.. code-block:: none
set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2
@@ -35,7 +35,7 @@ This can be confirmed using the show ip route table 100 operational command.
Finally, to apply the policy route to ingress traffic on our LAN interface,
we use:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth1 policy route FILTER-WEB
@@ -60,14 +60,14 @@ Routing tables that will be used in this example are:
Add default routes for routing ``table 10`` and ``table 11``
-.. code-block:: console
+.. code-block:: none
set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.1.1
set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2
Add policy route matching VLAN source addresses
-.. code-block:: console
+.. code-block:: none
set policy route PBR rule 20 set table '10'
set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10'
@@ -79,7 +79,7 @@ Add policy route matching VLAN source addresses
Apply routing policy to **inbound** direction of out VLAN interfaces
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 vif 10 policy route 'PBR'
set interfaces ethernet eth0 vif 11 policy route 'PBR'
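Review bot: the context line above this block reads "direction of out VLAN interfaces"; "out" should be "our". As written it can be misread as referring to the outbound direction, which contradicts the bolded "inbound".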
@@ -87,7 +87,7 @@ Apply routing policy to **inbound** direction of out VLAN interfaces
**OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) from PBR
-.. code-block:: console
+.. code-block:: none
set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut'
set policy route PBR rule 10 destination address '192.168.188.0/24'
diff --git a/docs/routing/rip.rst b/docs/routing/rip.rst
index eedb3852..da00e7b1 100644
--- a/docs/routing/rip.rst
+++ b/docs/routing/rip.rst
@@ -7,7 +7,7 @@ Simple RIP configuration using 2 nodes and redistributing connected interfaces.
**Node 1:**
-.. code-block:: console
+.. code-block:: none
set interfaces loopback address 10.1.1.1/32
set protocols rip network 192.168.0.0/24
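Review bot: "set interfaces loopback address 10.1.1.1/32" omits the interface name, while the OSPF example in this same patch writes "set interfaces loopback lo address 10.1.1.1/32". The Node 2 block in the next hunk has the same omission. Align both RIP examples with the OSPF form.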
@@ -15,7 +15,7 @@ Simple RIP configuration using 2 nodes and redistributing connected interfaces.
**Node 2:**
-.. code-block:: console
+.. code-block:: none
set interfaces loopback address 10.2.2.2/32
set protocols rip network 192.168.0.0/24
diff --git a/docs/routing/routing-policy.rst b/docs/routing/routing-policy.rst
index 4c4a4707..847f3574 100644
--- a/docs/routing/routing-policy.rst
+++ b/docs/routing/routing-policy.rst
@@ -15,7 +15,7 @@ Routing Policy Example
**Policy definition:**
-.. code-block:: console
+.. code-block:: none
#Create policy
set policy route-map setmet rule 2 action 'permit'
@@ -29,7 +29,7 @@ Routing Policy Example
**Routes learned before routing policy applied:**
-.. code-block:: console
+.. code-block:: none
vyos@vos1:~$ show ip bgp
BGP table version is 0, local router ID is 192.168.56.101
@@ -44,7 +44,7 @@ Routing Policy Example
**Routes learned after routing policy applied:**
-.. code-block:: console
+.. code-block:: none
vyos@vos1:~$ sho ip b
BGP table version is 0, local router ID is 192.168.56.101
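Review bot: the "after" capture runs the abbreviated "sho ip b", while the "before" capture in the previous hunk runs "show ip bgp". Documentation should show the full command in both places so that readers can compare the two outputs and search for the command.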
diff --git a/docs/routing/static.rst b/docs/routing/static.rst
index fcfe0bad..01e88988 100644
--- a/docs/routing/static.rst
+++ b/docs/routing/static.rst
@@ -8,7 +8,7 @@ Static routes are manually configured network routes.
A typical use for a static route is a static default route for systems that do
not make use of DHCP or dynamic routing protocols:
-.. code-block:: console
+.. code-block:: none
set protocols static route 0.0.0.0/0 next-hop 10.1.1.1 distance '1'
@@ -18,7 +18,7 @@ example below, RFC1918_ networks are set as blackhole routes.
This prevents these networks leaking out public interfaces, but it does not prevent
them from being used as the most specific route has the highest priority.
-.. code-block:: console
+.. code-block:: none
set protocols static route 10.0.0.0/8 blackhole distance '254'
set protocols static route 172.16.0.0/12 blackhole distance '254'
diff --git a/docs/services/conntrack.rst b/docs/services/conntrack.rst
index d40a3dbc..28f16d54 100644
--- a/docs/services/conntrack.rst
+++ b/docs/services/conntrack.rst
@@ -27,7 +27,7 @@ will be mandatorily defragmented.
Configuration
^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
# Protocols only for which local conntrack entries will be synced (tcp, udp, icmp, sctp)
set service conntrack-sync accept-protocol
@@ -69,20 +69,20 @@ The next exemple is a simple configuration of conntrack-sync.
First of all, make sure conntrack is enabled by running
-.. code-block:: console
+.. code-block:: none
show conntrack table ipv4
If the table is empty and you have a warning message, it means conntrack is not
enabled. To enable conntrack, just create a NAT or a firewall rule.
-.. code-block:: console
+.. code-block:: none
set firewall state-policy established action accept
You now should have a conntrack table
-.. code-block:: console
+.. code-block:: none
$ show conntrack table ipv4
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
@@ -99,7 +99,7 @@ You now should have a conntrack table
Now configure conntrack-sync service on ``router1`` **and** ``router2``
-.. code-block:: console
+.. code-block:: none
set service conntrack-sync accept-protocol 'tcp,udp,icmp'
set service conntrack-sync event-listen-queue-size '8'
@@ -115,7 +115,7 @@ the external-cache of the standby router
On active router run:
-.. code-block:: console
+.. code-block:: none
$ show conntrack-sync statistics
diff --git a/docs/services/dhcp-relay.rst b/docs/services/dhcp-relay.rst
index e2e4ff85..0b838442 100644
--- a/docs/services/dhcp-relay.rst
+++ b/docs/services/dhcp-relay.rst
@@ -28,27 +28,27 @@ Configuration
Enable DHCP relay for eth1 and eth2:
-.. code-block:: console
+.. code-block:: none
set service dhcp-relay interface eth1
set service dhcp-relay interface eth2
Set the IP address of the DHCP server:
-.. code-block:: console
+.. code-block:: none
set service dhcp-relay server 10.0.1.4
The router should discard DHCP packages already containing relay agent
information to ensure that only requests from DHCP clients are forwarded:
-.. code-block:: console
+.. code-block:: none
set service dhcp-relay relay-options relay-agents-packets discard
Commit the changes and show the results:
-.. code-block:: console
+.. code-block:: none
commit
show service dhcp-relay
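Review bot: the paragraph above the relay-agents-packets block says the router should discard "DHCP packages"; this should read "DHCP packets", matching the option name shown directly below it.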
@@ -61,7 +61,7 @@ Commit the changes and show the results:
The DHCP relay agent can be restarted with:
-.. code-block:: console
+.. code-block:: none
restart dhcp relay-agent
@@ -83,20 +83,20 @@ Configuration
Set eth1 to be the listening interface for the DHCPv6 relay:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-relay listen-interface eth1
Set eth2 to be the upstream interface and specify the IPv6 address of
the DHCPv6 server:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-relay upstream-interface eth2 address 2001:db8:100::4
Commit the changes and show results:
-.. code-block:: console
+.. code-block:: none
commit
show service dhcpv6-relay
@@ -108,13 +108,13 @@ Commit the changes and show results:
Show the current status of the DHCPv6 relay agent:
-.. code-block:: console
+.. code-block:: none
show dhcpv6 relay-agent status
The DHCPv6 relay agent can be restarted with:
-.. code-block:: console
+.. code-block:: none
restart dhcpv6 relay-agent
diff --git a/docs/services/dhcp.rst b/docs/services/dhcp.rst
index 81a88741..f11d9a7e 100644
--- a/docs/services/dhcp.rst
+++ b/docs/services/dhcp.rst
@@ -21,13 +21,13 @@ on `pppoe0`
Interface Configuration
^^^^^^^^^^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
set interface ethernet eth1 address 172.16.17.1/24
Multiple ranges can be defined and can contain holes.
-.. code-block:: console
+.. code-block:: none
set service dhcp-server shared-network-name dhcpexample authoritative
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 default-router 172.16.17.1
@@ -86,7 +86,7 @@ Failover
VyOS provides support for DHCP failover:
-.. code-block:: console
+.. code-block:: none
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover local-address '192.168.0.1'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover name 'foo'
@@ -97,13 +97,13 @@ VyOS provides support for DHCP failover:
The primary and secondary statements determines whether the server is
primary or secondary
-.. code-block:: console
+.. code-block:: none
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover status 'primary'
or
-.. code-block:: console
+.. code-block:: none
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover status 'secondary'
@@ -114,7 +114,7 @@ or
Static mappings MAC/IP
^^^^^^^^^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 static-mapping static-mapping-01 ip-address 172.16.17.10
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 static-mapping static-mapping-01 mac-address ff:ff:ff:ff:ff:ff
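Review bot: the static-mapping example uses "mac-address ff:ff:ff:ff:ff:ff", which is the Ethernet broadcast address and will never be presented by a client as its hardware address. Use a plausible unicast address instead, for example the 00:15:c5:b7:5e:23 already used in dhcpv6.rst.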
diff --git a/docs/services/dhcpv6.rst b/docs/services/dhcpv6.rst
index 799c4332..db566d5f 100644
--- a/docs/services/dhcpv6.rst
+++ b/docs/services/dhcpv6.rst
@@ -5,25 +5,25 @@ DHCPv6 server
VyOS provides DHCPv6 server functionality which is described in this section.
In order to use the DHCPv6 server it has to be enabled first:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server
To restart the DHCPv6 server (operational mode):
-.. code-block:: console
+.. code-block:: none
restart dhcpv6 server
To show the current status of the DHCPv6 server use:
-.. code-block:: console
+.. code-block:: none
show dhcpv6 server status
Show statuses of all assigned leases:
-.. code-block:: console
+.. code-block:: none
show dhcpv6 server leases
@@ -37,19 +37,19 @@ Clients receiving advertise messages from multiple servers choose the server
with the highest preference value. The range for this value is `0...255`. Set
a preference value for the DHCPv6 server:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server preference <preference value>
Delete a preference:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server preference
Show current preference:
-.. code-block:: console
+.. code-block:: none
show service dhcpv6-server preference
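Review bot: under "Delete a preference:" the command shown is "set service dhcpv6-server preference", which is the set form with no value. The lease-time and nis-domain sections later in this file use "delete" for removal, so this should read "delete service dhcpv6-server preference".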
@@ -60,19 +60,19 @@ The default lease time for DHCPv6 leases is 24 hours. This can be changed by
supplying a `default-time`, `maximum-time` and `minimum-time` (all values in
seconds):
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> lease-time {default <default-time> | maximum <maximum-time> | minimum <minimum-time>}
Reset the custom lease times:
-.. code-block:: console
+.. code-block:: none
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> lease-time {default | maximum | minimum}
Show the current configuration:
-.. code-block:: console
+.. code-block:: none
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> lease-time {default | maximum | minimum}
@@ -81,19 +81,19 @@ Specify NIS domain
A Network Information (NIS) domain can be set to be used for DHCPv6 clients:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-domain <nis-domain-name>
To Delete the NIS domain:
-.. code-block:: console
+.. code-block:: none
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-domain <nis-domain-name>
Show a configured NIS domain:
-.. code-block:: console
+.. code-block:: none
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-domain <nis-domain-name>
@@ -103,13 +103,13 @@ Specify NIS+ domain
The procedure to specify a Network Information Service Plus (NIS+) domain is
similar to the NIS domain one:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-domain <nisplus-domain-name>
To Delete the NIS+ domain:
-.. code-block:: console
+.. code-block:: none
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-domain <nisplus-domain-name>
@@ -122,19 +122,19 @@ Specify NIS server address
To specify a NIS server address for DHCPv6 clients:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-server <IPv6 address>
Delete a specified NIS server address:
-.. code-block:: console
+.. code-block:: none
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-server <IPv6 address>
Show specified NIS server addresses:
-.. code-block:: console
+.. code-block:: none
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-server
@@ -143,19 +143,19 @@ Specify NIS+ server address
To specify a NIS+ server address for DHCPv6 clients:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-server <IPv6 address>
Delete a specified NIS+ server address:
-.. code-block:: console
+.. code-block:: none
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-server <IPv6 address>
Show specified NIS+ server addresses:
-.. code-block:: console
+.. code-block:: none
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-server
@@ -169,19 +169,19 @@ By IPv6 address
A Session Initiation Protocol (SIP) server address can be specified
for DHCPv6 clients:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-address <IPv6 address>
Delete a specified SIP server address:
-.. code-block:: console
+.. code-block:: none
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-address <IPv6 address>
Show specified SIP server addresses:
-.. code-block:: console
+.. code-block:: none
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-address
@@ -190,19 +190,19 @@ By FQDN
A name for SIP server can be specified:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-name <sip-server-name>
Delete a specified SIP server name:
-.. code-block:: console
+.. code-block:: none
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-name <sip-server-name>
Show specified SIP server names:
-.. code-block:: console
+.. code-block:: none
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-name
@@ -211,19 +211,19 @@ Simple Network Time Protocol (SNTP) server address for DHCPv6 clients
A SNTP server address can be specified for DHCPv6 clients:
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name <name> subnet <ipv6net> sntp-server-address <IPv6 address>
Delete a specified SNTP server address:
-.. code-block:: console
+.. code-block:: none
delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> sntp-server-address <IPv6 address>
Show specified SNTP server addresses:
-.. code-block:: console
+.. code-block:: none
show service dhcpv6-server shared-network-name <name> subnet <ipv6net> sntp-server-address
@@ -241,14 +241,14 @@ connected to `eth1`, a DNS server at `2001:db8:111::111` is used for name
services. The range of the address pool shall be `::100` through `::199`. The
lease time will be left at the default value which is 24 hours.
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 address-range start 2001:db8:100::100 stop 2001:db8:100::199
set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 name-server 2001:db8:111::111
Commit the changes and show the configuration:
-.. code-block:: console
+.. code-block:: none
commit
show service dhcpv6-server
@@ -279,14 +279,14 @@ MAC address `00:15:c5:b7:5e:23`, this host-specific mapping shall be named
.. note:: The MAC address identifier is defined by the last 4 byte of the
MAC address.
-.. code-block:: console
+.. code-block:: none
set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 static-mapping client1 ipv6-address 2001:db8:100::101
set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 static-mapping client1 identifier c5b75e23
Commit the changes and show the configuration:
-.. code-block:: console
+.. code-block:: none
show service dhcp-server shared-network-name NET1
shared-network-name NET1 {
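Review bot: the block under "Commit the changes and show the configuration:" runs "show service dhcp-server shared-network-name NET1", but the mapping above it was created under "dhcpv6-server", and no "commit" is shown although the sentence announces one. Change the command to "show service dhcpv6-server shared-network-name NET1" and add the "commit" line, as the earlier "Commit the changes and show the configuration" block in this file does.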
diff --git a/docs/services/dns-forwarding.rst b/docs/services/dns-forwarding.rst
index 2ab04707..84e4fc93 100644
--- a/docs/services/dns-forwarding.rst
+++ b/docs/services/dns-forwarding.rst
@@ -5,33 +5,33 @@ Use DNS forwarding if you want your router to function as a DNS server for the
local network. There are several options, the easiest being 'forward all
traffic to the system DNS server(s)' (defined with set system name-server):
-.. code-block:: console
+.. code-block:: none
set service dns forwarding system
Manually setting DNS servers for forwarding:
-.. code-block:: console
+.. code-block:: none
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
Manually setting DNS servers with IPv6 connectivity:
-.. code-block:: console
+.. code-block:: none
set service dns forwarding name-server 2001:4860:4860::8888
set service dns forwarding name-server 2001:4860:4860::8844
Setting a forwarding DNS server for a specific domain:
-.. code-block:: console
+.. code-block:: none
set service dns forwarding domain example.com server 192.0.2.1
Set which networks or clients are allowed to query the DNS Server. Allow from all:
-.. code-block:: console
+.. code-block:: none
set service dns forwarding allow-from 0.0.0.0/0
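Review bot: missing documentation on the last example of this hunk, "set service dns forwarding allow-from 0.0.0.0/0". The text presents "Allow from all" without saying that it lets any client that can reach the router query the forwarder. Add a sentence, or a ".. note::", recommending that allow-from be limited to the local networks, and consider making the example a LAN prefix such as the 192.168.0.0/24 network implied by the LAN address used further down in this file.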
@@ -44,7 +44,7 @@ Router with two interfaces eth0 (WAN link) and eth1 (LAN). Split DNS for example
* Other DNS requests are forwarded to Google's DNS servers.
* The IP address for the LAN interface is 192.168.0.1.
-.. code-block:: console
+.. code-block:: none
set service dns forwarding domain example.com server 192.0.2.1
set service dns forwarding name-server 8.8.8.8
@@ -60,7 +60,7 @@ servers.
The IP addresses for the LAN interface are 192.168.0.1 and 2001:db8::1
-.. code-block:: console
+.. code-block:: none
set service dns forwarding domain example.com server 192.0.2.1
set service dns forwarding name-server 8.8.8.8
diff --git a/docs/services/dynamic-dns.rst b/docs/services/dynamic-dns.rst
index a0d75979..6a3c6e28 100644
--- a/docs/services/dynamic-dns.rst
+++ b/docs/services/dynamic-dns.rst
@@ -16,44 +16,44 @@ VyOS CLI and RFC2136
First, create an RFC2136_ config node :
-.. code-block:: console
+.. code-block:: none
edit service dns dynamic interface eth0 rfc2136 <confignodename>
Present your RNDC key to ddclient :
-.. code-block:: console
+.. code-block:: none
set key /config/dyndns/mydnsserver.rndc.key
Set the DNS server IP/FQDN :
-.. code-block:: console
+.. code-block:: none
set server dns.mydomain.com
Set the NS zone to be updated :
-.. code-block:: console
+.. code-block:: none
set zone mydomain.com
Set the records to be updated :
-.. code-block:: console
+.. code-block:: none
set record dyn
set record dyn2
You can optionally set a TTL (note : default value is 600 seconds) :
-.. code-block:: console
+.. code-block:: none
set ttl 600
This will generate the following ddclient config blocks:
-.. code-block:: console
+.. code-block:: none
server=dns.mydomain.com
protocol=nsupdate
@@ -70,7 +70,7 @@ This will generate the following ddclient config blocks:
You can also keep a different dns zone updated. Just create a new config node:
-.. code-block:: console
+.. code-block:: none
edit service dns dynamic interface eth0 rfc2136 <confignode2>
@@ -83,7 +83,7 @@ by ddclient.
To use such a service, you must define a login, a password, one or multiple
hostnames, a protocol and a server.
-.. code-block:: console
+.. code-block:: none
edit service dns dynamic interface eth0 service HeNet
set login my-login # set password my-password
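Review bot: the context line "set login my-login # set password my-password" puts the password command behind a "#" on the same line as the login command, although the paragraph above says a password must be defined. If it is meant to be a second command, put "set password my-password" on its own line. If it is meant as a comment, say so in the text, because a reader who pastes the line as shown will not have set a password.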
@@ -107,7 +107,7 @@ the services VyOS knows about:
To use DynDNS for example:
-.. code-block:: console
+.. code-block:: none
edit service dns dynamic interface eth0 service dyndns
set login my-login
@@ -116,7 +116,7 @@ To use DynDNS for example:
It's possible to use multiple services :
-.. code-block:: console
+.. code-block:: none
edit service dns dynamic interface eth0 service dyndns
set login my-login
@@ -139,7 +139,7 @@ record will be updated to point to your internal IP.
ddclient_ has another way to determine the WAN IP address. This is controlled
by these two options:
-.. code-block:: console
+.. code-block:: none
set service dns dynamic interface eth0 use-web url
set service dns dynamic interface eth0 use-web skip
diff --git a/docs/services/ipoe-server.rst b/docs/services/ipoe-server.rst
index 1e5e72dc..eed4cced 100644
--- a/docs/services/ipoe-server.rst
+++ b/docs/services/ipoe-server.rst
@@ -17,7 +17,7 @@ The clients mac address and the incoming interface is being used as control para
The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06.
Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration.
-.. code-block:: console
+.. code-block:: none
set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06
set service ipoe-server authentication mode 'local'
@@ -29,7 +29,7 @@ Other DHCP discovery requests will be ignored, unless the client mac has been en
The first address of the parameter ``client-subnet``, will be used as the default gateway.
Connected sessions can be checked via the ``show ipoe-server sessions`` command.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show ipoe-server sessions
@@ -46,7 +46,7 @@ for devices routed via the clients cpe.
IPv6 DNS addresses are optional.
-.. code-block:: console
+.. code-block:: none
set service ipoe-server authentication interface eth3 mac-address 08:00:27:2F:D8:06
set service ipoe-server authentication mode 'local'
@@ -57,7 +57,7 @@ IPv6 DNS addresses are optional.
set service ipoe-server dnsv6-server server-3 '2001:db8:bbb::'
set service ipoe-server interface eth3 client-subnet '192.168.1.0/24'
-.. code-block:: console
+.. code-block:: none
vyos@ipoe-server# run sh ipoe-server sessions
ifname | called-sid | calling-sid | ip | ip6 | ip6-dp | rate-limit | state | uptime | sid
@@ -74,7 +74,7 @@ Automatic VLAN creation
To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time.
-.. code-block:: console
+.. code-block:: none
set service ipoe-server interface eth2 network vlan
set service ipoe-server interface eth2 vlan-id 100
@@ -88,7 +88,7 @@ RADIUS Setup
To use a RADIUS server for authentication and bandwidth-shaping, the following example configuration can be used.
-.. code-block:: console
+.. code-block:: none
set service ipoe-server authentication mode 'radius'
set service ipoe-server authentication radius-server 10.100.100.1 secret 'password'
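Review bot: the RADIUS example uses the literal shared secret 'password' in "set service ipoe-server authentication radius-server 10.100.100.1 secret 'password'". Documentation examples get copied into running configurations, so use an obvious placeholder such as <secret> here, matching the <name> and <hostname> placeholder style used elsewhere in these docs.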
@@ -105,7 +105,7 @@ Bandwidth Shaping for local users
The rate-limit is set in kbit/sec.
-.. code-block:: console
+.. code-block:: none
set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit download '500'
set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit upload '500'
@@ -115,7 +115,7 @@ The rate-limit is set in kbit/sec.
set service ipoe-server interface eth2 client-subnet '192.168.0.0/24'
-.. code-block:: console
+.. code-block:: none
vyos@vyos# run show ipoe-server sessions
diff --git a/docs/services/lldp.rst b/docs/services/lldp.rst
index d58e105e..dccd68fa 100644
--- a/docs/services/lldp.rst
+++ b/docs/services/lldp.rst
@@ -74,7 +74,7 @@ Display neighbors
Exemple:
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~# show lldp neighbors
Capability Codes: R - Router, B - Bridge, W - Wlan r - Repeater, S - Station
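Review bot: typo in the context line directly above the changed directive, "Exemple:" should be "Example:". It is worth fixing in the same commit since this hunk already touches the block it introduces.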
diff --git a/docs/services/mdns-repeater.rst b/docs/services/mdns-repeater.rst
index abd3f7ef..22e824ba 100644
--- a/docs/services/mdns-repeater.rst
+++ b/docs/services/mdns-repeater.rst
@@ -12,14 +12,14 @@ multiple VLANs.
To enable mDNS repeater you need to configure at least two interfaces. To re-
broadcast all mDNS packets from `eth0` to `eth1` and vice versa run:
-.. code-block:: console
+.. code-block:: none
set service mdns repeater interface eth0
set service mdns repeater interface eth1
mDNS repeater can be temporarily disabled without deleting the service using
-.. code-block:: console
+.. code-block:: none
set service mdns repeater disable
diff --git a/docs/services/pppoe-server.rst b/docs/services/pppoe-server.rst
index 3f42ceab..8e37a068 100644
--- a/docs/services/pppoe-server.rst
+++ b/docs/services/pppoe-server.rst
@@ -15,7 +15,7 @@ The example below uses ACN as access-concentrator name, assigns an address
from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and
serves requests only on eth1.
-.. code-block:: console
+.. code-block:: none
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication local-users username foo password 'bar'
@@ -30,7 +30,7 @@ serves requests only on eth1.
Connections can be locally checked via the command
-.. code-block:: console
+.. code-block:: none
show pppoe-server sessions
ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
@@ -48,7 +48,7 @@ If the CIDR notation is used, multiple subnets can be setup which are used seque
**Client IP address via IP range definition**
-.. code-block:: console
+.. code-block:: none
set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
@@ -56,7 +56,7 @@ If the CIDR notation is used, multiple subnets can be setup which are used seque
**Client IP subnets via CIDR notation**
-.. code-block:: console
+.. code-block:: none
set service pppoe-server client-ip-pool subnet '10.1.1.0/24'
set service pppoe-server client-ip-pool subnet '10.1.2.0/24'
@@ -70,7 +70,7 @@ To use a radius server, you need to switch to authentication mode radius and
of course need to specify an IP for the server. You can have multiple RADIUS
server configured, if you wish to achieve redundancy.
-.. code-block:: console
+.. code-block:: none
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication mode 'radius'
@@ -84,7 +84,7 @@ RADIUS provides the IP addresses in the example above via Framed-IP-Address.
For remotely disconnect sessions and change some authentication parameters you can configure dae-server
-.. code-block:: console
+.. code-block:: none
set service pppoe-server authentication radius-settings dae-server ip-address '10.1.1.2'
set service pppoe-server authentication radius-settings dae-server port '3799'
@@ -92,20 +92,20 @@ For remotely disconnect sessions and change some authentication parameters you c
Example, from radius-server send command for disconnect client with username test
-.. code-block:: console
+.. code-block:: none
root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799 disconnect secret123
You can also use another attributes for identify client for disconnect, like Framed-IP-Address, Acct-Session-Id, etc.
Result commands appears in log
-.. code-block:: console
+.. code-block:: none
show log | match Disconnect*
Example for changing rate-limit via RADIUS CoA
-.. code-block:: console
+.. code-block:: none
echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa secret123
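Review bot: the prose lines between the three blocks in this hunk need a wording pass while the directives are being edited. "You can also use another attributes for identify client for disconnect" should read along the lines of "You can also use other attributes to identify the client to disconnect", and "Result commands appears in log" should be "The resulting commands appear in the log". Both radclient examples also pass "secret123" as the shared secret; a placeholder such as <secret> would make it clear that the value must match the configured dae-server secret.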
@@ -119,7 +119,7 @@ Automatic VLAN creation
VLAN's can be created by accel-ppp on the fly if via the use of the kernel module vlan_mon, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed.
VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface.
-.. code-block:: console
+.. code-block:: none
set service pppoe-server interface eth3 vlan-id 100
set service pppoe-server interface eth3 vlan-id 200
@@ -141,7 +141,7 @@ Bandwidth Shaping for local users
The rate-limit is set in kbit/sec.
-.. code-block:: console
+.. code-block:: none
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication local-users username foo password 'bar'
@@ -158,7 +158,7 @@ The rate-limit is set in kbit/sec.
Once the user is connected, the user session is using the set limits and can be displayed via 'show pppoe-server sessions'.
-.. code-block:: console
+.. code-block:: none
show pppoe-server sessions
ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
@@ -175,7 +175,7 @@ Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate
The command below enables it, assuming the RADIUS connection has been setup and is working.
-.. code-block:: console
+.. code-block:: none
set service pppoe-server authentication radius-settings rate-limit enable
@@ -191,7 +191,7 @@ Dual-stack provisioning with IPv6 PD via pppoe
The example below covers a dual-stack configuration via pppoe-server.
-.. code-block:: console
+.. code-block:: none
set service pppoe-server authentication local-users username test password 'test'
set service pppoe-server authentication mode 'local'
@@ -207,7 +207,7 @@ The example below covers a dual-stack configuration via pppoe-server.
The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address, to terminate the pppoe endpoint on the client side and a /56 subnet for the clients internal use.
-.. code-block:: console
+.. code-block:: none
vyos@pppoe-server:~$ sh pppoe-server sessions
ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
diff --git a/docs/services/snmp.rst b/docs/services/snmp.rst
index 8fd6a21e..6418a516 100644
--- a/docs/services/snmp.rst
+++ b/docs/services/snmp.rst
@@ -90,7 +90,7 @@ plain text.
Example
*******
-.. code-block:: console
+.. code-block:: none
# Define a community
set service snmp community routers authorization ro
@@ -139,7 +139,7 @@ The securityapproach in v3 targets:
Example
*******
-.. code-block:: console
+.. code-block:: none
set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
@@ -160,7 +160,7 @@ After commit the resulting configuration will look like:
.. note:: SNMPv3 keys won't we stored in plaintext. On ``commit`` the keys
will be encrypted and the encrypted key is based on the engineid!
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show service snmp
v3 {
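Review bot: typo in the note at the top of this hunk, "SNMPv3 keys won't we stored in plaintext" should be "won't be stored in plaintext". The same note says the encrypted key is based on the engineid; it would help to state what that means for the reader, for example whether the keys have to be entered again when the engineid changes.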
@@ -200,7 +200,7 @@ vyos@your_router:/config/user-data``. Once the script is uploaded, it needs to
be configured via the command below.
-.. code-block:: console
+.. code-block:: none
set service snmp script-extensions extension-name my-extension script your_script.sh
commit
@@ -209,7 +209,7 @@ be configured via the command below.
The OID ``.1.3.6.1.4.1.8072.1.3.2.3.1.1.4.116.101.115.116``, once called, will
contain the output of the extension.
-.. code-block:: console
+.. code-block:: none
root@vyos:/home/vyos# snmpwalk -v2c -c public 127.0.0.1 nsExtendOutput1
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."my-extension" = STRING: hello
@@ -226,7 +226,7 @@ Templates Management. A template for VyOS can be easily imported.
Create a file named ``VyOS-1.3.6.1.4.1.44641.ConfigMgmt-Commands`` using the
following content:
-.. code-block:: console
+.. code-block:: none
<Configuration-Management Device="VyOS" SystemOID="1.3.6.1.4.1.44641">
<Commands>
diff --git a/docs/services/ssh.rst b/docs/services/ssh.rst
index c770140b..3af71899 100644
--- a/docs/services/ssh.rst
+++ b/docs/services/ssh.rst
@@ -30,7 +30,7 @@ Configuration
Enabling SSH only requires you to add ``service ssh port NN``, where 'NN' is
the port you want SSH to listen on. By default, SSH runs on port 22.
-.. code-block:: console
+.. code-block:: none
set service ssh port 22
@@ -130,7 +130,7 @@ line. The third part is simply an identifier, and is for your own reference.
Under the user (in this example, ``vyos``), add the public key and the type.
The `identifier` is simply a string that is relevant to you.
-.. code-block:: console
+.. code-block:: none
set system login user vyos authentication public-keys 'identifier' key "AAAAB3Nz...."
set system login user vyos authentication public-keys 'identifier' type ssh-rsa"
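Review bot: the last line of this hunk ends with an unbalanced double quote, "type ssh-rsa"" has a closing quote with no opening one. The matching example in the next hunk writes "type ssh-rsa" without quotes, so drop the stray character here; pasted as shown, the CLI would wait for the quote to be closed.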
@@ -139,7 +139,7 @@ You can assign multiple keys to the same user by changing the identifier. In
the following example, both Unicron and xrobau will be able to SSH into VyOS
as the ``vyos`` user using their own keys.
-.. code-block:: console
+.. code-block:: none
set system login user vyos authentication public-keys 'Unicron' key "AAAAB3Nz...."
set system login user vyos authentication public-keys 'Unicron' type ssh-rsa
diff --git a/docs/services/sstp-server.rst b/docs/services/sstp-server.rst
index 6a394cc5..428a2e46 100644
--- a/docs/services/sstp-server.rst
+++ b/docs/services/sstp-server.rst
@@ -22,7 +22,7 @@ Self Signed CA and server certificates
To generate the CA, the server private key and certificates the following commands can be used.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ conf
[edit]
@@ -60,7 +60,7 @@ The example below will answer configuration request for the user user ``foo``.
Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically looks for all files and directories in ``/config/user-data/sstp``.
-.. code-block:: console
+.. code-block:: none
edit service sstp-server
set authentication local-users username foo password 'bar'
diff --git a/docs/services/tftp.rst b/docs/services/tftp.rst
index 185e594f..9ce46b02 100644
--- a/docs/services/tftp.rst
+++ b/docs/services/tftp.rst
@@ -10,7 +10,7 @@ simple to implement.
Example
^^^^^^^
-.. code-block:: console
+.. code-block:: none
# If you want to enable uploads, else TFTP server will act as read-only (optional)
set service tftp-server allow-upload
@@ -30,7 +30,7 @@ Example
The resulting configuration will look like:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show service
tftp-server {
diff --git a/docs/services/udp-broadcast-relay.rst b/docs/services/udp-broadcast-relay.rst
index 995213fa..40f738e6 100644
--- a/docs/services/udp-broadcast-relay.rst
+++ b/docs/services/udp-broadcast-relay.rst
@@ -14,7 +14,7 @@ support 99 IDs!
Example #1: To forward all broadcast packets received on `UDP port 1900` on
`eth3`, `eth4` or `eth5` to all other interfaces in this configuration.
-.. code-block:: console
+.. code-block:: none
set service broadcast-relay id 1 description 'SONOS'
set service broadcast-relay id 1 interface 'eth3'
@@ -25,7 +25,7 @@ Example #1: To forward all broadcast packets received on `UDP port 1900` on
Example #2: To Forward all broadcasts packets received on `UDP port 6969` on
`eth3` or `eth4` to the other interface in this configuration.
-.. code-block:: console
+.. code-block:: none
set service broadcast-relay id 2 description 'SONOS MGMT'
set service broadcast-relay id 2 interface 'eth3'
@@ -38,14 +38,14 @@ Disable Instance(s)
Each broadcast relay instance can be individually disabled without deleting the
configured node by using the following command:
-.. code-block:: console
+.. code-block:: none
set service broadcast-relay id <n> disable
In addition you can also disable the whole service without removing the
configuration by:
-.. code-block:: console
+.. code-block:: none
set service broadcast-relay disable
diff --git a/docs/services/webproxy.rst b/docs/services/webproxy.rst
index 8aca0b85..61546cda 100644
--- a/docs/services/webproxy.rst
+++ b/docs/services/webproxy.rst
@@ -19,7 +19,7 @@ URL Filtering is provided by Squidguard_.
Configuration
^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
# Enable proxy service
set service webproxy listen-address 192.168.0.1
@@ -46,7 +46,7 @@ Filtering by category
If you wan't to use existing blacklists you have to create/download a database
first. Otherwise you will not be able to commit the config changes.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# commit
[ service webproxy ]
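Review bot: typo in the first context line of this hunk, "If you wan't to use existing blacklists" should be "If you want to use existing blacklists". Fix it together with the directive change, since the sentence introduces the block being edited.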
@@ -83,7 +83,7 @@ The embedded Squid proxy can use LDAP to authenticate users against a company
wide directory. The following configuration is an example of how to use Active
Directory as authentication backend. Queries are done via LDAP.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show service webproxy
authentication {
@@ -117,7 +117,7 @@ Adjusting cache size
The size of the proxy cache can be adjusted by the user.
-.. code-block:: console
+.. code-block:: none
set service webproxy cache-size
Possible completions:
diff --git a/docs/system/config-management.rst b/docs/system/config-management.rst
index 9c4cc491..34f969e5 100644
--- a/docs/system/config-management.rst
+++ b/docs/system/config-management.rst
@@ -6,7 +6,7 @@ Config Management
The following changes the number of commit revisions. In the default settings, 20 revisions are stored locally.
-.. code-block:: console
+.. code-block:: none
set system config-management commit-revisions 50
@@ -14,7 +14,7 @@ The following changes the number of commit revisions. In the default settings, 2
| If you want to save all config changes to a remote destination. Set the commit-archive location. Every time a commit is successfully the config.boot file will be copied to the defined destinations.
-.. code-block:: console
+.. code-block:: none
set system config-management commit-archive location 'tftp://10.0.0.2'
@@ -22,7 +22,7 @@ The following changes the number of commit revisions. In the default settings, 2
A commit look now like this:
-.. code-block:: console
+.. code-block:: none
vyos@vyos-R1# commit
Archiving config...
diff --git a/docs/system/eventhandler.rst b/docs/system/eventhandler.rst
index 31f05f2c..4421e79c 100644
--- a/docs/system/eventhandler.rst
+++ b/docs/system/eventhandler.rst
@@ -7,7 +7,7 @@ Event handler allows you to execute scripts when a string that matches a regex a
It uses "feeds" (output of commands, or a named pipes) and "policies" that define what to execute if a regex is matched.
-.. code-block:: console
+.. code-block:: none
system
event-handler
@@ -29,7 +29,7 @@ It uses "feeds" (output of commands, or a named pipes) and "policies" that defin
In this small example a script runs every time a login failed and an interface goes down
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show system event-handler
feed Syslog {
diff --git a/docs/system/flowaccounting.rst b/docs/system/flowaccounting.rst
index 6caa0d3e..9c876001 100644
--- a/docs/system/flowaccounting.rst
+++ b/docs/system/flowaccounting.rst
@@ -30,7 +30,7 @@ In order for flow accounting information to be collected and displayed for an
interface, the interface must be configured for flow accounting. The following
example shows how to configure ``eth0`` and ``bond3`` for flow accounting.
-.. code-block:: console
+.. code-block:: none
set system flow-accounting interface eth0
set system flow-accounting interface bond3
@@ -41,7 +41,7 @@ VyOS supports version 5, 9 and 10 (IPFIX - IP Flow Information Export)
NetFlow v5 example:
-.. code-block:: console
+.. code-block:: none
set system flow-accounting netflow engine-id 100
set system flow-accounting netflow version 5
@@ -55,7 +55,7 @@ display captured network traffic information for all configured interfaces.
The following op-mode command shows flow accounting for eth0.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show flow-accounting interface eth0
flow-accounting for [eth0]
diff --git a/docs/system/host-information.rst b/docs/system/host-information.rst
index b5b16ed0..71209412 100644
--- a/docs/system/host-information.rst
+++ b/docs/system/host-information.rst
@@ -21,7 +21,7 @@ or over the internet.
Set a system host name:
-.. code-block:: console
+.. code-block:: none
set system host-name <hostname>
@@ -29,19 +29,19 @@ Set a system host name:
Show host name:
-.. code-block:: console
+.. code-block:: none
show system host-name
Delete host name:
-.. code-block:: console
+.. code-block:: none
delete system host-name <hostname>
Example: Set system hostname to 'RT01':
-.. code-block:: console
+.. code-block:: none
set system host-name RT01
commit
@@ -56,7 +56,7 @@ unique.
Set the system's domain:
-.. code-block:: console
+.. code-block:: none
set system domain-name <domain>
@@ -64,19 +64,19 @@ Set the system's domain:
Show domain:
-.. code-block:: console
+.. code-block:: none
show system domain-name
Remove domain name:
-.. code-block:: console
+.. code-block:: none
set system delete domain-name <domain>
Example: Set system domain to example.com:
-.. code-block:: console
+.. code-block:: none
set system domain-name example.com
commit
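Review bot: the command under "Remove domain name:" reads "set system delete domain-name <domain>", which mixes set and delete. The host name section earlier in this file uses "delete system host-name <hostname>" for the same operation, so this should be "delete system domain-name <domain>".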
@@ -90,20 +90,20 @@ How to assign IPs to interfaces is described in chapter
:ref:`interfaces-addresses`. This section shows how to statically map a system
IP to its host name for local (meaning on this VyOS instance) DNS resolution:
-.. code-block:: console
+.. code-block:: none
set system static-host-mapping host-name <hostname> inet <IP address>
Show static mapping:
-.. code-block:: console
+.. code-block:: none
show system static-host-mapping
Example: Create a static mapping between the system's hostname `RT01` and
IP address `10.20.30.41`:
-.. code-block:: console
+.. code-block:: none
set system static-host-mapping host-name RT01 inet 10.20.30.41
commit
@@ -117,25 +117,25 @@ Aliases
One or more system aliases (static mappings) can be defined:
-.. code-block:: console
+.. code-block:: none
set system static-host-mapping host-name <hostname> alias <alias>
Show aliases:
-.. code-block:: console
+.. code-block:: none
show system static-mapping
Delete alias:
-.. code-block:: console
+.. code-block:: none
delete system static-host-mapping host-name <hostname> alias <alias>
Example: Set alias `router1` for system with hostname `RT01`:
-.. code-block:: console
+.. code-block:: none
set system static-host-mapping host-name RT01 alias router1
commit
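Review bot: the command under "Show aliases:" is "show system static-mapping", while every other command in this section uses the node name "static-host-mapping", including "show system static-host-mapping" in the previous hunk. Change it to "show system static-host-mapping" so the example matches the node it configures.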
@@ -154,19 +154,19 @@ existing configurations are migrated to the new CLI commands.
It is replaced by inserting a static route into the routing table using:
-.. code-block:: console
+.. code-block:: none
set protocols static route 0.0.0.0/0 next-hop <gateway ip>
Delete the default route from the system
-.. code-block:: console
+.. code-block:: none
delete protocols static route 0.0.0.0/0
Show default route:
-.. code-block:: console
+.. code-block:: none
vyos@vyos$ show ip route 0.0.0.0
Routing entry for 0.0.0.0/0
diff --git a/docs/system/login-users.rst b/docs/system/login-users.rst
index 3296ff63..c34e41a0 100644
--- a/docs/system/login-users.rst
+++ b/docs/system/login-users.rst
@@ -16,20 +16,20 @@ Local
Create user account `jsmith` and the password `mypassword`.
-.. code-block:: console
+.. code-block:: none
set system login user jsmith full-name "Johan Smith"
set system login user jsmith authentication plaintext-password mypassword
The command:
-.. code-block:: console
+.. code-block:: none
show system login
will show the contents of :code:`system login` configuration node:
-.. code-block:: console
+.. code-block:: none
user jsmith {
authentication {
@@ -45,7 +45,7 @@ SSH with Public Keys
The following command will load the public key `dev.pub` for user `jsmith`
-.. code-block:: console
+.. code-block:: none
loadkey jsmith dev.pub
@@ -53,7 +53,7 @@ The following command will load the public key `dev.pub` for user `jsmith`
first. As an alternative you can also load the SSH public key directly
from a remote system:
-.. code-block:: console
+.. code-block:: none
loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub
@@ -61,7 +61,7 @@ In addition SSH public keys can be fully added using the CLI. Each key can be
given a unique identifier, `calypso` is used oin the example below to id an SSH
key.
-.. code-block:: console
+.. code-block:: none
set system login user jsmith authentication public-keys callisto key 'AAAAB3Hso...Q=='
set system login user jsmith authentication public-keys callisto type 'ssh-rsa'
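Review bot: the paragraph above the block names the key identifier as "calypso", but both commands use "callisto". Pick one and use it in both places. The same sentence has the typo "oin" for "in", and "to id an SSH key" would read better as "to identify an SSH key".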
@@ -75,7 +75,7 @@ The following command sets up two servers for RADIUS authentication, one with a
discrete timeout of `5` seconds and a discrete port of `1812` and the other using
a default timeout and port.
-.. code-block:: console
+.. code-block:: none
set system login radius-server 192.168.1.2 secret 's3cr3t0815'
set system login radius-server 192.168.1.2 timeout '5'
@@ -84,7 +84,7 @@ a default timeout and port.
This configuration results in:
-.. code-block:: console
+.. code-block:: none
show system login
radius-server 192.168.1.2 {
@@ -109,7 +109,7 @@ not set incoming connections to the RADIUS server will use the nearest interface
address pointing towards the RADIUS server - making it error prone on e.g. OSPF
networks when a link fails.
-.. code-block:: console
+.. code-block:: none
set system login radius-source-address 192.168.1.254
@@ -118,7 +118,7 @@ Login Banner
You are able to set post-login or pre-login messages with the following lines:
-.. code-block:: console
+.. code-block:: none
set system login banner pre-login "UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED\n"
set system login banner post-login "Welcome to VyOS"
diff --git a/docs/system/ntp.rst b/docs/system/ntp.rst
index d9598a6f..95ff0692 100644
--- a/docs/system/ntp.rst
+++ b/docs/system/ntp.rst
@@ -5,7 +5,7 @@ NTP
there are 3 default NTP server set. You are able to change them.
-.. code-block:: console
+.. code-block:: none
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
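Review bot: the sentence introducing this block, "there are 3 default NTP server set. You are able to change them.", starts in lower case and has a number agreement error. Suggest "There are 3 default NTP servers set. You are able to change them." while the block is being edited.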
@@ -13,7 +13,7 @@ there are 3 default NTP server set. You are able to change them.
To set up VyOS as an NTP responder, you must specify the listen address and optionally the permitted clients.
-.. code-block:: console
+.. code-block:: none
set system ntp listen-address 192.168.199.1
set system ntp allow-clients address 192.168.199.0/24
diff --git a/docs/system/proxy.rst b/docs/system/proxy.rst
index 59bf6d52..f89794dd 100644
--- a/docs/system/proxy.rst
+++ b/docs/system/proxy.rst
@@ -8,14 +8,14 @@ The option allowes to set a HTTP proxy and if necessary, supports `basic auth`_.
The code example below sets a proxy for all HTTP, HTTPS and FTP (anonymous ftp) connections, initiated by vyos.
-.. code-block:: console
+.. code-block:: none
set system proxy url http://10.100.100.1
set system proxy port 8080
That enables the update of a system image if the vyos system operates behind a proxy.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
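Review bot: typo in the hunk header context, "The option allowes to set a HTTP proxy" should be "allows". The first paragraph also mentions support for basic auth, but the example sets only url and port; either add the commands for the credentials or say where they are documented, so a reader behind an authenticating proxy is not left guessing.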
diff --git a/docs/system/serialconsole.rst b/docs/system/serialconsole.rst
index dbb90b7a..730c9da1 100644
--- a/docs/system/serialconsole.rst
+++ b/docs/system/serialconsole.rst
@@ -8,7 +8,7 @@ Serial console
Configuring Console
-------------------
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set system console
Possible completions:
diff --git a/docs/system/syslog.rst b/docs/system/syslog.rst
index 29a9aec5..c9dc8a1c 100644
--- a/docs/system/syslog.rst
+++ b/docs/system/syslog.rst
@@ -16,14 +16,14 @@ Logging to serial console
The below would log all messages to :code:`/dev/console`.
-.. code-block:: console
+.. code-block:: none
set system syslog console facility all level all
Use the **[tab]** function to display all facilities and levels which can
be configured.
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set system syslog console facility <TAB>
Possible completions:
@@ -70,7 +70,7 @@ Logging to a custom file
Logging to a custom file, rotation size and the number of rotate files left
on the system can be configured.
-.. code-block:: console
+.. code-block:: none
set system syslog file <FILENAME> facility <FACILITY> level <LEVEL>
set system syslog file <FILENAME> archive file <NUMBER OF FILES>
@@ -88,7 +88,7 @@ using either TCP or UDP. The default is sending the messages via UDP.
**UDP**
-.. code-block:: console
+.. code-block:: none
set system syslog host 10.1.1.1 facility all level all
<optional>
@@ -97,7 +97,7 @@ using either TCP or UDP. The default is sending the messages via UDP.
**TCP**
-.. code-block:: console
+.. code-block:: none
set system syslog host 10.1.1.2 facility all level all
set system syslog host 10.1.1.2 facility all protocol tcp
@@ -109,7 +109,7 @@ If logging to a local useraccount is configured, all defined log messages are
display on the console if the local user is logged in, if the user is not
logged in, no messages are being displayed.
-.. code-block:: console
+.. code-block:: none
set system syslog user <LOCAL_USERNAME> facility <FACILITY> level <LEVEL>
@@ -118,7 +118,7 @@ Show logs
Display log files on the console
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show log
Possible completions:
@@ -149,7 +149,7 @@ Show contents of a log file in an image
Log messages from a specified image can be displayed on the console:
-.. code-block:: console
+.. code-block:: none
$ show log image <image name>
$ show log image <image name> [all | authorization | directory | file <file name> | tail <lines>]
diff --git a/docs/system/task-scheduler.rst b/docs/system/task-scheduler.rst
index 20a8640c..7fe49988 100644
--- a/docs/system/task-scheduler.rst
+++ b/docs/system/task-scheduler.rst
@@ -7,7 +7,7 @@ Task scheduler
| Task scheduler — allows scheduled task execution. Note that scripts excecuted this way are executed as root user - this may be dangerous.
| Together with :ref:`commandscripting` this can be used for automating configuration.
-.. code-block:: console
+.. code-block:: none
system
task-scheduler
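Review bot: the context line above the changed directive spells "excecuted", and the statement that scheduled scripts run as the root user sits inside a line block where it is easy to miss. While this file is being touched, fix the spelling and consider moving the root-execution caveat into a ".. warning::" admonition.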
@@ -24,7 +24,7 @@ Interval
You are able to set the time as an time interval.
-.. code-block:: console
+.. code-block:: none
set system task-scheduler task <name> interval <value><suffix>
@@ -38,14 +38,14 @@ If suffix is omitted, minutes are implied.
Or set the execution time in common cron time.
-.. code-block:: console
+.. code-block:: none
set system task-scheduler task TEST crontab-spec "* * * 1 *"
Example
*******
-.. code-block:: console
+.. code-block:: none
system
task-scheduler
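Review bot: the crontab-spec sample "* * * 1 *" in the first changed block of this hunk is left unexplained; in the standard five-field order the 1 sits in the month field, so the task fires every minute throughout January. Since the top of this file says these tasks run as root, a one-line explanation of the fields or a more typical schedule would keep readers from copying it as-is.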
diff --git a/docs/system/time-zone.rst b/docs/system/time-zone.rst
index 182829db..9e1690e8 100644
--- a/docs/system/time-zone.rst
+++ b/docs/system/time-zone.rst
@@ -5,7 +5,7 @@ Time Zone
To set the system time zone type:
-.. code-block:: console
+.. code-block:: none
[edit]
vyos@vyos# set system time-zone [time-zone] \ No newline at end of file
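Review bot: the last line of this hunk carries "\ No newline at end of file", so time-zone.rst still ends without a trailing newline after this change. Add one in the same commit so later edits to the file do not produce a noisy diff on this line.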
diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst
index aebbda97..9da6dde2 100644
--- a/docs/vpn/dmvpn.rst
+++ b/docs/vpn/dmvpn.rst
@@ -47,7 +47,7 @@ can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, t
HUB Configuration
^^^^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
interfaces
tunnel <tunN> {
@@ -119,7 +119,7 @@ HUB Configuration
HUB Example Configuration:
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address '198.51.100.41/30'
set interfaces ethernet eth1 address '192.168.1.1/24'
@@ -171,7 +171,7 @@ SPOKE Configuration
SPOKE1 Configuration:
-.. code-block:: console
+.. code-block:: none
interfaces
tunnel <tunN> {
@@ -248,7 +248,7 @@ SPOKE1 Configuration:
SPOKE1 Example Configuration
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.2.1/24'
@@ -294,7 +294,7 @@ SPOKE1 Example Configuration
SPOKE2 Configuration
-.. code-block:: console
+.. code-block:: none
interfaces
tunnel <tunN> {
@@ -371,7 +371,7 @@ SPOKE2 Configuration
SPOKE2 Example Configuration
-.. code-block:: console
+.. code-block:: none
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.3.1/24'
diff --git a/docs/vpn/gre-ipsec.rst b/docs/vpn/gre-ipsec.rst
index 3ca36b9f..38849f67 100644
--- a/docs/vpn/gre-ipsec.rst
+++ b/docs/vpn/gre-ipsec.rst
@@ -40,7 +40,7 @@ and the RIGHT router is 203.0.113.45
On the LEFT:
-.. code-block:: console
+.. code-block:: none
# GRE tunnel
set interfaces tunnel tun0 encapsulation gre
@@ -90,7 +90,7 @@ RIGHT router has a dynamic address on eth0.
On the LEFT:
-.. code-block:: console
+.. code-block:: none
set interfaces loopback lo address 192.168.99.1/32
@@ -101,7 +101,7 @@ On the LEFT:
On the RIGHT:
-.. code-block:: console
+.. code-block:: none
set interfaces loopback lo address 192.168.99.2/32
@@ -119,7 +119,7 @@ address, so we'll have to use RSA keys.
First, on both routers run the operational command "generate vpn rsa-key bits
2048". You may choose different length than 2048 of course.
-.. code-block:: console
+.. code-block:: none
vyos@left# run generate vpn rsa-key bits 2048
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
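Review bot: the context sentence "You may choose different length than 2048 of course" gives no direction, so a reader could take it as permission to pick a shorter key. Suggest rewording to something like "2048 bits or longer" alongside this directive change.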
@@ -131,7 +131,7 @@ First, on both routers run the operational command "generate vpn rsa-key bits
Then on the opposite router, add the RSA key to your config.
-.. code-block:: console
+.. code-block:: none
set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE
@@ -140,7 +140,7 @@ for the peer on the dynamic side.
On the LEFT (static address):
-.. code-block:: console
+.. code-block:: none
set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>
@@ -165,7 +165,7 @@ On the LEFT (static address):
On the RIGHT (dynamic address):
-.. code-block:: console
+.. code-block:: none
set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>
diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst
index 3d1a5ee7..a91399e2 100644
--- a/docs/vpn/l2tp.rst
+++ b/docs/vpn/l2tp.rst
@@ -6,7 +6,7 @@ L2TP over IPsec
Example for configuring a simple L2TP over IPsec VPN for remote access (works
with native Windows and Mac VPN clients):
-.. code-block:: console
+.. code-block:: none
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
@@ -36,7 +36,7 @@ for NAT-traversal:
Example:
-.. code-block:: console
+.. code-block:: none
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 destination port '50'
@@ -55,7 +55,7 @@ Example:
Also note that if you wish to allow the VPN to be used for external access you
will need to add the appropriate source NAT rules to your configuration.
-.. code-block:: console
+.. code-block:: none
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '192.168.255.0/24'
@@ -64,7 +64,7 @@ will need to add the appropriate source NAT rules to your configuration.
To be able to resolve when connected to the VPN, the following DNS rules are
needed as well.
-.. code-block:: console
+.. code-block:: none
set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
@@ -75,7 +75,7 @@ needed as well.
Established sessions can be viewed using the **show vpn remote-access**
operational command.
-.. code-block:: console
+.. code-block:: none
vyos@vyos:~$ show vpn remote-access
Active remote access VPN sessions:
@@ -92,7 +92,7 @@ like RADIUS_ (FreeRADIUS_ or Microsoft `Network Policy Server`_, NPS) is used.
VyOS supports either `local` or `radius` user authentication:
-.. code-block:: console
+.. code-block:: none
set vpn l2tp remote-access authentication mode <local|radius>
@@ -100,7 +100,7 @@ In addition one or more RADIUS_ servers can be configured to server for user
authentication. This is done using the `radius server` and `radius server key`
nodes:
-.. code-block:: console
+.. code-block:: none
set vpn l2tp remote-access authentication radius server 1.1.1.1 key 'foo'
set vpn l2tp remote-access authentication radius server 2.2.2.2 key 'foo'
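Review bot: both example lines in this hunk use the RADIUS shared secret 'foo' and the public addresses 1.1.1.1 and 2.2.2.2, which can be pasted into a live configuration unchanged. Suggest a placeholder such as <secret> and addresses from a documentation range, as the DMVPN and IPsec examples in this patch already do with 198.51.100.41 and 203.0.113.2. The hunk header context also has "configured to server for user", which should read "to serve".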
@@ -116,7 +116,7 @@ If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS
server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a
single source IP e.g. the loopback interface.
-.. code-block:: console
+.. code-block:: none
set vpn l2tp remote-access authentication radius source-address 3.3.3.3
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 764c991c..ce7dcc44 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -67,7 +67,7 @@ in our configuration.
Local Configuration:
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
@@ -81,7 +81,7 @@ Local Configuration:
Remote Configuration:
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
@@ -99,7 +99,7 @@ weak, but a number of other encryption and hashing algorithms are available:
For Encryption:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set interfaces openvpn vtun1 encryption
Possible completions:
@@ -113,7 +113,7 @@ For Encryption:
For Hashing:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# set interfaces openvpn vtun1 hash
Possible completions:
@@ -132,13 +132,13 @@ network of 10.1.0.0/16:
Local Configuration:
-.. code-block:: console
+.. code-block:: none
set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
Remote Configuration:
-.. code-block:: console
+.. code-block:: none
set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1
@@ -179,7 +179,7 @@ closing on connection resets or daemon reloads.
.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur.
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 mode server
set interfaces openvpn vtun10 local-port 1194
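Review bot: the note in this hunk names the option as "openvpn-option -reneg-sec" with a single dash, while the LDAP example later in this file passes "--plugin" with two. Use one form consistently, and wrap the note, which is currently a single very long line.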
@@ -189,7 +189,7 @@ closing on connection resets or daemon reloads.
Then we need to specify the location of the cryptographic materials. Suppose
you keep the files in `/config/auth/openvpn`
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt
set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
@@ -202,7 +202,7 @@ specify the subnet for client tunnel endpoints. Since we want clients to access
a specific network behind out router, we will use a push-route option for
installing that route on clients.
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 server push-route 192.168.0.0/16
set interfaces openvpn vtun10 server subnet 10.23.1.0/24
@@ -214,7 +214,7 @@ need configuration for each client to achieve this.
.. note:: Clients are identified by the CN field of their x.509 certificates,
in this example the CN is ``client0``:
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 server client client0 ip 10.23.1.10
set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25
@@ -223,7 +223,7 @@ OpenVPN **will not** automatically create routes in the kernel for client
subnets when they connect and will only use client-subnet association
internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
-.. code-block:: console
+.. code-block:: none
set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
@@ -242,13 +242,13 @@ Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is
shipped with every VyOS installation. A dedicated configuration file is required.
It is best practise to store it in ``/config`` to survive image updates
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
The required config file may look like:
-.. code-block:: console
+.. code-block:: none
<LDAP>
# LDAP server URL
@@ -275,7 +275,7 @@ Active Directory
Despite the fact that AD is a superset of LDAP
-.. code-block:: console
+.. code-block:: none
<LDAP>
# LDAP server URL
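Review bot: the context line "Despite the fact that AD is a superset of LDAP" is a sentence fragment that leads straight into the code block. Complete the sentence so the reader knows what differs for Active Directory before reading the configuration.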
@@ -309,7 +309,7 @@ Despite the fact that AD is a superset of LDAP
If you only want to check if the user account is enabled and can authenticate
(against the primary group) the following snipped is sufficient:
-.. code-block:: console
+.. code-block:: none
<LDAP>
URL ldap://dc01.example.com
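Review bot: the example in this hunk uses "URL ldap://dc01.example.com", so unless TLS is enabled elsewhere in the block, user credentials copied from this example would cross the network to the domain controller unencrypted. Suggest showing an ldaps:// URL or stating that TLS should be enabled. The context line also has "snipped" where "snippet" is meant.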
@@ -328,7 +328,7 @@ If you only want to check if the user account is enabled and can authenticate
A complete LDAP auth OpenVPN configuration could look like the following example:
-.. code-block:: console
+.. code-block:: none
vyos@vyos# show interfaces openvpn
openvpn vtun0 {
@@ -372,7 +372,7 @@ using their CN attribute in the SSL certificate.
Server
******
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 encryption 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
@@ -396,7 +396,7 @@ Server
Client
******
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 encryption 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
@@ -420,7 +420,7 @@ all users can benefit from it.
If you are a hacker or want to try on your own we support passing raw OpenVPN
options to OpenVPN.
-.. code-block:: console
+.. code-block:: none
set interfaces openvpn vtun10 openvpn-option 'persistent-key'
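Review bot: the example value 'persistent-key' on the last line of this hunk does not match an OpenVPN option name; the option is persist-key. Correct the example, since the surrounding text says raw options are passed through to OpenVPN as written.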
diff --git a/docs/vpn/pptp.rst b/docs/vpn/pptp.rst
index 68ded675..72b3feb0 100644
--- a/docs/vpn/pptp.rst
+++ b/docs/vpn/pptp.rst
@@ -12,7 +12,7 @@ If no gateway-address is set within the configuration, the lowest IP out of the
server example
^^^^^^^^^^^^^^
-.. code-block:: console
+.. code-block:: none
set vpn pptp remote-access authentication local-users username test password 'test'
set vpn pptp remote-access authentication mode 'local'
@@ -28,7 +28,7 @@ client example (debian 9)
Install the client software via apt and execute pptpsetup to generate the configuration.
-.. code-block:: console
+.. code-block:: none
apt-get install pptp-linux
pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt
@@ -39,7 +39,7 @@ The command pon TESTUNNEL establishes the PPTP tunnel to the remote system.
All tunnel sessions can be checked via:
-.. code-block:: console
+.. code-block:: none
run sh pptp-server sessions
ifname | username | calling-sid | ip | type | comp | state | uptime
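Review bot: the hunk header context shows "The command pon TESTUNNEL", but the preceding block creates the tunnel as TESTTUNNEL with pptpsetup, so the documented command does not match the generated configuration. Fix the name in the prose while touching this file.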
diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst
index 6cbb56c9..bdafd6ce 100644
--- a/docs/vpn/site2site_ipsec.rst
+++ b/docs/vpn/site2site_ipsec.rst
@@ -116,7 +116,7 @@ Example:
* right subnet: `10.0.0.0/24` site2,remote office side
* right local_ip: `203.0.113.2` # remote office side WAN IP
-.. code-block:: console
+.. code-block:: none
# server config
set vpn ipsec esp-group office-srv-esp compression 'disable'
@@ -166,7 +166,7 @@ Example:
Show status of new setup:
-.. code-block:: console
+.. code-block:: none
vyos@srv-gw0:~$ show vpn ike sa
Peer ID / IP Local ID / IP
@@ -186,7 +186,7 @@ Show status of new setup:
If there is SNAT rules on eth1, need to add exclude rule
-.. code-block:: console
+.. code-block:: none
# server side
set nat source rule 10 destination address '10.0.0.0/24'
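Review bot: the context sentence "If there is SNAT rules on eth1, need to add exclude rule" is ungrammatical and does not say what is being excluded. Suggest something like "If there are SNAT rules on eth1, add an exclude rule for traffic to the remote subnet", matching the destination address used in rule 10.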
@@ -203,7 +203,7 @@ If there is SNAT rules on eth1, need to add exclude rule
To allow traffic to pass through to clients, you need to add the following
rules. (if you used the default configuration at the top of this page)
-.. code-block:: console
+.. code-block:: none
# server side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
@@ -230,7 +230,7 @@ Imagine the following topology
**left**
-.. code-block:: console
+.. code-block:: none
set interfaces vti vti10 address '10.0.0.2/31'
@@ -264,7 +264,7 @@ Imagine the following topology
**right**
-.. code-block:: console
+.. code-block:: none
set interfaces vti vti10 address '10.0.0.3/31'
diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst
index 1fc2e11f..82c38f69 100644
--- a/docs/vpn/wireguard.rst
+++ b/docs/vpn/wireguard.rst
@@ -21,7 +21,7 @@ within VyOS.
It will be used per default on any configured wireguard interface, even if
multiple interfaces are being configured.
-.. code-block:: console
+.. code-block:: none
wg01:~$ configure
wg01# run generate wireguard keypair
@@ -29,7 +29,7 @@ multiple interfaces are being configured.
The public key is being shared with your peer(s), your peer will encrypt all
traffic to your system using this public key.
-.. code-block:: console
+.. code-block:: none
wg01# run show wireguard pubkey
u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=
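Review bot: the command in this block is "run show wireguard pubkey", while the operational commands section of the same file uses "run show wireguard keypair pubkey default". Confirm which form is current and use it in both places.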
@@ -45,7 +45,7 @@ their own keypairs.
The commands below will generate 2 keypairs, which are not related
to each other.
-.. code-block:: console
+.. code-block:: none
wg01:~$ configure
wg01# run generate wireguard named-keypairs KP01
@@ -69,7 +69,7 @@ below is always the public key from your peer, not your local one.
**local side**
-.. code-block:: console
+.. code-block:: none
set interfaces wireguard wg01 address '10.1.0.1/24'
set interfaces wireguard wg01 description 'VPN-to-wg02'
@@ -89,7 +89,7 @@ traffic.
To use a named key on an interface, the option private-key needs to be set.
-.. code-block:: console
+.. code-block:: none
set interfaces wireguard wg01 private-key KP01
set interfaces wireguard wg02 private-key KP02
@@ -100,7 +100,7 @@ which needs to be shared with the peer.
**remote side**
-.. code-block:: console
+.. code-block:: none
set interfaces wireguard wg01 address '10.2.0.1/24'
set interfaces wireguard wg01 description 'VPN-to-wg01'
@@ -113,7 +113,7 @@ which needs to be shared with the peer.
Assure that your firewall rules allow the traffic, in which case you have a
working VPN using wireguard.
-.. code-block:: console
+.. code-block:: none
wg01# ping 10.2.0.1
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
@@ -128,7 +128,7 @@ working VPN using wireguard.
An additional layer of symmetric-key crypto can be used on top of the
asymmetric crypto, which is optional.
-.. code-block:: console
+.. code-block:: none
wg01# run generate wireguard preshared-key
rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=
@@ -137,7 +137,7 @@ Copy the key, as it is not stored on the local file system. Make sure you
distribute that key in a safe manner, it's a symmetric key, so only you and
your peer should have knowledge of its content.
-.. code-block:: console
+.. code-block:: none
wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
@@ -147,7 +147,7 @@ Operational commands
**Show interface status**
-.. code-block:: console
+.. code-block:: none
vyos@wg01# run show interfaces wireguard wg01
@@ -164,14 +164,14 @@ Operational commands
**Show public key of the default key**
-.. code-block:: console
+.. code-block:: none
vyos@wg01# run show wireguard keypair pubkey default
FAXCPb6EbTlSH5200J5zTopt9AYXneBthAySPBLbZwM=
**Show public key of a named key**
-.. code-block:: console
+.. code-block:: none
vyos@wg01# run show wireguard keypair pubkey KP01
HUtsu198toEnm1poGoRTyqkUKfKUdyh54f45dtcahDM=
@@ -179,7 +179,7 @@ Operational commands
**Delete wireguard keypairs**
-.. code-block:: console
+.. code-block:: none
vyos@wg01# wireguard keypair default
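Review bot: under the heading "Delete wireguard keypairs" the command shown is "wireguard keypair default", which has no verb and, unlike the other configuration-mode examples in this file, no "run" prefix. Check the command against the CLI and correct it here.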