Diffstat (limited to 'docs/appendix')
-rw-r--r-- | docs/appendix/commandtree/configmode.rst | 524
-rw-r--r-- | docs/appendix/commandtree/index.rst | 17
-rw-r--r-- | docs/appendix/commandtree/operationmode.rst | 444
-rw-r--r-- | docs/appendix/examples/dmvpn.rst | 105
-rw-r--r-- | docs/appendix/examples/index.rst | 13
-rw-r--r-- | docs/appendix/examples/zone-policy.rst | 379
-rw-r--r-- | docs/appendix/releasenotes.rst | 50
-rw-r--r-- | docs/appendix/troubleshooting.rst | 341
-rw-r--r-- | docs/appendix/vyos-on-baremetal.rst | 72
9 files changed, 1945 insertions, 0 deletions
diff --git a/docs/appendix/commandtree/configmode.rst b/docs/appendix/commandtree/configmode.rst new file mode 100644 index 00000000..abb20f98 --- /dev/null +++ b/docs/appendix/commandtree/configmode.rst 
@@ -0,0 +1,524 @@ +.. _commandtree_configmode: + +Configuration mode +------------------ + +.. code-block:: sh + + confirm Confirm prior commit-confirm + comment Add comment to this configuration element + commit Commit the current set of changes + commit-confirm Commit the current set of changes with 'confirm' required + compare Compare configuration revisions + copy Copy a configuration element + delete Delete a configuration element + discard Discard uncommitted changes + edit Edit a sub-element + exit Exit from this configuration level + load Load configuration from a file and replace running configuration + loadkey Load user SSH key from a file + merge Load configuration from a file and merge running configuration + rename Rename a configuration element + rollback Rollback to a prior config revision (requires reboot) + run Run an operational-mode command + save Save configuration to a file + set Set the value of a parameter or create a new element + show Show the configuration (default values may be suppressed) + + +Confirm +^^^^^^^ + +The ``confirm`` command confirms the prior ``commit-confirm``. + +Comment +^^^^^^^ + +The ``comment`` commands allow you to insert a comment above the current configuration section. +The command cannot be used at the top of the configuration hierarchy, only on subsections. Comments needs to be commited, just like other config changes. + +To add a comment to a section, while being already at the proper section level: + +.. code-block:: sh + + [edit <section>] + vyos@vyos# comment "Type Comment Here" + +To add a comment directly to a section, from the top or a higher section: + +.. code-block:: sh + + [edit] + vyos@vyos# comment <section> "Type Comment Here" + +To remove a comment, add a blank comment to overwrite: + +.. code-block:: sh + + [edit <section>] + vyos@vyos# comment "" + +Examples +******** + +To add a comment to the "interfaces" section: + +.. 
code-block:: sh + + [edit] + vyos@vyos# edit interfaces + [edit interfaces] + vyos@vyos# comment "Here is a comment" + [edit interfaces] + vyos@vyos# commit + +The comment would then appear like this: + +.. code-block:: sh + + [edit] + vyos@vyos# show + /* Here is a comment */ + interfaces { + ethernet eth0 { + [...] + + +An important thing to note is that since the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the ``show interfaces`` command would return starting after the "interfaces {" line, hiding the comment: + +.. code-block:: sh + + [edit] + vyos@vyos# show interfaces + ethernet eth0 { + [...] + + +To add a comment to the interfaces section from the top: + +.. code-block:: sh + + [edit] + vyos@vyos# comment interfaces "test" + + +The comment can be added to any node that already exists, even if it's multiple levels lower: + +.. code-block:: sh + + [edit] + vyos@vyos# comment interfaces ethernet eth0 vif 222 address "Far down comment" + + +Commit +^^^^^^ + +The ``commit`` command commits the proposed changes to the configuration file. +Every changes done in the configuration session is only applied when the configuration is committed. To view the changes that will be applied, use the show command. +To discard the changes without committing, use the ``discard`` command. The ``commit`` command doesn't save the configuration, you need to manually use the ``save`` command. + +The confirm keyword can be added, see ``commit-confirm``. A comment can be entered, it will appear in the commit log. + +.. code-block:: sh + + [edit] + vyos@vyos# commit + Possible completions: + <Enter> Commit working configuration + comment Comment for commit log + +Commit-confirm +^^^^^^^^^^^^^^ + +The ``commit-confirm`` command commits the proposed changes to the configuration file and starts a timer. 
+If the ``confirm`` command is not entered before the timer expiration, the configuration will be rolled back and VyOS will reboot. +The default timer value is 10 minutes, but a custom value can be entered. + +.. code-block:: sh + + [edit] + vyos@vyos# commit-confirm + Possible completions: + <Enter> Commit, rollback/reboot in 10 minutes if no confirm + <N> Commit, rollback/reboot in N minutes if no confirm + comment Comment for commit log + + +Compare +^^^^^^^ + +VyOS maintains backups of previous configurations. To compare configuration revisions in configuration mode, use the compare command: + +.. code-block:: sh + + [edit] + vyos@vyos# compare + Possible completions: + <Enter> Compare working & active configurations + saved Compare working & saved configurations + <N> Compare working with revision N + <N> <M> Compare revision N with M + + Revisions: + 0 2019-03-20 20:57:22 root by boot-config-loader + 1 2019-03-15 20:00:04 root by boot-config-loader + 2 2019-03-05 01:58:39 vyos by cli + 3 2019-03-05 01:54:59 vyos by cli + 4 2019-03-05 01:53:08 vyos by cli + 5 2019-03-05 01:52:21 vyos by cli + 6 2019-02-24 21:01:24 root by boot-config-loader + 7 2019-02-21 22:00:12 vyos by cli + 8 2019-02-21 21:56:49 vyos by cli + + +Copy +^^^^ + +The ``copy`` command allows you to copy a configuration object. + +Copy the configuration entrys from a firewall name WAN rule 1 to rule 2. + +.. code-block:: sh + + [edit firewall name WAN] + vyos@vyos# show + rule 1 { + action accept + source { + address 10.1.0.0/24 + } + } + [edit firewall name WAN] + vyos@vyos# copy rule 1 to rule 2 + [edit firewall name WAN] + vyos@vyos# show + rule 1 { + action accept + source { + address 10.1.0.0/24 + } + } + +rule 2 { + + action accept + + source { + + address 10.1.0.0/24 + + } + +} + +Delete +^^^^^^ + +The ``delte`` command is to delete a configuration entry. + +This Example delete the hole ``service tftp-server`` section. + +.. 
code-block:: sh + + delete service tftp-server + +Discard +^^^^^^^ + +The ``discard`` command removes all pending configuration changes. + +.. code-block:: sh + + [edit] + vyos@vyos# discard + + Changes have been discarded + +Edit +^^^^ + +The ``edit`` command allows you to navigate down into the configuration tree. +To get back to an upper level, use the ``up`` command or use the ``top`` command to get back to the upper most level. +The ``[edit]`` text displays where the user is located in the configuration tree. + +.. code-block:: sh + + [edit] + vyos@vyos# edit interfaces + [edit interfaces] + vyos@vyos# edit ethernet eth0 + [edit interfaces ethernet eth0] + +Exit +^^^^ + +The ``exit`` command exits the current configuration mode. If the current configuration level isn't the top-most, then the configuration level is put back to the top-most level. +If the configuration level is at the top-most level, then it exits the configuration mode and returns to operational mode. +The ``exit`` command cannot be used if uncommitted changes exists in the configuration file. To exit with uncommitted changes, you either need to use the ``exit discard`` command or you need to commit the changes before exiting. +The ``exit`` command doesn't save the configuration, only the ``save`` command does. A warning will be given when exiting with unsaved changes. Using the ``exit`` command in operational mode will logout the session. + + +Exiting from a configuration level: + + +.. code-block:: sh + + [edit interfaces ethernet eth0] + vyos@vyos# exit + [edit] + vyos@vyos# + +Exiting from configuration mode: + +.. code-block:: sh + + [edit] + vyos@vyos# exit + exit + vyos@vyos:~$ + +Exiting from operational mode: + +.. code-block:: sh + + vyos@vyos:~$ exit + logout + +Error message when trying to exit with uncommitted changes: + +.. code-block:: sh + + vyos@vyos# exit + Cannot exit: configuration modified. + Use 'exit discard' to discard the changes and exit. 
+ [edit] + vyos@vyos# + + +Warning message when exiting with unsaved changes: + +.. code-block:: sh + + [edit] + vyos@vyos# exit + Warning: configuration changes have not been saved. + exit + vyos@vyos:~$ + +Load +^^^^ + +The ``load`` command load a configuration from a local or remote file. You have to be use ``commit`` to make the change active + +.. code-block:: sh + + <Enter> Load from system config file + <file> Load from file on local machine + scp://<user>:<passwd>@<host>/<file> Load from file on remote machine + sftp://<user>:<passwd>@<host>/<file> Load from file on remote machine + ftp://<user>:<passwd>@<host>/<file> Load from file on remote machine + http://<host>/<file> Load from file on remote machine + https://<host>/<file> Load from file on remote machine + tftp://<host>/<file> Load from file on remote machine + + +.. code-block:: sh + + [edit] + vyos@vyos# load + Loading configuration from '/config/config.boot'... + + Load complete. Use 'commit' to make changes active. + + +Loadkey +^^^^^^^^ + +Copies the content of a public key to the ~/.ssh/authorized_keys file. + +.. code-block:: sh + + loadkey <username> [tab] + + <file> Load from file on local machine + scp://<user>@<host>/<file> Load from file on remote machine + sftp://<user>@<host>/<file> Load from file on remote machine + ftp://<user>@<host>/<file> Load from file on remote machine + http://<host>/<file> Load from file on remote machine + tftp://<host>/<file> Load from file on remote machine + +Merge +^^^^^ + +The ``merge`` command merge the config from a local or remote file with the running config. + +In the example below exist a ``default-firewall.config`` file with some common firewall rules you saved earlier. + +.. code-block:: sh + + [edit] + vyos@vyos# show firewall + Configuration under specified path is empty + [edit] + vyos@vyos# merge default-firewall.config + Loading configuration from '/config/default-firewall.config'... + + Merge complete. Use 'commit' to make changes active. 
+ [edit] + vyos@vyos# + + vyos@vyos# show firewall + +all-ping enable + +broadcast-ping disable + +config-trap disable + +ipv6-receive-redirects disable + +ipv6-src-route disable + +ip-src-route disable + +log-martians enable + +name WAN { + + default-action drop + + rule 1 { + + action accept + + source { + + address 10.1.0.0/24 + + } + + } + + rule 2 { + + action accept + + source { + + address 10.1.0.0/24 + + } + ...... + + +Rename +^^^^^^ + +The ``rename`` command allows you to rename or move a configuration object. + +See here how to move the configuration entrys from vlanid 3 to 2 + +.. code-block:: sh + + [edit interfaces ethernet eth1] + vyos@vyos# show + duplex auto + hw-id 08:00:27:81:c6:59 + smp-affinity auto + speed auto + vif 3 { + address 10.4.4.4/32 + } + [edit interfaces ethernet eth1] + vyos@vyos# rename vif 3 to vif 2 + [edit interfaces ethernet eth1] + vyos@vyos# show + duplex auto + hw-id 08:00:27:81:c6:59 + smp-affinity auto + speed auto + +vif 2 { + + address 10.4.4.4/32 + +} + -vif 3 { + - address 10.4.4.4/32 + -} + [edit interfaces ethernet eth1] + vyos@vyos# + + +Rollback +^^^^^^^^ + +You can ``rollback`` configuration using the rollback command, however this command will currently trigger a system reboot. +Use the compare command to verify the configuration you want to rollback to. + +.. code-block:: sh + + vyos@vyos# compare 1 + [edit system] + >host-name vyos-1 + [edit] + vyos@vyos# rollback 1 + Proceed with reboot? [confirm][y] + + Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2018): + + The system is going down for reboot NOW! + [edit] + vyos@vyos# + +Run +^^^ + +The ``run`` command allows you to execute any operational mode commands without exiting the configuration session. + +.. 
code-block:: sh + + [edit] + vyos@vyos# run show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 10.1.1.1/24 u/u + + +Save +^^^^ + +The ``save`` command saves the current configuration to non-volatile storage. VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP. + +.. code-block:: sh + + <Enter> Save to system config file + <file> Save to file on local machine + scp://<user>:<passwd>@<host>/<file> Save to file on remote machine + sftp://<user>:<passwd>@<host>/<file> Save to file on remote machine + ftp://<user>:<passwd>@<host>/<file> Save to file on remote machine + tftp://<host>/<file> Save to file on remote machine + +Set +^^^ + +The ``set`` command create all configuration entrys + +.. code-block:: sh + + [edit] + vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 + +Show +^^^^ + +The ``show`` command in the configuration mode displays the configuration and show uncommitted changes. + +Show the hole config, the address and description of eth1 is moving to vlan 2 if you commit the changes. + +.. code-block:: sh + + [edit] + vyos@vyos# show + interfaces { + dummy dum0 { + address 10.3.3.3/24 + } + ethernet eth0 { + address dhcp + duplex auto + hw-id 08:00:27:2b:c0:0b + smp-affinity auto + speed auto + } + ethernet eth1 { + - address 10.1.1.1/32 + - description "MGMT Interface" + duplex auto + hw-id 08:00:27:81:c6:59 + smp-affinity auto + speed auto + + vif 2 { + + address 10.1.1.1/32 + + description "MGMT Interface" + + } + } + loopback lo { + } + } + service { + ssh { + port 22 + ......
\ No newline at end of file diff --git a/docs/appendix/commandtree/index.rst b/docs/appendix/commandtree/index.rst new file mode 100644 index 00000000..c3bca008 --- /dev/null +++ b/docs/appendix/commandtree/index.rst @@ -0,0 +1,17 @@ +.. _commandtree: + +Command tree +============ + +See the the full Command tree in Operational mode and Configuration mode + + + +.. toctree:: + :maxdepth: 2 + :hidden: + + + operationmode + configmode + diff --git a/docs/appendix/commandtree/operationmode.rst b/docs/appendix/commandtree/operationmode.rst new file mode 100644 index 00000000..487df032 --- /dev/null +++ b/docs/appendix/commandtree/operationmode.rst 
@@ -0,0 +1,444 @@ +.. _commandtree_operationmode: + +Operational mode +---------------- + +Operational mode allows for commands to perform operational system tasks and view system and service status. +After this is the first view after the login. +Please see :ref:`cli` for navigation in the CLI + + +.. code-block:: sh + + + vyos@vyos:~$ [tab] + Possible completions: + add Add an object to a service + clear Clear system information + clone Clone an object + configure Enter configure mode + connect Establish a connection + copy Copy an object + delete Delete an object + disconnect Take down a connection + force Force an operation + format Format a device + generate Generate an object + install Install a new system + monitor Monitor system information + ping Send IPv4 or IPv6 ICMP (Internet Control Message Protocol) echo requests + poweroff Poweroff the system + reboot Reboot the system + release Release specified variable + rename Rename an object + renew Renew specified variable + reset Reset a service + restart Restart a service + set Set operational options + show Show system information + telnet Telnet to a node + traceroute Track network path to node + update Update data for a service + + +Add +^^^ + +.. code-block:: sh + + raid Add a RAID set element + system Add an item to a system facility + +Clear +^^^^^ + +.. code-block:: sh + + console Clear screen + firewall Clear firewall statistics + flow-accounting Clear flow accounting + interfaces Clear interface information + ip Clear Internet Protocol (IP) statistics or status + ipv6 Clear Internet Protocol (IPv6) statistics or status + nat Clear network address translation (NAT) tables + policy Clear policy statistics + + +Clone +^^^^^ +The ``clone`` command allows you to clone a configuration from a system image to another one, or from the running config to another system image. +To clone the running config to a system image: + +.. 
code-block:: sh + + clone system config <system-image> from running + +To clone from system image A to system image B: + +.. code-block:: sh + + clone system config <system-image-B> from <system-image-A> + + +Configure +^^^^^^^^^ + +The ``configure`` command allows you to enter configuration mode. + +.. code-block:: sh + + vyos@vyos:~$ configure + [edit] + vyos@vyos# + + +Connect +^^^^^^^ + +The ``connect`` command allows you to bring up a connection oriented interface, like a pppoe interface. + +.. code-block:: sh + + connect interface <interface> + +Copy +^^^^ + +The ``copy`` command allows you to copy a file to your running config or over images. + +It can look like this example: + +.. code-block:: sh + + vyos@vyos:~$ copy file [tab] + Possible completions: + http://<user>:<passwd>@<host>/<file> + Copy files from specified source + scp://<user>:<passwd>@<host>/<file> + ftp://<user>:<passwd>@<host>/<file> + tftp://<host>/<file> + 1.2.0://config/ + 1.2.0-rolling+201902251818://config/ + 1.2.0-rolling+201902201040://config/ + 1.2.0-rolling+201902080337://config/ + 1.2.0-H4://config/ + running://config/ + + +To copy from file A to file B: + +.. code-block:: sh + + copy <file A> to <file B> + + +Delete +^^^^^^ + +.. code-block:: sh + + conntrack Delete Conntrack entries + file Delete files in a particular image + log Delete a log file + raid Remove a RAID set element + system Delete system objects + + +Disconnect +^^^^^^^^^^ + +The ``disconnect`` command allows you to take down a connection oriented interface, like a pppoe interface. + +.. code-block:: sh + + disconnect interface <interface> + +Force +^^^^^ + +.. code-block:: sh + + arp Send gratuitous ARP request or reply + cluster Force a cluster state transition + + +Format +^^^^^^ + +The ``format`` command allows you to format a disk the same way as another one. + +.. code-block:: sh + + format disk <target> like <source> + +Generate +^^^^^^^^ + +.. 
code-block:: sh + + openvpn OpenVPN key generation tool + ssh-server-key + Regenerate the host SSH keys and restart the SSH server + tech-support Generate tech-support archive + vpn VPN key generation utility + wireguard wireguard key generation utility + +Install +^^^^^^^ + +The ``install`` command allows you to install the system image on the disk. + +.. code-block:: sh + + install image + + +Monitor +^^^^^^^ + +``monitor`` can be used to continually view what is happening on the router. + +.. code-block:: sh + + bandwidth Monitor interface bandwidth in real time + bandwidth-test + Initiate or wait for bandwidth test + cluster Monitor clustering service + command Monitor an operational mode command (refreshes every 2 seconds) + conntrack-sync + Monitor conntrack-sync + content-inspection + Monitor Content-Inspection + dhcp Monitor Dynamic Host Control Protocol (DHCP) + dns Monitor a Domain Name Service (DNS) daemon + firewall Monitor Firewall + https Monitor the Secure Hypertext Transfer Protocol (HTTPS) service + lldp Monitor Link Layer Discovery Protocol (LLDP) daemon + log Monitor last lines of messages file + nat Monitor network address translation (NAT) + openvpn Monitor OpenVPN + protocol Monitor routing protocols + snmp Monitor Simple Network Management Protocol (SNMP) daemon + stop-all Stop all current background monitoring processes + traceroute Monitor the path to a destination in realtime + traffic Monitor traffic dumps + vpn Monitor VPN + vrrp Monitor Virtual Router Redundancy Protocol (VRRP) + webproxy Monitor Webproxy service + + +Ping +^^^^ + +The ``ping`` command allows you to send an ICMP-EchoRequest packet and display the ICMP-EchoReply received. + +.. code-block:: sh + + <hostname> Send Internet Control Message Protocol (ICMP) echo request + <x.x.x.x> + <h:h:h:h:h:h:h:h> + + +Poweroff +^^^^^^^^ + +The ``poweroff`` command allows you to properly shut down the VyOS instance. Without any modifier, the command is executed immediately. + +.. 
code-block:: sh + + <Enter> Execute the current command + at Poweroff at a specific time + cancel Cancel a pending poweroff + in Poweroff in X minutes + now Poweroff the system without confirmation + +Reboot +^^^^^^ +The ``reboot`` command allows you to properly restart the VyOS instance. Without any modifier, the command is executed immediately. + +.. code-block:: sh + + <Enter> Execute the current command + at Poweroff at a specific time + cancel Cancel a pending poweroff + in Poweroff in X minutes + now Poweroff the system without confirmation + +Release +^^^^^^^ + +The ``release`` command allows you to release a DHCP or DHCPv6 lease. + +.. code-block:: sh + + vyos@vyos:~$ release dhcp interface <int> + vyos@vyos:~$ release dhcpv6 interface <int> + + +Rename +^^^^^^ + +The ``rename`` command allows you to rename a system image. + +.. code-block:: sh + + rename system image <currentname> <newname> + + +Renew +^^^^^ + +The ``renew`` command allows you to renew a DHCP or DHCPv6 lease. + +.. code-block:: sh + + vyos@vyos:~$ renew dhcp interface <int> + vyos@vyos:~$ renew dhcpv6 interface <int> + +Reset +^^^^^ + +.. code-block:: sh + + conntrack Reset all currently tracked connections + conntrack-sync + Reset connection syncing parameters + dns Reset a DNS service state + firewall reset a firewall group + ip Reset Internet Protocol (IP) parameters + ipv6 Reset Internet Protocol version 6 (IPv6) parameters + nhrp Clear/Purge NHRP entries + openvpn Reset OpenVPN + terminal Reset terminal + vpn Reset Virtual Private Network (VPN) information + +Restart +^^^^^^^ + +.. 
code-block:: sh + + cluster Restart cluster node + conntrack-sync + Restart connection tracking synchronization service + dhcp Restart DHCP processes + dhcpv6 Restart DHCPv6 processes + dns Restart a DNS service + flow-accounting + Restart flow-accounting service + https Restart https server + vpn Restart IPsec VPN + vrrp Restart the VRRP (Virtual Router Redundancy Protocol) process + wan-load-balance + Restart WAN load balancing + webproxy Restart webproxy service + +Set +^^^ + +.. code-block:: sh + + <OPTION> Bash builtin set command + console Control console behaviors + date Set system date and time + system Set system operational parameters + terminal Control terminal behaviors + +Show +^^^^ + +.. code-block:: sh + + arp Show Address Resolution Protocol (ARP) information + bridge Show bridging information + cluster Show clustering information + configuration Show available saved configurations + conntrack Show conntrack entries in the conntrack table + conntrack-sync + Show connection syncing information + date Show system time and date + dhcp Show DHCP (Dynamic Host Configuration Protocol) information + dhcpv6 Show DHCPv6 (IPv6 Dynamic Host Configuration Protocol) information + disk Show status of disk device + dns Show DNS information + file Show files for a particular image + firewall Show firewall information + flow-accounting + Show flow accounting statistics + hardware Show system hardware details + history show command history + host Show host information + incoming Show ethernet input-policy information + interfaces Show network interface information + ip Show IPv4 routing information + ipv6 Show IPv6 routing information + license Show VyOS license information + lldp Show lldp + log Show contents of current master log file + login Show current login credentials + monitoring Show currently monitored services + nat Show Network Address Translation (NAT) information + nhrp Show NHRP info + ntp Show peer status of NTP daemon + openvpn Show OpenVPN 
information + policy Show policy information + poweroff Show scheduled poweroff + pppoe-server show pppoe-server status + queueing Show ethernet queueing information + raid Show statis of RAID set + reboot Show scheduled reboot + remote-config Show remote side config + route-map Show route-map information + snmp Show status of SNMP on localhost + system Show system information + system-integrity + checks the integrity of the system + table Show routing table + tech-support Show consolidated tech-support report (private information removed) + users Show user information + version Show system version information + vpn Show Virtual Private Network (VPN) information + vrrp Show VRRP (Virtual Router Redundancy Protocol) information + wan-load-balance + Show Wide Area Network (WAN) load-balancing information + webproxy Show webproxy information + wireguard Show wireguard properties + zone-policy Show summary of zone policy for a specific zone + +Telnet +^^^^^^ +In the past the ``telnet`` command allowed you to connect remotely to another device using the telnet protocol. +Telnet is unencrypted and should not use anymore. But its nice to test if an TCP Port to a host is open. + + +.. code-block:: sh + + vyos@vyos:~$ telnet 192.168.1.3 443 + Trying 192.168.1.3... + telnet: Unable to connect to remote host: Network is unreachable + + vyos@vyos:~$ telnet 192.168.1.4 443 + Trying 192.168.1.4... + Connected to 192.168.1.4. + Escape character is '^]'. + +Traceroute +^^^^^^^^^^ + +The ``traceroute`` command allows you to trace the path taken to a particular device. + +.. code-block:: sh + + <hostname> Track network path to specified node + <x.x.x.x> + <h:h:h:h:h:h:h:h> + ipv4 Track network path to <hostname|IPv4 address> + ipv6 Track network path to <hostname|IPv6 address> + + +Update +^^^^^^ + +.. code-block:: sh + + dns Update DNS information + webproxy Update webproxy
\ No newline at end of file diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst new file mode 100644 index 00000000..d3bf45c7 --- /dev/null +++ b/docs/appendix/examples/dmvpn.rst 
@@ -0,0 +1,105 @@ + +.. _examples-dmvpn: + +VyOS DMVPN Hub +-------------- + +General infomration can be found in the :ref:`vpn-dmvpn` chapter. + +Configuration +^^^^^^^^^^^^^ + +.. code-block:: sh + + set interfaces tunnel tun100 address '172.16.253.134/29' + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 local-ip '11.22.33.44' + set interfaces tunnel tun100 multicast 'enable' + set interfaces tunnel tun100 parameters ip key '1' + + set protocols nhrp tunnel tun100 cisco-authentication '<nhrp secret key>' + set protocols nhrp tunnel tun100 holding-time '300' + set protocols nhrp tunnel tun100 multicast 'dynamic' + set protocols nhrp tunnel tun100 redirect + set protocols nhrp tunnel tun100 shortcut + + set vpn ipsec esp-group ESP-HUB compression 'disable' + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'tunnel' + set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' + set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' + set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' + set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' + set vpn ipsec ipsec-interfaces interface 'eth0' + + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret '<secretkey>' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN 
esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + +Cisco IOS Spoke +^^^^^^^^^^^^^^^ + +This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and +VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux). + +.. code-block:: sh + + Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3) + Technical Support: http://www.cisco.com/techsupport + Copyright (c) 1986-2014 by Cisco Systems, Inc. + Compiled Fri 12-Sep-14 10:45 by prod_rel_team + + ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1) + +Use this configuration on your Cisco device: + +.. code-block:: sh + + crypto pki token default removal timeout 0 + crypto keyring DMVPN + pre-shared-key address 1.2.3.4 key <secretkey> + ! + crypto isakmp policy 10 + encr aes 256 + authentication pre-share + group 2 + ! + crypto isakmp invalid-spi-recovery + crypto isakmp keepalive 30 30 periodic + crypto isakmp profile DMVPN + keyring DMVPN + match identity address 11.22.33.44 255.255.255.255 + ! + crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac + mode transport + ! + crypto ipsec profile DMVPN + set security-association idle-time 720 + set transform-set DMVPN-AES256 + ! + interface Tunnel10 + description Tunnel to DMVPN HUB + ip address 172.16.253.129 255.255.255.248 + no ip redirects + ip nhrp authentication <nhrp secret key> + ip nhrp map multicast 11.22.33.44 + ip nhrp map 172.16.253.134 11.22.33.44 + ip nhrp network-id 1 + ip nhrp holdtime 600 + ip nhrp nhs 172.16.253.134 + ip nhrp registration timeout 75 + tunnel source Dialer1 + tunnel mode gre multipoint + tunnel key 1 diff --git a/docs/appendix/examples/index.rst b/docs/appendix/examples/index.rst new file mode 100644 index 00000000..c6e10eeb --- /dev/null +++ b/docs/appendix/examples/index.rst 
@@ -0,0 +1,13 @@ +.. _examples: + +Configuration Examples +====================== + +This chapter contains various configuration Examples + + +.. toctree:: + :maxdepth: 2 + + dmvpn + zone-policy diff --git a/docs/appendix/examples/zone-policy.rst b/docs/appendix/examples/zone-policy.rst new file mode 100644 index 00000000..d159d02d --- /dev/null +++ b/docs/appendix/examples/zone-policy.rst 
@@ -0,0 +1,379 @@ +.. _examples-zone-policy: + +Zone-Policy example +------------------- + +Native IPv4 and IPv6 +^^^^^^^^^^^^^^^^^^^^ + +We have three networks. + +.. code-block:: sh + + WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64 + LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64 + DMZ - 192.168.200.0/24, 2001:0DB8:0:BBBB::0/64 + + +This specific example is for a router on a stick, but is very easily adapted +for however many NICs you have. + +[http://imgur.com/Alz1J.png Topology Image] + +The VyOS interface is assigned the .1/:1 address of their respective networks. +WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30. + +It will look something like this: + +.. code-block:: sh + + interfaces { + ethernet eth0 { + duplex auto + hw-id 00:0c:29:6e:2a:92 + smp_affinity auto + speed auto + vif 10 { + address 172.16.10.1/24 + address 2001:db8:0:9999::1/64 + } + vif 20 { + address 192.168.100.1/24 + address 2001:db8:0:AAAA::1/64 + } + vif 30 { + address 192.168.200.1/24 + address 2001:db8:0:BBBB::1/64 + } + } + loopback lo { + } + } + + +Zones Basics +^^^^^^^^^^^^ + +Each interface is assigned to a zone. The interface can be physical or virtual +such as tunnels (VPN, pptp, gre, etc) and are treated exactly the same. + +Traffic flows from zone A to zone B. That flow is what I refer to as a +zone-pair-direction. eg. A->B and B->A are two zone-pair-destinations. + +Ruleset are created per zone-pair-direction. + +I name rule sets to indicate which zone-pair-direction they represent. eg. +ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN. + +In VyOS, you have to have unique Ruleset names. In the event of overlap, I +add a "-6" to the end of v6 rulesets. eg. LAN-DMZ, LAN-DMZ-6. This allows for +each auto-completion and uniqueness. + +In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is the +firewall itself. + +If your computer is on the LAN and you need to SSH into your VyOS box, you +would need a rule to allow it in the LAN-Local ruleset. 
If you want to access +a webpage from your VyOS box, you need a rule to allow it in the Local-LAN +ruleset. + +In rules, it is good to keep them named consistently. As the number of rules +you have grows, the more consistency you have, the easier your life will be. + +.. code-block:: sh + + Rule 1 - State Established, Related + Rule 2 - State Invalid + Rule 100 - ICMP + Rule 200 - Web + Rule 300 - FTP + Rule 400 - NTP + Rule 500 - SMTP + Rule 600 - DNS + Rule 700 - DHCP + Rule 800 - SSH + Rule 900 - IMAPS + +The first two rules are to deal with the idiosyncrasies of VyOS and iptables. + +Zones and Rulesets both have a default action statement. When using +Zone-Policies, the default action is set by the zone-policy statement and is +represented by rule 10000. + +It is good practice to log both accepted and denied traffic. It can save you +significant headaches when trying to troubleshoot a connectivity issue. + +To add logging to the default rule, do: + +.. code-block:: sh + + set firewall name <ruleSet> enable-default-log + + +By default, iptables does not allow traffic for established session to return, +so you must explicitly allow this. I do this by adding two rules to every +ruleset. 1 allows established and related state packets through and rule 2 +drops and logs invalid state packets. We place the established/related rule at +the top because the vast majority of traffic on a network is established and +the invalid rule to prevent invalid state packets from mistakenly being matched +against other rules. Having the most matched rule listed first reduces CPU load +in high volume environments. Note: I have filed a bug to have this added as a +default action as well. + +''It is important to note, that you do not want to add logging to the +established state rule as you will be logging both the inbound and outbound +packets for each session instead of just the initiation of the session. 
+Your logs will be massive in a very short period of time.'' + +In VyOS you must have the interfaces created before you can apply it to the +zone and the rulesets must be created prior to applying it to a zone-policy. + +I create/configure the interfaces first. Build out the rulesets for each +zone-pair-direction which includes at least the three state rules. Then I setup +the zone-policies. + +Zones do not allow for a default action of accept; either drop or reject. +It is important to remember this because if you apply an interface to a zone +and commit, any active connections will be dropped. Specifically, if you are +SSH’d into VyOS and add local or the interface you are connecting through to a +zone and do not have rulesets in place to allow SSH and established sessions, +you will not be able to connect. + +The following are the rules that were created for this example +(may not be complete), both in IPv4 and IPv6. If there is no IP specified, +then the source/destination address is not explicit. + +.. 
code-block:: sh + + WAN – DMZ:192.168.200.200 – tcp/80 + WAN – DMZ:192.168.200.200 – tcp/443 + WAN – DMZ:192.168.200.200 – tcp/25 + WAN – DMZ:192.168.200.200 – tcp/53 + WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/80 + WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/443 + WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/25 + WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/53 + + DMZ - Local - tcp/53 + DMZ - Local - tcp/123 + DMZ - Local - tcp/67,68 + + LAN - Local - tcp/53 + LAN - Local - tcp/123 + LAN - Local - tcp/67,68 + LAN:192.168.100.10 - Local - tcp/22 + LAN:2001:0DB8:0:AAAA::10 - Local - tcp/22 + + LAN - WAN - tcp/80 + LAN - WAN - tcp/443 + LAN - WAN - tcp/22 + LAN - WAN - tcp/20,21 + + DMZ - WAN - tcp/80 + DMZ - WAN - tcp/443 + DMZ - WAN - tcp/22 + DMZ - WAN - tcp/20,21 + DMZ - WAN - tcp/53 + DMZ - WAN - udp/53 + + Local - WAN - tcp/80 + Local - WAN - tcp/443 + Local - WAN - tcp/20,21 + + Local - DMZ - tcp/25 + Local - DMZ - tcp/67,68 + Local - DMZ - tcp/53 + Local - DMZ - udp/53 + + Local - LAN - tcp/67,68 + + LAN - DMZ - tcp/80 + LAN - DMZ - tcp/443 + LAN - DMZ - tcp/993 + LAN:2001:0DB8:0:AAAA::10 - DMZ:2001:0DB8:0:BBBB::200 - tcp/22 + LAN:192.168.100.10 - DMZ:192.168.200.200 - tcp/22 + +Since we have 4 zones, we need to setup the following rulesets. + +.. code-block:: sh + + Lan-wan + Lan-local + Lan-dmz + Wan-lan + Wan-local + Wan-dmz + Local-lan + Local-wan + Local-dmz + Dmz-lan + Dmz-wan + Dmz-local + +Even if the two zones will never communicate, it is a good idea to create the +zone-pair-direction rulesets and set enable-default-log. This will allow you to +log attempts to access the networks. Without it, you will never see the +connection attempts. + +This is an example of the three base rules. + +.. code-block:: sh + + name wan-lan { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + } + + +Here is an example of an IPv6 DMZ-WAN ruleset. 
+ +.. code-block:: sh + + ipv6-name dmz-wan-6 { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + rule 100 { + action accept + log enable + protocol ipv6-icmp + } + rule 200 { + action accept + destination { + port 80,443 + } + log enable + protocol tcp + } + rule 300 { + action accept + destination { + port 20,21 + } + log enable + protocol tcp + } + rule 500 { + action accept + destination { + port 25 + } + log enable + protocol tcp + source { + address 2001:db8:0:BBBB::200 + } + } + rule 600 { + action accept + destination { + port 53 + } + log enable + protocol tcp_udp + source { + address 2001:db8:0:BBBB::200 + } + } + rule 800 { + action accept + destination { + port 22 + } + log enable + protocol tcp + } + } + +Once you have all of your rulesets built, then you need to create your +zone-policy. + +Start by setting the interface and default action for each zone. + +.. code-block:: sh + + set zone-policy zone dmz default-action drop + set zone-policy zone dmz interface eth0.30 + +In this case, we are setting the v6 ruleset that represents traffic sourced +from the LAN, destined for the DMZ. +Because the zone-policy firewall syntax is a little awkward, I keep it straight +by thinking of it backwards. + + set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6 + +dmz-lan policy is lan-dmz. You can get a rhythm to it when you build out a bunch at one time. + +In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is. +== IPv6 Tunnel == + +If you are using a IPv6 tunnel from HE.net or someone else, the basis is the same except you have two WAN interface. One for v4 and one for v6. 
+ +You would have 5 zones instead of just 4 and you would configure your v6 ruleset between your tunnel interface and your LAN/DMZ zones instead of to the WAN. + +LAN, WAN, DMZ, local and TUN (tunnel) + +v6 pairs would be: + +.. code-block:: sh + + lan-tun + lan-local + lan-dmz + tun-lan + tun-local + tun-dmz + local-lan + local-tun + local-dmz + dmz-lan + dmz-tun + dmz-local + +Notice, none go to WAN since WAN wouldn't have a v6 address on it. + +You would have to add a couple of rules on your wan-local ruleset to allow protocol 41 in. + +Something like: + +.. code-block:: sh + + rule 400 { + action accept + destination { + address 172.16.10.1 + } + log enable + protocol 41 + source { + address ip.of.tunnel.broker + } + } + diff --git a/docs/appendix/releasenotes.rst b/docs/appendix/releasenotes.rst new file mode 100644 index 00000000..a2d9616e --- /dev/null +++ b/docs/appendix/releasenotes.rst 
@@ -0,0 +1,50 @@ +.. _releasenotes: + +Release notes +############# + +1.2 (Crux) +========== + +1.2.1 +----- + +VyOS 1.2.1 is a maintenance release made in April 2019. + +Resolved issues +^^^^^^^^^^^^^^^ + +* Package updates: kernel 4.19.32, open-vm-tools 10.3, latest Intel NIC drivers. +* The kernel now includes drivers for various USB serial adapters, which allows people to add a serial console to a machine without onboard RS232, or connect to something else from the router (`T1326 <https://phabricator.vyos.net/T1326>`_). +* The collection of network card firmware is now much more extensive. +* VRRP now correctly uses a virtual rather than physical MAC addresses in the RFC-compliant mode (`T1271 <https://phabricator.vyos.net/T1271>`_). +* DHCP WPAD URL option works correctly again (`T1330 <https://phabricator.vyos.net/T1330>`_) +* Many to many NAT rules now can use source/destination and translation networks of non-matching size (`T1312 <https://phabricator.vyos.net/T1312>`_). If 1:1 network bits translation is desired, it’s now user’s responsibility to check if prefix length matches. +* IPv6 network prefix translation is fixed (`T1290 <https://phabricator.vyos.net/T1290>`_). +* Non-alphanumeric characters such as “>” can now be safely used in PPPoE passwords (`T1308 <https://phabricator.vyos.net/T1308>`_). +* “show | commands” no longer fails when a config section ends with a leaf node such as “timezone” in “show system | commands” (`T1305 <https://phabricator.vyos.net/T1305>`_). +* “show | commands” correctly works in config mode now (`T1235 <https://phabricator.vyos.net/T1235>`_). +* VTI is now compatible with the DHCP-interface IPsec option (`T1298 <https://phabricator.vyos.net/T1298>`_). +* “show dhcp server statistics” command was broken in latest Crux (`T1277 <https://phabricator.vyos.net/T1277>`_). +* An issue with TFTP server refusing to listen on addresses other than loopback was fixed (`T1261 <https://phabricator.vyos.net/T1261>`_). 
+* Template issue that might cause UDP broadcast relay fail to start is fixed (`T1224 <https://phabricator.vyos.net/T1224>`_). +* VXLAN value validation is improved (`T1067 <https://phabricator.vyos.net/T1067>`_). +* Blank hostnames in DHCP updates no longer can crash DNS forwarding (`T1211 <https://phabricator.vyos.net/T1211>`_). +* Correct configuration is now generated for DHCPv6 relays with more than one upstream interface (`T1322 <https://phabricator.vyos.net/T1322>`_). +* “relay-agents-packets” option works correctly now (`T1234 <https://phabricator.vyos.net/T1234>`_). +* Dynamic DNS data is now cleaned on configuration change (`T1231 <https://phabricator.vyos.net/T1231>`_). +* Remote Syslog can now use a fully qualified domain name (`T1282 <https://phabricator.vyos.net/T1282>`_). +* ACPI power off works again (`T1279 <https://phabricator.vyos.net/T1279>`_). +* Negation in WAN load balancing rules works again (`T1247 <https://phabricator.vyos.net/T1247>`_). +* FRR’s staticd now starts on boot correctly (`T1218 <https://phabricator.vyos.net/T1218>`_). +* The installer now correctly detects SD card devices (`T1296 <https://phabricator.vyos.net/T1296>`_). +* Wireguard peers can be disabled now (`T1225 <https://phabricator.vyos.net/T1225>`_). +* The issue with wireguard interfaces impossible to delete is fixed (`T1217 <https://phabricator.vyos.net/T1217>`_). +* Unintended IPv6 access is fixed in SNMP configuration (`T1160 <https://phabricator.vyos.net/T1160>`_). +* It’s now possible to exclude hosts from the transparent web proxy (`T1060 <https://phabricator.vyos.net/T1060>`_). +* An issue with rules impossible to delete from the zone-based firewall is fixed (`T484 <https://phabricator.vyos.net/T484>`_). + +Earlier releases +================ + +See `the wiki <https://wiki.vyos.net/wiki/1.2.0/release_notes>`_. diff --git a/docs/appendix/troubleshooting.rst b/docs/appendix/troubleshooting.rst new file mode 100644 index 00000000..e5b9b7a9 --- /dev/null 
+++ b/docs/appendix/troubleshooting.rst 
@@ -0,0 +1,341 @@ +.. _troubleshooting: + +Troubleshooting +=============== + +Sometimes things break or don't work as expected. This section describes +several troubleshooting tools provided by VyOS that can help when something +goes wrong. + +Basic Connectivity Verification +------------------------------- + +Verifying connectivity can be done with the familiar `ping` and `traceroute` +commands. The options for each are shown (the options for each command were +displayed using the built-in help as described in the :ref:`cli` +section and are omitted from the output here): + +.. code-block:: sh + + vyos@vyos:~$ ping + Possible completions: + <hostname> Send Internet Control Message Protocol (ICMP) echo request + <x.x.x.x> + <h:h:h:h:h:h:h:h> + +Several options are available when more extensive troubleshooting is needed: + +.. code-block:: sh + + vyos@vyos:~$ ping 8.8.8.8 + Possible completions: + <Enter> Execute the current command + adaptive Ping options + allow-broadcast + audible + bypass-route + count + deadline + flood + interface + interval + mark + no-loopback + numeric + pattern + quiet + record-route + size + timestamp + tos + ttl + verbose + +.. code-block:: sh + + vyos@vyos:~$ traceroute + Possible completions: + <hostname> Track network path to specified node + <x.x.x.x> + <h:h:h:h:h:h:h:h> + ipv4 Track network path to <hostname|IPv4 address> + ipv6 Track network path to <hostname|IPv6 address> + +However, another tool, mtr_, is available which combines ping and traceroute +into a single tool. An example of its output is shown: + +.. code-block:: sh + + vyos@vyos:~$ mtr 10.62.212.12 + + My traceroute [v0.85] + vyos (0.0.0.0) + Keys: Help Display mode Restart statistics Order of fields quit + Packets Pings + Host Loss% Snt Last Avg Best Wrst StDev + 1. 10.11.110.4 0.0% 34 0.5 0.5 0.4 0.8 0.1 + 2. 10.62.255.184 0.0% 34 1.1 1.0 0.9 1.4 0.1 + 3. 10.62.255.71 0.0% 34 1.4 1.4 1.3 2.0 0.1 + 4. 10.62.212.12 0.0% 34 1.6 1.6 1.6 1.7 0.0 + +.. 
note:: The output of ``mtr`` consumes the screen and will replace your + command prompt. + +Several options are available for changing the display output. Press `h` to +invoke the built in help system. To quit, just press `q` and you'll be returned +to the VyOS command prompt. + +Monitoring +---------- + +Network Interfaces +^^^^^^^^^^^^^^^^^^ + +It's possible to monitor network traffic, either at the flow level or protocol +level. This can be useful when troubleshooting a variety of protocols and +configurations. The following interface types can be monitored: + +.. code-block:: sh + + vyos@vyos:~$ monitor interfaces + Possible completions: + <Enter> Execute the current command + bonding Monitor a bonding interface + bridge Monitor a bridge interface + ethernet Monitor a ethernet interface + loopback Monitor a loopback interface + openvpn Monitor an openvpn interface + pppoe Monitor pppoe interface + pseudo-ethernet + Monitor a pseudo-ethernet interface + tunnel Monitor a tunnel interface + vrrp Monitor a vrrp interface + vti Monitor a vti interface + wireless Monitor wireless interface + +To monitor traffic flows, issue the :code:`monitor interfaces <type> <name> flow` +command, replacing `<type>` and `<name>` with your desired interface type and +name, respectively. Output looks like the following: + +.. code-block:: sh + + 12.5Kb 25.0Kb 37.5Kb 50.0Kb 62.5Kb + ???????????????????????????????????????????????????????????????????????????????????????????????????? + 10.11.111.255 => 10.11.110.37 0b 0b 0b + <= 624b 749b 749b + 10.11.110.29 => 10.62.200.11 0b 198b 198b + <= 0b 356b 356b + 255.255.255.255 => 10.11.110.47 0b 0b 0b + <= 724b 145b 145b + 10.11.111.255 => 10.11.110.47 0b 0b 0b + <= 724b 145b 145b + 10.11.111.255 => 10.11.110.255 0b 0b 0b + <= 680b 136b 136b + ???????????????????????????????????????????????????????????????????????????????????????????????????? 
+ TX: cumm: 26.7KB peak: 40.6Kb rates: 23.2Kb 21.4Kb 21.4Kb + RX: 67.5KB 63.6Kb 54.6Kb 54.0Kb 54.0Kb + TOTAL: 94.2KB 104Kb 77.8Kb 75.4Kb 75.4Kb + +Several options are available for changing the display output. Press `h` to +invoke the built in help system. To quit, just press `q` and you'll be returned +to the VyOS command prompt. + +To monitor interface traffic, issue the :code:`monitor interfaces <type> <name> +traffic` command, replacing `<type>` and `<name>` with your desired interface +type and name, respectively. This command invokes the familiar tshark_ utility +and the following options are available: + +.. code-block:: sh + + vyos@vyos:~$ monitor interfaces ethernet eth0 traffic + Possible completions: + <Enter> Execute the current command + detail Monitor detailed traffic for the specified ethernet interface + filter Monitor filtered traffic for the specified ethernet interface + save Save monitored traffic to a file + unlimited Monitor traffic for the specified ethernet interface + +To quit monitoring, press `Ctrl-c` and you'll be returned to the VyOS command +prompt. The `detail` keyword provides verbose output of the traffic seen on +the monitored interface. The `filter` keyword accepts valid `PCAP filter +expressions`_, enclosed in single or double quotes (e.g. "port 25" or "port 161 +and udp"). The `save` keyword allows you to save the traffic dump to a file. +The `unlimited` keyword is used to specify that an unlimited number of packets +can be captured (by default, 1,000 packets are captured and you're returned to +the VyOS command prompt). + +Interface Bandwith +^^^^^^^^^^^^^^^^^^ + +to take a quick view on the used bandwith of an interface use the ``monitor bandwith`` command + +.. code-block:: sh + + vyos@vyos:~$ monitor bandwidth interface eth0 + +show the following: + +.. 
code-block:: sh + + eth0 bmon 3.5 + Interfaces │ RX bps pps %│ TX bps pps % + >eth0 │ 141B 2 │ 272B 1 + ───────────────────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────── + B (RX Bytes/second) + 198.00 .|....|..................................................... + 165.00 .|....|..................................................... + 132.00 ||..|.|..................................................... + 99.00 ||..|.|..................................................... + 66.00 |||||||..................................................... + 33.00 |||||||..................................................... + 1 5 10 15 20 25 30 35 40 45 50 55 60 + KiB (TX Bytes/second) + 3.67 ......|..................................................... + 3.06 ......|..................................................... + 2.45 ......|..................................................... + 1.84 ......|..................................................... + 1.22 ......|..................................................... + 0.61 :::::||..................................................... + 1 5 10 15 20 25 30 35 40 45 50 55 60 + + ───────────────────────────────────────── Press d to enable detailed statistics ──────────────────────────────────────── + ─────────────────────────────────────── Press i to enable additional information ─────────────────────────────────────── + Wed Apr 3 14:46:59 2019 Press ? for help + +| Press ``d`` for more detailed informations or ``i`` for additional information. +| To exit press ``q`` and than ``y`` + +Interface performance +^^^^^^^^^^^^^^^^^^^^^ + +To take a look on the network bandwith between two nodes, the ``monitor bandwidth-test`` command is used to run iperf. + +.. 
code-block:: sh + + vyos@vyos:~$ monitor bandwidth-test + Possible completions: + accept Wait for bandwidth test connections (port TCP/5001) + initiate Initiate a bandwidth test + +| The ``accept`` command open a listen iperf server on TCP Port 5001 +| The ``initiate`` command conncet to this server. + +.. code-block:: sh + + vyos@vyos:~$ monitor bandwidth-test initiate + Possible completions: + <hostname> Initiate a bandwidth test to specified host (port TCP/5001) + <x.x.x.x> + <h:h:h:h:h:h:h:h> + + +Monitor command +^^^^^^^^^^^^^^^ + +The ``monitor command`` command allows you to repeatedly run a command to view a continuously refreshed output. +The command is run and output every 2 seconds, allowing you to monitor the output continuously without having to re-run the command. This can be useful to follow routing adjacency formation. + +.. code-block:: sh + + vyos@router:~$ monitor command "show interfaces" + +Will clear the screen and show you the output of ``show interfaces`` every 2 seconds. + +.. code-block:: sh + + Every 2.0s: /opt/vyatta/bin/vyatta-op-cmd-wrapper s... Sun Mar 26 02:49:46 2019 + + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 192.168.1.1/24 u/u + eth0.5 198.51.100.4/24 u/u WAN + lo 127.0.0.1/8 u/u + ::1/128 + vti0 172.32.254.2/30 u/u + vti1 172.32.254.9/30 u/u + +Clear Command +------------- + +Sometimes you need to clear counters or statistics to troubleshoot better. + +To do this use the ``clear`` command in Operational mode. + +to clear the console output + +.. code-block:: sh + + vyos@vyos:~$ clear console + +to clear interface counters + +.. code-block:: sh + + # clear all interfaces + vyos@vyos:~$ clear interface ethernet counters + # clear specific interface + vyos@vyos:~$ clear interface ehternet eth0 counters + +The command follow the same logic as the ``set`` command in configuration mode. + +.. 
code-block:: sh + + # clear all counters of a interface type + vyos@vyos:~$ clear interface <interface_type> counters + # clear counter of a interface in interface_type + vyos@vyos:~$ clear interface <interface_type> <interace_name> counters + + +to clear counters on firewall rulesets or single rules + +.. code-block:: sh + + vyos@vyos:~$ clear firewall name <ipv4 ruleset name> counters + vyos@vyos:~$ clear firewall name <ipv4 ruleset name> rule <rule#> counters + + vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> counters + vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> rule <rule#> counters + + +Basic System Information +------------------------ + +Boot steps +^^^^^^^^^^ + +VyOS 1.2.0+ uses `Debian Jessie`_ as the base Linux operating system. +Jessie was the first version of Debian that uses `systemd`_ as the default init system. + +These are the boot steps for VyOS 1.2.0+ + +1. The BIOS loads Grub (or isolinux for the Live CD) +2. Grub then starts the Linux boot and loads the Linux Kernel ``/boot/vmlinuz`` +3. Kernel Launches Systemd ``/lib/systemd/systemd`` +4. Systemd loads the VyOS service file ``/lib/systemd/system/vyos-router.service`` +5. The service file launches the VyOS router init script ``/usr/libexec/vyos/init/vyos-router`` - this is part of the `vyatta-cfg`_ Debian package + + 1. Starts FRR_ - successor to `GNU Zebra`_ and `Quagga`_ + + 2. Initialises the boot configuration file - copies over ``config.boot.default`` if there is no configuration + 3. Runs the configuration migration, if the configuration is for an older version of VyOS + 4. Runs The pre-config script, if there is one ``/config/scripts/vyos-preconfig-bootup.script`` + 5. If the config file was upgraded, runs any post upgrade scripts ``/config/scripts/post-upgrade.d`` + 6. Starts **rl-system** and **firewall** + 7. Mounts the ``/boot`` partition + 8. 
The boot configuration file is then applied by ``/opt/vyatta/sbin/vyatta-boot-config-loader /opt/vyatta/etc/config/config.boot`` + + 1. The config loader script writes log entries to ``/var/log/vyatta-config-loader.log`` + + 10. Runs ``telinit q`` to tell the init system to reload ``/etc/inittab`` + 11. Finally it runs the post-config script ``/config/scripts/vyos-postconfig-bootup.script`` + +.. _Quagga: http://www.quagga.net/ +.. _`GNU Zebra`: https://www.gnu.org/software/zebra/ +.. _FRR: https://frrouting.org/ +.. _vyatta-cfg: https://github.com/vyos/vyatta-cfg +.. _systemd: _https://freedesktop.org/wiki/Software/systemd/ +.. _`Debian Jessie`: https://www.debian.org/releases/jessie/ +.. _mtr: http://www.bitwizard.nl/mtr/ +.. _tshark: https://www.wireshark.org/docs/man-pages/tshark.html +.. _`PCAP filter expressions`: http://www.tcpdump.org/manpages/pcap-filter.7.html diff --git a/docs/appendix/vyos-on-baremetal.rst b/docs/appendix/vyos-on-baremetal.rst new file mode 100644 index 00000000..bda81116 --- /dev/null +++ b/docs/appendix/vyos-on-baremetal.rst 
@@ -0,0 +1,72 @@ +.. _vyosonbaremetal: + +Running on Bare Metal +##################### + +Intel Atom C3000 +**************** + +I opted to get one of the new Intel Atom C3000 CPUs to spawn VyOS on it. +Running VyOS on an UEFI only device is supported as of VyOS release 1.2. + +Shopping Card +------------- + +* 1x Supermicro CSE-505-203B (19" 1U chassis, inkl. 200W PSU) +* 1x Supermicro MCP-260-00085-0B (I/O Shield for A2SDi-2C-HLN4F) +* 1x Supermicro A2SDi-2C-HLN4F (Intel Atom C3338, 2C/2T, 4MB cache, Quad LAN with + Intel C3000 SoC 1GbE) +* 1x Crucial CT4G4DFS824A (4GB DDR4 RAM 2400 MT/s, PC4-19200) +* 1x SanDisk Ultra Fit 32GB (USB-A 3.0 SDCZ43-032G-G46 mass storage for OS) +* 1x Supermicro MCP-320-81302-0B (optional FAN tray) + +Optional (10GE) +--------------- +If you wan't to get additional ethernet ports or even 10GE connectivity +the following optional parts will be required: + +* 1x Supermicro RSC-RR1U-E8 (Riser Card) +* 1x Supermicro MCP-120-00063-0N (Riser Card Bracket) + +Latest VyOS rolling releases boot without any problem on this board. You also +receive a nice IPMI interface realized with an ASPEED AST2400 BMC (no information +about [OpenBMC](https://www.openbmc.org/)) so far on this motherboard. + +Pictures +-------- + +.. figure:: /_static/images/1u_vyos_back.jpg + :scale: 25 % + :alt: CSE-505-203B Back + +.. figure:: /_static/images/1u_vyos_front.jpg + :scale: 25 % + :alt: CSE-505-203B Front + +.. figure:: /_static/images/1u_vyos_front_open_1.jpg + :scale: 25 % + :alt: CSE-505-203B Open 1 + +.. figure:: /_static/images/1u_vyos_front_open_2.jpg + :scale: 25 % + :alt: CSE-505-203B Open 2 + +.. figure:: /_static/images/1u_vyos_front_open_3.jpg + :scale: 25 % + :alt: CSE-505-203B Open 3 + +.. figure:: /_static/images/1u_vyos_front_10ge_open_1.jpg + :scale: 25 % + :alt: CSE-505-203B w/ 10GE Open 1 + +.. figure:: /_static/images/1u_vyos_front_10ge_open_2.jpg + :scale: 25 % + :alt: CSE-505-203B w/ 10GE Open 2 + +.. 
figure:: /_static/images/1u_vyos_front_10ge_open_3.jpg + :scale: 25 % + :alt: CSE-505-203B w/ 10GE Open 3 + +.. figure:: /_static/images/1u_vyos_front_10ge_open_4.jpg + :scale: 25 % + :alt: CSE-505-203B w/ 10GE Open |
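Review bot: in docs/appendix/examples/index.rst the intro sentence `This chapter contains various configuration Examples` capitalises "Examples" mid-sentence and has no terminating period; suggest `This chapter contains various configuration examples.`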
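Review bot: the `ipv6-name dmz-wan-6` example in docs/appendix/examples/zone-policy.rst is not valid configuration as shown: `rule 2 { ... state { invalid enable }` is never closed before `rule 100 {` begins, so every following rule sits inside rule 2 and the block is one `}` short; add the closing brace after the `state` block. In the same file the rule table lists `DMZ - Local - tcp/123` and `DMZ - Local - tcp/67,68` (and the LAN/Local and Local/DMZ equivalents): NTP and DHCP run over UDP, so rules written with `protocol tcp` on those ports never match and the real traffic falls through to the logged default drop; use `udp/123` and `udp/67,68` (the DNS entries already show the tcp/udp split correctly). The sentence "By default, iptables does not allow traffic for established session to return" is also not accurate: stock iptables chains default to ACCEPT; it is the ruleset's `default-action drop` that discards return traffic unless rule 1 matches it, which is the actual reason rules 1 and 2 are needed. Further points: the text says each ruleset "includes at least the three state rules" but only two are defined (rule 1 established/related, rule 2 invalid); `zone-pair-destinations` should read `zone-pair-directions`; the line `set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6` is indented without a preceding `.. code-block:: sh` and will render as a block quote; `[http://imgur.com/Alz1J.png Topology Image]`, `''...''` and `== IPv6 Tunnel ==` are MediaWiki markup left over from the wiki import and need the RST forms (`` `Topology Image <http://imgur.com/Alz1J.png>`_ ``, `*...*`, and a `^^^^` underlined heading like the other subsections); and "In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections" announces a full configuration that is not in the file, so either add it or drop the sentence.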
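Review bot: docs/appendix/releasenotes.rst mixes bullets that end with a period and ones that do not (the DHCP WPAD and TFTP entries, for example); pick one. The entry `Unintended IPv6 access is fixed in SNMP configuration (T1160)` describes an exposure fix and should say what the unintended access was (which listener or address family was reachable without being configured) so operators scanning the notes can tell that it warrants an upgrade, rather than sitting unremarked between template and validation fixes. `latest Intel NIC drivers` is not something a reader can verify; state the driver versions the way the kernel and open-vm-tools versions are stated. Grammar: `a virtual rather than physical MAC addresses` should be `a virtual rather than a physical MAC address`; `Many to many NAT` should be `Many-to-many NAT` and `it's now user's responsibility` should be `it is now the user's responsibility`; `no longer can crash` reads better as `can no longer crash`; `The issue with wireguard interfaces impossible to delete is fixed` should be `Wireguard interfaces that could not be deleted can now be deleted`.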
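Review bot: in docs/appendix/troubleshooting.rst the "Clear Command" example `vyos@vyos:~$ clear interface ehternet eth0 counters` misspells `ethernet`, so anyone pasting it gets an error; the same section has `<interace_name>` and `The command follow the same logic` (should be `follows`). The link target `.. _systemd: _https://freedesktop.org/wiki/Software/systemd/` has a stray leading underscore on the URL, which breaks the `systemd`_ reference in the Boot steps section. The Boot steps nested list jumps from sub-item 8 (with its own nested `1.`) straight to `10.` and `11.`, so either a step 9 is missing or the numbers need renumbering, and the blank line between sub-items 1 and 2 splits the list in RST. The "Interface Bandwith" heading and sentence misspell bandwidth, and the prose names the command `monitor bandwith` while the example correctly runs `monitor bandwidth interface eth0`. Under "Interface performance", `monitor bandwidth-test accept` starts an iperf listener on TCP/5001 that any host able to reach the router on that port can connect to; add a sentence saying it should only be run on trusted links, that the firewall rules for the local zone must permit 5001 for the test to work, and that it should be stopped (Ctrl-c) as soon as the test is done. Minor: `conncet` -> `connect`, `informations` -> `information`, `than y` -> `then y`, `To take a look on the network bandwith` -> `To measure the network bandwidth`; the opening paragraph says the options "are shown" and then that they "are omitted from the output here", which contradicts itself; and the flow-monitor output contains runs of `?` where box-drawing characters were lost to an encoding problem.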
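Review bot: docs/appendix/vyos-on-baremetal.rst uses Markdown link syntax `[OpenBMC](https://www.openbmc.org/)` inside RST, which renders literally; use `` `OpenBMC <https://www.openbmc.org/>`_ ``. The sentence around it, "realized with an ASPEED AST2400 BMC (no information about OpenBMC so far on this motherboard)", is hard to parse; suggest "... an ASPEED AST2400 BMC; whether OpenBMC supports this board is not known". Also `Shopping Card` -> `Shopping Cart` (or `Parts list`), `inkl.` -> `incl.`, `wan't` -> `want`, `an UEFI only device` -> `a UEFI-only device`, and the last figure's alt text `CSE-505-203B w/ 10GE Open` lacks the number the other figures carry.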