Diffstat (limited to 'docs/configuration')
-rw-r--r--  docs/configuration/firewall/general.rst     23
-rw-r--r--  docs/configuration/interfaces/openvpn.rst    2
-rw-r--r--  docs/configuration/interfaces/pppoe.rst      6
-rw-r--r--  docs/configuration/interfaces/tunnel.rst     2
-rw-r--r--  docs/configuration/policy/route-map.rst     88
-rw-r--r--  docs/configuration/system/login.rst         87
6 files changed, 156 insertions, 52 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
index cfd7a8ce..0cf8bcec 100644
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@@ -591,17 +591,18 @@ A Rule-Set can be applied to every interface:
* ``out``: Ruleset for forwarded packets on an outbound interface
* ``local``: Ruleset for packets destined for this router
-.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
- [name | ipv6-name] <rule-set>
+.. cfgcmd:: set firewall interface <interface> [in | out | local] [name |
+ ipv6-name] <rule-set>
+
Here are some examples for applying a rule-set to an interface
.. code-block:: none
- set interface ethernet eth1 vif 100 firewall in name LANv4-IN
- set interface ethernet eth1 vif 100 firewall out name LANv4-OUT
- set interface bonding bond0 firewall in name LANv4-IN
- set interfaces openvpn vtun1 firewall in name Lanv4-IN
+ set firewall interface eth1.100 in name LANv4-IN
+ set firewall interface eth1.100 out name LANv4-OUT
+ set firewall interface bond0 in name LANv4-IN
+ set firewall interface vtun1 in name LANv4-IN
.. note::
As you can see in the example here, you can assign the same rule-set to
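Review bot: the new cfgcmd line breaks inside the bracketed alternative, leaving `[name |` on one line and `ipv6-name] <rule-set>` on the next; breaking before `[name | ipv6-name]` keeps the rendered synopsis readable. The examples are also the only place showing that the `<interface>` placeholder takes the dotted VLAN form (`eth1.100` replaces `eth1 vif 100`), so a sentence saying so next to the directive would help. The `Lanv4-IN` capitalisation in the old vtun1 line is correctly fixed to `LANv4-IN`.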
@@ -815,6 +816,11 @@ Example Partial Config
.. code-block:: none
firewall {
+ interface eth0 {
+ in {
+ name FROM-INTERNET
+ }
+ }
all-ping enable
broadcast-ping disable
config-trap disable
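Review bot: the inserted `interface eth0 { in { name FROM-INTERNET } }` block sits at the top of the `firewall {` section, ahead of `all-ping enable`, `broadcast-ping disable` and `config-trap disable`, which are in alphabetical order; if the partial config is meant to mirror how the system prints its configuration, move the block to where `interface` sorts among the other nodes.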
@@ -871,11 +877,6 @@ Example Partial Config
address dhcp
description OUTSIDE
duplex auto
- firewall {
- in {
- name FROM-INTERNET
- }
- }
}
}
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index ff32d869..5850591c 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -177,7 +177,7 @@ WAN interface and a direction (local).
.. code-block:: none
- set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
+ set firewall interface eth0 local name 'OUTSIDE-LOCAL'
Static Routing:
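Review bot: only the command line is updated here; the hunk context ("WAN interface and a direction (local)") suggests the prose above still describes attaching the ruleset to the interface, so check that the surrounding sentence is reworded for the `set firewall interface <interface> local name <rule-set>` form. The quoted rule-set name `'OUTSIDE-LOCAL'` is kept while the other examples in this change use unquoted names; pick one style.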
diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst
index dbf92caf..4f3926b2 100644
--- a/docs/configuration/interfaces/pppoe.rst
+++ b/docs/configuration/interfaces/pppoe.rst
@@ -335,9 +335,9 @@ assigning it to the pppoe0 itself as shown here:
.. code-block:: none
- set interfaces pppoe pppoe0 firewall in name NET-IN
- set interfaces pppoe pppoe0 firewall local name NET-LOCAL
- set interfaces pppoe pppoe0 firewall out name NET-OUT
+ set firewall interface pppoe0 in name NET-IN
+ set firewall interface pppoe0 local name NET-LOCAL
+ set firewall interface pppoe0 out name NET-OUT
VLAN Example
============
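Review bot: the sentence introducing this snippet, "assigning it to the pppoe0 itself as shown here", describes the old per-interface `set interfaces pppoe pppoe0 firewall ...` model; with the new `set firewall interface pppoe0 ...` commands the rule-set is attached under the firewall node, so reword the lead-in to match the commands.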
diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst
index 6a5fb171..eac74d91 100644
--- a/docs/configuration/interfaces/tunnel.rst
+++ b/docs/configuration/interfaces/tunnel.rst
@@ -18,7 +18,7 @@ a closer look at the protocols and options currently supported by VyOS.
Common interface configuration
------------------------------
-.. cmdinclude:: /_include/interface-common-without-dhcp.txt
+.. cmdinclude:: /_include/interface-common-without-dhcp1.txt
:var0: tunnel
:var1: tun0
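Review bot: the include target changes from `interface-common-without-dhcp.txt` to `interface-common-without-dhcp1.txt`; the trailing `1` reads like a copied file rather than a descriptive name. Confirm that `/_include/interface-common-without-dhcp1.txt` is actually added in this commit (it is outside the `docs/configuration` diffstat shown here) and say what differs from the original include, otherwise the build fails on a missing file and future readers cannot tell the two apart.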
diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst
index 7743b14b..cc65d50c 100644
--- a/docs/configuration/policy/route-map.rst
+++ b/docs/configuration/policy/route-map.rst
@@ -199,38 +199,63 @@ Route Map
BGP atomic aggregate attribute.
-.. cfgcmd:: set policy route-map <text> rule <1-65535> set bgp-extcommunity-rt
- <aa:nn>
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set community
+ <add|replace> <community>
- Set route target value. ExtCommunity in format: asn:value.
+ Add or replace BGP community attribute in format ``<0-65535:0-65535>``
+ or from well-known community list
-.. cfgcmd:: set policy route-map <text> rule <1-65535> set comm-list comm-list
- <text>
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set community none
- BGP communities with a community-list.
+ Delete all BGP communities
-.. cfgcmd:: set policy route-map <text> rule <1-65535> set comm-list delete
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set community delete
+ <text>
Delete BGP communities matching the community-list.
-.. cfgcmd:: set policy route-map <text> rule <1-65535> set community
- <aa:bb|local-AS|no-advertise|no-export|internet|additive|none>
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set large-community
+ <add|replace> <GA:LDP1:LDP2>
- Set BGP community attribute.
+ Add or replace BGP large-community attribute in format
+ ``<0-4294967295:0-4294967295:0-4294967295>``
-.. cfgcmd:: set policy route-map <text> rule <1-65535> set distance <0-255>
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set large-community none
+
+ Delete all BGP large-communities
- Locally significant administrative distance.
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set large-community delete
+ <text>
+
+ Delete BGP communities matching the large-community-list.
-.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity-rt
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity bandwidth
+ <1-25600|cumulative|num-multipaths>
+
+ Set extcommunity bandwidth
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity bandwidth-non-transitive
+
+ The link bandwidth extended community is encoded as non-transitive
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity rt
<text>
- Set route target value.
+ Set route target value in format ``<0-65535:0-4294967295>`` or ``<IP:0-65535>``.
-.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity-soo
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity soo
<text>
- Set site of origin value.
+ Set site of origin value in format ``<0-65535:0-4294967295>`` or ``<IP:0-65535>``.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity none
+
+ Clear all BGP extcommunities.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set distance <0-255>
+
+ Locally significant administrative distance.
+
.. cfgcmd:: set policy route-map <text> rule <1-65535> set ip-next-hop
<x.x.x.x>
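Review bot: the description for `set large-community delete <text>` reads "Delete BGP communities matching the large-community-list"; it should say large-communities so it is distinguishable from the `set community delete <text>` entry above. The `set extcommunity bandwidth <1-25600|cumulative|num-multipaths>` entry only repeats the command name; add a sentence on what the numeric value represents and what `cumulative` and `num-multipaths` select. Finally, `<community>` is said to accept a name "from well-known community list"; reference the list of well-known communities added at the end of this file so readers can find the accepted names.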
@@ -271,11 +296,6 @@ Route Map
address for the route, then prefer to use the global address as the
nexthop.
-.. cfgcmd:: set policy route-map <text> rule <1-65535> set large-community
- <text>
-
- Set BGP large community value.
-
.. cfgcmd:: set policy route-map <text> rule <1-65535> set local-preference
<0-4294967295>
@@ -319,3 +339,29 @@ Route Map
<0-4294967295>
Set BGP weight attribute
+
+List of well-known communities
+==============================
+ * ``local-as`` - Well-known communities value NO_EXPORT_SUBCONFED 0xFFFFFF03
+ * ``no-advertise`` - Well-known communities value NO_ADVERTISE 0xFFFFFF02
+ * ``no-export`` - Well-known communities value NO_EXPORT 0xFFFFFF01
+ * ``internet`` - Well-known communities value 0
+ * ``graceful-shutdown`` - Well-known communities value GRACEFUL_SHUTDOWN 0xFFFF0000
+ * ``accept-own`` - Well-known communities value ACCEPT_OWN 0xFFFF0001
+ * ``route-filter-translated-v4`` - Well-known communities value ROUTE_FILTER_TRANSLATED_v4 0xFFFF0002
+ * ``route-filter-v4`` - Well-known communities value ROUTE_FILTER_v4 0xFFFF0003
+ * ``route-filter-translated-v6`` - Well-known communities value ROUTE_FILTER_TRANSLATED_v6 0xFFFF0004
+ * ``route-filter-v6`` - Well-known communities value ROUTE_FILTER_v6 0xFFFF0005
+ * ``llgr-stale`` - Well-known communities value LLGR_STALE 0xFFFF0006
+ * ``no-llgr`` - Well-known communities value NO_LLGR 0xFFFF0007
+ * ``accept-own-nexthop`` - Well-known communities value accept-own-nexthop 0xFFFF0008
+ * ``blackhole`` - Well-known communities value BLACKHOLE 0xFFFF029A
+ * ``no-peer`` - Well-known communities value NOPEER 0xFFFFFF04
+
+
+
+
+
+
+
+
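Review bot: drop the eight empty `+` lines after the `no-peer` entry; they only add trailing whitespace. The removed `set community` synopsis earlier in this diff spelled the value `local-AS`, while this list uses `local-as`; confirm which spelling the CLI accepts and use it consistently. The prefix "Well-known communities value" repeated on every item can be replaced by one introductory sentence, leaving each bullet as `name - CONSTANT hex`.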
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst
index 08746201..3a37342d 100644
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@@ -1,8 +1,10 @@
+:lastproofread: 2022-10-15
+
.. _user_management:
-###############
-User Management
-###############
+#####################
+Login/User Management
+#####################
The default VyOS user account (`vyos`), as well as newly created user accounts,
have all capabilities to configure the system. All accounts have sudo
@@ -100,21 +102,55 @@ The third part is simply an identifier, and is for your own reference.
* ``http://<host>/<file>`` - Load via HTTP from remote machine
* ``tftp://<host>/<file>`` - Load via TFTP from remote machine
-Example
--------
+MFA/2FA authentication using One-Time-Pad
+-----------------------------------------
-In the following example, both `User1` and `User2` will be able to SSH into
-VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only
-be able to connect from a single IP address.
+It is possible to enhance authentication security by using the :abbr:`2FA
+(Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature
+together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor
+authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured
+independently per each user. If an OTP key is configured for a user, 2FA/MFA
+is automatically enabled for that particular user. If a user does not have an
+OTP key configured, there is no 2FA/MFA check for that user.
-.. code-block:: none
+.. cfgcmd:: set system login user <username> authentication otp key <key>
- set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
- set system login user vyos authentication public-keys 'User1' type ssh-rsa
- set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;"
- set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
- set system login user vyos authentication public-keys 'User2' type ssh-rsa
+ Enable OTP 2FA for user `username` with default settings, using the BASE32
+ encoded 2FA/MFA key specified by `<key>`.
+
+Optional/default settings
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. cfgcmd:: set system login user <username> authentication otp rate-limit <limit>
+ :defaultvalue:
+
+ Limit logins to `<limit>` per every ``rate-time`` seconds. Rate limit must be
+ between 1 and 10 attempts.
+
+.. cfgcmd:: set system login user <username> authentication otp rate-time <seconds>
+ :defaultvalue:
+
+ Limit logins to ``rate-limit`` attemps per every `<seconds>`. Rate time must
+ be between 15 and 600 seconds.
+
+.. cfgcmd:: set system login user <username> authentication otp window-size <size>
+ :defaultvalue:
+
+ Set window of concurrently valid codes.
+
+ By default, a new token is generated every 30 seconds by the mobile
+ application. In order to compensate for possible time-skew between
+ the client and the server, an extra token before and after the current
+ time is allowed. This allows for a time skew of up to 30 seconds
+ between authentication server and client.
+ For example, if problems with poor time synchronization are experienced,
+ the window can be increased from its default size of 3 permitted codes
+ (one previous code, the current code, the next code) to 17 permitted codes
+ (the 8 previous codes, the current code, and the 8 next codes). This will
+ permit for a time skew of up to 4 minutes between client and server.
+
+ The window size must be between 1 and 21.
RADIUS
======
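Review bot: `OTP` is expanded to "One-Time-Pad" in the heading and in the :abbr: roles, but what this section describes (a BASE32 key, a mobile application generating a new token every 30 seconds, a window of previous and next codes) is a time-based One-Time Password; a one-time pad is a different cryptographic construct, so the expansion should be "One-Time Password" throughout. Also fix "attemps" to "attempts" under `rate-time` and "per every" to "per" in both rate descriptions. The three optional commands carry `:defaultvalue:` but the prose states a default only for `window-size` (3); stating the defaults for `rate-limit` and `rate-time` alongside their allowed ranges would complete the section.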
@@ -158,7 +194,6 @@ Configuration
the attribute you will only get regular, non privilegued, system users.
-
Login Banner
============
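Review bot: the context line just above the removed blank reads "non privilegued"; since this hunk already touches the spot, fix it to "non-privileged" in the same change.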
@@ -176,3 +211,25 @@ information for this system.
.. note:: To create a new line in your login message you need to escape the new
line character by using ``\\n``.
+
+
+Example
+=======
+
+In the following example, both `User1` and `User2` will be able to SSH into
+VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only
+be able to connect from a single IP address. In addition if password base login
+is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to
+the password.
+
+.. code-block:: none
+
+ set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
+ set system login user vyos authentication public-keys 'User1' type ssh-rsa
+ set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;"
+
+ set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
+ set system login user vyos authentication public-keys 'User2' type ssh-rsa
+
+ set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2
+ set system login user vyos authentication plaintext-password vyos
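Review bot: the example sets `plaintext-password vyos` for user `vyos` together with a real-looking OTP key; add a sentence stating that both the password and `OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2` are placeholders that must be replaced with values generated by the reader, so nobody copies them verbatim. In the intro, "password base login" should be "password-based login", and "In addition if ... a 2FA/MFA keycode is required in addition to the password" uses "in addition" twice; reword to one. The `from=&quot;192.168.0.100&quot;` line shows HTML-escaped quotes in both the old and new text; verify the source file has plain double quotes, since the escaped form would not be accepted as typed.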