diff options
Diffstat (limited to 'docs/configuration')
70 files changed, 6592 insertions, 2283 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst new file mode 100644 index 00000000..9fb019c5 --- /dev/null +++ b/docs/configuration/firewall/bridge.rst @@ -0,0 +1,401 @@ +:lastproofread: 2023-11-08 + +.. _firewall-configuration: + +############################# +Bridge Firewall Configuration +############################# + +.. note:: **Documentation under development** + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding bridge, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall bridge ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * bridge + - forward + + filter + - name + + custom_name + +Traffic which is received by the router on an interface which is member of a +bridge is processed on the **Bridge Layer**. A simplified packet flow diagram +for this layer is shown next: + +.. figure:: /_static/images/firewall-bridge-packet-flow.png + +For traffic that needs to be forwared internally by the bridge, base chain is +is **forward**, and it's base command for filtering is ``set firewall bridge +forward filter ...``, which happens in stage 4, highlightened with red color. + +Custom bridge firewall chains can be create with command ``set firewall bridge +name <name> ...``. In order to use such custom chain, a rule with action jump, +and the appropiate target should be defined in a base chain. + +.. note:: **Layer 3 bridge**: + When an IP address is assigned to the bridge interface, and if traffic + is sent to the router to this IP (for example using such IP as + default gateway), then rules defined for **bridge firewall** won't + match, and firewall analysis continues at **IP layer**. + +************ +Bridge Rules +************ + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +In firewall bridge rules, the action can be: + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | return] +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + jump-target <text> + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + queue <0-65535> + + To be used only when action is set to ``queue``. Use this command to specify + queue target to use. Queue range is also supported. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + queue-options bypass + + To be used only when action is set to ``queue``. Use this command to let + packet go through firewall when no userspace software is connected to the + queue. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + queue-options fanout + + To be used only when action is set to ``queue``. Use this command to + distribute packets between several queues. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall bridge forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall bridge name <name> default-action + [accept | continue | drop | jump | queue | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall bridge name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop**. + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> log +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> log + + Enable logging for the matched packet. If this configuration command is not + present, then log is not enabled. + +.. cfgcmd:: set firewall bridge forward filter enable-default-log +.. cfgcmd:: set firewall bridge name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every defined custom chain. + +.. cfgcmd:: set firewall bridge name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the packet can be tested. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + destination mac-address <mac-address> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + destination mac-address <mac-address> +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + source mac-address <mac-address> + + Match criteria based on source and/or destination mac-address. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + vlan id <0-4096> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + vlan id <0-4096> + + Match based on vlan ID. Range is also supported. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + vlan priority <0-7> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + vlan priority <0-7> + + Match based on vlan priority(pcp). Range is also supported. + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +In this section you can find all useful firewall op-mode commands. + +General commands for firewall configuration, counter and statiscits: + +.. opcmd:: show firewall +.. opcmd:: show firewall summary +.. opcmd:: show firewall statistics + +And, to print only bridge firewall information: + +.. opcmd:: show firewall bridge +.. opcmd:: show firewall bridge forward filter +.. opcmd:: show firewall bridge forward filter rule <rule> +.. opcmd:: show firewall bridge name <name> +.. opcmd:: show firewall bridge name <name> rule <rule> + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall bridge +.. opcmd:: show log firewall bridge forward +.. opcmd:: show log firewall bridge forward filter +.. opcmd:: show log firewall bridge name <name> +.. opcmd:: show log firewall bridge forward filter rule <rule> +.. opcmd:: show log firewall bridge name <name> rule <rule> + + Show the logs of all firewall; show all bridge firewall logs; show all logs + for forward hook; show all logs for forward hook and priority filter; show + all logs for particular custom chain; show logs for specific Rule-Set. + +Example +======= + +Configuration example: + +.. code-block:: none + + set firewall bridge forward filter default-action 'drop' + set firewall bridge forward filter enable-default-log + set firewall bridge forward filter rule 10 action 'continue' + set firewall bridge forward filter rule 10 inbound-interface name 'eth2' + set firewall bridge forward filter rule 10 vlan id '22' + set firewall bridge forward filter rule 20 action 'drop' + set firewall bridge forward filter rule 20 inbound-interface group 'TRUNK-RIGHT' + set firewall bridge forward filter rule 20 vlan id '60' + set firewall bridge forward filter rule 30 action 'jump' + set firewall bridge forward filter rule 30 jump-target 'TEST' + set firewall bridge forward filter rule 30 outbound-interface name '!eth1' + set firewall bridge forward filter rule 35 action 'accept' + set firewall bridge forward filter rule 35 vlan id '11' + set firewall bridge forward filter rule 40 action 'continue' + set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11' + set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66' + set firewall bridge name TEST default-action 'accept' + set firewall bridge name TEST enable-default-log + set firewall bridge name TEST rule 10 action 'continue' + set firewall bridge name TEST rule 10 log + set firewall bridge name TEST rule 10 vlan priority '0' + +And op-mode commands: + +.. code-block:: none + + vyos@BRI:~$ show firewall bridge + Rulesets bridge Information + + --------------------------------- + bridge Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- --------------------------------------------------------------------- + 10 continue all 0 0 iifname "eth2" vlan id 22 continue + 20 drop all 0 0 iifname @I_TRUNK-RIGHT vlan id 60 + 30 jump all 2130 170688 oifname != "eth1" jump NAME_TEST + 35 accept all 2080 168616 vlan id 11 accept + 40 continue all 0 0 ether daddr 66:55:44:33:22:11 ether saddr 11:22:33:44:55:66 continue + default drop all 0 0 + + --------------------------------- + bridge Firewall "name TEST" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- -------------------------------------------------- + 10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue + default accept all 2130 170688 + + vyos@BRI:~$ + vyos@BRI:~$ show firewall bridge name TEST + Ruleset Information + + --------------------------------- + bridge Firewall "name TEST" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- -------------------------------------------------- + 10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue + default accept all 2130 170688 + + vyos@BRI:~$ + +Inspect logs: + +.. code-block:: none + + vyos@BRI:~$ show log firewall bridge + Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 + Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 + Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 + ... + vyos@BRI:~$ show log firewall bridge forward filter + Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 + Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst new file mode 100644 index 00000000..bc7b9212 --- /dev/null +++ b/docs/configuration/firewall/flowtables.rst @@ -0,0 +1,188 @@ +:lastproofread: 2023-12-26 + +.. _firewall-flowtables-configuration: + +################################# +Flowtables Firewall Configuration +################################# + +.. note:: **Documentation under development** + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding flowtables. + +.. cfgcmd:: set firewall flowtables ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * flowtable + - custom_flow_table + + ... + + +Flowtables allows you to define a fastpath through the flowtable datapath. +The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP +and UDP protocols. + +.. figure:: /_static/images/firewall-flowtable-packet-flow.png + +Once the first packet of the flow successfully goes through the IP forwarding +path (black circles path), from the second packet on, you might decide to +offload the flow to the flowtable through your ruleset. The flowtable +infrastructure provides a rule action that allows you to specify when to add +a flow to the flowtable (On forward filtering, red circle number 6) + +A packet that finds a matching entry in the flowtable (flowtable hit) is +transmitted to the output netdevice, hence, packets bypass the classic IP +forwarding path and uses the **Fast Path** (orange circles path). The visible +effect is that you do not see these packets from any of the Netfilter +hooks coming after ingress. In case that there is no matching entry in the +flowtable (flowtable miss), the packet follows the classic IP forwarding path. + +.. note:: **Flowtable Reference:** + https://docs.kernel.org/networking/nf_flowtable.html + + +*********************** +Flowtable Configuration +*********************** + +In order to use flowtables, the minimal configuration needed includes: + + * Create flowtable: create flowtable, which includes the interfaces + that are going to be used by the flowtable. + + * Create firewall rule: create a firewall rule, setting action to + ``offload`` and using desired flowtable for ``offload-target``. + +Creating a flow table: + +.. cfgcmd:: set firewall flowtable <flow_table_name> interface <iface> + + Define interfaces to be used in the flowtable. + +.. cfgcmd:: set firewall flowtable <flow_table_name> description <text> + +Provide a description to the flow table. + +.. cfgcmd:: set firewall flowtable <flow_table_name> offload + <hardware | software> + + Define type of offload to be used by the flowtable: ``hardware`` or + ``software``. By default, ``software`` offload is used. + +.. note:: **Hardware offload:** should be supported by the NICs used. + +Creating rules for using flow tables: + +.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> + action offload + + Create firewall rule in forward chain, and set action to ``offload``. + +.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> + offload-target <flowtable> + + Create firewall rule in forward chain, and define which flowtbale + should be used. Only applicable if action is ``offload``. + +********************* +Configuration Example +********************* + +Things to be considred in this setup: + + * Two interfaces are going to be used in the flowtables: eth0 and eth1 + + * Minumum firewall ruleset is provided, which includes some filtering rules, + and appropiate rules for using flowtable offload capabilities. + +As described, first packet will be evaluated by all the firewall path, so +desired connection should be explicitely accepted. Same thing should be taken +into account for traffic in reverse order. In most cases state policies are +used in order to accept connection in reverse patch. + +We will only accept traffic comming from interface eth0, protocol tcp and +destination port 1122. All other traffic traspassing the router should be +blocked. + +Commands +-------- + +.. code-block:: none + + set firewall flowtable FT01 interface 'eth0' + set firewall flowtable FT01 interface 'eth1' + set firewall ipv4 forward filter default-action 'drop' + set firewall ipv4 forward filter rule 10 action 'offload' + set firewall ipv4 forward filter rule 10 offload-target 'FT01' + set firewall ipv4 forward filter rule 10 state 'established' + set firewall ipv4 forward filter rule 10 state 'related' + set firewall ipv4 forward filter rule 20 action 'accept' + set firewall ipv4 forward filter rule 20 state 'established' + set firewall ipv4 forward filter rule 20 state 'related' + set firewall ipv4 forward filter rule 110 action 'accept' + set firewall ipv4 forward filter rule 110 destination address '192.0.2.100' + set firewall ipv4 forward filter rule 110 destination port '1122' + set firewall ipv4 forward filter rule 110 inbound-interface name 'eth0' + set firewall ipv4 forward filter rule 110 protocol 'tcp' + +Explanation +----------- + +Analysis on what happens for desired connection: + + 1. First packet is received on eht0, with destination address 192.0.2.100, + protocol tcp and destination port 1122. Assume such destination address is + reachable through interface eth1. + + 2. Since this is the first packet, connection status of this connection, + so far is **new**. So neither rule 10 nor 20 are valid. + + 3. Rule 110 is hit, so connection is accepted. + + 4. Once answer from server 192.0.2.100 is seen in opposite direction, + connection state will be triggered to **established**, so this reply is + accepted in rule 10. + + 5. Second packet for this connection is received by the router. Since + connection state is **established**, then rule 10 is hit, and a new entry + in the flowtable FT01 is added for this connection. + + 6. All subsecuent packets will skip traditional path, and will be offloaded + and will use the **Fast Path**. + +Checks +------ + +It's time to check conntrack table, to see if any connection was accepted, +and if was properly offloaded + +.. code-block:: none + + vyos@FlowTables:~$ show firewall ipv4 forward filter + Ruleset Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------------------------------- + 10 offload all 8 468 ct state { established, related } flow add @VYOS_FLOWTABLE_FT01 + 20 accept all 8 468 ct state { established, related } accept + 110 accept tcp 2 120 ip daddr 192.0.2.100 tcp dport 1122 iifname "eth0" accept + default drop all 7 420 + + vyos@FlowTables:~$ sudo conntrack -L | grep tcp + conntrack v1.4.6 (conntrack-tools): 5 flow entries have been shown. + tcp 6 src=198.51.100.100 dst=192.0.2.100 sport=41676 dport=1122 src=192.0.2.100 dst=198.51.100.100 sport=1122 dport=41676 [OFFLOAD] mark=0 use=2 + vyos@FlowTables:~$ diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst deleted file mode 100644 index c217ba6c..00000000 --- a/docs/configuration/firewall/general.rst +++ /dev/null @@ -1,1047 +0,0 @@ -:lastproofread: 2021-06-29 - -.. _firewall: - -######## -Firewall -######## - -******** -Overview -******** - -VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet -filtering. - -The firewall supports the creation of groups for ports, addresses, and -networks (implemented using netfilter ipset) and the option of interface -or zone based firewall policy. - -.. note:: **Important note on usage of terms:** - The firewall makes use of the terms `in`, `out`, and `local` - for firewall policy. Users experienced with netfilter often confuse - `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT` - chain from netfilter. This is not the case. These instead indicate - the use of the `FORWARD` chain and either the input or output - interface. The `INPUT` chain, which is used for local traffic to the - OS, is a reference to as `local` with respect to its input interface. - - -*************** -Global settings -*************** - -Some firewall settings are global and have an affect on the whole system. - -.. cfgcmd:: set firewall all-ping [enable | disable] - - By default, when VyOS receives an ICMP echo request packet destined for - itself, it will answer with an ICMP echo reply, unless you avoid it - through its firewall. - - With the firewall you can set rules to accept, drop or reject ICMP in, - out or local traffic. You can also use the general **firewall all-ping** - command. This command affects only to LOCAL (packets destined for your - VyOS system), not to IN or OUT traffic. - - .. note:: **firewall all-ping** affects only to LOCAL and it always - behaves in the most restrictive way - - .. code-block:: none - - set firewall all-ping enable - - When the command above is set, VyOS will answer every ICMP echo request - addressed to itself, but that will only happen if no other rule is - applied dropping or rejecting local echo requests. In case of conflict, - VyOS will not answer ICMP echo requests. - - .. code-block:: none - - set firewall all-ping disable - - When the command above is set, VyOS will answer no ICMP echo request - addressed to itself at all, no matter where it comes from or whether - more specific rules are being applied to accept them. - -.. cfgcmd:: set firewall broadcast-ping [enable | disable] - - This setting enable or disable the response of icmp broadcast - messages. The following system parameter will be altered: - - * ``net.ipv4.icmp_echo_ignore_broadcasts`` - -.. cfgcmd:: set firewall ip-src-route [enable | disable] -.. cfgcmd:: set firewall ipv6-src-route [enable | disable] - - This setting handle if VyOS accept packets with a source route - option. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_source_route`` - * ``net.ipv6.conf.all.accept_source_route`` - -.. cfgcmd:: set firewall receive-redirects [enable | disable] -.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable] - - enable or disable of ICMPv4 or ICMPv6 redirect messages accepted - by VyOS. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_redirects`` - * ``net.ipv6.conf.all.accept_redirects`` - -.. cfgcmd:: set firewall send-redirects [enable | disable] - - enable or disable ICMPv4 redirect messages send by VyOS - The following system parameter will be altered: - - * ``net.ipv4.conf.all.send_redirects`` - -.. cfgcmd:: set firewall log-martians [enable | disable] - - enable or disable the logging of martian IPv4 packets. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.log_martians`` - -.. cfgcmd:: set firewall source-validation [strict | loose | disable] - - Set the IPv4 source validation mode. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.rp_filter`` - -.. cfgcmd:: set firewall syn-cookies [enable | disable] - - Enable or Disable if VyOS use IPv4 TCP SYN Cookies. - The following system parameter will be altered: - - * ``net.ipv4.tcp_syncookies`` - -.. cfgcmd:: set firewall twa-hazards-protection [enable | disable] - - Enable or Disable VyOS to be :rfc:`1337` conform. - The following system parameter will be altered: - - * ``net.ipv4.tcp_rfc1337`` - -.. cfgcmd:: set firewall state-policy established action [accept | drop | - reject] - -.. cfgcmd:: set firewall state-policy established log enable - - Set the global setting for an established connection. - -.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject] - -.. cfgcmd:: set firewall state-policy invalid log enable - - Set the global setting for invalid packets. - -.. cfgcmd:: set firewall state-policy related action [accept | drop | reject] - -.. cfgcmd:: set firewall state-policy related log enable - - Set the global setting for related connections. - - -****** -Groups -****** - -Firewall groups represent collections of IP addresses, networks, ports, -mac addresses or domains. Once created, a group can be referenced by -firewall, nat and policy route rules as either a source or destination -matcher. Members can be added or removed from a group without changes to, -or the need to reload, individual firewall rules. - -Groups need to have unique names. Even though some contain IPv4 -addresses and others contain IPv6 addresses, they still need to have -unique names, so you may want to append "-v4" or "-v6" to your group -names. - - -Address Groups -============== - -In an **address group** a single IP address or IP address ranges are -defined. - -.. cfgcmd:: set firewall group address-group <name> address [address | - address range] -.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> - - Define a IPv4 or a IPv6 address group - - .. code-block:: none - - set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 - set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 - set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 - -.. cfgcmd:: set firewall group address-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> - - Provide a IPv4 or IPv6 address group description - -Network Groups -============== - -While **network groups** accept IP networks in CIDR notation, specific -IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is -recommended. - -.. cfgcmd:: set firewall group network-group <name> network <CIDR> -.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> - - Define a IPv4 or IPv6 Network group. - - .. code-block:: none - - set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 - set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 - set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 - -.. cfgcmd:: set firewall group network-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> - - Provide a IPv4 or IPv6 network group description. - -Port Groups -=========== - -A **port group** represents only port numbers, not the protocol. Port -groups can be referenced for either TCP or UDP. It is recommended that -TCP and UDP groups are created separately to avoid accidentally -filtering unnecessary ports. Ranges of ports can be specified by using -`-`. - -.. cfgcmd:: set firewall group port-group <name> port - [portname | portnumber | startport-endport] - - Define a port group. A port name can be any name defined in - /etc/services. e.g.: http - - .. code-block:: none - - set firewall group port-group PORT-TCP-SERVER1 port http - set firewall group port-group PORT-TCP-SERVER1 port 443 - set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 - -.. cfgcmd:: set firewall group port-group <name> description <text> - - Provide a port group description. - -MAC Groups -========== - -A **mac group** represents a collection of mac addresses. - -.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> - - Define a mac group. - -.. code-block:: none - - set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f - set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 - - -Domain Groups -============= - -A **domain group** represents a collection of domains. - -.. cfgcmd:: set firewall group domain-group <name> address <domain> - - Define a domain group. - -.. code-block:: none - - set firewall group domain-group DOM address example.com - - -********* -Rule-Sets -********* - -A rule-set is a named collection of firewall rules that can be applied -to an interface or a zone. Each rule is numbered, has an action to apply -if the rule is matched, and the ability to specify the criteria to -match. Data packets go through the rules from 1 - 999999, at the first match -the action of the rule will be executed. - -.. cfgcmd:: set firewall name <name> description <text> -.. cfgcmd:: set firewall ipv6-name <name> description <text> - - Provide a rule-set description. - -.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump | - reject | return] -.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop | - jump | reject | return] - - This set the default action of the rule-set if no rule matched a packet - criteria. If defacult-action is set to ``jump``, then - ``default-jump-target`` is also needed. - -.. cfgcmd:: set firewall name <name> default-jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text> - - To be used only when ``defult-action`` is set to ``jump``. Use this - command to specify jump target for default rule. - -.. cfgcmd:: set firewall name <name> enable-default-log -.. cfgcmd:: set firewall ipv6-name <name> enable-default-log - - Use this command to enable the logging of the default action. - -.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop | - jump | queue | reject | return] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept | - drop | jump | queue | reject | return] - - This required setting defines the action of the current rule. If action - is set to ``jump``, then ``jump-target`` is also needed. - -.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text> - - To be used only when ``action`` is set to ``jump``. Use this - command to specify jump target. - -.. cfgcmd:: set firewall name <name> rule <1-999999> queue <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue <0-65535> - - Use this command to set the target to use. Action queue must be defined - to use this setting - -.. cfgcmd:: set firewall name <name> rule <1-999999> queue-options - <bypass-fanout> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue-options - <bypass-fanout> - - Options used for queue target. Action queue must be defined to use this - setting - -.. cfgcmd:: set firewall name <name> rule <1-999999> description <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text> - - Provide a description for each rule. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable | - enable] - - Enable or disable logging for the matched packet. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options level - [emerg | alert | crit | err | warn | notice | info | debug] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options level - [emerg | alert | crit | err | warn | notice | info | debug] - - Define log-level. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options group - <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options group - <0-65535> - - Define log group to send message to. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options snaplen - <0-9000> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options snaplen - <0-9000> - - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options - queue-threshold <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options - queue-threshold <0-65535> - - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall name <name> rule <1-999999> disable -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable - - If you want to disable a rule but let it in the configuration. - -Matching criteria -================= - -There are a lot of matching criteria against which the package can be tested. - -.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat - [destination | source] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status - nat [destination | source] - - Match criteria based on nat connection status. - -.. cfgcmd:: set firewall name <name> rule <1-999999> connection-mark - <1-2147483647> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-mark - <1-2147483647> - - Match criteria based on connection mark. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address - [address | addressrange | CIDR] - - This is similar to the network groups part, but here you are able to negate - the matching addresses. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11 - # with a '!' the rule match everything except the specified subnet - set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 - set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 - -.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask - [address] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask - [address] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask - [address] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination - address-mask [address] - - An arbitrary netmask can be applied to mask addresses to only match against - a specific portion. This is particularly useful with IPv6 and a zone-based - firewall as rules will remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) - - This functions for both individual addresses and address groups. - - .. code-block:: none - - # Match any IPv6 address with the suffix ::0000:0000:0000:beef - set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef - set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff - # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet - set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13 - set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255 - # Address groups - set firewall group ipv6-address-group WEBSERVERS address ::1000 - set firewall group ipv6-address-group WEBSERVERS address ::2000 - set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS - set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff - -.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn - <fqdn> - - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code - <country> -.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip - country-code <country> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip - inverse-match -.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip - country-code <country> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip - inverse-match -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip - country-code <country> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip - inverse-match - -Match IP addresses based on its geolocation. -More info: `geoip matching -<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. - -Use inverse-match to match anything except the given country-codes. - -Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, -permits redistribution so we can include a database in images(~3MB -compressed). Includes cron script (manually callable by op-mode update -geoip) to keep database and rules updated. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address - <mac-address> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address - <mac-address> - - Only in the source criteria, you can specify a mac-address. - - .. code-block:: none - - set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33 - set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34 - -.. cfgcmd:: set firewall name <name> rule <1-999999> source port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port - [1-65535 | portname | start-end] - - A port can be set with a port number or a name which is here - defined: ``/etc/services``. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 source port '22' - set firewall name WAN-IN-v4 rule 11 source port '!http' - set firewall name WAN-IN-v4 rule 12 source port 'https' - - Multiple source ports can be specified as a comma-separated list. - The whole list can also be "negated" using ``!``. For example: - - .. code-block:: none - - set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338' - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - address-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - address-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - address-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - address-group <name | !name> - - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - network-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - network-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - network-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - network-group <name | !name> - - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - port-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - port-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - port-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - port-group <name | !name> - - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - domain-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - domain-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - domain-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - domain-group <name | !name> - - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - mac-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - mac-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - mac-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - mac-group <name | !name> - - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end] -.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 | - start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 | - start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 | - start-end] - - Match based on dscp value. - -.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag | - match-non-frag] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag - | match-non-frag] - - Match based on fragment criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type] - <0-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type] - <0-255> - - Match based on icmp|icmpv6 code and type. - -.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name - <text> - - Match based on icmp|icmpv6 type-name criteria. Use tab for information - about what **type-name** criteria are supported. - -.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface - <iface> -.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface - <iface> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface - <iface> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface - <iface> - - Match based on inbound/outbound interface. Wilcard ``*`` can be used. - For example: ``eth2*`` - -.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec - | match-none] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec - | match-none] - - Match based on ipsec criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst - <0-4294967295> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst - <0-4294967295> - - Match based on the maximum number of packets to allow in excess of rate. - -.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate - <text> - - Match based on the maximum average rate, specified as **integer/unit**. - For example **5/minutes** - -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length - <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude - <text> - - Match based on packet length criteria. Multiple values from 1 to 65535 - and ranges are supported. - -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-type - [broadcast | host | multicast | other] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-type - [broadcast | host | multicast | other] - - Match based on packet type criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> | - <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> | - <0-255> | all | tcp_udp] - - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. - Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 protocol tcp_udp - set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp - set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp - -.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall name <name> rule <1-999999> recent time - [second | minute | hour] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time - [second | minute | hour] - - Match bases on recently seen sources. - -.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text> - - Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, - ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma - separated. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK' - set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN' - set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' - -.. cfgcmd:: set firewall name <name> rule <1-999999> state [established | - invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established | - invalid | new | related] [enable | disable] - - Match against the state of a packet. - -.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text> - - Time to match the defined rule. - -.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255> - - Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt | - lt> <0-255> - - Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second | - minute | hour> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second | - minute | hour> - - Match when 'count' amount of connections are seen within 'time'. These - matching criteria can be used to block brute-force attempts. - -*********************************** -Applying a Rule-Set to an Interface -*********************************** - -A Rule-Set can be applied to every interface: - -* ``in``: Ruleset for forwarded packets on an inbound interface -* ``out``: Ruleset for forwarded packets on an outbound interface -* ``local``: Ruleset for packets destined for this router - -.. cfgcmd:: set firewall interface <interface> [in | out | local] [name | - ipv6-name] <rule-set> - - - Here are some examples for applying a rule-set to an interface - - .. code-block:: none - - set firewall interface eth1.100 in name LANv4-IN - set firewall interface eth1.100 out name LANv4-OUT - set firewall interface bond0 in name LANv4-IN - set firewall interface vtun1 in name LANv4-IN - set firewall interface eth2* in name LANv4-IN - - .. note:: - As you can see in the example here, you can assign the same rule-set to - several interfaces. An interface can only have one rule-set per chain. - - .. note:: - You can use wildcard ``*`` to match a group of interfaces. - -*********************** -Operation-mode Firewall -*********************** - -Rule-set overview -================= - -.. opcmd:: show firewall - - This will show you a basic firewall overview - - .. code-block:: none - - vyos@vyos:~$ show firewall - - ------------------------ - Firewall Global Settings - ------------------------ - - Firewall state-policy for all IPv4 and Ipv6 traffic - - state action log - ----- ------ --- - invalid accept disabled - established accept disabled - related accept disabled - - ----------------------------- - Rulesets Information - ----------------------------- - -------------------------------------------------------------------------- - IPv4 Firewall "DMZv4-1-IN": - - Active on (eth0,IN) - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept icmp 0 0 - condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled - - 10000 drop all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled - - -------------------------------------------------------------------------- - IPv4 Firewall "DMZv4-1-OUT": - - Active on (eth0,OUT) - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept tcp_udp 1 60 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /* - DMZv4-1-OUT-10 */LOG enabled - - 11 accept icmp 1 84 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled - - 10000 drop all 6 360 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled - - -------------------------------------------------------------------------- - IPv4 Firewall "LANv4-IN": - - Inactive - Not applied to any interfaces or zones. - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */ - - 10000 drop all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 - -.. opcmd:: show firewall summary - - This will show you a summary of rule-sets and groups - - .. code-block:: none - - vyos@vyos:~$ show firewall summary - - ------------------------ - Firewall Global Settings - ------------------------ - - Firewall state-policy for all IPv4 and Ipv6 traffic - - state action log - ----- ------ --- - invalid accept disabled - related accept disabled - established accept disabled - - ------------------------ - Firewall Rulesets - ------------------------ - - IPv4 name: - - Rule-set name Description References - ------------- ----------- ---------- - DMZv4-1-OUT (eth0,OUT) - DMZv4-1-IN (eth0,IN) - - ------------------------ - Firewall Groups - ------------------------ - - Port Groups: - - Group name Description References - ---------- ----------- ---------- - DMZ-Ports DMZv4-1-OUT-10-destination - - Network Groups: - - Group name Description References - ---------- ----------- ---------- - LANv4 LANv4-IN-10-source, - DMZv4-1-OUT-10-source, - DMZv4-1-OUT-11-source - -.. opcmd:: show firewall statistics - - This will show you a statistic of all rule-sets since the last boot. - -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set - -.. opcmd:: show firewall group <name> - - Overview of defined groups. You see the type, the members, and where the - group is used. - - .. code-block:: none - - vyos@vyos:~$ show firewall group DMZ-Ports - Name : DMZ-Ports - Type : port - References : none - Members : - 80 - 443 - 8080 - 8443 - - vyos@vyos:~$ show firewall group LANv4 - Name : LANv4 - Type : network - References : LANv4-IN-10-source - Members : - 10.10.0.0/16 - -.. opcmd:: show firewall [name | ipv6name] <name> - - This command will give an overview of a single rule-set. - -.. opcmd:: show firewall [name | ipv6name] <name> statistics - - This will show you a rule-set statistic since the last boot. - -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set. - - -Zone-Policy Overview -==================== - -.. opcmd:: show zone-policy zone <name> - - Use this command to get an overview of a zone. - - .. code-block:: none - - vyos@vyos:~$ show zone-policy zone DMZ - ------------------- - Name: DMZ - - Interfaces: eth0 eth1 - - From Zone: - name firewall - ---- -------- - LAN DMZv4-1-OUT - - -Show Firewall log -================= - -.. opcmd:: show log firewall [name | ipv6name] <name> - - Show the logs of a specific Rule-Set. - -.. note:: - At the moment it not possible to look at the whole firewall log with VyOS - operational commands. All logs will save to ``/var/logs/messages``. - For example: ``grep '10.10.0.10' /var/log/messages`` - - - -Example Partial Config -====================== - -.. code-block:: none - - firewall { - interface eth0 { - in { - name FROM-INTERNET - } - } - all-ping enable - broadcast-ping disable - config-trap disable - group { - network-group BAD-NETWORKS { - network 198.51.100.0/24 - network 203.0.113.0/24 - } - network-group GOOD-NETWORKS { - network 192.0.2.0/24 - } - port-group BAD-PORTS { - port 65535 - } - } - name FROM-INTERNET { - default-action accept - description "From the Internet" - rule 10 { - action accept - description "Authorized Networks" - protocol all - source { - group { - network-group GOOD-NETWORKS - } - } - } - rule 11 { - action drop - description "Bad Networks" - protocol all - source { - group { - network-group BAD-NETWORKS - } - } - } - rule 30 { - action drop - description "BAD PORTS" - destination { - group { - port-group BAD-PORTS - } - } - log enable - protocol all - } - } - } - interfaces { - ethernet eth1 { - address dhcp - description OUTSIDE - duplex auto - } - } - - -Update geoip database -===================== - -.. opcmd:: update geoip - - Command used to update GeoIP database and firewall sets.
\ No newline at end of file diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst new file mode 100644 index 00000000..455e530b --- /dev/null +++ b/docs/configuration/firewall/global-options.rst @@ -0,0 +1,147 @@ +:lastproofread: 2023-12-026 + +.. _firewall-global-options-configuration: + +##################################### +Global Options Firewall Configuration +##################################### + +******** +Overview +******** + +Some firewall settings are global and have an affect on the whole system. +In this section there's useful information about these global-options that can +be configured using vyos cli. + +Configuration commands covered in this section: + +.. cfgcmd:: set firewall global-options ... + +************* +Configuration +************* + +.. cfgcmd:: set firewall global-options all-ping [enable | disable] + + By default, when VyOS receives an ICMP echo request packet destined for + itself, it will answer with an ICMP echo reply, unless you avoid it + through its firewall. + + With the firewall you can set rules to accept, drop or reject ICMP in, + out or local traffic. You can also use the general **firewall all-ping** + command. This command affects only to LOCAL (packets destined for your + VyOS system), not to IN or OUT traffic. + + .. note:: **firewall global-options all-ping** affects only to LOCAL + and it always behaves in the most restrictive way + + .. code-block:: none + + set firewall global-options all-ping enable + + When the command above is set, VyOS will answer every ICMP echo request + addressed to itself, but that will only happen if no other rule is + applied dropping or rejecting local echo requests. In case of conflict, + VyOS will not answer ICMP echo requests. + + .. code-block:: none + + set firewall global-options all-ping disable + + When the command above is set, VyOS will answer no ICMP echo request + addressed to itself at all, no matter where it comes from or whether + more specific rules are being applied to accept them. + +.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] + + This setting enable or disable the response of icmp broadcast + messages. The following system parameter will be altered: + + * ``net.ipv4.icmp_echo_ignore_broadcasts`` + +.. cfgcmd:: set firewall global-options ip-src-route [enable | disable] +.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] + + This setting handle if VyOS accept packets with a source route + option. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_source_route`` + * ``net.ipv6.conf.all.accept_source_route`` + +.. cfgcmd:: set firewall global-options receive-redirects [enable | disable] +.. cfgcmd:: set firewall global-options ipv6-receive-redirects + [enable | disable] + + enable or disable of ICMPv4 or ICMPv6 redirect messages accepted + by VyOS. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_redirects`` + * ``net.ipv6.conf.all.accept_redirects`` + +.. cfgcmd:: set firewall global-options send-redirects [enable | disable] + + enable or disable ICMPv4 redirect messages send by VyOS + The following system parameter will be altered: + + * ``net.ipv4.conf.all.send_redirects`` + +.. cfgcmd:: set firewall global-options log-martians [enable | disable] + + enable or disable the logging of martian IPv4 packets. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.log_martians`` + +.. cfgcmd:: set firewall global-options source-validation + [strict | loose | disable] + + Set the IPv4 source validation mode. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.rp_filter`` + +.. cfgcmd:: set firewall global-options syn-cookies [enable | disable] + + Enable or Disable if VyOS use IPv4 TCP SYN Cookies. + The following system parameter will be altered: + + * ``net.ipv4.tcp_syncookies`` + +.. cfgcmd:: set firewall global-options twa-hazards-protection + [enable | disable] + + Enable or Disable VyOS to be :rfc:`1337` conform. + The following system parameter will be altered: + + * ``net.ipv4.tcp_rfc1337`` + +.. cfgcmd:: set firewall global-options state-policy established action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy established log + +.. cfgcmd:: set firewall global-options state-policy established log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for an established connection. + +.. cfgcmd:: set firewall global-options state-policy invalid action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy invalid log + +.. cfgcmd:: set firewall global-options state-policy invalid log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for invalid packets. + +.. cfgcmd:: set firewall global-options state-policy related action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy related log + +.. cfgcmd:: set firewall global-options state-policy related log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for related connections. diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst new file mode 100644 index 00000000..aee68793 --- /dev/null +++ b/docs/configuration/firewall/groups.rst @@ -0,0 +1,210 @@ +:lastproofread: 2023-11-08 + +.. _firewall-groups-configuration: + +############### +Firewall groups +############### + +************* +Configuration +************* + +Firewall groups represent collections of IP addresses, networks, ports, +mac addresses, domains or interfaces. Once created, a group can be referenced +by firewall, nat and policy route rules as either a source or destination +matcher, and/or as inbound/outbound in the case of interface group. + +Address Groups +============== + +In an **address group** a single IP address or IP address ranges are +defined. + +.. cfgcmd:: set firewall group address-group <name> address [address | + address range] +.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> + + Define a IPv4 or a IPv6 address group + + .. code-block:: none + + set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 + set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 + set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 + +.. cfgcmd:: set firewall group address-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> + + Provide a IPv4 or IPv6 address group description + +Network Groups +============== + +While **network groups** accept IP networks in CIDR notation, specific +IP addresses can be added as a 32-bit prefix. If you foresee the need +to add a mix of addresses and networks, the network group is +recommended. + +.. cfgcmd:: set firewall group network-group <name> network <CIDR> +.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> + + Define a IPv4 or IPv6 Network group. + + .. code-block:: none + + set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 + set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 + set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 + +.. cfgcmd:: set firewall group network-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> + + Provide an IPv4 or IPv6 network group description. + +Interface Groups +================ + +An **interface group** represents a collection of interfaces. + +.. cfgcmd:: set firewall group interface-group <name> interface <text> + + Define an interface group. Wildcard are accepted too. + +.. code-block:: none + + set firewall group interface-group LAN interface bond1001 + set firewall group interface-group LAN interface eth3* + +.. cfgcmd:: set firewall group interface-group <name> description <text> + + Provide an interface group description + +Port Groups +=========== + +A **port group** represents only port numbers, not the protocol. Port +groups can be referenced for either TCP or UDP. It is recommended that +TCP and UDP groups are created separately to avoid accidentally +filtering unnecessary ports. Ranges of ports can be specified by using +`-`. + +.. cfgcmd:: set firewall group port-group <name> port + [portname | portnumber | startport-endport] + + Define a port group. A port name can be any name defined in + /etc/services. e.g.: http + + .. code-block:: none + + set firewall group port-group PORT-TCP-SERVER1 port http + set firewall group port-group PORT-TCP-SERVER1 port 443 + set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 + +.. cfgcmd:: set firewall group port-group <name> description <text> + + Provide a port group description. + +MAC Groups +========== + +A **mac group** represents a collection of mac addresses. + +.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> + + Define a mac group. + +.. code-block:: none + + set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f + set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 + +.. cfgcmd:: set firewall group mac-group <name> description <text> + + Provide a mac group description. + +Domain Groups +============= + +A **domain group** represents a collection of domains. + +.. cfgcmd:: set firewall group domain-group <name> address <domain> + + Define a domain group. + +.. code-block:: none + + set firewall group domain-group DOM address example.com + +.. cfgcmd:: set firewall group domain-group <name> description <text> + + Provide a domain group description. + +******** +Examples +******** + +As said before, once firewall groups are created, they can be referenced +either in firewall, nat, nat66 and/or policy-route rules. + +Here is an example were multiple groups are created: + + .. code-block:: none + + set firewall group address-group SERVERS address 198.51.100.101 + set firewall group address-group SERVERS address 198.51.100.102 + set firewall group network-group TRUSTEDv4 network 192.0.2.0/30 + set firewall group network-group TRUSTEDv4 network 203.0.113.128/25 + set firewall group ipv6-network-group TRUSTEDv6 network 2001:db8::/64 + set firewall group interface-group LAN interface eth2.2001 + set firewall group interface-group LAN interface bon0 + set firewall group port-group PORT-SERVERS port http + set firewall group port-group PORT-SERVERS port 443 + set firewall group port-group PORT-SERVERS port 5000-5010 + +And next, some configuration example where groups are used: + + .. code-block:: none + + set firewall ipv4 input filter rule 10 action accept + set firewall ipv4 input filter rule 10 inbound-interface group !LAN + set firewall ipv4 forward filter rule 20 action accept + set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4 + set firewall ipv6 input filter rule 10 action accept + set firewall ipv6 input filter rule 10 source-group network-group TRUSTEDv6 + set nat destination rule 101 inbound-interface group LAN + set nat destination rule 101 destination group address-group SERVERS + set nat destination rule 101 protocol tcp + set nat destination rule 101 destination group port-group PORT-SERVERS + set nat destination rule 101 translation address 203.0.113.250 + set policy route PBR rule 201 destination group port-group PORT-SERVERS + set policy route PBR rule 201 protocol tcp + set policy route PBR rule 201 set table 15 + +************** +Operation-mode +************** + +.. opcmd:: show firewall group <name> + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@ZBF-15-CLean:~$ show firewall group + Firewall Groups + + Name Type References Members + ------------ ------------------ ---------------------- ---------------- + SERVERS address_group nat-destination-101 198.51.100.101 + 198.51.100.102 + LAN interface_group ipv4-input-filter-10 bon0 + nat-destination-101 eth2.2001 + TRUSTEDv6 ipv6_network_group ipv6-input-filter-10 2001:db8::/64 + TRUSTEDv4 network_group ipv4-forward-filter-20 192.0.2.0/30 + 203.0.113.128/25 + PORT-SERVERS port_group route-PBR-201 443 + nat-destination-101 5000-5010 + http + vyos@ZBF-15-CLean:~$ diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index dfafa606..3887e26a 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,10 +1,179 @@ +:lastproofread: 2023-11-23 + ######## Firewall ######## +With VyOS being based on top of Linux and its kernel, the Netfilter project +created the iptables and now the successor nftables for the Linux kernel to +work directly on the data flows. This now extends the concept of zone-based +security to allow for manipulating the data at multiple stages once accepted +by the network interface and the driver before being handed off to the +destination (e.g. a web server OR another device). + +A simplified traffic flow, based on Netfilter packet flow, is shown next, in +order to have a full view and understanding of how packets are processed, and +what possible paths can take. + +.. figure:: /_static/images/firewall-gral-packet-flow.png + +Main notes regarding this packet flow and terminology used in VyOS firewall: + + * **Bridge Port?**: choose appropiate path based on if interface were the + packet was received is part of a bridge, or not. + +If interface were the packet was received isn't part of a bridge, then packet +is processed at the **IP Layer**: + + * **Prerouting**: several actions can be done in this stage, and currently + these actions are defined in different parts in vyos configuration. Order + is important, and all these actions are performed before any actions + define under ``firewall`` section. Relevant configuration that acts in + this stage are: + + * **Conntrack Ignore**: rules defined under ``set system conntrack ignore + [ipv4 | ipv6] ...``. + + * **Policy Route**: rules defined under ``set policy [route | route6] + ...``. + + * **Destination NAT**: rules defined under ``set [nat | nat66] + destination...``. + + * **Destination is the router?**: choose appropiate path based on + destination IP address. Transit forward continunes to **forward**, + while traffic that destination IP address is configured on the router + continues to **input**. + + * **Input**: stage where traffic destinated to the router itself can be + filtered and controlled. This is where all rules for securing the router + should take place. This includes ipv4 and ipv6 filtering rules, defined + in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 input filter ...``. + + * **Forward**: stage where transit traffic can be filtered and controlled. + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 forward filter ...``. + + * ``set firewall ipv6 forward filter ...``. + + * **Output**: stage where traffic that is originated by the router itself + can be filtered and controlled. Bare in mind that this traffic can be a + new connection originted by a internal process running on VyOS router, + such as NTP, or can be a response to traffic received externaly through + **inputt** (for example response to an ssh login attempt to the router). + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 output filter ...``. + + * **Postrouting**: as in **Prerouting**, several actions defined in + different parts of VyOS configuration are performed in this + stage. This includes: + + * **Source NAT**: rules defined under ``set [nat | nat66] + destination...``. + +If interface were the packet was received is part of a bridge, then packet +is processed at the **Bridge Layer**, which contains a ver basic setup where +for bridge filtering: + + * **Forward (Bridge)**: stage where traffic that is trasspasing through the + bridge is filtered and controlled: + + * ``set firewall bridge forward filter ...``. + +Main structure VyOS firewall cli is shown next: + +.. code-block:: none + + - set firewall + * bridge + - forward + + filter + * flowtable + - custom_flow_table + + ... + * global-options + + all-ping + + broadcast-ping + + ... + * group + - address-group + - ipv6-address-group + - network-group + - ipv6-network-group + - interface-group + - mac-group + - port-group + - domain-group + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + * ipv6 + - forward + + filter + - input + + filter + - output + + filter + - ipv6-name + + custom_name + * zone + - custom_zone_name + + ... + +Please, refer to appropiate section for more information about firewall +configuration: + +.. toctree:: + :maxdepth: 1 + :includehidden: + + global-options + groups + bridge + ipv4 + ipv6 + flowtables + +.. note:: **For more information** + of Netfilter hooks and Linux networking packet flows can be + found in `Netfilter-Hooks + <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ + + +Zone-based firewall +^^^^^^^^^^^^^^^^^^^ .. toctree:: :maxdepth: 1 :includehidden: - general zone + +With zone-based firewalls a new concept was implemented, in addtion to the +standard in and out traffic flows, a local flow was added. This local was for +traffic originating and destined to the router itself. Which means additional +rules were required to secure the firewall itself from the network, in +addition to the existing inbound and outbound rules from the traditional +concept above. + +To configure VyOS with the +:doc:`zone-based firewall configuration </configuration/firewall/zone>` + +As the example image below shows, the device now needs rules to allow/block +traffic to or from the services running on the device that have open +connections on that interface. + +.. figure:: /_static/images/firewall-zonebased.png diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst new file mode 100644 index 00000000..9a683d22 --- /dev/null +++ b/docs/configuration/firewall/ipv4.rst @@ -0,0 +1,1179 @@ +:lastproofread: 2023-11-08 + +.. _firewall-ipv4-configuration: + +########################### +IPv4 Firewall Configuration +########################### + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding IPv4, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall ipv4 ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + +For transit traffic, which is received by the router and forwarded, base chain +is **forward**. A simplified packet flow diagram for transit traffic is shown +next: + +.. figure:: /_static/images/firewall-fwd-packet-flow.png + +Where firewall base chain to configure firewall filtering rules for transit +traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, +highlightened with red color. + +For traffic towards the router itself, base chain is **input**, while traffic +originated by the router, base chain is **output**. +A new simplified packet flow diagram is shown next, which shows the path +for traffic destinated to the router itself, and traffic generated by the +router (starting from circle number 6): + +.. figure:: /_static/images/firewall-input-packet-flow.png + +Base chain is for traffic toward the router is ``set firewall ipv4 input +filter ...`` + +And base chain for traffic generated by the router is ``set firewall ipv4 +output filter ...`` + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Custom firewall chains can be created, with commands +``set firewall ipv4 name <name> ...``. In order to use +such custom chain, a rule with **action jump**, and the appropiate **target** +should be defined in a base chain. + +********************* +Firewall - IPv4 Rules +********************* + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +The action can be : + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``reject``: reject the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + + * ``synproxy``: synproxy the packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + jump-target <text> + + To be used only when action is set to ``jump``. Use this command to specify + jump target. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + queue <0-65535> + + To be used only when action is set to ``queue``. Use this command to specify + queue target to use. Queue range is also supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + queue-options bypass + + To be used only when action is set to ``queue``. Use this command to let + packet go through firewall when no userspace software is connected to the + queue. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + queue-options fanout + + To be used only when action is set to ``queue``. Use this command to + distribute packets between several queues. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall ipv4 forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 input filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 output filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 name <name> default-action + [accept | drop | jump | queue | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop**. + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log + + Enable logging for the matched packet. If this configuration command is not + present, then log is not enabled. + +.. cfgcmd:: set firewall ipv4 forward filter enable-default-log +.. cfgcmd:: set firewall ipv4 input filter enable-default-log +.. cfgcmd:: set firewall ipv4 output filter enable-default-log +.. cfgcmd:: set firewall ipv4 name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every single rule, and for +every defined custom chain. + +.. cfgcmd:: set firewall ipv4 name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the packet can be tested. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-status nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-mark <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address [address | addressrange | CIDR] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address [address | addressrange | CIDR] + + Match criteria based on source and/or destination address. This is similar + to the network groups part, but here you are able to negate the matching + addresses. + + .. code-block:: none + + set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11 + # with a '!' the rule match everything except the specified subnet + set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address-mask [address] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet + set firewall ipv4 name FOO rule 100 destination address 0.11.0.13 + set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination fqdn <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip inverse-match + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip inverse-match + + Match IP addresses based on its geolocation. More info: `geoip matching + <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source mac-address <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 + set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source port [1-65535 | portname | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination port [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall ipv4 forward filter rule 10 source port '22' + set firewall ipv4 forward filter rule 11 source port '!http' + set firewall ipv4 forward filter rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group address-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group network-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group port-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group domain-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group mac-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp [0-63 | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp-exclude [0-63 | start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + fragment [match-frag | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp [code | type] <0-255> + + Match based on icmp code and type. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp type-name <text> + + Match based on icmp type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ipsec [match-ipsec | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit burst <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit rate <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length <text> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length-exclude <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-type [broadcast | host | multicast | other] + + Match based on packet type criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall ipv4 forward fitler rule 10 protocol tcp_udp + set firewall ipv4 forward fitler rule 11 protocol !tcp_udp + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + + .. code-block:: none + + set firewall ipv4 input filter rule 10 tcp flags 'ack' + set firewall ipv4 input filter rule 12 tcp flags 'syn' + set firewall ipv4 input filter rule 13 tcp flags not 'fin' + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + state [established | invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ttl <eq | gt | lt> <0-255> + + Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time <second | minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv4 rule 10 destination port '8080' + set system conntrack ignore ipv4 rule 10 protocol 'tcp' + set system conntrack ignore ipv4 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv4 input filter rule 10 action 'synproxy' + set firewall ipv4 input filter rule 10 destination port '8080' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv4 input filter rule 10 protocol 'tcp' + set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv4 input filter rule 1000 action 'drop' + set firewall ipv4 input filter rule 1000 state invalid 'enable' + + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview, for all ruleset, and not + only for ipv4 + + .. code-block:: none + + vyos@vyos:~$ show firewall + Rulesets Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------- + 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept + 21 jump all 0 0 jump NAME_AUX + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------- + 10 accept all 156 14377 iifname != @I_LAN accept + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "name AUX" + + Rule Action Protocol Packets Bytes Conditions + ------ -------- ---------- --------- ------- -------------------------------------------- + 10 accept icmp 0 0 meta l4proto icmp accept + 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept + 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2" + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 10 reject all 0 0 oifname @I_LAN + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 72 9258 + + --------------------------------- + ipv6 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------- + 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept + default accept all 2 112 + + vyos@vyos:~$ + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. code-block:: none + + vyos@vyos:~$ show firewall summary + Ruleset Summary + + IPv6 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- -------------------- ------------------------- + forward filter + input filter + ipv6_name IPV6-VyOS_MANAGEMENT + ipv6_name IPV6-WAN_IN PUBLIC_INTERNET + + IPv4 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- ------------------ ------------------------- + forward filter + input filter + name VyOS_MANAGEMENT + name WAN_IN PUBLIC_INTERNET + + Firewall Groups + + Name Type References Members + ----------------------- ------------------ ----------------------- ---------------- + PBX address_group WAN_IN-100 198.51.100.77 + SERVERS address_group WAN_IN-110 192.0.2.10 + WAN_IN-111 192.0.2.11 + WAN_IN-112 192.0.2.12 + WAN_IN-120 + WAN_IN-121 + WAN_IN-122 + SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 + WAN_IN-20 + PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 + PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 + WAN_IN-171 + PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 + SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 + IPV6-WAN_IN-111 2001:db8::3 + IPV6-WAN_IN-112 2001:db8::4 + IPV6-WAN_IN-120 + IPV6-WAN_IN-121 + IPV6-WAN_IN-122 + SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 + IPV6-WAN_IN-20 + + +.. opcmd:: show firewall ipv4 [forward | input | output] filter + +.. opcmd:: show firewall ipv4 name <name> + + This command will give an overview of a single rule-set. + + .. code-block:: none + + vyos@vyos:~$ show firewall ipv4 input filter + Ruleset Information + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT + default accept all + +.. opcmd:: show firewall ipv4 [forward | input | output] + filter rule <1-999999> +.. opcmd:: show firewall ipv4 name <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set, plus + information for default action. + +.. code-block:: none + + vyos@vyos:~$show firewall ipv4 output filter rule 20 + Rule Information + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 286 47614 + + vyos@vyos:~$ + + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall ipv4 +.. opcmd:: show log firewall ipv4 [forward | input | output | name] +.. opcmd:: show log firewall ipv4 [forward | input | output] filter +.. opcmd:: show log firewall ipv4 name <name> +.. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule> +.. opcmd:: show log firewall ipv4 name <name> rule <rule> + + Show the logs of all firewall; show all ipv4 firewall logs; show all logs + for particular hook; show all logs for particular hook and priority; show all logs + for particular custom chain; show logs for specific Rule-Set. + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + group { + network-group BAD-NETWORKS { + network 198.51.100.0/24 + network 203.0.113.0/24 + } + network-group GOOD-NETWORKS { + network 192.0.2.0/24 + } + port-group BAD-PORTS { + port 65535 + } + } + ipv4 { + forward { + filter { + default-action accept + rule 5 { + action accept + source { + group { + network-group GOOD-NETWORKS + } + } + } + rule 10 { + action drop + description "Bad Networks" + protocol all + source { + group { + network-group BAD-NETWORKS + } + } + } + } + } + } + } + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst new file mode 100644 index 00000000..0aa8a137 --- /dev/null +++ b/docs/configuration/firewall/ipv6.rst @@ -0,0 +1,1195 @@ +:lastproofread: 2023-11-08 + +.. _firewall-ipv6-configuration: + +########################### +IPv6 Firewall Configuration +########################### + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding IPv6, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall ipv6 ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * ipv6 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + +For transit traffic, which is received by the router and forwarded, base chain +is **forward**. A simplified packet flow diagram for transit traffic is shown +next: + +.. figure:: /_static/images/firewall-fwd-packet-flow.png + +Where firewall base chain to configure firewall filtering rules for transit +traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, +highlightened with red color. + +For traffic towards the router itself, base chain is **input**, while traffic +originated by the router, base chain is **output**. +A new simplified packet flow diagram is shown next, which shows the path +for traffic destinated to the router itself, and traffic generated by the +router (starting from circle number 6): + +.. figure:: /_static/images/firewall-input-packet-flow.png + +Base chain is for traffic toward the router is ``set firewall ipv6 input +filter ...`` + +And base chain for traffic generated by the router is ``set firewall ipv6 +output filter ...`` + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Custom firewall chains can be created, with commands +``set firewall ipv6 name <name> ...``. In order to use +such custom chain, a rule with **action jump**, and the appropiate **target** +should be defined in a base chain. + +****************************** +Firewall - IPv6 Rules +****************************** + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +The action can be : + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``reject``: reject the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + + * ``synproxy``: synproxy the packet. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + jump-target <text> + + To be used only when action is set to ``jump``. Use this command to specify + jump target. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + queue <0-65535> + + To be used only when action is set to ``queue``. Use this command to specify + queue target to use. Queue range is also supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + queue-options bypass + + To be used only when action is set to ``queue``. Use this command to let + packet go through firewall when no userspace software is connected to the + queue. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + queue-options fanout + + To be used only when action is set to ``queue``. Use this command to + distribute packets between several queues. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall ipv6 forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 input filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 output filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 name <name> default-action + [accept | drop | jump | queue | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop**. + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log + + Enable logging for the matched packet. If this configuration command is not + present, then log is not enabled. + +.. cfgcmd:: set firewall ipv6 forward filter enable-default-log +.. cfgcmd:: set firewall ipv6 input filter enable-default-log +.. cfgcmd:: set firewall ipv6 output filter enable-default-log +.. cfgcmd:: set firewall ipv6 name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every single rule, and for +every defined custom chain. + +.. cfgcmd:: set firewall ipv6 name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the packet can be tested. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + connection-status nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + connection-mark <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source address [address | addressrange | CIDR] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination address [address | addressrange | CIDR] + + Match criteria based on source and/or destination address. This is similar + to the network groups part, but here you are able to negate the matching + addresses. + + .. code-block:: none + + set firewall ipv6 name FOO rule 100 source address 2001:db8::202 + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source address-mask [address] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. This is particularly useful with IPv6 as rules will + remain valid if the IPv6 prefix changes and the host + portion of systems IPv6 address is static (for example, with SLAAC or + `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv6 address with the suffix ::0000:0000:0000:beef + set firewall ipv6 forward filter rule 100 destination address ::beef + set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff + # Address groups + set firewall group ipv6-address-group WEBSERVERS address ::1000 + set firewall group ipv6-address-group WEBSERVERS address ::2000 + set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS + set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination fqdn <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source geoip country-code <country> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination geoip country-code <country> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source geoip inverse-match + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination geoip inverse-match + + Match IP addresses based on its geolocation. More info: `geoip matching + <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source mac-address <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall ipv6 input filter rule 100 source mac-address 00:53:00:11:22:33 + set firewall ipv6 input filter rule 101 source mac-address !00:53:00:aa:12:34 + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source port [1-65535 | portname | start-end] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination port [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall ipv6 forward filter rule 10 source port '22' + set firewall ipv6 forward filter rule 11 source port '!http' + set firewall ipv6 forward filter rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + + .. code-block:: none + + set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338' + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group address-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group network-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group port-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group domain-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group mac-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + dscp [0-63 | start-end] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + dscp-exclude [0-63 | start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + fragment [match-frag | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + icmpv6 [code | type] <0-255> + + Match based on icmp|icmpv6 code and type. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + icmpv6 type-name <text> + + Match based on icmpv6 type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + ipsec [match-ipsec | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + limit burst <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + limit rate <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-length <text> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-length-exclude <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-type [broadcast | host | multicast | other] + + Match based on packet type criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall ipv6 input filter rule 10 protocol tcp + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent time [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + + .. code-block:: none + + set firewall ipv6 input filter rule 10 tcp flags 'ack' + set firewall ipv6 input filter rule 12 tcp flags 'syn' + set firewall ipv6 input filter rule 13 tcp flags not 'fin' + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + state [established | invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + hop-limit <eq | gt | lt> <0-255> + + Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent time <second | minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv6 rule 10 destination port '8080' + set system conntrack ignore ipv6 rule 10 protocol 'tcp' + set system conntrack ignore ipv6 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv6 input filter rule 10 action 'synproxy' + set firewall ipv6 input filter rule 10 destination port '8080' + set firewall ipv6 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv6 input filter rule 10 protocol 'tcp' + set firewall ipv6 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv6 input filter rule 1000 action 'drop' + set firewall ipv6 input filter rule 1000 state invalid 'enable' + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview + + .. code-block:: none + + vyos@vyos:~$ show firewall + Rulesets Information + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT + 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN + 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN + default accept all + + --------------------------------- + IPv4 Firewall "name VyOS_MANAGEMENT" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- -------------------------------- + 5 accept all 0 0 ct state established accept + 10 drop all 0 0 ct state invalid + 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept + 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept + 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept + 50 accept icmp 0 0 meta l4proto icmp accept + default drop all 0 0 + + --------------------------------- + IPv6 Firewall "forward filter" + + Rule Action Protocol + ------- -------- ---------- + 5 jump all + 10 jump all + 15 jump all + default accept all + + --------------------------------- + IPv6 Firewall "input filter" + + Rule Action Protocol + ------- -------- ---------- + 5 jump all + default accept all + + --------------------------------- + IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT" + + Rule Action Protocol + ------- -------- ---------- + 5 accept all + 10 drop all + 20 accept all + 30 accept all + 40 accept all + 50 accept ipv6-icmp + default drop all + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. code-block:: none + + vyos@vyos:~$ show firewall summary + Ruleset Summary + + IPv6 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- -------------------- ------------------------- + forward filter + input filter + ipv6_name IPV6-VyOS_MANAGEMENT + ipv6_name IPV6-WAN_IN PUBLIC_INTERNET + + IPv4 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- ------------------ ------------------------- + forward filter + input filter + name VyOS_MANAGEMENT + name WAN_IN PUBLIC_INTERNET + + Firewall Groups + + Name Type References Members + ----------------------- ------------------ ----------------------- ---------------- + PBX address_group WAN_IN-100 198.51.100.77 + SERVERS address_group WAN_IN-110 192.0.2.10 + WAN_IN-111 192.0.2.11 + WAN_IN-112 192.0.2.12 + WAN_IN-120 + WAN_IN-121 + WAN_IN-122 + SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 + WAN_IN-20 + PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 + PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 + WAN_IN-171 + PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 + SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 + IPV6-WAN_IN-111 2001:db8::3 + IPV6-WAN_IN-112 2001:db8::4 + IPV6-WAN_IN-120 + IPV6-WAN_IN-121 + IPV6-WAN_IN-122 + SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 + IPV6-WAN_IN-20 + + +.. opcmd:: show firewall ipv6 [forward | input | output] filter + +.. opcmd:: show firewall ipv6 ipv6-name <name> + + This command will give an overview of a single rule-set. + + .. code-block:: none + + vyos@vyos:~$ show firewall ipv6 input filter + Ruleset Information + + --------------------------------- + ipv6 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------------------------------------------------------ + 10 jump all 13 1456 iifname "eth1" jump NAME6_INP-ETH1 + 20 accept ipv6-icmp 10 1112 meta l4proto ipv6-icmp iifname "eth0" prefix "[ipv6-INP-filter-20-A]" accept + default accept all 14 1584 + + vyos@vyos:~$ + +.. opcmd:: show firewall ipv6 [forward | input | output] + filter rule <1-999999> + +.. opcmd:: show firewall ipv6 name <name> rule <1-999999> + +.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set + +.. opcmd:: show firewall group <name> + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@vyos:~$ show firewall group LAN + Firewall Groups + + Name Type References Members + ------------ ------------------ ----------------------- ---------------- + LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64 + IPV6-WAN_IN-30 + LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24 + WAN_IN-30 + + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall ipv6 +.. opcmd:: show log firewall ipv6 [forward | input | output | name] +.. opcmd:: show log firewall ipv6 [forward | input | output] filter +.. opcmd:: show log firewall ipv6 name <name> +.. opcmd:: show log firewall ipv6 [forward | input | output] filter rule <rule> +.. opcmd:: show log firewall ipv6 name <name> rule <rule> + + Show the logs of all firewall; show all ipv6 firewall logs; show all logs + for particular hook; show all logs for particular hook and priority; show all logs + for particular custom chain; show logs for specific Rule-Set. + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + ipv6 { + input { + filter { + rule 10 { + action jump + inbound-interface { + name eth1 + } + jump-target INP-ETH1 + } + rule 20 { + action accept + inbound-interface { + name eth0 + } + log + protocol ipv6-icmp + } + } + } + name INP-ETH1 { + default-action drop + enable-default-log + rule 10 { + action accept + protocol tcp_udp + } + } + } + } + + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index b27e02b9..1ab9c630 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -1,4 +1,4 @@ -:lastproofread: 2022-09-14 +:lastproofread: 2023-11-01 .. _firewall-zone: @@ -6,9 +6,43 @@ Zone Based Firewall ################### +******** +Overview +******** + +.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall + structure can be found on all vyos instalations. Zone based firewall was + removed in that version, but re introduced in VyOS 1.4 and 1.5. All + versions built after 2023-10-22 has this feature. + Documentation for most of the new firewall CLI can be + found in the `firewall + <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ + chapter. The legacy firewall is still available for versions before + 1.4-rolling-202308040557 and can be found in the + :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` + chapter. + +In this section there's useful information of all firewall configuration that +is needed for zone-based firewall. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall zone ... + +From main structure defined in +:doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * zone + - custom_zone_name + + ... + In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to -firewall rules. A Zone is a group of interfaces that have similar functions or +firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network. @@ -36,7 +70,7 @@ firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs. -An basic introduction to zone-based firewalls can be found `here +A basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`. diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index bc8aad99..7f06faa8 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -229,8 +229,8 @@ is needed. .. cfgcmd:: set high-availability vrrp global-parameters startup_delay <1-600> -This option specifies a delay in seconds before vrrp instances start up after -keepalived starts. + This option specifies a delay in seconds before vrrp instances start up + after keepalived starts. Gratuitous ARP -------------- @@ -242,20 +242,19 @@ need to configure it. But if necessary, Gratuitous ARP can be configured in .. cfgcmd:: set high-availability vrrp global-parameters garp interval <0.000-1000> -.. cfgcmd:: set high-availability vrrp group <name> garp interval - <0.000-1000> +.. cfgcmd:: set high-availability vrrp group <name> garp interval <0.000-1000> + + Set delay between gratuitous ARP messages sent on an interface. + + 0 if not defined. -Set delay between gratuitous ARP messages sent on an interface. 0 if not -defined. +.. cfgcmd:: set high-availability vrrp global-parameters garp master-delay <1-255> -.. cfgcmd:: set high-availability vrrp global-parameters garp master-delay - <1-255> +.. cfgcmd:: set high-availability vrrp group <name> garp master-delay <1-255> -.. cfgcmd:: set high-availability vrrp group <name> garp master-delay - <1-255> + Set delay for second set of gratuitous ARPs after transition to MASTER. -Set delay for second set of gratuitous ARPs after transition to MASTER. 5 if -not defined. + 5 if not defined. .. cfgcmd:: set high-availability vrrp global-parameters garp master-refresh <1-600> @@ -263,8 +262,9 @@ not defined. .. cfgcmd:: set high-availability vrrp group <name> garp master-refresh <1-600> -Set minimum time interval for refreshing gratuitous ARPs while MASTER. 0 if -not defined, which means no refreshing. + Set minimum time interval for refreshing gratuitous ARPs while MASTER. + + 0 if not defined, which means no refreshing. .. cfgcmd:: set high-availability vrrp global-parameters garp master-refresh-repeat <1-600> @@ -272,8 +272,9 @@ not defined, which means no refreshing. .. cfgcmd:: set high-availability vrrp group <name> garp master-refresh-repeat <1-600> -Set number of gratuitous ARP messages to send at a time while MASTER. 1 if not -defined. + Set number of gratuitous ARP messages to send at a time while MASTER. + + 1 if not defined. .. cfgcmd:: set high-availability vrrp global-parameters garp master-repeat <1-600> @@ -281,8 +282,18 @@ defined. .. cfgcmd:: set high-availability vrrp group <name> garp master-repeat <1-600> -Set number of gratuitous ARP messages to send at a time after transition to -MASTER. 5 if not defined. + Set number of gratuitous ARP messages to send at a time after transition to + MASTER. + + 5 if not defined. + +Version +------- + +.. cfgcmd:: set high-availability vrrp global-parameters version 2|3 + + Set the default VRRP version to use. This defaults to 2, but IPv6 instances + will always use version 3. Scripting --------- @@ -439,7 +450,7 @@ Port "0" is required if multiple ports are used. set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh' set high-availability virtual-server vyos real-server 192.0.2.12 port '0' - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.0.2.0/24' set nat source rule 100 translation address 'masquerade' diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst index 3d30f1a5..3c8ebd0d 100644 --- a/docs/configuration/interfaces/bonding.rst +++ b/docs/configuration/interfaces/bonding.rst @@ -271,13 +271,6 @@ Bond options The maximum number of targets that can be specified is 16. The default value is no IP address. -Offloading ----------- - -.. cmdinclude:: /_include/interface-xdp.txt - :var0: bondinging - :var1: bond0 - VLAN ==== diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index 76f02d6d..bbf52112 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -53,21 +53,6 @@ Ethernet options VyOS default will be `auto`. -.. cfgcmd:: set interfaces ethernet <interface> mirror <interface> - - Use this command to mirror the inbound traffic from one Ethernet interface to - another interface. This feature is typically used to provide a copy of traffic - inbound on one interface to a system running a monitoring or IPS application - on another interface. The benefit of mirroring the traffic is that the - application is isolated from the source traffic and so application processing - does not affect the traffic or the system performance. - - Example: - - .. code-block:: none - - set interfaces ethernet eth0 mirror eth1 - Offloading ---------- @@ -289,26 +274,3 @@ Operation .. stop_vyoslinter -.. opcmd:: show interfaces ethernet <interface> xdp - - Display XDP forwarding statistics - - .. code-block:: none - - vyos@vyos:~$ show interfaces ethernet eth1 xdp - - Collecting stats from BPF map - - BPF map (bpf_map_type:6) id:176 name:xdp_stats_map key_size:4 value_size:16 max_entries:5 - XDP-action - XDP_ABORTED 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250340 - XDP_DROP 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250317 - XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250314 - XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250313 - XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:0.250313 - - XDP-action - XDP_ABORTED 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000410 - XDP_DROP 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 - XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 - XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 - XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index 897e38dc..4fa47199 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst @@ -24,7 +24,7 @@ not be re-engineered in or on top of L2TPv3 in later products. The protocol overhead of L2TPv3 is also significantly bigger than MPLS. -L2TPv3 is described in :rfc:`3921`. +L2TPv3 is described in :rfc:`3931`. ************* Configuration diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 60877d73..0c0c052b 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst @@ -44,6 +44,30 @@ MACsec options A physical interface is required to connect this MACsec instance to. Traffic leaving this interface will now be authenticated/encrypted. +Static Keys +----------- +Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each +device wishing to use MACsec. Keys must be set statically on all devices for traffic +to flow properly. Key rotation is dependent on the administrator updating all keys +manually across connected devices. Static SAK mode can not be used with MKA. + +.. cfgcmd:: set interfaces macsec <interface> security static key <key> + + Set the device's transmit (TX) key. This key must be a hex string that is 16-bytes + (GCM-AES-128) or 32-bytes (GCM-AES-256). + +.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> mac <mac address> + + Set the peer's MAC address + +.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> key <key> + + Set the peer's key used to receive (RX) traffic + +.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> disable + + Disable the peer configuration + Key Management -------------- @@ -188,3 +212,28 @@ the unencrypted but authenticated content. 0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+ 0x0080: a282 c842 5254 ef28 ...BRT.( +**R1 Static Key** + +.. code-block:: none + + set interfaces macsec macsec1 address '192.0.2.1/24' + set interfaces macsec macsec1 address '2001:db8::1/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02 + set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 source-interface 'eth1' + +**R2 Static Key** + +.. code-block:: none + + set interfaces macsec macsec1 address '192.0.2.2/24' + set interfaces macsec macsec1 address '2001:db8::2/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01 + set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 source-interface 'eth1'
\ No newline at end of file diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 5850591c..d92ac080 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -40,30 +40,27 @@ Site-to-Site .. figure:: /_static/images/openvpn_site2site_diagram.jpg -While many are aware of OpenVPN as a Client VPN solution, it is often -overlooked as a site-to-site VPN solution due to lack of support for this mode -in many router platforms. +OpenVPN is popular for client-server setups, but its site-to-site mode +remains a relatively obscure feature, and many router appliances +still don't support it. However, it's very useful for quickly setting up +tunnels between routers. -Site-to-site mode supports x.509 but doesn't require it and can also work with -static keys, which is simpler in many cases. In this example, we'll configure -a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key. +As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates. -First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki/index:pki>` -command. Once generated, you will need to install this key on the local system, -then copy and install this key to the remote router. +The pre-shared key mode is deprecated and will be removed from future OpenVPN versions, +so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys +is significantly less secure than using TLS. -In our example, we used the key name ``openvpn-1`` which we will reference -in our configuration. +We'll configure OpenVPN using self-signed certificates, and then discuss the legacy +pre-shared key mode. + +In both cases, we will use the following settings: * The public IP address of the local side of the VPN will be 198.51.100.10. * The public IP address of the remote side of the VPN will be 203.0.113.11. * The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote. * The local site will have a subnet of 10.0.0.0/16. * The remote site will have a subnet of 10.1.0.0/16. -* Static Routing or other dynamic routing protocols can be used over the vtun interface -* OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, - while TCP will work better for lossy connections; generally UDP is preferred - when possible. * The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN. * The ``persistent-tunnel`` directive will allow us to configure tunnel-related @@ -73,85 +70,140 @@ in our configuration. ``remote-host`` directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router. +Setting up certificates +======================= -Local Configuration: +Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose +of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, +compared to server setups that need to support multiple clients. -.. code-block:: none +However, since VyOS 1.4, it is possible to verify self-signed certificates using +certificate fingerprints. - run generate pki openvpn shared-secret install openvpn-1 - Configure mode commands to install OpenVPN key: - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' - set pki openvpn shared-secret openvpn-1 version '1' - - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '203.0.113.11' - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 - set interfaces openvpn vtun1 local-address '10.255.1.1' - set interfaces openvpn vtun1 remote-address '10.255.1.2' +On both sides, you need to generate a self-signed certificate, preferrably using the "ec" (elliptic curve) type. +You can generate them by executing command ``run generate pki certificate self-signed install <name>`` in the configuration mode. +Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree. +You can then review the proposed changes and commit them. -Local Configuration - Annotated: +.. code-block:: none + + vyos@vyos# run generate pki certificate self-signed install openvpn-local + Enter private key type: [rsa, dsa, ec] (Default: rsa) ec + Enter private key bits: (Default: 256) + Enter country code: (Default: GB) + Enter state: (Default: Some-State) + Enter locality: (Default: Some-City) + Enter organization name: (Default: VyOS) + Enter common name: (Default: vyos.io) + Do you want to configure Subject Alternative Names? [y/N] + Enter how many days certificate will be valid: (Default: 365) + Enter certificate type: (client, server) (Default: server) + Note: If you plan to use the generated key on this router, do not encrypt the private key. + Do you want to encrypt the private key with a passphrase? [y/N] + 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + [edit] + + vyos@vyos# compare + [pki] + + certificate openvpn-local { + + certificate "MIICJTCCAcugAwIBAgIUMXLfRNJ5iOjk/ uAZqUe4phW8MdgwCgYIKoZIzj0EAwIwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA5MDcyMTQzMTNaFw0yNDA5MDYyMTQzMTNaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMWo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUBrAxRdFppdG/UBRdo7qNyHutaTQwHwYDVR0jBBgwFoAUBrAxRdFppdG/UBRdo7qNyHutaTQwCgYIKoZIzj0EAwIDSAAwRQIhAI2+8C92z9wTcTWkQ/goRxs10EBC+h78O+vgo9k97z5iAiBSeqfaVr5taQTS31+McGTAK3cYWNTg0DlOBI8aKO2oRg==" + + private { + + key "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtOeEb0dMb5P/2Exi09WWvk6Cvz0oOBoDuP68ZimS2LShRANCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMW" + + } + + } + + [edit] + + vyos@vyos# commit + +You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint. +OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command: .. code-block:: none - run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret. - The generated secret is the output to - the console. - Configure mode commands to install OpenVPN key: - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to - the console. - set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to - the console. + vyos@vyos# run show pki certificate openvpn-local fingerprint sha256 + 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79 - set interfaces openvpn vtun1 mode site-to-site - set interfaces openvpn vtun1 protocol udp - set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '203.0.113.11' # Pub IP of other site - set interfaces openvpn vtun1 local-port '1195' - set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name - set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface - set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface +Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary. +Repeat the procedure on the other router. -Remote Configuration: +Setting up OpenVPN +================== + +Local Configuration: .. code-block:: none - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' - set pki openvpn shared-secret openvpn-1 version '1' + Configure the tunnel: set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel - set interfaces openvpn vtun1 remote-host '198.51.100.10' + set interfaces openvpn vtun1 remote-host '203.0.113.11' # Public IP of the other side set interfaces openvpn vtun1 local-port '1195' set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 - set interfaces openvpn vtun1 local-address '10.255.1.2' - set interfaces openvpn vtun1 remote-address '10.255.1.1' + set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface + set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface + set interfaces openvpn vtun1 tls certificate 'openvpn-local' # The self-signed certificate + set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 + on the remote rout -Remote Configuration - Annotated: +Remote Configuration: .. code-block:: none - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret - (from the Local Configuration Block). - set pki openvpn shared-secret openvpn-1 version '1' - set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site set interfaces openvpn vtun1 local-port '1195' set interfaces openvpn vtun1 remote-port '1195' - set interfaces openvpn vtun1 shared-secret-key openvpn-1 # Locally generated secret name set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface + set interfaces openvpn vtun1 tls certificate 'openvpn-remote' # The self-signed certificate + set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 + on the local router + +Pre-shared keys +=============== + +Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. +That option is still available but it is deprecated and will be removed in the future. +However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN, +you need to still need to know how to use it. + +First, you need to generate a key by running ``run generate pki openvpn shared-secret install <name>`` from configuration mode. +You can use any name, we will use ``s2s``. + +.. code-block:: none + + vyos@local# run generate pki openvpn shared-secret install s2s + 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + [edit] + vyos@local# compare + [pki openvpn shared-secret] + + s2s { + + key "7c73046a9da91e874d31c7ad894a32688cda054bde157c64270f28eceebc0bb2f44dbb70335fad45148b0456aaa78cb34a34c0958eeed4f75e75fd99ff519ef940f7029a316c436d2366a2b0fb8ea1d1c792a65f67d10a461af83ef4530adc25d1c872de6d9c7d5f338223d1f3b66dc3311bbbddc0e05228c47b91c817c721aadc7ed18f0662df52ad14f898904372679e3d9697d062b0869d12de47ceb2e626fa12e1926a3119be37dd29c9b0ad81997230f4038926900d5edb78522d2940cfe207f8e2b948e0d459fa137ebb18064ac5982b28dd1899020b4f2b082a20d5d4eb65710fbb1e62b5e061df39620267eab429d3eedd9a1ae85957457c8e4655f3" + + version "1" + + } + [edit] + + vyos@local# commit + [edit] + +Then you need to install the key on the remote router: + +.. code-block:: none + + vyos@remote# set pki openvpn shared-secret s2s key <generated key string> + +Then you need to set the key in your OpenVPN interface settings: + +.. code-block:: none + + set interfaces openvpn vtun1 shared-secret-key s2s Firewall Exceptions =================== @@ -304,8 +356,8 @@ closing on connection resets or daemon reloads. set interfaces openvpn vtun10 persistent-tunnel set interfaces openvpn vtun10 protocol udp -Then we need to generate, add and specify the names of the cryptographic materials. -Each of the install command should be applied to the configuration and commited +Then we need to generate, add and specify the names of the cryptographic materials. +Each of the install command should be applied to the configuration and commited before using under the openvpn interface configuration. .. code-block:: none @@ -314,18 +366,18 @@ before using under the openvpn interface configuration. Configure mode commands to install: set pki ca ca-1 certificate 'generated_cert_string' set pki ca ca-1 private key 'generated_private_key' - + run generate pki certificate sign ca-1 install srv-1 # Follow the instructions to generate server cert. Configure mode commands to install: set pki certificate srv-1 certificate 'generated_server_cert' set pki certificate srv-1 private key 'generated_private_key' - - run generate pki dh install dh-1 # Follow the instructions to generate set of + + run generate pki dh install dh-1 # Follow the instructions to generate set of Diffie-Hellman parameters. Generating parameters... Configure mode commands to install DH parameters: set pki dh dh-1 parameters 'generated_dh_params_set' - + set interfaces openvpn vtun10 tls ca-certificate ca-1 set interfaces openvpn vtun10 tls certificate srv-1 set interfaces openvpn vtun10 tls dh-params dh-1 @@ -361,18 +413,18 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves: set protocols static route 10.23.0.0/20 interface vtun10 Additionally, each client needs a copy of ca cert and its own client key and -cert files. The files are plaintext so they may be copied either manually from the CLI. -Client key and cert files should be signed with the proper ca cert and generated on the -server side. +cert files. The files are plaintext so they may be copied either manually from the CLI. +Client key and cert files should be signed with the proper ca cert and generated on the +server side. HQ's router requires the following steps to generate crypto materials for the Branch 1: .. code-block:: none - - run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client + + run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client cert for Branch 1 Configure mode commands to install: - + Branch 1's router might have the following lines: .. code-block:: none @@ -380,7 +432,7 @@ Branch 1's router might have the following lines: set pki ca ca-1 certificate 'generated_cert_string' # CA cert generated on HQ router set pki certificate branch-1 certificate 'generated_branch_cert' # Client cert generated and signed on HQ router set pki certificate branch-1 private key 'generated_private_key' # Client cert key generated on HQ router - + set interfaces openvpn vtun10 tls ca-cert ca-1 set interfaces openvpn vtun10 tls certificate branch-1 @@ -513,6 +565,7 @@ example: } } + ****** Client ****** @@ -600,6 +653,50 @@ Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. quotes using the ``"`` statement. +********************************** +OpenVPN Data Channel Offload (DCO) +********************************** + +OpenVPN Data Channel Offload (DCO) enables significant performance enhancement +in encrypted OpenVPN data processing. By minimizing context switching for each +packet, DCO effectively reduces overhead. This optimization is achieved by +keeping most data handling tasks within the kernel, avoiding frequent switches +between kernel and user space for encryption and packet handling. + +As a result, the processing of each packet becomes more efficient, potentially +leveraging hardware encryption offloading support available in the kernel. + +.. note:: OpenVPN DCO is not full OpenVPN features supported , is currently + considered experimental. Furthermore, there are certain OpenVPN features and + use cases that remain incompatible with DCO. To get a comprehensive + understanding of the limitations associated with DCO, refer to the list of + known limitations in the documentation. + + https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features + + +Enabling OpenVPN DCO +==================== + +DCO support is a per-tunnel option and it is not automatically enabled by +default for new or upgraded tunnels. Existing tunnels will continue to function +as they have in the past. + +DCO can be enabled for both new and existing tunnels,VyOS adds an option in each +tunnel configuration where we can enable this function .The current best +practice is to create a new tunnel with DCO to minimize the chance of problems +with existing clients. + +.. cfgcmd:: set interfaces openvpn <name> offload dco + + Enable OpenVPN Data Channel Offload feature by loading the appropriate kernel + module. + + Disabled by default - no kernel module loaded. + + .. note:: Enable this feature causes an interface reset. + + Troubleshooting =============== diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 74a43bb5..b37e95a2 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -143,6 +143,19 @@ PPPoE options set interfaces pppoe pppoe0 default-route-distance 220 +.. cfgcmd:: set interfaces pppoe <interface> mru <mru> + + Set the :abbr:`MRU (Maximum Receive Unit)` to `mru`. PPPd will ask the peer to + send packets of no more than `mru` bytes. The value of `mru` must be between 128 + and 16384. + + A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 + bytes of data). + + The default is 1492. + + .. note:: When using the IPv6 protocol, MRU must be at least 1280 bytes. + .. cfgcmd:: set interfaces pppoe <interface> idle-timeout <time> Use this command to set the idle timeout interval to be used with on-demand @@ -245,8 +258,8 @@ IPv6 .. note:: This command was introduced in VyOS 1.4 - it was previously called: ``set firewall options interface <name> adjust-mss <value>`` - .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in - 1452 bytes on a 1492 byte MTU. + .. hint:: MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in + 1432 bytes on a 1492 byte MTU. Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to automatically set the proper value. diff --git a/docs/configuration/interfaces/virtual-ethernet.rst b/docs/configuration/interfaces/virtual-ethernet.rst index a6988318..3324feb6 100644 --- a/docs/configuration/interfaces/virtual-ethernet.rst +++ b/docs/configuration/interfaces/virtual-ethernet.rst @@ -26,6 +26,21 @@ Common interface configuration .. cmdinclude:: /_include/interface-description.txt :var0: virtual-ethernet :var1: veth0 +VLAN +==== + +Regular VLANs (802.1q) +---------------------- +.. cmdinclude:: /_include/interface-vlan-8021q.txt + :var0: virtual-ethernet + :var1: veth0 + +QinQ (802.1ad) +-------------- + +.. cmdinclude:: /_include/interface-vlan-8021ad.txt + :var0: virtual-ethernet + :var1: veth0 .. cmdinclude:: /_include/interface-disable.txt :var0: virtual-ethernet diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index 86568686..af00fdec 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst @@ -67,15 +67,36 @@ VXLAN specific options Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN. -.. cfgcmd:: set interfaces vxlan <interface> external +.. cfgcmd:: set interfaces vxlan <interface> gpe + + Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only + supported together with the external keyword. + +.. cfgcmd:: set interfaces vxlan <interface> parameters external Specifies whether an external control plane (e.g. BGP L2VPN/EVPN) or the internal FDB should be used. -.. cfgcmd:: set interfaces vxlan <interface> gpe +.. cfgcmd:: set interfaces vxlan <interface> parameters neighbor-suppress - Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only - supported together with the external keyword. + In order to minimize the flooding of ARP and ND messages in the VXLAN network, + EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs + to suppress such messages in case they know the MAC-IP binding and can reply + on behalf of the remote host. + +.. cfgcmd:: set interfaces vxlan <interface> parameters nolearning + + Specifies if unknown source link layer addresses and IP addresses are entered + into the VXLAN device forwarding database. + +.. cfgcmd:: set interfaces vxlan <interface> parameters vni-filter + + Specifies whether the VXLAN device is capable of vni filtering. + + Only works with a VXLAN device with external flag set. + + .. note:: The device can only receive packets with VNIs configured in + the VNI filtering table. Unicast ^^^^^^^ @@ -132,6 +153,36 @@ For optimal scalability, Multicast shouldn't be used at all, but instead use BGP to signal all connected devices between leaves. Unfortunately, VyOS does not yet support this. +Single VXLAN device (SVD) +========================= + +FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when +working with the Linux kernel. In this new way, the mapping of a VLAN to a +:abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))` is configured +against a container VXLAN interface which is referred to as a +:abbr:`SVD (Single VXLAN device)`. + +Multiple VLAN to VNI mappings can be configured against the same SVD. This +allows for a significant scaling of the number of VNIs since a separate VXLAN +interface is no longer required for each VNI. + +.. cfgcmd:: set interfaces vxlan <interface> vlan-to-vni <vlan> vni <vni> + + Maps the VNI to the specified VLAN id. The VLAN can then be consumed by + a bridge. + + Sample configuration of SVD with VLAN to VNI mappings is shown below. + + .. code-block:: none + + set interfaces bridge br0 member interface vxlan0 + set interfaces vxlan vxlan0 parameters external + set interfaces vxlan vxlan0 source-interface 'dum0' + set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' + set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' + set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030' + set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031' + Example ------- @@ -252,7 +303,7 @@ advertised. set interfaces bridge br241 member interface 'eth1.241' set interfaces bridge br241 member interface 'vxlan241' -Binds eth1.241 and vxlan241 to each other by making them both member +Binds eth1.241 and vxlan241 to each other by making them both member interfaces of the same bridge. .. code-block:: none diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 18a888df..885720e1 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -183,6 +183,10 @@ traffic. The command :opcmd:`show interfaces wireguard wg01 public-key` will then show the public key, which needs to be shared with the peer. +.. cmdinclude:: /_include/interface-per-client-thread.txt + :var0: wireguard + :var1: wg01 + **remote side - commands** .. code-block:: none @@ -194,6 +198,7 @@ traffic. set interfaces wireguard wg01 peer to-wg01 port '51820' set interfaces wireguard wg01 peer to-wg01 public-key 'EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw=' set interfaces wireguard wg01 port '51820' + set interfaces wireguard wg01 private-key 'OLTQY3HuK5qWDgVs6fJR093SwPgOmCKkDI1+vJLGoFU=' set protocols static route 192.168.1.0/24 interface wg01 @@ -206,18 +211,18 @@ firewall exception. .. code-block:: none - set firewall name OUTSIDE_LOCAL rule 10 action accept - set firewall name OUTSIDE_LOCAL rule 10 description 'Allow established/related' - set firewall name OUTSIDE_LOCAL rule 10 state established enable - set firewall name OUTSIDE_LOCAL rule 10 state related enable - set firewall name OUTSIDE_LOCAL rule 20 action accept - set firewall name OUTSIDE_LOCAL rule 20 description WireGuard_IN - set firewall name OUTSIDE_LOCAL rule 20 destination port 51820 - set firewall name OUTSIDE_LOCAL rule 20 log enable - set firewall name OUTSIDE_LOCAL rule 20 protocol udp - set firewall name OUTSIDE_LOCAL rule 20 source - -You should also ensure that the OUTISDE_LOCAL firewall group is applied to the + set firewall ipv4 name OUTSIDE_LOCAL rule 10 action accept + set firewall ipv4 name OUTSIDE_LOCAL rule 10 description 'Allow established/related' + set firewall ipv4 name OUTSIDE_LOCAL rule 10 state established enable + set firewall ipv4 name OUTSIDE_LOCAL rule 10 state related enable + set firewall ipv4 name OUTSIDE_LOCAL rule 20 action accept + set firewall ipv4 name OUTSIDE_LOCAL rule 20 description WireGuard_IN + set firewall ipv4 name OUTSIDE_LOCAL rule 20 destination port 51820 + set firewall ipv4 name OUTSIDE_LOCAL rule 20 log enable + set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol udp + set firewall ipv4 name OUTSIDE_LOCAL rule 20 source + +You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local). .. code-block:: none @@ -291,6 +296,7 @@ value needs to be lower than the UDP timeout. pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00= } port 2224 + private-key OLTQY3HuK5qWDgVs6fJR093SwPgOmCKkDI1+vJLGoFU= } The following is the config for the iPhone peer above. It's important to @@ -407,7 +413,7 @@ the VyOS CLI. into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet. - In addition you will specifiy the IP address or FQDN for the client where it + In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address. diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index f45101b5..df153763 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -122,6 +122,10 @@ Wireless options * ``station`` - Connects to another access point * ``monitor`` - Passively monitor all packets on the frequency/channel +.. cmdinclude:: /_include/interface-per-client-thread.txt + :var0: wireless + :var1: wlan0 + PPDU ---- @@ -304,6 +308,7 @@ default physical device (``phy0``) is used. set interfaces wireless wlan0 type station set interfaces wireless wlan0 address dhcp + set interfaces wireless wlan0 country-code de set interfaces wireless wlan0 ssid Test set interfaces wireless wlan0 security wpa passphrase '12345678' @@ -315,6 +320,7 @@ Resulting in [...] wireless wlan0 { address dhcp + country-code de security { wpa { passphrase "12345678" @@ -350,6 +356,7 @@ The WAP in this example has the following characteristics: .. code-block:: none set interfaces wireless wlan0 address '192.168.2.1/24' + set interfaces wireless wlan0 country-code de set interfaces wireless wlan0 type access-point set interfaces wireless wlan0 channel 1 set interfaces wireless wlan0 mode n @@ -367,6 +374,7 @@ Resulting in [...] wireless wlan0 { address 192.168.2.1/24 + country-code de channel 1 mode n security { @@ -385,11 +393,6 @@ Resulting in type access-point } } - system { - [...] - wifi-regulatory-domain DE - } - VLAN ==== @@ -559,6 +562,7 @@ The WAP in this example has the following characteristics: set interfaces wireless wlan0 security wpa mode wpa2 set interfaces wireless wlan0 security wpa cipher CCMP set interfaces wireless wlan0 security wpa passphrase '12345678' + set interfaces wireless wlan0 country-code de Resulting in @@ -569,6 +573,7 @@ Resulting in wireless wlan0 { address 192.168.2.1/24 channel 1 + country-code de mode n security { wpa { diff --git a/docs/configuration/loadbalancing/index.rst b/docs/configuration/loadbalancing/index.rst index 18f01347..382bd0d7 100644 --- a/docs/configuration/loadbalancing/index.rst +++ b/docs/configuration/loadbalancing/index.rst @@ -1,315 +1,12 @@ -:lastproofread: 2023-01-27 - .. _load-balancing: -WAN load balancing -================== - -Outbound traffic can be balanced between two or more outbound interfaces. -If a path fails, traffic is balanced across the remaining healthy paths, -a recovered path is automatically added back to the routing table and used by -the load balancer. The load balancer automatically adds routes for each path to -the routing table and balances traffic across the configured interfaces, -determined by interface health and weight. - - -In a minimal configuration, the following must be provided: - - * an interface with a nexthop - * one rule with a LAN (inbound-interface) and the WAN (interface). - -Let's assume we have two DHCP WAN interfaces and one LAN (eth2): - -.. code-block:: none - - set load-balancing wan interface-health eth0 nexthop 'dhcp' - set load-balancing wan interface-health eth1 nexthop 'dhcp' - set load-balancing wan rule 1 inbound-interface 'eth2' - set load-balancing wan rule 1 interface eth0 - set load-balancing wan rule 1 interface eth1 - -.. note:: - - WAN Load Balacing should not be used when dynamic routing protocol is - used/needed. This feature creates customized routing tables and firewall - rules, that makes it incompatible to use with routing protocols. - -Balancing Rules ---------------- - -Interfaces, their weight and the type of traffic to be balanced are defined in -numbered balancing rule sets. The rule sets are executed in numerical order -against outgoing packets. In case of a match the packet is sent through an -interface specified in the matching rule. If a packet doesn't match any rule -it is sent by using the system routing table. Rule numbers can't be changed. - -Create a load balancing rule, it can be a number between 1 and 9999: - -.. code-block:: none - - vyos@vyos# set load-balancing wan rule 1 - Possible completions: - description Description for this rule - > destination Destination - exclude Exclude packets matching this rule from wan load balance - failover Enable failover for packets matching this rule from wan load balance - inbound-interface Inbound interface name (e.g., "eth0") [REQUIRED] - +> interface Interface name [REQUIRED] - > limit Enable packet limit for this rule - per-packet-balancing Option to match traffic per-packet instead of the default, per-flow - protocol Protocol to match - > source Source information - -Interface weight -**************** - -Let's expand the example from above and add weight to the interfaces. -The bandwidth from eth0 is larger than eth1. Per default, outbound traffic is -distributed randomly across available interfaces. Weights can be assigned to -interfaces to influence the balancing. - -.. code-block:: none - - set load-balancing wan rule 1 interface eth0 weight 2 - set load-balancing wan rule 1 interface eth1 weight 1 - -66% of traffic is routed to eth0, eth1 gets 33% of traffic. - -Rate limit -********** - -A packet rate limit can be set for a rule to apply the rule to traffic above or -below a specified threshold. To configure the rate limiting use: - -.. code-block:: none - - set load-balancing wan rule <rule> limit <parameter> - -* ``burst``: Number of packets allowed to overshoot the limit within ``period``. - Default 5. -* ``period``: Time window for rate calculation. Possible values: - ``second`` (one second), ``minute`` (one minute), ``hour`` (one hour). - Default is ``second``. -* ``rate``: Number of packets. Default 5. -* ``threshold``: ``below`` or ``above`` the specified rate limit. - -Flow and packet-based balancing -******************************* - -Outgoing traffic is balanced in a flow-based manner. -A connection tracking table is used to track flows by their source address, -destination address and port. Each flow is assigned to an interface according -to the defined balancing rules and subsequent packets are sent through the -same interface. This has the advantage that packets always arrive in order if -links with different speeds are in use. - -Packet-based balancing can lead to a better balance across interfaces when out -of order packets are no issue. Per-packet-based balancing can be set for a -balancing rule with: - -.. code-block:: none - - set load-balancing wan rule <rule> per-packet-balancing - -Exclude traffic -*************** - -To exclude traffic from load balancing, traffic matching an exclude rule is not -balanced but routed through the system routing table instead: - -.. code-block:: none - - set load-balancing wan rule <rule> exclude - - -Health checks -------------- - -The health of interfaces and paths assigned to the load balancer is -periodically checked by sending ICMP packets (ping) to remote destinations, -a TTL test or the execution of a user defined script. If an interface fails the -health check it is removed from the load balancer's pool of interfaces. -To enable health checking for an interface: - -.. code-block:: none - - vyos@vyos# set load-balancing wan interface-health <interface> - Possible completions: - failure-count Failure count - nexthop Outbound interface nexthop address. Can be 'dhcp or ip address' [REQUIRED] - success-count Success count - +> test Rule number - -Specify nexthop on the path to the destination, ``ipv4-address`` can be set to -``dhcp`` - -.. code-block:: none - - set load-balancing wan interface-health <interface> nexthop <ipv4-address> - -Set the number of health check failures before an interface is marked as -unavailable, range for number is 1 to 10, default 1. Or set the number of -successful health checks before an interface is added back to the interface -pool, range for number is 1 to 10, default 1. - -.. code-block:: none - - set load-balancing wan interface-health <interface> failure-count <number> - set load-balancing wan interface-health <interface> success-count <number> - -Each health check is configured in its own test, tests are numbered and -processed in numeric order. For multi target health checking multiple tests -can be defined: - -.. code-block:: none - - vyos@vyos# set load-balancing wan interface-health eth1 test 0 - Possible completions: - resp-time Ping response time (seconds) - target Health target address - test-script Path to user defined script - ttl-limit Ttl limit (hop count) - type WLB test type - -* ``resp-time``: the maximum response time for ping in seconds. - Range 1...30, default 5 -* ``target``: the target to be sent ICMP packets to, address can be an IPv4 - address or hostname -* ``test-script``: A user defined script must return 0 to be considered - successful and non-zero to fail. Scripts are located in /config/scripts, - for different locations the full path needs to be provided -* ``ttl-limit``: For the UDP TTL limit test the hop count limit must be - specified. The limit must be shorter than the path length, an ICMP time - expired message is needed to be returned for a successful test. default 1 -* ``type``: Specify the type of test. type can be ping, ttl or a user defined - script - -Source NAT rules ----------------- - -Per default, interfaces used in a load balancing pool replace the source IP -of each outgoing packet with its own address to ensure that replies arrive on -the same interface. This works through automatically generated source NAT (SNAT) -rules, these rules are only applied to balanced traffic. In cases where this -behaviour is not desired, the automatic generation of SNAT rules can be -disabled: - -.. code-block:: none - - set load-balancing wan disable-source-nat - -Sticky Connections ------------------- -Inbound connections to a WAN interface can be improperly handled when the reply -is sent back to the client. - -.. image:: /_static/images/sticky-connections.jpg - :width: 80% - :align: center - - -Upon reception of an incoming packet, when a response is sent, it might be -desired to ensure that it leaves from the same interface as the inbound one. -This can be achieved by enabling sticky connections in the load balancing: - -.. code-block:: none - - set load-balancing wan sticky-connections inbound - -Failover --------- - -In failover mode, one interface is set to be the primary interface and other -interfaces are secondary or spare. Instead of balancing traffic across all -healthy interfaces, only the primary interface is used and in case of failure, -a secondary interface selected from the pool of available interfaces takes over. -The primary interface is selected based on its weight and health, others become -secondary interfaces. Secondary interfaces to take over a failed primary -interface are chosen from the load balancer's interface pool, depending -on their weight and health. Interface roles can also be selected based on rule -order by including interfaces in balancing rules and ordering those rules -accordingly. To put the load balancer in failover mode, create a failover rule: - -.. code-block:: none - - set load-balancing wan rule <number> failover - -Because existing sessions do not automatically fail over to a new path, -the session table can be flushed on each connection state change: - -.. code-block:: none - - set load-balancing wan flush-connections - -.. warning:: - - Flushing the session table will cause other connections to fall back from - flow-based to packet-based balancing until each flow is reestablished. - -Script execution ----------------- - -A script can be run when an interface state change occurs. Scripts are run -from /config/scripts, for a different location specify the full path: - -.. code-block:: none - - set load-balancing wan hook script-name - -Two environment variables are available: - -* ``WLB_INTERFACE_NAME=[interfacename]``: Interface to be monitored -* ``WLB_INTERFACE_STATE=[ACTIVE|FAILED]``: Interface state - -.. warning:: - - Blocking call with no timeout. System will become unresponsive if script - does not return! - -Handling and monitoring ------------------------ - - -Show WAN load balancer information including test types and targets. -A character at the start of each line depicts the state of the test - -* ``+`` successful -* ``-`` failed -* a blank indicates that no test has been carried out - -.. code-block:: none - - vyos@vyos:~$ show wan-load-balance - Interface: eth0 - Status: failed - Last Status Change: Tue Jun 11 20:12:19 2019 - -Test: ping Target: - Last Interface Success: 55s - Last Interface Failure: 0s - # Interface Failure(s): 5 - - Interface: eth1 - Status: active - Last Status Change: Tue Jun 11 20:06:42 2019 - +Test: ping Target: - Last Interface Success: 0s - Last Interface Failure: 6m26s - # Interface Failure(s): 0 - -Show connection data of load balanced traffic: - -.. code-block:: none - - vyos@vyos:~$ show wan-load-balance connection - conntrack v1.4.2 (conntrack-tools): 3 flow entries have been shown. - Type State Src Dst Packets Bytes - tcp TIME_WAIT 10.1.1.13:38040 203.0.113.2:80 203.0.113.2 192.168.188.71 - udp 10.1.1.13:41891 198.51.100.3:53 198.51.100.3 192.168.188.71 - udp 10.1.1.13:55437 198.51.100.3:53 198.51.100.3 192.168.188.71 - -Restart -******* +############## +Load-balancing +############## -.. code-block:: none +.. toctree:: + :maxdepth: 1 + :includehidden: - restart wan-load-balance + wan + reverse-proxy diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst new file mode 100644 index 00000000..04b612f5 --- /dev/null +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -0,0 +1,289 @@ + +############# +Reverse-proxy +############# + +.. include:: /_include/need_improvement.txt + +VyOS reverse-proxy is balancer and proxy server that provides +high-availability, load balancing and proxying for TCP (level 4) +and HTTP-based (level 7) applications. + +Configuration +============= + + +Service configuration is responsible for binding to a specific port, +while the backend configuration determines the type of load balancing +to be applied and specifies the real servers to be utilized. + +Service +------- + +.. cfgcmd:: set load-balancing reverse-proxy service <name> listen-address + <address> + + Set service to bind on IP address, by default listen on any IPv4 and IPv6 + +.. cfgcmd:: set load-balancing reverse-proxy service <name> port + <port> + + Create service `<name>` to listen on <port> + +.. cfgcmd:: set load-balancing reverse-proxy service <name> mode + <tcp|http> + + Configure service `<name>` mode TCP or HTTP + +.. cfgcmd:: set load-balancing reverse-proxy service <name> backend + <name> + + Configure service `<name>` to use the backend <name> + +.. cfgcmd:: set load-balancing reverse-proxy service <name> ssl + certificate <name> + + Set SSL certeficate <name> for service <name> + + +Rules +^^^^^ +Rules allow to control and route incoming traffic to specific backend based +on predefined conditions. Rules allow to define matching criteria and +perform action accordingly. + +.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> + domain-name <name> + + Match domain name + +.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> + ssl <sni> + + SSL match Server Name Indication (SNI) option: + * ``req-ssl-sni`` SSL Server Name Indication (SNI) request match + * ``ssl-fc-sni`` SSL frontend connection Server Name Indication match + * ``ssl-fc-sni-end`` SSL frontend match end of connection Server Name + + Indication + +.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> + url-path <match> <url> + + Allows to define URL path matching rules for a specific service. + + With this command, you can specify how the URL path should be matched + against incoming requests. + + The available options for <match> are: + * ``begin`` Matches the beginning of the URL path + * ``end`` Matches the end of the URL path. + * ``exact`` Requires an exactly match of the URL path + +.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> + set backend <name> + + Assign a specific backend to a rule + +.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> + redirect-location <url> + + Redirect URL to a new location + + +Backend +------- + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> balance + <balance> + + Load-balancing algorithms to be used for distributind requests among the + vailable servers + + Balance algorithms: + * ``source-address`` Distributes requests based on the source IP address + of the client + * ``round-robin`` Distributes requests in a circular manner, + sequentially sending each request to the next server in line + * ``least-connection`` Distributes requests tp tje server wotj the fewest + active connections + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> mode + <mode> + + Configure backend `<name>` mode TCP or HTTP + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> parameters + http-check + + Enable layer 7 HTTP health check + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> server + <name> address <x.x.x.x> + + Set the address of the backend server to which the incoming traffic will + be forwarded + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> server + <name> port <port> + + Set the address of the backend port + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> server + <name> check + + Active health check backend server + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> server + <name> send-proxy + + Send a Proxy Protocol version 1 header (text format) + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> server + <name> send-proxy-v2 + + Send a Proxy Protocol version 2 header (binary format) + + + +Gloabal +------- + +Global parameters + +.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections + <num> + + Limit maximum number of connections + +.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers + <ciphers> + + Limit allowed cipher algorithms used during SSL/TLS handshake + +.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min + <version> + + Specify the minimum required TLS version 1.2 or 1.3 + + +Redirect HTTP to HTTPS +====================== +Configure the load-balancing reverse-proxy service for HTTP. + +This configuration listen on port 80 and redirect incoming +requests to HTTPS: + +.. code-block:: none + + set load-balancing reverse-proxy service http port '80' + set load-balancing reverse-proxy service http redirect-http-to-https + +The name of the service can be different, in this example it is only for +convenience. + + +Examples +======== + +Level 4 balancing +----------------- + +This configuration enables the TCP reverse proxy for the "my-tcp-api" service. +Incoming TCP connections on port 8888 will be load balanced across the backend +servers (srv01 and srv02) using the round-robin load-balancing algorithm. + +.. code-block:: none + + set load-balancing reverse-proxy service my-tcp-api backend 'bk-01' + set load-balancing reverse-proxy service my-tcp-api mode 'tcp' + set load-balancing reverse-proxy service my-tcp-api port '8888' + + set load-balancing reverse-proxy backend bk-01 balance 'round-robin' + set load-balancing reverse-proxy backend bk-01 mode 'tcp' + + set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11' + set load-balancing reverse-proxy backend bk-01 server srv01 port '8881' + set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12' + set load-balancing reverse-proxy backend bk-01 server srv02 port '8882' + +Balancing based on domain name +------------------------------ +The following configuration demonstrates how to use VyOS +to achieve load balancing based on the domain name. + +The HTTP service listen on TCP port 80. + +Rule 10 matches requests with the domain name ``node1.example.com`` forwards +to the backend ``bk-api-01`` + +Rule 20 matches requests with the domain name ``node2.example.com`` forwards +to the backend ``bk-api-02`` + +.. code-block:: none + + set load-balancing reverse-proxy service http description 'bind app listen on 443 port' + set load-balancing reverse-proxy service http mode 'tcp' + set load-balancing reverse-proxy service http port '80' + + set load-balancing reverse-proxy service http rule 10 domain-name 'node1.example.com' + set load-balancing reverse-proxy service http rule 10 set backend 'bk-api-01' + set load-balancing reverse-proxy service http rule 20 domain-name 'node2.example.com' + set load-balancing reverse-proxy service http rule 20 set backend 'bk-api-02' + + set load-balancing reverse-proxy backend bk-api-01 description 'My API-1' + set load-balancing reverse-proxy backend bk-api-01 mode 'tcp' + set load-balancing reverse-proxy backend bk-api-01 server api01 address '127.0.0.1' + set load-balancing reverse-proxy backend bk-api-01 server api01 port '4431' + set load-balancing reverse-proxy backend bk-api-02 description 'My API-2' + set load-balancing reverse-proxy backend bk-api-02 mode 'tcp' + set load-balancing reverse-proxy backend bk-api-02 server api01 address '127.0.0.2' + set load-balancing reverse-proxy backend bk-api-02 server api01 port '4432' + + +Terminate SSL +------------- +The following configuration reverse-proxy terminate SSL. + +The ``http`` service is lestens on port 80 and force redirects from HTTP to +HTTPS. + +The ``https`` service listens on port 443 with backend `bk-default` to +handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination. + +Rule 10 matches requests with the exact URL path ``/.well-known/xxx`` +and redirects to location ``/certs/``. + +Rule 20 matches requests with URL paths ending in ``/mail`` or exact +path ``/email/bar`` redirect to location ``/postfix/``. + +Additional global parameters are set, including the maximum number +connection limit of 4000 and a minimum TLS version of 1.3. + + +.. code-block:: none + + set load-balancing reverse-proxy service http description 'Force redirect to HTTPS' + set load-balancing reverse-proxy service http port '80' + set load-balancing reverse-proxy service http redirect-http-to-https + + set load-balancing reverse-proxy service https backend 'bk-default' + set load-balancing reverse-proxy service https description 'listen on 443 port' + set load-balancing reverse-proxy service https mode 'http' + set load-balancing reverse-proxy service https port '443' + set load-balancing reverse-proxy service https ssl certificate 'cert' + + set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx' + set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/' + set load-balancing reverse-proxy service https rule 20 url-path end '/mail' + set load-balancing reverse-proxy service https rule 20 url-path exact '/email/bar' + set load-balancing reverse-proxy service https rule 20 set redirect-location '/postfix/' + + set load-balancing reverse-proxy backend bk-default description 'Default backend' + set load-balancing reverse-proxy backend bk-default mode 'http' + set load-balancing reverse-proxy backend bk-default server sr01 address '192.0.2.23' + set load-balancing reverse-proxy backend bk-default server sr01 port '80' + + set load-balancing reverse-proxy global-parameters max-connections '4000' + set load-balancing reverse-proxy global-parameters tls-version-min '1.3' + diff --git a/docs/configuration/loadbalancing/wan.rst b/docs/configuration/loadbalancing/wan.rst new file mode 100644 index 00000000..745cd8c2 --- /dev/null +++ b/docs/configuration/loadbalancing/wan.rst @@ -0,0 +1,313 @@ +:lastproofread: 2023-01-27 + +WAN load balancing +================== + +Outbound traffic can be balanced between two or more outbound interfaces. +If a path fails, traffic is balanced across the remaining healthy paths, +a recovered path is automatically added back to the routing table and used by +the load balancer. The load balancer automatically adds routes for each path to +the routing table and balances traffic across the configured interfaces, +determined by interface health and weight. + + +In a minimal configuration, the following must be provided: + + * an interface with a nexthop + * one rule with a LAN (inbound-interface) and the WAN (interface). + +Let's assume we have two DHCP WAN interfaces and one LAN (eth2): + +.. code-block:: none + + set load-balancing wan interface-health eth0 nexthop 'dhcp' + set load-balancing wan interface-health eth1 nexthop 'dhcp' + set load-balancing wan rule 1 inbound-interface 'eth2' + set load-balancing wan rule 1 interface eth0 + set load-balancing wan rule 1 interface eth1 + +.. note:: + + WAN Load Balacing should not be used when dynamic routing protocol is + used/needed. This feature creates customized routing tables and firewall + rules, that makes it incompatible to use with routing protocols. + +Balancing Rules +--------------- + +Interfaces, their weight and the type of traffic to be balanced are defined in +numbered balancing rule sets. The rule sets are executed in numerical order +against outgoing packets. In case of a match the packet is sent through an +interface specified in the matching rule. If a packet doesn't match any rule +it is sent by using the system routing table. Rule numbers can't be changed. + +Create a load balancing rule, it can be a number between 1 and 9999: + +.. code-block:: none + + vyos@vyos# set load-balancing wan rule 1 + Possible completions: + description Description for this rule + > destination Destination + exclude Exclude packets matching this rule from wan load balance + failover Enable failover for packets matching this rule from wan load balance + inbound-interface Inbound interface name (e.g., "eth0") [REQUIRED] + +> interface Interface name [REQUIRED] + > limit Enable packet limit for this rule + per-packet-balancing Option to match traffic per-packet instead of the default, per-flow + protocol Protocol to match + > source Source information + +Interface weight +**************** + +Let's expand the example from above and add weight to the interfaces. +The bandwidth from eth0 is larger than eth1. Per default, outbound traffic is +distributed randomly across available interfaces. Weights can be assigned to +interfaces to influence the balancing. + +.. code-block:: none + + set load-balancing wan rule 1 interface eth0 weight 2 + set load-balancing wan rule 1 interface eth1 weight 1 + +66% of traffic is routed to eth0, eth1 gets 33% of traffic. + +Rate limit +********** + +A packet rate limit can be set for a rule to apply the rule to traffic above or +below a specified threshold. To configure the rate limiting use: + +.. code-block:: none + + set load-balancing wan rule <rule> limit <parameter> + +* ``burst``: Number of packets allowed to overshoot the limit within ``period``. + Default 5. +* ``period``: Time window for rate calculation. Possible values: + ``second`` (one second), ``minute`` (one minute), ``hour`` (one hour). + Default is ``second``. +* ``rate``: Number of packets. Default 5. +* ``threshold``: ``below`` or ``above`` the specified rate limit. + +Flow and packet-based balancing +******************************* + +Outgoing traffic is balanced in a flow-based manner. +A connection tracking table is used to track flows by their source address, +destination address and port. Each flow is assigned to an interface according +to the defined balancing rules and subsequent packets are sent through the +same interface. This has the advantage that packets always arrive in order if +links with different speeds are in use. + +Packet-based balancing can lead to a better balance across interfaces when out +of order packets are no issue. Per-packet-based balancing can be set for a +balancing rule with: + +.. code-block:: none + + set load-balancing wan rule <rule> per-packet-balancing + +Exclude traffic +*************** + +To exclude traffic from load balancing, traffic matching an exclude rule is not +balanced but routed through the system routing table instead: + +.. code-block:: none + + set load-balancing wan rule <rule> exclude + + +Health checks +------------- + +The health of interfaces and paths assigned to the load balancer is +periodically checked by sending ICMP packets (ping) to remote destinations, +a TTL test or the execution of a user defined script. If an interface fails the +health check it is removed from the load balancer's pool of interfaces. +To enable health checking for an interface: + +.. code-block:: none + + vyos@vyos# set load-balancing wan interface-health <interface> + Possible completions: + failure-count Failure count + nexthop Outbound interface nexthop address. Can be 'dhcp or ip address' [REQUIRED] + success-count Success count + +> test Rule number + +Specify nexthop on the path to the destination, ``ipv4-address`` can be set to +``dhcp`` + +.. code-block:: none + + set load-balancing wan interface-health <interface> nexthop <ipv4-address> + +Set the number of health check failures before an interface is marked as +unavailable, range for number is 1 to 10, default 1. Or set the number of +successful health checks before an interface is added back to the interface +pool, range for number is 1 to 10, default 1. + +.. code-block:: none + + set load-balancing wan interface-health <interface> failure-count <number> + set load-balancing wan interface-health <interface> success-count <number> + +Each health check is configured in its own test, tests are numbered and +processed in numeric order. For multi target health checking multiple tests +can be defined: + +.. code-block:: none + + vyos@vyos# set load-balancing wan interface-health eth1 test 0 + Possible completions: + resp-time Ping response time (seconds) + target Health target address + test-script Path to user defined script + ttl-limit Ttl limit (hop count) + type WLB test type + +* ``resp-time``: the maximum response time for ping in seconds. + Range 1...30, default 5 +* ``target``: the target to be sent ICMP packets to, address can be an IPv4 + address or hostname +* ``test-script``: A user defined script must return 0 to be considered + successful and non-zero to fail. Scripts are located in /config/scripts, + for different locations the full path needs to be provided +* ``ttl-limit``: For the UDP TTL limit test the hop count limit must be + specified. The limit must be shorter than the path length, an ICMP time + expired message is needed to be returned for a successful test. default 1 +* ``type``: Specify the type of test. type can be ping, ttl or a user defined + script + +Source NAT rules +---------------- + +Per default, interfaces used in a load balancing pool replace the source IP +of each outgoing packet with its own address to ensure that replies arrive on +the same interface. This works through automatically generated source NAT (SNAT) +rules, these rules are only applied to balanced traffic. In cases where this +behaviour is not desired, the automatic generation of SNAT rules can be +disabled: + +.. code-block:: none + + set load-balancing wan disable-source-nat + +Sticky Connections +------------------ +Inbound connections to a WAN interface can be improperly handled when the reply +is sent back to the client. + +.. image:: /_static/images/sticky-connections.jpg + :width: 80% + :align: center + + +Upon reception of an incoming packet, when a response is sent, it might be +desired to ensure that it leaves from the same interface as the inbound one. +This can be achieved by enabling sticky connections in the load balancing: + +.. code-block:: none + + set load-balancing wan sticky-connections inbound + +Failover +-------- + +In failover mode, one interface is set to be the primary interface and other +interfaces are secondary or spare. Instead of balancing traffic across all +healthy interfaces, only the primary interface is used and in case of failure, +a secondary interface selected from the pool of available interfaces takes over. +The primary interface is selected based on its weight and health, others become +secondary interfaces. Secondary interfaces to take over a failed primary +interface are chosen from the load balancer's interface pool, depending +on their weight and health. Interface roles can also be selected based on rule +order by including interfaces in balancing rules and ordering those rules +accordingly. To put the load balancer in failover mode, create a failover rule: + +.. code-block:: none + + set load-balancing wan rule <number> failover + +Because existing sessions do not automatically fail over to a new path, +the session table can be flushed on each connection state change: + +.. code-block:: none + + set load-balancing wan flush-connections + +.. warning:: + + Flushing the session table will cause other connections to fall back from + flow-based to packet-based balancing until each flow is reestablished. + +Script execution +---------------- + +A script can be run when an interface state change occurs. Scripts are run +from /config/scripts, for a different location specify the full path: + +.. code-block:: none + + set load-balancing wan hook script-name + +Two environment variables are available: + +* ``WLB_INTERFACE_NAME=[interfacename]``: Interface to be monitored +* ``WLB_INTERFACE_STATE=[ACTIVE|FAILED]``: Interface state + +.. warning:: + + Blocking call with no timeout. System will become unresponsive if script + does not return! + +Handling and monitoring +----------------------- + + +Show WAN load balancer information including test types and targets. +A character at the start of each line depicts the state of the test + +* ``+`` successful +* ``-`` failed +* a blank indicates that no test has been carried out + +.. code-block:: none + + vyos@vyos:~$ show wan-load-balance + Interface: eth0 + Status: failed + Last Status Change: Tue Jun 11 20:12:19 2019 + -Test: ping Target: + Last Interface Success: 55s + Last Interface Failure: 0s + # Interface Failure(s): 5 + + Interface: eth1 + Status: active + Last Status Change: Tue Jun 11 20:06:42 2019 + +Test: ping Target: + Last Interface Success: 0s + Last Interface Failure: 6m26s + # Interface Failure(s): 0 + +Show connection data of load balanced traffic: + +.. code-block:: none + + vyos@vyos:~$ show wan-load-balance connection + conntrack v1.4.2 (conntrack-tools): 3 flow entries have been shown. + Type State Src Dst Packets Bytes + tcp TIME_WAIT 10.1.1.13:38040 203.0.113.2:80 203.0.113.2 192.168.188.71 + udp 10.1.1.13:41891 198.51.100.3:53 198.51.100.3 192.168.188.71 + udp 10.1.1.13:55437 198.51.100.3:53 198.51.100.3 192.168.188.71 + +Restart +******* + +.. code-block:: none + + restart wan-load-balance diff --git a/docs/configuration/nat/index.rst b/docs/configuration/nat/index.rst index 90275226..6556b7f9 100644 --- a/docs/configuration/nat/index.rst +++ b/docs/configuration/nat/index.rst @@ -9,4 +9,5 @@ NAT :includehidden: nat44 + nat64 nat66 diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index b2ba61af..98b230a9 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -148,23 +148,35 @@ rule. * **outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that - this translation rule applies to. + this translation rule applies to. Interface groups, inverted + selection and wildcard, are also supported. - Example: + Examples: .. code-block:: none - set nat source rule 20 outbound-interface eth0 + set nat source rule 20 outbound-interface name eth0 + set nat source rule 30 outbound-interface name bond1* + set nat source rule 20 outbound-interface name !vtun2 + set nat source rule 20 outbound-interface group GROUP1 + set nat source rule 20 outbound-interface group !GROUP2 + * **inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the - translation rule applies to. + translation rule applies to. Interface groups, inverted + selection and wildcard, are also supported. Example: .. code-block:: none - set nat destination rule 20 inbound-interface eth1 + set nat destination rule 20 inbound-interface name eth0 + set nat destination rule 30 inbound-interface name bond1* + set nat destination rule 20 inbound-interface name !vtun2 + set nat destination rule 20 inbound-interface group GROUP1 + set nat destination rule 20 inbound-interface group !GROUP2 + * **protocol** - specify which types of protocols this translation rule applies to. Only packets matching the specified protocol are NATed. @@ -273,6 +285,42 @@ Example: set nat destination rule 10 translation address 192.0.2.10 +Also, in :ref:`destination-nat`, redirection to localhost is supported. +The redirect statement is a special form of dnat which always translates +the destination address to the local host’s one. + +Example of redirection: + +.. code-block:: none + + set nat destination rule 10 translation redirect port 22 + +NAT Load Balance +---------------- + +Advanced configuration can be used in order to apply source or destination NAT, +and within a single rule, be able to define multiple translated addresses, +so NAT balances the translations among them. + +NAT Load Balance uses an algorithm that generates a hash and based on it, then +it applies corresponding translation. This hash can be generated randomly, or +can use data from the ip header: source-address, destination-address, +source-port and/or destination-port. By default, it will generate the hash +randomly. + +When defining the translated address, called ``backends``, a ``weight`` must +be configured. This lets the user define load balance distribution according +to their needs. Them sum of all the weights defined for the backends should +be equal to 100. In oder words, the weight defined for the backend is the +percentage of the connections that will receive such backend. + +.. cfgcmd:: set nat [source | destination] rule <rule> load-balance hash + [source-address | destination-address | source-port | destination-port + | random] +.. cfgcmd:: set nat [source | destination] rule <rule> load-balance backend + <x.x.x.x> weight <1-100> + + Configuration Examples ====================== @@ -287,7 +335,7 @@ demonstrate the following configuration: .. code-block:: none - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.168.0.0/24' set nat source rule 100 translation address 'masquerade' @@ -296,7 +344,9 @@ Which generates the following configuration: .. code-block:: none rule 100 { - outbound-interface eth0 + outbound-interface { + name eth0 + } source { address 192.168.0.0/24 } @@ -388,19 +438,19 @@ Example: set nat destination rule 100 description 'Regular destination NAT from external' set nat destination rule 100 destination port '3389' - set nat destination rule 100 inbound-interface 'pppoe0' + set nat destination rule 100 inbound-interface name 'pppoe0' set nat destination rule 100 protocol 'tcp' set nat destination rule 100 translation address '192.0.2.40' set nat destination rule 110 description 'NAT Reflection: INSIDE' set nat destination rule 110 destination port '3389' - set nat destination rule 110 inbound-interface 'eth0.10' + set nat destination rule 110 inbound-interface name 'eth0.10' set nat destination rule 110 protocol 'tcp' set nat destination rule 110 translation address '192.0.2.40' set nat source rule 110 description 'NAT Reflection: INSIDE' set nat source rule 110 destination address '192.0.2.0/24' - set nat source rule 110 outbound-interface 'eth0.10' + set nat source rule 110 outbound-interface name 'eth0.10' set nat source rule 110 protocol 'tcp' set nat source rule 110 source address '192.0.2.0/24' set nat source rule 110 translation address 'masquerade' @@ -416,7 +466,9 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface pppoe0 + inbound-interface { + name pppoe0 + } protocol tcp translation { address 192.0.2.40 @@ -427,7 +479,9 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface eth0.10 + inbound-interface { + name eth0.10 + } protocol tcp translation { address 192.0.2.40 @@ -440,7 +494,9 @@ Which results in a configuration of: destination { address 192.0.2.0/24 } - outbound-interface eth0.10 + outbound-interface { + name eth0.10 + } protocol tcp source { address 192.0.2.0/24 @@ -479,7 +535,7 @@ Our configuration commands would be: set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100' set nat destination rule 10 destination port '80' - set nat destination rule 10 inbound-interface 'eth0' + set nat destination rule 10 inbound-interface name 'eth0' set nat destination rule 10 protocol 'tcp' set nat destination rule 10 translation address '192.168.0.100' @@ -494,7 +550,9 @@ Which would generate the following NAT destination configuration: destination { port 80 } - inbound-interface eth0 + inbound-interface { + name eth0 + } protocol tcp translation { address 192.168.0.100 @@ -510,43 +568,45 @@ Which would generate the following NAT destination configuration: This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic. -It is important to note that when creating firewall rules that the DNAT +Firewall rules for Destination NAT +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +It is important to note that when creating firewall rules, the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100. -So in our firewall policy, we want to allow traffic coming in on the -outside interface, destined for TCP port 80 and the IP address of -192.168.0.100. +So in our firewall ruleset, we want to allow traffic which previously matched +a destination nat rule. In order to avoid creating many rules, one for each +destination nat rule, we can accept all **'dnat'** connections with one simple +rule, using ``connection-status`` matcher: .. code-block:: none - set firewall name OUTSIDE-IN rule 20 action 'accept' - set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100' - set firewall name OUTSIDE-IN rule 20 destination port '80' - set firewall name OUTSIDE-IN rule 20 protocol 'tcp' - set firewall name OUTSIDE-IN rule 20 state new 'enable' + set firewall ipv4 forward filter rule 10 action accept + set firewall ipv4 forward filter rule 10 connection-status nat destination + set firewall ipv4 forward filter rule 10 state new enable This would generate the following configuration: .. code-block:: none - rule 20 { - action accept - destination { - address 192.168.0.100 - port 80 - } - protocol tcp - state { - new enable + ipv4 { + forward { + filter { + rule 10 { + action accept + connection-status { + nat destination + } + state { + new enable + } + } + } } } -.. note:: - - If you have configured the `INSIDE-OUT` policy, you will need to add - additional rules to permit inbound NAT traffic. 1-to-1 NAT ---------- @@ -574,10 +634,10 @@ and one external interface: set interfaces ethernet eth1 description 'Outside interface' set nat destination rule 2000 description '1-to-1 NAT example' set nat destination rule 2000 destination address '192.0.2.30' - set nat destination rule 2000 inbound-interface 'eth1' + set nat destination rule 2000 inbound-interface name 'eth1' set nat destination rule 2000 translation address '192.168.1.10' set nat source rule 2000 description '1-to-1 NAT example' - set nat source rule 2000 outbound-interface 'eth1' + set nat source rule 2000 outbound-interface name 'eth1' set nat source rule 2000 source address '192.168.1.10' set nat source rule 2000 translation address '192.0.2.30' @@ -592,6 +652,40 @@ provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP. +Load Balance +------------ +Here we provide two examples on how to apply NAT Load Balance. + +First scenario: apply destination NAT for all HTTP traffic comming through +interface eth0, and user 4 backends. First backend should received 30% of +the request, second backend should get 20%, third 15% and the fourth 35% +We will use source and destination address for hash generation. + +.. code-block:: none + + set nat destination rule 10 inbound-interface name eth0 + set nat destination rule 10 protocol tcp + set nat destination rule 10 destination port 80 + set nat destination rule 10 load-balance hash source-address + set nat destination rule 10 load-balance hash destination-address + set nat destination rule 10 laod-balance backend 198.51.100.101 weight 30 + set nat destination rule 10 laod-balance backend 198.51.100.102 weight 20 + set nat destination rule 10 laod-balance backend 198.51.100.103 weight 15 + set nat destination rule 10 laod-balance backend 198.51.100.104 weight 35 + +Second scenario: apply source NAT for all outgoing connections from +LAN 10.0.0.0/8, using 3 public addresses and equal distribution. +We will generate the hash randomly. + +.. code-block:: none + + set nat source rule 10 outbound-interface name eth0 + set nat source rule 10 source address 10.0.0.0/8 + set nat source rule 10 load-balance hash random + set nat source rule 10 load-balance backend 192.0.2.251 weight 33 + set nat source rule 10 load-balance backend 192.0.2.252 weight 33 + set nat source rule 10 load-balance backend 192.0.2.253 weight 34 + Example Network ^^^^^^^^^^^^^^^ @@ -639,12 +733,10 @@ NAT Configuration set nat source rule 110 description 'Internal to ASP' set nat source rule 110 destination address '172.27.1.0/24' - set nat source rule 110 outbound-interface 'any' set nat source rule 110 source address '192.168.43.0/24' set nat source rule 110 translation address '172.29.41.89' set nat source rule 120 description 'Internal to ASP' set nat source rule 120 destination address '10.125.0.0/16' - set nat source rule 120 outbound-interface 'any' set nat source rule 120 source address '192.168.43.0/24' set nat source rule 120 translation address '172.29.41.89' @@ -670,14 +762,12 @@ external interface in the image above) .. code-block:: none - set vpn ipsec ike-group my-ike ikev2-reauth 'no' set vpn ipsec ike-group my-ike key-exchange 'ikev1' set vpn ipsec ike-group my-ike lifetime '7800' set vpn ipsec ike-group my-ike proposal 1 dh-group '14' set vpn ipsec ike-group my-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group my-ike proposal 1 hash 'sha256' - set vpn ipsec esp-group my-esp compression 'disable' set vpn ipsec esp-group my-esp lifetime '3600' set vpn ipsec esp-group my-esp mode 'tunnel' set vpn ipsec esp-group my-esp pfs 'disable' diff --git a/docs/configuration/nat/nat64.rst b/docs/configuration/nat/nat64.rst new file mode 100644 index 00000000..e8a3a0e6 --- /dev/null +++ b/docs/configuration/nat/nat64.rst @@ -0,0 +1,81 @@ +.. _nat64: + +##### +NAT64 +##### + +:abbr:`NAT64 (IPv6-to-IPv4 Prefix Translation)` is a critical component in +modern networking, facilitating communication between IPv6 and IPv4 networks. +This documentation outlines the setup, configuration, and usage of the NAT64 +feature in your project. Whether you are transitioning to IPv6 or need to +seamlessly connect IPv4 and IPv6 devices. +NAT64 is a stateful translation mechanism that translates IPv6 addresses to +IPv4 addresses and IPv4 addresses to IPv6 addresses. NAT64 is used to enable +IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. + + +Overview +======== + +Different NAT Types +------------------- + +.. _source-nat64: + +SNAT64 +^^^^^^ + +:abbr:`SNAT64 (IPv6-to-IPv4 Source Address Translation)` is a stateful +translation mechanism that translates IPv6 addresses to IPv4 addresses. + +``64:ff9b::/96`` is the well-known prefix for IPv4-embedded IPv6 addresses. +The prefix is used to represent IPv4 addresses in an IPv6 address format. +The IPv4 address is encoded in the low-order 32 bits of the IPv6 address. +The high-order 32 bits are set to the well-known prefix 64:ff9b::/96. + + +Configuration Examples +====================== + +The following examples show how to configure NAT64 on a VyOS router. +The 192.0.2.10 address is used as the IPv4 address for the translation pool. + + +NAT64 server configuration: + +.. code-block:: none + + set interfaces ethernet eth0 address '192.0.2.1/24' + set interfaces ethernet eth0 address '192.0.2.10/24' + set interfaces ethernet eth0 description 'WAN' + set interfaces ethernet eth1 address '2001:db8::1/64' + set interfaces ethernet eth1 description 'LAN' + + set service dns forwarding allow-from '2001:db8::/64' + set service dns forwarding dns64-prefix '64:ff9b::/96' + set service dns forwarding listen-address '2001:db8::1' + + set nat64 source rule 100 source prefix '64:ff9b::/96' + set nat64 source rule 100 translation pool 10 address '192.0.2.10' + set nat64 source rule 100 translation pool 10 port '1-65535' + +NAT64 client configuration: + +.. code-block:: none + + set interfaces ethernet eth1 address '2001:db8::2/64' + set protocols static route6 64:ff9b::/96 next-hop 2001:db8::1 + set system name-server '2001:db8::1' + +Test from the IPv6 only client: + +.. code-block:: none + + vyos@r1:~$ ping 64:ff9b::192.0.2.1 count 2 + PING 64:ff9b::192.0.2.1(64:ff9b::c000:201) 56 data bytes + 64 bytes from 64:ff9b::c000:201: icmp_seq=1 ttl=63 time=0.351 ms + 64 bytes from 64:ff9b::c000:201: icmp_seq=2 ttl=63 time=0.373 ms + + --- 64:ff9b::192.0.2.1 ping statistics --- + 2 packets transmitted, 2 received, 0% packet loss, time 1023ms + rtt min/avg/max/mdev = 0.351/0.362/0.373/0.011 ms diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 93dd3353..66cceb0a 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -82,7 +82,7 @@ Example: .. code-block:: none - set nat66 source rule 1 outbound-interface 'eth0' + set nat66 source rule 1 outbound-interface name 'eth0' set nat66 source rule 1 source prefix 'fc01::/64' set nat66 source rule 1 translation address 'fc00::/64' @@ -101,7 +101,7 @@ Example: .. code-block:: none - set nat66 destination rule 1 inbound-interface 'eth0' + set nat66 destination rule 1 inbound-interface name 'eth0' set nat66 destination rule 1 destination address 'fc00::/64' set nat66 destination rule 1 translation address 'fc01::/64' @@ -122,9 +122,9 @@ R1: set interfaces ethernet eth0 ipv6 address autoconf set interfaces ethernet eth1 address 'fc01::1/64' set nat66 destination rule 1 destination address 'fc00:470:f1cd:101::/64' - set nat66 destination rule 1 inbound-interface 'eth0' + set nat66 destination rule 1 inbound-interface name 'eth0' set nat66 destination rule 1 translation address 'fc01::/64' - set nat66 source rule 1 outbound-interface 'eth0' + set nat66 source rule 1 outbound-interface name 'eth0' set nat66 source rule 1 source prefix 'fc01::/64' set nat66 source rule 1 translation address 'fc00:470:f1cd:101::/64' diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index e83272f5..66ad84a3 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -148,11 +148,11 @@ WireGuard ``interface`` is used for the VyOS CLI command to identify the WireGuard interface where this private key is to be used. -.. opcmd:: generate pki wireguard pre-shared-key +.. opcmd:: generate pki wireguard preshared-key Generate a WireGuard pre-shared secret used for peers to communicate. -.. opcmd:: generate pki wireguard pre-shared-key install <peer> +.. opcmd:: generate pki wireguard preshared-key install <peer> Generate a WireGuard pre-shared secret used for peers to communicate. diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index cc65d50c..07cfcf02 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst @@ -158,6 +158,22 @@ Route Map Peer IP address to match. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match protocol <protocol> + + Source protocol to match. + * ``babel`` - Babel routing protocol (Babel) + * ``bgp`` - Border Gateway Protocol (BGP) + * ``connected`` - Connected routes (directly attached subnet or host) + * ``isis`` - Intermediate System to Intermediate System (IS-IS) + * ``kernel`` - Kernel routes + * ``ospf`` - Open Shortest Path First (OSPFv2) + * ``ospfv3`` - Open Shortest Path First (IPv6) (OSPFv3) + * ``rip`` - Routing Information Protocol (RIP) + * ``ripng`` - Routing Information Protocol next-generation (IPv6) (RIPng) + * ``static`` - Statically configured routes + * ``table`` - Non-main Kernel Routing Table + * ``vnc`` - Virtual Network Control (VNC) + .. cfgcmd:: set policy route-map <text> rule <1-65535> match rpki <invalid|notfound|valid> @@ -302,10 +318,12 @@ Route Map Set BGP local preference attribute. .. cfgcmd:: set policy route-map <text> rule <1-65535> set metric - <+/-metric|0-4294967295> + <+/-metric|0-4294967295|rtt|+rtt|-rtt> - Set destination routing protocol metric. Add or subtract metric, or set - metric value. + Set the route metric. When used with BGP, set the BGP attribute MED + to a specific value. Use ``+/-`` to add or subtract the specified value + to/from the existing/MED. Use ``rtt`` to set the MED to the round trip + time or ``+rtt/-rtt`` to add/subtract the round trip time to/from the MED. .. cfgcmd:: set policy route-map <text> rule <1-65535> set metric-type <type-1|type-2> diff --git a/docs/configuration/protocols/babel.rst b/docs/configuration/protocols/babel.rst index 58436178..07d1bc86 100644 --- a/docs/configuration/protocols/babel.rst +++ b/docs/configuration/protocols/babel.rst @@ -1,8 +1,8 @@ .. _babel: -#### +##### Babel -#### +##### Babel is a modern routing protocol designed to be robust and efficient both in ordinary wired networks and in wireless mesh networks. diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst index faec71bc..496c0cf9 100644 --- a/docs/configuration/protocols/bfd.rst +++ b/docs/configuration/protocols/bfd.rst @@ -132,4 +132,61 @@ Operational Commands Transmission interval: 300ms Echo transmission interval: 0ms +BFD Static Route Monitoring +=========================== +A monitored static route conditions the installation to the RIB on the BFD +session running state: when BFD session is up the route is installed to RIB, +but when the BFD session is down it is removed from the RIB. + +Configuration +------------- + +.. cfgcmd:: set protocols static route <subnet> next-hop <address> + bfd profile <profile> + + Configure a static route for <subnet> using gateway <address> + and use the gateway address as BFD peer destination address. + +.. cfgcmd:: set protocols static route <subnet> next-hop <address> + bfd multi-hop source <address> profile <profile> + + Configure a static route for <subnet> using gateway <address> + , use source address to indentify the peer when is multi-hop session + and the gateway address as BFD peer destination address. + +.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> + bfd profile <profile> + + Configure a static route for <subnet> using gateway <address> + and use the gateway address as BFD peer destination address. + +.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> + bfd multi-hop source <address> profile <profile> + + Configure a static route for <subnet> using gateway <address> + , use source address to indentify the peer when is multi-hop session + and the gateway address as BFD peer destination address. + + +.. _BFD Operational Commands: + +Operational Commands +==================== + +.. opcmd:: show bfd static routes + + Showing BFD monitored static routes + + .. code-block:: none + + Showing BFD monitored static routes: + + Next hops: + VRF default IPv4 Unicast: + 10.10.13.3/32 peer 192.168.2.3 (status: installed) + 172.16.10.3/32 peer 192.168.10.1 (status: uninstalled) + + VRF default IPv4 Multicast: + + VRF default IPv6 Unicast: diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 737e98fa..8fc69111 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst @@ -952,7 +952,7 @@ Operational Mode Commands Show ==== -.. opcmd:: show <ip|ipv6> bgp +.. opcmd:: show bgp <ipv4|ipv6> This command displays all entries in BGP routing table. @@ -964,6 +964,7 @@ Show i internal, r RIB-failure, S Stale, R Removed Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self Origin codes: i - IGP, e - EGP, ? - incomplete + RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 198.51.100.0/24 10.0.34.4 0 0 65004 i @@ -971,7 +972,7 @@ Show Displayed 2 routes and 2 total paths -.. opcmd:: show <ip|ipv6> bgp <address|prefix> +.. opcmd:: show bgp <ipv4|ipv6> <address|prefix> This command displays information about the particular entry in the BGP routing table. @@ -991,55 +992,55 @@ Show This command displays routes with classless interdomain routing (CIDR). -.. opcmd:: show <ip|ipv6> bgp community <value> +.. opcmd:: show bgp <ipv4|ipv6> community <value> This command displays routes that belong to specified BGP communities. Valid value is a community number in the range from 1 to 4294967200, or AA:NN (autonomous system-community number/2-byte number), no-export, local-as, or no-advertise. -.. opcmd:: show <ip|ipv6> bgp community-list <name> +.. opcmd:: show bgp <ipv4|ipv6> community-list <name> This command displays routes that are permitted by the BGP community list. -.. opcmd:: show ip bgp dampened-paths +.. opcmd:: show bgp <ipv4|ipv6> dampening dampened-paths This command displays BGP dampened routes. -.. opcmd:: show ip bgp flap-statistics +.. opcmd:: show bgp <ipv4|ipv6> dampening flap-statistics This command displays information about flapping BGP routes. -.. opcmd:: show ip bgp filter-list <name> +.. opcmd:: show bgp <ipv4|ipv6> filter-list <name> This command displays BGP routes allowed by the specified AS Path access list. -.. opcmd:: show <ip|ipv6> bgp neighbors <address> advertised-routes +.. opcmd:: show bgp <ipv4|ipv6> neighbors <address> advertised-routes This command displays BGP routes advertised to a neighbor. -.. opcmd:: show <ip|ipv6> bgp neighbors <address> received-routes +.. opcmd:: show bgp <ipv4|ipv6> neighbors <address> received-routes This command displays BGP routes originating from the specified BGP neighbor before inbound policy is applied. To use this command inbound soft reconfiguration must be enabled. -.. opcmd:: show <ip|ipv6> bgp neighbors <address> routes +.. opcmd:: show bgp <ipv4|ipv6> neighbors <address> routes This command displays BGP received-routes that are accepted after filtering. -.. opcmd:: show <ip|ipv6> bgp neighbors <address> dampened-routes +.. opcmd:: show bgp <ipv4|ipv6> neighbors <address> dampened-routes This command displays dampened routes received from BGP neighbor. -.. opcmd:: show <ip|ipv6> bgp regexp <text> +.. opcmd:: show bgp <ipv4|ipv6> regexp <text> This command displays information about BGP routes whose AS path matches the specified regular expression. -.. opcmd:: show <ip|ipv6> bgp summary +.. opcmd:: show bgp <ipv4|ipv6> summary This command displays the status of all BGP connections. diff --git a/docs/configuration/protocols/failover.rst b/docs/configuration/protocols/failover.rst index 72201ade..daeb65f4 100644 --- a/docs/configuration/protocols/failover.rst +++ b/docs/configuration/protocols/failover.rst @@ -1,5 +1,3 @@ -.. _routing-static: - ######## Failover ######## @@ -34,6 +32,19 @@ Failover Routes Default is ``icmp``. +.. cfgcmd:: set protocols failover route <subnet> next-hop <address> check + policy <policy> + + Policy for checking targets + +* ``all-available`` all checking target addresses must be available to pass + this check + +* ``any-available`` any of the checking target addresses must be available + to pass this check + + Default is ``any-available``. + .. cfgcmd:: set protocols failover route <subnet> next-hop <address> interface <interface> diff --git a/docs/configuration/protocols/igmp-proxy.rst b/docs/configuration/protocols/igmp-proxy.rst new file mode 100644 index 00000000..f62a289e --- /dev/null +++ b/docs/configuration/protocols/igmp-proxy.rst @@ -0,0 +1,77 @@ +:lastproofread: 2023-11-13 + +.. _igmp_proxy: + +########## +IGMP Proxy +########## + +:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages +on behalf of a connected client. The configuration must define one, and only one +upstream interface, and one or more downstream interfaces. + +Configuration +============= + +.. cfgcmd:: set protocols igmp-proxy interface <interface> role + <upstream | downstream> + + * **upstream:** The upstream network interface is the outgoing interface + which is responsible for communicating to available multicast data sources. + There can only be one upstream interface. + + * **downstream:** Downstream network interfaces are the distribution + interfaces to the destination networks, where multicast clients can join + groups and receive multicast data. One or more downstream interfaces must + be configured. + +.. cfgcmd:: set protocols igmp-proxy interface <interface> alt-subnet <network> + + Defines alternate sources for multicasting and IGMP data. The network address + must be on the following format 'a.b.c.d/n'. By default, the router will + accept data from sources on the same network as configured on an interface. + If the multicast source lies on a remote network, one must define from where + traffic should be accepted. + + This is especially useful for the upstream interface, since the source for + multicast traffic is often from a remote location. + + This option can be supplied multiple times. + +.. cfgcmd:: set protocols igmp-proxy disable-quickleave + + Disables quickleave mode. In this mode the daemon will not send a Leave IGMP + message upstream as soon as it receives a Leave message for any downstream + interface. The daemon will not ask for Membership reports on the downstream + interfaces, and if a report is received the group is not joined again the + upstream. + + If it's vital that the daemon should act exactly like a real multicast client + on the upstream interface, this function should be enabled. + + Enabling this function increases the risk of bandwidth saturation. + +.. cfgcmd:: set protocols igmp-proxy disable + + Disable this service. + +.. _igmp:proxy_example: + +Example +------- + +Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet +multicast which is in `eth0` WAN we need to configure igmp-proxy. + +.. code-block:: none + + set protocols igmp-proxy interface eth0 role upstream + set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 + set protocols igmp-proxy interface eth1 role downstream + +Operation +========= + +.. opcmd:: restart igmp-proxy + + Restart the IGMP proxy process. diff --git a/docs/configuration/protocols/igmp.rst b/docs/configuration/protocols/igmp.rst deleted file mode 100644 index d3492632..00000000 --- a/docs/configuration/protocols/igmp.rst +++ /dev/null @@ -1,249 +0,0 @@ -:lastproofread: 2023-01-27 - -.. _multicast: - -######### -Multicast -######### - -VyOS facilitates IP Multicast by supporting **PIM Sparse Mode**, -**IGMP** and **IGMP-Proxy**. - -************ -PIM and IGMP -************ - -PIM (Protocol Independent Multicast) must be configured in every -interface of every participating router. Every router must also have the -location of the Rendevouz Point manually configured. Then, -unidirectional shared trees rooted at the Rendevouz Point will -automatically be built for multicast distribution. - -Traffic from multicast sources will go to the Rendezvous Point, and -receivers will pull it from a shared tree using IGMP (Internet Group -Management Protocol). - -Multicast receivers will talk IGMP to their local router, so, besides -having PIM configured in every router, IGMP must also be configured in -any router where there could be a multicast receiver locally connected. - -VyOS supports both IGMP version 2 and version 3 (which allows -source-specific multicast). - - -Example -======= - -In the following example we can see a basic multicast setup: - -.. image:: /_static/images/multicast-basic.png - :width: 90% - :align: center - :alt: Network Topology Diagram - - - -**Router 1** - -.. code-block:: none - - set interfaces ethernet eth2 address '172.16.0.2/24' - set interfaces ethernet eth1 address '100.64.0.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '100.64.0.0/24' - set protocols igmp interface eth1 - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 3** - -.. code-block:: none - - set interfaces dummy dum0 address '172.16.255.1/24' - set interfaces ethernet eth0 address '172.16.0.1/24' - set interfaces ethernet eth1 address '172.16.1.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '172.16.255.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface dum0 - set protocols pim interface eth0 - set protocols pim interface eth1 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 2** - -.. code-block:: none - - set interfaces ethernet eth1 address '10.0.0.1/24' - set interfaces ethernet eth2 address '172.16.1.2/24' - set protocols ospf area 0 network '10.0.0.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - - - - - -Basic commands -============== - -These are the commands for a basic setup. - -.. cfgcmd:: set protocols pim interface <interface-name> - - Use this command to enable PIM in the selected interface so that it - can communicate with PIM neighbors. - - -.. cfgcmd:: set protocols pim rp address <address> group - <multicast-address/mask-bits> - - Use this command to manually configure a Rendezvous Point for PIM so - that join messages can be sent there. Set the Rendevouz Point address - and the matching prefix of group ranges covered. These values must - be shared with every router participating in the PIM network. - - -.. cfgcmd:: set protocols igmp interface eth1 - - Use this command to configure an interface with IGMP so that PIM can - receive IGMP reports and query on the selected interface. By default - IGMP version 3 will be used. - - - -Tuning commands -=============== - -You can also tune multicast with the following commands. - -.. cfgcmd:: set protocols pim interface <interface> dr-priority <value> - - Use this PIM command in the selected interface to set the priority - (1-4294967295) you want to influence in the election of a node to - become the Designated Router for a LAN segment. The default priority - is 1, set a higher value to give the router more preference in the - DR election process. - - -.. cfgcmd:: set protocols pim int <interface> hello <seconds> - - Use this command to configure the PIM hello interval in seconds - (1-180) for the selected interface. - - -.. cfgcmd:: set protocols pim rp keep-alive-timer <seconds> - - Use this PIM command to modify the time out value (31-60000 - seconds) for an `(S,G) <https://tools.ietf.org/html/rfc7761#section-4.1>`_ - flow. 31 seconds is chosen for a lower bound as some hardware - platforms cannot see data flowing in better than 30 seconds chunks. - - -.. cfgcmd:: set protocols igmp interface <interface> join <multicast-address> - source <IP-address> - - Use this command to allow the selected interface to join a multicast - group defining the multicast address you want to join and the source - IP address too. - - -.. cfgcmd:: set protocols igmp interface <interface> query-interval <seconds> - - Use this command to configure in the selected interface the IGMP - host query interval (1-1800) in seconds that PIM will use. - - -.. cfgcmd:: set protocols igmp interface <interface> query-max-response-time - <deciseconds> - - Use this command to configure in the selected interface the IGMP - query response timeout value (10-250) in deciseconds. If a report is - not returned in the specified time, it will be assumed the `(S,G) or - (*,G) state <https://tools.ietf.org/html/rfc7761#section-4.1>`_ has - timed out. - - -.. cfgcmd:: set protocols igmp interface <interface> version <version-number> - - Use this command to define in the selected interface whether you - choose IGMP version 2 or 3. The default value is 3. - - - -********** -IGMP Proxy -********** - -:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages -on behalf of a connected client. The configuration must define one, and only one -upstream interface, and one or more downstream interfaces. - -Configuration -============= - -.. cfgcmd:: set protocols igmp-proxy interface <interface> role - <upstream | downstream> - - * **upstream:** The upstream network interface is the outgoing interface - which is responsible for communicating to available multicast data sources. - There can only be one upstream interface. - - * **downstream:** Downstream network interfaces are the distribution - interfaces to the destination networks, where multicast clients can join - groups and receive multicast data. One or more downstream interfaces must - be configured. - -.. cfgcmd:: set protocols igmp-proxy interface <interface> alt-subnet <network> - - Defines alternate sources for multicasting and IGMP data. The network address - must be on the following format 'a.b.c.d/n'. By default, the router will - accept data from sources on the same network as configured on an interface. - If the multicast source lies on a remote network, one must define from where - traffic should be accepted. - - This is especially useful for the upstream interface, since the source for - multicast traffic is often from a remote location. - - This option can be supplied multiple times. - -.. cfgcmd:: set protocols igmp-proxy disable-quickleave - - Disables quickleave mode. In this mode the daemon will not send a Leave IGMP - message upstream as soon as it receives a Leave message for any downstream - interface. The daemon will not ask for Membership reports on the downstream - interfaces, and if a report is received the group is not joined again the - upstream. - - If it's vital that the daemon should act exactly like a real multicast client - on the upstream interface, this function should be enabled. - - Enabling this function increases the risk of bandwidth saturation. - -.. cfgcmd:: set protocols igmp-proxy disable - - Disable this service. - -.. _igmp:proxy_example: - -Example -------- - -Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet -multicast which is in `eth0` WAN we need to configure igmp-proxy. - -.. code-block:: none - - set protocols igmp-proxy interface eth0 role upstream - set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 - set protocols igmp-proxy interface eth1 role downstream - -Operation -========= - -.. opcmd:: restart igmp-proxy - - Restart the IGMP proxy process. diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst index 29dc230f..ea217d3c 100644 --- a/docs/configuration/protocols/index.rst +++ b/docs/configuration/protocols/index.rst @@ -2,7 +2,6 @@ Protocols ######### - .. toctree:: :maxdepth: 1 :includehidden: @@ -11,11 +10,13 @@ Protocols bfd bgp failover - igmp + igmp-proxy isis mpls segment-routing ospf + pim + pim6 rip rpki static diff --git a/docs/configuration/protocols/isis.rst b/docs/configuration/protocols/isis.rst index ef9cc960..1f779d0a 100644 --- a/docs/configuration/protocols/isis.rst +++ b/docs/configuration/protocols/isis.rst @@ -127,6 +127,19 @@ IS-IS Global Configuration level-2 This command will generate a default-route in L2 database. + + +.. cfgcmd:: set protocols isis ldp-sync + + This command will enable IGP-LDP synchronization globally for ISIS. This + requires for LDP to be functional. This is described in :rfc:`5443`. By + default all interfaces operational in IS-IS are enabled for synchronization. + Loopbacks are exempt. + +.. cfgcmd:: set protocols isis ldp-sync holddown <seconds> + + This command will change the hold down value globally for IGP-LDP + synchronization during convergence/interface flap events. Interface Configuration @@ -200,6 +213,15 @@ Interface Configuration This command disables Three-Way Handshake for P2P adjacencies which described in :rfc:`5303`. Three-Way Handshake is enabled by default. +.. cfgcmd:: set protocols isis interface <interface> ldp-sync disable + + This command disables IGP-LDP sync for this specific interface. + +.. cfgcmd:: set protocols isis interface <interface> ldp-sync holddown + <seconds> + + This command will change the hold down value for IGP-LDP synchronization + during convergence/interface flap events, but for this interface only. Route Redistribution -------------------- @@ -280,6 +302,34 @@ Timers control the timing of the execution of SPF calculations in response to IGP events. The process described in :rfc:`8405`. +Loop Free Alternate (LFA) +------------------------- + +.. cfgcmd:: set protocols isis fast-reroute lfa remote prefix-list <name> + <level-1|level-2> + + This command enables IP fast re-routing that is part of :rfc:`5286`. + Specifically this is a prefix list which references a prefix in which + will select eligible PQ nodes for remote LFA backups. + +.. cfgcmd:: set protocols isis fast-reroute lfa local load-sharing disable + <level-1|level-2> + + This command disables the load sharing across multiple LFA backups. + +.. cfgcmd:: set protocols isis fast-reroute lfa local tiebreaker + <downstream|lowest-backup-metric|node-protecting> index <number> + <level-1|level-2> + + This command will configure a tie-breaker for multiple local LFA backups. + The lower index numbers will be processed first. + +.. cfgcmd:: set protocols isis fast-reroute lfa local priority-limit + <medium|high|critical> <level-1|level-2> + + This command will limit LFA backup computation up to the specified + prefix priority. + ******** Examples @@ -401,7 +451,42 @@ Routes on Node 2: I 203.0.113.0/24 [115/10] via 192.0.2.1, eth1, 00:03:42 - +Enable IS-IS and IGP-LDP synchronization +======================================== + +**Node 1:** + +.. code-block:: none + + set interfaces loopback lo address 192.168.255.255/32 + set interfaces ethernet eth0 address 192.0.2.1/24 + + set protocols isis interface eth0 + set protocols isis interface lo passive + set protocols isis ldp-sync + set protocols isis net 49.0001.1921.6825.5255.00 + + set protocols mpls interface eth0 + set protocols mpls ldp discovery transport-ipv4-address 192.168.255.255 + set protocols mpls ldp interface lo + set protocols mpls ldp interface eth0 + set protocols mpls ldp parameters transport-prefer-ipv4 + set protocols mpls ldp router-id 192.168.255.255 + + +This gives us IGP-LDP synchronization for all non-loopback interfaces with +a holddown timer of zero seconds: + + +.. code-block:: none + + Node-1@vyos:~$ show isis mpls ldp-sync + eth0 + LDP-IGP Synchronization enabled: yes + holddown timer in seconds: 0 + State: Sync achieved + + Enable IS-IS with Segment Routing (Experimental) diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index 60f9c149..9891c77d 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst @@ -38,12 +38,12 @@ starts when the first ospf enabled interface is configured. specified in decimal notation in the range from 0 to 4294967295. Or it can be specified in dotted decimal notation similar to ip address. - Prefix length in interface must be equal or bigger (i.e. smaller network) + Prefix length in interface must be equal or bigger (i.e. smaller network) than prefix length in network statement. For example statement above doesn't - enable ospf on interface with address 192.168.1.1/23, but it does on + enable ospf on interface with address 192.168.1.1/23, but it does on interface with address 192.168.1.129/25. - In some cases it may be more convenient to enable OSPF on a per + In some cases it may be more convenient to enable OSPF on a per interface/subnet basis :cfgcmd:`set protocols ospf interface <interface> area <x.x.x.x | x>` @@ -190,6 +190,29 @@ Optional :cfgcmd:`max-holdtime` sets the maximum wait time between two consecutive SPF calculations. The default value is 10000 ms. +.. cfgcmd:: set protocols ospf ldp-sync + + This command will enable IGP-LDP synchronization globally for OSPF. This + requires for LDP to be functional. This is described in :rfc:`5443`. By + default all interfaces operational in OSPF are enabled for synchronization. + Loopbacks are exempt. + +.. cfgcmd:: set protocols ospf ldp-sync holddown <seconds> + + This command will change the hold down value globally for IGP-LDP + synchronization during convergence/interface flap events. + +.. cfgcmd:: set protocols ospf capability opaque + + ospfd supports Opaque LSA :rfc:`2370` as partial support for MPLS Traffic + Engineering LSAs. The opaque-lsa capability must be enabled in the + configuration. + + An alternate command could be "mpls-te on" (Traffic Engineering) + + .. note:: FRR offers only partial support for some of the routing + protocol extensions that are used with MPLS-TE; it does not + support a complete RSVP-TE solution. Area Configuration ------------------ @@ -278,15 +301,15 @@ Area Configuration intra area paths from this range are not advertised into other areas. This command makes sense in ABR only. -.. cfgcmd:: set protocols ospf area <number> export-list <acl_number> +.. cfgcmd:: set protocols ospf area <number> export-list <acl_number> - Filter Type-3 summary-LSAs announced to other areas originated from + Filter Type-3 summary-LSAs announced to other areas originated from intra- area paths from specified area. This command makes sense in ABR only. -.. cfgcmd:: set protocols ospf area <number> import-list <acl_number> +.. cfgcmd:: set protocols ospf area <number> import-list <acl_number> - Same as export-list, but it applies to paths announced into specified + Same as export-list, but it applies to paths announced into specified area as Type-3 summary-LSAs. This command makes sense in ABR only. @@ -437,6 +460,78 @@ Interface Configuration synchronizing process of the router's database with all neighbors. The default value is 1 seconds. The interval range is 3 to 65535. +.. cfgcmd:: set protocols ospf interface <interface> ldp-sync disable + + This command disables IGP-LDP sync for this specific interface. + +.. cfgcmd:: set protocols ospf interface <interface> ldp-sync holddown + <seconds> + + This command will change the hold down value for IGP-LDP synchronization + during convergence/interface flap events, but for this interface only. + +External Route Summarisation +---------------------------- + +This feature summarises originated external LSAs (Type-5 and Type-7). Summary +Route will be originated on-behalf of all matched external LSAs. + +.. cfgcmd:: set protocols ospf aggregation timer <seconds> + + Configure aggregation delay timer interval. + + Summarisation starts only after this delay timer expiry. + +.. cfgcmd:: set protocols ospf summary-address x.x.x.x/y [tag (1-4294967295)] + + This command enable/disables summarisation for the configured address range. + + Tag is the optional parameter. If tag configured Summary route will be + originated with the configured tag. + +.. cfgcmd:: set protocols ospf summary-address x.x.x.x/y no-advertise + + This command to ensure not advertise the summary lsa for the matched + external LSAs. + +Graceful Restart +---------------- + +.. cfgcmd:: set protocols ospf graceful-restart [grace-period (1-1800)] + + Configure Graceful Restart :rfc:`3623` restarting support. When enabled, + the default grace period is 120 seconds. + + To perform a graceful shutdown, the FRR ``graceful-restart prepare ip + ospf`` EXEC-level command needs to be issued before restarting the + ospfd daemon. + +.. cfgcmd:: set protocols ospf graceful-restart helper enable [router-id A.B.C.D] + + Configure Graceful Restart :rfc:`3623` helper support. By default, helper support + is disabled for all neighbours. This config enables/disables helper support + on this router for all neighbours. + + To enable/disable helper support for a specific neighbour, the router-id + (A.B.C.D) has to be specified. + +.. cfgcmd:: set protocols ospf graceful-restart helper no-strict-lsa-checking + + By default `strict-lsa-checking` is configured then the helper will abort + the Graceful Restart when a LSA change occurs which affects the restarting + router. + + This command disables it. + +.. cfgcmd:: set protocols ospf graceful-restart helper supported-grace-time + + Supports as HELPER for configured grace period. + +.. cfgcmd:: set protocols ospf graceful-restart helper planned-only + + It helps to support as HELPER only for planned restarts. + + By default, it supports both planned and unplanned outages. Manual Neighbor Configuration ----------------------------- @@ -603,10 +698,11 @@ Operational Mode Commands Hello due in 4.563s Neighbor Count is 1, Adjacent neighbor count is 1 -.. opcmd:: show ip ospf route +.. opcmd:: show ip ospf route [detail] This command displays the OSPF routing table, as determined by the most - recent SPF calculation. + recent SPF calculation. With the optional :cfgcmd:`detail` argument, + each route item's advertiser router and network attribute will be shown. .. code-block:: none @@ -846,6 +942,43 @@ Enable OSPF with route redistribution of the loopback and default originate: set policy route-map CONNECT rule 10 match interface lo +Enable OSPF and IGP-LDP synchronization: +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +**Node 1:** + +.. code-block:: none + + set interfaces loopback lo address 10.1.1.1/32 + set interfaces ethernet eth0 address 192.168.0.1/24 + + set protocols ospf area 0 network '192.168.0.0/24' + set protocols ospf area 0 network '10.1.1.1/32' + set protocols ospf parameters router-id '10.1.1.1' + set protocols ospf ldp-sync + + set protocols mpls interface eth0 + set protocols mpls ldp discovery transport-ipv4-address 10.1.1.1 + set protocols mpls ldp interface lo + set protocols mpls ldp interface eth0 + set protocols mpls ldp parameters transport-prefer-ipv4 + set protocols mpls ldp router-id 10.1.1.1 + + +This gives us IGP-LDP synchronization for all non-loopback interfaces with +a holddown timer of zero seconds: + + +.. code-block:: none + + Node-1@vyos:~$ show ip ospf mpls ldp-sync + eth0 + LDP-IGP Synchronization enabled: yes + Holddown timer in seconds: 0 + State: Sync achieved + + + Enable OSPF with Segment Routing (Experimental): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -855,6 +988,7 @@ Enable OSPF with Segment Routing (Experimental): set interfaces loopback lo address 10.1.1.1/32 set interfaces ethernet eth0 address 192.168.0.1/24 + set protocols ospf area 0 network '192.168.0.0/24' set protocols ospf area 0 network '10.1.1.1/32' set protocols ospf parameters opaque-lsa @@ -870,6 +1004,7 @@ Enable OSPF with Segment Routing (Experimental): set interfaces loopback lo address 10.1.1.2/32 set interfaces ethernet eth0 address 192.168.0.2/24 + set protocols ospf area 0 network '192.168.0.0/24' set protocols ospf area 0 network '10.1.1.2/32' set protocols ospf parameters opaque-lsa @@ -948,7 +1083,7 @@ General VyOS does not have a special command to start the OSPFv3 process. The OSPFv3 process starts when the first ospf enabled interface is configured. -.. cfgcmd:: set protocols ospfv3 interface <interface> area <number> +.. cfgcmd:: set protocols ospfv3 interface <interface> area <number> This command specifies the OSPFv3 enabled interface. This command is also used to enable the OSPF process. The area number can be specified in @@ -1069,6 +1204,47 @@ Interface Configuration synchronizing process of the router's database with all neighbors. The default value is 1 seconds. The interval range is 3 to 65535. +.. _ospf:v3_graceful_restart: + +Graceful Restart +---------------- + +.. cfgcmd:: set protocols ospfv3 graceful-restart [grace-period (1-1800)] + + Configure Graceful Restart :rfc:`3623` restarting support. When enabled, + the default grace period is 120 seconds. + + To perform a graceful shutdown, the FRR ``graceful-restart prepare ip + ospf`` EXEC-level command needs to be issued before restarting the + ospfd daemon. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper enable [router-id A.B.C.D] + + Configure Graceful Restart :rfc:`3623` helper support. By default, helper support + is disabled for all neighbours. This config enables/disables helper support + on this router for all neighbours. + + To enable/disable helper support for a specific neighbour, the router-id + (A.B.C.D) has to be specified. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper lsa-check-disable + + By default `strict-lsa-checking` is configured then the helper will abort + the Graceful Restart when a LSA change occurs which affects the restarting + router. + + This command disables it. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper supported-grace-time + + Supports as HELPER for configured grace period. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper planned-only + + It helps to support as HELPER only for planned restarts. + + By default, it supports both planned and unplanned outages. + .. _ospf:v3_redistribution_config: Redistribution Configuration @@ -1145,7 +1321,7 @@ A typical configuration using 2 nodes. .. code-block:: none - set protocols ospfv3 interface eth1 area 0.0.0.0 + set protocols ospfv3 interface eth1 area 0.0.0.0 set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64 set protocols ospfv3 parameters router-id 192.168.1.1 set protocols ospfv3 redistribute connected @@ -1154,7 +1330,7 @@ A typical configuration using 2 nodes. .. code-block:: none - set protocols ospfv3 interface eth1 area 0.0.0.0 + set protocols ospfv3 interface eth1 area 0.0.0.0 set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64 set protocols ospfv3 parameters router-id 192.168.2.1 set protocols ospfv3 redistribute connected @@ -1183,7 +1359,7 @@ Example configuration for WireGuard interfaces: set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...=' set interfaces wireguard wg01 port '12345' set protocols ospfv3 parameters router-id 192.168.1.1 - set protocols ospfv3 interface 'wg01' area 0.0.0.0 + set protocols ospfv3 interface 'wg01' area 0.0.0.0 set protocols ospfv3 interface 'lo' area 0.0.0.0 **Node 2** @@ -1198,7 +1374,7 @@ Example configuration for WireGuard interfaces: set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...=' set interfaces wireguard wg01 port '12345' set protocols ospfv3 parameters router-id 192.168.1.2 - set protocols ospfv3 interface 'wg01' area 0.0.0.0 + set protocols ospfv3 interface 'wg01' area 0.0.0.0 set protocols ospfv3 interface 'lo' area 0.0.0.0 **Status** diff --git a/docs/configuration/protocols/pim.disable b/docs/configuration/protocols/pim.disable deleted file mode 100644 index 1dd373d8..00000000 --- a/docs/configuration/protocols/pim.disable +++ /dev/null @@ -1,2 +0,0 @@ -PIM -###
\ No newline at end of file diff --git a/docs/configuration/protocols/pim.rst b/docs/configuration/protocols/pim.rst new file mode 100644 index 00000000..2e881943 --- /dev/null +++ b/docs/configuration/protocols/pim.rst @@ -0,0 +1,266 @@ +:lastproofread: 2023-11-13 + +.. _pim: + +#################################### +PIM – Protocol Independent Multicast +#################################### + +VyOS supports :abbr:`PIM-SM (PIM Sparse Mode)` as well as +:abbr:`IGMP (Internet Group Management Protocol)` v2 and v3 + +:abbr:`PIM (Protocol Independent Multicast)` must be configured in every +interface of every participating router. Every router must also have the +location of the Rendevouz Point manually configured. Then, unidirectional +shared trees rooted at the Rendevouz Point will automatically be built +for multicast distribution. + +Traffic from multicast sources will go to the Rendezvous Point, and +receivers will pull it from a shared tree using :abbr:`IGMP (Internet +Group Management Protocol)`. + +Multicast receivers will talk IGMP to their local router, so, besides +having PIM configured in every router, IGMP must also be configured in +any router where there could be a multicast receiver locally connected. + +VyOS supports both IGMP version 2 and version 3 (which allows +source-specific multicast). + +************************ +PIM-SM - PIM Sparse Mode +************************ + +.. cfgcmd:: set protocols pim ecmp + + If PIM has the a choice of ECMP nexthops for a particular + :abbr:`RPF (Reverse Path Forwarding)`, PIM will cause S,G flows to be + spread out amongst the nexthops. If this command is not specified then + the first nexthop found will be used. + +.. cfgcmd:: set protocols pim ecmp rebalance + + If PIM is using ECMP and an interface goes down, cause PIM to rebalance all + S,G flows across the remaining nexthops. If this command is not configured + PIM only modifies those S,G flows that were using the interface that went + down. + +.. cfgcmd:: set protocols pim join-prune-interval <n> + + Modify the join/prune interval that PIM uses to the new value. Time is + specified in seconds. + + The default time is 60 seconds. + + If you enter a value smaller than 60 seconds be aware that this can and + will affect convergence at scale. + +.. cfgcmd:: set protocols pim keep-alive-timer <n> + + Modify the time out value for a S,G flow from 1-65535 seconds. If choosing + a value below 31 seconds be aware that some hardware platforms cannot see + data flowing in better than 30 second chunks. + +.. cfgcmd:: set protocols pim packets <n> + + When processing packets from a neighbor process the number of packets + incoming at one time before moving on to the next task. + + The default value is 3 packets. + + This command is only useful at scale when you can possibly have a large + number of PIM control packets flowing. + +.. cfgcmd:: set protocols pim register-accept-list <prefix-list> + + When PIM receives a register packet the source of the packet will be compared + to the prefix-list specified, and if a permit is received normal processing + continues. If a deny is returned for the source address of the register packet + a register stop message is sent to the source. + +.. cfgcmd:: set protocols pim register-suppress-time <n> + + Modify the time that pim will register suppress a FHR will send register + notifications to the kernel. + +.. cfgcmd:: set protocols pim rp <address> group <group> + + In order to use PIM, it is necessary to configure a :abbr:`RP (Rendezvous Point)` + for join messages to be sent to. Currently the only methodology to do this is + via static rendezvous point commands. + + All routers in the PIM network must agree on these values. + + The first ip address is the RP's address and the second value is the matching + prefix of group ranges covered. + +.. cfgcmd:: set protocols pim rp keep-alive-timer <n> + + Modify the time out value for a S,G flow from 1-65535 seconds at + :abbr:`RP (Rendezvous Point)`. The normal keepalive period for the KAT(S,G) + defaults to 210 seconds. However, at the :abbr:`RP (Rendezvous Point)`, the + keepalive period must be at least the Register_Suppression_Time, or the RP + may time out the (S,G) state before the next Null-Register arrives. + Thus, the KAT(S,G) is set to max(Keepalive_Period, RP_Keepalive_Period) + when a Register-Stop is sent. + + If choosing a value below 31 seconds be aware that some hardware platforms + cannot see data flowing in better than 30 second chunks. + + See :rfc:`7761#section-4.1` for details. + +.. cfgcmd:: set protocols pim no-v6-secondary + + When sending PIM hello packets tell PIM to not send any v6 secondary + addresses on the interface. This information is used to allow PIM to use v6 + nexthops in it's decision for :abbr:`RPF (Reverse Path Forwarding)` lookup + if this option is not set (default). + +.. cfgcmd:: set protocols pim spt-switchover infinity-and-beyond [prefix-list <list>] + + On the last hop router if it is desired to not switch over to the SPT tree + configure this command. + + Optional parameter prefix-list can be use to control which groups to switch or + not switch. If a group is PERMIT as per the prefix-list, then the SPT switchover + does not happen for it and if it is DENY, then the SPT switchover happens. + +.. cfgcmd:: set protocols pim ssm prefix-list <list> + + Specify a range of group addresses via a prefix-list that forces PIM to never + do :abbr:`SSM (Source-Specific Multicast)` over. + +Interface specific commands +=========================== + +.. cfgcmd:: set protocols pim interface <interface> bfd [profile <name>] + + Automatically create BFD session for each RIP peer discovered in this + interface. When the BFD session monitor signalize that the link is down + the RIP peer is removed and all the learned routes associated with that + peer are removed. + + If optional profile parameter is used, select a BFD profile for the BFD + sessions created via this interface. + +.. cfgcmd:: set protocols pim interface <interface> dr-priority <n> + + Set the :abbr:`DR (Designated Router)` Priority for the interface. + This command is useful to allow the user to influence what node becomes + the DR for a LAN segment. + +.. cfgcmd:: set protocols pim interface <interface> hello <n> + + Set the PIM hello and hold interval for a interface. + +.. cfgcmd:: set protocols pim interface <interface> no-bsm + + Tell PIM that we would not like to use this interface to process + bootstrap messages. + +.. cfgcmd:: set protocols pim interface <interface> no-unicast-bsm + + Tell PIM that we would not like to use this interface to process + unicast bootstrap messages. + +.. cfgcmd:: set protocols pim interface <interface> passive + + Disable sending and receiving PIM control packets on the interface. + + .. cfgcmd:: set protocols pim interface <interface> source-address <ip-address> + + If you have multiple addresses configured on a particular interface and would + like PIM to use a specific source address associated with that interface. + +****************************************** +IGMP - Internet Group Management Protocol) +****************************************** + +.. cfgcmd:: set protocols pim igmp watermark-warning <n> + + Configure watermark warning generation for an IGMP group limit. Generates + warning once the configured group limit is reached while adding new groups. + +.. _pim:igmp_interface_commands: + +Interface specific commands +=========================== + +.. cfgcmd:: set protocols pim interface <interface> igmp + join <multicast-address> source-address <IP-address> + + Use this command to allow the selected interface to join a multicast + group defining the multicast address you want to join and the source + IP address too. + +.. cfgcmd:: set protocols pim interface <interface> igmp + query-interval <seconds> + + Use this command to configure in the selected interface the IGMP + host query interval (1-1800) in seconds that PIM will use. + +.. cfgcmd:: set protocols pim interface <interface> igmp + query-max-response-time <n> + + Use this command to configure in the selected interface the IGMP + query response timeout value (10-250) in deciseconds. If a report is + not returned in the specified time, it will be assumed the (S,G) or + (\*,G) state :rfc:`7761#section-4.1` has timed out. + +.. cfgcmd:: set protocols pim interface <interface> igmp version <version-number> + + Use this command to define in the selected interface whether you + choose IGMP version 2 or 3. + + The default value is 3. + +Example +------- + +In the following example we can see a basic multicast setup: + +.. image:: /_static/images/multicast-basic.png + :width: 90% + :align: center + :alt: Network Topology Diagram + + + +**Router 1** + +.. code-block:: none + + set interfaces ethernet eth2 address '172.16.0.2/24' + set interfaces ethernet eth1 address '100.64.0.1/24' + set protocols ospf area 0 network '172.16.0.0/24' + set protocols ospf area 0 network '100.64.0.0/24' + set protocols igmp interface eth1 + set protocols pim interface eth1 + set protocols pim interface eth2 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' + +**Router 3** + +.. code-block:: none + + set interfaces dummy dum0 address '172.16.255.1/24' + set interfaces ethernet eth0 address '172.16.0.1/24' + set interfaces ethernet eth1 address '172.16.1.1/24' + set protocols ospf area 0 network '172.16.0.0/24' + set protocols ospf area 0 network '172.16.255.0/24' + set protocols ospf area 0 network '172.16.1.0/24' + set protocols pim interface dum0 + set protocols pim interface eth0 + set protocols pim interface eth1 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' + +**Router 2** + +.. code-block:: none + + set interfaces ethernet eth1 address '10.0.0.1/24' + set interfaces ethernet eth2 address '172.16.1.2/24' + set protocols ospf area 0 network '10.0.0.0/24' + set protocols ospf area 0 network '172.16.1.0/24' + set protocols pim interface eth1 + set protocols pim interface eth2 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' diff --git a/docs/configuration/protocols/pim6.rst b/docs/configuration/protocols/pim6.rst new file mode 100644 index 00000000..2b2276a7 --- /dev/null +++ b/docs/configuration/protocols/pim6.rst @@ -0,0 +1,94 @@ +.. _pim6: + +############################################## +PIM6 - Protocol Independent Multicast for IPv6 +############################################## + +VyOS facilitates IPv6 Multicast by supporting **PIMv6** and **MLD**. + +PIMv6 (Protocol Independent Multicast for IPv6) must be configured in every +interface of every participating router. Every router must also have the +location of the Rendevouz Point manually configured. +Then, unidirectional shared trees rooted at the Rendevouz Point will +automatically be built for multicast distribution. + +Traffic from multicast sources will go to the Rendezvous Point, and receivers +will pull it from a shared tree using MLD (Multicast Listener Discovery). + +Multicast receivers will talk MLD to their local router, so, besides having +PIMv6 configured in every router, MLD must also be configured in any router +where there could be a multicast receiver locally connected. + +VyOS supports both MLD version 1 and version 2 +(which allows source-specific multicast). + +Basic commands +============== +These are the commands for a basic setup. + +.. cfgcmd:: set protocols pim6 interface <interface-name> + + Use this command to enable PIMv6 in the selected interface so that it + can communicate with PIMv6 neighbors. This command also enables MLD reports + and query on the interface unless :cfgcmd:`mld disable` is configured. + +.. cfgcmd:: set protocols pim6 interface <interface-name> mld disable + + Disable MLD reports and query on the interface. + + +Tuning commands +=============== +You can also tune multicast with the following commands. + + +.. cfgcmd:: set protocols pim6 interface <interface-name> mld interval <seconds> + + Use this command to configure in the selected interface the MLD + host query interval (1-65535) in seconds that PIM will use. + The default value is 125 seconds. + +.. cfgcmd:: set protocols pim6 interface <interface-name> mld join <multicast-address> + + Use this command to allow the selected interface to join a multicast group. + +.. cfgcmd:: set protocols pim6 interface <interface-name> mld join <multicast-address> source <source-address> + + Use this command to allow the selected interface to join a source-specific multicast + group. + +.. cfgcmd:: set protocols pim6 interface <interface-name> mld last-member-query-count <count> + + Set the MLD last member query count. The default value is 2. + +.. cfgcmd:: set protocols pim6 interface <interface-name> mld last-member-query-interval <milliseconds> + + Set the MLD last member query interval in milliseconds (100-6553500). The default value is 1000 milliseconds. + +.. cfgcmd:: set protocols pim6 interface <interface-name> mld max-response-time <milliseconds> + + Set the MLD query response timeout in milliseconds (100-6553500). The default value is 10000 milliseconds. + +.. cfgcmd:: set protocols pim6 interface <interface-name> mld version <version-number> + + Set the MLD version used on this interface. The default value is 2. + +********************* +Configuration Example +********************* + +To enable MLD reports and query on interfaces `eth0` and `eth1`: + +.. code-block:: none + + set protocols pim6 interface eth0 + set protocols pim6 interface eth1 + +The following configuration explicitly joins multicast group `ff15::1234` on interface `eth1` +and source-specific multicast group `ff15::5678` with source address `2001:db8::1` on interface +`eth1`: + +.. code-block:: none + + set protocols pim6 interface eth0 mld join ff15::1234 + set protocols pim6 interface eth1 mld join ff15::5678 source 2001:db8::1 diff --git a/docs/configuration/protocols/rpki.rst b/docs/configuration/protocols/rpki.rst index 294a91f8..827bfe1a 100644 --- a/docs/configuration/protocols/rpki.rst +++ b/docs/configuration/protocols/rpki.rst @@ -127,8 +127,8 @@ SSH === Connections to the RPKI caching server can not only be established by HTTP/TLS -but you can also rely on a secure SSH session to the server. To enable SSH you -first need to create yoursels an SSH client keypair using ``generate ssh +but you can also rely on a secure SSH session to the server. To enable SSH, +first you need to create an SSH client keypair using ``generate ssh client-key /config/auth/id_rsa_rpki``. Once your key is created you can setup the connection. diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index 43abf254..dc45d071 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst @@ -45,6 +45,10 @@ Configuration The router should discard DHCP packages already containing relay agent information to ensure that only requests from DHCP clients are forwarded. +.. cfgcmd:: set service dhcp-relay disable + + Disable dhcp-relay service. + Options ------- @@ -146,6 +150,12 @@ Configuration .. _dhcp-relay:ipv6_options: +.. cfgcmd:: set service dhcpv6-relay disable + + Disable dhcpv6-relay service. + +.. _dhcp_relay:v6_options: + Options ------- diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index 5fe408f1..2caeb22d 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -31,7 +31,7 @@ avoid being tracked by the provider of your upstream DNS server. on optional port specified under `<port>`. The port defaults to 53. You can configure multiple nameservers here. -.. cfgcmd:: set service dns forwarding domain <domain-name> server <address> +.. cfgcmd:: set service dns forwarding domain <domain-name> name-server <address> Forward received queries for a particular domain (specified via `domain-name`) to a given nameserver. Multiple nameservers @@ -164,8 +164,8 @@ In this scenario: .. code-block:: none - set service dns forwarding domain example.com server 192.0.2.254 - set service dns forwarding domain example.com server 2001:db8:cafe::1 + set service dns forwarding domain example.com name-server 192.0.2.254 + set service dns forwarding domain example.com name-server 2001:db8:cafe::1 set service dns forwarding name-server 192.0.2.1 set service dns forwarding name-server 192.0.2.2 set service dns forwarding name-server 192.0.2.3 port 853 @@ -216,41 +216,47 @@ Configuration :rfc:`2136` Based ----------------- -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> Create new :rfc:`2136` DNS update configuration which will update the IP address assigned to `<interface>` on the service you configured under `<service-name>`. -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> key <keyfile> File identified by `<keyfile>` containing the secret RNDC key shared with remote DNS server. -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> server <server> Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment. -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> zone <zone> Configure DNS `<zone>` to be updated. -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> record <record> Configure DNS `<record>` which should be updated. This can be set multiple times. -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> ttl <ttl> Configure optional TTL value on the given resource record. This defaults to 600 seconds. +.. cfgcmd:: set service dns dynamic timeout <60-3600> + + Specify timeout / update interval to check if IP address changed. + + This defaults to 300 seconds. + .. _dns:dynmaic_example: Example @@ -302,40 +308,40 @@ VyOS is also able to use any service relying on protocols supported by ddclient. To use such a service, one must define a login, password, one or multiple hostnames, protocol and server. -.. cfgcmd:: set service dns dynamic interface <interface> service <service> +.. cfgcmd:: set service dns dynamic address <interface> service <service> host-name <hostname> Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS - provider identified by `<service>` when the IP address on interface + provider identified by `<service>` when the IP address on address `<interface>` changes. -.. cfgcmd:: set service dns dynamic interface <interface> service <service> - login <username> +.. cfgcmd:: set service dns dynamic address <interface> service <service> + username <username> Configure `<username>` used when authenticating the update request for DynDNS service identified by `<service>`. For Namecheap, set the <domain> you wish to update. -.. cfgcmd:: set service dns dynamic interface <interface> service <service> +.. cfgcmd:: set service dns dynamic address <interface> service <service> password <password> Configure `<password>` used when authenticating the update request for DynDNS service identified by `<service>`. -.. cfgcmd:: set service dns dynamic interface <interface> service <service> +.. cfgcmd:: set service dns dynamic address <interface> service <service> protocol <protocol> When a ``custom`` DynDNS provider is used the protocol used for communicating to the provider must be specified under `<protocol>`. See the embedded completion helper for available protocols. -.. cfgcmd:: set service dns dynamic interface <interface> service <service> +.. cfgcmd:: set service dns dynamic address <interface> service <service> server <server> When a ``custom`` DynDNS provider is used the `<server>` where update requests are being sent to must be specified. -.. cfgcmd:: set service dns dynamic interface <interface> ipv6-enable +.. cfgcmd:: set service dns dynamic address <interface> ipv6-enable Allow explicit IPv6 address for the interface. @@ -347,10 +353,10 @@ Use DynDNS as your preferred provider: .. code-block:: none - set service dns dynamic interface eth0 service dyndns - set service dns dynamic interface eth0 service dyndns login my-login - set service dns dynamic interface eth0 service dyndns password my-password - set service dns dynamic interface eth0 service dyndns host-name my-dyndns-hostname + set service dns dynamic address eth0 service dyndns + set service dns dynamic address eth0 service dyndns username my-login + set service dns dynamic address eth0 service dyndns password my-password + set service dns dynamic address eth0 service dyndns host-name my-dyndns-hostname .. note:: Multiple services can be used per interface. Just specify as many services per interface as you like! @@ -360,12 +366,12 @@ Example IPv6 only: .. code-block:: none - set service dns dynamic interface eth0 ipv6-enable - set service dns dynamic interface eth0 service dyndns6 login my-login - set service dns dynamic interface eth0 service dyndns6 password my-password - set service dns dynamic interface eth0 service dyndns6 host-name my-dyndns-hostname - set service dns dynamic interface eth0 service dyndns6 protocol dyndns2 - set service dns dynamic interface eth0 service dyndns6 server dyndns-v6-server + set service dns dynamic address eth0 ipv6-enable + set service dns dynamic address eth0 service dyndns6 username my-login + set service dns dynamic address eth0 service dyndns6 password my-password + set service dns dynamic address eth0 service dyndns6 host-name my-dyndns-hostname + set service dns dynamic address eth0 service dyndns6 protocol dyndns2 + set service dns dynamic address eth0 service dyndns6 server dyndns-v6-server Running Behind NAT @@ -375,15 +381,21 @@ By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP. -ddclient_ has another way to determine the WAN IP address. This is controlled -by: +Above, command syntax isn noted to configure dynamic dns on a specific interface. +It is possible to overlook the additional address option, web, when completeing +those commands. ddclient_ has another way to determine the WAN IP address, using +a web-based url to determine the external IP. Each of the commands above will +need to be modified to use 'web' as the 'interface' specified if this functionality +is to be utilized. + +This functionality is controlled by adding the following configuration: -.. cfgcmd:: set service dns dynamic interface <interface> use-web url <url> +.. cfgcmd:: set service dns dynamic address web web-options url <url> Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` and tries to extract your IP address from the response. -.. cfgcmd:: set service dns dynamic interface <interface> use-web skip <pattern> +.. cfgcmd:: set service dns dynamic address web web-options skip <pattern> ddclient_ will skip any address located before the string set in `<pattern>`. diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 08b16575..eb2e30eb 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -20,28 +20,19 @@ Configuration .. cfgcmd:: set service https api debug - To enable debug messages. Available via :opcmd:`show log` or + To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log` -.. cfgcmd:: set service https api port - - Set the listen port of the local API, this has no effect on the - webserver. The default is port 8080 - -.. cfgcmd:: set service https api socket - - Use local socket for API - .. cfgcmd:: set service https api strict Enforce strict path checking -.. cfgcmd:: set service https virtual-host <vhost> listen-address +.. cfgcmd:: set service https virtual-host <vhost> listen-address <ipv4 or ipv6 address> Address to listen for HTTPS requests -.. cfgcmd:: set service https virtual-host <vhost> listen-port <1-65535> +.. cfgcmd:: set service https virtual-host <vhost> port <1-65535> Port to listen for HTTPS requests; default 443 @@ -91,6 +82,6 @@ To use this full configuration we asume a public accessible hostname. set service https certificates certbot domain-name rtr01.example.com set service https certificates certbot email mail@example.com set service https virtual-host rtr01 listen-address 198.51.100.2 - set service https virtual-host rtr01 listen-port 11443 + set service https virtual-host rtr01 port 11443 set service https virtual-host rtr01 server-name rtr01.example.com set service https api-restrict virtual-host rtr01 diff --git a/docs/configuration/service/lldp.rst b/docs/configuration/service/lldp.rst index aa357211..12a9e0b6 100644 --- a/docs/configuration/service/lldp.rst +++ b/docs/configuration/service/lldp.rst @@ -54,7 +54,7 @@ Configuration Disable transmit of LLDP frames on given `<interface>`. Useful to exclude certain interfaces from LLDP when ``all`` have been enabled. -.. cfgcmd:: set service lldp snmp enable +.. cfgcmd:: set service lldp snmp Enable SNMP queries of the LLDP database diff --git a/docs/configuration/service/mdns.rst b/docs/configuration/service/mdns.rst index 9d6a292a..51fbf1a1 100644 --- a/docs/configuration/service/mdns.rst +++ b/docs/configuration/service/mdns.rst @@ -5,28 +5,44 @@ Starting with VyOS 1.2 a :abbr:`mDNS (Multicast DNS)` repeater functionality is provided. Additional information can be obtained from https://en.wikipedia.org/wiki/Multicast_DNS. -Multicast DNS uses the 224.0.0.251 address, which is "administratively scoped" -and does not leave the subnet. It retransmits mDNS packets from one interface -to other interfaces. This enables support for e.g. Apple Airplay devices across -multiple VLANs. +Multicast DNS uses the reserved address ``224.0.0.251``, which is +`"administratively scoped"` and does not leave the subnet. mDNS repeater +retransmits mDNS packets from one interface to other interfaces. This enables +support for devices using mDNS discovery (like network printers, Apple Airplay, +Chromecast, various IP based home-automation devices etc) across multiple VLANs. -Since the mDNS protocol sends the AA records in the packet itself, the repeater -does not need to forge the source address. Instead, the source address is of -the interface that repeats the packet. +Since the mDNS protocol sends the :abbr:`AA(Authoritative Answer)` records in +the packet itself, the repeater does not need to forge the source address. +Instead, the source address is of the interface that repeats the packet. Configuration ============= .. cfgcmd:: set service mdns repeater interface <interface> - To enable mDNS repeater you need to configure at least two interfaces. To - re-broadcast all incoming mDNS packets from any interface configured here to - any other interface configured under this section. + To enable mDNS repeater you need to configure at least two interfaces so that + all incoming mDNS packets from one interface configured here can be + re-broadcasted to any other interface(s) configured under this section. .. cfgcmd:: set service mdns repeater disable mDNS repeater can be temporarily disabled without deleting the service using +.. cfgcmd:: set service mdns repeater ip-version <ipv4 | ipv6 | both> + + mDNS repeater can be enabled either on IPv4 socket or on IPv6 socket or both + to re-broadcast. By default, mDNS repeater will listen on both IPv4 and IPv6. + +.. cfgcmd:: set service mdns repeater allow-service <service> + + mDNS repeater can be configured to re-broadcast only specific services. By + default, all services are re-broadcasted. + +.. cfgcmd:: set service mdns repeater browse-domain <domain> + + Allow listing additional custom domains to be browsed (in addition to the + default ``local``) so that they can be reflected. + .. note:: You can not run this in a VRRP setup, if multiple mDNS repeaters are launched in a subnet you will experience the mDNS packet storm death! @@ -41,4 +57,35 @@ received on `eth0` to `eth1` (and vice-versa) use the following commands: set service mdns repeater interface 'eth0' set service mdns repeater interface 'eth1' +To allow only specific services, for example ``_airplay._tcp`` or ``_ipp._tcp``, +(instead of all services) to be re-broadcasted, use the following command: + +.. code-block:: none + + set service mdns repeater allow-service '_airplay._tcp' + set service mdns repeater allow-service '_ipp._tcp' + +To allow listing additional custom domain, for example +``openthread.thread.home.arpa``, so that it can reflected in addition to the +default ``local``, use the following command: + +.. code-block:: none + + set service mdns repeater browse-domain 'openthread.thread.home.arpa' + .. _`Multicast DNS`: https://en.wikipedia.org/wiki/Multicast_DNS + +Operation +========= + +.. opcmd:: restart mdns repeater + + Restart mDNS repeater service. + +.. opcmd:: show log mdns repeater + + Show logs for mDNS repeater service. + +.. opcmd:: monitor log mdns repeater + + Follow the logs for mDNS repeater service. diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst index 755669e1..0aa93e71 100644 --- a/docs/configuration/service/monitoring.rst +++ b/docs/configuration/service/monitoring.rst @@ -19,7 +19,7 @@ Telegraf output plugin azure-data-explorer_ .. cfgcmd:: set service monitoring telegraf azure-data-explorer database <name> - Remote databe name. + Remote database name. .. cfgcmd:: set service monitoring telegraf azure-data-explorer group-metrics <single-table | table-per-metric> @@ -147,4 +147,4 @@ An example of a configuration that sends ``telegraf`` metrics to remote .. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer .. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client -.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html
\ No newline at end of file +.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index 69e357f3..a230d9fe 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -57,48 +57,35 @@ Client Address Pools -------------------- To automatically assign the client an IP address as tunnel endpoint, a -client IP pool is needed. The source can be either RADIUS or a local -subnet or IP range definition. - -Once the local tunnel endpoint ``set service pppoe-server gateway-address -'10.1.1.2'`` has been defined, the client IP pool can be either defined -as a range or as subnet using CIDR notation. If the CIDR notation is -used, multiple subnets can be setup which are used sequentially. +client IP pool is needed. The source can be either RADIUS or a +named pool. There is possibility to create multiple named pools. +Each named pool can include only one address range. To use multiple +address ranges configure ``next-pool`` option. **Client IP address via IP range definition** -.. cfgcmd:: set service pppoe-server client-ip-pool start <address> - - Use this command to define the first IP address of a pool of - addresses to be given to PPPoE clients. It must be within a /24 - subnet. - -.. cfgcmd:: set service pppoe-server client-ip-pool stop <address> - - Use this command to define the last IP address of a pool of - addresses to be given to PPPoE clients. It must be within a /24 - subnet. - -.. code-block:: none +.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> - set service pppoe-server client-ip-pool start '10.1.1.100' - set service pppoe-server client-ip-pool stop '10.1.1.111' + Use this command to define the IP address range to be given + to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. +.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> -**Client IP subnets via CIDR notation** + Use this command to define the next address pool name. -.. cfgcmd:: set service pppoe-server client-ip-pool subnet <address> +.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME> - Use this command for every pool of client IP addresses you want to - define. The addresses of this pool will be given to PPPoE clients. - You must use CIDR notation and it must be within a /24 subnet. + Use this command to define default address pool name. .. code-block:: none - set service pppoe-server client-ip-pool subnet '10.1.1.0/24' - set service pppoe-server client-ip-pool subnet '10.1.2.0/24' - set service pppoe-server client-ip-pool subnet '10.1.3.0/24' + set service pppoe-server client-ip-pool IP-POOL next-pool 'IP-POOL2' + set service pppoe-server client-ip-pool IP-POOL range '10.0.10.5/24' + set service pppoe-server client-ip-pool IP-POOL2 range '10.0.0.10-10.0.0.12' + set service pppoe-server default-pool 'IP-POOL' **RADIUS based IP pools (Framed-IP-Address)** @@ -213,8 +200,8 @@ For Local Users set service pppoe-server authentication local-users username foo rate-limit download '20480' set service pppoe-server authentication local-users username foo rate-limit upload '10240' set service pppoe-server authentication mode 'local' - set service pppoe-server client-ip-pool start '10.1.1.100' - set service pppoe-server client-ip-pool stop '10.1.1.111' + set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100/24' + set service pppoe-server default-pool 'IP-POOL' set service pppoe-server name-server '10.100.100.1' set service pppoe-server name-server '10.100.200.1' set service pppoe-server interface 'eth1' @@ -367,8 +354,8 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint set service pppoe-server access-concentrator 'ACN' set service pppoe-server authentication local-users username foo password 'bar' set service pppoe-server authentication mode 'local' - set service pppoe-server client-ip-pool start '10.1.1.100' - set service pppoe-server client-ip-pool stop '10.1.1.111' + set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100-10.1.1.111' + set service pppoe-server default-pool 'IP-POOL' set service pppoe-server interface eth1 set service pppoe-server gateway-address '10.1.1.2' set service pppoe-server name-server '10.100.100.1' @@ -385,8 +372,8 @@ The example below covers a dual-stack configuration via pppoe-server. set service pppoe-server authentication local-users username test password 'test' set service pppoe-server authentication mode 'local' - set service pppoe-server client-ip-pool start '192.168.0.1' - set service pppoe-server client-ip-pool stop '192.168.0.10' + set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24' + set service pppoe-server default-pool 'IP-POOL' set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56' set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64' set service pppoe-server ppp-options ipv6 allow diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index 15c2390c..efdbc651 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst @@ -218,3 +218,31 @@ Operation commit save exit + +.. opcmd:: show log ssh + + Show SSH server log. + +.. opcmd:: monitor log ssh + + Follow the SSH server log. + +.. opcmd:: show log ssh dynamic-protection + + Show SSH dynamic-protection log. + +.. opcmd:: monitor log ssh dynamic-protection + + Follow the SSH dynamic-protection log. + +.. opcmd:: show ssh dynamic-protection + + Show list of IPs currently blocked by SSH dynamic-protection. + +.. opcmd:: show ssh fingerprints + + Show SSH server public key fingerprints. + +.. opcmd:: show ssh fingerprints ascii + + Show SSH server public key fingerprints, including a visual ASCII art representation. diff --git a/docs/configuration/system/frr.rst b/docs/configuration/system/frr.rst new file mode 100644 index 00000000..a7f7ff93 --- /dev/null +++ b/docs/configuration/system/frr.rst @@ -0,0 +1,38 @@ +.. _system_frr: + +### +FRR +### + +VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic +and static routing. The routing daemon behavior can be adjusted during runtime, +but require either a restart of the routing daemon, or a reboot of the system. + +.. cfgcmd:: set system frr bmp + + Enable :abbr:`BMP (BGP Monitoring Protocol)` support + +.. cfgcmd:: set system frr descriptors <numer> + + This allows the operator to control the number of open file descriptors + each daemon is allowed to start with. If the operator plans to run bgp with + several thousands of peers then this is where we would modify FRR to allow + this to happen. + +.. cfgcmd:: set system frr irdp + + Enable ICMP Router Discovery Protocol support + +.. cfgcmd:: set system frr snmp <daemon> + + Enable SNMP support for an individual routing daemon. + + Supported daemons: + + - bgpd + - isisd + - ldpd + - ospf6d + - ospfd + - ripd + - zebra diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index 23edaa3f..dbb63d09 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst @@ -11,6 +11,7 @@ System conntrack console flow-accounting + frr host-name ip ipv6 @@ -24,6 +25,7 @@ System sysctl task-scheduler time-zone + updates .. toctree:: diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst index 29f46ae9..0f45b7ca 100644 --- a/docs/configuration/system/ip.rst +++ b/docs/configuration/system/ip.rst @@ -27,6 +27,21 @@ System configuration commands Use this command to use Layer 4 information for IPv4 ECMP hashing. +Zebra/Kernel route filtering +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Zebra supports prefix-lists and Route Mapss to match routes received from +other FRR components. The permit/deny facilities provided by these commands +can be used to filter which routes zebra will install in the kernel. + +.. cfgcmd:: set system ip protocol <protocol> route-map <route-map> + + Apply a route-map filter to routes for the specified protocol. The following + protocols can be used: any, babel, bgp, connected, eigrp, isis, kernel, + ospf, rip, static, table + + .. note:: If you choose any as the option that will cause all protocols that + are sending routes to zebra. Operational commands -------------------- diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst index 0b9f9cc8..c7308f9d 100644 --- a/docs/configuration/system/ipv6.rst +++ b/docs/configuration/system/ipv6.rst @@ -23,6 +23,21 @@ System configuration commands Use this command to user Layer 4 information for ECMP hashing. +Zebra/Kernel route filtering +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Zebra supports prefix-lists and Route Mapss to match routes received from +other FRR components. The permit/deny facilities provided by these commands +can be used to filter which routes zebra will install in the kernel. + +.. cfgcmd:: set system ipv6 protocol <protocol> route-map <route-map> + + Apply a route-map filter to routes for the specified protocol. The following + protocols can be used: any, babel, bgp, connected, isis, kernel, ospfv3, + ripng, static, table + + .. note:: If you choose any as the option that will cause all protocols that + are sending routes to zebra. Operational commands -------------------- @@ -66,6 +81,7 @@ Show commands static Show IPv6 static routes summary Show IPv6 routes summary table Show IP routes in policy table + tag Show only routes with tag vrf Show IPv6 routes in VRF @@ -97,33 +113,6 @@ Show commands <Enter> Execute the current command <text> Show specified IPv6 access-list -.. opcmd:: show ipv6 bgp - - Use this command to show IPv6 Border Gateway Protocol information. - - - In addition, you can specify many other parameters to get BGP - information: - - .. code-block:: none - - vyos@vyos:~$ show ipv6 bgp - Possible completions: - <Enter> Execute the current command - <X:X::X:X> Show BGP information for given address or prefix - <X:X::X:X/M> - community Show routes matching the communities - community-list - Show routes matching the community-list - filter-list Show routes conforming to the filter-list - large-community - Show routes matching the large-community-list - large-community-list - neighbors Show detailed information on TCP and BGP neighbor connections - prefix-list Show routes matching the prefix-list - regexp Show routes matching the AS path regular expression - route-map Show BGP routes matching the specified route map - summary Show summary of BGP neighbor status .. opcmd:: show ipv6 ospfv3 diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index a5c1b558..98e05cdd 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -82,8 +82,8 @@ The third part is simply an identifier, and is for your own reference. <identifier> options <options> Set the options for this public key. See the ssh ``authorized_keys`` man - page for details of what you can specify here. To place a ``"`` - character in the options field, use ``"``, for example + page for details of what you can specify here. To place a ``"`` + character in the options field, use ``"``, for example ``from="10.0.0.0/24"`` to restrict where the user may connect from when using this key. @@ -189,7 +189,7 @@ Display OTP key for user To display the configured OTP user key, use the command: -.. cfgcmd:: sh system login authentication user <username> otp +.. cfgcmd:: sh system login authentication user <username> otp <full|key-b32|qrcode|uri> An example: @@ -242,35 +242,122 @@ Configuration .. cfgcmd:: set system login radius server <address> key <secret> - Specify the `<address>` of the RADIUS server user with the pre-shared-secret - given in `<secret>`. Multiple servers can be specified. + Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret + given in `<secret>`. + + Multiple servers can be specified. .. cfgcmd:: set system login radius server <address> port <port> Configure the discrete port under which the RADIUS server can be reached. - This defaults to 1812. -.. cfgcmd:: set system login radius server <address> timeout <timeout> - - Setup the `<timeout>` in seconds when querying the RADIUS server. + This defaults to 1812. .. cfgcmd:: set system login radius server <address> disable Temporary disable this RADIUS server. It won't be queried. +.. cfgcmd:: set system login radius server <address> timeout <timeout> + + Setup the `<timeout>` in seconds when querying the RADIUS server. + .. cfgcmd:: set system login radius source-address <address> RADIUS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address of each RADIUS query can be - configured. If this is not set, incoming connections to the RADIUS server - will use the nearest interface address pointing towards the server - making - it error prone on e.g. OSPF networks when a link fails and a backup route is - taken. + configured. + + If unset, incoming connections to the RADIUS server will use the nearest + interface address pointing towards the server - making it error prone on + e.g. OSPF networks when a link fails and a backup route is taken. + +.. cfgcmd:: set system login radius vrf <name> + + Source all connections to the RADIUS servers from given VRF `<name>`. + +Configuration Example +--------------------- + +.. code-block:: none + + set system login radius server 192.168.0.2 key 'test-vyos' + set system login radius server 192.168.0.2 port '1812' + set system login radius server 192.168.0.2 timeout '5' + set system login radius source-address '192.168.0.1' + + + If there is no communication between VyOS and RADIUS server users can + authenticate from local user accounts. During authentication from the local + accounts users can observe some timeouts. Timeout in seconds depends on + the configured timeout option. .. hint:: If you want to have admin users to authenticate via RADIUS it is essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without the attribute you will only get regular, non privilegued, system users. +TACACS+ +======= + +In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service)`, +:abbr:`TACACS (Terminal Access Controller Access Control System)` can also be +found in large deployments. + +TACACS is defined in :rfc:`8907`. + +.. _TACACS Configuration: + +Configuration +------------- + +.. cfgcmd:: set system login tacas server <address> key <secret> + + Specify the IP `<address>` of the TACACS server user with the pre-shared-secret + given in `<secret>`. + + Multiple servers can be specified. + +.. cfgcmd:: set system login tacas server <address> port <port> + + Configure the discrete port under which the TACACS server can be reached. + + This defaults to 49. + +.. cfgcmd:: set system login tacas server <address> disable + + Temporary disable this TACACS server. It won't be queried. + +.. cfgcmd:: set system login tacas server <address> timeout <timeout> + + Setup the `<timeout>` in seconds when querying the TACACS server. + +.. cfgcmd:: set system login tacas source-address <address> + + TACACS servers could be hardened by only allowing certain IP addresses to + connect. As of this the source address of each TACACS query can be + configured. + + If unset, incoming connections to the TACACS server will use the nearest + interface address pointing towards the server - making it error prone on + e.g. OSPF networks when a link fails and a backup route is taken. + +.. cfgcmd:: set system login tacas vrf <name> + + Source all connections to the TACACS servers from given VRF `<name>`. + +.. _login:tacacs_example: + +Configuration Example +--------------------- + +.. code-block:: none + + set system login tacacs server 192.168.0.2 key 'test-vyos' + set system login tacacs server 192.168.0.2 port '49' + set system login tacacs source-address '192.168.0.1' + + + If there is no communication between VyOS and TACACS server users can + authenticate from local user accounts. Login Banner ============ @@ -290,6 +377,21 @@ information for this system. .. note:: To create a new line in your login message you need to escape the new line character by using ``\\n``. +Limits +====== + +Login limits + +.. cfgcmd:: set system login max-login-session <number> + + Set a limit on the maximum number of concurrent logged-in users on + the system. + + This option must be used with ``timeout`` option. + +.. cfgcmd:: set system login timeout <timeout> + + Configure session timeout after which the user will be logged out. Example ======= @@ -311,3 +413,32 @@ the password. set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2 set system login user vyos authentication plaintext-password vyos + +TACACS Example +-------------- + +We use a vontainer providing the TACACS serve rin this example. + +Load the container image in op-mode. + +.. code-block:: none + + add container image lfkeitel/tacacs_plus:latest + +.. code-block:: none + + set container network tac-test prefix '100.64.0.0/24' + + set container name tacacs1 image 'lfkeitel/tacacs_plus:latest' + set container name tacacs1 network tac-test address '100.64.0.11' + + set container name tacacs2 image 'lfkeitel/tacacs_plus:latest' + set container name tacacs2 network tac-test address '100.64.0.12' + + set system login tacacs server 100.64.0.11 key 'tac_plus_key' + set system login tacacs server 100.64.0.12 key 'tac_plus_key' + + commit + +You can now SSH into your system using admin/admin as a default user supplied +from the ``lfkeitel/tacacs_plus:latest`` container. diff --git a/docs/configuration/system/sflow.rst b/docs/configuration/system/sflow.rst index b131d8a9..c2cf5a80 100644 --- a/docs/configuration/system/sflow.rst +++ b/docs/configuration/system/sflow.rst @@ -1,5 +1,3 @@ -.. _ntp: - ##### sFlow ##### diff --git a/docs/configuration/system/syslog.rst b/docs/configuration/system/syslog.rst index ab427d99..8755d905 100644 --- a/docs/configuration/system/syslog.rst +++ b/docs/configuration/system/syslog.rst @@ -74,6 +74,11 @@ sending the messages via port 514/UDP. either UDP or TCP. +.. cfgcmd:: set system syslog vrf <name> + + Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. + + Local User Account ------------------ @@ -238,8 +243,8 @@ Delete Logs Deletes the specified user-defined file <text> in the /var/log/user directory -Note that deleting the log file does not stop the system from logging events. -If you use this command while the system is logging events, old log events -will be deleted, but events after the delete operation will be recorded in -the new file. To delete the file altogether, first delete logging to the -file using system syslog :ref:`custom-file` command, and then delete the file. +Note that deleting the log file does not stop the system from logging events. +If you use this command while the system is logging events, old log events +will be deleted, but events after the delete operation will be recorded in +the new file. To delete the file altogether, first delete logging to the +file using system syslog :ref:`custom-file` command, and then delete the file. diff --git a/docs/configuration/system/updates.rst b/docs/configuration/system/updates.rst new file mode 100644 index 00000000..a55bfa9a --- /dev/null +++ b/docs/configuration/system/updates.rst @@ -0,0 +1,37 @@ +####### +Updates +####### + +VyOS supports online checking for updates + +Configuration +============= + +.. cfgcmd:: set system update-check auto-check + + Configure auto-checking for new images + + +.. cfgcmd:: set system update-check url <url> + + Configure a URL that contains information about images. + + +Example +======= + +.. code-block:: none + + set system update-check auto-check + set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json' + +Check: + +.. code-block:: none + + vyos@r4:~$ show system updates + Current version: 1.5-rolling-202312220023 + + Update available: 1.5-rolling-202312250024 + Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso + vyos@r4:~$ diff --git a/docs/configuration/trafficpolicy/index.rst b/docs/configuration/trafficpolicy/index.rst index b008a8d9..93f69f80 100644 --- a/docs/configuration/trafficpolicy/index.rst +++ b/docs/configuration/trafficpolicy/index.rst @@ -130,13 +130,13 @@ configuring it. .. note:: The meaning of the Class ID is not the same for every type of policy. Normally policies just need a meaningless number to identify a class (Class ID), but that does not apply to every policy. - The the number of a class in a Priority Queue it does not only + The number of a class in a Priority Queue it does not only identify it, it also defines its priority. .. code-block:: none - set traffic-policy <policy> <policy-name> class <class-ID> match <class-matching-rule-name> + set qos policy <policy> <policy-name> class <class-ID> match <class-matching-rule-name> In the command above, we set the type of policy we are going to @@ -148,8 +148,8 @@ A class can have multiple match filters: .. code-block:: none - set traffic-policy shaper MY-SHAPER class 30 match HTTP - set traffic-policy shaper MY-SHAPER class 30 match HTTPs + set qos policy shaper MY-SHAPER class 30 match HTTP + set qos policy shaper MY-SHAPER class 30 match HTTPs A match filter can contain multiple criteria and will match traffic if all those criteria are true. @@ -158,8 +158,8 @@ For example: .. code-block:: none - set traffic-policy shaper MY-SHAPER class 30 match HTTP ip protocol tcp - set traffic-policy shaper MY-SHAPER class 30 match HTTP ip source port 80 + set qos policy shaper MY-SHAPER class 30 match HTTP ip protocol tcp + set qos policy shaper MY-SHAPER class 30 match HTTP ip source port 80 This will match TCP traffic with source port 80. @@ -181,13 +181,13 @@ different parameters you can configure. .. code-block:: none - vyos@vyos# set traffic-policy shaper MY-SHAPER class 30 match MY-FIRST-FILTER + vyos@vyos# set qos policy shaper MY-SHAPER class 30 match MY-FIRST-FILTER Possible completions: - description Description for this match + description Description > ether Ethernet header match - interface Interface name for this match + interface Interface to use > ip Match IP protocol header - > ipv6 Match IPV6 header + > ipv6 Match IPV6 protocol header mark Match on mark applied by firewall vif Virtual Local Area Network (VLAN) ID for this match @@ -201,7 +201,7 @@ You can also write a description for a filter: .. code-block:: none - set traffic-policy shaper MY-SHAPER class 30 match MY-FIRST-FILTER description "My filter description" + set qos policy shaper MY-SHAPER class 30 match MY-FIRST-FILTER description "My filter description" @@ -233,25 +233,25 @@ possibilities depending on the Traffic Policy you are configuring. .. code-block:: none - vyos@vyos# set traffic-policy shaper MY-SHAPER class 30 + vyos@vyos# set qos policy shaper MY-SHAPER class 30 Possible completions: - bandwidth Bandwidth used for this class - burst Burst size for this class (default: 15kb) + bandwidth Available bandwidth for this policy (default: auto) + burst Burst size for this class (default: 15k) ceiling Bandwidth limit for this class codel-quantum - fq-codel - Number of bytes used as 'deficit' (default 1514) - description Description for this traffic class - flows fq-codel - Number of flows (default 1024) - interval fq-codel - Interval (milliseconds) used to measure the delay (default 100) + Deficit in the fair queuing algorithm (default 1514) + description Description + flows Number of flows into which the incoming packets are classified(default 1024) + interval Interval used to measure the delay (default 100) +> match Class matching rule name - priority Priority for usage of excess bandwidth - queue-limit Maximum queue size (packets) - queue-type Queue type for this class + priority Priority for rule evaluation + queue-limit Maximum queue size + queue-type Queue type for default traffic (default: fq-codel) set-dscp Change the Differentiated Services (DiffServ) field in the IP header - target fq-codel - Acceptable minimum queue delay (milliseconds) + target Acceptable minimum standing/persistent queue delay (default: 5) -For instance, with :code:`set traffic-policy shaper MY-SHAPER +For instance, with :code:`set qos policy shaper MY-SHAPER class 30 set-dscp EF` you would be modifying the DSCP field value of packets in that class to Expedite Forwarding. @@ -316,9 +316,9 @@ setting. .. code-block:: none - set traffic-policy shaper FQ-SHAPER bandwidth 4gbit - set traffic-policy shaper FQ-SHAPER default bandwidth 100% - set traffic-policy shaper FQ-SHAPER default queue-type fq-codel + set qos policy shaper FQ-SHAPER bandwidth 4gbit + set qos policy shaper FQ-SHAPER default bandwidth 100% + set qos policy shaper FQ-SHAPER default queue-type fq-codel As shown in the last command of the example above, the `queue-type` setting allows these combinations. You will be able to use it @@ -372,7 +372,7 @@ This is the policy that requieres the lowest resources for the same amount of traffic. But **very likely you do not need it as you cannot get much from it. Sometimes it is used just to enable logging.** -.. cfgcmd:: set traffic-policy drop-tail <policy-name> queue-limit +.. cfgcmd:: set qos policy drop-tail <policy-name> queue-limit <number-of-packets> Use this command to configure a drop-tail policy (PFIFO). Choose a @@ -393,7 +393,7 @@ fairness so that each flow is able to send data in turn, preventing any single one from drowning out the rest. -.. cfgcmd:: set traffic-policy fair-queue <policy-name> +.. cfgcmd:: set qos policy fair-queue <policy-name> Use this command to create a Fair-Queue policy and give it a name. It is based on the Stochastic Fairness Queueing and can be applied to @@ -411,7 +411,7 @@ packet reordering to occur. An advisable value could be 10 seconds. One of the uses of Fair Queue might be the mitigation of Denial of Service attacks. -.. cfgcmd:: set traffic-policy fair-queue <policy-name> hash-interval <seconds>` +.. cfgcmd:: set qos policy fair-queue <policy-name> hash-interval <seconds> Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number of seconds at which @@ -420,7 +420,7 @@ Service attacks. When dequeuing, each hash-bucket with data is queried in a round robin fashion. You can configure the length of the queue. -.. cfgcmd:: set traffic-policy fair-queue <policy-name> queue-limit <limit> +.. cfgcmd:: set qos policy fair-queue <policy-name> queue-limit <limit> Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number of maximum packets @@ -492,33 +492,33 @@ being ok) you may also want to increase `target` to something like 15ms and increase `interval` to something around 150 ms. -.. cfgcmd:: set traffic-policy fq-codel <policy name> codel-quantum <bytes> +.. cfgcmd:: set qos policy fq-codel <policy name> codel-quantum <bytes> Use this command to configure an fq-codel policy, set its name and the maximum number of bytes (default: 1514) to be dequeued from a queue at once. -.. cfgcmd:: set traffic-policy fq-codel <policy name> flows <number-of-flows> +.. cfgcmd:: set qos policy fq-codel <policy name> flows <number-of-flows> Use this command to configure an fq-codel policy, set its name and the number of sub-queues (default: 1024) into which packets are classified. -.. cfgcmd:: set traffic-policy fq-codel <policy name> interval <miliseconds> +.. cfgcmd:: set qos policy fq-codel <policy name> interval <miliseconds> Use this command to configure an fq-codel policy, set its name and the time period used by the control loop of CoDel to detect when a persistent queue is developing, ensuring that the measured minimum delay does not become too stale (default: 100ms). -.. cfgcmd:: set traffic-policy fq-codel <policy-name> queue-limit - <number-of-packets>` +.. cfgcmd:: set qos policy fq-codel <policy-name> queue-limit + <number-of-packets> Use this command to configure an fq-codel policy, set its name, and define a hard limit on the real queue size. When this limit is reached, new packets are dropped (default: 10240 packets). -.. cfgcmd:: set traffic-policy fq-codel <policy-name> target <miliseconds>` +.. cfgcmd:: set qos policy fq-codel <policy-name> target <miliseconds> Use this command to configure an fq-codel policy, set its name, and define the acceptable minimum standing/persistent queue delay. This @@ -534,9 +534,9 @@ A simple example of an FQ-CoDel policy working inside a Shaper one. .. code-block:: none - set traffic-policy shaper FQ-CODEL-SHAPER bandwidth 2gbit - set traffic-policy shaper FQ-CODEL-SHAPER default bandwidth 100% - set traffic-policy shaper FQ-CODEL-SHAPER default queue-type fq-codel + set qos policy shaper FQ-CODEL-SHAPER bandwidth 2gbit + set qos policy shaper FQ-CODEL-SHAPER default bandwidth 100% + set qos policy shaper FQ-CODEL-SHAPER default queue-type fq-codel @@ -565,7 +565,7 @@ the configured classes. **inbound** traffic, check the ingress-shaping_ section. -.. cfgcmd:: set traffic-policy limiter <policy-name> class <class ID> match +.. cfgcmd:: set qos policy limiter <policy-name> class <class ID> match <match-name> description <description> Use this command to configure an Ingress Policer, defining its name, @@ -577,7 +577,7 @@ Once the matching rules are set for a class, you can start configuring how you want matching traffic to behave. -.. cfgcmd:: set traffic-policy limiter <policy-name> class <class-ID> bandwidth +.. cfgcmd:: set qos policy limiter <policy-name> class <class-ID> bandwidth <rate> Use this command to configure an Ingress Policer, defining its name, @@ -585,7 +585,7 @@ how you want matching traffic to behave. this class. -.. cfgcmd:: set traffic-policy limiter <policy-name> class <class-ID> burst +.. cfgcmd:: set qos policy limiter <policy-name> class <class-ID> burst <burst-size> Use this command to configure an Ingress Policer, defining its name, @@ -593,19 +593,19 @@ how you want matching traffic to behave. class (default: 15). -.. cfgcmd:: set traffic-policy limiter <policy-name> default bandwidth <rate> +.. cfgcmd:: set qos policy limiter <policy-name> default bandwidth <rate> Use this command to configure an Ingress Policer, defining its name and the maximum allowed bandwidth for its default policy. -.. cfgcmd:: set traffic-policy limiter <policy-name> default burst <burst-size> +.. cfgcmd:: set qos policy limiter <policy-name> default burst <burst-size> Use this command to configure an Ingress Policer, defining its name and the burst size in bytes (default: 15) for its default policy. -.. cfgcmd:: set traffic-policy limiter <policy-name> class <class ID> priority +.. cfgcmd:: set qos policy limiter <policy-name> class <class ID> priority <value> Use this command to configure an Ingress Policer, defining its name, @@ -629,13 +629,13 @@ This could be helpful if you want to test how an application behaves under certain network conditions. -.. cfgcmd:: set traffic-policy network-emulator <policy-name> bandwidth <rate> +.. cfgcmd:: set qos policy network-emulator <policy-name> bandwidth <rate> Use this command to configure the maximum rate at which traffic will be shaped in a Network Emulator policy. Define the name of the policy and the rate. -.. cfgcmd:: set traffic-policy network-emulator <policy-name> burst <burst-size> +.. cfgcmd:: set qos policy network-emulator <policy-name> burst <burst-size> Use this command to configure the burst size of the traffic in a Network Emulator policy. Define the name of the Network Emulator @@ -643,7 +643,7 @@ under certain network conditions. Token Bucket Filter qdisc). Default:15kb. It will only take effect if you have configured its bandwidth too. -.. cfgcmd:: set traffic-policy network-emulator <policy-name> network-delay +.. cfgcmd:: set qos policy network-emulator <policy-name> delay <delay> Use this command to configure a Network Emulator policy defining its @@ -653,7 +653,7 @@ under certain network conditions. configured its bandwidth too. You can use secs, ms and us. Default: 50ms. -.. cfgcmd:: set traffic-policy network-emulator <policy-name> packet-corruption +.. cfgcmd:: set qos policy network-emulator <policy-name> corruption <percent> Use this command to emulate noise in a Network Emulator policy. Set @@ -661,14 +661,14 @@ under certain network conditions. random error will be introduced in a random position for the chosen percent of packets. -.. cfgcmd:: set traffic-policy network-emulator <policy-name> packet-loss +.. cfgcmd:: set qos policy network-emulator <policy-name> loss <percent> Use this command to emulate packet-loss conditions in a Network Emulator policy. Set the policy name and the percentage of loss packets your traffic will suffer. -.. cfgcmd:: set traffic-policy network-emulator <policy-name> packet-reordering +.. cfgcmd:: set traffic-policy network-emulator <policy-name> reordering <percent> Use this command to emulate packet-reordering conditions in a Network @@ -720,13 +720,13 @@ for your classes: .. code-block:: none - vyos@vyos# set traffic-policy priority-queue MY-PRIO class 3 match MY-MATCH-RULE + vyos@vyos# set qos policy priority-queue MY-PRIO class 3 match MY-MATCH-RULE Possible completions: - description Description for this match + description Description > ether Ethernet header match - interface Interface name for this match + interface Interface to use > ip Match IP protocol header - > ipv6 Match IPV6 header + > ipv6 Match IPV6 protocol header mark Match on mark applied by firewall vif Virtual Local Area Network (VLAN) ID for this match @@ -737,18 +737,18 @@ setting: .. code-block:: none - vyos@vyos# set traffic-policy priority-queue MY-PRIO class 3 queue-type + vyos@vyos# set qos policy priority-queue MY-PRIO class 3 queue-type Possible completions: + drop-tail First-In-First-Out (FIFO) (default) fq-codel Fair Queue Codel fair-queue Stochastic Fair Queue (SFQ) - drop-tail First-In-First-Out (FIFO) - priority Priority queueing based on DSCP + priority Priority queueing random-detect Random Early Detection (RED) -.. cfgcmd:: set traffic-policy priority-queue <policy-name> class <class-ID> - queue-limit <limit>` +.. cfgcmd:: set qos policy priority-queue <policy-name> class <class-ID> + queue-limit <limit> Use this command to configure a Priority Queue policy, set its name, set a class with a priority from 1 to 7 and define a hard limit on @@ -809,7 +809,7 @@ algorithm might be to prevent a backbone overload. But only for TCP (because dropped packets could be retransmitted), not for UDP. -.. cfgcmd:: set traffic-policy random-detect <policy-name> bandwidth <bandwidth> +.. cfgcmd:: set qos policy random-detect <policy-name> bandwidth <bandwidth> Use this command to configure a Random-Detect policy, set its name and set the available bandwidth for this policy. It is used for @@ -817,7 +817,7 @@ algorithm might be to prevent a backbone overload. But only for TCP set to the bandwidth of your interface. Random Detect is not a shaping policy, this command will not shape. -.. cfgcmd:: set traffic-policy random-detect <policy-name> precedence +.. cfgcmd:: set qos policy random-detect <policy-name> precedence <IP-precedence-value> average-packet <bytes> Use this command to configure a Random-Detect policy and set its @@ -828,7 +828,7 @@ algorithm might be to prevent a backbone overload. But only for TCP .. note:: When configuring a Random-Detect policy: **the higher the precedence number, the higher the priority**. -.. cfgcmd:: set traffic-policy random-detect <policy-name> precedence +.. cfgcmd:: set qos policy random-detect <policy-name> precedence <IP-precedence-value> mark-probability <value> Use this command to configure a Random-Detect policy and set its @@ -837,7 +837,7 @@ algorithm might be to prevent a backbone overload. But only for TCP probability by giving the N value of the fraction 1/N (default: 10). -.. cfgcmd:: set traffic-policy random-detect <policy-name> precedence +.. cfgcmd:: set qos policy random-detect <policy-name> precedence <IP-precedence-value> maximum-threshold <packets> Use this command to configure a Random-Detect policy and set its @@ -846,7 +846,7 @@ algorithm might be to prevent a backbone overload. But only for TCP be (from 0 to 4096 packets, default: 18). At this size, the marking (drop) probability is maximal. -.. cfgcmd:: set traffic-policy random-detect <policy-name> precedence +.. cfgcmd:: set qos policy random-detect <policy-name> precedence <IP-precedence-value> minimum-threshold <packets> Use this command to configure a Random-Detect policy and set its @@ -879,7 +879,7 @@ The default values for the minimum-threshold depend on IP precedence: +------------+-----------------------+ -.. cfgcmd:: set traffic-policy random-detect <policy-name> precedence +.. cfgcmd:: set qos policy random-detect <policy-name> precedence <IP-precedence-value> queue-limit <packets> Use this command to configure a Random-Detect policy and set its @@ -925,12 +925,12 @@ Rate-Control traffic is stocked with tokens which correspond to the amount of traffic that can be burst in one go. Tokens arrive at a steady rate, until the bucket is full. -.. cfgcmd:: set traffic-policy rate-control <policy-name> bandwidth <rate> +.. cfgcmd:: set qos policy rate-control <policy-name> bandwidth <rate> Use this command to configure a Rate-Control policy, set its name and the rate limit you want to have. -.. cfgcmd:: set traffic-policy rate-control <policy-name> burst <burst-size> +.. cfgcmd:: set qos policy rate-control <policy-name> burst <burst-size> Use this command to configure a Rate-Control policy, set its name and the size of the bucket in bytes which will be available for @@ -942,7 +942,7 @@ buffer if you want to reach your configured rate. A very small buffer will soon start dropping packets. -.. cfgcmd:: set traffic-policy rate-control <policy-name> latency +.. cfgcmd:: set qos policy rate-control <policy-name> latency Use this command to configure a Rate-Control policy, set its name and the maximum amount of time a packet can be queued (default: 50 @@ -981,14 +981,14 @@ At every round, the deficit counter adds the quantum so that even large packets will have their opportunity to be dequeued. -.. cfgcmd:: set traffic-policy round-robin <policy name> class +.. cfgcmd:: set qos policy round-robin <policy name> class <class-ID> quantum <packets> Use this command to configure a Round-Robin policy, set its name, set a class ID, and the quantum for that class. The deficit counter will add that value each round. -.. cfgcmd:: set traffic-policy round-robin <policy name> class +.. cfgcmd:: set qos policy round-robin <policy name> class <class ID> queue-limit <packets> Use this command to configure a Round-Robin policy, set its name, set @@ -999,12 +999,14 @@ class through the ``queue-type`` setting. .. code-block:: none - vyos@vyos# set traffic-policy round-robin DRR class 10 queue-type + vyos@vyos# set qos policy round-robin DRR class 10 queue-type Possible completions: + drop-tail First-In-First-Out (FIFO) (default) fq-codel Fair Queue Codel fair-queue Stochastic Fair Queue (SFQ) - drop-tail First-In-First-Out (FIFO) - priority Priority queueing based on DSCP + priority Priority queueing based + random-detect + Random Early Detection (RED) @@ -1035,34 +1037,34 @@ allocated. Priority can be any number from 0 to 7. The lower the number, the higher the priority. -.. cfgcmd:: set traffic-policy shaper <policy-name> bandwidth <rate> +.. cfgcmd:: set qos policy shaper <policy-name> bandwidth <rate> Use this command to configure a Shaper policy, set its name and the maximum bandwidth for all combined traffic. -.. cfgcmd:: set traffic-policy shaper <policy-name> class <class-ID> bandwidth +.. cfgcmd:: set qos policy shaper <policy-name> class <class-ID> bandwidth <rate> Use this command to configure a Shaper policy, set its name, define a class and set the guaranteed traffic you want to allocate to that class. -.. cfgcmd:: set traffic-policy shaper <policy-name> class <class-ID> burst +.. cfgcmd:: set qos policy shaper <policy-name> class <class-ID> burst <bytes> Use this command to configure a Shaper policy, set its name, define a class and set the size of the `tocken bucket`_ in bytes, which will be available to be sent at ceiling speed (default: 15Kb). -.. cfgcmd:: set traffic-policy shaper <policy-name> class <class-ID> ceiling +.. cfgcmd:: set qos policy shaper <policy-name> class <class-ID> ceiling <bandwidth> Use this command to configure a Shaper policy, set its name, define a class and set the maximum speed possible for this class. The default ceiling value is the bandwidth value. -.. cfgcmd:: set traffic-policy shaper <policy-name> class <class-ID> priority +.. cfgcmd:: set qos policy shaper <policy-name> class <class-ID> priority <0-7> Use this command to configure a Shaper policy, set its name, define @@ -1078,34 +1080,34 @@ parameters. .. code-block:: none - vyos@vyos# set traffic-policy shaper HTB class 10 queue-type + vyos@vyos# set qos policy shaper HTB class 10 queue-type Possible completions: - fq-codel Fair Queue Codel + fq-codel Fair Queue Codel (default) fair-queue Stochastic Fair Queue (SFQ) drop-tail First-In-First-Out (FIFO) - priority Priority queueing based on DSCP + priority Priority queueing random-detect Random Early Detection (RED) .. code-block:: none - vyos@vyos# set traffic-policy shaper HTB class 10 + vyos@vyos# set qos policy shaper HTB class 10 Possible completions: - bandwidth Bandwidth used for this class - burst Burst size for this class (default: 15kb) + bandwidth Available bandwidth for this policy (default: auto) + burst Burst size for this class (default: 15k) ceiling Bandwidth limit for this class codel-quantum - fq-codel - Number of bytes used as 'deficit' (default 1514) - description Description for this traffic class - flows fq-codel - Number of flows (default 1024) - interval fq-codel - Interval (milliseconds) used to measure the delay (default 100) + Deficit in the fair queuing algorithm (default 1514) + description Description + flows Number of flows into which the incoming packets are classified (default 1024) + interval Interval used to measure the delay (default 100) +> match Class matching rule name - priority Priority for usage of excess bandwidth + priority Priority for rule evaluation queue-limit Maximum queue size (packets) - queue-type Queue type for this class + queue-type Queue type for default traffic (default: fq-codel) set-dscp Change the Differentiated Services (DiffServ) field in the IP header - target fq-codel - Acceptable minimum queue delay (milliseconds) + target Acceptable minimum standing/persistent queue delay (default: 5) @@ -1124,24 +1126,24 @@ A simple example of Shaper using priorities. .. code-block:: none - set traffic-policy shaper MY-HTB bandwidth '50mbit' - set traffic-policy shaper MY-HTB class 10 bandwidth '20%' - set traffic-policy shaper MY-HTB class 10 match DSCP ip dscp 'EF' - set traffic-policy shaper MY-HTB class 10 queue-type 'fq-codel' - set traffic-policy shaper MY-HTB class 20 bandwidth '10%' - set traffic-policy shaper MY-HTB class 20 ceiling '50%' - set traffic-policy shaper MY-HTB class 20 match PORT666 ip destination port '666' - set traffic-policy shaper MY-HTB class 20 priority '3' - set traffic-policy shaper MY-HTB class 20 queue-type 'fair-queue' - set traffic-policy shaper MY-HTB class 30 bandwidth '10%' - set traffic-policy shaper MY-HTB class 30 ceiling '50%' - set traffic-policy shaper MY-HTB class 30 match ADDRESS30 ip source address '192.168.30.0/24' - set traffic-policy shaper MY-HTB class 30 priority '5' - set traffic-policy shaper MY-HTB class 30 queue-type 'fair-queue' - set traffic-policy shaper MY-HTB default bandwidth '10%' - set traffic-policy shaper MY-HTB default ceiling '100%' - set traffic-policy shaper MY-HTB default priority '7' - set traffic-policy shaper MY-HTB default queue-type 'fair-queue' + set qos policy shaper MY-HTB bandwidth '50mbit' + set qos policy shaper MY-HTB class 10 bandwidth '20%' + set qos policy shaper MY-HTB class 10 match DSCP ip dscp 'EF' + set qos policy shaper MY-HTB class 10 queue-type 'fq-codel' + set qos policy shaper MY-HTB class 20 bandwidth '10%' + set qos policy shaper MY-HTB class 20 ceiling '50%' + set qos policy shaper MY-HTB class 20 match PORT666 ip destination port '666' + set qos policy shaper MY-HTB class 20 priority '3' + set qos policy shaper MY-HTB class 20 queue-type 'fair-queue' + set qos policy shaper MY-HTB class 30 bandwidth '10%' + set qos policy shaper MY-HTB class 30 ceiling '50%' + set qos policy shaper MY-HTB class 30 match ADDRESS30 ip source address '192.168.30.0/24' + set qos policy shaper MY-HTB class 30 priority '5' + set qos policy shaper MY-HTB class 30 queue-type 'fair-queue' + set qos policy shaper MY-HTB default bandwidth '10%' + set qos policy shaper MY-HTB default ceiling '100%' + set qos policy shaper MY-HTB default priority '7' + set qos policy shaper MY-HTB default queue-type 'fair-queue' Applying a traffic policy @@ -1151,32 +1153,23 @@ Once a traffic-policy is created, you can apply it to an interface: .. code-block:: none - set interfaces etherhet eth0 traffic-policy out WAN-OUT + set qos interface eth0 egress WAN-OUT You can only apply one policy per interface and direction, but you could reuse a policy on different interfaces and directions: .. code-block:: none - set interfaces ethernet eth0 traffic-policy in WAN-IN - set interfaces etherhet eth0 traffic-policy out WAN-OUT - set interfaces etherhet eth1 traffic-policy in LAN-IN - set interfaces etherhet eth1 traffic-policy out LAN-OUT - set interfaces ethernet eth2 traffic-policy in LAN-IN - set interfaces ethernet eth2 traffic-policy out LAN-OUT - set interfaces etherhet eth3 traffic-policy in TWO-WAY-POLICY - set interfaces etherhet eth3 traffic-policy out TWO-WAY-POLICY - set interfaces etherhet eth4 traffic-policy in TWO-WAY-POLICY - set interfaces etherhet eth4 traffic-policy out TWO-WAY-POLICY - -Getting queueing information ----------------------------- - -.. opcmd:: show queueing <interface-type> <interface-name> - - Use this command to see the queueing information for an interface. - You will be able to see a packet counter (Sent, Dropped, Overlimit - and Backlog) per policy and class configured. + set qos interface eth0 ingress WAN-IN + set qos interface eth0 egress WAN-OUT + set qos interface eth1 ingress LAN-IN + set qos interface eth1 egress LAN-OUT + set qos interface eth2 ingress LAN-IN + set qos interface eth2 egress LAN-OUT + set qos interface eth3 ingress TWO-WAY-POLICY + set qos interface eth3 egress TWO-WAY-POLICY + set qos interface eth4 ingress TWO-WAY-POLICY + set qos interface eth4 egress TWO-WAY-POLICY @@ -1203,11 +1196,11 @@ That is how it is possible to do the so-called "ingress shaping". .. code-block:: none - set traffic-policy shaper MY-INGRESS-SHAPING bandwidth 1000kbit - set traffic-policy shaper MY-INGRESS-SHAPING default bandwidth 1000kbit - set traffic-policy shaper MY-INGRESS-SHAPING default queue-type fair-queue + set qos policy shaper MY-INGRESS-SHAPING bandwidth 1000kbit + set qos policy shaper MY-INGRESS-SHAPING default bandwidth 1000kbit + set qos policy shaper MY-INGRESS-SHAPING default queue-type fair-queue - set interfaces input ifb0 traffic-policy out MY-INGRESS-SHAPING + set qos interface ifb0 egress MY-INGRESS-SHAPING set interfaces ethernet eth0 redirect ifb0 .. warning:: @@ -1226,4 +1219,4 @@ That is how it is possible to do the so-called "ingress shaping". .. _HFSC: https://en.wikipedia.org/wiki/Hierarchical_fair-service_curve .. _Intermediate Functional Block: https://www.linuxfoundation.org/collaborate/workgroups/networking/ifb -.. start_vyoslinter
\ No newline at end of file +.. start_vyoslinter diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index 6680d46a..7a4b81f7 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -190,7 +190,7 @@ Hub set interfaces tunnel tun100 address '172.16.253.134/29' set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '192.0.2.1' + set interfaces tunnel tun100 source-address '192.0.2.1' set interfaces tunnel tun100 enable-multicast set interfaces tunnel tun100 parameters ip key '1' @@ -200,7 +200,6 @@ Hub set protocols nhrp tunnel tun100 redirect set protocols nhrp tunnel tun100 shortcut - set vpn ipsec esp-group ESP-HUB compression 'disable' set vpn ipsec esp-group ESP-HUB lifetime '1800' set vpn ipsec esp-group ESP-HUB mode 'transport' set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' @@ -208,7 +207,6 @@ Hub set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' set vpn ipsec ike-group IKE-HUB lifetime '3600' set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' @@ -296,7 +294,7 @@ VyOS can also run in DMVPN spoke mode. set interfaces ethernet eth0 address 'dhcp' set interfaces tunnel tun100 address '172.16.253.133/29' - set interfaces tunnel tun100 local-ip 0.0.0.0 + set interfaces tunnel tun100 source-address 0.0.0.0 set interfaces tunnel tun100 encapsulation 'gre' set interfaces tunnel tun100 enable-multicast set interfaces tunnel tun100 parameters ip key '1' @@ -309,7 +307,6 @@ VyOS can also run in DMVPN spoke mode. set protocols nhrp tunnel tun100 redirect set protocols nhrp tunnel tun100 shortcut - set vpn ipsec esp-group ESP-HUB compression 'disable' set vpn ipsec esp-group ESP-HUB lifetime '1800' set vpn ipsec esp-group ESP-HUB mode 'transport' set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' @@ -318,7 +315,6 @@ VyOS can also run in DMVPN spoke mode. set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' set vpn ipsec ike-group IKE-HUB close-action 'none' - set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' set vpn ipsec ike-group IKE-HUB lifetime '3600' set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst index 3cd9e50d..cf825a63 100644 --- a/docs/configuration/vpn/index.rst +++ b/docs/configuration/vpn/index.rst @@ -23,3 +23,4 @@ pages to sort dmvpn site2site_ipsec + remoteaccess_ipsec diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 327f3abb..b6ee86af 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -51,8 +51,6 @@ VyOS IKE group has the next options: * ``hold`` set action to hold; - * ``clear`` set action to clear; - * ``restart`` set action to restart; * ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol @@ -73,11 +71,9 @@ VyOS IKE group has the next options: * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only * ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate - the peer. In IKEv1, reauthentication is always done: - - * ``yes`` enable remote host re-authentication during an IKE rekey; - - * ``no`` disable remote host re-authenticaton during an IKE rekey; + the peer. In IKEv1, reauthentication is always done. + Setting this parameter enables remote host re-authentication during an IKE + rekey. * ``key-exchange`` which protocol should be used to initialize the connection If not set both protocols are handled and connections will use IKEv2 when @@ -87,13 +83,10 @@ VyOS IKE group has the next options: * ``ikev2`` use IKEv2 for Key Exchange; -* ``lifetime`` IKE lifetime in seconds <30-86400> (default 28800); - -* ``mobike`` enable MOBIKE Support. MOBIKE is only available for IKEv2: +* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800); - * ``enable`` enable MOBIKE (default for IKEv2); - - * ``disable`` disable MOBIKE; +* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 + and enabled by default. * ``mode`` IKEv1 Phase 1 Mode Selection: @@ -126,12 +119,8 @@ Multiple proposals can be specified in a single group. VyOS ESP group has the next options: -* ``compression`` whether IPComp compression of content is proposed - on the connection: - - * ``disable`` disable IPComp compression (default); - - * ``enable`` enable IPComp compression; +* ``compression`` Enables the IPComp(IP Payload Compression) protocol which + allows compressing the content of IP packets. * ``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires; @@ -172,11 +161,11 @@ Options (Global IPsec settings) Attributes * ``disable-route-autoinstall`` Do not automatically install routes to remote networks; - * ``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation; + * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation; * ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface; - * ``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. + * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy. ************************* IPsec policy matching GRE @@ -232,8 +221,8 @@ On the LEFT: On the RIGHT, setup by analogy and swap local and remote addresses. -Source tunnel from loopbacks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Source tunnel from dummy interface +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The scheme above doesn't work when one of the routers has a dynamic external address though. The classic workaround for this is to setup an address on a @@ -251,7 +240,7 @@ On the LEFT: .. code-block:: none - set interfaces loopback lo address 192.168.99.1/32 + set interfaces dummy dum0 address 192.168.99.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 address 10.10.10.1/30 @@ -262,7 +251,7 @@ On the RIGHT: .. code-block:: none - set interfaces loopback lo address 192.168.99.2/32 + set interfaces dummy dum0 address 192.168.99.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 address 10.10.10.2/30 diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 8dc34ee4..4a7657e7 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -17,8 +17,8 @@ with native Windows and Mac VPN clients): set vpn ipsec interface eth0 set vpn l2tp remote-access outside-address 192.0.2.2 - set vpn l2tp remote-access client-ip-pool start 192.168.255.2 - set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 + set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 + set vpn l2tp remote-access default-pool 'L2TP-POOL' set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> set vpn l2tp remote-access authentication mode local @@ -60,7 +60,7 @@ To allow VPN-clients access via your external address, a NAT rule is required: .. code-block:: none - set nat source rule 110 outbound-interface 'eth0' + set nat source rule 110 outbound-interface name 'eth0' set nat source rule 110 source address '192.168.255.0/24' set nat source rule 110 translation address masquerade @@ -73,15 +73,16 @@ parameter to the client. set vpn l2tp remote-access name-server '198.51.100.8' set vpn l2tp remote-access name-server '198.51.100.4' -Established sessions can be viewed using the **show vpn remote-access** -operational command, or **show l2tp-server sessions** +Established sessions can be viewed using the **show l2tp-server sessions** +operational command .. code-block:: none - vyos@vyos:~$ show vpn remote-access - ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime - --------+----------+--------------+---------------+------------+------+------+--------+---------- - ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13 + vyos@vyos:~$ show l2tp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+---------- + l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB + LNS (L2TP Network Server) @@ -94,8 +95,8 @@ Below is an example to configure a LNS: .. code-block:: none set vpn l2tp remote-access outside-address 192.0.2.2 - set vpn l2tp remote-access client-ip-pool start 192.168.255.2 - set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 + set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 + set vpn l2tp remote-access default-pool 'L2TP-POOL' set vpn l2tp remote-access lns shared-secret 'secret' set vpn l2tp remote-access ccp-disable set vpn l2tp remote-access authentication mode local @@ -121,17 +122,18 @@ The rate-limit is set in kbit/sec. .. code-block:: none set vpn l2tp remote-access outside-address 192.0.2.2 - set vpn l2tp remote-access client-ip-pool start 192.168.255.2 - set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 + set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 + set vpn l2tp remote-access default-pool 'L2TP-POOL' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access authentication local-users username test password test set vpn l2tp remote-access authentication local-users username test rate-limit download 20480 set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240 - vyos@vyos:~$ show vpn remote-access - ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime - -------+----------+--------------+---------------+-------------+------+------+--------+----------- - ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30 + vyos@vyos:~$ show l2tp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+---------- + l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB + RADIUS authentication ====================== diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 1b4d4b4c..1cc197e9 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -222,6 +222,52 @@ To display the configured OTP user settings, use the command: show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri> +Identity Based Configuration +============================ + +OpenConnect supports a subset of it's configuration options to be applied on a +per user/group basis, for configuration purposes we refer to this functionality +as "Identity based config". The following `OpenConnect Server Manual +<https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that% +20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group>`_ +outlines the set of configuration options that are allowed. This can be +leveraged to apply different sets of configs to different users or groups of +users. + +.. code-block:: none + + sudo mkdir -p /config/auth/ocserv/config-per-user + sudo touch /config/auth/ocserv/default-user.conf + + set vpn set vpn openconnect authentication identity-based-config mode user + set vpn openconnect authentication identity-based-config directory /config/auth/ocserv/config-per-user + set vpn openconnect authentication identity-based-config default-config /config/auth/ocserv/default-user.conf + +.. warning:: The above directory and default-config must be a child directory + of /config/auth, since files outside this directory are not persisted after an + image upgrade. + +Once you commit the above changes you can create a config file in the +/config/auth/ocserv/config-per-user directory that matches a username of a +user you have created e.g. "tst". Now when logging in with the "tst" user the +config options you set in this file will be loaded. + +Be sure to set a sane default config in the default config file, this will be +loaded in the case that a user is authenticated and no file is found in the +configured directory matching the users username/group. + +.. code-block:: none + + sudo nano /config/auth/ocserv/config-per-user/tst + +The same configuration options apply when Identity based config is configured +in group mode except that group mode can only be used with RADIUS +authentication. + +.. warning:: OpenConnect server matches the filename in a case sensitive + manner, make sure the username/group name you configure matches the + filename exactly. + Configuring RADIUS accounting ============================= diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index 12364acb..fe536eec 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst @@ -20,8 +20,8 @@ server example set vpn pptp remote-access authentication local-users username test password 'test' set vpn pptp remote-access authentication mode 'local' - set vpn pptp remote-access client-ip-pool start '192.168.0.10' - set vpn pptp remote-access client-ip-pool stop '192.168.0.15' + set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15 + set vpn pptp remote-access default-pool 'PPTP-POOL' set vpn pptp remote-access gateway-address '10.100.100.1' set vpn pptp remote-access outside-address '10.1.1.120' diff --git a/docs/configuration/vpn/remoteaccess_ipsec.rst b/docs/configuration/vpn/remoteaccess_ipsec.rst new file mode 100644 index 00000000..9bc49979 --- /dev/null +++ b/docs/configuration/vpn/remoteaccess_ipsec.rst @@ -0,0 +1,176 @@ +.. _remoteaccess_ipsec: + +IPSec IKEv2 Remote Access VPN +============================= + +Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, +that establishes a secure VPN communication between VPN devices, and defines +negotiation and authentication processes for IPsec security associations (SAs). +It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors +as others call it. + +Key exchange and payload encryption is done using IKE and ESP proposals as known +from IKEv1 but the connections are faster to establish, more reliable, and also +support roaming from IP to IP (called MOBIKE which makes sure your connection +does not drop when changing networks from e.g. WIFI to LTE and back). +Authentication can be achieved with X.509 certificates. + +Setting up certificates: +^^^^^^^^^^^^^^^^^^^^^^^^ +First of all, we need to create a CA root certificate and server certificate +on the server side. + +.. code-block:: none + + vyos@vpn.vyos.net# run generate pki ca install ca_root + Enter private key type: [rsa, dsa, ec] (Default: rsa) + Enter private key bits: (Default: 2048) + Enter country code: (Default: GB) + Enter state: (Default: Some-State) + Enter locality: (Default: Some-City) + Enter organization name: (Default: VyOS) + Enter common name: (Default: vyos.io) + Enter how many days certificate will be valid: (Default: 1825) + Note: If you plan to use the generated key on this router, do not encrypt the private key. + Do you want to encrypt the private key with a passphrase? [y/N] N + 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + [edit] + + + vyos@vpn.vyos.net# comp + [pki ca] + + ca_root { + + certificate "MIIDnTCCAoWgAwI…." + + private { + + key "MIIEvAIBADANBgkqhkiG9….” + + vyos@vpn.vyos.net# run generate pki certificate sign ca_root install server_cert + Do you already have a certificate request? [y/N] N + Enter private key type: [rsa, dsa, ec] (Default: rsa) + Enter private key bits: (Default: 2048) + Enter country code: (Default: GB) + Enter state: (Default: Some-State) + Enter locality: (Default: Some-City) + Enter organization name: (Default: VyOS) + Enter common name: (Default: vyos.io) vpn.vyos.net + Do you want to configure Subject Alternative Names? [y/N] N + Enter how many days certificate will be valid: (Default: 365) + Enter certificate type: (client, server) (Default: server) + Note: If you plan to use the generated key on this router, do not encrypt the private key. + Do you want to encrypt the private key with a passphrase? [y/N] N + 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + + vyos@vpn.vyos.net# comp + [pki certificate] + + server_cert { + + certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………" + + private { + + key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….." + + } + + } + + +Once the command is completed, it will add the certificate to the configuration +session, to the pki subtree. You can then review the proposed changes and +commit them. + +Setting up IPSec: +^^^^^^^^^^^^^^^^^ + +After the PKI certs are all set up we can start configuring our IPSec/IKE +proposals used for key-exchange end data encryption. The used encryption ciphers +and integrity algorithms vary from operating system to operating system. The +ones used in this example are validated to work on Windows 10. + +.. code-block:: none + + set vpn ipsec esp-group ESP-RW lifetime '3600' + set vpn ipsec esp-group ESP-RW pfs 'disable' + set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' + set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' + + set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' + set vpn ipsec ike-group IKE-RW lifetime '7200' + set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' + set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' + +Every connection/remote-access pool we configure also needs a pool where we +can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. +Authorized clients will receive an IPv4 address from the configured IPv4 prefix +and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers +down to our clients used on their connection. + +.. code-block:: none + + set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' + set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' + + set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' + set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' + +Setting up tunnel: +^^^^^^^^^^^^^^^^^^ + +.. code-block:: none + + set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1' + set vpn ipsec remote-access connection rw authentication server-mode 'x509' + set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root' + set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert' + set vpn ipsec remote-access connection rw esp-group 'ESP-RW' + set vpn ipsec remote-access connection rw ike-group 'IKE-RW' + set vpn ipsec remote-access connection rw local-address '192.0.2.1' + set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' + set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' + +VyOS also supports two different modes of authentication, local and RADIUS. +To create a new local user named "vyos" with a password of "vyos" use the +following commands. + +.. code-block:: none + + set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' + set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' + +Client Configuration +^^^^^^^^^^^^^^^^^^^^ + +Most operating systems include native client support for IPsec IKEv2 VPN +connections, and others typically have an app or add-on package which adds the +capability. +This section covers IPsec IKEv2 client configuration for Windows 10. + +VyOS provides a command to generate a connection profile used by Windows clients +that will connect to the "rw" connection on our VyOS server. + +.. note:: Windows expects the server name to be also used in the server's + certificate common name, so it's best to use this DNS name for your VPN + connection. + +.. code-block:: none + + vyos@vpn.vyos.net:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net + + + ==== <snip> ==== + Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" + + Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants + GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force + ==== </snip> ==== + +Add the commands from Snippet in the Windows side via PowerShell. +Also import the root CA cert to the Windows “Trusted Root Certification +Authorities” and establish the connection. + +Verification: +^^^^^^^^^^^^^ + +.. code-block:: none + + vyos@vpn.vyos.net:~$ show vpn ipsec remote-access summary + Connection ID Username Protocol State Uptime Tunnel IP Remote Host Remote ID IKE Proposal IPSec Proposal + --------------- ---------- ---------- ------- -------- ----------- ------------- ----------- ------------------------------------------ ------------------ + 5 vyos IKEv2 UP 37s 192.0.2.129 10.0.0.2 10.0.0.2 AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048 ESP:AES_GCM_16-128 + diff --git a/docs/configuration/vpn/rsa-keys.rst b/docs/configuration/vpn/rsa-keys.rst index a95f5f33..1ebab731 100644 --- a/docs/configuration/vpn/rsa-keys.rst +++ b/docs/configuration/vpn/rsa-keys.rst @@ -17,7 +17,7 @@ install <key-pair nam>>". You may choose different length than 2048 of course. Note: If you plan to use the generated key on this router, do not encrypt the private key. Do you want to encrypt the private key with a passphrase? [y/N] N Configure mode commands to install key pair: - Do you want to install the public key? [Y/n] Yrgerg + Do you want to install the public key? [Y/n] Y set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' Do you want to install the private key? [Y/n] Y set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index e89d25c6..23df1b76 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -10,8 +10,8 @@ connected/routed networks. To configure site-to-site connection you need to add peers with the ``set vpn ipsec site-to-site peer <name>`` command. -The peer name must be an alphanumeric and can have hypen or underscore as -special characters. It is purely informational. +The peer name must be an alphanumeric and can have hypen or underscore as +special characters. It is purely informational. Each site-to-site peer has the next options: @@ -20,11 +20,11 @@ Each site-to-site peer has the next options: * ``psk`` - Preshared secret key name: - * ``dhcp-interface`` - ID for authentication generated from DHCP address + * ``dhcp-interface`` - ID for authentication generated from DHCP address dynamically; - * ``id`` - static ID's for authentication. In general local and remote + * ``id`` - static ID's for authentication. In general local and remote address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; - * ``secret`` - predefined shared secret. Used if configured mode + * ``secret`` - predefined shared secret. Used if configured mode ``pre-shared-secret``; @@ -110,7 +110,7 @@ Each site-to-site peer has the next options: * ``remote-address`` - remote IP address or hostname for IPSec connection. IPv4 or IPv6 address is used when a peer has a public static IP address. - Hostname is a DNS name which could be used when a peer has a public IP + Hostname is a DNS name which could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time. * ``tunnel`` - define criteria for traffic to be matched for encrypting and send @@ -149,6 +149,10 @@ Each site-to-site peer has the next options: * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface. +* ``virtual-address`` - Defines a virtual IP address which is requested by the + initiator and one or several IPv4 and/or IPv6 addresses are assigned from + multiple pools by the responder. + Examples: ------------------ @@ -241,13 +245,13 @@ If there is SNAT rules on eth1, need to add exclude rule # server side set nat source rule 10 destination address '10.0.0.0/24' set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' + set nat source rule 10 outbound-interface name 'eth1' set nat source rule 10 source address '192.168.0.0/24' # remote office side set nat source rule 10 destination address '192.168.0.0/24' set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' + set nat source rule 10 outbound-interface name 'eth1' set nat source rule 10 source address '10.0.0.0/24' To allow traffic to pass through to clients, you need to add the following @@ -280,118 +284,144 @@ Imagine the following topology IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) +**LEFT:** +* WAN interface on `eth0.201` +* `eth0.201` interface IP: `172.18.201.10/24` +* `vti10` interface IP: `10.0.0.2/31` +* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) + +**RIGHT:** +* WAN interface on `eth0.202` +* `eth0.201` interface IP: `172.18.202.10/24` +* `vti10` interface IP: `10.0.0.3/31` +* `dum0` interface IP: `10.0.12.1/24` (for testing purposes) .. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links. -**left** +**LEFT** .. code-block:: none + set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' + set interfaces dummy dum0 address '10.0.11.1/24' set interfaces vti vti10 address '10.0.0.2/31' - set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' - set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' - set vpn ipsec authentication psk OFFICE-B secret 'secretkey' + set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10' + set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10' + set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' + set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth0.201' - set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' - set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.0.10' - set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10' - set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate' + set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10' + set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT' -**right** + set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 + +**RIGHT** .. code-block:: none + set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' + set interfaces dummy dum0 address '10.0.12.1/24' set interfaces vti vti10 address '10.0.0.3/31' - set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' - set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' - set vpn ipsec authentication psk OFFICE-A secret 'secretkey' + set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10' + set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10' + set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' + set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth0.202' - set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate' - set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10' - set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate' + set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10' + set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT' + + set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 Key Parameters: * ``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure - local/remote-identity, the device uses the IPv4 or IPv6 address that + local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. - In certain network setups (like ipsec interface with dynamic address, or - behind the NAT ), the IKE ID received from the peer does not match the IKE - gateway configured on the device. This can lead to a Phase 1 validation + In certain network setups (like ipsec interface with dynamic address, or + behind the NAT ), the IKE ID received from the peer does not match the IKE + gateway configured on the device. This can lead to a Phase 1 validation failure. - So, make sure to configure the local/remote id explicitly and ensure that the + So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device. * ``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE - notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, hold, and restart all activate DPD and determine the action to +* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE + notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) + are periodically sent in order to check the liveliness of the IPsec peer. The + values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. - With ``clear`` the connection is closed with no further actions taken. - ``hold`` installs a trap policy, which will catch matching traffic and tries - to re-negotiate the connection on demand. - ``restart`` will immediately trigger an attempt to re-negotiate the + With ``clear`` the connection is closed with no further actions taken. + ``hold`` installs a trap policy, which will catch matching traffic and tries + to re-negotiate the connection on demand. + ``restart`` will immediately trigger an attempt to re-negotiate the connection. -* ``close-action = none | clear | hold | restart`` - defines the action to take - if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of +* ``close-action = none | clear | hold | restart`` - defines the action to take + if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids. - - When the close-action option is set on the peers, the connection-type + + When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set - on both peers, then both would attempt to initiate and hold open multiple - copies of each child SA. This might lead to instability of the device or - cpu/memory utilization. - - Below flow-chart could be a quick reference for the close-action - combination depending on how the peer is configured. + on both peers, then both would attempt to initiate and hold open multiple + copies of each child SA. This might lead to instability of the device or + cpu/memory utilization. + + Below flow-chart could be a quick reference for the close-action + combination depending on how the peer is configured. .. figure:: /_static/images/IPSec_close_action_settings.jpg - + Similar combinations are applicable for the dead-peer-detection. diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index f3e062fe..d9bb4353 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -116,9 +116,20 @@ Configuration Specifies the port `<port>` that the SSTP port will listen on (default 443). -.. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet> +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> - Use `<subnet>` as the IP pool for all connecting clients. + Use this command to define the first IP address of a pool of + addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +.. cfgcmd:: set vpn sstp default-pool <POOL-NAME> + + Use this command to define default address pool name. .. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits> @@ -282,7 +293,8 @@ Example set vpn sstp authentication local-users username vyos password vyos set vpn sstp authentication mode local set vpn sstp gateway-address 192.0.2.254 - set vpn sstp client-ip-pool subnet 192.0.2.0/25 + set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25 + set vpn sstp default-pool 'SSTP-POOL' set vpn sstp name-server 10.0.0.1 set vpn sstp name-server 10.0.0.2 set vpn sstp ssl ca-cert-file /config/auth/ca.crt diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index e58005e7..bd482cd9 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -30,7 +30,6 @@ then enslaved to a VRF device. .. note:: A routing table ID can not be modified once it is assigned. It can only be changed by deleting and re-adding the VRF instance. - .. cfgcmd:: set vrf bind-to-all By default the scope of the port bindings for unbound sockets is limited to @@ -41,6 +40,33 @@ then enslaved to a VRF device. TCP & UDP services running in the default VRF context (ie., not bound to any VRF device) can work across all VRF domains by enabling this option. +Zebra/Kernel route filtering +---------------------------- + +Zebra supports prefix-lists and Route Mapss to match routes received from +other FRR components. The permit/deny facilities provided by these commands +can be used to filter which routes zebra will install in the kernel. + +.. cfgcmd:: set vrf <name> ip protocol <protocol> route-map <route-map> + + Apply a route-map filter to routes for the specified protocol. + + The following protocols can be used: any, babel, bgp, connected, eigrp, + isis, kernel, ospf, rip, static, table + + .. note:: If you choose any as the option that will cause all protocols that + are sending routes to zebra. + +.. cfgcmd:: set vrf <name> ipv6 protocol <protocol> route-map <route-map> + + Apply a route-map filter to routes for the specified protocol. + + The following protocols can be used: any, babel, bgp, connected, isis, + kernel, ospfv3, ripng, static, table + + .. note:: If you choose any as the option that will cause all protocols that + are sending routes to zebra. + Interfaces ---------- @@ -168,8 +194,8 @@ For VRF maintenance the following operational commands are in place. the round-trip time of these packets is used in calculating the minimum/ average/maximum round-trip time numbers. - Ping command can be interrupted at any given time using `<Ctrl>+c`- A brief - statistic is shown afterwards. + .. note:: Ping command can be interrupted at any given time using ``<Ctrl>+c``. + A brief statistic is shown afterwards. .. code-block:: none @@ -189,6 +215,17 @@ For VRF maintenance the following operational commands are in place. route packets taken to the given hosts IP address family. This option is useful when the host is specified as a hostname rather than an IP address. +.. opcmd:: force vrf <name> + + Join a given VRF. This will open a new subshell within the specified VRF. + + The prompt is adjusted to reflect this change in both config and op-mode. + + .. code-block:: none + + vyos@vyos:~$ force vrf blue + vyos@vyos(vrf:blue):~$ + .. _vrf example: Example @@ -242,12 +279,50 @@ Configuration set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default' set vrf name red table '2000' +VRF and NAT +----------- + +.. _vrf:nat_configuration: + +Configuration +^^^^^^^^^^^^^ + + .. code-block:: none + + set interfaces ethernet eth0 address '172.16.50.12/24' + set interfaces ethernet eth0 vrf 'red' + + set interfaces ethernet eth1 address '192.168.130.100/24' + set interfaces ethernet eth1 vrf 'blue' + + set nat destination rule 110 description 'NAT ssh- INSIDE' + set nat destination rule 110 destination port '2022' + set nat destination rule 110 inbound-interface name 'eth0' + set nat destination rule 110 protocol 'tcp' + set nat destination rule 110 translation address '192.168.130.40' + + set nat source rule 100 outbound-interface name 'eth0' + set nat source rule 100 protocol 'all' + set nat source rule 100 source address '192.168.130.0/24' + set nat source rule 100 translation address 'masquerade' + + set service ssh vrf 'red' + + set vrf bind-to-all + set vrf name blue protocols static route 0.0.0.0/0 next-hop 172.16.50.1 vrf 'red' + set vrf name blue protocols static route 172.16.50.0/24 interface eth0 vrf 'red' + set vrf name blue table '1010' + + set vrf name red protocols static route 0.0.0.0/0 next-hop 172.16.50.1 + set vrf name red protocols static route 192.168.130.0/24 interface eth1 vrf 'blue' + set vrf name red table '2020' + .. _vrf example operation: Operation ^^^^^^^^^ -After committing the configuration we can verify all leaked routes are +After committing the configuration we can verify all leaked routes are installed, and try to ICMP ping PC1 from PC3. .. code-block:: none @@ -323,8 +398,8 @@ VRF blue routing table L3VPN VRFs ########## -:abbr:`L3VPN VRFs ( Layer 3 Virtual Private Networks )` bgpd supports for -IPv4 RFC 4364 and IPv6 RFC 4659. L3VPN routes, and their associated VRF +:abbr:`L3VPN VRFs ( Layer 3 Virtual Private Networks )` bgpd supports for +IPv4 RFC 4364 and IPv6 RFC 4659. L3VPN routes, and their associated VRF MPLS labels, can be distributed to VPN SAFI neighbors in the default, i.e., non VRF, BGP instance. VRF MPLS labels are reached using core MPLS labels which are distributed using LDP or BGP labeled unicast. @@ -336,14 +411,14 @@ VRF Route Leaking ================= BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN -SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may +SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may also be leaked between any VRFs (including the unicast RIB of the default BGP -instance). A shortcut syntax is also available for specifying leaking from +instance). A shortcut syntax is also available for specifying leaking from one VRF to another VRF using the default instance’s VPN RIB as the intemediary -. A common application of the VRF-VRF feature is to connect a customer’s +. A common application of the VRF-VRF feature is to connect a customer’s private routing domain to a provider’s VPN service. Leaking is configured from the point of view of an individual VRF: import refers to routes leaked from VPN -to a unicast VRF, whereas export refers to routes leaked from a unicast VRF to +to a unicast VRF, whereas export refers to routes leaked from a unicast VRF to VPN. @@ -352,7 +427,7 @@ VPN. an RD / RTLIST - Configuration for these exported routes must, at a minimum, specify + Configuration for these exported routes must, at a minimum, specify these two parameters. .. _l3vpn-vrf example configuration: @@ -361,37 +436,45 @@ Configuration ============= Configuration of route leaking between a unicast VRF RIB and the VPN SAFI RIB -of the default VRF is accomplished via commands in the context of a VRF +of the default VRF is accomplished via commands in the context of a VRF address-family. -.. cfgcmd:: set vrf name <name> protocols bgp address-family +.. cfgcmd:: set vrf name <name> protocols bgp address-family <ipv4-unicast|ipv6-unicast> rd vpn export <asn:nn|address:nn> - - Specifies the route distinguisher to be added to a route exported from the + + Specifies the route distinguisher to be added to a route exported from the current unicast VRF to VPN. .. cfgcmd:: set vrf name <name> protocols bgp address-family <ipv4-unicast|ipv6-unicast> route-target vpn <import|export|both> [RTLIST] - Specifies the route-target list to be attached to a route (export) or the - route-target list to match against (import) when exporting/importing + Specifies the route-target list to be attached to a route (export) or the + route-target list to match against (import) when exporting/importing between the current unicast VRF and VPN.The RTLIST is a space-separated - list of route-targets, which are BGP extended community values as + list of route-targets, which are BGP extended community values as described in Extended Communities Attribute. .. cfgcmd:: set vrf name <name> protocols bgp address-family <ipv4-unicast|ipv6-unicast> label vpn export <0-1048575|auto> - Enables an MPLS label to be attached to a route exported from the current - unicast VRF to VPN. If the value specified is auto, the label value is + Enables an MPLS label to be attached to a route exported from the current + unicast VRF to VPN. If the value specified is auto, the label value is automatically assigned from a pool maintained. .. cfgcmd:: set vrf name <name> protocols bgp address-family + <ipv4-unicast|ipv6-unicast> label vpn allocation-mode per-nexthop + + Select how labels are allocated in the given VRF. By default, the per-vrf + mode is selected, and one label is used for all prefixes from the VRF. The + per-nexthop will use a unique label for all prefixes that are reachable via + the same nexthop. + +.. cfgcmd:: set vrf name <name> protocols bgp address-family <ipv4-unicast|ipv6-unicast> route-map vpn <import|export> [route-map <name>] - Specifies an optional route-map to be applied to routes imported or + Specifies an optional route-map to be applied to routes imported or exported between the current unicast VRF and VPN. .. cfgcmd:: set vrf name <name> protocols bgp address-family @@ -401,12 +484,19 @@ address-family. .. cfgcmd:: set vrf name <name> protocols bgp address-family <ipv4-unicast|ipv6-unicast> import vrf <name> - - Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the - current VRF using the VPN RIB as intermediary. The RD and RT are auto - derived and should not be specified explicitly for either the source or + + Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the + current VRF using the VPN RIB as intermediary. The RD and RT are auto + derived and should not be specified explicitly for either the source or destination VRF’s. +.. cfgcmd:: set vrf name <name> protocols bgp interface <interface> mpls + forwarding + + It is possible to permit BGP install VPN prefixes without transport labels. + This configuration will install VPN prefixes originated from an e-bgp session, + and with the next-hop directly connected. + .. _l3vpn-vrf example operation: Operation @@ -438,8 +528,8 @@ are in place. UN=10.0.0.10 EC{65035:1011} label=80 type=bgp, subtype=0 .. opcmd:: show bgp <ipv4|ipv6> vpn summary - - Print a summary of neighbor connections for the specified AFI/SAFI + + Print a summary of neighbor connections for the specified AFI/SAFI combination. .. code-block:: none |