summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/_include/interface-adjust-mss.txt13
-rw-r--r--docs/_include/interface-common.txt4
-rw-r--r--docs/_include/interface-ipv6.txt14
-rw-r--r--docs/_include/interface-vlan-8021ad.txt10
-rw-r--r--docs/_include/interface-vlan-8021q.txt7
-rw-r--r--docs/configuration/firewall/index.rst112
-rw-r--r--docs/configuration/interfaces/vti.rst19
-rw-r--r--docs/configuration/interfaces/wireguard.rst1
-rw-r--r--docs/configuration/interfaces/wwan.rst4
9 files changed, 90 insertions, 94 deletions
diff --git a/docs/_include/interface-adjust-mss.txt b/docs/_include/interface-adjust-mss.txt
new file mode 100644
index 00000000..195682e7
--- /dev/null
+++ b/docs/_include/interface-adjust-mss.txt
@@ -0,0 +1,13 @@
+.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
+ {{ var5 }} {{ var6 }} adjust-mss <mss>
+
+ As Internet wide PMTU discovery rarely works, we sometimes need to clamp our
+ TCP MSS value to a specific value. This is a field in the TCP options part of
+ a SYN packet. By setting the MSS value, you are telling the remote side
+ unequivocally 'do not try to send me packets bigger than this value'.
+
+ .. note:: This command was introduced in VyOS 1.4 - it was previously called:
+ ``set firewall options interface <name> adjust-mss <value>``
+
+ .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in
+ 1452 bytes on a 1492 byte MTU.
diff --git a/docs/_include/interface-common.txt b/docs/_include/interface-common.txt
index 5a997482..4c6ebbe8 100644
--- a/docs/_include/interface-common.txt
+++ b/docs/_include/interface-common.txt
@@ -22,6 +22,10 @@
:var0: {{ var0 }}
:var1: {{ var1 }}
+.. cmdinclude:: /_include/interface-adjust-mss.txt
+ :var0: {{ var0 }}
+ :var1: {{ var1 }}
+
.. cmdinclude:: /_include/interface-ip.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
diff --git a/docs/_include/interface-ipv6.txt b/docs/_include/interface-ipv6.txt
index e03817cf..d1ed8837 100644
--- a/docs/_include/interface-ipv6.txt
+++ b/docs/_include/interface-ipv6.txt
@@ -53,3 +53,17 @@
.. code-block:: none
set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 disable-forwarding
+
+.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
+ {{ var5 }} {{ var6 }} ipv6 adjust-mss <mss>
+
+ As Internet wide PMTU discovery rarely works, we sometimes need to clamp our
+ TCP MSS value to a specific value. This is a field in the TCP options part of
+ a SYN packet. By setting the MSS value, you are telling the remote side
+ unequivocally 'do not try to send me packets bigger than this value'.
+
+ .. note:: This command was introduced in VyOS 1.4 - it was previously called:
+ ``set firewall options interface <name> adjust-mss6 <value>``
+
+ .. hint:: MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in
+ 1432 bytes on a 1492 byte MTU.
diff --git a/docs/_include/interface-vlan-8021ad.txt b/docs/_include/interface-vlan-8021ad.txt
index 0a1722dc..0b37560f 100644
--- a/docs/_include/interface-vlan-8021ad.txt
+++ b/docs/_include/interface-vlan-8021ad.txt
@@ -88,6 +88,16 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
:var6: <vlan-id>
:var7: 20
+.. cmdinclude:: /_include/interface-adjust-mss.txt
+ :var0: {{ var0 }}
+ :var1: {{ var1 }}
+ :var2: vif-s
+ :var3: <vlan-id>
+ :var4: 1000
+ :var5: vif-c
+ :var6: <vlan-id>
+ :var7: 20
+
.. cmdinclude:: /_include/interface-ip.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
diff --git a/docs/_include/interface-vlan-8021q.txt b/docs/_include/interface-vlan-8021q.txt
index 1a527590..7eb8d350 100644
--- a/docs/_include/interface-vlan-8021q.txt
+++ b/docs/_include/interface-vlan-8021q.txt
@@ -73,6 +73,13 @@ term used for this is ``vif``.
:var3: <vlan-id>
:var4: 10
+.. cmdinclude:: /_include/interface-adjust-mss.txt
+ :var0: {{ var0 }}
+ :var1: {{ var1 }}
+ :var2: vif
+ :var3: <vlan-id>
+ :var4: 10
+
.. cmdinclude:: /_include/interface-ip.txt
:var0: {{ var0 }}
:var1: {{ var1 }}
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index a13b4328..c5be158f 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -17,7 +17,7 @@ The firewall supports the creation of groups for ports, addresses, and
networks (implemented using netfilter ipset) and the option of interface
or zone based firewall policy.
-.. note:: **Important note on usage of terms:**
+.. note:: **Important note on usage of terms:**
The firewall makes use of the terms `in`, `out`, and `local`
for firewall policy. Users experienced with netfilter often confuse
`in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT`
@@ -91,35 +91,35 @@ Some firewall settings are global and have an affect on the whole system.
.. cfgcmd:: set firewall send-redirects [enable | disable]
- enable or disable ICMPv4 redirect messages send by VyOS
+ enable or disable ICMPv4 redirect messages send by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
.. cfgcmd:: set firewall log-martians [enable | disable]
- enable or disable the logging of martian IPv4 packets.
+ enable or disable the logging of martian IPv4 packets.
The following system parameter will be altered:
* ``net.ipv4.conf.all.log_martians``
.. cfgcmd:: set firewall source-validation [strict | loose | disable]
- Set the IPv4 source validation mode.
+ Set the IPv4 source validation mode.
The following system parameter will be altered:
* ``net.ipv4.conf.all.rp_filter``
.. cfgcmd:: set firewall syn-cookies [enable | disable]
- Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
+ Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
The following system parameter will be altered:
* ``net.ipv4.tcp_syncookies``
.. cfgcmd:: set firewall twa-hazards-protection [enable | disable]
- Enable or Disable VyOS to be :rfc:`1337` conform.
+ Enable or Disable VyOS to be :rfc:`1337` conform.
The following system parameter will be altered:
* ``net.ipv4.tcp_rfc1337``
@@ -135,7 +135,7 @@ Some firewall settings are global and have an affect on the whole system.
.. cfgcmd:: set firewall state-policy invalid log enable
- Set the global setting for invalid packets.
+ Set the global setting for invalid packets.
.. cfgcmd:: set firewall state-policy related action [accept | drop | reject]
@@ -209,7 +209,7 @@ recommended.
.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
Provide a IPv4 or IPv6 network group description.
-
+
Port Groups
===========
@@ -292,7 +292,7 @@ Matching criteria
There are a lot of matching criteria against which the package can be tested.
-.. cfgcmd:: set firewall name <name> rule <1-9999> source address
+.. cfgcmd:: set firewall name <name> rule <1-9999> source address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall name <name> rule <1-9999> destination address
[address | addressrange | CIDR]
@@ -312,16 +312,16 @@ There are a lot of matching criteria against which the package can be tested.
set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
-.. cfgcmd:: set firewall name <name> rule <1-9999> source mac-address
+.. cfgcmd:: set firewall name <name> rule <1-9999> source mac-address
<mac-address>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> source mac-address
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> source mac-address
<mac-address>
Only in the source criteria, you can specify a mac-address.
.. code-block:: none
- set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
+ set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34
.. cfgcmd:: set firewall name <name> rule <1-9999> source port
@@ -344,7 +344,7 @@ There are a lot of matching criteria against which the package can be tested.
Multiple source ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'. For example:
-
+
.. code-block:: none
set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
@@ -388,7 +388,7 @@ There are a lot of matching criteria against which the package can be tested.
<0-255> | all | tcp_udp]
Match a protocol criteria. A protocol number or a name which is here
- defined: ``/etc/protocols``.
+ defined: ``/etc/protocols``.
Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
based packets. The ``!`` negate the selected protocol.
@@ -404,7 +404,7 @@ There are a lot of matching criteria against which the package can be tested.
Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
separated. The ``!`` negate the selected protocol.
-
+
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'
@@ -429,7 +429,7 @@ A Rule-Set can be applied to every interface:
* ``out``: Ruleset for forwarded packets on an outbound interface
* ``local``: Ruleset for packets destined for this router
-.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
+.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
[name | ipv6-name] <rule-set>
Here are some examples for applying a rule-set to an interface
@@ -487,7 +487,7 @@ To define a zone setup either one with interfaces or a local zone.
Applying a Rule-Set to a Zone
=============================
-Before you are able to apply a rule-set to a zone you have to create the zones
+Before you are able to apply a rule-set to a zone you have to create the zones
first.
It helps to think of the syntax as: (see below). The 'rule-set' should be
@@ -635,7 +635,7 @@ Rule-set overview
.. opcmd:: show firewall statistics
This will show you a statistic of all rule-sets since the last boot.
-
+
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999>
This command will give an overview of a rule in a single rule-set
@@ -656,7 +656,7 @@ Rule-set overview
443
8080
8443
-
+
vyos@vyos:~$ show firewall group LANv4
Name : LANv4
Type : network
@@ -781,77 +781,3 @@ Example Partial Config
}
}
}
-
-
-.. _routing-mss-clamp:
-
-
-****************
-TCP-MSS Clamping
-****************
-
-As Internet wide PMTU discovery rarely works, we sometimes need to clamp
-our TCP MSS value to a specific value. This is a field in the TCP
-Options part of a SYN packet. By setting the MSS value, you are telling
-the remote side unequivocally 'do not try to send me packets bigger than
-this value'.
-
-Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS
-value for IPv4 and IPv6.
-
-
-.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting
- in 1452 bytes on a 1492 byte MTU.
-
-
-
-IPv4
-====
-
-
-.. cfgcmd:: set firewall options interface <interface> adjust-mss
- <number-of-bytes>
-
- Use this command to set the maximum segment size for IPv4 transit
- packets on a specific interface (500-1460 bytes).
-
-Example
--------
-
-Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and
-`1372`
-for your WireGuard `wg02` tunnel.
-
-.. code-block:: none
-
- set firewall options interface pppoe0 adjust-mss '1452'
- set firewall options interface wg02 adjust-mss '1372'
-
-
-
-IPv6
-====
-
-.. cfgcmd:: set firewall options interface <interface> adjust-mss6
- <number-of-bytes>
-
- Use this command to set the maximum segment size for IPv6 transit
- packets on a specific interface (1280-1492 bytes).
-
-.. _firewall:ipv6_example:
-
-Example
--------
-
-Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
-`wg02` interface.
-
-.. code-block:: none
-
- set firewall options interface pppoe0 adjust-mss6 '1280'
- set firewall options interface wg02 adjust-mss6 '1280'
-
-
-
-.. hint:: When doing your byte calculations, you might find useful this
- `Visual packet size calculator <https://baturin.org/tools/encapcalc/>`_.
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 34842866..1704b9d1 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -20,4 +20,21 @@ Results in:
address 192.168.2.249/30
address 2001:db8:2::249/64
description "Description"
- } \ No newline at end of file
+ }
+
+.. warning:: When using site-to-site IPsec with VTI interfaces,
+ be sure to disable route autoinstall
+
+.. code-block:: none
+
+ set vpn ipsec options disable-route-autoinstall
+
+More details about the IPsec and VTI issue and option disable-route-autoinstall
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
+
+The root cause of the problem is that for VTI tunnels to work, their traffic
+selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even
+though actual routing decision is made according to netfilter marks. Unless
+route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a
+default route through the VTI peer address, which makes all traffic routed
+to nowhere. \ No newline at end of file
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index df6433c6..1c4b734c 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -151,6 +151,7 @@ below is always the public key from your peer, not your local one.
.. code-block:: none
set interfaces wireguard wg01 address '10.1.0.1/30'
+ set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'
set interfaces wireguard wg01 peer to-wg02 address '192.0.2.1'
set interfaces wireguard wg01 peer to-wg02 port '51820'
diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst
index 0c820471..eb530c27 100644
--- a/docs/configuration/interfaces/wwan.rst
+++ b/docs/configuration/interfaces/wwan.rst
@@ -39,6 +39,10 @@ Common interface configuration
:var0: wwan
:var1: wwan0
+.. cmdinclude:: /_include/interface-adjust-mss.txt
+ :var0: wwan
+ :var1: wwan0
+
.. cmdinclude:: /_include/interface-ip.txt
:var0: wwan
:var1: wwan0