diff options
-rw-r--r-- | docs/configuration/container/index.rst | 74 | ||||
-rw-r--r-- | docs/configuration/service/pppoe-server.rst | 534 |
2 files changed, 447 insertions, 161 deletions
diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index adccd92b..e63ac2c9 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -11,16 +11,16 @@ a deamonless container engine. Configuration ************* -.. cfgcmd:: set container name <name> image - +.. cfgcmd:: set container name <name> image + Sets the image name in the hub registry .. code-block:: none set container name mysql-server image mysql:8.0 - If a registry is not specified, Docker.io will be used as the container - registry unless an alternative registry is specified using + If a registry is not specified, Docker.io will be used as the container + registry unless an alternative registry is specified using **set container registry <name>** or the registry is included in the image name .. code-block:: none @@ -28,21 +28,21 @@ Configuration set container name mysql-server image quay.io/mysql:8.0 .. cfgcmd:: set container name <name> allow-host-networks - - Allow host networking in a container. The network stack of the container is + + Allow host networking in a container. The network stack of the container is not isolated from the host and will use the host IP. The following commands translate to "--net host" when the container - is created + is created .. note:: **allow-host-networks** cannot be used with **network** -.. cfgcmd:: set container name <name> network <networkname> +.. cfgcmd:: set container name <name> network <networkname> Attaches user-defined network to a container. Only one network must be specified and must already exist. -.. cfgcmd:: set container name <name> network <networkname> address <address> +.. cfgcmd:: set container name <name> network <networkname> address <address> Optionally set a specific static IPv4 or IPv6 address for the container. This address must be within the named network prefix. @@ -58,7 +58,7 @@ Configuration Add custom environment variables. Multiple environment variables are allowed. The following commands translate to "-e key=value" when the container - is created. + is created. .. code-block:: none @@ -88,7 +88,7 @@ Configuration set container name coredns volume 'corefile' source /config/coredns/Corefile set container name coredns volume 'corefile' destination /etc/Corefile - + .. cfgcmd:: set container name <name> volume <volumename> mode <ro | rw> Volume is either mounted as rw (read-write - default) or ro (read-only) @@ -107,9 +107,9 @@ Configuration - **always**: Restart containers when they exit, regardless of status, retrying indefinitely .. cfgcmd:: set container name <name> memory <MB> - + Constrain the memory available to the container. - + Default is 512 MB. Use 0 MB for unlimited memory. .. cfgcmd:: set container name <name> device <devicename> source <path> @@ -129,18 +129,49 @@ Configuration - **sys-time**: Permission to set system clock .. cfgcmd:: set container name <name> disable - + Disable a container. -.. cfgcmd:: set container network <networkname> +Container Networks +================== + +.. cfgcmd:: set container network <name> Creates a named container network +.. cfgcmd:: set container network <name> description + + A brief description what this network is all about. + +.. cfgcmd:: set container network <name> prefix <ipv4|ipv6> + + Define IPv4 or IPv6 prefix for a given network name. Only one IPv4 and + one IPv6 prefix can be used per network name. + +.. cfgcmd:: set container network <name> vrf <nme> + + Bind container network to a given VRF instance. + +Container Registry +================== + .. cfgcmd:: set container registry <name> Adds registry to list of unqualified-search-registries. By default, for any - image that does not include the registry in the image name, Vyos will use - docker.io as the container registry. + image that does not include the registry in the image name, VyOS will use + docker.io and quay.io as the container registry. + +.. cfgcmd:: set container registry <name> disable + + Disable a given container registry + +.. cfgcmd:: set container registry <name> authentication username +.. cfgcmd:: set container registry <name> authentication password + + Some container registries require credentials to be used. + + Credentials can be defined here and will only be used when adding a + container image to the system. ****************** @@ -148,7 +179,7 @@ Operation Commands ****************** .. opcmd:: add container image <containername> - + Pull a new image for container .. opcmd:: show container @@ -156,7 +187,7 @@ Operation Commands Show the list of all active containers. .. opcmd:: show container image - + Show the local container images. .. opcmd:: show container log <containername> @@ -175,7 +206,10 @@ Operation Commands Update container image +.. opcmd:: delete container image [image id|all] + Delete a particular container image based on it's image ID. + You can also delete all container images at once. ********************* Example Configuration @@ -196,7 +230,7 @@ Example Configuration set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix' set container name mysql-server environment 'MYSQL_USER' value 'zabbix' set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd' - set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest set container name zabbix-java-gateway network zabbix diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index 56fcb968..04113666 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -13,13 +13,20 @@ be used with local authentication or a connected RADIUS server. changes/commits will restart the ppp daemon and will reset existing PPPoE connections from connected users, in order to become effective. -Configuration -============= +************************ +Configuring PPPoE Server +************************ +.. code-block:: none -First steps ------------ - + set service pppoe-server access-concentrator PPPoE-Server + set service pppoe-server authentication mode local + set service pppoe-server authentication local-users username test password 'test' + set service pppoe-server client-ip-pool PPPOE-POOL range 192.168.255.2-192.168.255.254 + set service pppoe-server default-pool 'PPPOE-POOL' + set service pppoe-server outside-address 192.0.2.2 + set service pppoe-server gateway-address 192.168.255.1 + set service pppoe-server interface eth0 .. cfgcmd:: set service pppoe-server access-concentrator <name> @@ -28,14 +35,30 @@ First steps .. cfgcmd:: set service pppoe-server authentication mode <local | radius> - Use this command to define whether your PPPoE clients will locally - authenticate in your VyOS system or in RADIUS server. + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled. .. cfgcmd:: set service pppoe-server authentication local-users username <name> password <password> - Use this command to configure the username and the password of a - locally configured user. + Create `<user>` for local authentication on this system. The users password + will be set to `<pass>`. + +.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> + + Use this command to define the first IP address of a pool of + addresses to be given to pppoe clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME> + + Use this command to define default address pool name. .. cfgcmd:: set service pppoe-server interface <interface> @@ -44,124 +67,170 @@ First steps .. cfgcmd:: set service pppoe-server gateway-address <address> - Use this command to configure the local gateway IP address. + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. -.. cfgcmd:: set service pppoe-server name-server <address> - Use this command to set the IPv4 or IPv6 address of every Doman Name - Server you want to configure. They will be propagated to PPPoE - clients. +********************************* +Configuring RADIUS authentication +********************************* +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. -Client Address Pools --------------------- +.. code-block:: none -To automatically assign the client an IP address as tunnel endpoint, a -client IP pool is needed. The source can be either RADIUS or a -named pool. There is possibility to create multiple named pools. -Each named pool can include only one address range. To use multiple -address ranges configure ``next-pool`` option. + set service pppoe-server authentication mode radius +.. cfgcmd:: set service pppoe-server authentication radius server <server> key <secret> -**Client IP address via IP range definition** + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. -.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: - Use this command to define the IP address range to be given - to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``, - it must be within a /24 subnet. If notation ``x.x.x.x/x`` is - used there is possibility to set host/netmask. +.. code-block:: none -.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + set service pppoe-server authentication radius server 10.0.0.1 key 'foo' + set service pppoe-server authentication radius server 10.0.0.2 key 'foo' - Use this command to define the next address pool name. +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME> +RADIUS source address +===================== - Use this command to define default address pool name. +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius source-address <address> - set service pppoe-server client-ip-pool IP-POOL next-pool 'IP-POOL2' - set service pppoe-server client-ip-pool IP-POOL range '10.0.10.5/24' - set service pppoe-server client-ip-pool IP-POOL2 range '10.0.0.10-10.0.0.12' - set service pppoe-server default-pool 'IP-POOL' + Source IPv4 address used in all RADIUS server queires. +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. -**RADIUS based IP pools (Framed-IP-Address)** +RADIUS advanced options +======================= -To use a radius server, you need to switch to authentication mode RADIUS -and then configure it. +.. cfgcmd:: set service pppoe-server authentication radius server <server> port <port> -.. cfgcmd:: set service pppoe-server authentication radius server <address> - key <secret> + Configure RADIUS `<server>` and its required port for authentication requests. - Use this command to configure the IP address and the shared secret - key of your RADIUS server. You can have multiple RADIUS servers - configured if you wish to achieve redundancy. +.. cfgcmd:: set service pppoe-server authentication radius server <server> fail-time <time> + Mark RADIUS server as offline for this given `<time>` in seconds. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius server <server> disable - set service pppoe-server access-concentrator 'ACN' - set service pppoe-server authentication mode 'radius' - set service pppoe-server authentication radius server 10.1.100.1 key 'secret' - set service pppoe-server interface 'eth1' - set service pppoe-server gateway-address '10.1.1.2' + Temporary disable this RADIUS server. -RADIUS provides the IP addresses in the example above via -Framed-IP-Address. +.. cfgcmd:: set service pppoe-server authentication radius acct-timeout <timeout> -**RADIUS sessions management DM/CoA** + Timeout to wait reply for Interim-Update packets. (default 3 seconds) -.. cfgcmd:: set service pppoe-server authentication radius dynamic-author - <key | port | server> +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author server <address> - Use this command to configure Dynamic Authorization Extensions to - RADIUS so that you can remotely disconnect sessions and change some - authentication parameters. + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author port <port> - set service pppoe-server authentication radius dynamic-author key 'secret123' - set service pppoe-server authentication radius dynamic-author port '3799' - set service pppoe-server authentication radius dynamic-author server '10.1.1.2' + Port for Dynamic Authorization Extension server (DM/CoA) +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author key <secret> -Example, from radius-server send command for disconnect client with -username test + Secret for Dynamic Authorization Extension server (DM/CoA) -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius max-try <number> - root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799 - disconnect secret123 + Maximum number of tries to send Access-Request/Accounting-Request queries -You can also use another attributes for identify client for disconnect, -like Framed-IP-Address, Acct-Session-Id, etc. Result commands appears in -log. +.. cfgcmd:: set service pppoe-server authentication radius timeout <timeout> -.. code-block:: none + Timeout to wait response from server (seconds) - show log | match Disconnect* +.. cfgcmd:: set service pppoe-server authentication radius nas-identifier <identifier> -Example for changing rate-limit via RADIUS CoA. + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius nas-ip-address <address> + + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. + +.. cfgcmd:: set service pppoe-server authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. cfgcmd:: set service pppoe-server authentication radius rate-limit attribute <attribute> + + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is ``Filter-Id``. - echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa - secret123 +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. -Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit -up-stream rate) If attribute Filter-Id redefined, replace it in RADIUS -CoA request. +.. cfgcmd:: set service pppoe-server authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set service pppoe-server authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + + +*********************** Automatic VLAN Creation ------------------------ +*********************** .. cfgcmd:: set service pppoe-server interface <interface> vlan <id | range> VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module - named `vlan_mon`, which is monitoring incoming vlans and creates the + named ``vlan_mon``, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface. @@ -177,21 +246,26 @@ Automatic VLAN Creation set service pppoe-server interface eth3 vlan 500-1000 set service pppoe-server interface eth3 vlan 2000-3000 - +***************** Bandwidth Shaping ------------------ +***************** Bandwidth rate limits can be set for local users or RADIUS based attributes. For Local Users -^^^^^^^^^^^^^^^ +=============== + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. -.. cfgcmd:: set service pppoe-server authentication local-users username <name> - rate-limit <download | upload> +.. cfgcmd:: set service pppoe-server authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. - Use this command to configure a data-rate limit to PPPOoE clients for - traffic download or upload. The rate-limit is set in kbit/sec. .. code-block:: none @@ -209,7 +283,7 @@ For Local Users Once the user is connected, the user session is using the set limits and -can be displayed via 'show pppoe-server sessions'. +can be displayed via ``show pppoe-server sessions``. .. code-block:: none @@ -220,9 +294,9 @@ can be displayed via 'show pppoe-server sessions'. For RADIUS users -^^^^^^^^^^^^^^^^ +================ -The current attribute 'Filter-Id' is being used as default and can be +The current attribute ``Filter-Id`` is being used as default and can be setup within RADIUS: Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit @@ -238,9 +312,9 @@ setup and is working. Other attributes can be used, but they have to be in one of the dictionaries in */usr/share/accel-ppp/radius*. - +************** Load Balancing --------------- +************** .. cfgcmd:: set service pppoe-server pado-delay <number-of-ms> @@ -262,71 +336,222 @@ allows other PPPoE servers send PADO faster and clients will connect to other servers. Last command says that this PPPoE server can serve only 3000 clients. - +**** IPv6 ----- +**** -IPv6 client's prefix -^^^^^^^^^^^^^^^^^^^^ +.. cfgcmd:: set service pppoe-server ppp-options ipv6 <require | prefer | allow | deny> -.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> - prefix <address> mask <number-of-bits> + Specifies IPv6 negotiation preference. - Use this comand to set the IPv6 address pool from which a PPPoE - client will get an IPv6 prefix of your defined length (mask) to - terminate the PPPoE endpoint at their side. The mask length can be - set from 48 to 128 bit long, the default value is 64. + * **require** - Require IPv6 negotiation + * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv6 only if client requests + * **deny** - Do not negotiate IPv6 (default value) +.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> -IPv6 Prefix Delegation -^^^^^^^^^^^^^^^^^^^^^^ + Use this comand to set the IPv6 address pool from which an l2tp client + will get an IPv6 prefix of your defined length (mask) to terminate the + l2tp endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. -.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> - delegate <address> delegation-prefix <number-of-bits> +.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> - Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You - will have to set your IPv6 pool and the length of the delegation - prefix. From the defined IPv6 pool you will be handing out networks - of the defined length (delegation-prefix). The length of the - delegation prefix can be set from 32 to 64 bit long. + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + l2tp. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. +.. cfgcmd:: set service pppoe-server default-ipv6-pool <IPv6-POOL-NAME> -IPv6 default client's pool assignment -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Use this command to define default IPv6 address pool name. -.. cfgcmd:: set service pppoe-server default-ipv6-pool <POOL-NAME> +.. code-block:: none - Use this command to define default IPv6 address pool name. + set service pppoe-server ppp-options ipv6 allow + set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server default-ipv6-pool IPv6-POOL +IPv6 Advanced Options +===================== +.. cfgcmd:: set service pppoe-server ppp-options ipv6-accept-peer-interface-id -Maintenance mode -================ + Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set service pppoe-server ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies fixed or random interface identifier for IPv6. + By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set service pppoe-server ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies peer interface identifier for IPv6. By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + * **ipv4-addr** - Calculate interface identifier from IPv4 address. + * **calling-sid** - Calculate interface identifier from calling-station-id. + +********* +Scripting +********* -.. opcmd:: set pppoe-server maintenance-mode <enable | disable> +.. cfgcmd:: set service pppoe-server extended-scripts on-change <path_to_script> - For network maintenance, it's a good idea to direct users to a backup - server so that the primary server can be safely taken out of service. - It's possible to switch your PPPoE server to maintenance mode where - it maintains already established connections, but refuses new - connection attempts. + Script to run when session interface changed by RADIUS CoA handling +.. cfgcmd:: set service pppoe-server extended-scripts on-down <path_to_script> -Checking connections + Script to run when session interface going to terminate + +.. cfgcmd:: set service pppoe-server extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set service pppoe-server extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set service pppoe-server authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options ==================== -.. opcmd:: show pppoe-server sessions +.. cfgcmd:: set service pppoe-server ppp-options disable-ccp - Use this command to locally check the active sessions in the PPPoE - server. + Disable Compression Control Protocol (CCP). + CCP is enabled by default. +.. cfgcmd:: set service pppoe-server ppp-options interface-cache <number> -.. code-block:: none + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. - show pppoe-server sessions - ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes - -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- - ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B +.. cfgcmd:: set service pppoe-server ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. + + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 + +.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-failure <number> + + Defines the maximum `<number>` of unanswered echo requests. Upon reaching the + value `<number>`, the session will be reset. Default value is **3**. + +.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-interval <interval> + + If this option is specified and is greater than 0, then the PPP module will + send LCP pings of the echo request every `<interval>` seconds. + Default value is **30**. + +.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-timeout + + Specifies timeout in seconds to wait for any peer activity. If this option + specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" + is not used. Default value is **0**. + +.. cfgcmd:: set service pppoe-server ppp-options min-mtu <number> + + Defines minimum acceptable MTU. If client will try to negotiate less then + specified MTU then it will be NAKed or disconnected if rejects greater MTU. + Default value is **100**. + +.. cfgcmd:: set service pppoe-server ppp-options mppe <require | prefer | deny> + + Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation + preference. + * **require** - ask client for mppe, if it rejects drop connection + * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) + * **deny** - deny mppe + + Default behavior - don't ask client for mppe, but allow it if client wants. + Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy + attribute. + +.. cfgcmd:: set service pppoe-server ppp-options mru <number> + + Defines preferred MRU. By default is not defined. + +Global Advanced options +======================= + +.. cfgcmd:: set service pppoe-server description <description> + + Set description. + +.. cfgcmd:: set service pppoe-server limits burst <value> + + Burst count + +.. cfgcmd:: set service pppoe-server limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set service pppoe-server limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set service pppoe-server mtu + + Maximum Transmission Unit (MTU) (default: **1492**) + +.. cfgcmd:: set service pppoe-server max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set service pppoe-server name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set service pppoe-server service-name <names> + + Specifies Service-Name to respond. If absent any Service-Name is + acceptable and client’s Service-Name will be sent back. Also possible + set multiple service-names: `sn1,sn2,sn3` Per default the user session is being replaced if a second authentication request succeeds. Such session requests can be either @@ -335,23 +560,48 @@ user in the latter case. If it is denied, the second session is being rejected even if the authentication succeeds, the user has to terminate its first session and can then authentication again. -.. code-block:: none +.. cfgcmd:: set service pppoe-server session-control + + * **disable**: Disables session control. + * **deny**: Deny second session authorization. + * **replace**: Terminate first session when second is authorized **(default)** + +.. cfgcmd:: set service pppoe-server shaper fwmark <1-2147483647> - vyos@# set service pppoe-server session-control - Possible completions: - disable Disables session control - deny Deny second session authorization + Match firewall mark value +.. cfgcmd:: set service pppoe-server snmp master-agent + Enable SNMP +.. cfgcmd:: set service pppoe-server wins-server <address> + Windows Internet Name Service (WINS) servers propagated to client + +********** +Monitoring +********** + +.. opcmd:: show pppoe-server sessions + + Use this command to locally check the active sessions in the PPPoE + server. + + +.. code-block:: none + + show pppoe-server sessions + ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- + ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B +******** Examples -======== +******** IPv4 ----- +==== The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates at the local endpoint @@ -372,7 +622,7 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation --------------------------------------------------------- +======================================================== The example below covers a dual-stack configuration via pppoe-server. @@ -403,3 +653,5 @@ a /56 subnet for the clients internal use. ppp0 | test | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb | | active | 00:00:49 | 875 B | 2.1 KiB .. include:: /_include/common-references.txt +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
\ No newline at end of file |