path: root/docs/appendix
Diffstat (limited to 'docs/appendix')
-rw-r--r-- docs/appendix/commandtree/configmode.rst 524
-rw-r--r-- docs/appendix/commandtree/index.rst 17
-rw-r--r-- docs/appendix/commandtree/operationmode.rst 444
-rw-r--r-- docs/appendix/examples/dmvpn.rst 105
-rw-r--r-- docs/appendix/examples/index.rst 13
-rw-r--r-- docs/appendix/examples/zone-policy.rst 379
-rw-r--r-- docs/appendix/releasenotes.rst 50
-rw-r--r-- docs/appendix/troubleshooting.rst 341
-rw-r--r-- docs/appendix/vyos-on-baremetal.rst 72
9 files changed, 1945 insertions, 0 deletions
diff --git a/docs/appendix/commandtree/configmode.rst b/docs/appendix/commandtree/configmode.rst
new file mode 100644
index 00000000..abb20f98
--- /dev/null
+++ b/docs/appendix/commandtree/configmode.rst
@@ -0,0 +1,524 @@
+.. _commandtree_configmode:
+
+Configuration mode
+------------------
+
+.. code-block:: sh
+
+ confirm Confirm prior commit-confirm
+ comment Add comment to this configuration element
+ commit Commit the current set of changes
+ commit-confirm Commit the current set of changes with 'confirm' required
+ compare Compare configuration revisions
+ copy Copy a configuration element
+ delete Delete a configuration element
+ discard Discard uncommitted changes
+ edit Edit a sub-element
+ exit Exit from this configuration level
+ load Load configuration from a file and replace running configuration
+ loadkey Load user SSH key from a file
+ merge Load configuration from a file and merge running configuration
+ rename Rename a configuration element
+ rollback Rollback to a prior config revision (requires reboot)
+ run Run an operational-mode command
+ save Save configuration to a file
+ set Set the value of a parameter or create a new element
+ show Show the configuration (default values may be suppressed)
+
+
+Confirm
+^^^^^^^
+
+The ``confirm`` command confirms the prior ``commit-confirm``.
+
+Comment
+^^^^^^^
+
+The ``comment`` commands allow you to insert a comment above the current configuration section.
+The command cannot be used at the top of the configuration hierarchy, only on subsections. Comments needs to be commited, just like other config changes.
+
+To add a comment to a section, while being already at the proper section level:
+
+.. code-block:: sh
+
+ [edit <section>]
+ vyos@vyos# comment "Type Comment Here"
+
+To add a comment directly to a section, from the top or a higher section:
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# comment <section> "Type Comment Here"
+
+To remove a comment, add a blank comment to overwrite:
+
+.. code-block:: sh
+
+ [edit <section>]
+ vyos@vyos# comment ""
+
+Examples
+********
+
+To add a comment to the "interfaces" section:
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# edit interfaces
+ [edit interfaces]
+ vyos@vyos# comment "Here is a comment"
+ [edit interfaces]
+ vyos@vyos# commit
+
+The comment would then appear like this:
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# show
+ /* Here is a comment */
+ interfaces {
+ ethernet eth0 {
+ [...]
+
+
+An important thing to note is that since the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the ``show interfaces`` command would return starting after the "interfaces {" line, hiding the comment:
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# show interfaces
+ ethernet eth0 {
+ [...]
+
+
+To add a comment to the interfaces section from the top:
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# comment interfaces "test"
+
+
+The comment can be added to any node that already exists, even if it's multiple levels lower:
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# comment interfaces ethernet eth0 vif 222 address "Far down comment"
+
+
+Commit
+^^^^^^
+
+The ``commit`` command commits the proposed changes to the configuration file.
+Every changes done in the configuration session is only applied when the configuration is committed. To view the changes that will be applied, use the show command.
+To discard the changes without committing, use the ``discard`` command. The ``commit`` command doesn't save the configuration, you need to manually use the ``save`` command.
+
+The confirm keyword can be added, see ``commit-confirm``. A comment can be entered, it will appear in the commit log.
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# commit
+ Possible completions:
+ <Enter> Commit working configuration
+ comment Comment for commit log
+
+Commit-confirm
+^^^^^^^^^^^^^^
+
+The ``commit-confirm`` command commits the proposed changes to the configuration file and starts a timer.
+If the ``confirm`` command is not entered before the timer expiration, the configuration will be rolled back and VyOS will reboot.
+The default timer value is 10 minutes, but a custom value can be entered.
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# commit-confirm
+ Possible completions:
+ <Enter> Commit, rollback/reboot in 10 minutes if no confirm
+ <N> Commit, rollback/reboot in N minutes if no confirm
+ comment Comment for commit log
+
+
+Compare
+^^^^^^^
+
+VyOS maintains backups of previous configurations. To compare configuration revisions in configuration mode, use the compare command:
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# compare
+ Possible completions:
+ <Enter> Compare working & active configurations
+ saved Compare working & saved configurations
+ <N> Compare working with revision N
+ <N> <M> Compare revision N with M
+
+ Revisions:
+ 0 2019-03-20 20:57:22 root by boot-config-loader
+ 1 2019-03-15 20:00:04 root by boot-config-loader
+ 2 2019-03-05 01:58:39 vyos by cli
+ 3 2019-03-05 01:54:59 vyos by cli
+ 4 2019-03-05 01:53:08 vyos by cli
+ 5 2019-03-05 01:52:21 vyos by cli
+ 6 2019-02-24 21:01:24 root by boot-config-loader
+ 7 2019-02-21 22:00:12 vyos by cli
+ 8 2019-02-21 21:56:49 vyos by cli
+
+
+Copy
+^^^^
+
+The ``copy`` command allows you to copy a configuration object.
+
+Copy the configuration entrys from a firewall name WAN rule 1 to rule 2.
+
+.. code-block:: sh
+
+ [edit firewall name WAN]
+ vyos@vyos# show
+ rule 1 {
+ action accept
+ source {
+ address 10.1.0.0/24
+ }
+ }
+ [edit firewall name WAN]
+ vyos@vyos# copy rule 1 to rule 2
+ [edit firewall name WAN]
+ vyos@vyos# show
+ rule 1 {
+ action accept
+ source {
+ address 10.1.0.0/24
+ }
+ }
+ +rule 2 {
+ + action accept
+ + source {
+ + address 10.1.0.0/24
+ + }
+ +}
+
+Delete
+^^^^^^
+
+The ``delte`` command is to delete a configuration entry.
+
+This Example delete the hole ``service tftp-server`` section.
+
+.. code-block:: sh
+
+ delete service tftp-server
+
+Discard
+^^^^^^^
+
+The ``discard`` command removes all pending configuration changes.
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# discard
+
+ Changes have been discarded
+
+Edit
+^^^^
+
+The ``edit`` command allows you to navigate down into the configuration tree.
+To get back to an upper level, use the ``up`` command or use the ``top`` command to get back to the upper most level.
+The ``[edit]`` text displays where the user is located in the configuration tree.
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# edit interfaces
+ [edit interfaces]
+ vyos@vyos# edit ethernet eth0
+ [edit interfaces ethernet eth0]
+
+Exit
+^^^^
+
+The ``exit`` command exits the current configuration mode. If the current configuration level isn't the top-most, then the configuration level is put back to the top-most level.
+If the configuration level is at the top-most level, then it exits the configuration mode and returns to operational mode.
+The ``exit`` command cannot be used if uncommitted changes exists in the configuration file. To exit with uncommitted changes, you either need to use the ``exit discard`` command or you need to commit the changes before exiting.
+The ``exit`` command doesn't save the configuration, only the ``save`` command does. A warning will be given when exiting with unsaved changes. Using the ``exit`` command in operational mode will logout the session.
+
+
+Exiting from a configuration level:
+
+
+.. code-block:: sh
+
+ [edit interfaces ethernet eth0]
+ vyos@vyos# exit
+ [edit]
+ vyos@vyos#
+
+Exiting from configuration mode:
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# exit
+ exit
+ vyos@vyos:~$
+
+Exiting from operational mode:
+
+.. code-block:: sh
+
+ vyos@vyos:~$ exit
+ logout
+
+Error message when trying to exit with uncommitted changes:
+
+.. code-block:: sh
+
+ vyos@vyos# exit
+ Cannot exit: configuration modified.
+ Use 'exit discard' to discard the changes and exit.
+ [edit]
+ vyos@vyos#
+
+
+Warning message when exiting with unsaved changes:
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# exit
+ Warning: configuration changes have not been saved.
+ exit
+ vyos@vyos:~$
+
+Load
+^^^^
+
+The ``load`` command load a configuration from a local or remote file. You have to be use ``commit`` to make the change active
+
+.. code-block:: sh
+
+ <Enter> Load from system config file
+ <file> Load from file on local machine
+ scp://<user>:<passwd>@<host>/<file> Load from file on remote machine
+ sftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
+ ftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
+ http://<host>/<file> Load from file on remote machine
+ https://<host>/<file> Load from file on remote machine
+ tftp://<host>/<file> Load from file on remote machine
+
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# load
+ Loading configuration from '/config/config.boot'...
+
+ Load complete. Use 'commit' to make changes active.
+
+
+Loadkey
+^^^^^^^^
+
+Copies the content of a public key to the ~/.ssh/authorized_keys file.
+
+.. code-block:: sh
+
+ loadkey <username> [tab]
+
+ <file> Load from file on local machine
+ scp://<user>@<host>/<file> Load from file on remote machine
+ sftp://<user>@<host>/<file> Load from file on remote machine
+ ftp://<user>@<host>/<file> Load from file on remote machine
+ http://<host>/<file> Load from file on remote machine
+ tftp://<host>/<file> Load from file on remote machine
+
+Merge
+^^^^^
+
+The ``merge`` command merge the config from a local or remote file with the running config.
+
+In the example below exist a ``default-firewall.config`` file with some common firewall rules you saved earlier.
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# show firewall
+ Configuration under specified path is empty
+ [edit]
+ vyos@vyos# merge default-firewall.config
+ Loading configuration from '/config/default-firewall.config'...
+
+ Merge complete. Use 'commit' to make changes active.
+ [edit]
+ vyos@vyos#
+
+ vyos@vyos# show firewall
+ +all-ping enable
+ +broadcast-ping disable
+ +config-trap disable
+ +ipv6-receive-redirects disable
+ +ipv6-src-route disable
+ +ip-src-route disable
+ +log-martians enable
+ +name WAN {
+ + default-action drop
+ + rule 1 {
+ + action accept
+ + source {
+ + address 10.1.0.0/24
+ + }
+ + }
+ + rule 2 {
+ + action accept
+ + source {
+ + address 10.1.0.0/24
+ + }
+ ......
+
+
+Rename
+^^^^^^
+
+The ``rename`` command allows you to rename or move a configuration object.
+
+See here how to move the configuration entrys from vlanid 3 to 2
+
+.. code-block:: sh
+
+ [edit interfaces ethernet eth1]
+ vyos@vyos# show
+ duplex auto
+ hw-id 08:00:27:81:c6:59
+ smp-affinity auto
+ speed auto
+ vif 3 {
+ address 10.4.4.4/32
+ }
+ [edit interfaces ethernet eth1]
+ vyos@vyos# rename vif 3 to vif 2
+ [edit interfaces ethernet eth1]
+ vyos@vyos# show
+ duplex auto
+ hw-id 08:00:27:81:c6:59
+ smp-affinity auto
+ speed auto
+ +vif 2 {
+ + address 10.4.4.4/32
+ +}
+ -vif 3 {
+ - address 10.4.4.4/32
+ -}
+ [edit interfaces ethernet eth1]
+ vyos@vyos#
+
+
+Rollback
+^^^^^^^^
+
+You can ``rollback`` configuration using the rollback command, however this command will currently trigger a system reboot.
+Use the compare command to verify the configuration you want to rollback to.
+
+.. code-block:: sh
+
+ vyos@vyos# compare 1
+ [edit system]
+ >host-name vyos-1
+ [edit]
+ vyos@vyos# rollback 1
+ Proceed with reboot? [confirm][y]
+
+ Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2018):
+
+ The system is going down for reboot NOW!
+ [edit]
+ vyos@vyos#
+
+Run
+^^^
+
+The ``run`` command allows you to execute any operational mode commands without exiting the configuration session.
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# run show interfaces
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address S/L Description
+ --------- ---------- --- -----------
+ eth0 10.1.1.1/24 u/u
+
+
+Save
+^^^^
+
+The ``save`` command saves the current configuration to non-volatile storage. VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP.
+
+.. code-block:: sh
+
+ <Enter> Save to system config file
+ <file> Save to file on local machine
+ scp://<user>:<passwd>@<host>/<file> Save to file on remote machine
+ sftp://<user>:<passwd>@<host>/<file> Save to file on remote machine
+ ftp://<user>:<passwd>@<host>/<file> Save to file on remote machine
+ tftp://<host>/<file> Save to file on remote machine
+
+Set
+^^^
+
+The ``set`` command create all configuration entrys
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
+
+Show
+^^^^
+
+The ``show`` command in the configuration mode displays the configuration and show uncommitted changes.
+
+Show the hole config, the address and description of eth1 is moving to vlan 2 if you commit the changes.
+
+.. code-block:: sh
+
+ [edit]
+ vyos@vyos# show
+ interfaces {
+ dummy dum0 {
+ address 10.3.3.3/24
+ }
+ ethernet eth0 {
+ address dhcp
+ duplex auto
+ hw-id 08:00:27:2b:c0:0b
+ smp-affinity auto
+ speed auto
+ }
+ ethernet eth1 {
+ - address 10.1.1.1/32
+ - description "MGMT Interface"
+ duplex auto
+ hw-id 08:00:27:81:c6:59
+ smp-affinity auto
+ speed auto
+ + vif 2 {
+ + address 10.1.1.1/32
+ + description "MGMT Interface"
+ + }
+ }
+ loopback lo {
+ }
+ }
+ service {
+ ssh {
+ port 22
+ ...... \ No newline at end of file
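Review bot: the completion listings under Load, Loadkey and Save document ``ftp://``, ``http://`` and ``tftp://`` alongside ``scp://``, ``sftp://`` and ``https://`` with no indication of which transports are unencrypted. A configuration file or an SSH public key fetched over ftp, http or tftp can be read or altered in transit, so add a sentence to each of these sections recommending scp, sftp or https. Also mention that the ``<user>:<passwd>@`` form shown for Load and Save places the password in the command itself. The Save prose names only "SCP, FTP, or TFTP" while its listing also offers ``sftp://``; the two should agree. Spelling: ``delte`` in the Delete section should be ``delete``, "hole" should be "whole" (Delete and Show), and "commited" and "entrys" need fixing. The file also ends without a trailing newline.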
diff --git a/docs/appendix/commandtree/index.rst b/docs/appendix/commandtree/index.rst
new file mode 100644
index 00000000..c3bca008
--- /dev/null
+++ b/docs/appendix/commandtree/index.rst
@@ -0,0 +1,17 @@
+.. _commandtree:
+
+Command tree
+============
+
+See the the full Command tree in Operational mode and Configuration mode
+
+
+
+.. toctree::
+ :maxdepth: 2
+ :hidden:
+
+
+ operationmode
+ configmode
+
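Review bot: the only body sentence, "See the the full Command tree in Operational mode and Configuration mode", has a doubled "the" and no links, and because the toctree is ``:hidden:`` the rendered page gives the reader nothing to click. Either drop ``:hidden:`` or link the two pages in the sentence with the labels this patch already defines, ``commandtree_operationmode`` and ``commandtree_configmode``.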
diff --git a/docs/appendix/commandtree/operationmode.rst b/docs/appendix/commandtree/operationmode.rst
new file mode 100644
index 00000000..487df032
--- /dev/null
+++ b/docs/appendix/commandtree/operationmode.rst
@@ -0,0 +1,444 @@
+.. _commandtree_operationmode:
+
+Operational mode
+----------------
+
+Operational mode allows for commands to perform operational system tasks and view system and service status.
+After this is the first view after the login.
+Please see :ref:`cli` for navigation in the CLI
+
+
+.. code-block:: sh
+
+
+ vyos@vyos:~$ [tab]
+ Possible completions:
+ add Add an object to a service
+ clear Clear system information
+ clone Clone an object
+ configure Enter configure mode
+ connect Establish a connection
+ copy Copy an object
+ delete Delete an object
+ disconnect Take down a connection
+ force Force an operation
+ format Format a device
+ generate Generate an object
+ install Install a new system
+ monitor Monitor system information
+ ping Send IPv4 or IPv6 ICMP (Internet Control Message Protocol) echo requests
+ poweroff Poweroff the system
+ reboot Reboot the system
+ release Release specified variable
+ rename Rename an object
+ renew Renew specified variable
+ reset Reset a service
+ restart Restart a service
+ set Set operational options
+ show Show system information
+ telnet Telnet to a node
+ traceroute Track network path to node
+ update Update data for a service
+
+
+Add
+^^^
+
+.. code-block:: sh
+
+ raid Add a RAID set element
+ system Add an item to a system facility
+
+Clear
+^^^^^
+
+.. code-block:: sh
+
+ console Clear screen
+ firewall Clear firewall statistics
+ flow-accounting Clear flow accounting
+ interfaces Clear interface information
+ ip Clear Internet Protocol (IP) statistics or status
+ ipv6 Clear Internet Protocol (IPv6) statistics or status
+ nat Clear network address translation (NAT) tables
+ policy Clear policy statistics
+
+
+Clone
+^^^^^
+The ``clone`` command allows you to clone a configuration from a system image to another one, or from the running config to another system image.
+To clone the running config to a system image:
+
+.. code-block:: sh
+
+ clone system config <system-image> from running
+
+To clone from system image A to system image B:
+
+.. code-block:: sh
+
+ clone system config <system-image-B> from <system-image-A>
+
+
+Configure
+^^^^^^^^^
+
+The ``configure`` command allows you to enter configuration mode.
+
+.. code-block:: sh
+
+ vyos@vyos:~$ configure
+ [edit]
+ vyos@vyos#
+
+
+Connect
+^^^^^^^
+
+The ``connect`` command allows you to bring up a connection oriented interface, like a pppoe interface.
+
+.. code-block:: sh
+
+ connect interface <interface>
+
+Copy
+^^^^
+
+The ``copy`` command allows you to copy a file to your running config or over images.
+
+It can look like this example:
+
+.. code-block:: sh
+
+ vyos@vyos:~$ copy file [tab]
+ Possible completions:
+ http://<user>:<passwd>@<host>/<file>
+ Copy files from specified source
+ scp://<user>:<passwd>@<host>/<file>
+ ftp://<user>:<passwd>@<host>/<file>
+ tftp://<host>/<file>
+ 1.2.0://config/
+ 1.2.0-rolling+201902251818://config/
+ 1.2.0-rolling+201902201040://config/
+ 1.2.0-rolling+201902080337://config/
+ 1.2.0-H4://config/
+ running://config/
+
+
+To copy from file A to file B:
+
+.. code-block:: sh
+
+ copy <file A> to <file B>
+
+
+Delete
+^^^^^^
+
+.. code-block:: sh
+
+ conntrack Delete Conntrack entries
+ file Delete files in a particular image
+ log Delete a log file
+ raid Remove a RAID set element
+ system Delete system objects
+
+
+Disconnect
+^^^^^^^^^^
+
+The ``disconnect`` command allows you to take down a connection oriented interface, like a pppoe interface.
+
+.. code-block:: sh
+
+ disconnect interface <interface>
+
+Force
+^^^^^
+
+.. code-block:: sh
+
+ arp Send gratuitous ARP request or reply
+ cluster Force a cluster state transition
+
+
+Format
+^^^^^^
+
+The ``format`` command allows you to format a disk the same way as another one.
+
+.. code-block:: sh
+
+ format disk <target> like <source>
+
+Generate
+^^^^^^^^
+
+.. code-block:: sh
+
+ openvpn OpenVPN key generation tool
+ ssh-server-key
+ Regenerate the host SSH keys and restart the SSH server
+ tech-support Generate tech-support archive
+ vpn VPN key generation utility
+ wireguard wireguard key generation utility
+
+Install
+^^^^^^^
+
+The ``install`` command allows you to install the system image on the disk.
+
+.. code-block:: sh
+
+ install image
+
+
+Monitor
+^^^^^^^
+
+``monitor`` can be used to continually view what is happening on the router.
+
+.. code-block:: sh
+
+ bandwidth Monitor interface bandwidth in real time
+ bandwidth-test
+ Initiate or wait for bandwidth test
+ cluster Monitor clustering service
+ command Monitor an operational mode command (refreshes every 2 seconds)
+ conntrack-sync
+ Monitor conntrack-sync
+ content-inspection
+ Monitor Content-Inspection
+ dhcp Monitor Dynamic Host Control Protocol (DHCP)
+ dns Monitor a Domain Name Service (DNS) daemon
+ firewall Monitor Firewall
+ https Monitor the Secure Hypertext Transfer Protocol (HTTPS) service
+ lldp Monitor Link Layer Discovery Protocol (LLDP) daemon
+ log Monitor last lines of messages file
+ nat Monitor network address translation (NAT)
+ openvpn Monitor OpenVPN
+ protocol Monitor routing protocols
+ snmp Monitor Simple Network Management Protocol (SNMP) daemon
+ stop-all Stop all current background monitoring processes
+ traceroute Monitor the path to a destination in realtime
+ traffic Monitor traffic dumps
+ vpn Monitor VPN
+ vrrp Monitor Virtual Router Redundancy Protocol (VRRP)
+ webproxy Monitor Webproxy service
+
+
+Ping
+^^^^
+
+The ``ping`` command allows you to send an ICMP-EchoRequest packet and display the ICMP-EchoReply received.
+
+.. code-block:: sh
+
+ <hostname> Send Internet Control Message Protocol (ICMP) echo request
+ <x.x.x.x>
+ <h:h:h:h:h:h:h:h>
+
+
+Poweroff
+^^^^^^^^
+
+The ``poweroff`` command allows you to properly shut down the VyOS instance. Without any modifier, the command is executed immediately.
+
+.. code-block:: sh
+
+ <Enter> Execute the current command
+ at Poweroff at a specific time
+ cancel Cancel a pending poweroff
+ in Poweroff in X minutes
+ now Poweroff the system without confirmation
+
+Reboot
+^^^^^^
+The ``reboot`` command allows you to properly restart the VyOS instance. Without any modifier, the command is executed immediately.
+
+.. code-block:: sh
+
+ <Enter> Execute the current command
+ at Poweroff at a specific time
+ cancel Cancel a pending poweroff
+ in Poweroff in X minutes
+ now Poweroff the system without confirmation
+
+Release
+^^^^^^^
+
+The ``release`` command allows you to release a DHCP or DHCPv6 lease.
+
+.. code-block:: sh
+
+ vyos@vyos:~$ release dhcp interface <int>
+ vyos@vyos:~$ release dhcpv6 interface <int>
+
+
+Rename
+^^^^^^
+
+The ``rename`` command allows you to rename a system image.
+
+.. code-block:: sh
+
+ rename system image <currentname> <newname>
+
+
+Renew
+^^^^^
+
+The ``renew`` command allows you to renew a DHCP or DHCPv6 lease.
+
+.. code-block:: sh
+
+ vyos@vyos:~$ renew dhcp interface <int>
+ vyos@vyos:~$ renew dhcpv6 interface <int>
+
+Reset
+^^^^^
+
+.. code-block:: sh
+
+ conntrack Reset all currently tracked connections
+ conntrack-sync
+ Reset connection syncing parameters
+ dns Reset a DNS service state
+ firewall reset a firewall group
+ ip Reset Internet Protocol (IP) parameters
+ ipv6 Reset Internet Protocol version 6 (IPv6) parameters
+ nhrp Clear/Purge NHRP entries
+ openvpn Reset OpenVPN
+ terminal Reset terminal
+ vpn Reset Virtual Private Network (VPN) information
+
+Restart
+^^^^^^^
+
+.. code-block:: sh
+
+ cluster Restart cluster node
+ conntrack-sync
+ Restart connection tracking synchronization service
+ dhcp Restart DHCP processes
+ dhcpv6 Restart DHCPv6 processes
+ dns Restart a DNS service
+ flow-accounting
+ Restart flow-accounting service
+ https Restart https server
+ vpn Restart IPsec VPN
+ vrrp Restart the VRRP (Virtual Router Redundancy Protocol) process
+ wan-load-balance
+ Restart WAN load balancing
+ webproxy Restart webproxy service
+
+Set
+^^^
+
+.. code-block:: sh
+
+ <OPTION> Bash builtin set command
+ console Control console behaviors
+ date Set system date and time
+ system Set system operational parameters
+ terminal Control terminal behaviors
+
+Show
+^^^^
+
+.. code-block:: sh
+
+ arp Show Address Resolution Protocol (ARP) information
+ bridge Show bridging information
+ cluster Show clustering information
+ configuration Show available saved configurations
+ conntrack Show conntrack entries in the conntrack table
+ conntrack-sync
+ Show connection syncing information
+ date Show system time and date
+ dhcp Show DHCP (Dynamic Host Configuration Protocol) information
+ dhcpv6 Show DHCPv6 (IPv6 Dynamic Host Configuration Protocol) information
+ disk Show status of disk device
+ dns Show DNS information
+ file Show files for a particular image
+ firewall Show firewall information
+ flow-accounting
+ Show flow accounting statistics
+ hardware Show system hardware details
+ history show command history
+ host Show host information
+ incoming Show ethernet input-policy information
+ interfaces Show network interface information
+ ip Show IPv4 routing information
+ ipv6 Show IPv6 routing information
+ license Show VyOS license information
+ lldp Show lldp
+ log Show contents of current master log file
+ login Show current login credentials
+ monitoring Show currently monitored services
+ nat Show Network Address Translation (NAT) information
+ nhrp Show NHRP info
+ ntp Show peer status of NTP daemon
+ openvpn Show OpenVPN information
+ policy Show policy information
+ poweroff Show scheduled poweroff
+ pppoe-server show pppoe-server status
+ queueing Show ethernet queueing information
+ raid Show statis of RAID set
+ reboot Show scheduled reboot
+ remote-config Show remote side config
+ route-map Show route-map information
+ snmp Show status of SNMP on localhost
+ system Show system information
+ system-integrity
+ checks the integrity of the system
+ table Show routing table
+ tech-support Show consolidated tech-support report (private information removed)
+ users Show user information
+ version Show system version information
+ vpn Show Virtual Private Network (VPN) information
+ vrrp Show VRRP (Virtual Router Redundancy Protocol) information
+ wan-load-balance
+ Show Wide Area Network (WAN) load-balancing information
+ webproxy Show webproxy information
+ wireguard Show wireguard properties
+ zone-policy Show summary of zone policy for a specific zone
+
+Telnet
+^^^^^^
+In the past the ``telnet`` command allowed you to connect remotely to another device using the telnet protocol.
+Telnet is unencrypted and should not use anymore. But its nice to test if an TCP Port to a host is open.
+
+
+.. code-block:: sh
+
+ vyos@vyos:~$ telnet 192.168.1.3 443
+ Trying 192.168.1.3...
+ telnet: Unable to connect to remote host: Network is unreachable
+
+ vyos@vyos:~$ telnet 192.168.1.4 443
+ Trying 192.168.1.4...
+ Connected to 192.168.1.4.
+ Escape character is '^]'.
+
+Traceroute
+^^^^^^^^^^
+
+The ``traceroute`` command allows you to trace the path taken to a particular device.
+
+.. code-block:: sh
+
+ <hostname> Track network path to specified node
+ <x.x.x.x>
+ <h:h:h:h:h:h:h:h>
+ ipv4 Track network path to <hostname|IPv4 address>
+ ipv6 Track network path to <hostname|IPv6 address>
+
+
+Update
+^^^^^^
+
+.. code-block:: sh
+
+ dns Update DNS information
+ webproxy Update webproxy \ No newline at end of file
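Review bot: in the Reboot section the completion listing is pasted from Poweroff unchanged, so ``at``, ``cancel``, ``in`` and ``now`` are all described as poweroff actions ("Cancel a pending poweroff", "Poweroff the system without confirmation"); these four descriptions should say reboot. In the introduction, "After this is the first view after the login." does not parse and needs rewording. The Telnet section says telnet is unencrypted and should no longer be used, then shows it as a port check; say explicitly that it is documented here only as a TCP reachability test and not for remote login. In the Show listing "statis of RAID set" should be "status". The file ends without a trailing newline.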
diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst
new file mode 100644
index 00000000..d3bf45c7
--- /dev/null
+++ b/docs/appendix/examples/dmvpn.rst
@@ -0,0 +1,105 @@
+
+.. _examples-dmvpn:
+
+VyOS DMVPN Hub
+--------------
+
+General infomration can be found in the :ref:`vpn-dmvpn` chapter.
+
+Configuration
+^^^^^^^^^^^^^
+
+.. code-block:: sh
+
+ set interfaces tunnel tun100 address '172.16.253.134/29'
+ set interfaces tunnel tun100 encapsulation 'gre'
+ set interfaces tunnel tun100 local-ip '11.22.33.44'
+ set interfaces tunnel tun100 multicast 'enable'
+ set interfaces tunnel tun100 parameters ip key '1'
+
+ set protocols nhrp tunnel tun100 cisco-authentication '<nhrp secret key>'
+ set protocols nhrp tunnel tun100 holding-time '300'
+ set protocols nhrp tunnel tun100 multicast 'dynamic'
+ set protocols nhrp tunnel tun100 redirect
+ set protocols nhrp tunnel tun100 shortcut
+
+ set vpn ipsec esp-group ESP-HUB compression 'disable'
+ set vpn ipsec esp-group ESP-HUB lifetime '1800'
+ set vpn ipsec esp-group ESP-HUB mode 'tunnel'
+ set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
+ set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
+ set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
+ set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
+ set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
+ set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
+ set vpn ipsec ike-group IKE-HUB lifetime '3600'
+ set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
+ set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
+ set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
+ set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
+ set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
+ set vpn ipsec ipsec-interfaces interface 'eth0'
+
+ set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
+ set vpn ipsec profile NHRPVPN authentication pre-shared-secret '<secretkey>'
+ set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
+ set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
+ set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
+
+Cisco IOS Spoke
+^^^^^^^^^^^^^^^
+
+This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and
+VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux).
+
+.. code-block:: sh
+
+ Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3)
+ Technical Support: http://www.cisco.com/techsupport
+ Copyright (c) 1986-2014 by Cisco Systems, Inc.
+ Compiled Fri 12-Sep-14 10:45 by prod_rel_team
+
+ ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)
+
+Use this configuration on your Cisco device:
+
+.. code-block:: sh
+
+ crypto pki token default removal timeout 0
+ crypto keyring DMVPN
+ pre-shared-key address 1.2.3.4 key <secretkey>
+ !
+ crypto isakmp policy 10
+ encr aes 256
+ authentication pre-share
+ group 2
+ !
+ crypto isakmp invalid-spi-recovery
+ crypto isakmp keepalive 30 30 periodic
+ crypto isakmp profile DMVPN
+ keyring DMVPN
+ match identity address 11.22.33.44 255.255.255.255
+ !
+ crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
+ mode transport
+ !
+ crypto ipsec profile DMVPN
+ set security-association idle-time 720
+ set transform-set DMVPN-AES256
+ !
+ interface Tunnel10
+ description Tunnel to DMVPN HUB
+ ip address 172.16.253.129 255.255.255.248
+ no ip redirects
+ ip nhrp authentication <nhrp secret key>
+ ip nhrp map multicast 11.22.33.44
+ ip nhrp map 172.16.253.134 11.22.33.44
+ ip nhrp network-id 1
+ ip nhrp holdtime 600
+ ip nhrp nhs 172.16.253.134
+ ip nhrp registration timeout 75
+ tunnel source Dialer1
+ tunnel mode gre multipoint
+ tunnel key 1
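Review bot: the hub example offers legacy cryptography that readers will copy as-is: ``esp-group ESP-HUB proposal 2`` uses ``encryption '3des'`` with ``hash 'md5'``, PFS and both IKE proposals use DH group 2, and the key exchange is ``ikev1`` with SHA-1. Since the spoke only uses ``esp-aes 256 esp-sha-hmac``, proposal 2 can be dropped without affecting the verified setup, and a short note should tell readers that group 2 and SHA-1 are there for compatibility with the IOS 15.1 spoke and should be raised where both ends allow. The spoke keyring uses ``pre-shared-key address 1.2.3.4`` while every other reference to the hub (``local-ip``, ``match identity address``, ``ip nhrp map``) is 11.22.33.44; make the peer address consistent. The NHRP timers also differ (``holding-time '300'`` on the hub, ``ip nhrp holdtime 600`` on the spoke), and ESP is ``mode 'tunnel'`` on the hub but ``mode transport`` on the spoke; if both are intentional, say so in the text. "infomration" should be "information".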
diff --git a/docs/appendix/examples/index.rst b/docs/appendix/examples/index.rst
new file mode 100644
index 00000000..c6e10eeb
--- /dev/null
+++ b/docs/appendix/examples/index.rst
@@ -0,0 +1,13 @@
+.. _examples:
+
+Configuration Examples
+======================
+
+This chapter contains various configuration Examples
+
+
+.. toctree::
+ :maxdepth: 2
+
+ dmvpn
+ zone-policy
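Review bot: style only, on the body sentence "This chapter contains various configuration Examples": lower-case "examples" and end the sentence with a period, to match the other index page in this patch.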
diff --git a/docs/appendix/examples/zone-policy.rst b/docs/appendix/examples/zone-policy.rst
new file mode 100644
index 00000000..d159d02d
--- /dev/null
+++ b/docs/appendix/examples/zone-policy.rst
@@ -0,0 +1,379 @@
+.. _examples-zone-policy:
+
+Zone-Policy example
+-------------------
+
+Native IPv4 and IPv6
+^^^^^^^^^^^^^^^^^^^^
+
+We have three networks.
+
+.. code-block:: sh
+
+ WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64
+ LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64
+ DMZ - 192.168.200.0/24, 2001:0DB8:0:BBBB::0/64
+
+
+This specific example is for a router on a stick, but is very easily adapted
+for however many NICs you have.
+
+[http://imgur.com/Alz1J.png Topology Image]
+
+The VyOS interface is assigned the .1/:1 address of their respective networks.
+WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30.
+
+It will look something like this:
+
+.. code-block:: sh
+
+ interfaces {
+ ethernet eth0 {
+ duplex auto
+ hw-id 00:0c:29:6e:2a:92
+ smp_affinity auto
+ speed auto
+ vif 10 {
+ address 172.16.10.1/24
+ address 2001:db8:0:9999::1/64
+ }
+ vif 20 {
+ address 192.168.100.1/24
+ address 2001:db8:0:AAAA::1/64
+ }
+ vif 30 {
+ address 192.168.200.1/24
+ address 2001:db8:0:BBBB::1/64
+ }
+ }
+ loopback lo {
+ }
+ }
+
+
+Zones Basics
+^^^^^^^^^^^^
+
+Each interface is assigned to a zone. The interface can be physical or virtual
+such as tunnels (VPN, pptp, gre, etc) and are treated exactly the same.
+
+Traffic flows from zone A to zone B. That flow is what I refer to as a
+zone-pair-direction. eg. A->B and B->A are two zone-pair-destinations.
+
+Ruleset are created per zone-pair-direction.
+
+I name rule sets to indicate which zone-pair-direction they represent. eg.
+ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN.
+
+In VyOS, you have to have unique Ruleset names. In the event of overlap, I
+add a "-6" to the end of v6 rulesets. eg. LAN-DMZ, LAN-DMZ-6. This allows for
+each auto-completion and uniqueness.
+
+In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is the
+firewall itself.
+
+If your computer is on the LAN and you need to SSH into your VyOS box, you
+would need a rule to allow it in the LAN-Local ruleset. If you want to access
+a webpage from your VyOS box, you need a rule to allow it in the Local-LAN
+ruleset.
+
+In rules, it is good to keep them named consistently. As the number of rules
+you have grows, the more consistency you have, the easier your life will be.
+
+.. code-block:: sh
+
+ Rule 1 - State Established, Related
+ Rule 2 - State Invalid
+ Rule 100 - ICMP
+ Rule 200 - Web
+ Rule 300 - FTP
+ Rule 400 - NTP
+ Rule 500 - SMTP
+ Rule 600 - DNS
+ Rule 700 - DHCP
+ Rule 800 - SSH
+ Rule 900 - IMAPS
+
+The first two rules are to deal with the idiosyncrasies of VyOS and iptables.
+
+Zones and Rulesets both have a default action statement. When using
+Zone-Policies, the default action is set by the zone-policy statement and is
+represented by rule 10000.
+
+It is good practice to log both accepted and denied traffic. It can save you
+significant headaches when trying to troubleshoot a connectivity issue.
+
+To add logging to the default rule, do:
+
+.. code-block:: sh
+
+ set firewall name <ruleSet> enable-default-log
+
+
+By default, iptables does not allow traffic for established session to return,
+so you must explicitly allow this. I do this by adding two rules to every
+ruleset. 1 allows established and related state packets through and rule 2
+drops and logs invalid state packets. We place the established/related rule at
+the top because the vast majority of traffic on a network is established and
+the invalid rule to prevent invalid state packets from mistakenly being matched
+against other rules. Having the most matched rule listed first reduces CPU load
+in high volume environments. Note: I have filed a bug to have this added as a
+default action as well.
+
+''It is important to note, that you do not want to add logging to the
+established state rule as you will be logging both the inbound and outbound
+packets for each session instead of just the initiation of the session.
+Your logs will be massive in a very short period of time.''
+
+In VyOS you must have the interfaces created before you can apply it to the
+zone and the rulesets must be created prior to applying it to a zone-policy.
+
+I create/configure the interfaces first. Build out the rulesets for each
+zone-pair-direction which includes at least the three state rules. Then I setup
+the zone-policies.
+
+Zones do not allow for a default action of accept; either drop or reject.
+It is important to remember this because if you apply an interface to a zone
+and commit, any active connections will be dropped. Specifically, if you are
+SSH’d into VyOS and add local or the interface you are connecting through to a
+zone and do not have rulesets in place to allow SSH and established sessions,
+you will not be able to connect.
+
+The following are the rules that were created for this example
+(may not be complete), both in IPv4 and IPv6. If there is no IP specified,
+then the source/destination address is not explicit.
+
+.. code-block:: sh
+
+ WAN – DMZ:192.168.200.200 – tcp/80
+ WAN – DMZ:192.168.200.200 – tcp/443
+ WAN – DMZ:192.168.200.200 – tcp/25
+ WAN – DMZ:192.168.200.200 – tcp/53
+ WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/80
+ WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/443
+ WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/25
+ WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/53
+
+ DMZ - Local - tcp/53
+ DMZ - Local - tcp/123
+ DMZ - Local - tcp/67,68
+
+ LAN - Local - tcp/53
+ LAN - Local - tcp/123
+ LAN - Local - tcp/67,68
+ LAN:192.168.100.10 - Local - tcp/22
+ LAN:2001:0DB8:0:AAAA::10 - Local - tcp/22
+
+ LAN - WAN - tcp/80
+ LAN - WAN - tcp/443
+ LAN - WAN - tcp/22
+ LAN - WAN - tcp/20,21
+
+ DMZ - WAN - tcp/80
+ DMZ - WAN - tcp/443
+ DMZ - WAN - tcp/22
+ DMZ - WAN - tcp/20,21
+ DMZ - WAN - tcp/53
+ DMZ - WAN - udp/53
+
+ Local - WAN - tcp/80
+ Local - WAN - tcp/443
+ Local - WAN - tcp/20,21
+
+ Local - DMZ - tcp/25
+ Local - DMZ - tcp/67,68
+ Local - DMZ - tcp/53
+ Local - DMZ - udp/53
+
+ Local - LAN - tcp/67,68
+
+ LAN - DMZ - tcp/80
+ LAN - DMZ - tcp/443
+ LAN - DMZ - tcp/993
+ LAN:2001:0DB8:0:AAAA::10 - DMZ:2001:0DB8:0:BBBB::200 - tcp/22
+ LAN:192.168.100.10 - DMZ:192.168.200.200 - tcp/22
+
+Since we have 4 zones, we need to setup the following rulesets.
+
+.. code-block:: sh
+
+ Lan-wan
+ Lan-local
+ Lan-dmz
+ Wan-lan
+ Wan-local
+ Wan-dmz
+ Local-lan
+ Local-wan
+ Local-dmz
+ Dmz-lan
+ Dmz-wan
+ Dmz-local
+
+Even if the two zones will never communicate, it is a good idea to create the
+zone-pair-direction rulesets and set enable-default-log. This will allow you to
+log attempts to access the networks. Without it, you will never see the
+connection attempts.
+
+This is an example of the three base rules.
+
+.. code-block:: sh
+
+ name wan-lan {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ }
+
+
+Here is an example of an IPv6 DMZ-WAN ruleset.
+
+.. code-block:: sh
+
+ ipv6-name dmz-wan-6 {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ rule 100 {
+ action accept
+ log enable
+ protocol ipv6-icmp
+ }
+ rule 200 {
+ action accept
+ destination {
+ port 80,443
+ }
+ log enable
+ protocol tcp
+ }
+ rule 300 {
+ action accept
+ destination {
+ port 20,21
+ }
+ log enable
+ protocol tcp
+ }
+ rule 500 {
+ action accept
+ destination {
+ port 25
+ }
+ log enable
+ protocol tcp
+ source {
+ address 2001:db8:0:BBBB::200
+ }
+ }
+ rule 600 {
+ action accept
+ destination {
+ port 53
+ }
+ log enable
+ protocol tcp_udp
+ source {
+ address 2001:db8:0:BBBB::200
+ }
+ }
+ rule 800 {
+ action accept
+ destination {
+ port 22
+ }
+ log enable
+ protocol tcp
+ }
+ }
+
+Once you have all of your rulesets built, then you need to create your
+zone-policy.
+
+Start by setting the interface and default action for each zone.
+
+.. code-block:: sh
+
+ set zone-policy zone dmz default-action drop
+ set zone-policy zone dmz interface eth0.30
+
+In this case, we are setting the v6 ruleset that represents traffic sourced
+from the LAN, destined for the DMZ.
+Because the zone-policy firewall syntax is a little awkward, I keep it straight
+by thinking of it backwards.
+
+ set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6
+
+dmz-lan policy is lan-dmz. You can get a rhythm to it when you build out a bunch at one time.
+
+In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is.
+== IPv6 Tunnel ==
+
+If you are using a IPv6 tunnel from HE.net or someone else, the basis is the same except you have two WAN interface. One for v4 and one for v6.
+
+You would have 5 zones instead of just 4 and you would configure your v6 ruleset between your tunnel interface and your LAN/DMZ zones instead of to the WAN.
+
+LAN, WAN, DMZ, local and TUN (tunnel)
+
+v6 pairs would be:
+
+.. code-block:: sh
+
+ lan-tun
+ lan-local
+ lan-dmz
+ tun-lan
+ tun-local
+ tun-dmz
+ local-lan
+ local-tun
+ local-dmz
+ dmz-lan
+ dmz-tun
+ dmz-local
+
+Notice, none go to WAN since WAN wouldn't have a v6 address on it.
+
+You would have to add a couple of rules on your wan-local ruleset to allow protocol 41 in.
+
+Something like:
+
+.. code-block:: sh
+
+ rule 400 {
+ action accept
+ destination {
+ address 172.16.10.1
+ }
+ log enable
+ protocol 41
+ source {
+ address ip.of.tunnel.broker
+ }
+ }
+
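Review bot: The ipv6-name dmz-wan-6 example never closes rule 2: after the state { invalid enable } block the next line is already "rule 100 {", so the braces are unbalanced and rules 100 to 800 read as if nested inside the invalid-state drop rule; add the missing "}" before rule 100. In the rule list, NTP and DHCP are written as tcp/123 and tcp/67,68 (DMZ - Local, LAN - Local, Local - DMZ, Local - LAN); both services run over UDP, so rules built from this table would not match that traffic. DNS is likewise listed as tcp/53 only for WAN - DMZ, DMZ - Local and LAN - Local, while DMZ - WAN and Local - DMZ carry both tcp/53 and udp/53. The text promises "the three base rules" and "at least the three state rules", but the wan-lan example and the earlier paragraph ("adding two rules to every ruleset") show two, rule 1 and rule 2. Leftover wiki markup will not render in Sphinx: "[http://imgur.com/Alz1J.png Topology Image]", the ''...'' around the logging warning, and "== IPv6 Tunnel ==", which is also glued to the preceding paragraph with no blank line. The "set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6" line needs its own code-block directive, and the paragraph ending "something like this config" is followed by no config. Wording: "zone-pair-destinations" should be "zone-pair-directions", and "each auto-completion" looks like it was meant to be "easy auto-completion".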
diff --git a/docs/appendix/releasenotes.rst b/docs/appendix/releasenotes.rst
new file mode 100644
index 00000000..a2d9616e
--- /dev/null
+++ b/docs/appendix/releasenotes.rst
@@ -0,0 +1,50 @@
+.. _releasenotes:
+
+Release notes
+#############
+
+1.2 (Crux)
+==========
+
+1.2.1
+-----
+
+VyOS 1.2.1 is a maintenance release made in April 2019.
+
+Resolved issues
+^^^^^^^^^^^^^^^
+
+* Package updates: kernel 4.19.32, open-vm-tools 10.3, latest Intel NIC drivers.
+* The kernel now includes drivers for various USB serial adapters, which allows people to add a serial console to a machine without onboard RS232, or connect to something else from the router (`T1326 <https://phabricator.vyos.net/T1326>`_).
+* The collection of network card firmware is now much more extensive.
+* VRRP now correctly uses a virtual rather than physical MAC addresses in the RFC-compliant mode (`T1271 <https://phabricator.vyos.net/T1271>`_).
+* DHCP WPAD URL option works correctly again (`T1330 <https://phabricator.vyos.net/T1330>`_)
+* Many to many NAT rules now can use source/destination and translation networks of non-matching size (`T1312 <https://phabricator.vyos.net/T1312>`_). If 1:1 network bits translation is desired, it’s now user’s responsibility to check if prefix length matches.
+* IPv6 network prefix translation is fixed (`T1290 <https://phabricator.vyos.net/T1290>`_).
+* Non-alphanumeric characters such as “>” can now be safely used in PPPoE passwords (`T1308 <https://phabricator.vyos.net/T1308>`_).
+* “show | commands” no longer fails when a config section ends with a leaf node such as “timezone” in “show system | commands” (`T1305 <https://phabricator.vyos.net/T1305>`_).
+* “show | commands” correctly works in config mode now (`T1235 <https://phabricator.vyos.net/T1235>`_).
+* VTI is now compatible with the DHCP-interface IPsec option (`T1298 <https://phabricator.vyos.net/T1298>`_).
+* “show dhcp server statistics” command was broken in latest Crux (`T1277 <https://phabricator.vyos.net/T1277>`_).
+* An issue with TFTP server refusing to listen on addresses other than loopback was fixed (`T1261 <https://phabricator.vyos.net/T1261>`_).
+* Template issue that might cause UDP broadcast relay fail to start is fixed (`T1224 <https://phabricator.vyos.net/T1224>`_).
+* VXLAN value validation is improved (`T1067 <https://phabricator.vyos.net/T1067>`_).
+* Blank hostnames in DHCP updates no longer can crash DNS forwarding (`T1211 <https://phabricator.vyos.net/T1211>`_).
+* Correct configuration is now generated for DHCPv6 relays with more than one upstream interface (`T1322 <https://phabricator.vyos.net/T1322>`_).
+* “relay-agents-packets” option works correctly now (`T1234 <https://phabricator.vyos.net/T1234>`_).
+* Dynamic DNS data is now cleaned on configuration change (`T1231 <https://phabricator.vyos.net/T1231>`_).
+* Remote Syslog can now use a fully qualified domain name (`T1282 <https://phabricator.vyos.net/T1282>`_).
+* ACPI power off works again (`T1279 <https://phabricator.vyos.net/T1279>`_).
+* Negation in WAN load balancing rules works again (`T1247 <https://phabricator.vyos.net/T1247>`_).
+* FRR’s staticd now starts on boot correctly (`T1218 <https://phabricator.vyos.net/T1218>`_).
+* The installer now correctly detects SD card devices (`T1296 <https://phabricator.vyos.net/T1296>`_).
+* Wireguard peers can be disabled now (`T1225 <https://phabricator.vyos.net/T1225>`_).
+* The issue with wireguard interfaces impossible to delete is fixed (`T1217 <https://phabricator.vyos.net/T1217>`_).
+* Unintended IPv6 access is fixed in SNMP configuration (`T1160 <https://phabricator.vyos.net/T1160>`_).
+* It’s now possible to exclude hosts from the transparent web proxy (`T1060 <https://phabricator.vyos.net/T1060>`_).
+* An issue with rules impossible to delete from the zone-based firewall is fixed (`T484 <https://phabricator.vyos.net/T484>`_).
+
+Earlier releases
+================
+
+See `the wiki <https://wiki.vyos.net/wiki/1.2.0/release_notes>`_.
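Review bot: Two entries in the "Resolved issues" list are more than bug fixes and deserve to stand out. "Unintended IPv6 access is fixed in SNMP configuration" (T1160) is the only item that describes an exposure, yet it sits unmarked near the bottom; consider moving it up or adding a clause on what was reachable so operators reading for upgrade urgency see it. The many-to-many NAT entry (T1312) ends with "it’s now user’s responsibility to check if prefix length matches", which is a behaviour change the operator must act on and is easy to miss under this heading. Style: commands are wrapped in curly quotes (“show | commands”, “relay-agents-packets”) where the rest of the docs use double-backtick literals, the T1330 bullet is the only one without a closing period, "a virtual rather than physical MAC addresses" mixes singular and plural, and "Wireguard" and "wireguard" are both used in adjacent bullets.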
diff --git a/docs/appendix/troubleshooting.rst b/docs/appendix/troubleshooting.rst
new file mode 100644
index 00000000..e5b9b7a9
--- /dev/null
+++ b/docs/appendix/troubleshooting.rst
@@ -0,0 +1,341 @@
+.. _troubleshooting:
+
+Troubleshooting
+===============
+
+Sometimes things break or don't work as expected. This section describes
+several troubleshooting tools provided by VyOS that can help when something
+goes wrong.
+
+Basic Connectivity Verification
+-------------------------------
+
+Verifying connectivity can be done with the familiar `ping` and `traceroute`
+commands. The options for each are shown (the options for each command were
+displayed using the built-in help as described in the :ref:`cli`
+section and are omitted from the output here):
+
+.. code-block:: sh
+
+ vyos@vyos:~$ ping
+ Possible completions:
+ <hostname> Send Internet Control Message Protocol (ICMP) echo request
+ <x.x.x.x>
+ <h:h:h:h:h:h:h:h>
+
+Several options are available when more extensive troubleshooting is needed:
+
+.. code-block:: sh
+
+ vyos@vyos:~$ ping 8.8.8.8
+ Possible completions:
+ <Enter> Execute the current command
+ adaptive Ping options
+ allow-broadcast
+ audible
+ bypass-route
+ count
+ deadline
+ flood
+ interface
+ interval
+ mark
+ no-loopback
+ numeric
+ pattern
+ quiet
+ record-route
+ size
+ timestamp
+ tos
+ ttl
+ verbose
+
+.. code-block:: sh
+
+ vyos@vyos:~$ traceroute
+ Possible completions:
+ <hostname> Track network path to specified node
+ <x.x.x.x>
+ <h:h:h:h:h:h:h:h>
+ ipv4 Track network path to <hostname|IPv4 address>
+ ipv6 Track network path to <hostname|IPv6 address>
+
+However, another tool, mtr_, is available which combines ping and traceroute
+into a single tool. An example of its output is shown:
+
+.. code-block:: sh
+
+ vyos@vyos:~$ mtr 10.62.212.12
+
+ My traceroute [v0.85]
+ vyos (0.0.0.0)
+ Keys: Help Display mode Restart statistics Order of fields quit
+ Packets Pings
+ Host Loss% Snt Last Avg Best Wrst StDev
+ 1. 10.11.110.4 0.0% 34 0.5 0.5 0.4 0.8 0.1
+ 2. 10.62.255.184 0.0% 34 1.1 1.0 0.9 1.4 0.1
+ 3. 10.62.255.71 0.0% 34 1.4 1.4 1.3 2.0 0.1
+ 4. 10.62.212.12 0.0% 34 1.6 1.6 1.6 1.7 0.0
+
+.. note:: The output of ``mtr`` consumes the screen and will replace your
+ command prompt.
+
+Several options are available for changing the display output. Press `h` to
+invoke the built in help system. To quit, just press `q` and you'll be returned
+to the VyOS command prompt.
+
+Monitoring
+----------
+
+Network Interfaces
+^^^^^^^^^^^^^^^^^^
+
+It's possible to monitor network traffic, either at the flow level or protocol
+level. This can be useful when troubleshooting a variety of protocols and
+configurations. The following interface types can be monitored:
+
+.. code-block:: sh
+
+ vyos@vyos:~$ monitor interfaces
+ Possible completions:
+ <Enter> Execute the current command
+ bonding Monitor a bonding interface
+ bridge Monitor a bridge interface
+ ethernet Monitor a ethernet interface
+ loopback Monitor a loopback interface
+ openvpn Monitor an openvpn interface
+ pppoe Monitor pppoe interface
+ pseudo-ethernet
+ Monitor a pseudo-ethernet interface
+ tunnel Monitor a tunnel interface
+ vrrp Monitor a vrrp interface
+ vti Monitor a vti interface
+ wireless Monitor wireless interface
+
+To monitor traffic flows, issue the :code:`monitor interfaces <type> <name> flow`
+command, replacing `<type>` and `<name>` with your desired interface type and
+name, respectively. Output looks like the following:
+
+.. code-block:: sh
+
+ 12.5Kb 25.0Kb 37.5Kb 50.0Kb 62.5Kb
+ ????????????????????????????????????????????????????????????????????????????????????????????????????
+ 10.11.111.255 => 10.11.110.37 0b 0b 0b
+ <= 624b 749b 749b
+ 10.11.110.29 => 10.62.200.11 0b 198b 198b
+ <= 0b 356b 356b
+ 255.255.255.255 => 10.11.110.47 0b 0b 0b
+ <= 724b 145b 145b
+ 10.11.111.255 => 10.11.110.47 0b 0b 0b
+ <= 724b 145b 145b
+ 10.11.111.255 => 10.11.110.255 0b 0b 0b
+ <= 680b 136b 136b
+ ????????????????????????????????????????????????????????????????????????????????????????????????????
+ TX: cumm: 26.7KB peak: 40.6Kb rates: 23.2Kb 21.4Kb 21.4Kb
+ RX: 67.5KB 63.6Kb 54.6Kb 54.0Kb 54.0Kb
+ TOTAL: 94.2KB 104Kb 77.8Kb 75.4Kb 75.4Kb
+
+Several options are available for changing the display output. Press `h` to
+invoke the built in help system. To quit, just press `q` and you'll be returned
+to the VyOS command prompt.
+
+To monitor interface traffic, issue the :code:`monitor interfaces <type> <name>
+traffic` command, replacing `<type>` and `<name>` with your desired interface
+type and name, respectively. This command invokes the familiar tshark_ utility
+and the following options are available:
+
+.. code-block:: sh
+
+ vyos@vyos:~$ monitor interfaces ethernet eth0 traffic
+ Possible completions:
+ <Enter> Execute the current command
+ detail Monitor detailed traffic for the specified ethernet interface
+ filter Monitor filtered traffic for the specified ethernet interface
+ save Save monitored traffic to a file
+ unlimited Monitor traffic for the specified ethernet interface
+
+To quit monitoring, press `Ctrl-c` and you'll be returned to the VyOS command
+prompt. The `detail` keyword provides verbose output of the traffic seen on
+the monitored interface. The `filter` keyword accepts valid `PCAP filter
+expressions`_, enclosed in single or double quotes (e.g. "port 25" or "port 161
+and udp"). The `save` keyword allows you to save the traffic dump to a file.
+The `unlimited` keyword is used to specify that an unlimited number of packets
+can be captured (by default, 1,000 packets are captured and you're returned to
+the VyOS command prompt).
+
+Interface Bandwith
+^^^^^^^^^^^^^^^^^^
+
+to take a quick view on the used bandwith of an interface use the ``monitor bandwith`` command
+
+.. code-block:: sh
+
+ vyos@vyos:~$ monitor bandwidth interface eth0
+
+show the following:
+
+.. code-block:: sh
+
+ eth0 bmon 3.5
+ Interfaces │ RX bps pps %│ TX bps pps %
+ >eth0 │ 141B 2 │ 272B 1
+ ───────────────────────────────┴───────────────────────┴────────────────────────────────────────────────────────────────
+ B (RX Bytes/second)
+ 198.00 .|....|.....................................................
+ 165.00 .|....|.....................................................
+ 132.00 ||..|.|.....................................................
+ 99.00 ||..|.|.....................................................
+ 66.00 |||||||.....................................................
+ 33.00 |||||||.....................................................
+ 1 5 10 15 20 25 30 35 40 45 50 55 60
+ KiB (TX Bytes/second)
+ 3.67 ......|.....................................................
+ 3.06 ......|.....................................................
+ 2.45 ......|.....................................................
+ 1.84 ......|.....................................................
+ 1.22 ......|.....................................................
+ 0.61 :::::||.....................................................
+ 1 5 10 15 20 25 30 35 40 45 50 55 60
+
+ ───────────────────────────────────────── Press d to enable detailed statistics ────────────────────────────────────────
+ ─────────────────────────────────────── Press i to enable additional information ───────────────────────────────────────
+ Wed Apr 3 14:46:59 2019 Press ? for help
+
+| Press ``d`` for more detailed informations or ``i`` for additional information.
+| To exit press ``q`` and than ``y``
+
+Interface performance
+^^^^^^^^^^^^^^^^^^^^^
+
+To take a look on the network bandwith between two nodes, the ``monitor bandwidth-test`` command is used to run iperf.
+
+.. code-block:: sh
+
+ vyos@vyos:~$ monitor bandwidth-test
+ Possible completions:
+ accept Wait for bandwidth test connections (port TCP/5001)
+ initiate Initiate a bandwidth test
+
+| The ``accept`` command open a listen iperf server on TCP Port 5001
+| The ``initiate`` command conncet to this server.
+
+.. code-block:: sh
+
+ vyos@vyos:~$ monitor bandwidth-test initiate
+ Possible completions:
+ <hostname> Initiate a bandwidth test to specified host (port TCP/5001)
+ <x.x.x.x>
+ <h:h:h:h:h:h:h:h>
+
+
+Monitor command
+^^^^^^^^^^^^^^^
+
+The ``monitor command`` command allows you to repeatedly run a command to view a continuously refreshed output.
+The command is run and output every 2 seconds, allowing you to monitor the output continuously without having to re-run the command. This can be useful to follow routing adjacency formation.
+
+.. code-block:: sh
+
+ vyos@router:~$ monitor command "show interfaces"
+
+Will clear the screen and show you the output of ``show interfaces`` every 2 seconds.
+
+.. code-block:: sh
+
+ Every 2.0s: /opt/vyatta/bin/vyatta-op-cmd-wrapper s... Sun Mar 26 02:49:46 2019
+
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address S/L Description
+ --------- ---------- --- -----------
+ eth0 192.168.1.1/24 u/u
+ eth0.5 198.51.100.4/24 u/u WAN
+ lo 127.0.0.1/8 u/u
+ ::1/128
+ vti0 172.32.254.2/30 u/u
+ vti1 172.32.254.9/30 u/u
+
+Clear Command
+-------------
+
+Sometimes you need to clear counters or statistics to troubleshoot better.
+
+To do this use the ``clear`` command in Operational mode.
+
+to clear the console output
+
+.. code-block:: sh
+
+ vyos@vyos:~$ clear console
+
+to clear interface counters
+
+.. code-block:: sh
+
+ # clear all interfaces
+ vyos@vyos:~$ clear interface ethernet counters
+ # clear specific interface
+ vyos@vyos:~$ clear interface ehternet eth0 counters
+
+The command follow the same logic as the ``set`` command in configuration mode.
+
+.. code-block:: sh
+
+ # clear all counters of a interface type
+ vyos@vyos:~$ clear interface <interface_type> counters
+ # clear counter of a interface in interface_type
+ vyos@vyos:~$ clear interface <interface_type> <interace_name> counters
+
+
+to clear counters on firewall rulesets or single rules
+
+.. code-block:: sh
+
+ vyos@vyos:~$ clear firewall name <ipv4 ruleset name> counters
+ vyos@vyos:~$ clear firewall name <ipv4 ruleset name> rule <rule#> counters
+
+ vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> counters
+ vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> rule <rule#> counters
+
+
+Basic System Information
+------------------------
+
+Boot steps
+^^^^^^^^^^
+
+VyOS 1.2.0+ uses `Debian Jessie`_ as the base Linux operating system.
+Jessie was the first version of Debian that uses `systemd`_ as the default init system.
+
+These are the boot steps for VyOS 1.2.0+
+
+1. The BIOS loads Grub (or isolinux for the Live CD)
+2. Grub then starts the Linux boot and loads the Linux Kernel ``/boot/vmlinuz``
+3. Kernel Launches Systemd ``/lib/systemd/systemd``
+4. Systemd loads the VyOS service file ``/lib/systemd/system/vyos-router.service``
+5. The service file launches the VyOS router init script ``/usr/libexec/vyos/init/vyos-router`` - this is part of the `vyatta-cfg`_ Debian package
+
+ 1. Starts FRR_ - successor to `GNU Zebra`_ and `Quagga`_
+
+ 2. Initialises the boot configuration file - copies over ``config.boot.default`` if there is no configuration
+ 3. Runs the configuration migration, if the configuration is for an older version of VyOS
+ 4. Runs The pre-config script, if there is one ``/config/scripts/vyos-preconfig-bootup.script``
+ 5. If the config file was upgraded, runs any post upgrade scripts ``/config/scripts/post-upgrade.d``
+ 6. Starts **rl-system** and **firewall**
+ 7. Mounts the ``/boot`` partition
+ 8. The boot configuration file is then applied by ``/opt/vyatta/sbin/vyatta-boot-config-loader /opt/vyatta/etc/config/config.boot``
+
+ 1. The config loader script writes log entries to ``/var/log/vyatta-config-loader.log``
+
+ 10. Runs ``telinit q`` to tell the init system to reload ``/etc/inittab``
+ 11. Finally it runs the post-config script ``/config/scripts/vyos-postconfig-bootup.script``
+
+.. _Quagga: http://www.quagga.net/
+.. _`GNU Zebra`: https://www.gnu.org/software/zebra/
+.. _FRR: https://frrouting.org/
+.. _vyatta-cfg: https://github.com/vyos/vyatta-cfg
+.. _systemd: _https://freedesktop.org/wiki/Software/systemd/
+.. _`Debian Jessie`: https://www.debian.org/releases/jessie/
+.. _mtr: http://www.bitwizard.nl/mtr/
+.. _tshark: https://www.wireshark.org/docs/man-pages/tshark.html
+.. _`PCAP filter expressions`: http://www.tcpdump.org/manpages/pcap-filter.7.html
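Review bot: Several commands in this page are misspelled in ways that fail when copied. The "Clear Command" section has "clear interface ehternet eth0 counters" and the placeholder "<interace_name>". The "Interface Bandwith" section names the command as ``monitor bandwith`` in prose while the example correctly uses "monitor bandwidth interface eth0"; the heading and "network bandwith" in the next section carry the same misspelling. The link target ".. _systemd: _https://freedesktop.org/wiki/Software/systemd/" has a stray underscore before the URL, so the `systemd`_ reference will not resolve to a valid address. In the boot steps, the sub-list runs 1 to 8, then a nested "1.", then 10 and 11, so there is no step 9. The two rows of "?" in the flow-monitor output are mis-encoded rule characters and should be restored or replaced with dashes. The "accept" mode of "monitor bandwidth-test" opens a listener on TCP/5001; since the zone-policy example in this same commit drops traffic to the local zone by default, a sentence on which ruleset has to permit that port for the duration of the test would help. Remaining typos: "conncet", "press ``q`` and than ``y``", "detailed informations", "The command follow", and lower-case sentence starts such as "to take a quick view" and "to clear the console output".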
diff --git a/docs/appendix/vyos-on-baremetal.rst b/docs/appendix/vyos-on-baremetal.rst
new file mode 100644
index 00000000..bda81116
--- /dev/null
+++ b/docs/appendix/vyos-on-baremetal.rst
@@ -0,0 +1,72 @@
+.. _vyosonbaremetal:
+
+Running on Bare Metal
+#####################
+
+Intel Atom C3000
+****************
+
+I opted to get one of the new Intel Atom C3000 CPUs to spawn VyOS on it.
+Running VyOS on an UEFI only device is supported as of VyOS release 1.2.
+
+Shopping Card
+-------------
+
+* 1x Supermicro CSE-505-203B (19" 1U chassis, inkl. 200W PSU)
+* 1x Supermicro MCP-260-00085-0B (I/O Shield for A2SDi-2C-HLN4F)
+* 1x Supermicro A2SDi-2C-HLN4F (Intel Atom C3338, 2C/2T, 4MB cache, Quad LAN with
+ Intel C3000 SoC 1GbE)
+* 1x Crucial CT4G4DFS824A (4GB DDR4 RAM 2400 MT/s, PC4-19200)
+* 1x SanDisk Ultra Fit 32GB (USB-A 3.0 SDCZ43-032G-G46 mass storage for OS)
+* 1x Supermicro MCP-320-81302-0B (optional FAN tray)
+
+Optional (10GE)
+---------------
+If you wan't to get additional ethernet ports or even 10GE connectivity
+the following optional parts will be required:
+
+* 1x Supermicro RSC-RR1U-E8 (Riser Card)
+* 1x Supermicro MCP-120-00063-0N (Riser Card Bracket)
+
+Latest VyOS rolling releases boot without any problem on this board. You also
+receive a nice IPMI interface realized with an ASPEED AST2400 BMC (no information
+about [OpenBMC](https://www.openbmc.org/)) so far on this motherboard.
+
+Pictures
+--------
+
+.. figure:: /_static/images/1u_vyos_back.jpg
+ :scale: 25 %
+ :alt: CSE-505-203B Back
+
+.. figure:: /_static/images/1u_vyos_front.jpg
+ :scale: 25 %
+ :alt: CSE-505-203B Front
+
+.. figure:: /_static/images/1u_vyos_front_open_1.jpg
+ :scale: 25 %
+ :alt: CSE-505-203B Open 1
+
+.. figure:: /_static/images/1u_vyos_front_open_2.jpg
+ :scale: 25 %
+ :alt: CSE-505-203B Open 2
+
+.. figure:: /_static/images/1u_vyos_front_open_3.jpg
+ :scale: 25 %
+ :alt: CSE-505-203B Open 3
+
+.. figure:: /_static/images/1u_vyos_front_10ge_open_1.jpg
+ :scale: 25 %
+ :alt: CSE-505-203B w/ 10GE Open 1
+
+.. figure:: /_static/images/1u_vyos_front_10ge_open_2.jpg
+ :scale: 25 %
+ :alt: CSE-505-203B w/ 10GE Open 2
+
+.. figure:: /_static/images/1u_vyos_front_10ge_open_3.jpg
+ :scale: 25 %
+ :alt: CSE-505-203B w/ 10GE Open 3
+
+.. figure:: /_static/images/1u_vyos_front_10ge_open_4.jpg
+ :scale: 25 %
+ :alt: CSE-505-203B w/ 10GE Open
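Review bot: The OpenBMC link in the paragraph under "Optional (10GE)" uses Markdown syntax, "[OpenBMC](https://www.openbmc.org/)", which reStructuredText prints literally; use `OpenBMC <https://www.openbmc.org/>`_ instead. The same sentence closes its parenthesis before "so far on this motherboard", which leaves the trailing words detached; move the closing parenthesis to the end or drop the parentheses. The "Optional (10GE)" heading has no blank line between its underline and the first paragraph, unlike the other headings in the file. Wording: "Shopping Card" should be "Shopping Cart", "wan't" should be "want", and "inkl." should be "incl.".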