Diffstat (limited to 'docs/appendix')
-rw-r--r-- | docs/appendix/commandtree/configmode.rst | 524 |
-rw-r--r-- | docs/appendix/commandtree/index.rst | 17 |
-rw-r--r-- | docs/appendix/commandtree/operationmode.rst | 444 |
-rw-r--r-- | docs/appendix/examples/azure-vpn-bgp.rst | 128 |
-rw-r--r-- | docs/appendix/examples/azure-vpn-dual-bgp.rst | 155 |
-rw-r--r-- | docs/appendix/examples/bgp-ipv6-unnumbered.rst | 171 |
-rw-r--r-- | docs/appendix/examples/dhcp-relay-through-gre-bridge.rst | 77 |
-rw-r--r-- | docs/appendix/examples/dmvpn.rst | 106 |
-rw-r--r-- | docs/appendix/examples/index.rst | 20 |
-rw-r--r-- | docs/appendix/examples/ospf-unnumbered.rst | 125 |
-rw-r--r-- | docs/appendix/examples/tunnelbroker-ipv6.rst | 151 |
-rw-r--r-- | docs/appendix/examples/wan-load-balancing.rst | 170 |
-rw-r--r-- | docs/appendix/examples/zone-policy.rst | 379 |
-rw-r--r-- | docs/appendix/migrate-from-vyatta.rst | 164 |
-rw-r--r-- | docs/appendix/releasenotes.rst | 358 |
-rw-r--r-- | docs/appendix/troubleshooting.rst | 385 |
-rw-r--r-- | docs/appendix/vyos-on-baremetal.rst | 380 |
-rw-r--r-- | docs/appendix/vyos-on-gns3.rst | 175 |
-rw-r--r-- | docs/appendix/vyos-on-vmware.rst | 32 |
19 files changed, 0 insertions, 3961 deletions
diff --git a/docs/appendix/commandtree/configmode.rst b/docs/appendix/commandtree/configmode.rst deleted file mode 100644 index d4148c22..00000000 --- a/docs/appendix/commandtree/configmode.rst +++ /dev/null 
@@ -1,524 +0,0 @@ -.. _commandtree_configmode: - -Configuration mode ------------------- - -.. code-block:: none - - confirm Confirm prior commit-confirm - comment Add comment to this configuration element - commit Commit the current set of changes - commit-confirm Commit the current set of changes with 'confirm' required - compare Compare configuration revisions - copy Copy a configuration element - delete Delete a configuration element - discard Discard uncommitted changes - edit Edit a sub-element - exit Exit from this configuration level - load Load configuration from a file and replace running configuration - loadkey Load user SSH key from a file - merge Load configuration from a file and merge running configuration - rename Rename a configuration element - rollback Rollback to a prior config revision (requires reboot) - run Run an operational-mode command - save Save configuration to a file - set Set the value of a parameter or create a new element - show Show the configuration (default values may be suppressed) - - -Confirm -^^^^^^^ - -The ``confirm`` command confirms the prior ``commit-confirm``. - -Comment -^^^^^^^ - -The ``comment`` commands allow you to insert a comment above the current configuration section. -The command cannot be used at the top of the configuration hierarchy, only on subsections. Comments needs to be commited, just like other config changes. - -To add a comment to a section, while being already at the proper section level: - -.. code-block:: none - - [edit <section>] - vyos@vyos# comment "Type Comment Here" - -To add a comment directly to a section, from the top or a higher section: - -.. code-block:: none - - [edit] - vyos@vyos# comment <section> "Type Comment Here" - -To remove a comment, add a blank comment to overwrite: - -.. code-block:: none - - [edit <section>] - vyos@vyos# comment "" - -Examples -******** - -To add a comment to the "interfaces" section: - -.. 
code-block:: none - - [edit] - vyos@vyos# edit interfaces - [edit interfaces] - vyos@vyos# comment "Here is a comment" - [edit interfaces] - vyos@vyos# commit - -The comment would then appear like this: - -.. code-block:: none - - [edit] - vyos@vyos# show - /* Here is a comment */ - interfaces { - ethernet eth0 { - [...] - - -An important thing to note is that since the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the ``show interfaces`` command would return starting after the "interfaces {" line, hiding the comment: - -.. code-block:: none - - [edit] - vyos@vyos# show interfaces - ethernet eth0 { - [...] - - -To add a comment to the interfaces section from the top: - -.. code-block:: none - - [edit] - vyos@vyos# comment interfaces "test" - - -The comment can be added to any node that already exists, even if it's multiple levels lower: - -.. code-block:: none - - [edit] - vyos@vyos# comment interfaces ethernet eth0 vif 222 address "Far down comment" - - -Commit -^^^^^^ - -The ``commit`` command commits the proposed changes to the configuration file. -Every changes done in the configuration session is only applied when the configuration is committed. To view the changes that will be applied, use the show command. -To discard the changes without committing, use the ``discard`` command. The ``commit`` command doesn't save the configuration, you need to manually use the ``save`` command. - -The confirm keyword can be added, see ``commit-confirm``. A comment can be entered, it will appear in the commit log. - -.. code-block:: none - - [edit] - vyos@vyos# commit - Possible completions: - <Enter> Commit working configuration - comment Comment for commit log - -Commit-confirm -^^^^^^^^^^^^^^ - -The ``commit-confirm`` command commits the proposed changes to the configuration file and starts a timer. 
-If the ``confirm`` command is not entered before the timer expiration, the configuration will be rolled back and VyOS will reboot. -The default timer value is 10 minutes, but a custom value can be entered. - -.. code-block:: none - - [edit] - vyos@vyos# commit-confirm - Possible completions: - <Enter> Commit, rollback/reboot in 10 minutes if no confirm - <N> Commit, rollback/reboot in N minutes if no confirm - comment Comment for commit log - - -Compare -^^^^^^^ - -VyOS maintains backups of previous configurations. To compare configuration revisions in configuration mode, use the compare command: - -.. code-block:: none - - [edit] - vyos@vyos# compare - Possible completions: - <Enter> Compare working & active configurations - saved Compare working & saved configurations - <N> Compare working with revision N - <N> <M> Compare revision N with M - - Revisions: - 0 2019-03-20 20:57:22 root by boot-config-loader - 1 2019-03-15 20:00:04 root by boot-config-loader - 2 2019-03-05 01:58:39 vyos by cli - 3 2019-03-05 01:54:59 vyos by cli - 4 2019-03-05 01:53:08 vyos by cli - 5 2019-03-05 01:52:21 vyos by cli - 6 2019-02-24 21:01:24 root by boot-config-loader - 7 2019-02-21 22:00:12 vyos by cli - 8 2019-02-21 21:56:49 vyos by cli - - -Copy -^^^^ - -The ``copy`` command allows you to copy a configuration object. - -Copy the configuration entrys from a firewall name WAN rule 1 to rule 2. - -.. code-block:: none - - [edit firewall name WAN] - vyos@vyos# show - rule 1 { - action accept - source { - address 10.1.0.0/24 - } - } - [edit firewall name WAN] - vyos@vyos# copy rule 1 to rule 2 - [edit firewall name WAN] - vyos@vyos# show - rule 1 { - action accept - source { - address 10.1.0.0/24 - } - } - +rule 2 { - + action accept - + source { - + address 10.1.0.0/24 - + } - +} - -Delete -^^^^^^ - -The ``delte`` command is to delete a configuration entry. - -This Example delete the hole ``service tftp-server`` section. - -.. 
code-block:: none - - delete service tftp-server - -Discard -^^^^^^^ - -The ``discard`` command removes all pending configuration changes. - -.. code-block:: none - - [edit] - vyos@vyos# discard - - Changes have been discarded - -Edit -^^^^ - -The ``edit`` command allows you to navigate down into the configuration tree. -To get back to an upper level, use the ``up`` command or use the ``top`` command to get back to the upper most level. -The ``[edit]`` text displays where the user is located in the configuration tree. - -.. code-block:: none - - [edit] - vyos@vyos# edit interfaces - [edit interfaces] - vyos@vyos# edit ethernet eth0 - [edit interfaces ethernet eth0] - -Exit -^^^^ - -The ``exit`` command exits the current configuration mode. If the current configuration level isn't the top-most, then the configuration level is put back to the top-most level. -If the configuration level is at the top-most level, then it exits the configuration mode and returns to operational mode. -The ``exit`` command cannot be used if uncommitted changes exists in the configuration file. To exit with uncommitted changes, you either need to use the ``exit discard`` command or you need to commit the changes before exiting. -The ``exit`` command doesn't save the configuration, only the ``save`` command does. A warning will be given when exiting with unsaved changes. Using the ``exit`` command in operational mode will logout the session. - - -Exiting from a configuration level: - - -.. code-block:: none - - [edit interfaces ethernet eth0] - vyos@vyos# exit - [edit] - vyos@vyos# - -Exiting from configuration mode: - -.. code-block:: none - - [edit] - vyos@vyos# exit - exit - vyos@vyos:~$ - -Exiting from operational mode: - -.. code-block:: none - - vyos@vyos:~$ exit - logout - -Error message when trying to exit with uncommitted changes: - -.. code-block:: none - - vyos@vyos# exit - Cannot exit: configuration modified. - Use 'exit discard' to discard the changes and exit. 
- [edit] - vyos@vyos# - - -Warning message when exiting with unsaved changes: - -.. code-block:: none - - [edit] - vyos@vyos# exit - Warning: configuration changes have not been saved. - exit - vyos@vyos:~$ - -Load -^^^^ - -The ``load`` command load a configuration from a local or remote file. You have to be use ``commit`` to make the change active - -.. code-block:: none - - <Enter> Load from system config file - <file> Load from file on local machine - scp://<user>:<passwd>@<host>/<file> Load from file on remote machine - sftp://<user>:<passwd>@<host>/<file> Load from file on remote machine - ftp://<user>:<passwd>@<host>/<file> Load from file on remote machine - http://<host>/<file> Load from file on remote machine - https://<host>/<file> Load from file on remote machine - tftp://<host>/<file> Load from file on remote machine - - -.. code-block:: none - - [edit] - vyos@vyos# load - Loading configuration from '/config/config.boot'... - - Load complete. Use 'commit' to make changes active. - - -Loadkey -^^^^^^^^ - -Copies the content of a public key to the ~/.ssh/authorized_keys file. - -.. code-block:: none - - loadkey <username> [tab] - - <file> Load from file on local machine - scp://<user>@<host>/<file> Load from file on remote machine - sftp://<user>@<host>/<file> Load from file on remote machine - ftp://<user>@<host>/<file> Load from file on remote machine - http://<host>/<file> Load from file on remote machine - tftp://<host>/<file> Load from file on remote machine - -Merge -^^^^^ - -The ``merge`` command merge the config from a local or remote file with the running config. - -In the example below exist a ``default-firewall.config`` file with some common firewall rules you saved earlier. - -.. code-block:: none - - [edit] - vyos@vyos# show firewall - Configuration under specified path is empty - [edit] - vyos@vyos# merge default-firewall.config - Loading configuration from '/config/default-firewall.config'... - - Merge complete. 
Use 'commit' to make changes active. - [edit] - vyos@vyos# - - vyos@vyos# show firewall - +all-ping enable - +broadcast-ping disable - +config-trap disable - +ipv6-receive-redirects disable - +ipv6-src-route disable - +ip-src-route disable - +log-martians enable - +name WAN { - + default-action drop - + rule 1 { - + action accept - + source { - + address 10.1.0.0/24 - + } - + } - + rule 2 { - + action accept - + source { - + address 10.1.0.0/24 - + } - ...... - - -Rename -^^^^^^ - -The ``rename`` command allows you to rename or move a configuration object. - -See here how to move the configuration entrys from vlanid 3 to 2 - -.. code-block:: none - - [edit interfaces ethernet eth1] - vyos@vyos# show - duplex auto - hw-id 08:00:27:81:c6:59 - smp-affinity auto - speed auto - vif 3 { - address 10.4.4.4/32 - } - [edit interfaces ethernet eth1] - vyos@vyos# rename vif 3 to vif 2 - [edit interfaces ethernet eth1] - vyos@vyos# show - duplex auto - hw-id 08:00:27:81:c6:59 - smp-affinity auto - speed auto - +vif 2 { - + address 10.4.4.4/32 - +} - -vif 3 { - - address 10.4.4.4/32 - -} - [edit interfaces ethernet eth1] - vyos@vyos# - - -Rollback -^^^^^^^^ - -You can ``rollback`` configuration using the rollback command, however this command will currently trigger a system reboot. -Use the compare command to verify the configuration you want to rollback to. - -.. code-block:: none - - vyos@vyos# compare 1 - [edit system] - >host-name vyos-1 - [edit] - vyos@vyos# rollback 1 - Proceed with reboot? [confirm][y] - - Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2018): - - The system is going down for reboot NOW! - [edit] - vyos@vyos# - -Run -^^^ - -The ``run`` command allows you to execute any operational mode commands without exiting the configuration session. - -.. 
code-block:: none - - [edit] - vyos@vyos# run show interfaces - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 10.1.1.1/24 u/u - - -Save -^^^^ - -The ``save`` command saves the current configuration to non-volatile storage. VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP. - -.. code-block:: none - - <Enter> Save to system config file - <file> Save to file on local machine - scp://<user>:<passwd>@<host>/<file> Save to file on remote machine - sftp://<user>:<passwd>@<host>/<file> Save to file on remote machine - ftp://<user>:<passwd>@<host>/<file> Save to file on remote machine - tftp://<host>/<file> Save to file on remote machine - -Set -^^^ - -The ``set`` command create all configuration entrys - -.. code-block:: none - - [edit] - vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 - -Show -^^^^ - -The ``show`` command in the configuration mode displays the configuration and show uncommitted changes. - -Show the hole config, the address and description of eth1 is moving to vlan 2 if you commit the changes. - -.. code-block:: none - - [edit] - vyos@vyos# show - interfaces { - dummy dum0 { - address 10.3.3.3/24 - } - ethernet eth0 { - address dhcp - duplex auto - hw-id 08:00:27:2b:c0:0b - smp-affinity auto - speed auto - } - ethernet eth1 { - - address 10.1.1.1/32 - - description "MGMT Interface" - duplex auto - hw-id 08:00:27:81:c6:59 - smp-affinity auto - speed auto - + vif 2 { - + address 10.1.1.1/32 - + description "MGMT Interface" - + } - } - loopback lo { - } - } - service { - ssh { - port 22 - ......
\ No newline at end of file diff --git a/docs/appendix/commandtree/index.rst b/docs/appendix/commandtree/index.rst deleted file mode 100644 index c3bca008..00000000 --- a/docs/appendix/commandtree/index.rst +++ /dev/null @@ -1,17 +0,0 @@ -.. _commandtree: - -Command tree -============ - -See the the full Command tree in Operational mode and Configuration mode - - - -.. toctree:: - :maxdepth: 2 - :hidden: - - - operationmode - configmode - diff --git a/docs/appendix/commandtree/operationmode.rst b/docs/appendix/commandtree/operationmode.rst deleted file mode 100644 index 8092f248..00000000 --- a/docs/appendix/commandtree/operationmode.rst +++ /dev/null 
@@ -1,444 +0,0 @@ -.. _commandtree_operationmode: - -Operational mode ----------------- - -Operational mode allows for commands to perform operational system tasks and view system and service status. -After this is the first view after the login. -Please see :ref:`cli` for navigation in the CLI - - -.. code-block:: none - - - vyos@vyos:~$ [tab] - Possible completions: - add Add an object to a service - clear Clear system information - clone Clone an object - configure Enter configure mode - connect Establish a connection - copy Copy an object - delete Delete an object - disconnect Take down a connection - force Force an operation - format Format a device - generate Generate an object - install Install a new system - monitor Monitor system information - ping Send IPv4 or IPv6 ICMP (Internet Control Message Protocol) echo requests - poweroff Poweroff the system - reboot Reboot the system - release Release specified variable - rename Rename an object - renew Renew specified variable - reset Reset a service - restart Restart a service - set Set operational options - show Show system information - telnet Telnet to a node - traceroute Track network path to node - update Update data for a service - - -Add -^^^ - -.. code-block:: none - - raid Add a RAID set element - system Add an item to a system facility - -Clear -^^^^^ - -.. code-block:: none - - console Clear screen - firewall Clear firewall statistics - flow-accounting Clear flow accounting - interfaces Clear interface information - ip Clear Internet Protocol (IP) statistics or status - ipv6 Clear Internet Protocol (IPv6) statistics or status - nat Clear network address translation (NAT) tables - policy Clear policy statistics - - -Clone -^^^^^ -The ``clone`` command allows you to clone a configuration from a system image to another one, or from the running config to another system image. -To clone the running config to a system image: - -.. 
code-block:: none - - clone system config <system-image> from running - -To clone from system image A to system image B: - -.. code-block:: none - - clone system config <system-image-B> from <system-image-A> - - -Configure -^^^^^^^^^ - -The ``configure`` command allows you to enter configuration mode. - -.. code-block:: none - - vyos@vyos:~$ configure - [edit] - vyos@vyos# - - -Connect -^^^^^^^ - -The ``connect`` command allows you to bring up a connection oriented interface, like a pppoe interface. - -.. code-block:: none - - connect interface <interface> - -Copy -^^^^ - -The ``copy`` command allows you to copy a file to your running config or over images. - -It can look like this example: - -.. code-block:: none - - vyos@vyos:~$ copy file [tab] - Possible completions: - http://<user>:<passwd>@<host>/<file> - Copy files from specified source - scp://<user>:<passwd>@<host>/<file> - ftp://<user>:<passwd>@<host>/<file> - tftp://<host>/<file> - 1.2.0://config/ - 1.2.0-rolling+201902251818://config/ - 1.2.0-rolling+201902201040://config/ - 1.2.0-rolling+201902080337://config/ - 1.2.0-H4://config/ - running://config/ - - -To copy from file A to file B: - -.. code-block:: none - - copy <file A> to <file B> - - -Delete -^^^^^^ - -.. code-block:: none - - conntrack Delete Conntrack entries - file Delete files in a particular image - log Delete a log file - raid Remove a RAID set element - system Delete system objects - - -Disconnect -^^^^^^^^^^ - -The ``disconnect`` command allows you to take down a connection oriented interface, like a pppoe interface. - -.. code-block:: none - - disconnect interface <interface> - -Force -^^^^^ - -.. code-block:: none - - arp Send gratuitous ARP request or reply - cluster Force a cluster state transition - - -Format -^^^^^^ - -The ``format`` command allows you to format a disk the same way as another one. - -.. code-block:: none - - format disk <target> like <source> - -Generate -^^^^^^^^ - -.. 
code-block:: none - - openvpn OpenVPN key generation tool - ssh-server-key - Regenerate the host SSH keys and restart the SSH server - tech-support Generate tech-support archive - vpn VPN key generation utility - wireguard wireguard key generation utility - -Install -^^^^^^^ - -The ``install`` command allows you to install the system image on the disk. - -.. code-block:: none - - install image - - -Monitor -^^^^^^^ - -``monitor`` can be used to continually view what is happening on the router. - -.. code-block:: none - - bandwidth Monitor interface bandwidth in real time - bandwidth-test - Initiate or wait for bandwidth test - cluster Monitor clustering service - command Monitor an operational mode command (refreshes every 2 seconds) - conntrack-sync - Monitor conntrack-sync - content-inspection - Monitor Content-Inspection - dhcp Monitor Dynamic Host Control Protocol (DHCP) - dns Monitor a Domain Name Service (DNS) daemon - firewall Monitor Firewall - https Monitor the Secure Hypertext Transfer Protocol (HTTPS) service - lldp Monitor Link Layer Discovery Protocol (LLDP) daemon - log Monitor last lines of messages file - nat Monitor network address translation (NAT) - openvpn Monitor OpenVPN - protocol Monitor routing protocols - snmp Monitor Simple Network Management Protocol (SNMP) daemon - stop-all Stop all current background monitoring processes - traceroute Monitor the path to a destination in realtime - traffic Monitor traffic dumps - vpn Monitor VPN - vrrp Monitor Virtual Router Redundancy Protocol (VRRP) - webproxy Monitor Webproxy service - - -Ping -^^^^ - -The ``ping`` command allows you to send an ICMP-EchoRequest packet and display the ICMP-EchoReply received. - -.. code-block:: none - - <hostname> Send Internet Control Message Protocol (ICMP) echo request - <x.x.x.x> - <h:h:h:h:h:h:h:h> - - -Poweroff -^^^^^^^^ - -The ``poweroff`` command allows you to properly shut down the VyOS instance. Without any modifier, the command is executed immediately. - -.. 
code-block:: none - - <Enter> Execute the current command - at Poweroff at a specific time - cancel Cancel a pending poweroff - in Poweroff in X minutes - now Poweroff the system without confirmation - -Reboot -^^^^^^ -The ``reboot`` command allows you to properly restart the VyOS instance. Without any modifier, the command is executed immediately. - -.. code-block:: none - - <Enter> Execute the current command - at Poweroff at a specific time - cancel Cancel a pending poweroff - in Poweroff in X minutes - now Poweroff the system without confirmation - -Release -^^^^^^^ - -The ``release`` command allows you to release a DHCP or DHCPv6 lease. - -.. code-block:: none - - vyos@vyos:~$ release dhcp interface <int> - vyos@vyos:~$ release dhcpv6 interface <int> - - -Rename -^^^^^^ - -The ``rename`` command allows you to rename a system image. - -.. code-block:: none - - rename system image <currentname> <newname> - - -Renew -^^^^^ - -The ``renew`` command allows you to renew a DHCP or DHCPv6 lease. - -.. code-block:: none - - vyos@vyos:~$ renew dhcp interface <int> - vyos@vyos:~$ renew dhcpv6 interface <int> - -Reset -^^^^^ - -.. code-block:: none - - conntrack Reset all currently tracked connections - conntrack-sync - Reset connection syncing parameters - dns Reset a DNS service state - firewall reset a firewall group - ip Reset Internet Protocol (IP) parameters - ipv6 Reset Internet Protocol version 6 (IPv6) parameters - nhrp Clear/Purge NHRP entries - openvpn Reset OpenVPN - terminal Reset terminal - vpn Reset Virtual Private Network (VPN) information - -Restart -^^^^^^^ - -.. 
code-block:: none - - cluster Restart cluster node - conntrack-sync - Restart connection tracking synchronization service - dhcp Restart DHCP processes - dhcpv6 Restart DHCPv6 processes - dns Restart a DNS service - flow-accounting - Restart flow-accounting service - https Restart https server - vpn Restart IPsec VPN - vrrp Restart the VRRP (Virtual Router Redundancy Protocol) process - wan-load-balance - Restart WAN load balancing - webproxy Restart webproxy service - -Set -^^^ - -.. code-block:: none - - <OPTION> Bash builtin set command - console Control console behaviors - date Set system date and time - system Set system operational parameters - terminal Control terminal behaviors - -Show -^^^^ - -.. code-block:: none - - arp Show Address Resolution Protocol (ARP) information - bridge Show bridging information - cluster Show clustering information - configuration Show available saved configurations - conntrack Show conntrack entries in the conntrack table - conntrack-sync - Show connection syncing information - date Show system time and date - dhcp Show DHCP (Dynamic Host Configuration Protocol) information - dhcpv6 Show DHCPv6 (IPv6 Dynamic Host Configuration Protocol) information - disk Show status of disk device - dns Show DNS information - file Show files for a particular image - firewall Show firewall information - flow-accounting - Show flow accounting statistics - hardware Show system hardware details - history show command history - host Show host information - incoming Show ethernet input-policy information - interfaces Show network interface information - ip Show IPv4 routing information - ipv6 Show IPv6 routing information - license Show VyOS license information - lldp Show lldp - log Show contents of current master log file - login Show current login credentials - monitoring Show currently monitored services - nat Show Network Address Translation (NAT) information - nhrp Show NHRP info - ntp Show peer status of NTP daemon - openvpn Show OpenVPN 
information - policy Show policy information - poweroff Show scheduled poweroff - pppoe-server show pppoe-server status - queueing Show ethernet queueing information - raid Show statis of RAID set - reboot Show scheduled reboot - remote-config Show remote side config - route-map Show route-map information - snmp Show status of SNMP on localhost - system Show system information - system-integrity - checks the integrity of the system - table Show routing table - tech-support Show consolidated tech-support report (private information removed) - users Show user information - version Show system version information - vpn Show Virtual Private Network (VPN) information - vrrp Show VRRP (Virtual Router Redundancy Protocol) information - wan-load-balance - Show Wide Area Network (WAN) load-balancing information - webproxy Show webproxy information - wireguard Show wireguard properties - zone-policy Show summary of zone policy for a specific zone - -Telnet -^^^^^^ -In the past the ``telnet`` command allowed you to connect remotely to another device using the telnet protocol. -Telnet is unencrypted and should not use anymore. But its nice to test if an TCP Port to a host is open. - - -.. code-block:: none - - vyos@vyos:~$ telnet 192.168.1.3 443 - Trying 192.168.1.3... - telnet: Unable to connect to remote host: Network is unreachable - - vyos@vyos:~$ telnet 192.168.1.4 443 - Trying 192.168.1.4... - Connected to 192.168.1.4. - Escape character is '^]'. - -Traceroute -^^^^^^^^^^ - -The ``traceroute`` command allows you to trace the path taken to a particular device. - -.. code-block:: none - - <hostname> Track network path to specified node - <x.x.x.x> - <h:h:h:h:h:h:h:h> - ipv4 Track network path to <hostname|IPv4 address> - ipv6 Track network path to <hostname|IPv6 address> - - -Update -^^^^^^ - -.. code-block:: none - - dns Update DNS information - webproxy Update webproxy
\ No newline at end of file diff --git a/docs/appendix/examples/azure-vpn-bgp.rst b/docs/appendix/examples/azure-vpn-bgp.rst deleted file mode 100644 index 57f82396..00000000 --- a/docs/appendix/examples/azure-vpn-bgp.rst +++ /dev/null 
@@ -1,128 +0,0 @@ -.. _examples-azure-vpn-bgp: - -Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) ------------------------------------------------------------- - -This guide shows an example of a route-based IKEv2 site-to-site VPN to -Azure using VTI and BGP for dynamic routing updates. - -Prerequisites -^^^^^^^^^^^^^ - -- A pair of Azure VNet Gateways deployed in active-passive - configuration with BGP enabled. - -- A local network gateway deployed in Azure representing - the Vyos device, matching the below Vyos settings except for - address space, which only requires the Vyos private IP, in - this example 10.10.0.5/32 - -- A connection resource deployed in Azure linking the - Azure VNet gateway and the local network gateway representing - the Vyos device. - -Example -^^^^^^^ - -+---------------------------------------+---------------------+ -| WAN Interface | eth0 | -+---------------------------------------+---------------------+ -| On-premises address space | 10.10.0.0/16 | -+---------------------------------------+---------------------+ -| Azure address space | 10.0.0.0/16 | -+---------------------------------------+---------------------+ -| Vyos public IP | 198.51.100.3 | -+---------------------------------------+---------------------+ -| Vyos private IP | 10.10.0.5 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway public IP | 203.0.113.2 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway BGP IP | 10.0.0.4 | -+---------------------------------------+---------------------+ -| Pre-shared key | ch00s3-4-s3cur3-psk | -+---------------------------------------+---------------------+ -| Vyos ASN | 64499 | -+---------------------------------------+---------------------+ -| Azure ASN | 65540 | -+---------------------------------------+---------------------+ - -Vyos configuration -^^^^^^^^^^^^^^^^^^ - -- Configure the IKE and ESP settings to match a subset - of those supported by 
Azure: - -.. code-block:: none - - set vpn ipsec esp-group AZURE compression 'disable' - set vpn ipsec esp-group AZURE lifetime '3600' - set vpn ipsec esp-group AZURE mode 'tunnel' - set vpn ipsec esp-group AZURE pfs 'dh-group2' - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256' - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1' - - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart' - set vpn ipsec ike-group AZURE dead-peer-detection interval '15' - set vpn ipsec ike-group AZURE dead-peer-detection timeout '30' - set vpn ipsec ike-group AZURE ikev2-reauth 'yes' - set vpn ipsec ike-group AZURE key-exchange 'ikev2' - set vpn ipsec ike-group AZURE lifetime '28800' - set vpn ipsec ike-group AZURE proposal 1 dh-group '2' - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256' - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1' - -- Enable IPsec on eth0 - -.. code-block:: none - - set vpn ipsec ipsec-interfaces interface 'eth0' - -- Configure a VTI with a dummy IP address - -.. code-block:: none - - set interfaces vti vti1 address '10.10.1.5/32' - set interfaces vti vti1 description 'Azure Tunnel' - -- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. - -.. code-block:: none - - set firewall options interface vti1 adjust-mss 1350 - -- Configure the VPN tunnel - -.. 
code-block:: none - - set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' - set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' - set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' - -- **Important**: Add an interface route to reach Azure's BGP listener - -.. code-block:: none - - set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1 - -- Configure your BGP settings - -.. code-block:: none - - set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540' - set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' - set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30' - set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10' - -- **Important**: Disable connected check \ - -.. code-block:: none - - set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check diff --git a/docs/appendix/examples/azure-vpn-dual-bgp.rst b/docs/appendix/examples/azure-vpn-dual-bgp.rst deleted file mode 100644 index cbe9a4d9..00000000 --- a/docs/appendix/examples/azure-vpn-dual-bgp.rst +++ /dev/null 
@@ -1,155 +0,0 @@ -.. _examples-azure-vpn-dual-bgp: - -Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) ----------------------------------------------------------------------- - -This guide shows an example of a redundant (active-active) route-based IKEv2 -site-to-site VPN to Azure using VTI -and BGP for dynamic routing updates. - -Prerequisites -^^^^^^^^^^^^^ - -- A pair of Azure VNet Gateways deployed in active-passive - configuration with BGP enabled. - -- A local network gateway deployed in Azure representing - the Vyos device, matching the below Vyos settings except for - address space, which only requires the Vyos private IP, in - this example 10.10.0.5/32 - -- A connection resource deployed in Azure linking the - Azure VNet gateway and the local network gateway representing - the Vyos device. - -Example -^^^^^^^ - -+---------------------------------------+---------------------+ -| WAN Interface | eth0 | -+---------------------------------------+---------------------+ -| On-premises address space | 10.10.0.0/16 | -+---------------------------------------+---------------------+ -| Azure address space | 10.0.0.0/16 | -+---------------------------------------+---------------------+ -| Vyos public IP | 198.51.100.3 | -+---------------------------------------+---------------------+ -| Vyos private IP | 10.10.0.5 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway 1 public IP | 203.0.113.2 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway 2 public IP | 203.0.113.3 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway BGP IP | 10.0.0.4,10.0.0.5 | -+---------------------------------------+---------------------+ -| Pre-shared key | ch00s3-4-s3cur3-psk | -+---------------------------------------+---------------------+ -| Vyos ASN | 64499 | -+---------------------------------------+---------------------+ -| Azure ASN | 65540 | 
-+---------------------------------------+---------------------+ - -Vyos configuration -^^^^^^^^^^^^^^^^^^ - -- Configure the IKE and ESP settings to match a subset - of those supported by Azure: - -.. code-block:: none - - set vpn ipsec esp-group AZURE compression 'disable' - set vpn ipsec esp-group AZURE lifetime '3600' - set vpn ipsec esp-group AZURE mode 'tunnel' - set vpn ipsec esp-group AZURE pfs 'dh-group2' - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256' - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1' - - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart' - set vpn ipsec ike-group AZURE dead-peer-detection interval '15' - set vpn ipsec ike-group AZURE dead-peer-detection timeout '30' - set vpn ipsec ike-group AZURE ikev2-reauth 'yes' - set vpn ipsec ike-group AZURE key-exchange 'ikev2' - set vpn ipsec ike-group AZURE lifetime '28800' - set vpn ipsec ike-group AZURE proposal 1 dh-group '2' - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256' - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1' - -- Enable IPsec on eth0 - -.. code-block:: none - - set vpn ipsec ipsec-interfaces interface 'eth0' - -- Configure two VTIs with a dummy IP address each - -.. code-block:: none - - set interfaces vti vti1 address '10.10.1.5/32' - set interfaces vti vti1 description 'Azure Primary Tunnel' - - set interfaces vti vti2 address '10.10.1.6/32' - set interfaces vti vti2 description 'Azure Secondary Tunnel' - -- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. - -.. code-block:: none - - set firewall options interface vti1 adjust-mss 1350 - set firewall options interface vti2 adjust-mss 1350 - -- Configure the VPN tunnels - -.. 
code-block:: none - - set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' - set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' - set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' - - set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3' - set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2' - set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE' - -- **Important**: Add an interface route to reach both Azure's BGP listeners - -.. code-block:: none - - set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1 - set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2 - -- Configure your BGP settings - -.. 
code-block:: none - - set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540' - set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' - set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30' - set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10' - - set protocols bgp 64499 neighbor 10.0.0.5 remote-as '65540' - set protocols bgp 64499 neighbor 10.0.0.5 address-family ipv4-unicast soft-reconfiguration 'inbound' - set protocols bgp 64499 neighbor 10.0.0.5 timers holdtime '30' - set protocols bgp 64499 neighbor 10.0.0.5 timers keepalive '10' - -- **Important**: Disable connected check, otherwise the routes learned - from Azure will not be imported into the routing table. - -.. code-block:: none - - set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check - set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check diff --git a/docs/appendix/examples/bgp-ipv6-unnumbered.rst b/docs/appendix/examples/bgp-ipv6-unnumbered.rst deleted file mode 100644 index 283dcd45..00000000 --- a/docs/appendix/examples/bgp-ipv6-unnumbered.rst +++ /dev/null 
@@ -1,171 +0,0 @@ -.. _examples-bgp-ipv6-unnumbered: - -VyOS BGP ipv6 unnumbered with extended nexthop ----------------------------------------------- - -General infomration can be found in the :ref:`routing-bgp` chapter. - -Configuration -^^^^^^^^^^^^^ - -- Router A: - -.. code-block:: none - - set protocols bgp 65020 address-family ipv4-unicast redistribute connected - set protocols bgp 65020 address-family ipv6-unicast redistribute connected - set protocols bgp 65020 neighbor eth1 interface v6only - set protocols bgp 65020 neighbor eth1 interface v6only peer-group 'fabric' - set protocols bgp 65020 neighbor eth2 interface v6only - set protocols bgp 65020 neighbor eth2 interface v6only peer-group 'fabric' - set protocols bgp 65020 parameters bestpath as-path multipath-relax - set protocols bgp 65020 parameters bestpath compare-routerid - set protocols bgp 65020 parameters default no-ipv4-unicast - set protocols bgp 65020 parameters router-id '192.168.0.1' - set protocols bgp 65020 peer-group fabric address-family ipv4-unicast - set protocols bgp 65020 peer-group fabric address-family ipv6-unicast - set protocols bgp 65020 peer-group fabric capability extended-nexthop - set protocols bgp 65020 peer-group fabric remote-as 'external' - -- Router B: - -.. 
code-block:: none - - set protocols bgp 65021 address-family ipv4-unicast redistribute connected - set protocols bgp 65021 address-family ipv6-unicast redistribute connected - set protocols bgp 65021 neighbor eth1 interface v6only - set protocols bgp 65021 neighbor eth1 interface v6only peer-group 'fabric' - set protocols bgp 65021 neighbor eth2 interface v6only - set protocols bgp 65021 neighbor eth2 interface v6only peer-group 'fabric' - set protocols bgp 65021 parameters bestpath as-path multipath-relax - set protocols bgp 65021 parameters bestpath compare-routerid - set protocols bgp 65021 parameters default no-ipv4-unicast - set protocols bgp 65021 parameters router-id '192.168.0.2' - set protocols bgp 65021 peer-group fabric address-family ipv4-unicast - set protocols bgp 65021 peer-group fabric address-family ipv6-unicast - set protocols bgp 65021 peer-group fabric capability extended-nexthop - set protocols bgp 65021 peer-group fabric remote-as 'external' - -Results -^^^^^^^^^^^^^ - -- Router A: - -.. code-block:: none - - vyos@vyos:~$ show interfaces - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 62.104.XXX.XXX/24 u/u - eth1 - u/u - eth2 - u/u - lo 127.0.0.1/8 u/u - 192.168.0.1/32 - ::1/128 - -.. code-block:: none - - vyos@vyos:~$ show ip route - Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route - - S>* 0.0.0.0/0 [210/0] via 62.104.XXX.XXX, eth0, 03:21:53 - C>* 62.104.56.0/24 is directly connected, eth0, 03:21:53 - C>* 192.168.0.1/32 is directly connected, lo, 03:21:56 - B>* 192.168.0.2/32 [20/0] via fe80::a00:27ff:fe3b:7ed2, eth2, 00:05:07 - * via fe80::a00:27ff:fe7b:4000, eth1, 00:05:07 - -.. 
code-block:: none - - vyos@vyos:~$ ping 192.168.0.2 - PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data. - 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.575 ms - 64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.628 ms - 64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=0.581 ms - 64 bytes from 192.168.0.2: icmp_seq=4 ttl=64 time=0.682 ms - 64 bytes from 192.168.0.2: icmp_seq=5 ttl=64 time=0.597 ms - - --- 192.168.0.2 ping statistics --- - 5 packets transmitted, 5 received, 0% packet loss, time 4086ms - rtt min/avg/max/mdev = 0.575/0.612/0.682/0.047 ms - -.. code-block:: none - - vyos@vyos:~$ show ip bgp summary - - IPv4 Unicast Summary: - BGP router identifier 192.168.0.1, local AS number 65020 vrf-id 0 - BGP table version 4 - RIB entries 5, using 800 bytes of memory - Peers 2, using 41 KiB of memory - Peer groups 1, using 64 bytes of memory - - Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd - eth1 4 65021 13 13 0 0 0 00:05:33 2 - eth2 4 65021 13 14 0 0 0 00:05:29 2 - - Total number of neighbors 2 - -- Router B: - -.. code-block:: none - - vyos@vyos:~$ show interfaces - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 62.104.XXX.XXX/24 u/u - eth1 - u/u - eth2 - u/u - lo 127.0.0.1/8 u/u - 192.168.0.2/32 - ::1/128 - -.. code-block:: none - - vyos@vyos:~$ show ip route - Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route - - S>* 0.0.0.0/0 [210/0] via 62.104.XXX.XXX, eth0, 00:44:08 - C>* 62.104.56.0/24 is directly connected, eth0, 00:44:09 - B>* 192.168.0.1/32 [20/0] via fe80::a00:27ff:fe2d:205d, eth1, 00:06:18 - * via fe80::a00:27ff:fe93:e142, eth2, 00:06:18 - C>* 192.168.0.2/32 is directly connected, lo, 00:44:11 - -.. 
code-block:: none - - vyos@vyos:~$ ping 192.168.0.1 - PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. - 64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.427 ms - 64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.471 ms - 64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.782 ms - 64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=0.715 ms - - --- 192.168.0.1 ping statistics --- - 4 packets transmitted, 4 received, 0% packet loss, time 3051ms - rtt min/avg/max/mdev = 0.427/0.598/0.782/0.155 ms - -.. code-block:: none - - vyos@vyos:~$ show ip bgp summary - IPv4 Unicast Summary: - BGP router identifier 192.168.0.2, local AS number 65021 vrf-id 0 - BGP table version 4 - RIB entries 5, using 800 bytes of memory - Peers 2, using 41 KiB of memory - Peer groups 1, using 64 bytes of memory - - Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd - eth1 4 65020 14 14 0 0 0 00:06:40 2 - eth2 4 65020 14 14 0 0 0 00:06:37 2 - - Total number of neighbors 2 - diff --git a/docs/appendix/examples/dhcp-relay-through-gre-bridge.rst b/docs/appendix/examples/dhcp-relay-through-gre-bridge.rst deleted file mode 100644 index f94eb67f..00000000 --- a/docs/appendix/examples/dhcp-relay-through-gre-bridge.rst +++ /dev/null 
@@ -1,77 +0,0 @@ -.. _examples-dhcp-relay-through-gre-bridge: - - -DHCP Relay through GRE-Bridge ------------------------------ - -Diagram -^^^^^^^ - -.. image:: /_static/images/dhcp-relay-through-gre-bridge.png - :width: 80% - :align: center - :alt: Network Topology Diagram - -Configuration -^^^^^^^^^^^^^ - -DHCP Server -""""""""""" - -.. code-block:: none - - set interfaces ethernet eth0 address '10.0.2.1/24' - set interfaces loopback lo address '3.3.3.3/24' - set interfaces tunnel tun100 address '172.16.0.2/30' - set interfaces tunnel tun100 encapsulation 'gre-bridge' - set interfaces tunnel tun100 local-ip '10.0.2.1' - set interfaces tunnel tun100 remote-ip '192.168.0.1' - set protocols ospf area 0 network '3.3.3.0/24' - set protocols ospf area 0 network '10.0.2.0/24' - set protocols ospf parameters router-id '3.3.3.3' - set protocols static interface-route 10.0.1.2/32 next-hop-interface tun100 - set service dhcp-server shared-network-name asdf authoritative - set service dhcp-server shared-network-name asdf subnet 3.3.3.0/24 range 0 start '3.3.3.30' - set service dhcp-server shared-network-name asdf subnet 3.3.3.0/24 range 0 stop '3.3.3.40' - set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 default-router '10.0.1.2' - set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 start '10.0.1.200' - set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 stop '10.0.1.210' - set service dhcp-server shared-network-name asdf subnet 10.2.1.0/24 range 0 start '10.2.1.222' - set service dhcp-server shared-network-name asdf subnet 10.2.1.0/24 range 0 stop '10.2.1.233' - set service dhcp-server shared-network-name asdf subnet 172.16.0.0/30 range 0 start '172.16.0.1' - set service dhcp-server shared-network-name asdf subnet 172.16.0.0/30 range 0 stop '172.16.0.2' - - -In-Between Router -""""""""""""""""" - -.. 
code-block:: none - - set interfaces ethernet eth0 address '192.168.0.2/24' - set interfaces ethernet eth1 address '10.0.2.2/24' - set protocols ospf area 0 network '192.168.0.0/24' - set protocols ospf area 0 network '10.0.2.0/24' - set protocols ospf parameters router-id '192.168.0.2' - - -DHCP Relay -"""""""""" - -.. code-block:: none - - set interfaces ethernet eth0 address '10.0.1.2/24' - set interfaces ethernet eth1 address '192.168.0.1/24' - set interfaces loopback lo address '1.1.1.1' - set interfaces tunnel tun100 address '172.16.0.1/30' - set interfaces tunnel tun100 encapsulation 'gre-bridge' - set interfaces tunnel tun100 local-ip '192.168.0.1' - set interfaces tunnel tun100 remote-ip '10.0.2.1' - set protocols ospf area 0 network '10.0.1.0/24' - set protocols ospf area 0 network '192.168.0.0/24' - set protocols ospf area 0 network '1.1.1.0/24' - set protocols ospf parameters router-id '1.1.1.1' - set protocols static interface-route 3.3.3.3/32 next-hop-interface tun100 - set service dhcp-relay interface 'eth0' - set service dhcp-relay interface 'tun100' - set service dhcp-relay server '3.3.3.3' - diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst deleted file mode 100644 index 30ca8e86..00000000 --- a/docs/appendix/examples/dmvpn.rst +++ /dev/null 
@@ -1,106 +0,0 @@ - -.. _examples-dmvpn: - -VyOS DMVPN Hub --------------- - -General infomration can be found in the :ref:`vpn-dmvpn` chapter. - -Configuration -^^^^^^^^^^^^^ - -.. code-block:: none - - set interfaces tunnel tun100 address '172.16.253.134/29' - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '11.22.33.44' - set interfaces tunnel tun100 multicast 'enable' - set interfaces tunnel tun100 parameters ip key '1' - - set protocols nhrp tunnel tun100 cisco-authentication '<nhrp secret key>' - set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 multicast 'dynamic' - set protocols nhrp tunnel tun100 redirect - set protocols nhrp tunnel tun100 shortcut - - set vpn ipsec esp-group ESP-HUB compression 'disable' - set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'tunnel' - set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' - set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' - set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' - set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' - set vpn ipsec ike-group IKE-HUB lifetime '3600' - set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' - set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - set vpn ipsec ipsec-interfaces interface 'eth0' - - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN authentication pre-shared-secret '<secretkey>' - set vpn ipsec profile NHRPVPN bind tunnel 'tun100' - set vpn ipsec profile NHRPVPN 
esp-group 'ESP-HUB' - set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' - -Cisco IOS Spoke -^^^^^^^^^^^^^^^ - -This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and -VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux). - -.. code-block:: none - - Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3) - Technical Support: http://www.cisco.com/techsupport - Copyright (c) 1986-2014 by Cisco Systems, Inc. - Compiled Fri 12-Sep-14 10:45 by prod_rel_team - - ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1) - -Use this configuration on your Cisco device: - -.. code-block:: none - - crypto pki token default removal timeout 0 - crypto keyring DMVPN - pre-shared-key address 1.2.3.4 key <secretkey> - ! - crypto isakmp policy 10 - encr aes 256 - authentication pre-share - group 2 - ! - crypto isakmp invalid-spi-recovery - crypto isakmp keepalive 30 30 periodic - crypto isakmp profile DMVPN - keyring DMVPN - match identity address 11.22.33.44 255.255.255.255 - ! - crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac - mode transport - ! - crypto ipsec profile DMVPN - set security-association idle-time 720 - set transform-set DMVPN-AES256 - set isakmp-profile DMVPN - ! - interface Tunnel10 - description Tunnel to DMVPN HUB - ip address 172.16.253.129 255.255.255.248 - no ip redirects - ip nhrp authentication <nhrp secret key> - ip nhrp map multicast 11.22.33.44 - ip nhrp map 172.16.253.134 11.22.33.44 - ip nhrp network-id 1 - ip nhrp holdtime 600 - ip nhrp nhs 172.16.253.134 - ip nhrp registration timeout 75 - tunnel source Dialer1 - tunnel mode gre multipoint - tunnel key 1 diff --git a/docs/appendix/examples/index.rst b/docs/appendix/examples/index.rst deleted file mode 100644 index 5216b18f..00000000 --- a/docs/appendix/examples/index.rst +++ /dev/null 
@@ -1,20 +0,0 @@ -.. _examples: - -Configuration Examples -====================== - -This chapter contains various configuration Examples - - -.. toctree:: - :maxdepth: 2 - - dmvpn - zone-policy - bgp-ipv6-unnumbered - ospf-unnumbered - azure-vpn-bgp - azure-vpn-dual-bgp - tunnelbroker-ipv6 - dhcp-relay-through-gre-bridge - wan-load-balancing diff --git a/docs/appendix/examples/ospf-unnumbered.rst b/docs/appendix/examples/ospf-unnumbered.rst deleted file mode 100644 index 84fc691e..00000000 --- a/docs/appendix/examples/ospf-unnumbered.rst +++ /dev/null 
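Review bot: deleting docs/appendix/examples/index.rst removes the `examples` label and the toctree that lists dmvpn, zone-policy, bgp-ipv6-unnumbered, ospf-unnumbered, azure-vpn-bgp, azure-vpn-dual-bgp, tunnelbroker-ipv6, dhcp-relay-through-gre-bridge and wan-load-balancing, and the example pages deleted in the surrounding hunks each carry their own label (`examples-azure-vpn-dual-bgp`, `examples-bgp-ipv6-unnumbered`, `examples-dhcp-relay-through-gre-bridge`, `examples-dmvpn`, `examples-ospf-unnumbered`, `examples-tunnelbroker-ipv6`, `wan-load-balancing`). Any `:ref:` to one of these labels, or a parent toctree entry for `examples/index`, left elsewhere in the docs will surface as undefined-label or missing-document warnings at build time, so the relocated pages or the updated references should land in the same change, and the commit message should say where the examples now live.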
@@ -1,125 +0,0 @@ -.. _examples-ospf-unnumbered: - -VyOS OSPF unnumbered with ecmp ----------------------------------------------- - -General infomration can be found in the :ref:`routing-ospf` chapter. - -Configuration -^^^^^^^^^^^^^ - -- Router A: - -.. code-block:: none - - set interfaces ethernet eth0 address '10.0.0.1/24' - set interfaces ethernet eth1 address '192.168.0.1/32' - set interfaces ethernet eth1 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' - set interfaces ethernet eth1 ip ospf network 'point-to-point' - set interfaces ethernet eth2 address '192.168.0.1/32' - set interfaces ethernet eth2 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' - set interfaces ethernet eth2 ip ospf network 'point-to-point' - set interfaces loopback lo address '192.168.0.1/32' - set protocols ospf area 0.0.0.0 authentication 'md5' - set protocols ospf area 0.0.0.0 network '192.168.0.1/32' - set protocols ospf parameters router-id '192.168.0.1' - set protocols ospf redistribute connected - -- Router B: - -.. code-block:: none - - set interfaces ethernet eth0 address '10.0.0.2/24' - set interfaces ethernet eth1 address '192.168.0.2/32' - set interfaces ethernet eth1 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' - set interfaces ethernet eth1 ip ospf network 'point-to-point' - set interfaces ethernet eth2 address '192.168.0.2/32' - set interfaces ethernet eth2 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' - set interfaces ethernet eth2 ip ospf network 'point-to-point' - set interfaces loopback lo address '192.168.0.2/32' - set protocols ospf area 0.0.0.0 authentication 'md5' - set protocols ospf area 0.0.0.0 network '192.168.0.2/32' - set protocols ospf parameters router-id '192.168.0.2' - set protocols ospf redistribute connected - - -Results -^^^^^^^^^^^^^ - -- Router A: - -.. 
code-block:: none - - vyos@vyos:~$ show interfaces - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 10.0.0.1/24 u/u - eth1 192.168.0.1/32 u/u - eth2 192.168.0.1/32 u/u - lo 127.0.0.1/8 u/u - 192.168.0.1/32 - ::1/128 - vyos@vyos:~$ - - -.. code-block:: none - - vyos@vyos:~$ show ip route - Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route, q - queued route, r - rejected route - - S>* 0.0.0.0/0 [210/0] via 10.0.0.254, eth0, 00:57:34 - O 10.0.0.0/24 [110/20] via 192.168.0.2, eth1 onlink, 00:13:21 - via 192.168.0.2, eth2 onlink, 00:13:21 - C>* 10.0.0.0/24 is directly connected, eth0, 00:57:35 - O 192.168.0.1/32 [110/0] is directly connected, lo, 00:48:53 - C * 192.168.0.1/32 is directly connected, eth2, 00:56:31 - C * 192.168.0.1/32 is directly connected, eth1, 00:56:31 - C>* 192.168.0.1/32 is directly connected, lo, 00:57:36 - O>* 192.168.0.2/32 [110/1] via 192.168.0.2, eth1 onlink, 00:29:03 - * via 192.168.0.2, eth2 onlink, 00:29:03 - vyos@vyos:~$ - - -- Router B: - -.. code-block:: none - - vyos@vyos:~$ show interfaces - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 10.0.0.2/24 u/u - eth1 192.168.0.2/32 u/u - eth2 192.168.0.2/32 u/u - lo 127.0.0.1/8 u/u - 192.168.0.2/32 - ::1/128 - vyos@vyos:~$ - - -.. 
code-block:: none - - vyos@vyos:~$ show ip route - Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route, q - queued route, r - rejected route - - S>* 0.0.0.0/0 [210/0] via 10.0.0.254, eth0, 00:57:34 - O 10.0.0.0/24 [110/20] via 192.168.0.1, eth1 onlink, 00:13:21 - via 192.168.0.1, eth2 onlink, 00:13:21 - C>* 10.0.0.0/24 is directly connected, eth0, 00:57:35 - O 192.168.0.2/32 [110/0] is directly connected, lo, 00:48:53 - C * 192.168.0.2/32 is directly connected, eth2, 00:56:31 - C * 192.168.0.2/32 is directly connected, eth1, 00:56:31 - C>* 192.168.0.2/32 is directly connected, lo, 00:57:36 - O>* 192.168.0.1/32 [110/1] via 192.168.0.1, eth1 onlink, 00:29:03 - * via 192.168.0.1, eth2 onlink, 00:29:03 - vyos@vyos:~$ - diff --git a/docs/appendix/examples/tunnelbroker-ipv6.rst b/docs/appendix/examples/tunnelbroker-ipv6.rst deleted file mode 100644 index ca3921ec..00000000 --- a/docs/appendix/examples/tunnelbroker-ipv6.rst +++ /dev/null 
@@ -1,151 +0,0 @@ -.. _examples-tunnelbroker-ipv6: - -VyOS Tunnelbroker.net IPv6 --------------------------- - -This guides walks through the setup of `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ for an IPv6 Tunnel. - -Prerequisites -^^^^^^^^^^^^^ - -- A public IP address. This does not necessarily need to be static, but you will need to update the tunnel endpoint when/if your IP address changes, which can be done with a script and a scheduled task. -- An account at `Tunnelbroker.net <https://www.tunnelbroker.net/>`_. -- Requested a "Regular Tunnel". You want to choose a location that is closest to your physical location for the best response time. - -Setting up the initial tunnel -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -- Set up the initial IPv6 tunnel. Replace the field below from the fields on the `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ tunnel information page. - -.. code-block:: none - - conf - set interfaces tunnel tun0 address Client_IPv6_from_Tunnelbroker # This will be your VyOS install's public IPv6 address - set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel' - set interfaces tunnel tun0 encapsulation 'sit' - set interfaces tunnel tun0 local-ip Client_IPv4_from_Tunnelbroker # This is your public IP - set interfaces tunnel tun0 mtu '1472' - set interfaces tunnel tun0 multicast 'disable' - set interfaces tunnel tun0 remote-ip Server_IPv4_from_Tunnelbroker # This is the IP of the Tunnelbroker server - set protocols static interface-route6 ::/0 next-hop-interface tun0 # Tell all traffic to go over this tunnel - commit - -- If your WAN connection is over PPPoE, you may need to set the MTU on the above tunnel lower than 1472. - -- At this point you should be able to ping an IPv6 address. Try pinging Google: - -.. 
code-block:: none - - ping6 -c2 2001:4860:4860::8888 - - 64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=57 time=21.7 ms - 64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=57 time=21.1 ms - - --- 2001:4860:4860::8888 ping statistics --- - 2 packets transmitted, 2 received, 0% packet loss, time 1001ms - rtt min/avg/max/mdev = 21.193/21.459/21.726/0.304 ms - -- Assuming the pings are successful, you need to add some DNS servers. Some options: - -.. code-block:: none - - set system name-server 2001:4860:4860::8888 # Google - set system name-server 2001:4860:4860::8844 # Google - set system name-server 2606:4700:4700::1111 # Cloudflare - set system name-server 2606:4700:4700::1001 # Cloudflare - commit - -- You should now be able to ping something by IPv6 DNS name: - -.. code-block:: none - - # ping6 -c2 one.one.one.one - PING one.one.one.one(one.one.one.one) 56 data bytes - 64 bytes from one.one.one.one: icmp_seq=1 ttl=58 time=16.8 ms - 64 bytes from one.one.one.one: icmp_seq=2 ttl=58 time=17.4 ms - - --- one.one.one.one ping statistics --- - 2 packets transmitted, 2 received, 0% packet loss, time 1001ms - rtt min/avg/max/mdev = 16.880/17.153/17.426/0.273 ms - -- Assuming everything works, you can proceed to client configuration - -LAN Configuration -^^^^^^^^^^^^^^^^^ - -At this point your VyOS install should have full IPv6, but now your LAN devices need access. - -With Tunnelbroker.net, you have two options: - -- Routed /64. This is the default assignment. In IPv6-land, it's good for a single "LAN", and is somewhat equivalent to a /24. Example: `2001:470:xxxx:xxxx::/64` -- Routed /48. This is something you can request by clicking the "Assign /48" link in the Tunnelbroker.net tunnel config. It allows you to have up to 65k LANs. Example: `2001:470:xxxx::/48` - -Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. 
So if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore the assigned /64, and request the /48 and use that. - -Single LAN Setup -^^^^^^^^^^^^^^^^ - -Single LAN setup where eth1 is your LAN interface. Use the /64 (all the xxxx should be replaced with the information from your `Routed /64` tunnel): - -.. code-block:: none - - set interfaces ethernet eth1 address '2001:470:xxxx:xxxx::1/64' - set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888' - set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8844' - set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:xxxx::/64 autonomous-flag 'true' - set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:xxxx::/64 on-link-flag 'true' - set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:xxxx::/64 valid-lifetime '2592000' - - -- This accomplishes a few things: - - - Sets your LAN interface's IP address - - Enables router advertisements. This is an IPv6 alternative for DHCP (though DHCPv6 can still be used). With RAs, Your devices will automatically find the information they need for routing and DNS. - -Multiple LAN/DMZ Setup -^^^^^^^^^^^^^^^^^^^^^^ - -In this, you use the `Routed /48` information. This allows you to assign a different /64 to every interface, LAN, or even device. Or you could break your network into smaller chunks like /56 or /60. - -The format of these addresses: - -- `2001:470:xxxx::/48`: The whole subnet. xxxx should come from Tunnelbroker. -- `2001:470:xxxx:1::/64`: A subnet suitable for a LAN -- `2001:470:xxxx:2::/64`: Another subnet -- `2001:470:xxxx:ffff:/64`: The last usable /64 subnet. - -In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff (1-65535). - -So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc: - -.. 
code-block:: none - - set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64' - set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888' - set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8844' - set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:1::/64 autonomous-flag 'true' - set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:1::/64 on-link-flag 'true' - set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:1::/64 valid-lifetime '2592000' - - set interfaces ethernet eth2 address '2001:470:xxxx:2::1/64' - set interfaces ethernet eth2 ipv6 router-advert name-server '2001:4860:4860::8888' - set interfaces ethernet eth2 ipv6 router-advert name-server '2001:4860:4860::8844' - set interfaces ethernet eth2 ipv6 router-advert prefix 2001:470:xxxx:2::/64 autonomous-flag 'true' - set interfaces ethernet eth2 ipv6 router-advert prefix 2001:470:xxxx:2::/64 on-link-flag 'true' - set interfaces ethernet eth2 ipv6 router-advert prefix 2001:470:xxxx:2::/64 valid-lifetime '2592000' - - set interfaces ethernet eth3 address '2001:470:xxxx:3::1/64' - set interfaces ethernet eth3 ipv6 router-advert name-server '2001:4860:4860::8888' - set interfaces ethernet eth3 ipv6 router-advert name-server '2001:4860:4860::8844' - set interfaces ethernet eth3 ipv6 router-advert prefix 2001:470:xxxx:3::/64 autonomous-flag 'true' - set interfaces ethernet eth3 ipv6 router-advert prefix 2001:470:xxxx:3::/64 on-link-flag 'true' - set interfaces ethernet eth3 ipv6 router-advert prefix 2001:470:xxxx:3::/64 valid-lifetime '2592000' - -Firewall -^^^^^^^^ - -Finally, don't forget the :ref:`firewall`. The usage is identical, except for instead of `set firewall name NAME`, you would use `set firewall ipv6-name NAME`. - -Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 firewall in ipv6-name` or `set zone-policy zone LOCAL from WAN firewall ipv6-name` - - 
diff --git a/docs/appendix/examples/wan-load-balancing.rst b/docs/appendix/examples/wan-load-balancing.rst deleted file mode 100644 index 7093defe..00000000 --- a/docs/appendix/examples/wan-load-balancing.rst +++ /dev/null 
@@ -1,170 +0,0 @@ -.. _wan-load-balancing: - -WAN Load Balancer examples -========================== - - -Example 1: Distributing load evenly ------------------------------------ - -The setup used in this example is shown in the following diagram: - -.. image:: /_static/images/Wan_load_balancing1.png - :width: 80% - :align: center - :alt: Network Topology Diagram - - -Overview -^^^^^^^^ - * All traffic coming in trough eth2 is balanced between eth0 and eth1 - on the router. - * Pings will be sent to four targets for health testing (33.44.55.66, - 44.55.66.77, 55.66.77.88 and 66.77.88.99). - * All outgoing packets are assigned the source address of the assigned - interface (SNAT). - * eth0 is set to be removed from the load balancer's interface pool - after 5 ping failures, eth1 will be removed after 4 ping failures. - -Create static routes to ping targets -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Create static routes through the two ISPs towards the ping targets and -commit the changes: - -.. code-block:: none - - set protocols static route 33.44.55.66/32 next-hop 11.22.33.1 - set protocols static route 44.55.66.77/32 next-hop 11.22.33.1 - set protocols static route 55.66.77.88/32 next-hop 22.33.44.1 - set protocols static route 66.77.88.99/32 next-hop 22.33.44.1 - -Configure the load balancer -^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Configure the WAN load balancer with the parameters described above: - -.. 
code-block:: none - - set load-balancing wan interface-health eth0 failure-count 5 - set load-balancing wan interface-health eth0 nexthop 11.22.33.1 - set load-balancing wan interface-health eth0 test 10 type ping - set load-balancing wan interface-health eth0 test 10 target 33.44.55.66 - set load-balancing wan interface-health eth0 test 20 type ping - set load-balancing wan interface-health eth0 test 20 target 44.55.66.77 - set load-balancing wan interface-health eth1 failure-count 4 - set load-balancing wan interface-health eth1 nexthop 22.33.44.1 - set load-balancing wan interface-health eth1 test 10 type ping - set load-balancing wan interface-health eth1 test 10 target 55.66.77.88 - set load-balancing wan interface-health eth1 test 20 type ping - set load-balancing wan interface-health eth1 test 20 target 66.77.88.99 - set load-balancing wan rule 10 inbound-interface eth2 - set load-balancing wan rule 10 interface eth0 - set load-balancing wan rule 10 interface eth1 - -Example 2: Failover based on interface weights ----------------------------------------------- - -This examples uses the failover mode. - -Overview -^^^^^^^^ -In this example eth0 is the primary interface and eth1 is the secondary -interface to provide simple failover functionality. If eth0 fails, eth1 -takes over. - -Create interface weight based configuration -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The configuration steps are the same as in the previous example, except -rule 10 so we keep the configuration, remove rule 10 and add a new rule -for the failover mode: - -.. 
code-block:: none - - delete load-balancing wan rule 10 - set load-balancing wan rule 10 failover - set load-balancing wan rule 10 inbound-interface eth2 - set load-balancing wan rule 10 interface eth0 weight 10 - set load-balancing wan rule 10 interface eth1 weight 1 - -Example 3: Failover based on rule order ---------------------------------------- - -The previous example used the failover command to send traffic thorugh -eth1 if eth0 fails. In this example failover functionality is provided -by rule order. - -Overview -^^^^^^^^ -Two rules will be created, the first rule directs traffic coming in -from eth2 to eth0 and the second rule directs the traffic to eth1. If -eth0 fails the first rule is bypassed and the second rule matches, -directing traffic to eth1. - -Create rule order based configuration -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -We keep the configurtation from the previous example, delete rule 10 -and create the two new rules as described: - -.. code-block:: none - - delete load-balancing wan rule 10 - set load-balancing wan rule 10 inbound-interface eth2 - set load-balancing wan rule 10 interface eth0 - set load-balancing wan rule 20 inbound-interface eth2 - set load-balancing wan rule 20 interface eth1 - -Example 4: Failover based on rule order - priority traffic ----------------------------------------------------------- - -A rule order for prioritising traffic is useful in scenarios where the -secondary link has a lower speed and should only carry high priority -traffic. It is assumed for this example that eth1 is connected to a -slower connection than eth0 and should prioritise VoIP traffic. - -Overview -^^^^^^^^ -A rule order for prioritising traffic is useful in scenarios where the -secondary link has a lower speed and should only carry high priority -traffic. It is assumed for this example that eth1 is connected to a -slower connection than eth0 and should prioritise VoIP traffic. 
- -Create rule order based configuration with low speed secondary link -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -We keep the configuration from the previous example, delete rule 20 and -create a new rule as described: - -.. code-block:: none - - delete load-balancing wan rule 20 - set load-balancing wan rule 20 inbound-interface eth2 - set load-balancing wan rule 20 interface eth1 - set load-balancing wan rule 20 destination port sip - set load-balancing wan rule 20 protocol tcp - set protocols static route 0.0.0.0/0 next-hop 11.22.33.1 - -Example 5: Exclude traffic from load balancing ----------------------------------------------- - -In this example two LAN interfaces exist in different subnets instead -of one like in the previous examples: - -.. image:: /_static/images/Wan_load_balancing_exclude1.png - :width: 80% - :align: center - :alt: Network Topology Diagram - -Adding a rule for the second interface -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Based on the previous example, another rule for traffic from the second -interface eth3 can be added to the load balancer. However, traffic meant -to flow between the LAN subnets will be sent to eth0 and eth1 as well. -To prevent this, another rule is required. This rule excludes traffic -between the local subnets from the load balancer. It also excludes -locally-sources packets (required for web caching with load balancing). -eth+ is used as an alias that refers to all ethernet interfaces: - -.. code-block:: none - - set load-balancing wan rule 5 exclude - set load-balancing wan rule 5 inbound-interface eth+ - set load-balancing wan rule 5 destination address 10.0.0.0/8 diff --git a/docs/appendix/examples/zone-policy.rst b/docs/appendix/examples/zone-policy.rst deleted file mode 100644 index 7a25d063..00000000 --- a/docs/appendix/examples/zone-policy.rst +++ /dev/null 
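Review bot: in the wan-load-balancing hunk above, Example 4's priority rule (`set load-balancing wan rule 20 destination port sip` together with `set load-balancing wan rule 20 protocol tcp`) only matches TCP SIP signalling, so UDP SIP, the common case, and the RTP media stream fall through to rule 10 and never reach the link the example says should carry VoIP; if this content is preserved elsewhere, add a matching UDP rule or state that the example covers TCP only. Same hunk: Example 4's Overview paragraph is a verbatim repeat of its introduction; the health-check targets and next-hops (33.44.55.66, 11.22.33.1, ...) are publicly routed space rather than RFC 5737 documentation prefixes; and Example 5's `set load-balancing wan rule 5 exclude` with `destination address 10.0.0.0/8` only excludes inter-LAN traffic if both LAN subnets sit inside 10.0.0.0/8, which the text should say explicitly.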
@@ -1,379 +0,0 @@ -.. _examples-zone-policy: - -Zone-Policy example -------------------- - -Native IPv4 and IPv6 -^^^^^^^^^^^^^^^^^^^^ - -We have three networks. - -.. code-block:: none - - WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64 - LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64 - DMZ - 192.168.200.0/24, 2001:0DB8:0:BBBB::0/64 - - -This specific example is for a router on a stick, but is very easily adapted -for however many NICs you have. - -[http://imgur.com/Alz1J.png Topology Image] - -The VyOS interface is assigned the .1/:1 address of their respective networks. -WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30. - -It will look something like this: - -.. code-block:: none - - interfaces { - ethernet eth0 { - duplex auto - hw-id 00:0c:29:6e:2a:92 - smp_affinity auto - speed auto - vif 10 { - address 172.16.10.1/24 - address 2001:db8:0:9999::1/64 - } - vif 20 { - address 192.168.100.1/24 - address 2001:db8:0:AAAA::1/64 - } - vif 30 { - address 192.168.200.1/24 - address 2001:db8:0:BBBB::1/64 - } - } - loopback lo { - } - } - - -Zones Basics -^^^^^^^^^^^^ - -Each interface is assigned to a zone. The interface can be physical or virtual -such as tunnels (VPN, pptp, gre, etc) and are treated exactly the same. - -Traffic flows from zone A to zone B. That flow is what I refer to as a -zone-pair-direction. eg. A->B and B->A are two zone-pair-destinations. - -Ruleset are created per zone-pair-direction. - -I name rule sets to indicate which zone-pair-direction they represent. eg. -ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN. - -In VyOS, you have to have unique Ruleset names. In the event of overlap, I -add a "-6" to the end of v6 rulesets. eg. LAN-DMZ, LAN-DMZ-6. This allows for -each auto-completion and uniqueness. - -In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is the -firewall itself. - -If your computer is on the LAN and you need to SSH into your VyOS box, you -would need a rule to allow it in the LAN-Local ruleset. 
If you want to access -a webpage from your VyOS box, you need a rule to allow it in the Local-LAN -ruleset. - -In rules, it is good to keep them named consistently. As the number of rules -you have grows, the more consistency you have, the easier your life will be. - -.. code-block:: none - - Rule 1 - State Established, Related - Rule 2 - State Invalid - Rule 100 - ICMP - Rule 200 - Web - Rule 300 - FTP - Rule 400 - NTP - Rule 500 - SMTP - Rule 600 - DNS - Rule 700 - DHCP - Rule 800 - SSH - Rule 900 - IMAPS - -The first two rules are to deal with the idiosyncrasies of VyOS and iptables. - -Zones and Rulesets both have a default action statement. When using -Zone-Policies, the default action is set by the zone-policy statement and is -represented by rule 10000. - -It is good practice to log both accepted and denied traffic. It can save you -significant headaches when trying to troubleshoot a connectivity issue. - -To add logging to the default rule, do: - -.. code-block:: none - - set firewall name <ruleSet> enable-default-log - - -By default, iptables does not allow traffic for established session to return, -so you must explicitly allow this. I do this by adding two rules to every -ruleset. 1 allows established and related state packets through and rule 2 -drops and logs invalid state packets. We place the established/related rule at -the top because the vast majority of traffic on a network is established and -the invalid rule to prevent invalid state packets from mistakenly being matched -against other rules. Having the most matched rule listed first reduces CPU load -in high volume environments. Note: I have filed a bug to have this added as a -default action as well. - -''It is important to note, that you do not want to add logging to the -established state rule as you will be logging both the inbound and outbound -packets for each session instead of just the initiation of the session. 
-Your logs will be massive in a very short period of time.'' - -In VyOS you must have the interfaces created before you can apply it to the -zone and the rulesets must be created prior to applying it to a zone-policy. - -I create/configure the interfaces first. Build out the rulesets for each -zone-pair-direction which includes at least the three state rules. Then I setup -the zone-policies. - -Zones do not allow for a default action of accept; either drop or reject. -It is important to remember this because if you apply an interface to a zone -and commit, any active connections will be dropped. Specifically, if you are -SSH’d into VyOS and add local or the interface you are connecting through to a -zone and do not have rulesets in place to allow SSH and established sessions, -you will not be able to connect. - -The following are the rules that were created for this example -(may not be complete), both in IPv4 and IPv6. If there is no IP specified, -then the source/destination address is not explicit. - -.. 
code-block:: none - - WAN – DMZ:192.168.200.200 – tcp/80 - WAN – DMZ:192.168.200.200 – tcp/443 - WAN – DMZ:192.168.200.200 – tcp/25 - WAN – DMZ:192.168.200.200 – tcp/53 - WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/80 - WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/443 - WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/25 - WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/53 - - DMZ - Local - tcp/53 - DMZ - Local - tcp/123 - DMZ - Local - tcp/67,68 - - LAN - Local - tcp/53 - LAN - Local - tcp/123 - LAN - Local - tcp/67,68 - LAN:192.168.100.10 - Local - tcp/22 - LAN:2001:0DB8:0:AAAA::10 - Local - tcp/22 - - LAN - WAN - tcp/80 - LAN - WAN - tcp/443 - LAN - WAN - tcp/22 - LAN - WAN - tcp/20,21 - - DMZ - WAN - tcp/80 - DMZ - WAN - tcp/443 - DMZ - WAN - tcp/22 - DMZ - WAN - tcp/20,21 - DMZ - WAN - tcp/53 - DMZ - WAN - udp/53 - - Local - WAN - tcp/80 - Local - WAN - tcp/443 - Local - WAN - tcp/20,21 - - Local - DMZ - tcp/25 - Local - DMZ - tcp/67,68 - Local - DMZ - tcp/53 - Local - DMZ - udp/53 - - Local - LAN - tcp/67,68 - - LAN - DMZ - tcp/80 - LAN - DMZ - tcp/443 - LAN - DMZ - tcp/993 - LAN:2001:0DB8:0:AAAA::10 - DMZ:2001:0DB8:0:BBBB::200 - tcp/22 - LAN:192.168.100.10 - DMZ:192.168.200.200 - tcp/22 - -Since we have 4 zones, we need to setup the following rulesets. - -.. code-block:: none - - Lan-wan - Lan-local - Lan-dmz - Wan-lan - Wan-local - Wan-dmz - Local-lan - Local-wan - Local-dmz - Dmz-lan - Dmz-wan - Dmz-local - -Even if the two zones will never communicate, it is a good idea to create the -zone-pair-direction rulesets and set enable-default-log. This will allow you to -log attempts to access the networks. Without it, you will never see the -connection attempts. - -This is an example of the three base rules. - -.. 
code-block:: none - - name wan-lan { - default-action drop - enable-default-log - rule 1 { - action accept - state { - established enable - related enable - } - } - rule 2 { - action drop - log enable - state { - invalid enable - } - } - } - - -Here is an example of an IPv6 DMZ-WAN ruleset. - -.. code-block:: none - - ipv6-name dmz-wan-6 { - default-action drop - enable-default-log - rule 1 { - action accept - state { - established enable - related enable - } - } - rule 2 { - action drop - log enable - state { - invalid enable - } - rule 100 { - action accept - log enable - protocol ipv6-icmp - } - rule 200 { - action accept - destination { - port 80,443 - } - log enable - protocol tcp - } - rule 300 { - action accept - destination { - port 20,21 - } - log enable - protocol tcp - } - rule 500 { - action accept - destination { - port 25 - } - log enable - protocol tcp - source { - address 2001:db8:0:BBBB::200 - } - } - rule 600 { - action accept - destination { - port 53 - } - log enable - protocol tcp_udp - source { - address 2001:db8:0:BBBB::200 - } - } - rule 800 { - action accept - destination { - port 22 - } - log enable - protocol tcp - } - } - -Once you have all of your rulesets built, then you need to create your -zone-policy. - -Start by setting the interface and default action for each zone. - -.. code-block:: none - - set zone-policy zone dmz default-action drop - set zone-policy zone dmz interface eth0.30 - -In this case, we are setting the v6 ruleset that represents traffic sourced -from the LAN, destined for the DMZ. -Because the zone-policy firewall syntax is a little awkward, I keep it straight -by thinking of it backwards. - - set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6 - -dmz-lan policy is lan-dmz. You can get a rhythm to it when you build out a bunch at one time. - -In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is. 
-== IPv6 Tunnel == - -If you are using a IPv6 tunnel from HE.net or someone else, the basis is the same except you have two WAN interface. One for v4 and one for v6. - -You would have 5 zones instead of just 4 and you would configure your v6 ruleset between your tunnel interface and your LAN/DMZ zones instead of to the WAN. - -LAN, WAN, DMZ, local and TUN (tunnel) - -v6 pairs would be: - -.. code-block:: none - - lan-tun - lan-local - lan-dmz - tun-lan - tun-local - tun-dmz - local-lan - local-tun - local-dmz - dmz-lan - dmz-tun - dmz-local - -Notice, none go to WAN since WAN wouldn't have a v6 address on it. - -You would have to add a couple of rules on your wan-local ruleset to allow protocol 41 in. - -Something like: - -.. code-block:: none - - rule 400 { - action accept - destination { - address 172.16.10.1 - } - log enable - protocol 41 - source { - address ip.of.tunnel.broker - } - } - diff --git a/docs/appendix/migrate-from-vyatta.rst b/docs/appendix/migrate-from-vyatta.rst deleted file mode 100644 index eba9dc59..00000000 --- a/docs/appendix/migrate-from-vyatta.rst +++ /dev/null 
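Review bot: the IPv6 `dmz-wan-6` ruleset in this zone-policy hunk is syntactically broken: `rule 2 {` closes its inner `state { invalid enable }` block but never closes itself before `rule 100 {` begins, so rules 100 through 800 are nested inside rule 2 and the example cannot be loaded as written. If the example is preserved elsewhere, also correct the protocols in the rule list: DHCP (67,68) and NTP (123) are UDP, DNS should be `tcp_udp` as rule 600 of the later ruleset correctly uses rather than `tcp/53`, and DHCPv6 uses UDP 546/547, so the `tcp/67,68` entries do not cover the v6 case the list claims to include. The two operational warnings in this file, no `log enable` on the established/related rule, and that adding `local` or the interface you are connected through to a zone without LAN-Local rules for SSH and established sessions locks you out on commit, are the most security-relevant content being deleted; no replacement is visible in this diff. The `[http://imgur.com/Alz1J.png Topology Image]` link and the `== IPv6 Tunnel ==` heading are MediaWiki leftovers that would need converting if the text moves.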
@@ -1,164 +0,0 @@ -.. _migrate_from_vyatta: - -Migrate from Vyatta Core -======================== - -VyOS 1.x line aims to preserve backward compatibility and provide a safe -upgrade path for existing Vyatta Core users. You may think of VyOS 1.0.0 as -VC7.0. - -Vyatta release compatiblity ---------------------------- - -Vyatta Core releases from 6.5 to 6.6 should be 100% compatible. - -Vyatta Core 6.4 and earlier may have incompatibilities. In Vyatta 6.5 the -"modify" firewall was removed and replaced with the ``set policy route`` -command family, old configs can not be automatically converted. You will have -to adapt it to post-6.5 Vyatta syntax manually. - -.. note:: Also, in Vyatta Core 6.5 remote access VPN interfaces have been - renamed from ``pppX`` to ``l2tpX`` and ``pptpX``. If you are using - zone based firewalling in Vyatta Core pre-6.5 versions, make sure to change - interface names in rules for remote access VPN. - -Upgrade procedure ------------------ - -You just use ``add system image``, as if it was a new VC release (see -:ref:`update_vyos` for additional information). The only thing you want to do -is to verify the new images digital signature. You will have to add the public -key manually once as it is not shipped the first time. - -.. code-block:: none - - vyatta@vyatta:~$ wget http://wiki.vyos.net/so3group_maintainers.key - Connecting to vyos.net (x.x.x.x:80) - so3group_maintainers 100% |*************************| 3125 --:--:-- ETA - vyatta@vyatta:~$ sudo apt-key add so3group_maintainers.key - OK - vyatta@vyatta:~$ - -For completion the key below corresponds to the key listed in the URL above. - -.. 
code-block:: none - - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: GnuPG v1.4.12 (GNU/Linux) - - mQINBFIIUZwBEADGl+wkZpYytQxd6LnjDZZScziBKYJbjInetYeS0SUrgpqnPkzL - 2CiGfPczLwpYY0zWxpUhTvqjFsE5yDpgs0sPXIgUTFE1qfZQE+WD1I1EUM6sp/38 - 2xKQ9QaNc8oHuYINLYYmNYra6ZjIGtQP9WOX//IDYB3fhdwlmiW2z0hux2OnPWdh - hPZAmSrx5AiXFEEREJ1cAQyvYk7hgIRvM/rdQMUm+u4/z+S4mxCHE10KzlqOGhRv - hA8WQxHCVusMFGwXoKHxYf9OQpV7lsfOCODfXOMP/L9kHQ5/gBsLL5hHst+o/3VG - ec0QuVrVkBBehgrqhfJW2noq+9gTooURGImQHEOyE0xpJdFrrgk5Ii9RqQwdVRzI - ZPbqbo8uuldZIRJRGnfx+vAR9812yo38NVZ/X0P/hkkrx+UeGVgpC/ao5XLRiOzL - 7ZBMWLA6FVmZ7mkpqdzuMXX5548ApACm6EKErULIhTYDGDzFxA3cf6gr5VVi4usD - wglVs+FHuiLehmuuPTMoVcT2R6+Ht44hG3BmQmKzh/SSEa1g9gKgrhZrMdIyK4hu - GvMqLw9z9BgJbWB3BgXOUdlkXLDwBvVpEcWsPJgxSjAvjAbLLE4YkKAdYU8bQ0Pd - JuN485tcXxgQCadFZB0gcipQAvVf4b810HrY88g6FldfauHxiACOlXscZwARAQAB - tDBTTzMgR3JvdXAgTWFpbnRhaW5lcnMgPG1haW50YWluZXJzQHNvM2dyb3VwLm5l - dD6JAjgEEwECACIFAlIIUZwCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ - ELdE4lqkQubp8GsQAKntoRFG6bWX/4WPw7Vo7kIF5kWcmv3lVb0AQkacscWope7T - Iq0VcgpAycJue2bSS9LAsvNtpVkQmFawbwFjqB3CC5NbPNQ4Kf+gswKa+yaHwejo - 7dkslAwxgXHe5g76DG7CVLMsMg6zVDFYuzeksPywls/OJBIpkuGqeXy9tAHjQzjA - SlZV3Gsx7azESjiVQ73EUBt2OXkwN4TN9TEHAnVsrNIXHwFl1VfFsSG1Q6uZDtkk - CB4DZJKN4RzCY2QSwMAqRRC2OXdwk5IAk8wwCGoFpp0UV6CO9YCeOaqJderEcBA4 - MGHqdiPDIbH5wvckjZzFznU/Paz3MwPwBdtN+WSKvwf+JItSiUqm8Dy2Pl/1cnux - 1g1I4WQlXUVaS/MDusqL7tbS8k5A5a2+YVMxShWH9BhXZwNXzEihl4sm8Hrg5SvZ - givJj2y93WoL69Wq0/86wkkH2xcrz4gsiUcQf5YXU/RHXOLnPR29/pg8TS0L7sST - dv0X23C2IpfqYoqN7YZ3K0Wczhi0yLPCrc27IczuHgjt/8ICda11xhB1t/pUbvnX - oksehaLp8O3uU8GyAsTfUgpijZFc/3jIadOl0L9NGUbYYgPzFeaZTa/njeEbz3wX - PZMn278sbL9UhupI5Hx7eREbKzV4VPVKz81ndKNMXyuJHXv2R0xou3nvuo1WuQIN - BFIIUZwBEADAhoYPDCSogG41Naq+wFkG+IPszqe0dW/UWg0xrZDT0UblwDSd4OGY - 7FATMIhjOUyFxk6+XKA5CDCWP8Npkl0modTL59uVWNxU1vUKincc/j4ipHQeAhE6 - fvZkrprvADD8TYIGesl/3EGNc7bzc5ZqX71hKPHG+autRtgFSOR2PSXD9MlJXIBb - RzHAXxlh72zvsGadcxLJm4pSWXitkR/5Wc3e0IippKdzGwZnCDpNmcBGtSTFgixP - 
JqyRZFVCPWs7jr/oQeZnq65wJp1KD2HvhhKHJfsPrnNjLSm1SQVh8hXzE9odcv6N - mJB7tNXywuROBt6a01ojBa9J3zuMYQj3iQl2MhxtHylKVBjr7NjZ4evZbLsRMxY1 - hYk7sl+ZxCPFeOZ9D2ppU/CUDXCS095I1x+s+VuiUNf/3yd8ahCWDXVp9nsXyYjm - 2pHIxb2F6r8Vd4AjlD2MQwszECS88INF3l/9ksIHEMKuuW+JAC9FiZ7k4IGcIltv - If/V2TgE6t6qoWIlmLhMTjOyJpwnokY1nIuXHH7yp+HsuqnYnf/dgLnt4czPLeHO - +TdIDHhUym0AKlCcbdgn0C6EJVTnA8BFgFjiIOMAeT0rhATg0W/cND8KQcX4V9wM - nHSEsgSEuP9H+67xuRx5Imuh5ntecrcuCYSNuOneUXWPThDKQPO9lQARAQABiQIf - BBgBAgAJBQJSCFGcAhsMAAoJELdE4lqkQubpc+0P/0IzUx8nTpF0/ii2TA0YCOgj - tviM6PRTVPrFcxijNeXiIMHZYrALYUvXxXGp1IZBP3IcOyuZNp2WLqF/f9a3cIr1 - 9b/LJPrwopGqV3K30lormk7hH0s3IXbhd0ZYWvRj+5kQ8TFRAFfPwjlItzjYJmYX - AGJmM9PxJID/4LgWSfQ/ZfNu7MJ7+2goQLu9b6x7UC1FlE4q1lcjBvHjVPM//S9G - lGAHaysyTjVu88W2wwBpBrO1MQnDvqFRddXPOIWp0jecBMUd4E0fB36yuStsXZT3 - RN4V8vKRBYXuqHhiTwZeh153cHZk2EZBwz5A6DJubMaGdJTesHW5Qf2goph0pmjC - +XuXn8J6tc5nFDf8DP4AFVMtqa3Brj2fodWd0Zzxq3AVsbX144c1oqJUhO4t3+ie - 8fD/6/jx4iuPCQTfyhHG+zGfyUb2LQ+OVLW1WYTxH5tzHaZUmZFdV2I1kuhuvZ1t - WRlmTnHZOnEb3+t8KCRWzRMfweTzXfRRKBC0/QpeX1r5pbaMHH8zF/J5PKmL0+jg - +DS8JSbSfv7Ke6rplf7lHYaDumAFZfxXuQkajzLZbX0E5Xu5BNz4Vq6LGBj7LDXL - gswIK8FFgZB+W8zwOqUV1vjIr9wkdLifXXezKpTeYpFDGLdfsK+uNAtGyvI61TDi - Pr6fWpIruuc7Gg9rUF0L - =VQTr - -----END PGP PUBLIC KEY BLOCK----- - -Next add the VyOS image. - -This example uses VyOS 1.0.0, however, it's better to install the latest -release. - -.. code-block:: none - - vyatta@vyatta:~$ show system image - The system currently has the following image(s) installed: - 1: VC6.6R1 (default boot) (running image) - - vyatta@vyatta:~$ add system image https://downloads.vyos.io/release/legacy/1.0.0/vyos-1.0.0-amd64.iso - Trying to fetch ISO file from https://downloads.vyos.io/release/legacy/1.0.0/vyos-1.0.0-amd64.iso - % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed - 100 223M 100 223M 0 0 960k 0 0:03:57 0:03:57 --:--:-- 657k - ISO download succeeded. - Checking for digital signature file... 
- % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed - 100 836 100 836 0 0 4197 0 --:--:-- --:--:-- --:--:-- 4287 - Found it. Checking digital signature... - gpg: directory `/root/.gnupg' created - gpg: new configuration file `/root/.gnupg/gpg.conf' created - gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run - gpg: keyring `/root/.gnupg/pubring.gpg' created - gpg: Signature made Sun Dec 22 16:51:42 2013 GMT using RSA key ID A442E6E9 - gpg: /root/.gnupg/trustdb.gpg: trustdb created - gpg: Good signature from "SO3 Group Maintainers <maintainers@so3group.net>" - gpg: WARNING: This key is not certified with a trusted signature! - gpg: There is no indication that the signature belongs to the owner. - Primary key fingerprint: DD5B B405 35E7 F6E3 4278 1ABF B744 E25A A442 E6E9 - Digital signature is valid. - Checking MD5 checksums of files on the ISO image...OK. - Done! - - What would you like to name this image? [1.0.0]: [return] - OK. This image will be named: 1.0.0 - Installing "1.0.0" image. - Copying new release files... - - Would you like to save the current configuration - directory and config file? (Yes/No) [Yes]: [return] - Copying current configuration... - - Would you like to save the SSH host keys from your - current configuration? (Yes/No) [Yes]: [return] - Copying SSH keys... - Setting up grub configuration... - Done. - - vyatta@vyatta:~$ show system image - The system currently has the following image(s) installed: - - 1: 1.0.0 (default boot) - 2: VC6.6R1 (running image) - -Upon reboot, you should have a working installation of VyOS. - -You can go back to your Vyatta install using the ``set system image -default-boot`` command and selecting the your previous Vyatta Core image. - -.. note:: Future releases of VyOS will break the direct upgrade path from - Vyatta core. Please upgrade through an intermediate VyOS version e.g. VyOS - 1.2. 
After this you can continue upgrading to newer releases once you bootet - into VyOS 1.2 once. diff --git a/docs/appendix/releasenotes.rst b/docs/appendix/releasenotes.rst deleted file mode 100644 index f08786a0..00000000 --- a/docs/appendix/releasenotes.rst +++ /dev/null 
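Review bot: the key-bootstrap step in this migrate-from-vyatta hunk fetches the image-signing key with `wget http://wiki.vyos.net/so3group_maintainers.key` over plain HTTP and passes it straight to `sudo apt-key add`, with no instruction to compare the fingerprint against an out-of-band value, so the later `Digital signature is valid.` line only proves the ISO matches whatever key the network delivered. The gpg output in the same hunk already shows `Primary key fingerprint: DD5B B405 35E7 F6E3 4278 1ABF B744 E25A A442 E6E9`; wherever this procedure survives, the reader should be told to check that fingerprint (and the inline key block) before trusting the key, and to fetch it over https. The closing note that later releases break the direct Vyatta upgrade path and require an intermediate VyOS 1.2 boot is the one piece a VC6.6 user still needs from this file; confirm it is relocated rather than removed. Typos if the text is kept: compatiblity, bootet.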
@@ -1,358 +0,0 @@ -.. _releasenotes: - -Release notes -############# - -1.2 (Crux) -========== - -1.2.6-S1 --------- - -1.2.6-S1 is a security release release made in September 2020. - -Resolved issues -^^^^^^^^^^^^^^^ - -VyOS 1.2.6 release was found to be suspectible to CVE-2020-10995. It's a low- -impact vulnerability in the PowerDNS recursor that allows an attacker to cause -performance degradation via a specially crafted authoritative DNS server reply. - -* `2899 <https://phabricator.vyos.net/T2899>`_ remote syslog server migration error on update - -1.2.6 ------ - -1.2.6 is a maintenance release made in September 2019. - -Resolved issues -^^^^^^^^^^^^^^^ - -* `103 <https://phabricator.vyos.net/T103>`_ DHCP server prepends shared network name to hostnames -* `125 <https://phabricator.vyos.net/T125>`_ Missing PPPoE interfaces in l2tp configuration -* `1194 <https://phabricator.vyos.net/T1194>`_ cronjob is being setup even if not saved -* `1205 <https://phabricator.vyos.net/T1205>`_ module pcspkr missing -* `1219 <https://phabricator.vyos.net/T1219>`_ Redundant active-active configuration, asymmetric routing and conntrack-sync cache -* `1220 <https://phabricator.vyos.net/T1220>`_ Show transceiver information from plugin modules, e.g SFP+, QSFP -* `1221 <https://phabricator.vyos.net/T1221>`_ BGP - Default route injection is not processed by the specific route-map -* `1241 <https://phabricator.vyos.net/T1241>`_ Remove of policy route throws CLI error -* `1291 <https://phabricator.vyos.net/T1291>`_ Under certain conditions the VTI will stay forever down -* `1463 <https://phabricator.vyos.net/T1463>`_ Missing command `show ip bgp scan` appears in command completion -* `1575 <https://phabricator.vyos.net/T1575>`_ `show snmp mib ifmib` crashes with IndexError -* `1699 <https://phabricator.vyos.net/T1699>`_ Default net.ipv6.route.max_size 32768 is too low -* `1729 <https://phabricator.vyos.net/T1729>`_ PIM (Protocol Independent Multicast) implementation -* `1901 
<https://phabricator.vyos.net/T1901>`_ Semicolon in values is interpreted as a part of the shell command by validators -* `1934 <https://phabricator.vyos.net/T1934>`_ Change default hostname when deploy from OVA without params. -* `1938 <https://phabricator.vyos.net/T1938>`_ syslog doesn't start automatically -* `1949 <https://phabricator.vyos.net/T1949>`_ Multihop IPv6 BFD is unconfigurable -* `1953 <https://phabricator.vyos.net/T1953>`_ DDNS service name validation rejects valid service names -* `1956 <https://phabricator.vyos.net/T1956>`_ PPPoE server: support PADO-delay -* `1973 <https://phabricator.vyos.net/T1973>`_ Allow route-map to match on BGP local preference value -* `1974 <https://phabricator.vyos.net/T1974>`_ Allow route-map to set administrative distance -* `1982 <https://phabricator.vyos.net/T1982>`_ Increase rotation for atop.acct -* `1983 <https://phabricator.vyos.net/T1983>`_ Expose route-map when BGP routes are programmed in to FIB -* `1985 <https://phabricator.vyos.net/T1985>`_ pppoe: Enable ipv6 modules without configured ipv6 pools -* `2000 <https://phabricator.vyos.net/T2000>`_ strongSwan does not install routes to table 220 in certain cases -* `2021 <https://phabricator.vyos.net/T2021>`_ OSPFv3 doesn't support decimal area syntax -* `2062 <https://phabricator.vyos.net/T2062>`_ Wrong dhcp-server static route subnet bytes -* `2091 <https://phabricator.vyos.net/T2091>`_ swanctl.conf file is not generated properly is more than one IPsec profile is used -* `2131 <https://phabricator.vyos.net/T2131>`_ Improve syslog remote host CLI definition -* `2224 <https://phabricator.vyos.net/T2224>`_ Update Linux Kernel to v4.19.114 -* `2286 <https://phabricator.vyos.net/T2286>`_ IPoE server vulnerability -* `2303 <https://phabricator.vyos.net/T2303>`_ Unable to delete the image version that came from OVA -* `2305 <https://phabricator.vyos.net/T2305>`_ Add release name to "show version" command -* `2311 <https://phabricator.vyos.net/T2311>`_ Statically 
configured name servers may not take precedence over ones from DHCP -* `2327 <https://phabricator.vyos.net/T2327>`_ Unable to create syslog server entry with different port -* `2332 <https://phabricator.vyos.net/T2332>`_ Backport node option for a syslog server -* `2342 <https://phabricator.vyos.net/T2342>`_ Bridge l2tpv3 + ethX errors -* `2344 <https://phabricator.vyos.net/T2344>`_ PPPoE server client static IP assignment silently fails -* `2385 <https://phabricator.vyos.net/T2385>`_ salt-minion: improve completion helpers -* `2389 <https://phabricator.vyos.net/T2389>`_ BGP community-list unknown command -* `2398 <https://phabricator.vyos.net/T2398>`_ op-mode "dhcp client leases interface" completion helper misses interfaces -* `2402 <https://phabricator.vyos.net/T2402>`_ Live ISO should warn when configuring that changes won't persist -* `2443 <https://phabricator.vyos.net/T2443>`_ NHRP: Add debugging information to syslog -* `2448 <https://phabricator.vyos.net/T2448>`_ `monitor protocol bgp` subcommands fail with 'command incomplete' -* `2458 <https://phabricator.vyos.net/T2458>`_ Update FRR to 7.3.1 -* `2476 <https://phabricator.vyos.net/T2476>`_ Bond member description change leads to network outage -* `2478 <https://phabricator.vyos.net/T2478>`_ login radius: use NAS-IP-Address if defined source address -* `2482 <https://phabricator.vyos.net/T2482>`_ Update PowerDNS recursor to 4.3.1 for CVE-2020-10995 -* `2517 <https://phabricator.vyos.net/T2517>`_ vyos-container: link_filter: No such file or directory -* `2526 <https://phabricator.vyos.net/T2526>`_ Wake-On-Lan CLI implementation -* `2528 <https://phabricator.vyos.net/T2528>`_ "update dns dynamic" throws FileNotFoundError excepton -* `2536 <https://phabricator.vyos.net/T2536>`_ "show log dns forwarding" still refers to dnsmasq -* `2538 <https://phabricator.vyos.net/T2538>`_ Update Intel NIC drivers to recent release (preparation for Kernel >=5.4) -* `2545 <https://phabricator.vyos.net/T2545>`_ Show physical 
device offloading capabilities for specified ethernet interface -* `2563 <https://phabricator.vyos.net/T2563>`_ Wrong interface binding for Dell VEP 1445 -* `2605 <https://phabricator.vyos.net/T2605>`_ SNMP service is not disabled by default -* `2625 <https://phabricator.vyos.net/T2625>`_ Provide generic Library for package builds -* `2686 <https://phabricator.vyos.net/T2686>`_ FRR: BGP: large-community configuration is not applied properly after upgrading FRR to 7.3.x series -* `2701 <https://phabricator.vyos.net/T2701>`_ `vpn ipsec pfs enable` doesn't work with IKE groups -* `2728 <https://phabricator.vyos.net/T2728>`_ Protocol option ignored for IPSec peers in transport mode -* `2734 <https://phabricator.vyos.net/T2734>`_ WireGuard: fwmark CLI definition is inconsistent -* `2757 <https://phabricator.vyos.net/T2757>`_ "show system image version" contains additional new-line character breaking output -* `2797 <https://phabricator.vyos.net/T2797>`_ Update Linux Kernel to v4.19.139 -* `2822 <https://phabricator.vyos.net/T2822>`_ Update Linux Kernel to v4.19.141 -* `2829 <https://phabricator.vyos.net/T2829>`_ PPPoE server: mppe setting is implemented as node instead of leafNode -* `2831 <https://phabricator.vyos.net/T2831>`_ Update Linux Kernel to v4.19.142 -* `2852 <https://phabricator.vyos.net/T2852>`_ rename dynamic dns interface breaks ddclient.cache permissions -* `2853 <https://phabricator.vyos.net/T2853>`_ Intel QAT acceleration does not work - - -1.2.5 ------ - -1.2.5 is a maintenance release made in April 2019. - -Resolved issues -^^^^^^^^^^^^^^^ - -* `1020 <https://phabricator.vyos.net/T1020>`_ OSPF Stops distributing default route after a while -* `1228 <https://phabricator.vyos.net/T1228>`_ pppoe default-route force option not working (Rel 1.2.0-rc11) -* `1301 <https://phabricator.vyos.net/T1301>`_ bgp peer-groups don't work when "no-ipv4-unicast" is enabled. 
-* `1341 <https://phabricator.vyos.net/T1341>`_ Adding rate-limiter for pppoe server users -* `1376 <https://phabricator.vyos.net/T1376>`_ Incorrect DHCP lease counting -* `1392 <https://phabricator.vyos.net/T1392>`_ Large firewall rulesets cause the system to lose configuration and crash at startup -* `1416 <https://phabricator.vyos.net/T1416>`_ 2 dhcp server run in failover mode can't sync hostname with each other -* `1452 <https://phabricator.vyos.net/T1452>`_ accel-pppoe - add vendor option to shaper -* `1490 <https://phabricator.vyos.net/T1490>`_ BGP configuration (is lost|not applied) when updating 1.1.8 -> 1.2.1 -* `1780 <https://phabricator.vyos.net/T1780>`_ Adding ipsec ike closeaction -* `1803 <https://phabricator.vyos.net/T1803>`_ Unbind NTP while it's not requested... -* `1821 <https://phabricator.vyos.net/T1821>`_ "authentication mode radius" has no effect for PPPoE server -* `1827 <https://phabricator.vyos.net/T1827>`_ Increase default gc_thresh -* `1828 <https://phabricator.vyos.net/T1828>`_ Missing completion helper for "set system syslog host 192.0.2.1 facility all protocol" -* `1832 <https://phabricator.vyos.net/T1832>`_ radvd adding feature DNSSL branch.example.com example.com to existing package -* `1837 <https://phabricator.vyos.net/T1837>`_ PPPoE unrecognized option 'replacedefaultroute' -* `1851 <https://phabricator.vyos.net/T1851>`_ wireguard - changing the pubkey on an existing peer seems to destroy the running config. 
-* `1858 <https://phabricator.vyos.net/T1858>`_ l2tp: Delete depricated outside-nexthop and add gateway-address -* `1864 <https://phabricator.vyos.net/T1864>`_ Lower IPSec DPD timeout lower limit from 10s -> 2s -* `1879 <https://phabricator.vyos.net/T1879>`_ Extend Dynamic DNS XML definition value help strings and validators -* `1881 <https://phabricator.vyos.net/T1881>`_ Execute permissions are removed from custom SNMP scripts at commit time -* `1884 <https://phabricator.vyos.net/T1884>`_ Keeping VRRP transition-script native behaviour and adding stop-script -* `1891 <https://phabricator.vyos.net/T1891>`_ Router announcements broken on boot -* `1900 <https://phabricator.vyos.net/T1900>`_ Enable SNMP for VRRP. -* `1902 <https://phabricator.vyos.net/T1902>`_ Add redistribute non main table in bgp -* `1909 <https://phabricator.vyos.net/T1909>`_ Incorrect behaviour of static routes with overlapping networks -* `1913 <https://phabricator.vyos.net/T1913>`_ "system ipv6 blacklist" command has no effect -* `1914 <https://phabricator.vyos.net/T1914>`_ IPv6 multipath hash policy does not apply -* `1917 <https://phabricator.vyos.net/T1917>`_ Update WireGuard to Debian release 0.0.20191219-1 -* `1934 <https://phabricator.vyos.net/T1934>`_ Change default hostname when deploy from OVA without params. 
-* `1935 <https://phabricator.vyos.net/T1935>`_ NIC identification and usage problem in Hyper-V environments -* `1936 <https://phabricator.vyos.net/T1936>`_ pppoe-server CLI control features -* `1964 <https://phabricator.vyos.net/T1964>`_ SNMP Script-extensions allows names with spaces, but commit fails -* `1967 <https://phabricator.vyos.net/T1967>`_ BGP parameter "enforce-first-as" does not work anymore -* `1970 <https://phabricator.vyos.net/T1970>`_ Correct adding interfaces on boot -* `1971 <https://phabricator.vyos.net/T1971>`_ Missing modules in initrd.img for PXE boot -* `1998 <https://phabricator.vyos.net/T1998>`_ Update FRR to 7.3 -* `2001 <https://phabricator.vyos.net/T2001>`_ Error when router reboot -* `2032 <https://phabricator.vyos.net/T2032>`_ Monitor bandwidth bits -* `2059 <https://phabricator.vyos.net/T2059>`_ Set source-validation on bond vif don't work -* `2066 <https://phabricator.vyos.net/T2066>`_ PPPoE interface can be created multiple times - last wins -* `2069 <https://phabricator.vyos.net/T2069>`_ PPPoE-client does not works with service-name option -* `2077 <https://phabricator.vyos.net/T2077>`_ ISO build from crux branch is failing -* `2079 <https://phabricator.vyos.net/T2079>`_ Update Linux Kernel to v4.19.106 -* `2087 <https://phabricator.vyos.net/T2087>`_ Add maxfail 0 option to pppoe configuration. 
-* `2100 <https://phabricator.vyos.net/T2100>`_ BGP route adverisement wih checks rib -* `2120 <https://phabricator.vyos.net/T2120>`_ "reset vpn ipsec-peer" doesn't work with named peers -* `2197 <https://phabricator.vyos.net/T2197>`_ Cant add vif-s interface into a bridge -* `2228 <https://phabricator.vyos.net/T2228>`_ WireGuard does not allow ports < 1024 to be used -* `2252 <https://phabricator.vyos.net/T2252>`_ HTTP API add system image can return '504 Gateway Time-out' -* `2272 <https://phabricator.vyos.net/T2272>`_ Set system flow-accounting disable-imt has syntax error -* `2276 <https://phabricator.vyos.net/T2276>`_ PPPoE server vulnerability - - -1.2.4 ------ - -1.2.4 is a maintenance release made in December 2019. - -Resolved issues -^^^^^^^^^^^^^^^ - -* `T258 <https://phabricator.vyos.net/T258>`_ Can not configure wan load-balancing on vyos-1.2 -* `T818 <https://phabricator.vyos.net/T818>`_ SNMP v3 - remove required engineid from user node -* `T1030 <https://phabricator.vyos.net/T1030>`_ Upgrade ddclient from 3.8.2 to 3.9.0 (support Cloudflare API v4) -* `T1183 <https://phabricator.vyos.net/T1183>`_ BFD Support via FRR -* `T1299 <https://phabricator.vyos.net/T1299>`_ Allow SNMPd to be extended with custom scripts -* `T1351 <https://phabricator.vyos.net/T1351>`_ accel-pppoe adding CIDR based IP pool option -* `T1391 <https://phabricator.vyos.net/T1391>`_ In route-map set community additive -* `T1394 <https://phabricator.vyos.net/T1394>`_ syslog systemd and host_name.py race condition -* `T1401 <https://phabricator.vyos.net/T1401>`_ Copying files with the FTP protocol fails if the password contains special characters -* `T1421 <https://phabricator.vyos.net/T1421>`_ OpenVPN client push-route stopped working, needs added quotes to fix -* `T1447 <https://phabricator.vyos.net/T1447>`_ Python subprocess called without import in host_name.py -* `T1470 <https://phabricator.vyos.net/T1470>`_ improve output of "show dhcpv6 server leases" -* `T1485 
<https://phabricator.vyos.net/T1485>`_ Enable 'AdvIntervalOpt' option in for radvd.conf -* `T1496 <https://phabricator.vyos.net/T1496>`_ Separate rolling release and LTS kernel builds -* `T1560 <https://phabricator.vyos.net/T1560>`_ "set load-balancing wan rule 0" causes segfault and prevents load balancing from starting -* `T1568 <https://phabricator.vyos.net/T1568>`_ strip-private command improvement for additional masking of IPv6 and MAC address -* `T1578 <https://phabricator.vyos.net/T1578>`_ completion offers "show table", but show table does not exist -* `T1593 <https://phabricator.vyos.net/T1593>`_ Support ip6gre -* `T1597 <https://phabricator.vyos.net/T1597>`_ /usr/sbin/rsyslogd after deleting "system syslog" -* `T1638 <https://phabricator.vyos.net/T1638>`_ vyos-hostsd not setting system domain name -* `T1678 <https://phabricator.vyos.net/T1678>`_ hostfile-update missing line feed -* `T1694 <https://phabricator.vyos.net/T1694>`_ NTPd: Do not listen on all interfaces by default -* `T1701 <https://phabricator.vyos.net/T1701>`_ Delete domain-name and domain-search won't work -* `T1705 <https://phabricator.vyos.net/T1705>`_ High CPU usage by bgpd when snmp is active -* `T1707 <https://phabricator.vyos.net/T1707>`_ DHCP static mapping and exclude address not working -* `T1708 <https://phabricator.vyos.net/T1708>`_ Update Rolling Release Kernel to 4.19.76 -* `T1709 <https://phabricator.vyos.net/T1709>`_ Update WireGuard to 0.0.20190913 -* `T1716 <https://phabricator.vyos.net/T1716>`_ Update Intel NIC drivers to recent versions -* `T1726 <https://phabricator.vyos.net/T1726>`_ Update Linux Firmware binaries to a more recent version 2019-03-14 -> 2019-10-07 -* `T1728 <https://phabricator.vyos.net/T1728>`_ Update Linux Kernel to 4.19.79 -* `T1737 <https://phabricator.vyos.net/T1737>`_ SNMP tab completion missing -* `T1738 <https://phabricator.vyos.net/T1738>`_ Copy SNMP configuration from node to node raises exception -* `T1740 <https://phabricator.vyos.net/T1740>`_ 
Broken OSPFv2 virtual-link authentication -* `T1742 <https://phabricator.vyos.net/T1742>`_ NHRP unable to commit. -* `T1745 <https://phabricator.vyos.net/T1745>`_ dhcp-server commit fails with "DHCP range stop address x must be greater or equal to the range start address y!" when static mapping has same IP as range stop -* `T1749 <https://phabricator.vyos.net/T1749>`_ numeric validator doesn't support multiple ranges -* `T1769 <https://phabricator.vyos.net/T1769>`_ Remove complex SNMPv3 Transport Security Model (TSM) -* `T1772 <https://phabricator.vyos.net/T1772>`_ <regex> constraints in XML are partially broken -* `T1778 <https://phabricator.vyos.net/T1778>`_ Kilobits/Megabits difference in configuration Vyos/FRR -* `T1780 <https://phabricator.vyos.net/T1780>`_ Adding ipsec ike closeaction -* `T1786 <https://phabricator.vyos.net/T1786>`_ disable-dhcp-nameservers is missed in current host_name.py implementation -* `T1788 <https://phabricator.vyos.net/T1788>`_ Intel QAT (QuickAssist Technology ) implementation -* `T1792 <https://phabricator.vyos.net/T1792>`_ Update WireGuard to Debian release 0.0.20191012-1 -* `T1800 <https://phabricator.vyos.net/T1800>`_ Update Linux Kernel to v4.19.84 -* `T1809 <https://phabricator.vyos.net/T1809>`_ Wireless: SSID scan does not work in AP mode -* `T1811 <https://phabricator.vyos.net/T1811>`_ Upgrade from 1.1.8: Config file migration failed: module=l2tp -* `T1812 <https://phabricator.vyos.net/T1812>`_ DHCP: hostnames of clients not resolving after update v1.2.3 -> 1.2-rolling -* `T1819 <https://phabricator.vyos.net/T1819>`_ Reboot kills SNMPv3 configuration -* `T1822 <https://phabricator.vyos.net/T1822>`_ Priority inversion wireless interface dhcpv6 -* `T1836 <https://phabricator.vyos.net/T1836>`_ import-conf-mode-commands in vyos-1x/scripts fails to create an xml -* `T1839 <https://phabricator.vyos.net/T1839>`_ LLDP shows "VyOS unknown" instead of "VyOS" -* `T1841 <https://phabricator.vyos.net/T1841>`_ PPP ipv6-up.d direcotry 
missing -* `T1893 <https://phabricator.vyos.net/T1893>`_ igmp-proxy: Do not allow adding unknown interface -* `T1904 <https://phabricator.vyos.net/T1904>`_ update eth1 and eth2 link files for the vep4600 - - -1.2.3 ------ - -1.2.3 is a maintenance and feature backport release made in September 2019. - -New features -^^^^^^^^^^^^ - -* HTTP API -* "set service dns forwarding allow-from <IPv4 net|IPv6 net>" option for limiting queries to specific client networks (T1524) -* Functions for checking if a commit is in progress (T1503) -* "set system contig-mangement commit-archive source-address" option (T1543) -* Intel NIC drivers now support receive side scaling and multiqueue (T1554) - -Resolved issues -^^^^^^^^^^^^^^^ - -* OSPF max-metric values over 100 no longer causes commit errors (T1209) -* Fixes issue with DNS forwarding not performing recursive lookups on domain specific forwarders (T1333) -* Special characters in VRRP passwords are handled correctly (T1362) -* BGP weight is applied properly (T1377) -* Fixed permission for log files (T1420) -* Wireguard interfaces now support /31 addresses (T1425) -* Wireguard correctly handles firewall marks (T1428) -* DHCPv6 static mappings now work correctly (T1439) -* Flood ping commands now works correctly (T1450) -* Op mode "show firewall" commands now support counters longer than 8 digits (T1460) -* Fixed priority inversion in VTI commands (T1465) -* Fixed remote-as check in the BGP route-reflector-client option (T1468) -* It's now possible to re-create VRRP groups with RFC compatibility mode enabled (T1472) -* Fixed a typo in DHCPv6 server help strings (T1527) -* Unnumbered BGP peers now support VLAN interfaces (T1529) -* Fixed "set system syslog global archive file" command (T1530) -* Multiple fixes in cluster configuration scripts (T1531) -* Fixed missing help text for "service dns" (T1537) -* Fixed input validation in DHCPv6 relay options (T1541) -* It's now possible to create a QinQ interface and a firewall assigned 
to it in one commit (T1551) -* URL filtering now uses correct rule database path and works again (T1559) -* "show log vpn ipsec" command works again (T1579) -* "show arp interface <intf>" command works again (T1576) -* Fixed regression in L2TP/IPsec server (T1605) -* Netflow/sFlow captures IPv6 traffic correctly (T1613) -* "renew dhcpv6" command now works from op mode (T1616) -* BGP remove-private-as option iBGP vs eBGP check works correctly now (T1642) -* Multiple improvements in name servers and hosts configuration handling (T1540, T1360, T1264, T1623) - -Internals -^^^^^^^^^ - -/etc/resolv.conf and /etc/hosts files are now managed by the vyos-hostsd service that listens on a ZMQ socket for update messages. - -1.2.2 ------ - -1.2.2 is a maintenance release made in July 2019. - -New features -^^^^^^^^^^^^ - -* Options for per-interface MSS clamping. -* BGP extended next-hop capability -* Relaxed BGP multipath option -* Internal and external options for "remote-as" (accept any AS as long as it's the same to this router or different, respectively) -* "Unnumbered" (interface-based) BGP peers -* BGP no-prepend option -* Additive BGP community option -* OSPFv3 network type option -* Custom arguments for VRRP scripts -* A script for querying values from config files - -Resolved issues -^^^^^^^^^^^^^^^ - -* Linux kernel 4.19.54, including a fix for the TCP SACK vulnerability -* VRRP health-check scripts now can use arguments (T1371) -* DNS server addresses coming from a DHCP server are now correctly propagated to resolv.conf (T1497) -* Domain-specific name servers in DNS forwarding are now used for recursive queries (T1469) -* “run show dhcpv6 server leases” now display leases correctly (T1433) -* Deleting “firewall options” node no longer causes errors (T1461) -* Correct hostname is sent to remote syslog again (T1458) -* Board serial number from DMI is correctly displayed in “show version” (T1438) -* Multiple corrections in remote syslog config (T1358, T1355, T1294) -* 
Fixed missing newline in /etc/hosts (T1255) -* “system domain-name” is correctly included in /etc/resolv.conf (T1174) -* Fixed priority inversion in “interfaces vti vtiX ip” settings (T1465) -* Fixed errors when installing with RAID1 on UEFI machines (T1446) -* Fixed an error on disabling an interfaces that has no address (T1387) -* Fixed deleting VLAN interface with non-default MTU (T1367) -* vyos.config return_effective_values() function now correctly returns a list rather than a string (T1505) - -1.2.1 ------ - -VyOS 1.2.1 is a maintenance release made in April 2019. - -Resolved issues -^^^^^^^^^^^^^^^ - -* Package updates: kernel 4.19.32, open-vm-tools 10.3, latest Intel NIC drivers. -* The kernel now includes drivers for various USB serial adapters, which allows people to add a serial console to a machine without onboard RS232, or connect to something else from the router (`T1326 <https://phabricator.vyos.net/T1326>`_). -* The collection of network card firmware is now much more extensive. -* VRRP now correctly uses a virtual rather than physical MAC addresses in the RFC-compliant mode (`T1271 <https://phabricator.vyos.net/T1271>`_). -* DHCP WPAD URL option works correctly again (`T1330 <https://phabricator.vyos.net/T1330>`_) -* Many to many NAT rules now can use source/destination and translation networks of non-matching size (`T1312 <https://phabricator.vyos.net/T1312>`_). If 1:1 network bits translation is desired, it’s now user’s responsibility to check if prefix length matches. -* IPv6 network prefix translation is fixed (`T1290 <https://phabricator.vyos.net/T1290>`_). -* Non-alphanumeric characters such as “>” can now be safely used in PPPoE passwords (`T1308 <https://phabricator.vyos.net/T1308>`_). -* “show | commands” no longer fails when a config section ends with a leaf node such as “timezone” in “show system | commands” (`T1305 <https://phabricator.vyos.net/T1305>`_). 
-* “show | commands” correctly works in config mode now (`T1235 <https://phabricator.vyos.net/T1235>`_). -* VTI is now compatible with the DHCP-interface IPsec option (`T1298 <https://phabricator.vyos.net/T1298>`_). -* “show dhcp server statistics” command was broken in latest Crux (`T1277 <https://phabricator.vyos.net/T1277>`_). -* An issue with TFTP server refusing to listen on addresses other than loopback was fixed (`T1261 <https://phabricator.vyos.net/T1261>`_). -* Template issue that might cause UDP broadcast relay fail to start is fixed (`T1224 <https://phabricator.vyos.net/T1224>`_). -* VXLAN value validation is improved (`T1067 <https://phabricator.vyos.net/T1067>`_). -* Blank hostnames in DHCP updates no longer can crash DNS forwarding (`T1211 <https://phabricator.vyos.net/T1211>`_). -* Correct configuration is now generated for DHCPv6 relays with more than one upstream interface (`T1322 <https://phabricator.vyos.net/T1322>`_). -* “relay-agents-packets” option works correctly now (`T1234 <https://phabricator.vyos.net/T1234>`_). -* Dynamic DNS data is now cleaned on configuration change (`T1231 <https://phabricator.vyos.net/T1231>`_). -* Remote Syslog can now use a fully qualified domain name (`T1282 <https://phabricator.vyos.net/T1282>`_). -* ACPI power off works again (`T1279 <https://phabricator.vyos.net/T1279>`_). -* Negation in WAN load balancing rules works again (`T1247 <https://phabricator.vyos.net/T1247>`_). -* FRR’s staticd now starts on boot correctly (`T1218 <https://phabricator.vyos.net/T1218>`_). -* The installer now correctly detects SD card devices (`T1296 <https://phabricator.vyos.net/T1296>`_). -* Wireguard peers can be disabled now (`T1225 <https://phabricator.vyos.net/T1225>`_). -* The issue with wireguard interfaces impossible to delete is fixed (`T1217 <https://phabricator.vyos.net/T1217>`_). -* Unintended IPv6 access is fixed in SNMP configuration (`T1160 <https://phabricator.vyos.net/T1160>`_). 
-* It’s now possible to exclude hosts from the transparent web proxy (`T1060 <https://phabricator.vyos.net/T1060>`_). -* An issue with rules impossible to delete from the zone-based firewall is fixed (`T484 <https://phabricator.vyos.net/T484>`_). - -Earlier releases -================ - -See `the wiki <https://wiki.vyos.net/wiki/1.2.0/release_notes>`_. diff --git a/docs/appendix/troubleshooting.rst b/docs/appendix/troubleshooting.rst deleted file mode 100644 index b1ae27ae..00000000 --- a/docs/appendix/troubleshooting.rst +++ /dev/null 
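Review bot: The releasenotes.rst hunk removes the only in-tree record of security-relevant fixes with nothing added in its place (the diffstat shows 0 insertions for this change): T2482 (PowerDNS recursor update for CVE-2020-10995), T2276 (PPPoE server vulnerability), the 4.19.54 kernel with the TCP SACK fix in 1.2.2, T1160 (unintended IPv6 access in SNMP) and T1694 (NTPd no longer listening on all interfaces by default) are all listed here. If the notes are being relocated, the move should land in the same change, or the commit message should say where they now live; while relocating, the "1.2.5 is a maintenance release made in April 2019" heading text is inconsistent with 1.2.4 being dated December 2019 and should be corrected at the new location.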
@@ -1,385 +0,0 @@ -.. _troubleshooting: - -Troubleshooting -=============== - -Sometimes things break or don't work as expected. This section describes -several troubleshooting tools provided by VyOS that can help when something -goes wrong. - -Basic Connectivity Verification -------------------------------- - -Verifying connectivity can be done with the familiar `ping` and `traceroute` -commands. The options for each are shown (the options for each command were -displayed using the built-in help as described in the :ref:`cli` -section and are omitted from the output here): - -.. code-block:: none - - vyos@vyos:~$ ping - Possible completions: - <hostname> Send Internet Control Message Protocol (ICMP) echo request - <x.x.x.x> - <h:h:h:h:h:h:h:h> - -Several options are available when more extensive troubleshooting is needed: - -.. code-block:: none - - vyos@vyos:~$ ping 8.8.8.8 - Possible completions: - <Enter> Execute the current command - adaptive Ping options - allow-broadcast - audible - bypass-route - count - deadline - flood - interface - interval - mark - no-loopback - numeric - pattern - quiet - record-route - size - timestamp - tos - ttl - verbose - -.. code-block:: none - - vyos@vyos:~$ traceroute - Possible completions: - <hostname> Track network path to specified node - <x.x.x.x> - <h:h:h:h:h:h:h:h> - ipv4 Track network path to <hostname|IPv4 address> - ipv6 Track network path to <hostname|IPv6 address> - -However, another tool, mtr_, is available which combines ping and traceroute -into a single tool. An example of its output is shown: - -.. code-block:: none - - vyos@vyos:~$ mtr 10.62.212.12 - - My traceroute [v0.85] - vyos (0.0.0.0) - Keys: Help Display mode Restart statistics Order of fields quit - Packets Pings - Host Loss% Snt Last Avg Best Wrst StDev - 1. 10.11.110.4 0.0% 34 0.5 0.5 0.4 0.8 0.1 - 2. 10.62.255.184 0.0% 34 1.1 1.0 0.9 1.4 0.1 - 3. 10.62.255.71 0.0% 34 1.4 1.4 1.3 2.0 0.1 - 4. 10.62.212.12 0.0% 34 1.6 1.6 1.6 1.7 0.0 - -.. 
note:: The output of ``mtr`` consumes the screen and will replace your - command prompt. - -Several options are available for changing the display output. Press `h` to -invoke the built in help system. To quit, just press `q` and you'll be returned -to the VyOS command prompt. - - - -Interface names ---------------- - -If you find the names of your interfaces have changed, this could be -because your MAC addresses have changed. - -* For example, you have a VyOS VM with 4 Ethernet interfaces named - eth0, eth1, eth2 and eth3. Then, you migrate your VyOS VM to a different host and find your interfaces now are eth4, eth5, eth6 and eth7. - - One way to fix this issue **taking control of the MAC addresses** is: - - Log into VyOS and run this command to display your interface settings. - - .. code-block:: none - - show interfaces detail - - Take note of MAC addresses. - - Now, in order to update a MAC address in the configuration, run this - command specifying the interface name and MAC address you want. - - .. code-block:: none - - set interfaces eth0 hw-id 00:0c:29:da:a4:fe - - If it is a VM, go into the settings of the host and set the MAC - address to the settings found in the config.boot file. You can also - set the MAC to static if the host allows so. - - -* Another example could be when cloning VyOS VMs in GNS3 and you get - into the same issue: interface names have changed. - - And **a more generic way to fix it** is just deleting every MAC - address at the configuration file of the cloned machine. They will be - correctly regenerated automatically. - - - -Monitoring ----------- - -Network Interfaces -^^^^^^^^^^^^^^^^^^ - -It's possible to monitor network traffic, either at the flow level or protocol -level. This can be useful when troubleshooting a variety of protocols and -configurations. The following interface types can be monitored: - -.. 
code-block:: none - - vyos@vyos:~$ monitor interfaces - Possible completions: - <Enter> Execute the current command - bonding Monitor a bonding interface - bridge Monitor a bridge interface - ethernet Monitor a ethernet interface - loopback Monitor a loopback interface - openvpn Monitor an openvpn interface - pppoe Monitor pppoe interface - pseudo-ethernet - Monitor a pseudo-ethernet interface - tunnel Monitor a tunnel interface - vrrp Monitor a vrrp interface - vti Monitor a vti interface - wireless Monitor wireless interface - -To monitor traffic flows, issue the :code:`monitor interfaces <type> <name> flow` -command, replacing `<type>` and `<name>` with your desired interface type and -name, respectively. Output looks like the following: - -.. code-block:: none - - 12.5Kb 25.0Kb 37.5Kb 50.0Kb 62.5Kb - ???????????????????????????????????????????????????????????????????????????????????????????????????? - 10.11.111.255 => 10.11.110.37 0b 0b 0b - <= 624b 749b 749b - 10.11.110.29 => 10.62.200.11 0b 198b 198b - <= 0b 356b 356b - 255.255.255.255 => 10.11.110.47 0b 0b 0b - <= 724b 145b 145b - 10.11.111.255 => 10.11.110.47 0b 0b 0b - <= 724b 145b 145b - 10.11.111.255 => 10.11.110.255 0b 0b 0b - <= 680b 136b 136b - ???????????????????????????????????????????????????????????????????????????????????????????????????? - TX: cumm: 26.7KB peak: 40.6Kb rates: 23.2Kb 21.4Kb 21.4Kb - RX: 67.5KB 63.6Kb 54.6Kb 54.0Kb 54.0Kb - TOTAL: 94.2KB 104Kb 77.8Kb 75.4Kb 75.4Kb - -Several options are available for changing the display output. Press `h` to -invoke the built in help system. To quit, just press `q` and you'll be returned -to the VyOS command prompt. - -To monitor interface traffic, issue the :code:`monitor interfaces <type> <name> -traffic` command, replacing `<type>` and `<name>` with your desired interface -type and name, respectively. This command invokes the familiar tshark_ utility -and the following options are available: - -.. 
code-block:: none - - vyos@vyos:~$ monitor interfaces ethernet eth0 traffic - Possible completions: - <Enter> Execute the current command - detail Monitor detailed traffic for the specified ethernet interface - filter Monitor filtered traffic for the specified ethernet interface - save Save monitored traffic to a file - unlimited Monitor traffic for the specified ethernet interface - -To quit monitoring, press `Ctrl-c` and you'll be returned to the VyOS command -prompt. The `detail` keyword provides verbose output of the traffic seen on -the monitored interface. The `filter` keyword accepts valid `PCAP filter -expressions`_, enclosed in single or double quotes (e.g. "port 25" or "port 161 -and udp"). The `save` keyword allows you to save the traffic dump to a file. -The `unlimited` keyword is used to specify that an unlimited number of packets -can be captured (by default, 1,000 packets are captured and you're returned to -the VyOS command prompt). - -Interface Bandwith -^^^^^^^^^^^^^^^^^^ - -to take a quick view on the used bandwith of an interface use the ``monitor bandwith`` command - -.. code-block:: none - - vyos@vyos:~$ monitor bandwidth interface eth0 - -show the following: - -.. code-block:: none - - eth0 bmon 3.5 - Interfaces │ RX bps pps %│ TX bps pps % - >eth0 │ 141B 2 │ 272B 1 - ───────────────────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────── - B (RX Bytes/second) - 198.00 .|....|..................................................... - 165.00 .|....|..................................................... - 132.00 ||..|.|..................................................... - 99.00 ||..|.|..................................................... - 66.00 |||||||..................................................... - 33.00 |||||||..................................................... 
- 1 5 10 15 20 25 30 35 40 45 50 55 60 - KiB (TX Bytes/second) - 3.67 ......|..................................................... - 3.06 ......|..................................................... - 2.45 ......|..................................................... - 1.84 ......|..................................................... - 1.22 ......|..................................................... - 0.61 :::::||..................................................... - 1 5 10 15 20 25 30 35 40 45 50 55 60 - - ───────────────────────────────────────── Press d to enable detailed statistics ──────────────────────────────────────── - ─────────────────────────────────────── Press i to enable additional information ─────────────────────────────────────── - Wed Apr 3 14:46:59 2019 Press ? for help - -| Press ``d`` for more detailed informations or ``i`` for additional information. -| To exit press ``q`` and than ``y`` - -Interface performance -^^^^^^^^^^^^^^^^^^^^^ - -To take a look on the network bandwith between two nodes, the ``monitor bandwidth-test`` command is used to run iperf. - -.. code-block:: none - - vyos@vyos:~$ monitor bandwidth-test - Possible completions: - accept Wait for bandwidth test connections (port TCP/5001) - initiate Initiate a bandwidth test - -| The ``accept`` command open a listen iperf server on TCP Port 5001 -| The ``initiate`` command conncet to this server. - -.. code-block:: none - - vyos@vyos:~$ monitor bandwidth-test initiate - Possible completions: - <hostname> Initiate a bandwidth test to specified host (port TCP/5001) - <x.x.x.x> - <h:h:h:h:h:h:h:h> - - -Monitor command -^^^^^^^^^^^^^^^ - -The ``monitor command`` command allows you to repeatedly run a command to view a continuously refreshed output. -The command is run and output every 2 seconds, allowing you to monitor the output continuously without having to re-run the command. This can be useful to follow routing adjacency formation. - -.. 
code-block:: none - - vyos@router:~$ monitor command "show interfaces" - -Will clear the screen and show you the output of ``show interfaces`` every 2 seconds. - -.. code-block:: none - - Every 2.0s: /opt/vyatta/bin/vyatta-op-cmd-wrapper s... Sun Mar 26 02:49:46 2019 - - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 192.168.1.1/24 u/u - eth0.5 198.51.100.4/24 u/u WAN - lo 127.0.0.1/8 u/u - ::1/128 - vti0 172.32.254.2/30 u/u - vti1 172.32.254.9/30 u/u - -Clear Command -------------- - -Sometimes you need to clear counters or statistics to troubleshoot better. - -To do this use the ``clear`` command in Operational mode. - -to clear the console output - -.. code-block:: none - - vyos@vyos:~$ clear console - -to clear interface counters - -.. code-block:: none - - # clear all interfaces - vyos@vyos:~$ clear interface ethernet counters - # clear specific interface - vyos@vyos:~$ clear interface ehternet eth0 counters - -The command follow the same logic as the ``set`` command in configuration mode. - -.. code-block:: none - - # clear all counters of a interface type - vyos@vyos:~$ clear interface <interface_type> counters - # clear counter of a interface in interface_type - vyos@vyos:~$ clear interface <interface_type> <interace_name> counters - - -to clear counters on firewall rulesets or single rules - -.. code-block:: none - - vyos@vyos:~$ clear firewall name <ipv4 ruleset name> counters - vyos@vyos:~$ clear firewall name <ipv4 ruleset name> rule <rule#> counters - - vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> counters - vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> rule <rule#> counters - - -Basic System Information ------------------------- - -.. _boot-steps: - -Boot steps -^^^^^^^^^^ - -VyOS 1.2.0+ uses `Debian Jessie`_ as the base Linux operating system. 
-Jessie was the first version of Debian that uses `systemd`_ as the default init system. - -These are the boot steps for VyOS 1.2.0+ - -1. The BIOS loads Grub (or isolinux for the Live CD) -2. Grub then starts the Linux boot and loads the Linux Kernel ``/boot/vmlinuz`` -3. Kernel Launches Systemd ``/lib/systemd/systemd`` -4. Systemd loads the VyOS service file ``/lib/systemd/system/vyos-router.service`` -5. The service file launches the VyOS router init script ``/usr/libexec/vyos/init/vyos-router`` - this is part of the `vyatta-cfg`_ Debian package - - 1. Starts FRR_ - successor to `GNU Zebra`_ and `Quagga`_ - - 2. Initialises the boot configuration file - copies over ``config.boot.default`` if there is no configuration - 3. Runs the configuration migration, if the configuration is for an older version of VyOS - 4. Runs The pre-config script, if there is one ``/config/scripts/vyos-preconfig-bootup.script`` - 5. If the config file was upgraded, runs any post upgrade scripts ``/config/scripts/post-upgrade.d`` - 6. Starts **rl-system** and **firewall** - 7. Mounts the ``/boot`` partition - 8. The boot configuration file is then applied by ``/opt/vyatta/sbin/vyatta-boot-config-loader /opt/vyatta/etc/config/config.boot`` - - 1. The config loader script writes log entries to ``/var/log/vyatta-config-loader.log`` - - 10. Runs ``telinit q`` to tell the init system to reload ``/etc/inittab`` - 11. Finally it runs the post-config script ``/config/scripts/vyos-postconfig-bootup.script`` - -.. _Quagga: http://www.quagga.net/ -.. _`GNU Zebra`: https://www.gnu.org/software/zebra/ -.. _FRR: https://frrouting.org/ -.. _vyatta-cfg: https://github.com/vyos/vyatta-cfg -.. _systemd: _https://freedesktop.org/wiki/Software/systemd/ -.. _`Debian Jessie`: https://www.debian.org/releases/jessie/ -.. _mtr: http://www.bitwizard.nl/mtr/ -.. _tshark: https://www.wireshark.org/docs/man-pages/tshark.html -.. _`PCAP filter expressions`: http://www.tcpdump.org/manpages/pcap-filter.7.html 
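Review bot: Deleting troubleshooting.rst also deletes the ``.. _troubleshooting:`` and ``.. _boot-steps:`` labels, so any ``:ref:`` to them in the remaining docs will fail the Sphinx build; this file itself refers to ``:ref:`cli```, so the target-page convention clearly exists and the reverse references need checking before merge. If the content is moved rather than dropped, the stray leading underscore in ``.. _systemd: _https://freedesktop.org/wiki/Software/systemd/`` and the boot-steps sub-list that jumps from a nested ``1.`` straight to ``10.`` should be fixed at the new location.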
diff --git a/docs/appendix/vyos-on-baremetal.rst b/docs/appendix/vyos-on-baremetal.rst deleted file mode 100644 index 14ba2adf..00000000 --- a/docs/appendix/vyos-on-baremetal.rst +++ /dev/null 
@@ -1,380 +0,0 @@ -.. _vyosonbaremetal: - -Running on Bare Metal -##################### - -Intel Atom C3000 -**************** - -I opted to get one of the new Intel Atom C3000 CPUs to spawn VyOS on it. -Running VyOS on an UEFI only device is supported as of VyOS release 1.2. - -Shopping Cart -------------- - -* 1x Supermicro CSE-505-203B (19" 1U chassis, inkl. 200W PSU) -* 1x Supermicro MCP-260-00085-0B (I/O Shield for A2SDi-2C-HLN4F) -* 1x Supermicro A2SDi-2C-HLN4F (Intel Atom C3338, 2C/2T, 4MB cache, Quad LAN with - Intel C3000 SoC 1GbE) -* 1x Crucial CT4G4DFS824A (4GB DDR4 RAM 2400 MT/s, PC4-19200) -* 1x SanDisk Ultra Fit 32GB (USB-A 3.0 SDCZ43-032G-G46 mass storage for OS) -* 1x Supermicro MCP-320-81302-0B (optional FAN tray) - -Optional (10GE) ---------------- -If you wan't to get additional ethernet ports or even 10GE connectivity -the following optional parts will be required: - -* 1x Supermicro RSC-RR1U-E8 (Riser Card) -* 1x Supermicro MCP-120-00063-0N (Riser Card Bracket) - -Latest VyOS rolling releases boot without any problem on this board. You also -receive a nice IPMI interface realized with an ASPEED AST2400 BMC (no information -about `OpenBMC <https://www.openbmc.org/>`_ so far on this motherboard). - -Pictures --------- - -.. figure:: /_static/images/1u_vyos_back.jpg - :scale: 25 % - :alt: CSE-505-203B Back - -.. figure:: /_static/images/1u_vyos_front.jpg - :scale: 25 % - :alt: CSE-505-203B Front - -.. figure:: /_static/images/1u_vyos_front_open_1.jpg - :scale: 25 % - :alt: CSE-505-203B Open 1 - -.. figure:: /_static/images/1u_vyos_front_open_2.jpg - :scale: 25 % - :alt: CSE-505-203B Open 2 - -.. figure:: /_static/images/1u_vyos_front_open_3.jpg - :scale: 25 % - :alt: CSE-505-203B Open 3 - -.. figure:: /_static/images/1u_vyos_front_10ge_open_1.jpg - :scale: 25 % - :alt: CSE-505-203B w/ 10GE Open 1 - -.. figure:: /_static/images/1u_vyos_front_10ge_open_2.jpg - :scale: 25 % - :alt: CSE-505-203B w/ 10GE Open 2 - -.. 
figure:: /_static/images/1u_vyos_front_10ge_open_3.jpg - :scale: 25 % - :alt: CSE-505-203B w/ 10GE Open 3 - -.. figure:: /_static/images/1u_vyos_front_10ge_open_4.jpg - :scale: 25 % - :alt: CSE-505-203B w/ 10GE Open - - -PC Engines APU4 -*************** - -As this platform seems to be quiet common in terms of noise, cost, power and -performance it makes sense to write a small installation manual. - -This guide was developed using an APU4C4 board with the following specs: - -* AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI - support, 32K data + 32K instruction cache per core, shared 2MB L2 cache. -* 4 GB DDR3-1333 DRAM, with optional ECC support -* About 6 to 10W of 12V DC power depending on CPU load -* 2 miniPCI express (one with SIM socket for 3G modem). -* 4 Gigabit Ethernet channels using Intel i211AT NICs - -The board can be powered via 12V from the front or via a 5V onboard connector. - -Shopping Cart -------------- - -* 1x apu4c4 = 4 i211AT LAN / AMD GX-412TC CPU / 4 GB DRAM / dual SIM -* 1x Kingston SUV500MS/120G -* 1x VARIA Group Item 326745 19" dual rack rack for APU4 -* 1x Compex WLE900VX (Optional mini PCIe WiFi module) - -The 19" enclosure can accomodate up to two APU4 boards - there is a single and -dual front cover. - -.. note:: Compex WLE900VX is only supported in mPCIe slot 1. - -VyOS 1.2 (crux) ---------------- - -Depending on the VyOS versions you intend to install there is a difference in -the serial port settings (T1327_). - -Create a bootable USB pendrive using e.g. Rufus_ on a Windows machine. - -Connect serial port to a PC through null modem cable (RXD / TXD crossed over). -Set terminal emulator to 115200 8N1. - -.. code-block:: none - - PC Engines apu4 - coreboot build 20171130 - BIOS version v4.6.4 - 4080 MB ECC DRAM - SeaBIOS (version rel-1.11.0.1-0-g90da88d) - - Press F10 key now for boot menu: - - Select boot device: - - 1. ata0-0: KINGSTON SUV500MS120G ATA-11 Hard-Disk (111 GiBytes) - 2. 
USB MSC Drive Generic Flash Disk 8.07 - 3. Payload [memtest] - 4. Payload [setup] - -Now boot from the ``USB MSC Drive Generic Flash Disk 8.07`` media by pressing -``2``, the VyOS boot menu will appear, just wait 10 seconds or press ``Enter`` -to continue. - -.. code-block:: none - - lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk - x VyOS - Boot Menu x - tqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu - x Live (amd64-vyos) x - x Live (amd64-vyos failsafe) x - x x - mqqqqqqPress ENAutomatic boot in 10 seconds...nu entryqqqqqqqj - -The image will be loaded and the last lines you will get will be: - -.. code-block:: none - - Loading /live/vmlinuz... ok - Loading /live/initrd.img... - -The Kernel will now spin up using a different console setting. Set terminal -emulator to 9600 8N1 and after a while your console will show: - -.. code-block:: none - - Loading /live/vmlinuz... ok - Loading /live/initrd.img... - Welcome to VyOS - vyos ttyS0 - - vyos login: - -You can now proceed with a regular image installation as described in -:ref:`installation`. - -As the APU board itself still used a serial setting of 115200 8N1 it is strongly -recommended that you change the VyOS serial interface settings after your first -successful boot. - -Use the following command to adjust the :ref:`serial-console` settings: - -.. code-block:: none - - set system console device ttyS0 speed 115200 - -.. note:: Once you ``commit`` the above changes access to the serial interface - is lost until you set your terminal emulator to 115200 8N1 again. - -.. code-block:: none - - vyos@vyos# show system console - device ttyS0 { - speed 115200 - } - -VyOS 1.2 (rolling) ------------------- - -Installing the rolling release on an APU2 board does not require any change -on the serial console from your host side as T1327_ was successfully -implemented. - -Simply proceed with a regular image installation as described in :ref:`installation`. - -Pictures --------- - -.. 
note:: Both device types operate without any moving parts and emit zero noise. - -Rack Mount -^^^^^^^^^^ - -.. figure:: /_static/images/apu4c4_rack_1.jpg - :scale: 25 % - :alt: APU4C4 rack closed - -.. figure:: /_static/images/apu4c4_rack_2.jpg - :scale: 25 % - :alt: APU4C4 rack front - -.. figure:: /_static/images/apu4c4_rack_3.jpg - :scale: 25 % - :alt: APU4C4 rack module #1 - -.. figure:: /_static/images/apu4c4_rack_4.jpg - :scale: 25 % - :alt: APU4C4 rack module #2 - -.. figure:: /_static/images/apu4c4_rack_5.jpg - :scale: 25 % - :alt: APU4C4 rack module #3 with PSU - - -Desktop -^^^^^^^ - -.. figure:: /_static/images/apu4c4_desk_1.jpg - :scale: 25 % - :alt: APU4C4 desktop closed - -.. figure:: /_static/images/apu4c4_desk_2.jpg - :scale: 25 % - :alt: APU4C4 desktop closed - -.. figure:: /_static/images/apu4c4_desk_3.jpg - :scale: 25 % - :alt: APU4C4 desktop back - -.. figure:: /_static/images/apu4c4_desk_4.jpg - :scale: 25 % - :alt: APU4C4 desktop back - -.. _Rufus: https://rufus.ie/ -.. _T1327: https://phabricator.vyos.net/T1327 - - -Qotom Q355G4 -************ - -The install on this Q355G4 box is pretty much plug and play. The port numbering -the OS does might differ from the labels on the outside, but the UEFI firmware -has a port blink test built in with MAC adresses so you can very quickly identify -which is which. MAC labels are on the inside as well, and this test can be done -from VyOS or plain Linux too. Default settings in the UEFI will make it boot, -but depending on your installation wishes (i.e. storage type, boot type, console -type) you might want to adjust them. This Qotom company seems to be the real -OEM/ODM for many other relabelling companies like Protectli. - -Hardware --------- - -There are a number of other options, but they all seem to be close to Intel -reference designs, with added features like more serial ports, more network -interfaces and the likes. 
Because they don't deviate too much from standard -designs all the hardware is well-supported by mainline. It accepts one LPDDR3 -SO-DIMM, but chances are that if you need more than that, you'll also want -something even beefier than an i5. There are options for antenna holes, and SIM -slots, so you could in theory add an LTE/Cell modem (not tested so far). - -The chassis is a U-shaped alu extrusion with removable I/O plates and removable -bottom plate. Cooling is completely passive with a heatsink on the SoC with -internal and external fins, a flat interface surface, thermal pad on top of that, -which then directly attaches to the chassis, which has fins as well. It comes -with mounting hardware and rubber feet, so you could place it like a desktop -model or mount it on a VESA mount, or even wall mount it with the provided -mounting plate. The closing plate doubles as internal 2.5" mounting place for -an HDD or SSD, and comes supplied with a small SATA cable and SATA power cable. - -Power supply is a 12VDC barrel jack, and included switching power supply, which -is why SATA power regulation is on-board. Internally it has a NUC-board-style -on-board 12V input header as well, the molex locking style. - -There are WDT options and auto-boot on power enable, which is great for remote -setups. Firmware is reasonably secure (no backdoors found, BootGuard is enabled -in enforcement mode, which is good but also means no coreboot option), yet has -most options available to configure (so it's not locked out like most firmwares -are). - -An external RS232 serial port is available, internally a GPIO header as well. -It does have Realtek based audio on board for some reason, but you can disable -that. Booting works on both USB2 and USB3 ports. Switching between serial BIOS -mode and HDMI BIOS mode depends on what is connected at startup; it goes into -serial mode if you disconnect HDMI and plug in serial, in all other cases it's -HDMI mode. - -Partaker i5 -*********** - -.. 
figure:: ../_static/images/600px-Partaker-i5.jpg - -I believe this is actually the same hardware as the Protectli. I purchased it -from `Amazon <https://www.amazon.com/gp/product/B073F9GHKL/>`_ in June 2018. -It came pre-loaded with pfSense. - -`Manufacturer product page <http://www.inctel.com.cn/product/detail/338.html>`_. - -Installation ------------- - -* Write VyOS ISO to USB drive of some sort -* Plug in VGA, power, USB keyboard, and USB drive -* Press "SW" button on the front (this is the power button; I don't know what - "SW" is supposed to mean). -* Begin rapidly pressing delete on the keyboard. The boot prompt is very quick, - but with a few tries you should be able to get into the BIOS. -* Chipset > South Bridge > USB Configuration: set XHCI to Disabled and USB 2.0 - (EHCI) to Enabled. Without doing this, the USB drive won't boot. -* Boot to the VyOS installer and install as usual. - -Warning the interface labels on my device are backwards; the left-most "LAN4" -port is eth0 and the right-most "LAN1" port is eth3. - -Acrosser AND-J190N1 -******************* - -.. figure:: ../_static/images/480px-Acrosser_ANDJ190N1_Front.jpg - -.. figure:: ../_static/images/480px-Acrosser_ANDJ190N1_Back.jpg - -11/22/2016. This microbox network appliance was build to create OpenVPN bridges. -It can saturate a 100Mbps link. - -It is a small (serial console only) PC with 6 Gb LAN -http://www.acrosser.com/upload/AND-J190_J180N1-2.pdf - -You may have to add your own RAM and HDD/SSD. There is no VGA connector. But -Acrosser provides a DB25 adapter for the VGA header on the motherboard (not used). - -BIOS Settings: --------------- - -First thing you want to do is getting a more user friendly console to configure -BIOS. Default VT100 brings a lot of issues. Configure VT100+ instead. - -For practical issues change speed from 115200 to 9600. 9600 is the default speed -at which both linux kernel and VyOS will reconfigure the serial port when loading. - -Connect to serial (115200bps). 
Power on the appliance and press Del in the console -when requested to enter BIOS settings. - -Advanced > Serial Port Console Redirection > Console Redirection Settings: - -* Terminal Type : VT100+ -* Bits per second : 9600 - -Save, reboot and change serial speed to 9600 on your client. - -Some options have to be changed for VyOS to boot correctly. With XHCI enabled -the installer can’t access the USB key. Enable EHCI instead. - -Reboot into BIOS, Chipset > South Bridge > USB Configuration: - -* Disable XHCI -* Enable USB 2.0 (EHCI) Support - -Install VyOS: -------------- - -Create a VyOS bootable USB key. I used the 64-bit ISO (VyOS 1.1.7) and `LinuxLive -USB Creator <http://www.linuxliveusb.com/>`_. - -I'm not sure if it helps the process but I changed default option to live-serial -(line “default xxxx”) on the USB key under syslinux/syslinux.cfg. - -I connected the key to one black USB port on the back and powered on. The first -VyOS screen has some readability issues. Press :kbd:`Enter` to continue. - -Then VyOS should boot and you can perform the ``install image`` diff --git a/docs/appendix/vyos-on-gns3.rst b/docs/appendix/vyos-on-gns3.rst deleted file mode 100644 index f17715b2..00000000 --- a/docs/appendix/vyos-on-gns3.rst +++ /dev/null 
@@ -1,175 +0,0 @@ -.. _vyos-on-gns3: - -VyOS on GNS3 -############ - -Sometimes you may want to test VyOS in a lab environment. -`GNS3 <http://www.gns3.com>`__ is a network emulation software you -might use for it. - -This guide will provide the necessary steps for installing -and setting up VyOS on GNS3. - -Requirements ------------- - -The following items are required: - -* A VyOS installation image (.iso file). - `Here <https://docs.vyos.io/en/latest/install.html#download>`__ you - can find how to get it. - -* A working GNS3 installation. For further information see the - `GNS3 documentation <https://docs.gns3.com/>`__. - -.. _vm_setup: - -VM setup --------- - -First, a virtual machine (VM) for the VyOS installation must be created -in GNS3. - -Go to the GNS3 **File** menu, click **New template** and choose select -**Manually create a new Template**. - -.. figure:: /_static/images/gns3-01.png - -Select **Quemu VMs** and then click on the ``New`` button. - -.. figure:: /_static/images/gns3-02.png - -Write a name for your VM, for instance "VyOS", and click ``Next``. - -.. figure:: /_static/images/gns3-03.png - -Select **qemu-system-x86_64** as Quemu binary, then **512MB** of RAM -and click ``Next``. - -.. figure:: /_static/images/gns3-04.png - -Select **telnet** as your console type and click ``Next``. - -.. figure:: /_static/images/gns3-05.png - -Select **New image** for the base disk image of your VM and click -``Create``. - -.. figure:: /_static/images/gns3-06.png - -Use the defaults in the **Binary and format** window and click -``Next``. - -.. figure:: /_static/images/gns3-07.png - -Use the defaults in the **Qcow2 options** window and click ``Next``. - -.. figure:: /_static/images/gns3-08.png - -Set the disk size to 2000 MiB, and click ``Finish`` to end the **Quemu -image creator**. - -.. figure:: /_static/images/gns3-09.png - -Click ``Finish`` to end the **New QEMU VM template** wizard. - -.. 
figure:: /_static/images/gns3-10.png - -Now the VM settings have to be edited. - -Being again at the **Preferences** window, having **Qemu VMs** -selected and having our new VM selected, click the ``Edit`` button. - -.. figure:: /_static/images/gns3-11.png - -In the **General settings** tab of your **QEMU VM template -configuration**, do the following: - -* Click on the ``Browse...`` button to choose the **Symbol** you want to - have representing your VM. -* In **Category** select in which group you want to find your VM. -* Set the **Boot priority** to **CD/DVD-ROM**. - -.. figure:: /_static/images/gns3-12.png - -At the **HDD** tab, change the Disk interface to **sata** to speed up -the boot process. - -.. figure:: /_static/images/gns3-13.png - -At the **CD/DVD** tab click on ``Browse...`` and locate the VyOS image -you want to install. - -.. figure:: /_static/images/gns3-14.png - -.. note:: You probably will want to accept to copy the .iso file to your - default image directory when you are asked. - -In the **Network** tab, set **0** as the number of adapters, set the -**Name format** to **eth{0}** and the **Type** to **Paravirtualized -Network I/O (virtio-net-pci)**. - -.. figure:: /_static/images/gns3-15.png - -In the **Advanced** tab, unmark the checkbox **Use as a linked base -VM** and click ``OK``, which will save and close the **QEMU VM template -configuration** window. - -.. figure:: /_static/images/gns3-16.png - -At the general **Preferences** window, click ``OK`` to save and close. - -.. figure:: /_static/images/gns3-17.png - - -.. _vyos_installation: - -VyOS installation ------------------ - -* Create a new project. -* Drag the newly created VyOS VM into it. -* Start the VM. -* Open a console. - The console should show the system booting. It will ask for the login - credentials, you are at the VyOS live system. -* `Install VyOS <https://docs.vyos.io/en/latest/install.html#install>`__ - as normal (that is, using the ``install image`` command). 
- -* After a successful installation, shutdown the VM with the ``poweroff`` - command. - -* **Delete the VM** from the GNS3 project. - -The *VyOS-hda.qcow2* file now contains a working VyOS image and can be -used as a template. But it still needs some fixes before we can deploy -VyOS in our labs. - -.. _vyos_vm_configuration: - -VyOS VM configuration ---------------------- - -To turn the template into a working VyOS machine, further steps are -necessary as outlined below: - -**General settings** tab: Set the boot priority to **HDD** - -.. figure:: /_static/images/gns3-20.png - -**CD/DVD** tab: Unmount the installation image file by clearing the -**Image** entry field. - -.. figure:: /_static/images/gns3-21.png - -Set the number of required network adapters, for example **4**. - -.. figure:: /_static/images/gns3-215.png - -**Advanced** settings tab: Mark the checkbox **Use as a linked -base VM** and click ``OK`` to save the changes. - -.. figure:: /_static/images/gns3-22.png - -The VyOS VM is now ready to be deployed. - diff --git a/docs/appendix/vyos-on-vmware.rst b/docs/appendix/vyos-on-vmware.rst deleted file mode 100644 index 6feb95ba..00000000 --- a/docs/appendix/vyos-on-vmware.rst +++ /dev/null @@ -1,32 +0,0 @@ -.. _vyosonvmware:
-
-Running on VMWare ESXi
-######################
-
-ESXi 5.5 or later
-*****************
-
-.ova files are available for supporting users, and a VyOS can also be stood up using a generic Linux instance, and attaching the bootable ISO file and installing from the ISO
-using the normal process around `install image`.
-
-.. NOTE:: There have been previous documented issues with GRE/IPSEC tunneling using the E1000 adapter on the VyOS guest, and use of the VMXNET3 has been advised.
-
-Memory Contention Considerations
---------------------------------
-When the underlying ESXi host is approaching ~92% memory utilisation it will start the balloon process in s a 'soft' state to start reclaiming memory from guest operating systems.
-This causes an artifical pressure using the vmmemctl driver on memory usage on the virtual guest. As VyOS by default does not have a swap file, this vmmemctl pressure is unable to
-force processes to move in memory data to the paging file, and blindly consumes memory forcing the virtual guest into a low memory state with no way to escape. The balloon can expand to 65% of
-guest allocated memory, so a VyOS guest running >35% of memory usage, can encounter an out of memory situation, and trigger the kernel oom_kill process. At this point a weighted
-lottery favouring memory hungry processes will be run with the unlucky winner being terminated by the kernel.
-
-It is advised that VyOS routers are configured in a resource group with adequate memory reservations so that ballooning is not inflicted on virtual VyOS guests.
-
-
-
-
-
-References
-----------
-
-https://muralidba.blogspot.com/2018/03/how-does-linux-out-of-memory-oom-killer.html
-
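Review bot: the vyos-on-baremetal.rst hunk (run together above) drops the only documented serial-console procedure for the APU4 on VyOS 1.2 crux (boot at 115200 8N1, kernel console at 9600 8N1, then ``set system console device ttyS0 speed 115200``) and the BIOS changes needed to boot the installer from USB on the Partaker i5 and Acrosser AND-J190N1 (disable XHCI, enable USB 2.0 EHCI), and nothing in this diff adds them elsewhere. If the guide is being moved, keep the ``.. note::`` about losing serial access after ``commit`` directly next to the ``set system console`` command, and fix the spelling in the moved text (``wan't``, ``accomodate``, ``quiet common``, ``adresses``).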
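Review bot: the vyos-on-gns3.rst hunk (run together above) deletes the GNS3 template procedure together with all of its ``.. figure:: /_static/images/gns3-*.png`` references; the diffstat shown here is limited to docs/appendix, so please confirm that those image files are either removed in the same change or still referenced from wherever the guide is relocated, otherwise they become orphaned assets. The deleted text also consistently misspells Qemu as ``Quemu`` (for example ``Select **Quemu VMs**``) and reads ``choose select **Manually create a new Template**``; fix both if the section is moved rather than dropped.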
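Review bot: the vyos-on-vmware.rst hunk removes the memory-contention guidance (balloon driver starting at ~92% ESXi host memory utilisation, balloon growth to 65% of guest memory, OOM risk for a VyOS guest above 35% memory usage, and the advice to place VyOS routers in a resource group with memory reservations) as well as the note preferring VMXNET3 over E1000 for GRE/IPsec tunnels; this is operational guidance needed to keep a router from being OOM-killed, so if it is not being relocated the commit message should say why. If it is being moved, fix ``artifical`` and ``in s a 'soft' state`` on the way, and move the ``References`` link with the text, since it is the only citation given for the OOM-killer behaviour described.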