Diffstat (limited to 'docs/configexamples')

 -rw-r--r--  docs/configexamples/azure-vpn-bgp.rst                  |  2
 -rw-r--r--  docs/configexamples/azure-vpn-dual-bgp.rst             |  2
 -rw-r--r--  docs/configexamples/bgp-ipv6-unnumbered.rst            |  2
 -rw-r--r--  docs/configexamples/dhcp-relay-through-gre-bridge.rst  |  5
 -rw-r--r--  docs/configexamples/ha.rst                             | 46
 -rw-r--r--  docs/configexamples/ospf-unnumbered.rst                |  2
 -rw-r--r--  docs/configexamples/pppoe-ipv6-basic.rst               | 24
 -rw-r--r--  docs/configexamples/tunnelbroker-ipv6.rst              | 10
 -rw-r--r--  docs/configexamples/wan-load-balancing.rst             | 25
 -rw-r--r--  docs/configexamples/zone-policy.rst                    |  6

10 files changed, 69 insertions, 55 deletions
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst index c40e1b76..7dc2f332 100644 --- a/docs/configexamples/azure-vpn-bgp.rst +++ b/docs/configexamples/azure-vpn-bgp.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-28 + .. _examples-azure-vpn-bgp: Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst index 6df5d2ff..8cf2c0ef 100644 --- a/docs/configexamples/azure-vpn-dual-bgp.rst +++ b/docs/configexamples/azure-vpn-dual-bgp.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-28 + .. _examples-azure-vpn-dual-bgp: Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) diff --git a/docs/configexamples/bgp-ipv6-unnumbered.rst b/docs/configexamples/bgp-ipv6-unnumbered.rst index 12ce2bd6..d8965b6b 100644 --- a/docs/configexamples/bgp-ipv6-unnumbered.rst +++ b/docs/configexamples/bgp-ipv6-unnumbered.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-28 + .. _examples-bgp-ipv6-unnumbered: ######################################### diff --git a/docs/configexamples/dhcp-relay-through-gre-bridge.rst b/docs/configexamples/dhcp-relay-through-gre-bridge.rst index 10184970..16d8488b 100644 --- a/docs/configexamples/dhcp-relay-through-gre-bridge.rst +++ b/docs/configexamples/dhcp-relay-through-gre-bridge.rst @@ -1,7 +1,4 @@ - - - - +:lastproofread: 2021-06-28 .. _examples-dhcp-relay-through-gre-bridge: diff --git a/docs/configexamples/ha.rst b/docs/configexamples/ha.rst index 401d7b9f..12c431f0 100644 --- a/docs/configexamples/ha.rst +++ b/docs/configexamples/ha.rst 
@@ -1,24 +1,26 @@ +:lastproofread: 2021-06-28 + ############################# High Availability Walkthrough ############################# This document walks you through a complete HA setup of two VyOS machines. This -design is based on a VM as the primary router, and a physical machine as a -backup, using VRRP, BGP, OSPF and conntrack sharing. +design is based on a VM as the primary router and a physical machine as a +backup, using VRRP, BGP, OSPF, and conntrack sharing. -The aim of this document is to walk you through setting everything up, so +This document aims to walk you through setting everything up, so at a point where you can reboot any machine and not lose more than a few seconds worth of connectivity. Design ====== -This is based on a real life, in production design. One of the complex issues +This is based on a real-life production design. One of the complex issues is ensuring you have redundant data INTO your network. We do this with a pair -of Cisco Nexus switches, and using Virtual PortChannels that are spanned across -them. This as an added bonus, also allows for complete switch failure without -an outage. How you achieve this yourself is left as an exercise to the reader -but our setup is documented here. +of Cisco Nexus switches and using Virtual PortChannels that are spanned across +them. As a bonus, this also allows for complete switch failure without +an outage. How you achieve this yourself is left as an exercise to the reader. +But our setup is documented here. Walkthrough suggestion ---------------------- 
@@ -31,7 +33,7 @@ If you are following through this document, it is strongly suggested you complete the entire document, ONLY doing the virtual router1 steps, and then come back and walk through it AGAIN on the backup hardware router. -This ensures you don't go to fast, or miss a step. However, it will make your +This ensures you don't go too fast or miss a step. However, it will make your life easier to configure the fixed IP address and default route now on the hardware router. @@ -43,7 +45,7 @@ provider, which we are publishing on VLAN100. They want us to establish a BGP session to their routers on 192.0.2.11 and 192.0.2.12 from our routers 192.0.2.21 and 192.0.2.22. They are AS 65550 and -we are AS65551. +we are AS 65551. Our routers are going to have a floating IP address of 203.0.113.1, and use .2 and .3 as their fixed IPs. @@ -54,13 +56,13 @@ When traffic is originated from the 10.200.201.0/24 network, it will be masqueraded to 203.0.113.1 For connection between sites, we are running a WireGuard link to two REMOTE -routers, and using OSPF over those links to distribute routes. That remote +routers and using OSPF over those links to distribute routes. That remote site is expected to send traffic from anything in 10.201.0.0/16 VLANs ----- -These are the vlans we wll be using: +These are the vlans we will be using: * 50: Upstream, using the 192.0.2.0/24 network allocated by them. * 100: 'Public' network, using our 203.0.113.0/24 network. @@ -95,7 +97,7 @@ of scope of this. .. note:: Our implementation uses VMware's Distributed Port Groups, which allows VMware to use LACP. This is a part of the ENTERPRISE licence, and is not - available on a Free licence. If you are implementing this and do not have + available on a free licence. If you are implementing this and do not have access to DPGs, you should not use VMware, and use some other virtualization platform instead. 
@@ -103,7 +105,7 @@ of scope of this. Basic Setup (via console) ========================= -Create your router1 VM so it is able to withstand a VM Host failing, or a +Create your router1 VM. So it can withstand a VM Host failing or a network link failing. Using VMware, this is achieved by enabling vSphere DRS, vSphere Availability, and creating a Distributed Port Group that uses LACP. @@ -177,7 +179,7 @@ Enable SSH so you can now SSH into the routers, rather than using the console. commit save -At this point you should be able to SSH into both of them, and will no longer +At this point, you should be able to SSH into both of them, and will no longer need access to the console (unless you break something!) @@ -417,9 +419,9 @@ Make sure you can ping 10.254.60.1 and .2 from both routers. Create Export Filter -------------------- -We only want to export the networks we know we should be exporting. Always -whitelist your route filters, both importing and exporting. A good rule of -thumb is **'If you are not the default router for a network, don't advertise +We only want to export the networks we know. Always do a whitelist on your route +filters, both importing and exporting. A good rule of thumb is +**'If you are not the default router for a network, don't advertise it'**. This means we explicitly do not want to advertise the 192.0.2.0/24 network (but do want to advertise 10.200.201.0 and 203.0.113.0, which we ARE the default route for). This filter is applied to ``redistribute connected``. @@ -448,7 +450,7 @@ default again. This is called 'flapping'. Create Import Filter -------------------- -We only want to import networks we know about. Our OSPF peer should only be +We only want to import networks we know. Our OSPF peer should only be advertising networks in the 10.201.0.0/16 range. Note that this is an INVERSE MATCH. You deny in access-list 100 to accept the route. 
@@ -491,7 +493,7 @@ Test OSPF When you have enabled OSPF on both routers, you should be able to see each other with the command ``show ip ospf neighbour``. The state must be 'Full' -or '2-Way', if it is not then there is a network connectivity issue between the +or '2-Way'. If it is not, then there is a network connectivity issue between the hosts. This is often caused by NAT or MTU issues. You should not see any new routes (unless this is the second pass) in the output of ``show ip route`` @@ -514,8 +516,8 @@ You should now be able to see the advertised network on the other host. Duplicate configuration ----------------------- -At this pont you now need to create the X link between all four routers. Use a -different /30 for each link. +At this point, you now need to create the X link between all four routers. +Use amdifferent /30 for each link. Priorities ---------- diff --git a/docs/configexamples/ospf-unnumbered.rst b/docs/configexamples/ospf-unnumbered.rst index dfb4eec1..6a5a1bb4 100644 --- a/docs/configexamples/ospf-unnumbered.rst +++ b/docs/configexamples/ospf-unnumbered.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-29 + .. _examples-ospf-unnumbered: ######################### diff --git a/docs/configexamples/pppoe-ipv6-basic.rst b/docs/configexamples/pppoe-ipv6-basic.rst index 451d2b09..f569d9c3 100644 --- a/docs/configexamples/pppoe-ipv6-basic.rst +++ b/docs/configexamples/pppoe-ipv6-basic.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-29 + .. _examples-pppoe-ipv6-basic: ####################################### 
@@ -5,9 +7,9 @@ PPPoE IPv6 Basic Setup for Home Network ####################################### This document is to describe a basic setup using PPPoE with DHCPv6-PD + -SLAAC to construct a typical home network. The user can follow steps described -here to quickly setup a working network and use this as a starting point to -further configure or fine tune other settings. +SLAAC to construct a typical home network. The user can follow the steps +described here to quickly setup a working network and use this as a starting +point to further configure or fine-tune other settings. To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure, please contact your ISP for more information. @@ -40,8 +42,8 @@ DHCPv6-PD Setup --------------- During address configuration, in addition to assigning an address to the WAN -interface, ISP also provides a prefix to allow router to configure addresses of -LAN interface and other nodes connecting to LAN, which is called prefix +interface, ISP also provides a prefix to allow the router to configure addresses +of LAN interface and other nodes connecting to LAN, which is called prefix delegation (PD). .. code-block:: none @@ -49,8 +51,8 @@ delegation (PD). set interfaces pppoe pppoe0 ipv6 address autoconf set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 address '100' -* Here we use prefix to configure the address of eth1 (LAN) to form ``<prefix>::64``, - where ``64`` is hexadecimal of address 100. +* Here we use the prefix to configure the address of eth1 (LAN) to form + ``<prefix>::64``, where ``64`` is hexadecimal of address 100. * For home network users, most of time ISP only provides /64 prefix, hence there is no need to set SLA ID and prefix length. See :ref:`pppoe-interface` for more information. 
@@ -59,7 +61,7 @@ Router Advertisement -------------------- We need to enable router advertisement for LAN network so that PC can receive -the prefix and use SLAAC to configure address automatically. +the prefix and use SLAAC to configure the address automatically. .. code-block:: none @@ -68,8 +70,8 @@ the prefix and use SLAAC to configure address automatically. set service router-advert interface eth1 prefix ::/64 valid-lifetime '172800' * Set MTU in advertisement to 1492 because of PPPoE header overhead. -* Set DNS server address in advertisement so that clients can obtain it by using - RDNSS option. Most operating systems (Windows, Linux, Mac) should +* Set DNS server address in the advertisement so that clients can obtain it by + using RDNSS option. Most operating systems (Windows, Linux, Mac) should already support it. * Here we set the prefix to ``::/64`` to indicate advertising any /64 prefix the LAN interface is assigned. @@ -106,5 +108,5 @@ To have basic protection while keeping IPv6 network functional, we need to: set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN' set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL' -Note to allow router to receive DHCPv6 response from ISP, we need to allow +Note to allow the router to receive DHCPv6 response from ISP. We need to allow packets with source port 547 (server) and destination port 546 (client). diff --git a/docs/configexamples/tunnelbroker-ipv6.rst b/docs/configexamples/tunnelbroker-ipv6.rst index 9317912a..b3f8d5e1 100644 --- a/docs/configexamples/tunnelbroker-ipv6.rst +++ b/docs/configexamples/tunnelbroker-ipv6.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-29 + .. _examples-tunnelbroker-ipv6: .. stop_vyoslinter @@ -6,7 +8,7 @@ Tunnelbroker.net (IPv6) ####################### -This guides walks through the setup of https://www.tunnelbroker.net/ for an +This guide walks through the setup of https://www.tunnelbroker.net/ for an IPv6 Tunnel. Prerequisites 
@@ -78,12 +80,12 @@ You should now be able to ping something by IPv6 DNS name: 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 16.880/17.153/17.426/0.273 ms -Assuming everything works, you can proceed to client configuration +Assuming everything works, you can proceed to the client configuration LAN Configuration ================= -At this point your VyOS install should have full IPv6, but now your LAN devices +At this point, your VyOS install should have full IPv6, but now your LAN devices need access. With Tunnelbroker.net, you have two options: @@ -140,7 +142,7 @@ The format of these addresses: In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff (1-65535). -So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc: +So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc: .. code-block:: none diff --git a/docs/configexamples/wan-load-balancing.rst b/docs/configexamples/wan-load-balancing.rst index cd150121..ace9a981 100644 --- a/docs/configexamples/wan-load-balancing.rst +++ b/docs/configexamples/wan-load-balancing.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-29 + .. _wan-load-balancing: .. stop_vyoslinter # pictures and text have to change 
@@ -65,21 +67,20 @@ Configure the WAN load balancer with the parameters described above: Example 2: Failover based on interface weights ---------------------------------------------- -This examples uses the failover mode. - +This example uses the failover mode. .. _wan:example2_overwiew: Overview ^^^^^^^^ -In this example eth0 is the primary interface and eth1 is the secondary -interface to provide simple failover functionality. If eth0 fails, eth1 +In this example, eth0 is the primary interface and eth1 is the secondary +interface. To provide simple failover functionality. If eth0 fails, eth1 takes over. Create interface weight based configuration ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The configuration steps are the same as in the previous example, except -rule 10 so we keep the configuration, remove rule 10 and add a new rule +rule 10. So we keep the configuration, remove rule 10 and add a new rule for the failover mode: .. code-block:: none @@ -93,8 +94,8 @@ for the failover mode: Example 3: Failover based on rule order --------------------------------------- -The previous example used the failover command to send traffic thorugh -eth1 if eth0 fails. In this example failover functionality is provided +The previous example used the failover command to send traffic through +eth1 if eth0 fails. In this example, failover functionality is provided by rule order. .. _wan:example3_overwiew: @@ -108,7 +109,7 @@ directing traffic to eth1. Create rule order based configuration ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -We keep the configurtation from the previous example, delete rule 10 +We keep the configuration from the previous example, delete rule 10 and create the two new rules as described: .. code-block:: none 
@@ -122,20 +123,20 @@ and create the two new rules as described: Example 4: Failover based on rule order - priority traffic ---------------------------------------------------------- -A rule order for prioritising traffic is useful in scenarios where the +A rule order for prioritizing traffic is useful in scenarios where the secondary link has a lower speed and should only carry high priority traffic. It is assumed for this example that eth1 is connected to a -slower connection than eth0 and should prioritise VoIP traffic. +slower connection than eth0 and should prioritize VoIP traffic. .. _wan:example4_overwiew: Overview ^^^^^^^^ -A rule order for prioritising traffic is useful in scenarios where the +A rule order for prioritizing traffic is useful in scenarios where the secondary link has a lower speed and should only carry high priority traffic. It is assumed for this example that eth1 is connected to a -slower connection than eth0 and should prioritise VoIP traffic. +slower connection than eth0 and should prioritize VoIP traffic. Create rule order based configuration with low speed secondary link ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst index bfe77c2e..cf11a01e 100644 --- a/docs/configexamples/zone-policy.rst +++ b/docs/configexamples/zone-policy.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-29 + .. _examples-zone-policy: Zone-Policy example @@ -132,7 +134,7 @@ To add logging to the default rule, do: set firewall name <ruleSet> enable-default-log -By default, iptables does not allow traffic for established session to +By default, iptables does not allow traffic for established sessions to return, so you must explicitly allow this. I do this by adding two rules to every ruleset. 1 allows established and related state packets through and rule 2 drops and logs invalid state packets. We place the 
@@ -367,7 +369,7 @@ IPv6 Tunnel ^^^^^^^^^^^ If you are using a IPv6 tunnel from HE.net or someone else, the basis is -the same except you have two WAN interface. One for v4 and one for v6. +the same except you have two WAN interfaces. One for v4 and one for v6. You would have 5 zones instead of just 4 and you would configure your v6 ruleset between your tunnel interface and your LAN/DMZ zones instead of |
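Review bot: in the ha.rst hunk at `@@ -1,24 +1,26 @@`, the last changed paragraph splits one sentence into "left as an exercise to the reader." and a fragment "But our setup is documented here."; keep the original comma join ("...is left as an exercise to the reader, but our setup is documented here.") so the contrast stays in one sentence.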
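Review bot: in the ha.rst hunk at `@@ -103,7 +105,7 @@`, "Create your router1 VM. So it can withstand a VM Host failing or a network link failing." turns the purpose clause into a sentence fragment; suggest "Create your router1 VM so that it can withstand a VM host failing or a network link failing."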
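Review bot: in the ha.rst hunk at `@@ -417,9 +419,9 @@`, the rewrite weakens the export-filter guidance: "the networks we know" drops "we should be exporting", and "Always do a whitelist on your route filters" is less clear than the original "Always whitelist your route filters, both importing and exporting." Suggest keeping both original phrasings and only re-wrapping the lines, since the whitelist rule is the security point of this section.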
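Review bot: in the ha.rst hunk at `@@ -514,8 +516,8 @@`, the new line "Use amdifferent /30 for each link." introduces a typo; it should read "Use a different /30 for each link."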
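Review bot: in the pppoe-ipv6-basic.rst hunk at `@@ -5,9 +7,9 @@`, the re-wrapped line "described here to quickly setup a working network" keeps the verb/noun mix-up from the original; as a verb it should be "quickly set up a working network".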
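Review bot: in the pppoe-ipv6-basic.rst hunk at `@@ -106,5 +108,5 @@`, splitting the closing note into "Note to allow the router to receive DHCPv6 response from ISP." and "We need to allow packets..." leaves the first half as a fragment and detaches the reason for the firewall rule from the rule itself. Suggest "Note: to allow the router to receive the DHCPv6 response from the ISP, we need to allow packets with source port 547 (server) and destination port 546 (client)."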
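Review bot: in the wan-load-balancing.rst hunk at `@@ -65,21 +67,20 @@`, removing the blank line between "This example uses the failover mode." and ".. _wan:example2_overwiew:" breaks the reStructuredText: an explicit markup block such as a hyperlink target must be preceded by a blank line, otherwise the ".. _wan:..." line is parsed as continuation text of the paragraph and any :ref: to that label stops resolving. Restore the blank line. In the same hunk, "interface. To provide simple failover functionality. If eth0 fails" and "except rule 10. So we keep the configuration" create fragments; the original comma joins read correctly.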