Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/firewall/bridge.rst | 98
-rw-r--r-- | docs/configuration/firewall/ipv4.rst | 58
-rw-r--r-- | docs/configuration/firewall/ipv6.rst | 58
-rw-r--r-- | docs/configuration/highavailability/index.rst | 7
-rw-r--r-- | docs/configuration/interfaces/macsec.rst | 48
-rw-r--r-- | docs/configuration/interfaces/wireless.rst | 229
-rw-r--r-- | docs/configuration/loadbalancing/haproxy.rst (renamed from docs/configuration/loadbalancing/reverse-proxy.rst) | 212
-rw-r--r-- | docs/configuration/loadbalancing/index.rst | 2
-rw-r--r-- | docs/configuration/nat/nat66.rst | 12
-rw-r--r-- | docs/configuration/protocols/index.rst | 1
-rw-r--r-- | docs/configuration/protocols/openfabric.rst | 237
-rw-r--r-- | docs/configuration/service/https.rst | 22
-rw-r--r-- | docs/configuration/service/ntp.rst | 85
-rw-r--r-- | docs/configuration/system/flow-accounting.rst | 4
-rw-r--r-- | docs/configuration/system/option.rst | 24
-rw-r--r-- | docs/configuration/system/syslog.rst | 18
16 files changed, 975 insertions, 140 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst index 14b4e148..9c360d35 100644 --- a/docs/configuration/firewall/bridge.rst +++ b/docs/configuration/firewall/bridge.rst 
@@ -327,8 +327,102 @@ There are a lot of matching criteria against which the packet can be tested. Please refer to :doc:`IPv4</configuration/firewall/ipv4>` and :doc:`IPv6</configuration/firewall/ipv6>` matching criteria for more details. -Since bridges operates at layer 2, both matchers for IPv4 and IPv6 are -supported in bridge firewall configuration. Same applies for firewall groups. +Since bridges operats at layer 2, both matchers for IPv4 and IPv6 are +supported in bridge firewall configuration. Same applies to firewall groups. + +Same specific matching criteria that can be used in bridge firewall are +described in this section: + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> ethernet-type + [802.1q | 802.1ad | arp | ipv4 | ipv6] +.. cfgcmd:: set firewall bridge input filter rule <1-999999> ethernet-type + [802.1q | 802.1ad | arp | ipv4 | ipv6] +.. cfgcmd:: set firewall bridge output filter rule <1-999999> ethernet-type + [802.1q | 802.1ad | arp | ipv4 | ipv6] +.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> ethernet-type + [802.1q | 802.1ad | arp | ipv4 | ipv6] +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> ethernet-type + [802.1q | 802.1ad | arp | ipv4 | ipv6] + + Match based on the Ethernet type of the packet. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan + ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] +.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan + ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] +.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan + ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] +.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan + ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan + ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] + + Match based on the Ethernet type of the packet when it is VLAN tagged. + +.. 
cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan id + <0-4096> +.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan id + <0-4096> +.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan id + <0-4096> +.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan id + <0-4096> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan id + <0-4096> + + Match based on VLAN identifier. Range is also supported. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan priority + <0-7> +.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan priority + <0-7> +.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan priority + <0-7> +.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan priority + <0-7> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan priority + <0-7> + + Match based on VLAN priority (Priority Code Point - PCP). Range is also + supported. + +Packet Modifications +==================== + +Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify +packets before they are sent out. This feaure provides more flexibility in +packet handling. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set dscp <0-63> + + Set a specific value of Differentiated Services Codepoint (DSCP). + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set mark <1-2147483647> + + Set a specific packet mark value. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set tcp-mss <500-1460> + + Set the TCP-MSS (TCP maximum segment size) for the connection. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set ttl <0-255> + + Set the TTL (Time to Live) value. + +.. 
cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set hop-limit <0-255> + + Set hop limit value. + +.. cfgcmd:: set firewall bridge [forward | output] filter + rule <1-999999> set connection-mark <0-2147483647> + + Set connection mark value. + Use IP firewall =============== diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index abae31a5..5fc9bd4c 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -771,13 +771,13 @@ geoip) to keep database and rules updated. invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - ipsec [match-ipsec | match-none] + ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - ipsec [match-ipsec | match-none] + ipsec [match-ipsec-in | match-none-in] .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - ipsec [match-ipsec | match-none] + ipsec [match-ipsec-out | match-none-out] .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - ipsec [match-ipsec | match-none] + ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] Match based on ipsec. 
@@ -980,6 +980,56 @@ geoip) to keep database and rules updated. Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts. +Packet Modifications +==================== + +Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify +packets before they are sent out. This feaure provides more flexibility in +packet handling. + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set dscp <0-63> + + Set a specific value of Differentiated Services Codepoint (DSCP). + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set mark <1-2147483647> + + Set a specific packet mark value. + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set tcp-mss <500-1460> + + Set the TCP-MSS (TCP maximum segment size) for the connection. + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set ttl <0-255> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set ttl <0-255> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set ttl <0-255> + + Set the TTL (Time to Live) value. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set connection-mark <0-2147483647> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set connection-mark <0-2147483647> + + Set connection mark value. + ******** Synproxy ******** 
diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 5f526dac..c579b6d1 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -762,13 +762,13 @@ geoip) to keep database and rules updated. invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - ipsec [match-ipsec | match-none] + ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - ipsec [match-ipsec | match-none] + ipsec [match-ipsec-in | match-none-in] .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - ipsec [match-ipsec | match-none] + ipsec [match-ipsec-out | match-none-out] .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - ipsec [match-ipsec | match-none] + ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] Match based on ipsec. 
@@ -970,6 +970,56 @@ geoip) to keep database and rules updated. Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts. +Packet Modifications +==================== + +Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify +packets before they are sent out. This feaure provides more flexibility in +packet handling. + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set dscp <0-63> + + Set a specific value of Differentiated Services Codepoint (DSCP). + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set mark <1-2147483647> + + Set a specific packet mark value. + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set tcp-mss <500-1460> + + Set the TCP-MSS (TCP maximum segment size) for the connection. + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set hop-limit <0-255> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set hop-limit <0-255> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set hop-limit <0-255> + + Set hop limit value. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set connection-mark <0-2147483647> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set connection-mark <0-2147483647> + + Set connection mark value. + ******** Synproxy ******** 
diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 93d01364..a7683ef3 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -308,9 +308,16 @@ execute custom checks in addition to the master router reachability. Transition scripts are executed when VRRP state changes from master to backup or fault and vice versa and can be used to enable or disable certain services, for example. +.. warning:: It is not recommended to change VRRP configuration inside health-check + and transition scripts. + Health check scripts ^^^^^^^^^^^^^^^^^^^^ +There is the ability to run an arbitrary script at regular intervals according to health-check +parameters. If a script returns 0, it indicates success. If a script returns anything +else, it will indicate that the VRRP instance should enter the FAULT state. + This setup will make the VRRP process execute the ``/config/scripts/vrrp-check.sh script`` every 60 seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 0c0c052b..1ab7f361 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst @@ -236,4 +236,50 @@ the unencrypted but authenticated content. set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01 set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' - set interfaces macsec macsec1 source-interface 'eth1'
\ No newline at end of file + set interfaces macsec macsec1 source-interface 'eth1' + +*************** +MACsec over wan +*************** + +MACsec is an interesting alternative to existing tunneling solutions that +protects layer 2 by performing integrity, origin authentication, and optionally +encryption. The typical use case is to use MACsec between hosts and access +switches, between two hosts, or between two switches. in this example below, +we use VXLAN and MACsec to secure the tunnel. + +**R1 MACsec01** + +.. code-block:: none + + set interfaces macsec macsec1 address '192.0.2.1/24' + set interfaces macsec macsec1 address '2001:db8::1/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02' + set interfaces macsec macsec1 source-interface 'vxlan1' + set interfaces vxlan vxlan1 mac '00:11:22:33:44:01' + set interfaces vxlan vxlan1 remote '10.1.3.3' + set interfaces vxlan vxlan1 source-address '172.16.100.1' + set interfaces vxlan vxlan1 vni '10' + set protocols static route 10.1.3.3/32 next-hop 172.16.100.2 + +**R2 MACsec02** + +.. 
code-block:: none + + set interfaces macsec macsec1 address '192.0.2.2/24' + set interfaces macsec macsec1 address '2001:db8::2/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01' + set interfaces macsec macsec1 source-interface 'vxlan1' + set interfaces vxlan vxlan1 mac '00:11:22:33:44:02' + set interfaces vxlan vxlan1 remote '10.1.2.2' + set interfaces vxlan vxlan1 source-address '172.16.100.2' + set interfaces vxlan vxlan1 vni '10' + set protocols static route 10.1.2.2/32 next-hop 172.16.100.1 diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index 695866a0..e6a29f9a 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -60,8 +60,8 @@ Wireless options .. cfgcmd:: set interfaces wireless <interface> channel <number> - Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from - 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173. + Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n/ax) channels range from + 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 177. On 6GHz (802.11 ax) channels range from 1 to 233. .. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid @@ -116,7 +116,7 @@ Wireless options * ``ac`` - 802.11ac - 1300 Mbits/sec * ``ax`` - 802.11ax - exceeds 1GBit/sec - .. note:: In VyOS, 802.11ax is only implemented for 6GHz as of yet. + .. note:: In VyOS, 802.11ax is only implemented for 2.4GHz and 6GHz. .. cfgcmd:: set interfaces wireless <interface> physical-device <device> 
@@ -164,6 +164,8 @@ PPDU HT (High Throughput) capabilities (802.11n) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Configuring HT mode options is required when using 802.11n or 802.11ax at 2.4GHz. + .. cfgcmd:: set interfaces wireless <interface> capabilities ht 40mhz-incapable Device is incapable of 40 MHz, do not advertise. This sets ``[40-INTOLERANT]`` @@ -378,11 +380,30 @@ HE (High Efficiency) capabilities (802.11ax) <number> must be one of: - * ``131`` - 20 MHz channel width - * ``132`` - 40 MHz channel width - * ``133`` - 80 MHz channel width - * ``134`` - 160 MHz channel width - * ``135`` - 80+80 MHz channel width + * ``81`` - 20 MHz channel width (2.4GHz) + * ``83`` - 40 MHz channel width, secondary 20MHz channel above primary + channel (2.4GHz) + * ``84`` - 40 MHz channel width, secondary 20MHz channel below primary + channel (2.4GHz) + * ``131`` - 20 MHz channel width (6GHz) + * ``132`` - 40 MHz channel width (6GHz) + * ``133`` - 80 MHz channel width (6GHz) + * ``134`` - 160 MHz channel width (6GHz) + * ``135`` - 80+80 MHz channel width (6GHz) + +.. cfgcmd:: set interfaces wireless <interface> + capabilities he coding-scheme <number> + + This setting configures Spacial Stream and Modulation Coding Scheme + settings for HE mode (HE-MCS). It is usually not needed to set this + explicitly, but it might help with some WiFi adapters. + + <number> must be one of: + + * ``0`` - HE-MCS 0-7 + * ``1`` - HE-MCS 0-9 + * ``2`` - HE-MCS 0-11 + * ``3`` - HE-MCS is not supported Wireless options (Station/Client) ================================= 
@@ -693,16 +714,200 @@ Resulting in type access-point } } - system { - [...] - wifi-regulatory-domain DE - } To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system. +WiFi-6(e) - 802.11ax +==================== + +The following examples will show valid configurations for WiFi-6 (2.4GHz) +and WiFi-6e (6GHz) Access-Points with the following characteristics: + +* Network ID (SSID) ``test.ax`` +* WPA passphrase ``super-dooper-secure-passphrase`` +* Use 802.11ax protocol +* Wireless channel ``11`` for 2.4GHz +* Wireless channel ``5`` for 6GHz + + +Example Configuration: WiFi-6 at 2.4GHz +--------------------------------------- + +You may expect real throughputs around 10MBytes/s or higher in crowded areas. + +.. code-block:: none + + set system wireless country-code de + set interfaces wireless wlan0 capabilities he antenna-pattern-fixed + set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer + set interfaces wireless wlan0 capabilities he beamform single-user-beamformee + set interfaces wireless wlan0 capabilities he beamform single-user-beamformer + set interfaces wireless wlan0 capabilities he bss-color 13 + set interfaces wireless wlan0 capabilities he channel-set-width 81 + set interfaces wireless wlan0 capabilities ht 40mhz-incapable + set interfaces wireless wlan0 capabilities ht channel-set-width ht20 + set interfaces wireless wlan0 capabilities ht channel-set-width ht40+ + set interfaces wireless wlan0 capabilities ht channel-set-width ht40- + set interfaces wireless wlan0 capabilities ht short-gi 20 + set interfaces wireless wlan0 capabilities ht short-gi 40 + set interfaces wireless wlan0 capabilities ht stbc rx 2 + set interfaces wireless wlan0 capabilities ht stbc tx + set interfaces wireless wlan0 channel 11 + set interfaces wireless wlan0 
description "802.11ax 2.4GHz" + set interfaces wireless wlan0 mode ax + set interfaces wireless wlan0 security wpa cipher CCMP + set interfaces wireless wlan0 security wpa cipher CCMP-256 + set interfaces wireless wlan0 security wpa cipher GCMP-256 + set interfaces wireless wlan0 security wpa cipher GCMP + set interfaces wireless wlan0 security wpa mode wpa2 + set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase + set interfaces wireless wlan0 ssid test.ax + set interfaces wireless wlan0 type access-point + commit + +Resulting in + +.. code-block:: none + + system { + wireless { + country-code de + } + } + interfaces { + [...] + wireless wlan0 { + capabilities { + he { + antenna-pattern-fixed + beamform { + multi-user-beamformer + single-user-beamformee + single-user-beamformer + } + bss-color 13 + channel-set-width 81 + } + ht { + 40mhz-incapable + channel-set-width ht20 + channel-set-width ht40+ + channel-set-width ht40- + short-gi 20 + short-gi 40 + stbc { + rx 2 + tx + } + } + } + channel 11 + description "802.11ax 2.4GHz" + hw-id [...] + mode ax + physical-device phy0 + security { + wpa { + cipher CCMP + cipher CCMP-256 + cipher GCMP-256 + cipher GCMP + mode wpa2 + passphrase super-dooper-secure-passphrase + } + } + ssid test.ax + type access-point + } + } + +Example Configuration: WiFi-6e at 6GHz +-------------------------------------- + +You may expect real throughputs around 50MBytes/s to 150MBytes/s, +depending on obstructions by walls, water, metal or other materials +with high electro-magnetic dampening at 6GHz. Best results are achieved +with the AP being in the same room and in line-of-sight. + +.. 
code-block:: none + + set system wireless country-code de + set interfaces wireless wlan0 capabilities he antenna-pattern-fixed + set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer + set interfaces wireless wlan0 capabilities he beamform single-user-beamformee + set interfaces wireless wlan0 capabilities he beamform single-user-beamformer + set interfaces wireless wlan0 capabilities he bss-color 13 + set interfaces wireless wlan0 capabilities he channel-set-width 134 + set interfaces wireless wlan0 capabilities he capabilities he center-channel-freq freq-1 15 + set interfaces wireless wlan0 channel 5 + set interfaces wireless wlan0 description "802.11ax 6GHz" + set interfaces wireless wlan0 mode ax + set interfaces wireless wlan0 security wpa cipher CCMP + set interfaces wireless wlan0 security wpa cipher CCMP-256 + set interfaces wireless wlan0 security wpa cipher GCMP-256 + set interfaces wireless wlan0 security wpa cipher GCMP + set interfaces wireless wlan0 security wpa mode wpa3 + set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase + set interfaces wireless wlan0 mgmt-frame-protection required + set interfaces wireless wlan0 enable-bf-protection + set interfaces wireless wlan0 ssid test.ax + set interfaces wireless wlan0 type access-point + set interfaces wireless wlan0 stationary-ap + commit + +Resulting in + +.. code-block:: none + + system { + wireless { + country-code de + } + } + interfaces { + [...] + wireless wlan0 { + capabilities { + he { + antenna-pattern-fixed + beamform { + multi-user-beamformer + single-user-beamformee + single-user-beamformer + } + bss-color 13 + center-channel-freq { + freq-1 15 + } + channel-set-width 134 + } + } + channel 5 + description "802.11ax 6GHz" + enable-bf-protection + hw-id [...] 
+ mgmt-frame-protection required + mode ax + physical-device phy0 + security { + wpa { + cipher CCMP + cipher CCMP-256 + cipher GCMP-256 + cipher GCMP + mode wpa3 + passphrase super-dooper-secure-passphrase + } + } + ssid test.ax + stationary-ap + type access-point + } + } + .. _wireless-interface-intel-ax200: Intel AX200 diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/haproxy.rst index 32be85c8..b29f9620 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/haproxy.rst @@ -1,11 +1,11 @@ ############# -Reverse-proxy +Haproxy ############# .. include:: /_include/need_improvement.txt -VyOS reverse-proxy is balancer and proxy server that provides +Haproxy is a balancer and proxy server that provides high-availability, load balancing and proxying for TCP (level 4) and HTTP-based (level 7) applications. 
@@ -20,37 +20,37 @@ to be applied and specifies the real servers to be utilized. Service ------- -.. cfgcmd:: set load-balancing reverse-proxy service <name> listen-address +.. cfgcmd:: set load-balancing haproxy service <name> listen-address <address> Set service to bind on IP address, by default listen on any IPv4 and IPv6 -.. cfgcmd:: set load-balancing reverse-proxy service <name> port +.. cfgcmd:: set load-balancing haproxy service <name> port <port> Create service `<name>` to listen on <port> -.. cfgcmd:: set load-balancing reverse-proxy service <name> mode +.. cfgcmd:: set load-balancing haproxy service <name> mode <tcp|http> Configure service `<name>` mode TCP or HTTP -.. cfgcmd:: set load-balancing reverse-proxy service <name> backend +.. cfgcmd:: set load-balancing haproxy service <name> backend <name> Configure service `<name>` to use the backend <name> -.. cfgcmd:: set load-balancing reverse-proxy service <name> ssl +.. cfgcmd:: set load-balancing haproxy service <name> ssl certificate <name> - Set SSL certificate <name> for service <name> + Set SSL certificate <name> for service <name>. Multiple certificates could be defined. -.. cfgcmd:: set load-balancing reverse-proxy service <name> +.. cfgcmd:: set load-balancing haproxy service <name> http-response-headers <header-name> value <header-value> Set custom HTTP headers to be included in all responses -.. cfgcmd:: set load-balancing reverse-proxy service <name> logging facility +.. cfgcmd:: set load-balancing haproxy service <name> logging facility <facility> level <level> Specify facility and level for logging. 
@@ -64,12 +64,12 @@ Rules allow to control and route incoming traffic to specific backend based on predefined conditions. Rules allow to define matching criteria and perform action accordingly. -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> domain-name <name> Match domain name -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> ssl <sni> SSL match Server Name Indication (SNI) option: @@ -79,7 +79,7 @@ perform action accordingly. Indication -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> url-path <match> <url> Allows to define URL path matching rules for a specific service. @@ -92,12 +92,12 @@ perform action accordingly. * ``end`` Matches the end of the URL path. * ``exact`` Requires an exactly match of the URL path -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> set backend <name> Assign a specific backend to a rule -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> redirect-location <url> Redirect URL to a new location @@ -106,7 +106,7 @@ perform action accordingly. Backend ------- -.. cfgcmd:: set load-balancing reverse-proxy backend <name> balance +.. cfgcmd:: set load-balancing haproxy backend <name> balance <balance> Load-balancing algorithms to be used for distributed requests among the 
@@ -120,54 +120,54 @@ Backend * ``least-connection`` Distributes requests to the server with the fewest active connections -.. cfgcmd:: set load-balancing reverse-proxy backend <name> mode +.. cfgcmd:: set load-balancing haproxy backend <name> mode <mode> Configure backend `<name>` mode TCP or HTTP -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> address <x.x.x.x> Set the address of the backend server to which the incoming traffic will be forwarded -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> port <port> Set the address of the backend port -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> check Active health check backend server -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> send-proxy Send a Proxy Protocol version 1 header (text format) -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server <name> send-proxy-v2 Send a Proxy Protocol version 2 header (binary format) -.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl +.. cfgcmd:: set load-balancing haproxy backend <name> ssl ca-certificate <ca-certificate> Configure requests to the backend server to use SSL encryption and authenticate backend against <ca-certificate> -.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl no-verify +.. cfgcmd:: set load-balancing haproxy backend <name> ssl no-verify Configure requests to the backend server to use SSL encryption without validating server certificate -.. cfgcmd:: set load-balancing reverse-proxy backend <name> +.. 
cfgcmd:: set load-balancing haproxy backend <name> http-response-headers <header-name> value <header-value> Set custom HTTP headers to be included in all responses using the backend -.. cfgcmd:: set load-balancing reverse-proxy backend <name> logging facility +.. cfgcmd:: set load-balancing haproxy backend <name> logging facility <facility> level <level> Specify facility and level for logging. @@ -180,22 +180,22 @@ Global Global parameters -.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections +.. cfgcmd:: set load-balancing haproxy global-parameters max-connections <num> Limit maximum number of connections -.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers +.. cfgcmd:: set load-balancing haproxy global-parameters ssl-bind-ciphers <ciphers> Limit allowed cipher algorithms used during SSL/TLS handshake -.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min +.. cfgcmd:: set load-balancing haproxy global-parameters tls-version-min <version> Specify the minimum required TLS version 1.2 or 1.3 -.. cfgcmd:: set load-balancing reverse-proxy global-parameters logging +.. cfgcmd:: set load-balancing haproxy global-parameters logging facility <facility> level <level> Specify facility and level for logging. 
@@ -212,22 +212,22 @@ HTTP checks For web application providing information about their state HTTP health checks can be used to determine their availability. -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check Enables HTTP health checks using OPTION HTTP requests against '/' and expecting a successful response code in the 200-399 range. -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check method <method> Sets the HTTP method to be used, can be either: option, get, post, put -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check uri <path> Sets the endpoint to be used for health checks -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check expect <condition> Sets the expected result condition for considering a server healthy. @@ -244,7 +244,7 @@ TCP checks Health checks can also be configured for TCP mode backends. You can configure protocol aware checks for a range of Layer 7 protocols: -.. cfgcmd:: set load-balancing reverse-proxy backend <name> health-check <protocol> +.. cfgcmd:: set load-balancing haproxy backend <name> health-check <protocol> Available health check protocols: * ``ldap`` LDAP protocol check. 
@@ -261,15 +261,15 @@ protocol aware checks for a range of Layer 7 protocols: Redirect HTTP to HTTPS ====================== -Configure the load-balancing reverse-proxy service for HTTP. +Configure the load-balancing haproxy service for HTTP. This configuration listen on port 80 and redirect incoming requests to HTTPS: .. code-block:: none - set load-balancing reverse-proxy service http port '80' - set load-balancing reverse-proxy service http redirect-http-to-https + set load-balancing haproxy service http port '80' + set load-balancing haproxy service http redirect-http-to-https The name of the service can be different, in this example it is only for convenience. 
@@ -287,17 +287,17 @@ servers (srv01 and srv02) using the round-robin load-balancing algorithm. .. code-block:: none - set load-balancing reverse-proxy service my-tcp-api backend 'bk-01' - set load-balancing reverse-proxy service my-tcp-api mode 'tcp' - set load-balancing reverse-proxy service my-tcp-api port '8888' + set load-balancing haproxy service my-tcp-api backend 'bk-01' + set load-balancing haproxy service my-tcp-api mode 'tcp' + set load-balancing haproxy service my-tcp-api port '8888' - set load-balancing reverse-proxy backend bk-01 balance 'round-robin' - set load-balancing reverse-proxy backend bk-01 mode 'tcp' + set load-balancing haproxy backend bk-01 balance 'round-robin' + set load-balancing haproxy backend bk-01 mode 'tcp' - set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11' - set load-balancing reverse-proxy backend bk-01 server srv01 port '8881' - set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12' - set load-balancing reverse-proxy backend bk-01 server srv02 port '8882' + set load-balancing haproxy backend bk-01 server srv01 address '192.0.2.11' + set load-balancing haproxy backend bk-01 server srv01 port '8881' + set load-balancing haproxy backend bk-01 server srv02 address '192.0.2.12' + set load-balancing haproxy backend bk-01 server srv02 port '8882' Balancing based on domain name 
@@ -315,23 +315,23 @@ to the backend ``bk-api-02`` .. code-block:: none - set load-balancing reverse-proxy service http description 'bind app listen on 443 port' - set load-balancing reverse-proxy service http mode 'tcp' - set load-balancing reverse-proxy service http port '80' + set load-balancing haproxy service http description 'bind app listen on 443 port' + set load-balancing haproxy service http mode 'tcp' + set load-balancing haproxy service http port '80' - set load-balancing reverse-proxy service http rule 10 domain-name 'node1.example.com' - set load-balancing reverse-proxy service http rule 10 set backend 'bk-api-01' - set load-balancing reverse-proxy service http rule 20 domain-name 'node2.example.com' - set load-balancing reverse-proxy service http rule 20 set backend 'bk-api-02' + set load-balancing haproxy service http rule 10 domain-name 'node1.example.com' + set load-balancing haproxy service http rule 10 set backend 'bk-api-01' + set load-balancing haproxy service http rule 20 domain-name 'node2.example.com' + set load-balancing haproxy service http rule 20 set backend 'bk-api-02' - set load-balancing reverse-proxy backend bk-api-01 description 'My API-1' - set load-balancing reverse-proxy backend bk-api-01 mode 'tcp' - set load-balancing reverse-proxy backend bk-api-01 server api01 address '127.0.0.1' - set load-balancing reverse-proxy backend bk-api-01 server api01 port '4431' - set load-balancing reverse-proxy backend bk-api-02 description 'My API-2' - set load-balancing reverse-proxy backend bk-api-02 mode 'tcp' - set load-balancing reverse-proxy backend bk-api-02 server api01 address '127.0.0.2' - set load-balancing reverse-proxy backend bk-api-02 server api01 port '4432' + set load-balancing haproxy backend bk-api-01 description 'My API-1' + set load-balancing haproxy backend bk-api-01 mode 'tcp' + set load-balancing haproxy backend bk-api-01 server api01 address '127.0.0.1' + set load-balancing haproxy backend bk-api-01 server api01 port 
'4431' + set load-balancing haproxy backend bk-api-02 description 'My API-2' + set load-balancing haproxy backend bk-api-02 mode 'tcp' + set load-balancing haproxy backend bk-api-02 server api01 address '127.0.0.2' + set load-balancing haproxy backend bk-api-02 server api01 port '4432' Terminate SSL 
@@ -357,30 +357,30 @@ connection limit of 4000 and a minimum TLS version of 1.3. .. code-block:: none - set load-balancing reverse-proxy service http description 'Force redirect to HTTPS' - set load-balancing reverse-proxy service http port '80' - set load-balancing reverse-proxy service http redirect-http-to-https + set load-balancing haproxy service http description 'Force redirect to HTTPS' + set load-balancing haproxy service http port '80' + set load-balancing haproxy service http redirect-http-to-https - set load-balancing reverse-proxy service https backend 'bk-default' - set load-balancing reverse-proxy service https description 'listen on 443 port' - set load-balancing reverse-proxy service https mode 'http' - set load-balancing reverse-proxy service https port '443' - set load-balancing reverse-proxy service https ssl certificate 'cert' - set load-balancing reverse-proxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000' + set load-balancing haproxy service https backend 'bk-default' + set load-balancing haproxy service https description 'listen on 443 port' + set load-balancing haproxy service https mode 'http' + set load-balancing haproxy service https port '443' + set load-balancing haproxy service https ssl certificate 'cert' + set load-balancing haproxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000' - set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx' - set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/' - set load-balancing reverse-proxy service https rule 20 url-path end '/mail' - set load-balancing reverse-proxy service https rule 20 url-path exact '/email/bar' - set load-balancing reverse-proxy service https rule 20 set redirect-location '/postfix/' + set load-balancing haproxy service https rule 10 url-path exact '/.well-known/xxx' + set load-balancing haproxy service https rule 10 set 
redirect-location '/certs/' + set load-balancing haproxy service https rule 20 url-path end '/mail' + set load-balancing haproxy service https rule 20 url-path exact '/email/bar' + set load-balancing haproxy service https rule 20 set redirect-location '/postfix/' - set load-balancing reverse-proxy backend bk-default description 'Default backend' - set load-balancing reverse-proxy backend bk-default mode 'http' - set load-balancing reverse-proxy backend bk-default server sr01 address '192.0.2.23' - set load-balancing reverse-proxy backend bk-default server sr01 port '80' + set load-balancing haproxy backend bk-default description 'Default backend' + set load-balancing haproxy backend bk-default mode 'http' + set load-balancing haproxy backend bk-default server sr01 address '192.0.2.23' + set load-balancing haproxy backend bk-default server sr01 port '80' - set load-balancing reverse-proxy global-parameters max-connections '4000' - set load-balancing reverse-proxy global-parameters tls-version-min '1.3' + set load-balancing haproxy global-parameters max-connections '4000' + set load-balancing haproxy global-parameters tls-version-min '1.3' SSL Bridging 
@@ -402,17 +402,17 @@ and checks backend server has a valid certificate trusted by CA ``cacert`` .. code-block:: none - set load-balancing reverse-proxy service https backend 'bk-bridge-ssl' - set load-balancing reverse-proxy service https description 'listen on 443 port' - set load-balancing reverse-proxy service https mode 'http' - set load-balancing reverse-proxy service https port '443' - set load-balancing reverse-proxy service https ssl certificate 'cert' + set load-balancing haproxy service https backend 'bk-bridge-ssl' + set load-balancing haproxy service https description 'listen on 443 port' + set load-balancing haproxy service https mode 'http' + set load-balancing haproxy service https port '443' + set load-balancing haproxy service https ssl certificate 'cert' - set load-balancing reverse-proxy backend bk-bridge-ssl description 'SSL backend' - set load-balancing reverse-proxy backend bk-bridge-ssl mode 'http' - set load-balancing reverse-proxy backend bk-bridge-ssl ssl ca-certificate 'cacert' - set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 address '192.0.2.23' - set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 port '443' + set load-balancing haproxy backend bk-bridge-ssl description 'SSL backend' + set load-balancing haproxy backend bk-bridge-ssl mode 'http' + set load-balancing haproxy backend bk-bridge-ssl ssl ca-certificate 'cacert' + set load-balancing haproxy backend bk-bridge-ssl server sr01 address '192.0.2.23' + set load-balancing haproxy backend bk-bridge-ssl server sr01 port '443' Balancing with HTTP health checks 
@@ -422,21 +422,21 @@ This configuration enables HTTP health checks on backend servers. .. code-block:: none - set load-balancing reverse-proxy service my-tcp-api backend 'bk-01' - set load-balancing reverse-proxy service my-tcp-api mode 'tcp' - set load-balancing reverse-proxy service my-tcp-api port '8888' + set load-balancing haproxy service my-tcp-api backend 'bk-01' + set load-balancing haproxy service my-tcp-api mode 'tcp' + set load-balancing haproxy service my-tcp-api port '8888' - set load-balancing reverse-proxy backend bk-01 balance 'round-robin' - set load-balancing reverse-proxy backend bk-01 mode 'tcp' + set load-balancing haproxy backend bk-01 balance 'round-robin' + set load-balancing haproxy backend bk-01 mode 'tcp' - set load-balancing reverse-proxy backend bk-01 http-check method 'get' - set load-balancing reverse-proxy backend bk-01 http-check uri '/health' - set load-balancing reverse-proxy backend bk-01 http-check expect 'status 200' + set load-balancing haproxy backend bk-01 http-check method 'get' + set load-balancing haproxy backend bk-01 http-check uri '/health' + set load-balancing haproxy backend bk-01 http-check expect 'status 200' - set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11' - set load-balancing reverse-proxy backend bk-01 server srv01 port '8881' - set load-balancing reverse-proxy backend bk-01 server srv01 check - set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12' - set load-balancing reverse-proxy backend bk-01 server srv02 port '8882' - set load-balancing reverse-proxy backend bk-01 server srv02 check + set load-balancing haproxy backend bk-01 server srv01 address '192.0.2.11' + set load-balancing haproxy backend bk-01 server srv01 port '8881' + set load-balancing haproxy backend bk-01 server srv01 check + set load-balancing haproxy backend bk-01 server srv02 address '192.0.2.12' + set load-balancing haproxy backend bk-01 server srv02 port '8882' + set 
load-balancing haproxy backend bk-01 server srv02 check diff --git a/docs/configuration/loadbalancing/index.rst b/docs/configuration/loadbalancing/index.rst index 382bd0d7..92dcc622 100644 --- a/docs/configuration/loadbalancing/index.rst +++ b/docs/configuration/loadbalancing/index.rst @@ -9,4 +9,4 @@ Load-balancing :includehidden: wan - reverse-proxy + haproxy diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 9345e708..42f63fc9 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -105,6 +105,18 @@ Example: set nat66 destination rule 1 destination address 'fc00::/64' set nat66 destination rule 1 translation address 'fc01::/64' +For the destination, groups can also be used instead of an address. + +Example: + +.. code-block:: none + + set firewall group ipv6-address-group ADR-INSIDE-v6 address fc00::1 + + set nat66 destination rule 1 inbound-interface name 'eth0' + set nat66 destination rule 1 destination group address-group ADR-INSIDE-v6 + set nat66 destination rule 1 translation address 'fc01::/64' + Configuration Examples ====================== diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst index ea217d3c..e7b1b27f 100644 --- a/docs/configuration/protocols/index.rst +++ b/docs/configuration/protocols/index.rst @@ -14,6 +14,7 @@ Protocols isis mpls segment-routing + openfabric ospf pim pim6 diff --git a/docs/configuration/protocols/openfabric.rst b/docs/configuration/protocols/openfabric.rst new file mode 100644 index 00000000..aecb5181 --- /dev/null +++ b/docs/configuration/protocols/openfabric.rst 
@@ -0,0 +1,237 @@ +.. _openfabric: + +########## +OpenFabric +########## + +OpenFabric, specified in `draft-white-openfabric-06.txt +<https://datatracker.ietf.org/doc/html/draft-white-openfabric-06>`_, is +a routing protocol derived from IS-IS, providing link-state routing with +efficient flooding for topologies like spine-leaf networks. + +OpenFabric a dual stack protocol. +A single OpenFabric instance is able to perform routing for both IPv4 and IPv6. + +******* +General +******* + +Configuration +============= + +Mandatory Settings +------------------ + +For OpenFabric to operate correctly, one must do the equivalent of a Router ID +in Connectionless Network Service (CLNS). This Router ID is called the +:abbr:`NET (Network Entity Title)`. The system identifier must be unique within +the network + +.. cfgcmd:: set protocols openfabric net <network-entity-title> + + This command sets network entity title (NET) provided in ISO format. + + Here is an example :abbr:`NET (Network Entity Title)` value: + + .. code-block:: none + + 49.0001.1921.6800.1002.00 + + The CLNS address consists of the following parts: + + * :abbr:`AFI (Address family authority identifier)` - ``49`` The AFI value + 49 is what OpenFabric uses for private addressing. + + * Area identifier: ``0001`` OpenFabric area number (numerical area ``1``) + + * System identifier: ``1921.6800.1002`` - for system identifiers we recommend + to use IP address or MAC address of the router itself. The way to construct + this is to keep all of the zeroes of the router IP address, and then change + the periods from being every three numbers to every four numbers. The + address that is listed here is ``192.168.1.2``, which if expanded will turn + into ``192.168.001.002``. Then all one has to do is move the dots to have + four numbers instead of three. This gives us ``1921.6800.1002``. + + * :abbr:`NET (Network Entity Title)` selector: ``00`` Must always be 00. This + setting indicates "this system" or "local system." 
+ +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + address-family <ipv4|ipv6> + + This command enables OpenFabric instance with <NAME> on this interface, and + allows for adjacency to occur for address family (IPv4 or IPv6 or both). + +OpenFabric Global Configuration +------------------------------- + +.. cfgcmd:: set protocols openfabric domain-password <plaintext-password|md5> + <password> + + This command configures the authentication password for a routing domain, + as clear text or md5 one. + +.. cfgcmd:: set protocols openfabric domain <name> purge-originator + + This command enables :rfc:`6232` purge originator identification. + +.. cfgcmd:: set protocols openfabric domain <name> set-overload-bit + + This command sets overload bit to avoid any transit traffic through this + router. + +.. cfgcmd:: set protocols openfabric domain <name> log-adjacency-changes + + Log changes in adjacency state. + +.. cfgcmd:: set protocols openfabric domain <name> fabric-tier <number> + + This command sets a static tier number to advertise as location + in the fabric. + + +Interface Configuration +----------------------- + +.. cfgcmd:: set protocols openfabric interface <interface> hello-interval + <seconds> + + This command sets hello interval in seconds on a given interface. + The range is 1 to 600. Hello packets are used to establish and maintain + adjacency between OpenFabric neighbors. + +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + hello-multiplier <number> + + This command sets multiplier for hello holding time on a given + interface. The range is 2 to 100. + +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + metric <metric> + + This command sets default metric for circuit. + The metric range is 1 to 16777215. + +.. cfgcmd:: set protocols openfabric interface <interface> passive + + This command enables the passive mode for this interface. + +.. 
cfgcmd:: set protocols openfabric domain <name> interface <interface> + password plaintext-password <text> + + This command sets the authentication password for the interface. + +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + csnp-interval <seconds> + + This command sets Complete Sequence Number Packets (CSNP) interval in seconds. + The interval range is 1 to 600. + +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + psnp-interval <number> + + This command sets Partial Sequence Number Packets (PSNP) interval in seconds. + The interval range is 1 to 120. + +Timers +------ + +.. cfgcmd:: set protocols openfabric domain <name> lsp-gen-interval <seconds> + + This command sets minimum interval at which link-state packets (LSPs) are + generated. The interval range is 1 to 120. + +.. cfgcmd:: set protocols openfabric domain <name> lsp-refresh-interval <seconds> + + This command sets LSP refresh interval in seconds. The interval range + is 1 to 65235. + +.. cfgcmd:: set protocols openfabric domain <name> max-lsp-lifetime <seconds> + + This command sets LSP maximum LSP lifetime in seconds. The interval range + is 360 to 65535. LSPs remain in a database for 1200 seconds by default. + If they are not refreshed by that time, they are deleted. You can change + the LSP refresh interval or the LSP lifetime. The LSP refresh interval + should be less than the LSP lifetime or else LSPs will time out before + they are refreshed. + +.. cfgcmd:: set protocols openfabric domain <name> spf-interval <seconds> + + This command sets minimum interval between consecutive shortest path first + (SPF) calculations in seconds.The interval range is 1 to 120. + + +******** +Examples +******** + +Enable OpenFabric +================= + +**Node 1:** + +.. 
code-block:: none + + set interfaces loopback lo address '192.168.255.255/32' + set interfaces ethernet eth1 address '192.0.2.1/24' + + set protocols openfabric domain VyOS interface eth1 address-family ipv4 + set protocols openfabric domain VyOS interface lo address-family ipv4 + set protocols openfabric net '49.0001.1921.6825.5255.00' + +**Node 2:** + +.. code-block:: none + + set interfaces loopback lo address '192.168.255.254/32' + set interfaces ethernet eth1 address '192.0.2.2/24' + + set protocols openfabric domain VyOS interface eth1 address-family ipv4 + set protocols openfabric domain VyOS interface lo address-family ipv4 + set protocols openfabric net '49.0001.1921.6825.5254.00' + + + +This gives us the following neighborships: + +.. code-block:: none + + Node-1@vyos:~$ show openfabric neighbor + show openfabric neighbor + Area VyOS: + System Id Interface L State Holdtime SNPA + vyos eth1 2 Up 27 2020.2020.2020 + + + Node-2@vyos:~$ show openfabric neighbor + show openfabric neighbor + Area VyOS: + System Id Interface L State Holdtime SNPA + vyos eth1 2 Up 30 2020.2020.2020 + +Here's the IP routes that are populated: + +.. 
code-block:: none + + Node-1@vyos:~$ show ip route openfabric + show ip route openfabric + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + f 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 onlink, weight 1, 00:00:10 + f>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1 onlink, weight 1, 00:00:10 + + Node-2@vyos:~$ show ip route openfabric + show ip route openfabric + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + f 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 onlink, weight 1, 00:00:48 + f>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1 onlink, weight 1, 00:00:48 diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index af397456..e72e8e8b 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -67,19 +67,22 @@ API Set a named api key. Every key has the same, full permissions on the system. -.. cfgcmd:: set service https api debug +REST +==== + +.. cfgcmd:: set service https api rest + + Enable REST API + +.. cfgcmd:: set service https api rest debug To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log` -.. cfgcmd:: set service https api strict +.. cfgcmd:: set service https api rest strict Enforce strict path checking. -.. cfgcmd:: set service https api cors allow-origin <origin> - - Allow cross-origin requests from `<origin>`. - GraphQL ======= 
@@ -105,12 +108,17 @@ GraphQL Set the byte length of the JWT secret. Default is 32. +.. cfgcmd:: set service https api graphql cors allow-origin <origin> + + Allow cross-origin requests from `<origin>`. + ********************* Example Configuration ********************* -Set an API-KEY is the minimal configuration to get a working API Endpoint. +Setting REST API and an API-KEY is the minimal configuration to get a working API Endpoint. .. code-block:: none set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY + set service https api rest diff --git a/docs/configuration/service/ntp.rst b/docs/configuration/service/ntp.rst index f82baa34..f4ccb4b1 100644 --- a/docs/configuration/service/ntp.rst +++ b/docs/configuration/service/ntp.rst @@ -50,7 +50,7 @@ Configuration * ``time2.vyos.net`` * ``time3.vyos.net`` -.. cfgcmd:: set service ntp server <address> <noselect | nts | pool | prefer> +.. cfgcmd:: set service ntp server <address> <noselect | nts | pool | prefer | ptp | interleave> Configure one or more attributes to the given NTP server. @@ -67,6 +67,12 @@ Configuration this host will be chosen for synchronization among a set of correctly operating hosts. + * ``ptp`` enables the PTP transport for this server (see :ref:`ptp-transport`). + + * ``interleave`` enables NTP interleaved mode (see + `draft-ntp-interleaved-modes`_), which can improve synchronization accuracy + and stability when supported by both parties. + .. cfgcmd:: set service ntp listen-address <address> NTP process will only listen on the specified IP address. You must specify 
@@ -112,3 +118,80 @@ Configuration timezone. This normally works with the right/UTC timezone which is the default +.. _draft-ntp-interleaved-modes: https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/07/ + +Hardware Timestamping of NTP Packets +====================================== + +The chrony daemon on VyOS can leverage NIC hardware capabilities to record the +exact time packets are received on the interface, as well as when packets were +actually transmitted. This provides improved accuracy and stability when the +system is under load, as queuing and OS context switching can introduce a +variable delay between when the packet is received on the network and when it +is actually processed by the NTP daemon. + +Hardware timestamping depends on NIC support. Some NICs can be configured to +apply timestamps to any incoming packet, while others only support applying +timestamps to specific protocols (e.g. PTP). + +When timestamping is enabled on an interface, chrony's default behavior is to +try to configure the interface to only timestamp NTP packets. If this mode is +not supported, chrony will attempt to set it to timestamp all packets. If +neither option is supported (e.g. the NIC can only timestamp received PTP +packets), chrony will leverage timestamping on transmitted packets only, which +still provides some benefit. + +.. cfgcmd:: set service ntp timestamp interface <interface> + + Configures hardware timestamping on the interface <interface>. The special + value `all` can also be specified to enable timestamping on all interfaces + that support it. + + Configure the timestamping behavior with the following option: + + * ``receive-filter [all|ntp|ptp|none]`` selects the receive filter mode, + which controls which inbound packets the NIC applies timestamps to. The + selected mode must be supported by the NIC, or timestamping will be + disabled for the interface. 
+ + +The following `receive-filter` modes can be selected: + +* `all`: All received packets will be timestamped. + +* `ntp`: Only received NTP protocol packets will be timestamped. + +* `ptp`: Only received PTP protocol packets will be timestamped. Combined with + the PTP transport for NTP packets, this can be leveraged to take advantage of + hardware timestamping on NICs that only support the ptp filter mode. + +* `none`: No received packets will be timestamped. Hardware timestamping of + transmitted packets will still be leveraged, if supported by the NIC. + +.. _ptp-transport: + +PTP Transport of NTP Packets +============================= + +The Precision Time Protocol (IEEE 1588) is a local network time synchronization +protocol that provides high precision time synchronization by leveraging +hardware clocks in NICs and other network elements. VyOS does not currently +support standards-based PTP, which can be deployed independently of +NTP. + +For networks consisting of VyOS and other Linux systems running relatively +recent versions of the chrony daemon, NTP packets can be "tunneled" over +PTP. NTP over PTP provides the best of both worlds, leveraging hardware support +for timestamping PTP packets while retaining the configuration flexibility and +fault tolerance of NTP. + +.. cfgcmd:: set service ntp ptp + + Enables the NTP daemon PTP transport. The NTP daemon will listen on the + configured PTP port. Note that one or more servers must be individually + enabled for PTP before the daemon will synchronize over the transport. + +.. cfgcmd:: set service ntp ptp port <port> + + Configures the PTP port. By default, the standard port 319 is used. + diff --git a/docs/configuration/system/flow-accounting.rst b/docs/configuration/system/flow-accounting.rst index 30d6fc4d..801ddae6 100644 --- a/docs/configuration/system/flow-accounting.rst +++ b/docs/configuration/system/flow-accounting.rst 
@@ -42,6 +42,10 @@ exported. Configuration ============= +.. warning:: Using NetFlow on routers with high traffic levels may lead to + high CPU usage and may affect the router's performance. In such cases, + consider using sFlow instead. + In order for flow accounting information to be collected and displayed for an interface, the interface must be configured for flow accounting. diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index 44c66186..b5ebaaee 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -43,8 +43,6 @@ Kernel .. cfgcmd:: set system option kernel disable-power-saving - Disable CPU power saving mechanisms also known as C states. - This will add the following two options to the Kernel commandline: * ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle @@ -52,6 +50,28 @@ Kernel .. note:: Setting will only become active with the next reboot! +.. cfgcmd:: set system option kernel amd-pstate-driver <mode> + + Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs. + + The available modes are: + + * ``active`` This is the low-level firmware control mode based on the profile + set and the system governor has no effect. + * ``passive`` The driver allows the system governor to manage CPU frequency + while providing available performance states. + * ``guided`` The driver allows to set desired performance levels and the firmware + selects a performance level in this range and fitting to the current workload. + + This will add the following two options to the Kernel commandline: + + * ``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale + * ``amd_pstate={mode}`` Sets the p-state mode + + .. note:: Setting will only become active with the next reboot! + + .. seealso:: https://docs.kernel.org/admin-guide/pm/amd-pstate.html + *********** HTTP client *********** 
diff --git a/docs/configuration/system/syslog.rst b/docs/configuration/system/syslog.rst index cc7ac676..ae1b9273 100644 --- a/docs/configuration/system/syslog.rst +++ b/docs/configuration/system/syslog.rst @@ -17,6 +17,24 @@ Syslog supports logging to multiple targets, those targets could be a plain file on your VyOS installation itself, a serial console or a remote syslog server which is reached via :abbr:`IP (Internet Protocol)` UDP/TCP. +Global +------ + +.. cfgcmd:: system syslog global marker interval <number> + +Interval (in seconds) for sending mark messages to the syslog input to +indicate that the logging system is functioning. + +.. cfgcmd:: system syslog global preserve-fqdn + +If set, the domain part of the hostname is always sent, +even within the same domain as the receiving system. + +.. cfgcmd:: system rsyslog global facility <keyword> level <keyword> + +Filter syslog messages based on facility and level. + + Console ------- |
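Review bot: In the haproxy.rst "HTTP checks" hunk (`@@ -212,22 +212,22 @@`), the description "Enables HTTP health checks using OPTION HTTP requests" should read "OPTIONS HTTP requests"; the HTTP method is OPTIONS, even though the CLI keyword listed under `http-check method <method>` is `option`. The `reverse-proxy` to `haproxy` rename itself is applied consistently across every line of this hunk.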
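Review bot: In the haproxy.rst "Balancing based on domain name" hunk (`@@ -315,23 +315,23 @@`), the renamed example still carries `description 'bind app listen on 443 port'` on a service that binds `port '80'`; since the rename already rewrites every line of this block, fix the description (or the port) so the example is self-consistent, for instance `set load-balancing haproxy service http description 'bind app listen on 80 port'`.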
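Review bot: In the nat66.rst hunk (`@@ -105,6 +105,18 @@`), the new group-based example puts a single host in the group (`address fc00::1`) but keeps `translation address 'fc01::/64'` from the preceding prefix-based example that matched `fc00::/64`; confirm that a /64 translation is the intended result for a host match, or put a prefix in the group so the two examples stay parallel. The group address should also be quoted (`address 'fc00::1'`) to match the quoting style of the other `set` lines in the block.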
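Review bot: In the new openfabric.rst hunk, the interface commands are documented under two different paths: `set protocols openfabric interface <interface> hello-interval` and `set protocols openfabric interface <interface> passive` omit `domain <name>`, while `hello-multiplier`, `metric`, `password`, `csnp-interval` and `psnp-interval` are given as `set protocols openfabric domain <name> interface <interface> ...`; likewise `domain-password` sits directly under `set protocols openfabric` although it is listed under "OpenFabric Global Configuration" next to per-domain commands. Please verify each path against the CLI and use one form throughout. Smaller items in the same hunk: "OpenFabric a dual stack protocol." is missing "is"; the sentence ending "must be unique within the network" has no full stop; "This command sets LSP maximum LSP lifetime" repeats "LSP"; "in seconds.The interval" needs a space after the full stop; `psnp-interval <number>` should be `<seconds>` like `csnp-interval`, since its own description says "interval in seconds"; and "as clear text or md5 one" reads better as "in clear text or using MD5".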
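Review bot: In the https.rst hunk at `@@ -67,19 +67,22 @@`, `set service https api cors allow-origin <origin>` is removed from the `api` node and the following hunk re-adds it as `set service https api graphql cors allow-origin <origin>`; if this documents a CLI path change rather than a doc-only correction, a short note telling users of the old path where the option now lives would help, and "Enable REST API" should end with a full stop like the other directive descriptions.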
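Review bot: In the https.rst hunk at `@@ -105,12 +108,17 @@`, the rewritten sentence "Setting REST API and an API-KEY is the minimal configuration to get a working API Endpoint." is ungrammatical; suggest "Enabling the REST API and setting an API key is the minimal configuration for a working API endpoint." The added `set service https api rest` line in the example matches the new directive introduced in the previous hunk.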
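Review bot: In the ntp.rst hunk adding "Hardware Timestamping of NTP Packets" (`@@ -112,3 +118,80 @@`), `receive-filter` is the one option without a `.. cfgcmd::` directive of its own: it is described as a bullet under `set service ntp timestamp interface <interface>` and then its four modes are listed a second time below, so the same information appears twice. Give it its own directive (the text already implies the path: the `receive-filter [all|ntp|ptp|none]` option under the `timestamp interface <interface>` node) and keep a single mode list. In that list the mode names use single backticks (`all`, `ntp`, `ptp`, `none`), which reStructuredText renders as interpreted text rather than as literals; the earlier hunk in the same file uses double backticks (``ptp``, ``interleave``), so use those here too.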
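Review bot: In the option.rst hunk at `@@ -43,8 +43,6 @@`, the only sentence explaining what `disable-power-saving` does ("Disable CPU power saving mechanisms also known as C states.") is removed and nothing replaces it, leaving the directive with just the list of kernel command-line options it adds; if the intent was to reword it, add the replacement text, otherwise restore the sentence.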
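Review bot: In the option.rst hunk at `@@ -52,6 +50,28 @@`, several of the new `amd-pstate-driver` sentences need grammar fixes: "Enables and configures p-state driver" should be "Enables and configures the p-state driver"; "This is the low-level firmware control mode based on the profile set and the system governor has no effect" reads better as "The firmware controls performance based on the selected profile; the system governor has no effect"; "The driver allows to set desired performance levels and the firmware selects a performance level in this range and fitting to the current workload" should be "The driver allows desired performance levels to be set, and the firmware selects a level in that range that fits the current workload"; and "Disable default ACPI CPU frequency scale" should be "Disable the default ACPI CPU frequency scaling driver". Otherwise the structure (mode list, kernel options, reboot note, seealso) mirrors the existing `disable-power-saving` entry, which is good.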
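Review bot: In the syslog.rst hunk, the three new directives are missing the `set` prefix that every other `.. cfgcmd::` in this patch uses (`set system syslog global marker interval <seconds>` rather than `system syslog global marker interval <number>`, since the description says the value is in seconds), the third one reads `system rsyslog global facility <keyword> level <keyword>` while the other two use `system syslog global ...`, and none of the three descriptions is indented under its directive, so Sphinx will render them as ordinary paragraphs instead of the directive body, unlike the existing entries on this page. Please verify the `rsyslog`/`syslog` node name against the CLI and indent the descriptions.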