From 73234b987a5668331810981d8a262c3fbe4bd8b1 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 20 Apr 2019 15:49:13 +0200 Subject: Login: adjust CLI interface to VyOS 1.2 crux --- docs/system/system-users.rst | 28 +++++++--------------------- 1 file changed, 7 insertions(+), 21 deletions(-) (limited to 'docs') diff --git a/docs/system/system-users.rst b/docs/system/system-users.rst index a6be5a05..67786f20 100644 --- a/docs/system/system-users.rst +++ b/docs/system/system-users.rst @@ -77,35 +77,21 @@ a default timeout and port. .. code-block:: sh - set system login radius server 192.168.1.2 secret 's3cr3t0815' - set system login radius server 192.168.1.2 timeout '5' - set system login radius server 192.168.1.2 port '1812' - set system login radius server 192.168.1.3 secret 's3cr3t0816' + set system login radius-server 192.168.1.2 secret 's3cr3t0815' + set system login radius-server 192.168.1.2 timeout '5' + set system login radius-server 192.168.1.2 port '1812' + set system login radius-server 192.168.1.3 secret 's3cr3t0816' This configuration results in: .. code-block:: sh - show system login radius - server 192.168.1.2 { + show system login + radius-server 192.168.1.2 { secret s3cr3t0815 timeout 5 port 1812 } - server 192.168.1.3 { + radius-server 192.168.1.3 { secret s3cr3t0816 } - -RADIUS Source Address -********************* - -If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS -server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a -single source IP e.g. the loopback interface. - -.. code-block:: sh - - set system login radius source-address 3.3.3.3 - -Above command will use `3.3.3.3` as source IPv4 address for all queries originating -from this NAS. -- cgit v1.2.3 From db9afbc174d6ce7ffc01d593b96b8b23821b0bd0 Mon Sep 17 00:00:00 2001 
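Review bot: in the system-users.rst hunk of 73234b9 the whole "RADIUS Source Address" section, including `set system login radius source-address 3.3.3.3`, is deleted at the end of the hunk, while the commit message only describes adjusting the `radius server` syntax to `radius-server`. If `source-address` no longer exists in 1.2 Crux, the message should say so; if it was only renamed, document the new form under `radius-server` instead of dropping it, since pinning the NAS source address is what operators rely on to match the client entry configured on the RADIUS server.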
From: Christian Poessinger Date: Sat, 20 Apr 2019 15:51:35 +0200 Subject: Version: set version/release to 1.2.2/Crux --- docs/conf.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/conf.py b/docs/conf.py index e9960a8e..0f78ad37 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -24,10 +24,10 @@ copyright = u'2018, VyOS maintainers and contributors' author = u'VyOS maintainers and contributors' # The short X.Y version -version = u'1.2.0' +version = u'1.2.2' # The full version, including alpha/beta/rc tags -release = u'1.2.0-beta' +release = u'Crux' # -- General configuration --------------------------------------------------- -- cgit v1.2.3 From b7059fb3911aa3011d22d5aeb2b2361a63ab9fba Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 21 Apr 2019 21:03:40 +0200 Subject: MSS-Clamping: move from routing to firewall chapter --- docs/firewall.rst | 37 +++++++++++++++++++++++++++++++++++++ docs/routing.rst | 42 ++++++++++++++++++++++++++++++++++-------- 2 files changed, 71 insertions(+), 8 deletions(-) (limited to 'docs') diff --git a/docs/firewall.rst b/docs/firewall.rst index 8ab4dacf..e14cb19b 100644 --- a/docs/firewall.rst +++ b/docs/firewall.rst 
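Review bot: in the conf.py hunk of db9afbc, `release = u'Crux'` replaces the full version string with a codename, so the rendered "Release" field no longer states which 1.2.x the documentation describes; Sphinx expects `release` to be the full version including tags and `version` the short X.Y. Append the codename rather than substituting it, e.g. `release = u'1.2.2 (Crux)'` (or at minimum `u'1.2.2'`), so that `version` and `release` stay consistent.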
@@ -174,5 +174,42 @@ Example Partial Config } } +MSS Clamping +------------ + +As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP +MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option +to clamp your TCP MSS value for IPv4 and IPv6. + +Clamping can be disabled per interface using the `disable` keywork: + +.. code-block:: sh + + set firewall options interface pppoe0 disable + +IPv4 +---- + +Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372` +for your WireGuard `wg02` tunnel. + +.. code-block:: sh + + set firewall options interface pppoe0 adjust-mss '1452' + set firewall options interface wg02 adjust-mss '1372' + +IPv6 +---- + +Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and +`wg02` interface. + +To achieve the same for IPv6 please use: + +.. code-block:: sh + + set firewall options interface pppoe0 adjust-mss6 '1280' + set firewall options interface wg02 adjust-mss6 '1280' + [https://www.xfinity.com/support/internet/list-of-blocked-ports/ XFinity Blocked Port List] diff --git a/docs/routing.rst b/docs/routing.rst index 43a1d0d9..b4144969 100644 --- a/docs/routing.rst +++ b/docs/routing.rst @@ -281,7 +281,7 @@ display arp table entries .. code-block:: sh - show protocols static arp + show protocols static arp Address HWtype HWaddress Flags Mask Iface 10.1.1.1 ether 08:00:27:de:23:2e C eth1 
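Review bot: in the firewall.rst hunk of b7059fb the new `IPv4` and `IPv6` headings use the same `----` underline as `MSS Clamping`, so reStructuredText renders them as siblings of MSS Clamping instead of its subsections (the routing.rst copy in the same commit gets the hierarchy right with `====` for the section and `----` below it). Two smaller points in the same hunk: `keywork` should read `keyword`, and the `[https://www.xfinity.com/support/internet/list-of-blocked-ports/ XFinity Blocked Port List]` line now lands under the IPv6 subsection, where it belongs neither to the example config above nor to MSS clamping; insert the new section above that link or move the link to its own place.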
@@ -331,15 +331,41 @@ we use: set interfaces ethernet eth1 policy route FILTER-WEB -The route policy functionality in VyOS can also be used to rewrite TCP MSS -using the set policy route rule `set tcp-mss ` directive, -modify DSCP value using `set dscp `, or mark the traffic with an -internal ID using `set mark ` for further processing (e.g. QOS) on a -per-rule basis for matching traffic. +MSS Clamping +============ -In addition to 5-tuple matching, additional options such as time-based rules, -are available. See the built-in help for a complete list of options. +As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP +MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option +to clamp your TCP MSS value for IPv4 and IPv6. +Clamping can be disabled per interface using the `disable` keywork: +.. code-block:: sh + + set firewall options interface pppoe0 disable + +IPv4 +---- + +Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372` +for your WireGuard `wg02` tunnel. + +.. code-block:: sh + + set firewall options interface pppoe0 adjust-mss '1452' + set firewall options interface wg02 adjust-mss '1372' + +IPv6 +---- + +Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and +`wg02` interface. + +To achieve the same for IPv6 please use: + +.. code-block:: sh + + set firewall options interface pppoe0 adjust-mss6 '1280' + set firewall options interface wg02 adjust-mss6 '1280' .. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol -- cgit v1.2.3
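Review bot: the commit message says "move from routing to firewall chapter", but this routing.rst hunk adds the complete MSS Clamping section (including the `set firewall options interface ... adjust-mss` and `adjust-mss6` examples) to routing.rst as well, so the text is now duplicated in both chapters; either drop it here and leave a one-line cross-reference to the firewall chapter, or change the message. Separately, the removed paragraphs documented unrelated policy-route actions (`set tcp-mss`, `set dscp`, `set mark`, time-based rules); deleting them is not mentioned in the message and leaves the policy route section without any description of those per-rule actions, so they should be kept or the removal justified.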