Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/highavailability/index.rst | 114
-rw-r--r-- | docs/configuration/policy/route.rst | 133
2 files changed, 180 insertions, 67 deletions
diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 7a7b4473..4a279213 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -53,6 +53,18 @@ IPv6 support The ``address`` parameter can be either an IPv4 or IPv6 address, but you can not mix IPv4 and IPv6 in the same group, and will need to create groups with different VRIDs specially for IPv4 and IPv6. +If you want to use IPv4 + IPv6 address you can use option ``excluded-address`` + +Address +------- +The ``address`` can be configured either on the VRRP interface or on not VRRP +interface. + +.. code-block:: none + + set high-availability vrrp group Foo address 192.0.2.1/24 + set high-availability vrrp group Foo address 203.0.113.22/24 interface eth2 + set high-availability vrrp group Foo address 198.51.100.33/24 interface eth3 Disabling a VRRP group ---------------------- @@ -67,6 +79,19 @@ A disabled group will be removed from the VRRP process and your router will not participate in VRRP for that VRID. It will disappear from operational mode commands output, rather than enter the backup state. +Exclude address +--------------- + +Exclude IP addresses from ``VRRP packets``. This option ``excluded-address`` is +used when you want to set IPv4 + IPv6 addresses on the same virtual interface +or when used more than 20 IP addresses. + +.. code-block:: none + + set high-availability vrrp group Foo excluded-address '203.0.113.254/24' + set high-availability vrrp group Foo excluded-address '2001:db8:aa::1/64' + set high-availability vrrp group Foo excluded-address '2001:db8:22::1/64' + Setting VRRP group priority --------------------------- 
@@ -142,6 +167,23 @@ seconds, use: set high-availability vrrp group Foo preempt-delay 180 +Track +----- + +Track option to track non VRRP interface states. VRRP changes status to +``FAULT`` if one of the track interfaces in state ``down``. + +.. code-block:: none + + set high-availability vrrp group Foo track interface eth0 + set high-availability vrrp group Foo track interface eth1 + +Ignore VRRP main interface faults + +.. code-block:: none + + set high-availability vrrp group Foo track exclude-vrrp-interface + Unicast VRRP ------------ 
@@ -217,3 +259,75 @@ and the ``/config/scripts/vrrp-master.sh`` when the router becomes the master: set high-availability vrrp group Foo transition-script master "/config/scripts/vrrp-master.sh Foo" To know more about scripting, check the :ref:`command-scripting` section. + +Virtual-server +-------------- +.. include:: /_include/need_improvement.txt + +Virtual Server allows to Load-balance traffic destination virtual-address:port +between several real servers. + +Algorithm +^^^^^^^^^ +Load-balancing schedule algorithm: + +* round-robin +* weighted-round-robin +* least-connection +* weighted-least-connection +* source-hashing +* destination-hashing +* locality-based-least-connection + +.. code-block:: none + + set high-availability virtual-server 203.0.113.1 algorithm 'least-connection' + +Forward method +^^^^^^^^^^^^^^ +* NAT +* direct +* tunnel + +.. code-block:: none + + set high-availability virtual-server 203.0.113.1 forward-method 'nat' + + +Real server +^^^^^^^^^^^ +Real server IP address and port + +.. code-block:: none + + set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '80' + + +Example +^^^^^^^ +Virtual-server can be configured with VRRP virtual address or without VRRP. + +In the next example all traffic destined to ``203.0.113.1`` and port ``8280`` +protocol TCP is balanced between 2 real servers ``192.0.2.11`` and +``192.0.2.12`` to port ``80`` + +Real server is auto-excluded if port check with this server fail. + +.. 
code-block:: none + + set interfaces ethernet eth0 address '203.0.113.11/24' + set interfaces ethernet eth1 address '192.0.2.1/24' + set high-availability vrrp group FOO interface 'eth0' + set high-availability vrrp group FOO no-preempt + set high-availability vrrp group FOO priority '150' + set high-availability vrrp group FOO address '203.0.113.1/24' + set high-availability vrrp group FOO vrid '10' + + set high-availability virtual-server 203.0.113.1 algorithm 'source-hashing' + set high-availability virtual-server 203.0.113.1 delay-loop '10' + set high-availability virtual-server 203.0.113.1 forward-method 'nat' + set high-availability virtual-server 203.0.113.1 persistence-timeout '180' + set high-availability virtual-server 203.0.113.1 port '8280' + set high-availability virtual-server 203.0.113.1 protocol 'tcp' + set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '80' + set high-availability virtual-server 203.0.113.1 real-server 192.0.2.12 port '80' diff --git a/docs/configuration/policy/route.rst b/docs/configuration/policy/route.rst index ffbe85b2..0aa43232 100644 --- a/docs/configuration/policy/route.rst +++ b/docs/configuration/policy/route.rst 
@@ -12,27 +12,27 @@ Configuration Route ===== -.. cfgcmd:: set policy route <text> +.. cfgcmd:: set policy route <name> This command creates a new route policy, identified by <text>. -.. cfgcmd:: set policy route <text> description <text> +.. cfgcmd:: set policy route <name> description <text> Set description for the route policy. -.. cfgcmd:: set policy route <text> enable-default-log +.. cfgcmd:: set policy route <name> enable-default-log Option to log packets hitting default-action. -.. cfgcmd:: set policy route <text> rule <1-9999> description <text> +.. cfgcmd:: set policy route <name> rule <n> description <text> Set description for rule in route policy. -.. cfgcmd:: set policy route <text> rule <1-9999> action drop +.. cfgcmd:: set policy route <name> rule <n> action drop Set rule action to drop. -.. cfgcmd:: set policy route <text> rule <1-9999> destination address +.. cfgcmd:: set policy route <name> rule <n> destination address <match_criteria> Set match criteria based on destination address, where <match_criteria> @@ -45,13 +45,13 @@ Route * !<x.x.x.x/x>: Match everything except the specified subnet. * !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range. -.. cfgcmd:: set policy route <text> rule <1-9999> destination group +.. cfgcmd:: set policy route <name> rule <n> destination group <address-group|network-group|port-group> <text> Set destination match criteria based on groups, where <text> would be the group name/identifier. -.. cfgcmd:: set policy route <text> rule <1-9999> destination port +.. cfgcmd:: set policy route <name> rule <n> destination port <match_criteria> Set match criteria based on destination port, where <match_criteria> could 
@@ -65,11 +65,11 @@ Route whole list can also be "negated" using '!'. For example: '!22,telnet,http,123,1001-1005' -.. cfgcmd:: set policy route <text> rule <1-9999> disable +.. cfgcmd:: set policy route <name> rule <n> disable Option to disable rule. -.. cfgcmd:: set policy route <text> rule <1-9999> fragment +.. cfgcmd:: set policy route <name> rule <n> fragment <match-grag|match-non-frag> Set IP fragment match, where: @@ -77,12 +77,12 @@ Route * match-frag: Second and further fragments of fragmented packets. * match-non-frag: Head fragments or unfragmented packets. -.. cfgcmd:: set policy route <text> rule <1-9999> icmp <code|type|type-name> +.. cfgcmd:: set policy route <name> rule <n> icmp <code|type|type-name> Set ICMP match criterias, based on code and/or types. Types could be referenced by number or by name. -.. cfgcmd:: set policy route <text> rule <1-9999> ipsec +.. cfgcmd:: set policy route <name> rule <n> ipsec <match-ipsec|match-none> Set IPSec inbound match criterias, where: 
@@ -90,54 +90,54 @@ Route * match-ipsec: match inbound IPsec packets. * match-none: match inbound non-IPsec packets. -.. cfgcmd:: set policy route <text> rule <1-9999> limit burst <0-4294967295> +.. cfgcmd:: set policy route <name> rule <n> limit burst <0-4294967295> Set maximum number of packets to alow in excess of rate -.. cfgcmd:: set policy route <text> rule <1-9999> limit rate <text> +.. cfgcmd:: set policy route <name> rule <n> limit rate <text> Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, hour or day.For example 1/second implies rule to be matched at an average of once per second. -.. cfgcmd:: set policy route <text> rule <1-9999> log <enable|disable> +.. cfgcmd:: set policy route <name> rule <n> log <enable|disable> Option to enable or disable log matching rule. -.. cfgcmd:: set policy route <text> rule <1-9999> log <text> +.. cfgcmd:: set policy route <name> rule <n> log <text> Option to log matching rule. -.. cfgcmd:: set policy route <text> rule <1-9999> protocol +.. cfgcmd:: set policy route <name> rule <n> protocol <text|0-255|tcp_udp|all|!protocol> Set protocol to match. Protocol name in /etc/protocols or protocol number, or "tcp_udp" or "all". Also, protocol could be denied by using !. -.. cfgcmd:: set policy route <text> rule <1-9999> recent <count|time> +.. cfgcmd:: set policy route <name> rule <n> recent <count|time> <1-255|0-4294967295> Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than <1-255> times) and/or time (source address seen in the last <0-4294967295> seconds). -.. cfgcmd:: set policy route <text> rule <1-9999> set dscp <0-63> +.. cfgcmd:: set policy route <name> rule <n> set dscp <0-63> Set packet modifications: Packet Differentiated Services Codepoint (DSCP) -.. cfgcmd:: set policy route <text> rule <1-9999> set mark <1-2147483647> +.. 
cfgcmd:: set policy route <name> rule <n> set mark <1-2147483647> Set packet modifications: Packet marking -.. cfgcmd:: set policy route <text> rule <1-9999> set table <main|1-200> +.. cfgcmd:: set policy route <name> rule <n> set table <main|1-200> Set packet modifications: Routing table to forward packet with. -.. cfgcmd:: set policy route <text> rule <1-9999> set tcp-mss <500-1460> +.. cfgcmd:: set policy route <name> rule <n> set tcp-mss <500-1460> Set packet modifications: Explicitly set TCP Maximum segment size value. -.. cfgcmd:: set policy route <text> rule <1-9999> source address +.. cfgcmd:: set policy route <name> rule <n> source address <match_criteria> Set match criteria based on source address, where <match_criteria> could be: @@ -149,13 +149,13 @@ Route * !<x.x.x.x/x>: Match everything except the specified subnet. * !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range. -.. cfgcmd:: set policy route <text> rule <1-9999> source group +.. cfgcmd:: set policy route <name> rule <n> source group <address-group|network-group|port-group> <text> Set source match criteria based on groups, where <text> would be the group name/identifier. -.. cfgcmd:: set policy route <text> rule <1-9999> source port <match_criteria> +.. cfgcmd:: set policy route <name> rule <n> source port <match_criteria> Set match criteria based on source port, where <match_criteria> could be: 
@@ -167,52 +167,52 @@ Route list can also be "negated" using '!'. For example: '!22,telnet,http,123,1001-1005' -.. cfgcmd:: set policy route <text> rule <1-9999> state +.. cfgcmd:: set policy route <name> rule <n> state <established|invalid|new|related> <disable|enable> Set match criteria based on session state. -.. cfgcmd:: set policy route <text> rule <1-9999> tcp flags <text> +.. cfgcmd:: set policy route <name> rule <n> tcp flags <text> Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL. When specifying more than one flag, flags should be comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset. -.. cfgcmd:: set policy route <text> rule <1-9999> time monthdays <text> +.. cfgcmd:: set policy route <name> rule <n> time monthdays <text> Set monthdays to match rule on. Format for monthdays: 2,12,21. To negate add ! at the front eg. !2,12,21 -.. cfgcmd:: set policy route <text> rule <1-9999> time startdate <text> +.. cfgcmd:: set policy route <name> rule <n> time startdate <text> Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. -.. cfgcmd:: set policy route <text> rule <1-9999> time starttime <text> +.. cfgcmd:: set policy route <name> rule <n> time starttime <text> Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation. -.. cfgcmd:: set policy route <text> rule <1-9999> time stopdate <text> +.. cfgcmd:: set policy route <name> rule <n> time stopdate <text> Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append 'T' to date followed by time in 24 hour notation hh:mm:ss. 
For eg startdate value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. -.. cfgcmd:: set policy route <text> rule <1-9999> time stoptime <text> +.. cfgcmd:: set policy route <name> rule <n> time stoptime <text> Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation. -.. cfgcmd:: set policy route <text> rule <1-9999> time utc +.. cfgcmd:: set policy route <name> rule <n> time utc Interpret times for startdate, stopdate, starttime and stoptime to be UTC. -.. cfgcmd:: set policy route <text> rule <1-9999> time weekdays +.. cfgcmd:: set policy route <name> rule <n> time weekdays Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat. @@ -221,27 +221,27 @@ Route IPv6 Route ========== -.. cfgcmd:: set policy ipv6-route <text> +.. cfgcmd:: set policy route6 <name> This command creates a new IPv6 route policy, identified by <text>. -.. cfgcmd:: set policy ipv6-route <text> description <text> +.. cfgcmd:: set policy route6 <name> description <text> Set description for the IPv6 route policy. -.. cfgcmd:: set policy ipv6-route <text> enable-default-log +.. cfgcmd:: set policy route6 <name> enable-default-log Option to log packets hitting default-action. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> action drop +.. cfgcmd:: set policy route6 <name> rule <n> action drop Set rule action to drop. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> description <text> +.. cfgcmd:: set policy route6 <name> rule <n> description <text> Set description for rule in IPv6 route policy. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination address +.. cfgcmd:: set policy route6 <name> rule <n> destination address <match_criteria> Set match criteria based on destination IPv6 address, where <match_criteria> 
@@ -255,8 +255,7 @@ IPv6 Route * !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the specified range. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination port - <match_criteria> +.. cfgcmd:: set policy route6 <name> rule <n> destination port <match_criteria> Set match criteria based on destination port, where <match_criteria> could be: @@ -269,15 +268,15 @@ IPv6 Route whole list can also be "negated" using '!'. For example: '!22,telnet,http,123,1001-1005'. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> disable +.. cfgcmd:: set policy route6 <name> rule <n> disable Option to disable rule. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> icmpv6 type <icmpv6_typ> +.. cfgcmd:: set policy route6 <name> rule <n> icmpv6 type <icmpv6_typ> Set ICMPv6 match criterias, based on ICMPv6 type/code name. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> ipsec +.. cfgcmd:: set policy route6 <name> rule <n> ipsec <match-ipsec|match-none> Set IPSec inbound match criterias, where: 
@@ -285,59 +284,59 @@ IPv6 Route * match-ipsec: match inbound IPsec packets. * match-none: match inbound non-IPsec packets. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit burst +.. cfgcmd:: set policy route6 <name> rule <n> limit burst <0-4294967295> Set maximum number of packets to alow in excess of rate -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit rate <text> +.. cfgcmd:: set policy route6 <name> rule <n> limit rate <text> Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, hour or day.For example 1/second implies rule to be matched at an average of once per second. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <enable|disable> +.. cfgcmd:: set policy route6 <name> rule <n> log <enable|disable> Option to enable or disable log matching rule. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <text> +.. cfgcmd:: set policy route6 <name> rule <n> log <text> Option to log matching rule. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> protocol +.. cfgcmd:: set policy route6 <name> rule <n> protocol <text|0-255|tcp_udp|all|!protocol> Set IPv6 protocol to match. IPv6 protocol name from /etc/protocols or protocol number, or "tcp_udp" or "all". Also, protocol could be denied by using !. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> recent <count|time> +.. cfgcmd:: set policy route6 <name> rule <n> recent <count|time> <1-255|0-4294967295> Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than <1-255> times) and/or time (source address seen in the last <0-4294967295> seconds). -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set dscp <0-63> +.. cfgcmd:: set policy route6 <name> rule <n> set dscp <0-63> Set packet modifications: Packet Differentiated Services Codepoint (DSCP) -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set mark <1-2147483647> +.. 
cfgcmd:: set policy route6 <name> rule <n> set mark <1-2147483647> Set packet modifications: Packet marking. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set table <main|1-200> +.. cfgcmd:: set policy route6 <name> rule <n> set table <main|1-200> Set packet modifications: Routing table to forward packet with. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set tcp-mss +.. cfgcmd:: set policy route6 <name> rule <n> set tcp-mss <pmtu|500-1460> Set packet modifications: pmtu option automatically set to Path Maximum Transfer Unit minus 60 bytes. Otherwise, expliicitly set TCP MSS value from 500 to 1460. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source address +.. cfgcmd:: set policy route6 <name> rule <n> source address <match_criteria> Set match criteria based on IPv6 source address, where <match_criteria> @@ -351,13 +350,13 @@ IPv6 Route * !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the specified range -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source mac-address +.. cfgcmd:: set policy route6 <name> rule <n> source mac-address <MAC_address|!MAC_address> Set source match criteria based on MAC address. Declare specific MAC address to match, or match everything except the specified MAC. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source port +.. cfgcmd:: set policy route6 <name> rule <n> source port <match_criteria> Set match criteria based on source port, where <match_criteria> could be: 
@@ -370,52 +369,52 @@ IPv6 Route list can also be "negated" using '!'. For example: '!22,telnet,http,123,1001-1005'. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> state +.. cfgcmd:: set policy route6 <name> rule <n> state <established|invalid|new|related> <disable|enable> Set match criteria based on session state. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> tcp flags <text> +.. cfgcmd:: set policy route6 <name> rule <n> tcp flags <text> Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL. When specifying more than one flag, flags should be comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time monthdays <text> +.. cfgcmd:: set policy route6 <name> rule <n> time monthdays <text> Set monthdays to match rule on. Format for monthdays: 2,12,21. To negate add ! at the front eg. !2,12,21 -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time startdate <text> +.. cfgcmd:: set policy route6 <name> rule <n> time startdate <text> Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time starttime <text> +.. cfgcmd:: set policy route6 <name> rule <n> time starttime <text> Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stopdate <text> +.. cfgcmd:: set policy route6 <name> rule <n> time stopdate <text> Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append 'T' to date followed by time in 24 hour notation hh:mm:ss. 
For eg startdate value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stoptime <text> +.. cfgcmd:: set policy route6 <name> rule <n> time stoptime <text> Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time utc +.. cfgcmd:: set policy route6 <name> rule <n> time utc Interpret times for startdate, stopdate, starttime and stoptime to be UTC. -.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time weekdays +.. cfgcmd:: set policy route6 <name> rule <n> time weekdays Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat. |
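Review bot: in the @@ -53 hunk of index.rst the new Address section never says what distinguishes its three example lines: `address 192.0.2.1/24` goes on the group's own VRRP interface, while the `interface eth2` / `interface eth3` forms place the virtual address on another interface. One sentence such as "Without `interface`, the address is added to the group's VRRP interface; with `interface <name>` it is added to that interface instead" would make the block self-explanatory. Two grammar fixes are also needed: "If you want to use IPv4 + IPv6 address you can use option ``excluded-address``" has no full stop and should read "To mix IPv4 and IPv6 addresses in one group, use the ``excluded-address`` option", and "on the VRRP interface or on not VRRP interface" should be "on the VRRP interface or on a non-VRRP interface".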
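Review bot: the Exclude address section in the @@ -67 hunk of index.rst gives the syntax but not the behaviour, which is what a reader needs to operate it safely: an excluded address is still added and removed with the group's MASTER/BACKUP transitions, it is only left out of the advertisement packets, so the peer never learns it from the wire and every router in the group must carry identical `excluded-address` lines. State that explicitly, and give the reason for the limit (the advertisement carries a bounded number of addresses; the text says 20) instead of the bare "or when used more than 20 IP addresses". Style: ``VRRP packets`` is not a literal and should be plain text, and the values here are quoted ('203.0.113.254/24') while the Address section two hunks earlier leaves them unquoted; pick one form for the file.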
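Review bot: in the Track hunk (@@ -142 of index.rst) the sentence "VRRP changes status to ``FAULT`` if one of the track interfaces in state ``down``" is missing its verb ("is in state down") and says nothing about recovery, i.e. that the group leaves FAULT once the tracked interface is up again. The second example, "Ignore VRRP main interface faults" followed by `track exclude-vrrp-interface`, needs a sentence on what it changes: by default a link-down on the group's own interface also puts the group into FAULT; with this option that interface is ignored and only the listed `track interface` entries drive the FAULT state. The heading-like sentence also needs a trailing colon or full stop like the other lead-ins in the file.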
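Review bot: the Example in the @@ -217 hunk of index.rst uses four options the new Virtual-server section never documents: `delay-loop`, `persistence-timeout`, `port` and `protocol` appear in the config block but have no subsection, unlike `algorithm`, `forward-method` and `real-server`; each needs at least a one-line entry (what interval delay-loop sets, what persistence-timeout keeps sticky, the units). The Forward method list names three keywords without meaning; one line each for nat, direct and tunnel would do, and for `nat` the text should say the real servers must send return traffic back through the VyOS router (their default gateway), otherwise replies bypass the balancer and connections do not complete. "Real server is auto-excluded if port check with this server fail." should read "A real server is removed from the pool while the health check against its port fails" and belongs under Real server rather than Example. Minor: "Virtual Server allows to Load-balance traffic destination virtual-address:port" should be "Virtual server load-balances traffic destined to virtual-address:port"; the group is named `FOO` here and `Foo` everywhere else in the file.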
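Review bot: in the first route.rst hunk (@@ -12) the directives change `<text>` to `<name>` and `<1-9999>` to `<n>`, but the description "This command creates a new route policy, identified by <text>." is left as is and now refers to a placeholder the directive no longer contains; change it to `<name>`. Replacing `<1-9999>` with `<n>` also removes the only place the valid rule-number range was stated; either keep `<1-9999>` or add one sentence under the first `rule` command giving the range.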
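Review bot: the @@ -65 hunk of route.rst edits the `fragment` directive but leaves `<match-grag|match-non-frag>` on its continuation line, while the bullets right below spell the option `match-frag`; fix the typo while the directive is being touched.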
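Review bot: the @@ -90 hunk of route.rst rewrites every cfgcmd line in the limit/log/protocol/recent block but leaves the typos in the descriptions beside them: "alow" (limit burst), "day.For example" missing a space (limit rate), "seeting" (recent), and "criterias" in the icmp and ipsec entries of the previous hunk. These are one-word fixes in lines the diff already shows; take them in the same commit.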
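Review bot: in the time hunk of route.rst (@@ -167) the `stopdate` description still ends with "For eg startdate value of 2009-01-21T13:30:00 ...", copied from the startdate entry; it should read stopdate. The same copy-paste sits in the IPv6 Route time hunk (@@ -370). Also "24 hours notation" should be "24-hour notation" in the starttime and stoptime entries of both sections.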
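Review bot: the @@ -221 hunk of route.rst renames the command path from `policy ipv6-route` to `policy route6`, which is a CLI syntax change rather than the placeholder cleanup the rest of the patch performs, yet nothing in the section tells a reader which release introduced `route6` or that `ipv6-route` was the earlier spelling; one sentence on that is warranted, and any other page that attaches the policy with `set policy ipv6-route` should be updated in the same change. The description "This command creates a new IPv6 route policy, identified by <text>." has the same stale placeholder as the IPv4 section and should say `<name>`.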
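Review bot: the @@ -285 hunk of route.rst duplicates the typos of the IPv4 block ("alow", "seeting", "day.For example") and adds one of its own in the set tcp-mss entry: "expliicitly" should be "explicitly", and "Path Maximum Transfer Unit" is normally written "Path MTU (Maximum Transmission Unit)". Since this block mirrors the IPv4 one line for line, fix both copies together so they do not drift further apart.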