Diffstat (limited to 'docs/configuration/service')
| Mode       | File                                          | Lines changed |
| ---------- | --------------------------------------------- | ------------- |
| -rw-r--r-- | docs/configuration/service/conntrack-sync.rst | 4             |
| -rw-r--r-- | docs/configuration/service/dns.rst            | 198           |
| -rw-r--r-- | docs/configuration/service/router-advert.rst  | 63            |
3 files changed, 138 insertions, 127 deletions
| diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index 468b39d9..d43f2385 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -98,6 +98,10 @@ Configuration     This diable the external cache and directly injects the flow-states into the     in-kernel Connection Tracking System of the backup firewall. +.. cfgcmd:: set service conntrack-sync disable-syslog + +   Disable connection logging via Syslog. +  *********  Operation  ********* diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index e430dc73..c6deb179 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst 
@@ -143,33 +143,6 @@ avoid being tracked by the provider of your upstream DNS server.     168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream     DNS server(s) to be used for reverse lookups of these zones. -.. cfgcmd:: set service dns forwarding serve-stale-extension <0-65535> - -   Maximum number of times an expired record’s TTL is extended by 30s when -   serving stale. Extension only occurs if a record cannot be refreshed. A -   value of 0 means the Serve Stale mechanism is not used. To allow records -   becoming stale to be served for an hour, use a value of 120. - -.. cfgcmd:: set service dns forwarding exclude-throttle-address <ip|prefix> - -   When an authoritative server does not answer a query or sends a reply the -   recursor does not like, it is throttled. Any servers matching the supplied -   netmasks will never be throttled. - -.. cfgcmd:: set service dns forwarding options ecs-add-for <address> - -   The requestor netmask for which the requestor IP Address should be used as the -   EDNS Client Subnet for outgoing queries. - -.. cfgcmd:: set service dns forwarding options ecs-ipv4-bits <number> - -   Number of bits of client IPv4 address to pass when sending EDNS Client Subnet -   address information. - -.. cfgcmd:: set service dns forwarding options edns-subnet-allow-list <address|domain> - -   The netmask or domain that EDNS Client Subnet should be enabled for in outgoing queries. -  Example  ======= 
@@ -231,8 +204,8 @@ this only one purpose.  ddclient_ uses two methods to update a DNS record. The first one will send  updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second -one involves a third party service, like DynDNS.com or any other similar -website. This method uses HTTP requests to transmit the new IP address. You +one involves a third party service, like DynDNS.com or any other such +service provider. This method uses HTTP requests to transmit the new IP address. You  can configure both in VyOS.  .. _dns:dynmaic_config: 
@@ -243,46 +216,43 @@ Configuration  :rfc:`2136` Based  ----------------- -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> -   Create new :rfc:`2136` DNS update configuration which will update the IP +   Create new dynamic DNS update configuration which will update the IP     address assigned to `<interface>` on the service you configured under     `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> -   key <keyfile> +.. cfgcmd:: set service dns dynamic name <service-name> description <text> +    +   Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> key <filename> -   File identified by `<keyfile>` containing the secret RNDC key shared with -   remote DNS server. +   File identified by `<filename>` containing the TSIG authentication key for RFC2136 +   nsupdate on remote DNS server. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> -   server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server>     Configure the DNS `<server>` IP/FQDN used when updating this dynamic     assignment. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> -   zone <zone> +.. cfgcmd:: set service dns dynamic name <service-name> zone <zone>     Configure DNS `<zone>` to be updated. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> -   record <record> +.. cfgcmd:: set service dns dynamic name <service-name> host-name <record> -   Configure DNS `<record>` which should be updated. This can be set multiple -   times. +   Configure DNS `<record>` which should be updated. This can be set multiple times. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> -   ttl <ttl> +.. 
cfgcmd:: set service dns dynamic name <service-name> ttl <ttl>     Configure optional TTL value on the given resource record. This defaults to     600 seconds. -.. cfgcmd:: set service dns dynamic timeout <60-3600> +.. cfgcmd:: set service dns dynamic interval <60-3600> -   Specify timeout / update interval to check if IP address changed. - -   This defaults to 300 seconds. +   Specify interval in seconds to wait between Dynamic DNS updates. +   The default is  300 seconds.  .. _dns:dynmaic_example: 
@@ -295,32 +265,48 @@ Example  .. code-block:: none +  # Configuration commands entered: +  # +  set service dns dynamic name 'VyOS-DNS' address interface 'eth0' +  set service dns dynamic name 'VyOS-DNS' description 'RFC 2136 dynamic dns service' +  set service dns dynamic name 'VyOS-DNS' key '/config/auth/my.key' +  set service dns dynamic name 'VyOS-DNS' server 'ns1.vyos.io' +  set service dns dynamic name 'VyOS-DNS' zone 'vyos.io' +  set service dns dynamic name 'VyOS-DNS' host-name 'example.vyos.io' +  set service dns dynamic name 'VyOS-DNS' protocol 'nsupdate' +  set service dns dynamic name 'VyOS-DNS' ttl '300' + +  # Resulting config: +  #    vyos@vyos# show service dns dynamic -   interface eth0.7 { -       rfc2136 VyOS-DNS { -           key /config/auth/my.key -           record example.vyos.io -           server ns1.vyos.io -           ttl 300 -           zone vyos.io +   name VyOS-DNS { +       address { +           interface eth0         } +       description "RFC 2136 dynamic dns service" +       host-name example.vyos.io +       key /config/auth/my.key +       protocol nsupdate +       server ns1.vyos.io +       ttl 300 +       zone vyos.io     }  This will render the following ddclient_ configuration entry:  .. code-block:: none +  # ddclient configuration for interface "eth0":    # -  # ddclient configuration for interface "eth0.7": -  # -  use=if, if=eth0.7 - -  # RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io -  server=ns1.vyos.io -  protocol=nsupdate -  password=/config/auth/my.key -  ttl=300 -  zone=vyos.io + +  # Web service dynamic DNS configuration for VyOS-DNS: [nsupdate, example.vyos.io] +  use=if, \ +  if=eth0, \ +  protocol=nsupdate, \ +  server=ns1.vyos.io, \ +  zone=vyos.io, \ +  password='/config/auth/my.key', \ +  ttl=300 \    example.vyos.io  .. note:: You can also keep different DNS zone updated. Just create a new 
@@ -335,40 +321,43 @@ VyOS is also able to use any service relying on protocols supported by ddclient.  To use such a service, one must define a login, password, one or multiple  hostnames, protocol and server. -.. cfgcmd:: set service dns dynamic address <interface> service <service> -   host-name <hostname> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> +   +   Create new dynamic DNS update configuration which will update the IP    +   address assigned to `<interface>` on the service you configured under +   `<service-name>`. + +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + +   Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> host-name <hostname>     Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS -   provider identified by `<service>` when the IP address on address -   `<interface>` changes. +   provider identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> -   username <username> +.. cfgcmd:: set service dns dynamic name <service-name> username <username>     Configure `<username>` used when authenticating the update request for -   DynDNS service identified by `<service>`. -   For Namecheap, set the <domain> you wish to update. +   DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> -   password <password> +.. cfgcmd:: set service dns dynamic name <service-name> password <password>     Configure `<password>` used when authenticating the update request for -   DynDNS service identified by `<service>`. +   DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> -   protocol <protocol> +.. 
cfgcmd:: set service dns dynamic name <service-name> protocol <protocol> -   When a ``custom`` DynDNS provider is used the protocol used for communicating +   When a ``custom`` DynDNS provider is used, the protocol used for communicating     to the provider must be specified under `<protocol>`. See the embedded -   completion helper for available protocols. +   completion helper when entering above command for available protocols. -.. cfgcmd:: set service dns dynamic address <interface> service <service> -   server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server>     When a ``custom`` DynDNS provider is used the `<server>` where update     requests are being sent to must be specified. -.. cfgcmd:: set service dns dynamic address <interface> ipv6-enable +.. cfgcmd:: set service dns dynamic name <service-name> ip-version 'ipv6'     Allow explicit IPv6 address for the interface. @@ -376,14 +365,17 @@ hostnames, protocol and server.  Example:  ^^^^^^^^ -Use DynDNS as your preferred provider: +Use deSEC (dedyn.io) as your preferred provider:  .. code-block:: none -  set service dns dynamic address eth0 service dyndns -  set service dns dynamic address eth0 service dyndns username my-login -  set service dns dynamic address eth0 service dyndns password my-password -  set service dns dynamic address eth0 service dyndns host-name my-dyndns-hostname +  set service dns dynamic name dedyn description 'deSEC dynamic dns service' +  set service dns dynamic name dedyn username 'myusername' +  set service dns dynamic name dedyn password 'mypassword' +  set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' +  set service dns dynamic name dedyn protocol 'dyndns2' +  set service dns dynamic name dedyn server 'update.dedyn.io' +  set service dns dynamic name dedyn address interface 'eth0'  .. note:: Multiple services can be used per interface. Just specify as many     services per interface as you like! 
@@ -393,12 +385,14 @@ Example IPv6 only:  .. code-block:: none -  set service dns dynamic address eth0 ipv6-enable -  set service dns dynamic address eth0 service dyndns6 username my-login -  set service dns dynamic address eth0 service dyndns6 password my-password -  set service dns dynamic address eth0 service dyndns6 host-name my-dyndns-hostname -  set service dns dynamic address eth0 service dyndns6 protocol dyndns2 -  set service dns dynamic address eth0 service dyndns6 server dyndns-v6-server +  set service dns dynamic name dedyn description 'deSEC ipv6 dynamic dns service' +  set service dns dynamic name dedyn username 'myusername' +  set service dns dynamic name dedyn password 'mypassword' +  set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' +  set service dns dynamic name dedyn protocol 'dyndns2' +  set service dns dynamic name dedyn ip-version 'ipv6' +  set service dns dynamic name dedyn server 'update6.dedyn.io' +  set service dns dynamic name dedyn address interface 'eth0'  Running Behind NAT 
@@ -408,21 +402,15 @@ By default, ddclient_ will update a dynamic dns record using the IP address  directly attached to the interface. If your VyOS instance is behind NAT, your  record will be updated to point to your internal IP. -Above, command syntax isn noted to configure dynamic dns on a specific interface. -It is possible to overlook the additional address option, web, when completeing -those commands. ddclient_ has another way to determine the WAN IP address, using -a web-based url to determine the external IP. Each of the commands above will -need to be modified to use 'web' as the 'interface' specified if this functionality -is to be utilized. - -This functionality is controlled by adding the following configuration: +ddclient_ has another way to determine the WAN IP address. This is controlled +by: -.. cfgcmd:: set service dns dynamic address web web-options url <url> +.. cfgcmd:: set service dns dynamic name <service-name> address web <url>     Use configured `<url>` to determine your IP address. ddclient_ will load     `<url>` and tries to extract your IP address from the response. -.. cfgcmd:: set service dns dynamic address web web-options skip <pattern> +.. cfgcmd:: set service dns dynamic name <service-name> address web skip <pattern>     ddclient_ will skip any address located before the string set in `<pattern>`. diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index f179153a..ca558b6a 100644 --- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst @@ -13,6 +13,7 @@ Supported interface types:      * bonding      * bridge      * ethernet +    * geneve      * l2tpv3      * openvpn      * pseudo-ethernet @@ -22,9 +23,9 @@ Supported interface types:      * wireless      * wwan - -Enabling Advertisments -~~~~~~~~~~~~~~~~~~~~~~~ +************* +Configuration +*************  .. cfgcmd:: set service router-advert interface <interface> ... 
@@ -50,7 +51,7 @@ Enabling Advertisments  Advertising a Prefix -'''''''''''''''''''' +--------------------  .. cfgcmd:: set service router-advert interface <interface> prefix <prefix/mask> 
@@ -73,30 +74,48 @@ Advertising a Prefix  .. start_vyoslinter +Advertising a NAT64 Prefix +-------------------------- + +.. cfgcmd:: set service router-advert interface <interface> nat64prefix <prefix/mask> + +   Enable PREF64 option as outlined in :rfc:`8781`. + +   NAT64 prefix mask must be one of: /32, /40, /48, /56, /64 or 96. + +   .. note:: The well known NAT64 prefix is ``64:ff9b::/96`` + +.. stop_vyoslinter + +.. csv-table:: +    :header: "VyOS Field", "Description" +    :widths: 10,30 + +    "valid-lifetime","Time in seconds that the prefix will remain valid (default: 65528 seconds)" + +.. start_vyoslinter +  Disabling Advertisements -~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------  To disable advertisements without deleting the configuration:  .. cfgcmd:: set service router-advert interface <interface> no-send-advert -Example Configuration -~~~~~~~~~~~~~~~~~~~~~ + +******* +Example +******* + +Your LAN connected on eth0 uses prefix ``2001:db8:beef:2::/64`` with the router +beeing ``2001:db8:beef:2::1``  .. code-block:: none -     interface eth0.2 { -        default-preference high -        hop-limit 64 -        interval { -            max 600 -        } -        name-server 2001:db8::1 -        name-server 2001:db8::2 -        other-config-flag -        prefix 2001:db8:beef:2::/64 { -            valid-lifetime 2592000 -        } -        reachable-time 0 -        retrans-timer 0 -     } +    set interfaces ethernet eth0 address 2001:db8:beef:2::1/64 + +    set service router-advert interface eth0 default-preference 'high' +    set service router-advert interface eth0 name-server '2001:db8::1' +    set service router-advert interface eth0 name-server '2001:db8::2' +    set service router-advert interface eth0 other-config-flag +    set service router-advert interface eth0 prefix 2001:db8:beef:2::/64 | 
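Review bot: in the conntrack-sync hunk (@@ -98,6 +98,10 @@), the new `disable-syslog` entry should say what the default is (logging enabled unless this is set) and that setting it removes the syslog record of tracked connections, which operators use for auditing and incident review; one sentence after "Disable connection logging via Syslog." is enough. While this file is open, the preceding context line "This diable the external cache" should read "This disables the external cache".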
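Review bot: the dns.rst hunk at @@ -143,33 +143,6 @@ deletes the `serve-stale-extension`, `exclude-throttle-address`, `ecs-add-for`, `ecs-ipv4-bits` and `edns-subnet-allow-list` entries and adds nothing in their place anywhere in this diff; if those forwarding options still exist in the CLI, the documentation now silently omits them, so either restore them or state where they moved. The surrounding context line "which enabling upstream DNS server(s) to be used" should read "which enables upstream DNS server(s) to be used".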
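Review bot: in the hunk at @@ -231,8 +204,8 @@, "third party service" should be hyphenated as "third-party service". The context label `.. _dns:dynmaic_config:` (and `.. _dns:dynmaic_example:` further down) is misspelled; fixing it means updating every `:ref:` that points at it, so do that in one commit or leave both alone.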
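Review bot: in the hunk at @@ -243,46 +216,43 @@, the added line "The default is  300 seconds." has a double space, and the line after the `description <text>` cfgcmd consists only of trailing whitespace, which the RST linter flags. The `key <filename>` entry now says the file holds the TSIG authentication key; since that is a shared secret, add a sentence on how the file is expected to be protected (the example places it under /config/auth), and write "RFC2136" as :rfc:`2136` as the rest of the page does.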
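Review bot: the example in the hunk at @@ -295,32 +265,48 @@ sets `protocol 'nsupdate'`, but the :rfc:`2136` section above documents no `protocol` command (it is introduced later and only for ``custom`` providers), so a reader following that section cannot reproduce the example; add a `protocol` cfgcmd to the RFC 2136 section or state there that `protocol nsupdate` is required. The rendered ddclient comment "# Web service dynamic DNS configuration for VyOS-DNS: [nsupdate, example.vyos.io]" is misleading for an nsupdate entry; if the template emits that string, it needs correcting there as well.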
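Review bot: in the hunk at @@ -335,40 +321,43 @@, the `address interface` and `description` entries are duplicated verbatim from the RFC 2136 section; move them into a section common to both update methods instead. The hunk also drops "For Namecheap, set the <domain> you wish to update." without a replacement, losing provider-specific guidance that is still valid under the new syntax; restore it unless it was wrong. The `ip-version 'ipv6'` entry keeps the description written for the old `ipv6-enable` flag ("Allow explicit IPv6 address for the interface"); since the node now takes a value, list the accepted values. Several added lines ("+   " after the description cfgcmd, "update the IP    ") carry trailing whitespace.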
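Review bot: in the hunk at @@ -376,14 +365,17 @@, the retained note "Multiple services can be used per interface. Just specify as many services per interface as you like!" describes the old `address <interface> service <service>` layout; with the schema now keyed by `name <service-name>`, reword it to say that several `name` entries may reference the same `address interface`.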
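Review bot: the IPv6-only example in the hunk at @@ -393,12 +385,14 @@ reuses the service name `dedyn` from the preceding example; because `name` is the configuration key, entering both examples on one system yields a single entry whose `description` and `server` are overwritten by the second and which carries `ip-version 'ipv6'`, which is not what either example intends. Use a distinct name such as `dedyn6` here.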
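Review bot: in the hunk at @@ -408,21 +402,15 @@, the new text "ddclient_ has another way to determine the WAN IP address. This is controlled by:" loses the one fact the removed paragraph carried, namely that `address web <url>` is used in place of `address interface <interface>` for a service whose public address must be discovered externally; state that explicitly. Since whatever ddclient extracts from the response becomes the published record, the entry for `address web <url>` should also recommend an https URL from a lookup service the operator trusts. Minor: "ddclient_ will load `<url>` and tries to extract" should read "loads `<url>` and tries to extract".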
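Review bot: in the router-advert hunk at @@ -73,30 +74,48 @@, "/64 or 96" in the NAT64 prefix note is missing the slash ("/96"), and the csv-table added under it documents a single field, `valid-lifetime`, with no sentence tying it to the `nat64prefix` command; either say this is the lifetime advertised with the PREF64 option for that prefix, or drop the table. In the example text, "beeing" should be "being", and "well known NAT64 prefix" should be "well-known NAT64 prefix".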
