diff options
Diffstat (limited to 'docs/configuration/service')
| -rw-r--r-- | docs/configuration/service/conntrack-sync.rst | 4 | ||||
| -rw-r--r-- | docs/configuration/service/dns.rst | 198 | ||||
| -rw-r--r-- | docs/configuration/service/ipoe-server.rst | 472 | ||||
| -rw-r--r-- | docs/configuration/service/pppoe-server.rst | 538 | ||||
| -rw-r--r-- | docs/configuration/service/router-advert.rst | 8 |
5 files changed, 861 insertions, 359 deletions
diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index 468b39d9..d43f2385 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -98,6 +98,10 @@ Configuration This diable the external cache and directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall. +.. cfgcmd:: set service conntrack-sync disable-syslog + + Disable connection logging via Syslog. + ********* Operation ********* diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index e430dc73..c6deb179 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -143,33 +143,6 @@ avoid being tracked by the provider of your upstream DNS server. 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream DNS server(s) to be used for reverse lookups of these zones. -.. cfgcmd:: set service dns forwarding serve-stale-extension <0-65535> - - Maximum number of times an expired record’s TTL is extended by 30s when - serving stale. Extension only occurs if a record cannot be refreshed. A - value of 0 means the Serve Stale mechanism is not used. To allow records - becoming stale to be served for an hour, use a value of 120. - -.. cfgcmd:: set service dns forwarding exclude-throttle-address <ip|prefix> - - When an authoritative server does not answer a query or sends a reply the - recursor does not like, it is throttled. Any servers matching the supplied - netmasks will never be throttled. - -.. cfgcmd:: set service dns forwarding options ecs-add-for <address> - - The requestor netmask for which the requestor IP Address should be used as the - EDNS Client Subnet for outgoing queries. - -.. cfgcmd:: set service dns forwarding options ecs-ipv4-bits <number> - - Number of bits of client IPv4 address to pass when sending EDNS Client Subnet - address information. - -.. cfgcmd:: set service dns forwarding options edns-subnet-allow-list <address|domain> - - The netmask or domain that EDNS Client Subnet should be enabled for in outgoing queries. - Example ======= @@ -231,8 +204,8 @@ this only one purpose. ddclient_ uses two methods to update a DNS record. The first one will send updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second -one involves a third party service, like DynDNS.com or any other similar -website. This method uses HTTP requests to transmit the new IP address. You +one involves a third party service, like DynDNS.com or any other such +service provider. This method uses HTTP requests to transmit the new IP address. You can configure both in VyOS. .. _dns:dynmaic_config: @@ -243,46 +216,43 @@ Configuration :rfc:`2136` Based ----------------- -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> - Create new :rfc:`2136` DNS update configuration which will update the IP + Create new dynamic DNS update configuration which will update the IP address assigned to `<interface>` on the service you configured under `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - key <keyfile> +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> key <filename> - File identified by `<keyfile>` containing the secret RNDC key shared with - remote DNS server. + File identified by `<filename>` containing the TSIG authentication key for RFC2136 + nsupdate on remote DNS server. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server> Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - zone <zone> +.. cfgcmd:: set service dns dynamic name <service-name> zone <zone> Configure DNS `<zone>` to be updated. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - record <record> +.. cfgcmd:: set service dns dynamic name <service-name> host-name <record> - Configure DNS `<record>` which should be updated. This can be set multiple - times. + Configure DNS `<record>` which should be updated. This can be set multiple times. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - ttl <ttl> +.. cfgcmd:: set service dns dynamic name <service-name> ttl <ttl> Configure optional TTL value on the given resource record. This defaults to 600 seconds. -.. cfgcmd:: set service dns dynamic timeout <60-3600> +.. cfgcmd:: set service dns dynamic interval <60-3600> - Specify timeout / update interval to check if IP address changed. - - This defaults to 300 seconds. + Specify interval in seconds to wait between Dynamic DNS updates. + The default is 300 seconds. .. _dns:dynmaic_example: @@ -295,32 +265,48 @@ Example .. code-block:: none + # Configuration commands entered: + # + set service dns dynamic name 'VyOS-DNS' address interface 'eth0' + set service dns dynamic name 'VyOS-DNS' description 'RFC 2136 dynamic dns service' + set service dns dynamic name 'VyOS-DNS' key '/config/auth/my.key' + set service dns dynamic name 'VyOS-DNS' server 'ns1.vyos.io' + set service dns dynamic name 'VyOS-DNS' zone 'vyos.io' + set service dns dynamic name 'VyOS-DNS' host-name 'example.vyos.io' + set service dns dynamic name 'VyOS-DNS' protocol 'nsupdate' + set service dns dynamic name 'VyOS-DNS' ttl '300' + + # Resulting config: + # vyos@vyos# show service dns dynamic - interface eth0.7 { - rfc2136 VyOS-DNS { - key /config/auth/my.key - record example.vyos.io - server ns1.vyos.io - ttl 300 - zone vyos.io + name VyOS-DNS { + address { + interface eth0 } + description "RFC 2136 dynamic dns service" + host-name example.vyos.io + key /config/auth/my.key + protocol nsupdate + server ns1.vyos.io + ttl 300 + zone vyos.io } This will render the following ddclient_ configuration entry: .. code-block:: none + # ddclient configuration for interface "eth0": # - # ddclient configuration for interface "eth0.7": - # - use=if, if=eth0.7 - - # RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io - server=ns1.vyos.io - protocol=nsupdate - password=/config/auth/my.key - ttl=300 - zone=vyos.io + + # Web service dynamic DNS configuration for VyOS-DNS: [nsupdate, example.vyos.io] + use=if, \ + if=eth0, \ + protocol=nsupdate, \ + server=ns1.vyos.io, \ + zone=vyos.io, \ + password='/config/auth/my.key', \ + ttl=300 \ example.vyos.io .. note:: You can also keep different DNS zone updated. Just create a new @@ -335,40 +321,43 @@ VyOS is also able to use any service relying on protocols supported by ddclient. To use such a service, one must define a login, password, one or multiple hostnames, protocol and server. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - host-name <hostname> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> + + Create new dynamic DNS update configuration which will update the IP + address assigned to `<interface>` on the service you configured under + `<service-name>`. + +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> host-name <hostname> Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS - provider identified by `<service>` when the IP address on address - `<interface>` changes. + provider identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - username <username> +.. cfgcmd:: set service dns dynamic name <service-name> username <username> Configure `<username>` used when authenticating the update request for - DynDNS service identified by `<service>`. - For Namecheap, set the <domain> you wish to update. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - password <password> +.. cfgcmd:: set service dns dynamic name <service-name> password <password> Configure `<password>` used when authenticating the update request for - DynDNS service identified by `<service>`. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - protocol <protocol> +.. cfgcmd:: set service dns dynamic name <service-name> protocol <protocol> - When a ``custom`` DynDNS provider is used the protocol used for communicating + When a ``custom`` DynDNS provider is used, the protocol used for communicating to the provider must be specified under `<protocol>`. See the embedded - completion helper for available protocols. + completion helper when entering above command for available protocols. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server> When a ``custom`` DynDNS provider is used the `<server>` where update requests are being sent to must be specified. -.. cfgcmd:: set service dns dynamic address <interface> ipv6-enable +.. cfgcmd:: set service dns dynamic name <service-name> ip-version 'ipv6' Allow explicit IPv6 address for the interface. @@ -376,14 +365,17 @@ hostnames, protocol and server. Example: ^^^^^^^^ -Use DynDNS as your preferred provider: +Use deSEC (dedyn.io) as your preferred provider: .. code-block:: none - set service dns dynamic address eth0 service dyndns - set service dns dynamic address eth0 service dyndns username my-login - set service dns dynamic address eth0 service dyndns password my-password - set service dns dynamic address eth0 service dyndns host-name my-dyndns-hostname + set service dns dynamic name dedyn description 'deSEC dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn server 'update.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' .. note:: Multiple services can be used per interface. Just specify as many services per interface as you like! @@ -393,12 +385,14 @@ Example IPv6 only: .. code-block:: none - set service dns dynamic address eth0 ipv6-enable - set service dns dynamic address eth0 service dyndns6 username my-login - set service dns dynamic address eth0 service dyndns6 password my-password - set service dns dynamic address eth0 service dyndns6 host-name my-dyndns-hostname - set service dns dynamic address eth0 service dyndns6 protocol dyndns2 - set service dns dynamic address eth0 service dyndns6 server dyndns-v6-server + set service dns dynamic name dedyn description 'deSEC ipv6 dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn ip-version 'ipv6' + set service dns dynamic name dedyn server 'update6.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' Running Behind NAT @@ -408,21 +402,15 @@ By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP. -Above, command syntax isn noted to configure dynamic dns on a specific interface. -It is possible to overlook the additional address option, web, when completeing -those commands. ddclient_ has another way to determine the WAN IP address, using -a web-based url to determine the external IP. Each of the commands above will -need to be modified to use 'web' as the 'interface' specified if this functionality -is to be utilized. - -This functionality is controlled by adding the following configuration: +ddclient_ has another way to determine the WAN IP address. This is controlled +by: -.. cfgcmd:: set service dns dynamic address web web-options url <url> +.. cfgcmd:: set service dns dynamic name <service-name> address web <url> Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` and tries to extract your IP address from the response. -.. cfgcmd:: set service dns dynamic address web web-options skip <pattern> +.. cfgcmd:: set service dns dynamic name <service-name> address web skip <pattern> ddclient_ will skip any address located before the string set in `<pattern>`. diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index ed4ade1a..64048552 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst @@ -1,5 +1,3 @@ -.. include:: /_include/need_improvement.txt - .. _ipoe_server: ########### @@ -24,8 +22,9 @@ functionality as PPPoE, but in a less robust manner. will restart the ppp daemon and will reset existing IPoE sessions, in order to become effective. -Configuration -============= +*********************** +Configuring IPoE Server +*********************** IPoE can be configure on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The clients mac address @@ -39,158 +38,413 @@ the configuration. .. code-block:: none - set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 - set service ipoe-server authentication mode 'local' - set service ipoe-server name-server '10.10.1.1' - set service ipoe-server name-server '10.10.1.2' - set service ipoe-server interface eth2 client-subnet '192.168.0.0/24' + set interfaces ethernet eth1 address '192.168.0.1/24' + set service ipoe-server authentication interface eth1.100 mac 00:50:79:66:68:00 + set service ipoe-server authentication interface eth1.101 mac 00:50:79:66:68:01 + set service ipoe-server authentication mode 'local' + set service ipoe-server client-ip-pool IPOE-POOL range '192.168.0.2-192.168.0.254' + set service ipoe-server default-pool 'IPOE-POOL' + set service ipoe-server gateway-address '192.168.0.1/24' + set service ipoe-server interface eth1 mode 'l2' + set service ipoe-server interface eth1 network 'vlan' + set service ipoe-server interface eth1 vlan '100-200' -The first address of the parameter ``client-subnet``, will be used as the -default gateway. Connected sessions can be checked via the ``show ipoe-server -sessions`` command. +.. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC> -.. code-block:: none + Creates local IPoE user with username=**<interface>** and + password=**<MAC>** (mac-address) - vyos@vyos:~$ show ipoe-server sessions +.. cfgcmd:: set service ipoe-server authentication mode <local | radius> - ifname | called-sid | calling-sid | ip | ip6 | ip6-dp | rate-limit | state | uptime | sid - -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------ - ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | | active | 00:45:05 | dccc870fd3134612 + Set authentication backend. The configured authentication backend is used + for all queries. + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled -IPv6 SLAAC and IA-PD --------------------- +.. cfgcmd:: set service ipoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> -To configure IPv6 assignments for clients, two options need to be configured. -A global prefix which is terminated on the clients cpe and a delegated prefix, -the client can use for devices routed via the clients cpe. + Use this command to define the first IP address of a pool of + addresses to be given to IPoE clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. -IPv6 DNS addresses are optional. +.. cfgcmd:: set service ipoe-server default-pool <POOL-NAME> -.. code-block:: none + Use this command to define default address pool name. - set service ipoe-server authentication interface eth3 mac 08:00:27:2F:D8:06 - set service ipoe-server authentication mode 'local' - set service ipoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:1::/48' delegation-prefix '56' - set service ipoe-server client-ipv6-pool IPv6-POOL prefix '2001:db8::/48' mask '64' - set service ipoe-server default-ipv6-pool IPv6-POOL - set service ipoe-server name-server '2001:db8::' - set service ipoe-server name-server '2001:db8:aaa::' - set service ipoe-server name-server '2001:db8:bbb::' - set service ipoe-server interface eth3 client-subnet '192.168.1.0/24' +.. cfgcmd:: set service ipoe-server gateway-address <x.x.x.x/x> + + Specifies address to be used as server ip address if radius can assign + only client address. In such case if client address is matched network + and mask then specified address and mask will be used. You can specify + multiple such options. + +.. cfgcmd:: set service ipoe-server interface <interface> mode <l2 | l3> + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **l2**: It means that clients are on same network where interface + is.**(default)** + * **local**: It means that client are behind some router. + +.. cfgcmd:: set service ipoe-server interface <interface> network <shared | vlan> + + Specify where interface is shared by multiple users or it is vlan-per-user. + + * **shared**: Multiple clients share the same network. **(default)** + * **vlan**: One VLAN per client. .. code-block:: none - vyos@ipoe-server# run sh ipoe-server sessions - ifname | called-sid | calling-sid | ip | ip6 | ip6-dp | rate-limit | state | uptime | sid - -------+------------+-------------------+-------------+---------------------------------+-----------------+------------+--------+----------+------------------ - ipoe0 | eth3 | 08:00:27:2f:d8:06 | 192.168.1.2 | 2001:db8::a00:27ff:fe2f:d806/64 | 2001:db8:1::/56 | | active | 01:02:59 | 4626faf71b12cc25 + vyos@vyos:~$ show ipoe-server sessions + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + --------+----------+-------------------+-------------+------------+------+------+--------+---------- + ipoe0 | eth1.100 | 00:50:79:66:68:00 | 192.168.0.2 | | ipoe | | active | 00:04:55 + ipoe1 | eth1.101 | 00:50:79:66:68:01 | 192.168.0.3 | | ipoe | | active | 00:04:44 -The clients :abbr:`CPE (Customer Premises Equipment)` can now communicate via -IPv4 or IPv6. All devices behind ``2001:db8::a00:27ff:fe2f:d806/64`` can use -addresses from ``2001:db8:1::/56`` and can globally communicate without the -need of any NAT rules. -Automatic VLAN creation ------------------------ +********************************* +Configuring RADIUS authentication +********************************* -To create VLANs per user during runtime, the following settings are required on -a per interface basis. VLAN ID and VLAN range can be present in the -configuration at the same time. +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. .. code-block:: none - set service ipoe-server interface eth2 network vlan - set service ipoe-server interface eth2 vlan-id 100 - set service ipoe-server interface eth2 vlan-id 200 - set service ipoe-server interface eth2 vlan-range 1000-2000 - set service ipoe-server interface eth2 vlan-range 2500-2700 + set service ipoe-server authentication mode radius + +.. cfgcmd:: set service ipoe-server authentication radius server <server> key <secret> -RADIUS Setup ------------- + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. -To use a RADIUS server for authentication and bandwidth-shaping, the following -example configuration can be used. +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: .. code-block:: none - set service ipoe-server authentication mode 'radius' - set service ipoe-server authentication radius server 10.100.100.1 key 'password' + set service ipoe-server authentication radius server 10.0.0.1 key 'foo' + set service ipoe-server authentication radius server 10.0.0.2 key 'foo' -Bandwidth Shaping -================= +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -Bandwidth rate limits can be set for local users within the configuration or -via RADIUS based attributes. +RADIUS source address +===================== -Bandwidth Shaping for local users ---------------------------------- +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -The rate-limit is set in kbit/sec. +.. cfgcmd:: set service ipoe-server authentication radius source-address <address> -.. code-block:: none + Source IPv4 address used in all RADIUS server queires. + +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. + +RADIUS advanced options +======================= + +.. cfgcmd:: set service ipoe-server authentication radius server <server> port <port> + + Configure RADIUS `<server>` and its required port for authentication requests. + +.. cfgcmd:: set service ipoe-server authentication radius server <server> fail-time <time> + + Mark RADIUS server as offline for this given `<time>` in seconds. + +.. cfgcmd:: set service ipoe-server authentication radius server <server> disable + + Temporary disable this RADIUS server. + +.. cfgcmd:: set service ipoe-server authentication radius acct-timeout <timeout> + + Timeout to wait reply for Interim-Update packets. (default 3 seconds) + +.. cfgcmd:: set service ipoe-server authentication radius dynamic-author server <address> + + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set service ipoe-server authentication radius dynamic-author port <port> + + Port for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set service ipoe-server authentication radius dynamic-author key <secret> + + Secret for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set service ipoe-server authentication radius max-try <number> + + Maximum number of tries to send Access-Request/Accounting-Request queries + +.. cfgcmd:: set service ipoe-server authentication radius timeout <timeout> + + Timeout to wait response from server (seconds) + +.. cfgcmd:: set service ipoe-server authentication radius nas-identifier <identifier> + + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. + +.. cfgcmd:: set service ipoe-server authentication radius nas-ip-address <address> + + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. + +.. cfgcmd:: set service ipoe-server authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. cfgcmd:: set service ipoe-server authentication radius rate-limit attribute <attribute> + + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is `Filter-Id`. + +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + +.. cfgcmd:: set service ipoe-server authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set service ipoe-server authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. - set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit download '500' - set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit upload '500' - set service ipoe-server authentication mode 'local' - set service ipoe-server name-server '10.10.1.1' - set service ipoe-server name-server '10.10.1.2' - set service ipoe-server interface eth2 client-subnet '192.168.0.0/24' +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +**** +IPv6 +**** + +.. cfgcmd:: set service ipoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an IPoE client + will get an IPv6 prefix of your defined length (mask) to terminate the + IPoE endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set service ipoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + IPoE. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set service ipoe-server default-ipv6-pool <IPv6-POOL-NAME> + + Use this command to define default IPv6 address pool name. .. code-block:: none - vyos@vyos# run show ipoe-server sessions + set service ipoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set service ipoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set service ipoe-server default-ipv6-pool IPv6-POOL + +********* +Scripting +********* + +.. cfgcmd:: set service ipoe-server extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set service ipoe-server extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set service ipoe-server extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set service ipoe-server extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC> vlan + <vlan-id> + + VLAN monitor for automatic creation of VLAN interfaces for specific user on specific <interface> + +.. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for user on interface `<interface>`. + +.. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for for user on interface `<interface>`. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set service ipoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> - ifname | called-sid | calling-sid | ip | ip6 | ip6-dp | rate-limit | state | uptime | sid - -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------ - ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | 500/500 | active | 00:00:05 | dccc870fd31349fb + Use this command to define the next address pool name. -Example -======= +Advanced Interface Options +============================== -* IPoE server will listen on interfaces eth1.50 and eth1.51 -* There are rate-limited and non rate-limited users (MACs) +.. cfgcmd:: set service ipoe-server interface <interface> client-subnet <x.x.x.x/x> -Server configuration --------------------- + Specify local range of ip address to give to dhcp clients. First IP in range is router IP. + If you need more customization use `client-ip-pool` + +.. cfgcmd:: set service ipoe-server interface <interface> external-dhcp dhcp-relay <x.x.x.x> + + Specify DHCPv4 relay IP address to pass requests to. If specified giaddr is also needed. + +.. cfgcmd:: set service ipoe-server interface <interface> external-dhcp giaddr <x.x.x.x> + + Specifies relay agent IP addre + + +Global Advanced options +======================= + +.. cfgcmd:: set service ipoe-server description <description> + + Set description. + +.. cfgcmd:: set service ipoe-server limits burst <value> + + Burst count + +.. cfgcmd:: set service ipoe-server limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set service ipoe-server limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set service ipoe-server max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set service ipoe-server name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set service ipoe-server shaper fwmark <1-2147483647> + + Match firewall mark value + +.. cfgcmd:: set service ipoe-server snmp master-agent + + Enable SNMP + +********** +Monitoring +********** + +.. opcmd:: show ipoe-server sessions + + Use this command to locally check the active sessions in the IPoE + server. .. code-block:: none - set interfaces dummy dum1000 address 100.64.0.1/32 - set interfaces dummy dum1000 address 2001:db8::1/128 + vyos@vyos:~$ show ipoe-server sessions + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + ----------+----------+-------------------+-------------+------------+------+------+--------+---------- + eth1.100 | eth1.100 | 0c:98:bd:b8:00:01 | 192.168.0.3 | | ipoe | | active | 03:03:58 - set interfaces ethernet eth1 description 'IPoE' - set interfaces ethernet eth1 vif 50 - set interfaces ethernet eth1 vif 51 +.. code-block:: none - set service ipoe-server authentication interface eth1.50 mac 00:0c:29:b7:49:a7 - set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit download '5000' - set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit upload '5000' - set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit download '50000' - set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000' - set service ipoe-server authentication mode 'local' - - set service ipoe-server client-ipv6-pool IPv6-POOL delegate 2001:db8:ffff::/48 delegation-prefix '56' - set service ipoe-server client-ipv6-pool IPv6-POOL prefix 2001:db8:fffe::/48 mask '64' - set service ipoe-server default-ipv6-pool IPv6-POOL - set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24' - set service ipoe-server interface eth1.50 mode 'l2' - set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24' - set service ipoe-server interface eth1.51 mode 'l2' - set service ipoe-server name-server '100.64.0.1' - set service ipoe-server name-server '2001:db8::1' - -Client configuration --------------------- + vyos@vyos:~$ show ipoe-server statistics + uptime: 0.03:31:36 + cpu: 0% + mem(rss/virt): 6044/101360 kB + core: + mempool_allocated: 148628 + mempool_available: 144748 + thread_count: 1 + thread_active: 1 + context_count: 10 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 6 + md_handler_pending: 0 + timer_count: 1 + timer_pending: 0 + sessions: + starting: 0 + active: 1 + finishing: 0 + ipoe: + starting: 0 + active: 1 + delayed: 0 + +************** +Toubleshooting +************** .. code-block:: none - set interfaces ethernet eth0 mac '00:0c:29:b7:49:a7' + vyos@vyos:~$sudo journalctl -u accel-ppp@ipoe -b 0 - set interfaces ethernet eth0 vif 50 address 'dhcp' - set interfaces ethernet eth0 vif 50 address 'dhcpv6' - set interfaces ethernet eth0 vif 50 dhcpv6-options pd 0 interface eth1 sla-id '1' + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:: recv [DHCPv4 Discover xid=55df9228 chaddr=0c:98:bd:b8:00:01 <Message-Type Discover> <Request-IP 192.168.0.3> <Host-Name vyos> <Request-List Subnet,Broadcast,Router,DNS,Classless-Route,Domain-Name,MTU>] + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: eth1.100: authentication succeeded + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: send [DHCPv4 Offer xid=55df9228 yiaddr=192.168.0.4 chaddr=0c:98:bd:b8:00:01 <Message-Type Offer> <Server-ID 192.168.0.1> <Lease-Time 600> <T1 300> <T2 525> <Router 192.168.0.1> <Subnet 255.255.255.0>] + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: recv [DHCPv4 Request xid=55df9228 chaddr=0c:98:bd:b8:00:01 <Message-Type Request> <Server-ID 192.168.0.1> <Request-IP 192.168.0.4> <Host-Name vyos> <Request-List Subnet,Broadcast,Router,DNS,Classless-Route,Domain-Name,MTU>] + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: ipoe: activate session + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: ipoe: no free IPv6 address + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: ipoe: session started + Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: send [DHCPv4 Ack xid=55df9228 yiaddr=192.168.0.4 chaddr=0c:98:bd:b8:00:01 <Message-Type Ack> <Server-ID 192.168.0.1> <Lease-Time 600> <T1 300> <T2 525> <Router 192.168.0.1> <Subnet 255.255.255.0>] .. include:: /_include/common-references.txt +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
\ No newline at end of file diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index 56fcb968..99b3fbb5 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -13,13 +13,20 @@ be used with local authentication or a connected RADIUS server. changes/commits will restart the ppp daemon and will reset existing PPPoE connections from connected users, in order to become effective. -Configuration -============= +************************ +Configuring PPPoE Server +************************ +.. code-block:: none -First steps ------------ - + set service pppoe-server access-concentrator PPPoE-Server + set service pppoe-server authentication mode local + set service pppoe-server authentication local-users username test password 'test' + set service pppoe-server client-ip-pool PPPOE-POOL range 192.168.255.2-192.168.255.254 + set service pppoe-server default-pool 'PPPOE-POOL' + set service pppoe-server outside-address 192.0.2.2 + set service pppoe-server gateway-address 192.168.255.1 + set service pppoe-server interface eth0 .. cfgcmd:: set service pppoe-server access-concentrator <name> @@ -28,14 +35,30 @@ First steps .. cfgcmd:: set service pppoe-server authentication mode <local | radius> - Use this command to define whether your PPPoE clients will locally - authenticate in your VyOS system or in RADIUS server. + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled. .. cfgcmd:: set service pppoe-server authentication local-users username <name> password <password> - Use this command to configure the username and the password of a - locally configured user. + Create `<user>` for local authentication on this system. The users password + will be set to `<pass>`. + +.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> + + Use this command to define the first IP address of a pool of + addresses to be given to pppoe clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME> + + Use this command to define default address pool name. .. cfgcmd:: set service pppoe-server interface <interface> @@ -44,124 +67,170 @@ First steps .. cfgcmd:: set service pppoe-server gateway-address <address> - Use this command to configure the local gateway IP address. + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. -.. cfgcmd:: set service pppoe-server name-server <address> - Use this command to set the IPv4 or IPv6 address of every Doman Name - Server you want to configure. They will be propagated to PPPoE - clients. +********************************* +Configuring RADIUS authentication +********************************* +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. -Client Address Pools --------------------- +.. code-block:: none -To automatically assign the client an IP address as tunnel endpoint, a -client IP pool is needed. The source can be either RADIUS or a -named pool. There is possibility to create multiple named pools. -Each named pool can include only one address range. To use multiple -address ranges configure ``next-pool`` option. + set service pppoe-server authentication mode radius +.. cfgcmd:: set service pppoe-server authentication radius server <server> key <secret> -**Client IP address via IP range definition** + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. -.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: - Use this command to define the IP address range to be given - to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``, - it must be within a /24 subnet. If notation ``x.x.x.x/x`` is - used there is possibility to set host/netmask. +.. code-block:: none -.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + set service pppoe-server authentication radius server 10.0.0.1 key 'foo' + set service pppoe-server authentication radius server 10.0.0.2 key 'foo' - Use this command to define the next address pool name. +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME> +RADIUS source address +===================== - Use this command to define default address pool name. +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius source-address <address> - set service pppoe-server client-ip-pool IP-POOL next-pool 'IP-POOL2' - set service pppoe-server client-ip-pool IP-POOL range '10.0.10.5/24' - set service pppoe-server client-ip-pool IP-POOL2 range '10.0.0.10-10.0.0.12' - set service pppoe-server default-pool 'IP-POOL' + Source IPv4 address used in all RADIUS server queires. +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. -**RADIUS based IP pools (Framed-IP-Address)** +RADIUS advanced options +======================= -To use a radius server, you need to switch to authentication mode RADIUS -and then configure it. +.. cfgcmd:: set service pppoe-server authentication radius server <server> port <port> -.. cfgcmd:: set service pppoe-server authentication radius server <address> - key <secret> + Configure RADIUS `<server>` and its required port for authentication requests. - Use this command to configure the IP address and the shared secret - key of your RADIUS server. You can have multiple RADIUS servers - configured if you wish to achieve redundancy. +.. cfgcmd:: set service pppoe-server authentication radius server <server> fail-time <time> + Mark RADIUS server as offline for this given `<time>` in seconds. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius server <server> disable - set service pppoe-server access-concentrator 'ACN' - set service pppoe-server authentication mode 'radius' - set service pppoe-server authentication radius server 10.1.100.1 key 'secret' - set service pppoe-server interface 'eth1' - set service pppoe-server gateway-address '10.1.1.2' + Temporary disable this RADIUS server. -RADIUS provides the IP addresses in the example above via -Framed-IP-Address. +.. cfgcmd:: set service pppoe-server authentication radius acct-timeout <timeout> -**RADIUS sessions management DM/CoA** + Timeout to wait reply for Interim-Update packets. (default 3 seconds) -.. cfgcmd:: set service pppoe-server authentication radius dynamic-author - <key | port | server> +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author server <address> - Use this command to configure Dynamic Authorization Extensions to - RADIUS so that you can remotely disconnect sessions and change some - authentication parameters. + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author port <port> - set service pppoe-server authentication radius dynamic-author key 'secret123' - set service pppoe-server authentication radius dynamic-author port '3799' - set service pppoe-server authentication radius dynamic-author server '10.1.1.2' + Port for Dynamic Authorization Extension server (DM/CoA) +.. cfgcmd:: set service pppoe-server authentication radius dynamic-author key <secret> -Example, from radius-server send command for disconnect client with -username test + Secret for Dynamic Authorization Extension server (DM/CoA) -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius max-try <number> - root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799 - disconnect secret123 + Maximum number of tries to send Access-Request/Accounting-Request queries -You can also use another attributes for identify client for disconnect, -like Framed-IP-Address, Acct-Session-Id, etc. Result commands appears in -log. +.. cfgcmd:: set service pppoe-server authentication radius timeout <timeout> -.. code-block:: none + Timeout to wait response from server (seconds) - show log | match Disconnect* +.. cfgcmd:: set service pppoe-server authentication radius nas-identifier <identifier> -Example for changing rate-limit via RADIUS CoA. + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius nas-ip-address <address> + + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. + +.. cfgcmd:: set service pppoe-server authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. cfgcmd:: set service pppoe-server authentication radius rate-limit attribute <attribute> + + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is ``Filter-Id``. - echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa - secret123 +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. -Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit -up-stream rate) If attribute Filter-Id redefined, replace it in RADIUS -CoA request. +.. cfgcmd:: set service pppoe-server authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set service pppoe-server authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + + +*********************** Automatic VLAN Creation ------------------------ +*********************** .. cfgcmd:: set service pppoe-server interface <interface> vlan <id | range> VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module - named `vlan_mon`, which is monitoring incoming vlans and creates the + named ``vlan_mon``, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface. @@ -177,21 +246,26 @@ Automatic VLAN Creation set service pppoe-server interface eth3 vlan 500-1000 set service pppoe-server interface eth3 vlan 2000-3000 - +***************** Bandwidth Shaping ------------------ +***************** Bandwidth rate limits can be set for local users or RADIUS based attributes. For Local Users -^^^^^^^^^^^^^^^ +=============== + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. -.. cfgcmd:: set service pppoe-server authentication local-users username <name> - rate-limit <download | upload> +.. cfgcmd:: set service pppoe-server authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. - Use this command to configure a data-rate limit to PPPOoE clients for - traffic download or upload. The rate-limit is set in kbit/sec. .. code-block:: none @@ -209,7 +283,7 @@ For Local Users Once the user is connected, the user session is using the set limits and -can be displayed via 'show pppoe-server sessions'. +can be displayed via ``show pppoe-server sessions``. .. code-block:: none @@ -220,9 +294,9 @@ can be displayed via 'show pppoe-server sessions'. For RADIUS users -^^^^^^^^^^^^^^^^ +================ -The current attribute 'Filter-Id' is being used as default and can be +The current attribute ``Filter-Id`` is being used as default and can be setup within RADIUS: Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit @@ -238,9 +312,9 @@ setup and is working. Other attributes can be used, but they have to be in one of the dictionaries in */usr/share/accel-ppp/radius*. - +************** Load Balancing --------------- +************** .. cfgcmd:: set service pppoe-server pado-delay <number-of-ms> @@ -262,71 +336,222 @@ allows other PPPoE servers send PADO faster and clients will connect to other servers. Last command says that this PPPoE server can serve only 3000 clients. - +**** IPv6 ----- +**** -IPv6 client's prefix -^^^^^^^^^^^^^^^^^^^^ +.. cfgcmd:: set service pppoe-server ppp-options ipv6 <require | prefer | allow | deny> -.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> - prefix <address> mask <number-of-bits> + Specifies IPv6 negotiation preference. - Use this comand to set the IPv6 address pool from which a PPPoE - client will get an IPv6 prefix of your defined length (mask) to - terminate the PPPoE endpoint at their side. The mask length can be - set from 48 to 128 bit long, the default value is 64. + * **require** - Require IPv6 negotiation + * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv6 only if client requests + * **deny** - Do not negotiate IPv6 (default value) +.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> -IPv6 Prefix Delegation -^^^^^^^^^^^^^^^^^^^^^^ + Use this comand to set the IPv6 address pool from which an PPPoE client + will get an IPv6 prefix of your defined length (mask) to terminate the + PPPoE endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. -.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> - delegate <address> delegation-prefix <number-of-bits> +.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> - Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You - will have to set your IPv6 pool and the length of the delegation - prefix. From the defined IPv6 pool you will be handing out networks - of the defined length (delegation-prefix). The length of the - delegation prefix can be set from 32 to 64 bit long. + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + PPPoE. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. +.. cfgcmd:: set service pppoe-server default-ipv6-pool <IPv6-POOL-NAME> -IPv6 default client's pool assignment -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Use this command to define default IPv6 address pool name. -.. cfgcmd:: set service pppoe-server default-ipv6-pool <POOL-NAME> +.. code-block:: none - Use this command to define default IPv6 address pool name. + set service pppoe-server ppp-options ipv6 allow + set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server default-ipv6-pool IPv6-POOL +IPv6 Advanced Options +===================== +.. cfgcmd:: set service pppoe-server ppp-options ipv6-accept-peer-interface-id -Maintenance mode -================ + Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set service pppoe-server ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies fixed or random interface identifier for IPv6. + By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set service pppoe-server ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies peer interface identifier for IPv6. By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + * **ipv4-addr** - Calculate interface identifier from IPv4 address. + * **calling-sid** - Calculate interface identifier from calling-station-id. + +********* +Scripting +********* -.. opcmd:: set pppoe-server maintenance-mode <enable | disable> +.. cfgcmd:: set service pppoe-server extended-scripts on-change <path_to_script> - For network maintenance, it's a good idea to direct users to a backup - server so that the primary server can be safely taken out of service. - It's possible to switch your PPPoE server to maintenance mode where - it maintains already established connections, but refuses new - connection attempts. + Script to run when session interface changed by RADIUS CoA handling +.. cfgcmd:: set service pppoe-server extended-scripts on-down <path_to_script> -Checking connections + Script to run when session interface going to terminate + +.. cfgcmd:: set service pppoe-server extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set service pppoe-server extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set service pppoe-server authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set service pppoe-server authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options ==================== -.. opcmd:: show pppoe-server sessions +.. cfgcmd:: set service pppoe-server ppp-options disable-ccp - Use this command to locally check the active sessions in the PPPoE - server. + Disable Compression Control Protocol (CCP). + CCP is enabled by default. +.. cfgcmd:: set service pppoe-server ppp-options interface-cache <number> -.. code-block:: none + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. - show pppoe-server sessions - ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes - -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- - ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B +.. cfgcmd:: set service pppoe-server ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. + + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 + +.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-failure <number> + + Defines the maximum `<number>` of unanswered echo requests. Upon reaching the + value `<number>`, the session will be reset. Default value is **3**. + +.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-interval <interval> + + If this option is specified and is greater than 0, then the PPP module will + send LCP pings of the echo request every `<interval>` seconds. + Default value is **30**. + +.. cfgcmd:: set service pppoe-server ppp-options lcp-echo-timeout + + Specifies timeout in seconds to wait for any peer activity. If this option + specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" + is not used. Default value is **0**. + +.. cfgcmd:: set service pppoe-server ppp-options min-mtu <number> + + Defines minimum acceptable MTU. If client will try to negotiate less then + specified MTU then it will be NAKed or disconnected if rejects greater MTU. + Default value is **100**. + +.. cfgcmd:: set service pppoe-server ppp-options mppe <require | prefer | deny> + + Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation + preference. + * **require** - ask client for mppe, if it rejects drop connection + * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) + * **deny** - deny mppe + + Default behavior - don't ask client for mppe, but allow it if client wants. + Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy + attribute. + +.. cfgcmd:: set service pppoe-server ppp-options mru <number> + + Defines preferred MRU. By default is not defined. + +Global Advanced options +======================= + +.. cfgcmd:: set service pppoe-server description <description> + + Set description. + +.. cfgcmd:: set service pppoe-server limits burst <value> + + Burst count + +.. cfgcmd:: set service pppoe-server limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set service pppoe-server limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set service pppoe-server mtu + + Maximum Transmission Unit (MTU) (default: **1492**) + +.. cfgcmd:: set service pppoe-server max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set service pppoe-server name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set service pppoe-server service-name <names> + + Specifies Service-Name to respond. If absent any Service-Name is + acceptable and client’s Service-Name will be sent back. Also possible + set multiple service-names: `sn1,sn2,sn3` Per default the user session is being replaced if a second authentication request succeeds. Such session requests can be either @@ -335,23 +560,48 @@ user in the latter case. If it is denied, the second session is being rejected even if the authentication succeeds, the user has to terminate its first session and can then authentication again. -.. code-block:: none +.. cfgcmd:: set service pppoe-server session-control + + * **disable**: Disables session control. + * **deny**: Deny second session authorization. + * **replace**: Terminate first session when second is authorized **(default)** + +.. cfgcmd:: set service pppoe-server shaper fwmark <1-2147483647> - vyos@# set service pppoe-server session-control - Possible completions: - disable Disables session control - deny Deny second session authorization + Match firewall mark value +.. cfgcmd:: set service pppoe-server snmp master-agent + Enable SNMP +.. cfgcmd:: set service pppoe-server wins-server <address> + Windows Internet Name Service (WINS) servers propagated to client + +********** +Monitoring +********** + +.. opcmd:: show pppoe-server sessions + + Use this command to locally check the active sessions in the PPPoE + server. + + +.. code-block:: none + + show pppoe-server sessions + ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + -------+----------+------------+-------------------+-------------+--------+----------+----------+---------- + ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B +******** Examples -======== +******** IPv4 ----- +==== The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates at the local endpoint @@ -372,9 +622,9 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation --------------------------------------------------------- +======================================================== -The example below covers a dual-stack configuration via pppoe-server. +The example below covers a dual-stack configuration. .. code-block:: none @@ -392,7 +642,7 @@ The example below covers a dual-stack configuration via pppoe-server. set service pppoe-server gateway-address '10.100.100.1' The client, once successfully authenticated, will receive an IPv4 and an -IPv6 /64 address to terminate the pppoe endpoint on the client side and +IPv6 /64 address to terminate the PPPoE endpoint on the client side and a /56 subnet for the clients internal use. .. code-block:: none @@ -403,3 +653,5 @@ a /56 subnet for the clients internal use. ppp0 | test | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb | | active | 00:00:49 | 875 B | 2.1 KiB .. include:: /_include/common-references.txt +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
\ No newline at end of file diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index eb1a6844..f179153a 100644 --- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst @@ -26,7 +26,7 @@ Supported interface types: Enabling Advertisments ~~~~~~~~~~~~~~~~~~~~~~~ -.. cfgcmd:: set service router-advert interface <interface> .... +.. cfgcmd:: set service router-advert interface <interface> ... .. stop_vyoslinter @@ -52,7 +52,11 @@ Enabling Advertisments Advertising a Prefix '''''''''''''''''''' -.. cfgcmd:: set service router-advert interface <interface> prefix 2001:DB8::/32 +.. cfgcmd:: set service router-advert interface <interface> prefix <prefix/mask> + + .. note:: You can also opt for using `::/64` as prefix for your :abbr:`RAs (Router + Advertisements)`. This will take the IPv6 GUA prefix assigned to the interface, + which comes in handy when using DHCPv6-PD. .. stop_vyoslinter |