diff options
| author | Daniil Baturin <daniil@vyos.io> | 2026-05-06 14:08:35 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-05-06 14:08:35 +0100 |
| commit | 9d0341379184622b3da2e7e05aeeceed4bbf83e9 (patch) | |
| tree | 3c881338b1f6e0ec369a138e4c53772fcbaa8253 /docs/configuration | |
| parent | 5eb383a10ec92c65eed525bc174785a6852e997f (diff) | |
| download | vyos-documentation-9d0341379184622b3da2e7e05aeeceed4bbf83e9.tar.gz vyos-documentation-9d0341379184622b3da2e7e05aeeceed4bbf83e9.zip | |
Revert "Add incremental RST-to-MyST swap mechanism (circinus) (#1867)" (#1893)
This reverts commit 5eb383a10ec92c65eed525bc174785a6852e997f.
Diffstat (limited to 'docs/configuration')
129 files changed, 0 insertions, 42020 deletions
diff --git a/docs/configuration/container/md-index.md b/docs/configuration/container/md-index.md deleted file mode 100644 index db46db38..00000000 --- a/docs/configuration/container/md-index.md +++ /dev/null @@ -1,479 +0,0 @@ ---- -lastproofread: '2024-07-03' ---- - -# Container - -The VyOS container implementation is based on [Podman](https://podman.io/) as -a daemonless container engine. - -## Configuration - -```{cfgcmd} set container name \<name\> image - -Sets the image name in the hub registry - -:::{code-block} none -set container name mysql-server image mysql:8.0 -::: - -If a registry is not specified, Docker.io will be used as the container -registry unless an alternative registry is specified using -`set container registry <name>` or the registry is included -in the image name - -:::{code-block} none -set container name mysql-server image quay.io/mysql:8.0 -::: -``` - - -```{cfgcmd} set container name \<name\> entrypoint \<entrypoint\> - -Override the default entrypoint from the image for a container. -``` - - -```{cfgcmd} set container name \<name\> command \<command\> - -Override the default command from the image for a container. -``` - - -```{cfgcmd} set container name \<name\> arguments \<arguments\> - -Set the command arguments for a container. -``` - - -```{cfgcmd} set container name \<name\> host-name \<hostname\> - -Set the host name for a container. -``` - - -```{cfgcmd} set container name \<name\> allow-host-pid - -The container and the host share the same process namespace. -This means that processes running on the host are visible inside the -container, and processes inside the container are visible on the host. - -The command translates to "--pid host" when the container is created. -``` - - -```{cfgcmd} set container name \<name\> allow-host-networks - -Allow host networking in a container. The network stack of the container is -not isolated from the host and will use the host IP. - -The command translates to "--net host" when the container is created. - -:::{note} -**allow-host-networks** cannot be used with **network** -::: -``` - - -```{cfgcmd} set container name \<name\> network \<networkname\> - -Attaches user-defined network to a container. -Only one network must be specified and must already exist. -``` - - -```{cfgcmd} set container name \<name\> network \<networkname\> address \<address\> - -Optionally set a specific static IPv4 or IPv6 address for the container. -This address must be within the named network prefix. - -:::{note} -The first IP in the container network is reserved by the -engine and cannot be used -::: -``` - - -```{cfgcmd} set container name \<name\> name-server \<address\> - -Optionally set a custom name server. -If a container network is used with DNS enabled, -this setting will not have any effect. -``` - - -```{cfgcmd} set container name \<name\> description \<text\> - -Set a container description -``` - - -```{cfgcmd} set container name \<name\> environment \<key\> value \<value\> - -Add custom environment variables. -Multiple environment variables are allowed. -The following commands translate to "-e key=value" when the container -is created. - -:::{code-block} none -set container name mysql-server environment MYSQL_DATABASE value 'zabbix' -set container name mysql-server environment MYSQL_USER value 'zabbix' -set container name mysql-server environment MYSQL_PASSWORD value 'zabbix_pwd' -set container name mysql-server environment MYSQL_ROOT_PASSWORD value 'root_pwd' -::: -``` - - -```{cfgcmd} set container name \<name\> port \<portname\> source \<portnumber\> - -``` -```{cfgcmd} set container name \<name\> port \<portname\> destination \<portnumber\> -``` - -```{cfgcmd} set container name \<name\> port \<portname\> protocol \<tcp | udp\> - -Publish a port for the container. - -:::{code-block} none -set container name zabbix-web-nginx-mysql port http source 80 -set container name zabbix-web-nginx-mysql port http destination 8080 -set container name zabbix-web-nginx-mysql port http protocol tcp -::: -``` -:::{note} -Port publishing cannot be used with **network**. For this purpose, a workaround -using destination NAT and static IP assignment for the container is available. -::: -```{cfgcmd} set container name \<name\> volume \<volumename\> source \<path\> -``` - -```{cfgcmd} set container name \<name\> volume \<volumename\> destination \<path\> - -Mount a volume into the container - -:::{code-block} none -set container name coredns volume 'corefile' source /config/coredns/Corefile -set container name coredns volume 'corefile' destination /etc/Corefile -::: -``` - -```{cfgcmd} set container name \<name\> volume \<volumename\> mode \<ro | rw\> - -Volume is either mounted as rw (read-write - default) or ro (read-only) -``` - -```{cfgcmd} set container name \<name\> tmpfs \<tmpfsname\> destination \<path\> - -Mount a tmpfs *(ramdisk)* filesystem to the given path within the container. -``` - -```{cfgcmd} set container name \<name\> tmpfs \<tmpfsname\> size \<MB\> - -Size in MB for tmpfs filesystem, maximum size is 64GB or 50% of the -systems total available memory. -``` - -```{cfgcmd} set container name \<name\> uid \<number\> -``` - -```{cfgcmd} set container name \<name\> gid \<number\> - -Set the User ID or Group ID of the container -``` - -```{cfgcmd} set container name \<name\> restart [no | on-failure | always] - -Set the restart behavior of the container. - -- **no**: Do not restart containers on exit -- **on-failure**: Restart containers when they exit with a non-zero -exit code, retrying indefinitely (default) -- **always**: Restart containers when they exit, regardless of status, -retrying indefinitely -``` - -```{cfgcmd} set container name \<name\> cpu-quota \<num\> - -This specifies the number of CPU resources the container can use. - -Default is 0 for unlimited. -For example, 1.25 limits the container to use up to 1.25 cores -worth of CPU time. -This can be a decimal number with up to three decimal places. - -The command translates to "--cpus=\<num\>" when the container is created. -``` - -```{cfgcmd} set container name \<name\> memory \<MB\> - -Constrain the memory available to the container. - -Default is 512 MB. Use 0 MB for unlimited memory. -``` - -```{cfgcmd} set container name \<name\> device \<devicename\> source \<path\> -``` - -```{cfgcmd} set container name \<name\> device \<devicename\> destination \<path\> - -Add a host device to the container. -``` - -```{cfgcmd} set container name \<name\> capability \<text\> - -Set container capabilities or permissions. - -- **net-admin**: Network operations (interface, firewall, routing tables) -- **net-bind-service**: Bind a socket to privileged ports -(port numbers less than 1024) -- **net-raw**: Permission to create raw network sockets -- **setpcap**: Capability sets (from bounded or inherited set) -- **sys-admin**: Administration operations (quotactl, mount, sethostname, -setdomainame) -- **sys-time**: Permission to set system clock -``` - -```{cfgcmd} set container name \<name\> sysctl parameter \<parameter\> value \<value\> - -Set container sysctl values. - -The subset of possible parameters are: - -- Kernel Parameters: kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, -kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced -- Parameters beginning with fs.mqueue.* -- Parameters beginning with net.* (only if user-defined network is used) -``` - -```{cfgcmd} set container name \<name\> label \<label\> value \<value\> - -Add metadata label for this container. -``` - -```{cfgcmd} set container name \<name\> disable - -Disable a container. -``` - -### Container Health checks - - -By default, no health checks are run, even when defined by the image. - -```{cfgcmd} set container name \<name\> health-check - -Default health check is run for the container if defined by the image. -``` - -```{cfgcmd} set container name \<name\> health-check command \<command\> - -Override the default health check command from the image for a container. -``` - -```{cfgcmd} set container name \<name\> health-check interval \<interval\> - -Override the default health-check interval. For example: `60` -``` - -```{cfgcmd} set container name \<name\> health-check timeout \<timeout\> - -Override the default health-check timeout. For example: `10` -``` - -```{cfgcmd} set container name \<name\> health-check retries \<retries\> - -Number of health check retries before container is considered unhealthy. For example: `1` -``` - -### Container Networks - -```{cfgcmd} set container network \<name\> - -Creates a named container network -``` - -```{cfgcmd} set container network \<name\> description - -A brief description what this network is all about. -``` - -```{cfgcmd} set container network \<name\> prefix \<ipv4|ipv6\> - -Define IPv4 and/or IPv6 prefix for a given network name. -Both IPv4 and IPv6 can be used in parallel. -``` - -```{cfgcmd} set container network \<name\> mtu \<number\> - -Configure {abbr}`MTU (Maximum Transmission Unit)` for a given network. It -is the size (in bytes) of the largest ethernet frame sent on this link. -``` - -```{cfgcmd} set container network \<name\> no-name-server - -Disable Domain Name System (DNS) plugin for this network. -``` - -```{cfgcmd} set container network \<name\> vrf \<name\> - -Bind container network to a given VRF instance. -``` - -### Container Registry - -```{cfgcmd} set container registry \<name\> - -Adds registry to list of unqualified-search-registries. By default, for any -image that does not include the registry in the image name, VyOS will use -docker.io and quay.io as the container registry. -``` - -```{cfgcmd} set container registry \<name\> disable - -Disable a given container registry -``` - -```{cfgcmd} set container registry \<name\> authentication username -``` - -```{cfgcmd} set container registry \<name\> authentication password - -Some container registries require credentials to be used. - -Credentials can be defined here and will only be used when adding a -container image to the system. -``` - -```{cfgcmd} set container registry \<name\> insecure - -Allow registry access over unencrypted HTTP or TLS connections with -untrusted certificates. -``` - -```{cfgcmd} set container registry \<name\> mirror address \<address\> -``` - -```{cfgcmd} set container registry \<name\> mirror host-name \<host-name\> -``` - -```{cfgcmd} set container registry \<name\> mirror port \<port\> -``` - -```{cfgcmd} set container registry \<name\> mirror path \<path\> - -Registry mirror, use ``(host-name|address)[:port][/path]``. - -If you have mirror http://192.168.1.1:8080 for docker.io, you can use ``docker.io/some/repo`` or run ``podman pull docker.io/some/repo`` - -:::{code-block} none -set container registry docker.io mirror address 192.168.1.1 -set container registry docker.io mirror port 8080 -set container registry docker.io insecure -::: -If http://192.168.1.1:8080 is your own registry, you can use ``192.168.1.1:8080/some/repo`` or run ``podman pull 192.168.1.1:8080/some/repo`` - -:::{code-block} none -set container registry 192.168.1.1:8080 insecure -::: -``` - -### Log Configuration - -```{cfgcmd} set container name \<name\> log-driver [k8s-file | journald | none] - -Set the default log driver for containers. - -- **k8s-file**: Log to a plain text file in Kubernetes-style format. -- **journald**: Log to the system journal -- **none**: Disable logging for the container - -Current default is journald. - -``` - -## Operation Commands - -```{opcmd} add container image \<containername\> - -Pull a new image for container -``` -```{opcmd} show container - -Show the list of all active containers. -``` -```{opcmd} show container image - -Show the local container images. -``` -```{opcmd} show container log \<containername\> - -Show logs from a given container -``` -```{opcmd} show container network - -Show a list available container networks -``` -```{opcmd} restart container \<containername\> - -Restart a given container -``` -```{opcmd} update container image \<containername\> - -Update container image -``` -```{opcmd} delete container image \<image id|all\> [force] - -Delete a particular container image based on it's image ID. -You can also delete all container images at once. - -You can not delete a container image if it has more then one tag -assigned, this is why there is a `force` option to pass down to -the container image to also remove those images. -``` - -## Example Configuration - -For the sake of demonstration, [example #1 in the official documentation](https://www.zabbix.com/documentation/current/manual/installation/containers) -to the declarative VyOS CLI syntax. - -```none -set container network zabbix prefix 172.20.0.0/16 -set container network zabbix description 'Network for Zabbix component containers' - -set container name mysql-server image mysql:8.0 -set container name mysql-server network zabbix - -set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix' -set container name mysql-server environment 'MYSQL_USER' value 'zabbix' -set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd' -set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' - -set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest -set container name zabbix-java-gateway network zabbix - -set container name zabbix-server-mysql image zabbix/zabbix-server-mysql:alpine-5.2-latest -set container name zabbix-server-mysql network zabbix - -set container name zabbix-server-mysql environment 'DB_SERVER_HOST' value 'mysql-server' -set container name zabbix-server-mysql environment 'MYSQL_DATABASE' value 'zabbix' -set container name zabbix-server-mysql environment 'MYSQL_USER' value 'zabbix' -set container name zabbix-server-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd' -set container name zabbix-server-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' -set container name zabbix-server-mysql environment 'ZBX_JAVAGATEWAY' value 'zabbix-java-gateway' - -set container name zabbix-server-mysql port zabbix source 10051 -set container name zabbix-server-mysql port zabbix destination 10051 - -set container name zabbix-web-nginx-mysql image zabbix/zabbix-web-nginx-mysql:alpine-5.2-latest -set container name zabbix-web-nginx-mysql network zabbix - -set container name zabbix-web-nginx-mysql environment 'MYSQL_DATABASE' value 'zabbix' -set container name zabbix-web-nginx-mysql environment 'ZBX_SERVER_HOST' value 'zabbix-server-mysql' -set container name zabbix-web-nginx-mysql environment 'DB_SERVER_HOST' value 'mysql-server' -set container name zabbix-web-nginx-mysql environment 'MYSQL_USER' value 'zabbix' -set container name zabbix-web-nginx-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd' -set container name zabbix-web-nginx-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' - -set container name zabbix-web-nginx-mysql port http source 80 -set container name zabbix-web-nginx-mysql port http destination 8080 -``` diff --git a/docs/configuration/firewall/md-bridge.md b/docs/configuration/firewall/md-bridge.md deleted file mode 100644 index 3ed30f78..00000000 --- a/docs/configuration/firewall/md-bridge.md +++ /dev/null @@ -1,868 +0,0 @@ ---- -lastproofread: '2026-03-28' ---- - -(firewall-configuration)= - -# Bridge Firewall Configuration - -## Overview - -Learn more about bridge firewall configuration -and related op-mode commands. - -The following commands are covered in this section: - -```{eval-rst} -.. cfgcmd:: set firewall bridge <options> -``` - -From the main structure defined in -{doc}`Firewall Overview</configuration/firewall/index>` -in this section you can find detailed information only for the next part -of the general structure: - -```none -- set firewall - * bridge - - forward - + filter - - input - + filter - - output - + filter - - prerouting - + filter - - name - + custom_name -``` - -Traffic that is received by the router on an interface that is a member of a -bridge is processed on the **Bridge Layer**. Before the bridge decision is -made, all packets are analyzed at **Prerouting**. First filters can be applied -here, and also rules for ignoring connection tracking system can be configured. -The relevant configuration that acts in **prerouting** is: - -> - `set firewall bridge prerouting filter ...`. - -For traffic that needs to be switched internally by the bridge, the base -chain is **forward**, and its base command for filtering is `set firewall -bridge forward filter ...`, which happens in stage 4, highlighted with red -color. - -:::{figure} /_static/images/firewall-bridge-forward.webp -::: - -For traffic destined to the router itself or that needs to be routed -(assuming a layer3 bridge is configured), the base chain is **input**, and the -base command is `set firewall bridge input filter ...` and the path is: - -:::{figure} /_static/images/firewall-bridge-input.webp -::: - -If it's not dropped, then the packet is sent to **IP Layer**, and will be -processed by the **IP Layer** firewall: IPv4 or IPv6 ruleset. Check once again -the {doc}`general packet flow diagram</configuration/firewall/index>` if -needed. - -For traffic that originates from the bridge itself, the base chain is -**output**, and the base command is `set firewall bridge output filter -...`, and the path is: - -:::{figure} /_static/images/firewall-bridge-output.webp -::: - -Custom bridge firewall chains can be created with the command `set firewall -bridge name <name> ...`. To use such a custom chain, a rule with action jump -and the appropriate target must be defined in a base chain. - -## Bridge Rules - -For firewall filtering, firewall rules need to be created. Each rule is -numbered, has an action to apply if the rule is matched, and the ability -to specify multiple matching criteria. Data packets go through the rules -from 1 - 999999, so order is crucial. At the first match the action of the -rule will be executed. - -### Actions - -If a rule is defined, an action must also be defined for it. This tells the -firewall what to do if all matching criteria in the rule are met. - -In firewall bridge rules, the action can be: - -> - `accept`: accept the packet. -> - `continue`: continue parsing next rule. -> - `drop`: drop the packet. -> - `jump`: jump to another custom chain. -> - `return`: Return from the current chain and continue at the next rule -> of the last chain. -> - `queue`: Enqueue packet to userspace. -> - `notrack`: ignore connection tracking system. This action is only -> available in prerouting chain. - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> action - [accept | continue | drop | jump | queue | return] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> action - [accept | continue | drop | jump | queue | return] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> action - [accept | continue | drop | jump | queue | return] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> action - [accept | continue | drop | jump | notrack | queue | return] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> action - [accept | continue | drop | jump | queue | return] - - This required setting defines the action of the current rule. If action is - set to jump, then jump-target is also needed. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> - jump-target <text> -``` - -If action is set to ``queue``, use next command to specify the queue -target. Range is also supported: - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> - queue <0-65535> - - Also, if action is set to ``queue``, use next command to specify the queue - options. Possible options are ``bypass`` and ``fanout``: -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> - queue-options fanout -``` - -Also, **default-action** is an action that takes place whenever a packet does -not match any rule in its chain. For base chains, possible options for -**default-action** are **accept** or **drop**. - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> default-action - [accept | continue | drop | jump | reject | return] - - This sets the default action of the rule-set if a packet does not match - any of the rules in that chain. If default-action is set to ``jump``, then - ``default-jump-target`` is also needed. Note that for base chains, default - action can only be set to ``accept`` or ``drop``, while on custom chains - more actions are available. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> default-jump-target <text> - - To be used only when ``default-action`` is set to ``jump``. Use this - command to specify jump target for default rule. -``` - -:::{note} -**Important note about default-actions:** -If the default action for any base chain is not defined, then the default -action is set to **accept** for that chain. For custom chains, if the -default action is not defined, then the default-action is set to **drop**. -::: - -### Firewall Logs - -You can enable logging for every firewall rule. If enabled, other log options -can be configured. - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> log - - Enable logging for the matched packet. If this configuration command is not - present, then the log is not enabled. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> default-log - - Use this command to enable the logging of the default action on - the specified chain. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] - - Define log-level. Only applicable if rule log is enabled. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> - log-options group <0-65535> - - Define the log group to send messages to. Only applicable if rule log is - enabled. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> - log-options snapshot-length <0-9000> - - Define length of packet payload to include in netlink message. Only - applicable if rule log is enabled and the log group is defined. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> - log-options queue-threshold <0-65535> - - Define the number of packets to queue inside the kernel before sending them - to userspace. Only applicable if rule log is enabled and the log group is - defined. -``` - -### Firewall Description - -You can define a description for reference for every custom chain. - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> description <text> - - Provide a rule-set description to a custom firewall chain. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> - description <text> - - Provide a description for each rule. -``` - -### Rule Status - -By default, when you define a rule, it is enabled. In some cases, it is -useful to disable the rule instead of removing it. - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> disable - - Command for disabling a rule but keep it in the configuration. -``` - -### Matching criteria - -There are many matching criteria against which a packet can be tested. Refer -to {doc}`IPv4</configuration/firewall/ipv4>` and -{doc}`IPv6</configuration/firewall/ipv6>` matching criteria for more details. - -Since bridges operate at layer 2, both matchers for IPv4 and IPv6 are -supported in bridge firewall configuration. Same applies to firewall groups. - -Same specific matching criteria that can be used in bridge firewall are -described in this section: - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> ethernet-type - [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> ethernet-type - [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> ethernet-type - [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> ethernet-type - [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> ethernet-type - [802.1q | 802.1ad | arp | ipv4 | ipv6] - - Match based on the Ethernet type of the packet. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan - ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan - ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan - ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan - ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan - ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] - - Match based on the Ethernet type of the packet when it is VLAN tagged. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan id - <0-4096> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan id - <0-4096> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan id - <0-4096> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan id - <0-4096> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan id - <0-4096> - - Match based on VLAN identifier. Range is also supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan priority - <0-7> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan priority - <0-7> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan priority - <0-7> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan priority - <0-7> -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan priority - <0-7> - - Match based on VLAN priority (Priority Code Point - PCP). Range is also - supported. -``` - -### Packet Modifications - -Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify -packets before they are sent out. This feature provides more flexibility in -packet handling. - -```{eval-rst} -.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter - rule <1-999999> set dscp <0-63> - - Set a specific value of Differentiated Services Codepoint (DSCP). -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter - rule <1-999999> set mark <1-2147483647> - - Set a specific packet mark value. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter - rule <1-999999> set tcp-mss <500-1460> - - Set the TCP-MSS (TCP maximum segment size) for the connection. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter - rule <1-999999> set ttl <0-255> - - Set the TTL (Time to Live) value. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter - rule <1-999999> set hop-limit <0-255> - - Set hop limit value. -``` - -```{eval-rst} -.. cfgcmd:: set firewall bridge [forward | output] filter - rule <1-999999> set connection-mark <0-2147483647> - - Set connection mark value. - -``` - -### Use IP firewall - -By default, for switched traffic, only the rules defined under `set firewall -bridge` are applied. There are two global-options that can be configured in -order to force deeper analysis of the packet on the IP layer. These options -are: - -```{eval-rst} -.. cfgcmd:: set firewall global-options apply-to-bridged-traffic ipv4 - - This command enables the IPv4 firewall for bridged traffic. If this option - is used, packets are also parsed by rules defined in ``set firewall ipv4 - ...`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options apply-to-bridged-traffic ipv6 - - This command enables the IPv6 firewall for bridged traffic. If this option - is used, packets are also parsed by rules defined in ``set firewall ipv6 - ...`` -``` - -## Operation-mode Firewall - -### Rule-set overview - -In this section you can find all useful firewall op-mode commands. - -General commands for firewall configuration, counter and statistics: - -```{eval-rst} -.. opcmd:: show firewall -``` - -```{eval-rst} -.. opcmd:: show firewall summary -``` - -```{eval-rst} -.. opcmd:: show firewall statistics -``` - -And, to print only bridge firewall information: - -```{eval-rst} -.. opcmd:: show firewall bridge -``` - -```{eval-rst} -.. opcmd:: show firewall bridge forward filter -``` - -```{eval-rst} -.. opcmd:: show firewall bridge forward filter rule <rule> -``` - -```{eval-rst} -.. opcmd:: show firewall bridge name <name> -``` - -```{eval-rst} -.. opcmd:: show firewall bridge name <name> rule <rule> -``` - -### Show Firewall log - -```{eval-rst} -.. opcmd:: show log firewall -``` - -```{eval-rst} -.. opcmd:: show log firewall bridge -``` - -```{eval-rst} -.. opcmd:: show log firewall bridge forward -``` - -```{eval-rst} -.. opcmd:: show log firewall bridge forward filter -``` - -```{eval-rst} -.. opcmd:: show log firewall bridge name <name> -``` - -```{eval-rst} -.. opcmd:: show log firewall bridge forward filter rule <rule> -``` - -```{eval-rst} -.. opcmd:: show log firewall bridge name <name> rule <rule> - - Show the logs of all firewall; show all bridge firewall logs; show all logs - for forward hook; show all logs for forward hook and priority filter; show - all logs for particular custom chain; show logs for specific Rule-Set. -``` - -### Example - -Configuration example: - -```none -set firewall bridge forward filter default-action 'drop' -set firewall bridge forward filter default-log -set firewall bridge forward filter rule 10 action 'continue' -set firewall bridge forward filter rule 10 inbound-interface name 'eth2' -set firewall bridge forward filter rule 10 vlan id '22' -set firewall bridge forward filter rule 20 action 'drop' -set firewall bridge forward filter rule 20 inbound-interface group 'TRUNK-RIGHT' -set firewall bridge forward filter rule 20 vlan id '60' -set firewall bridge forward filter rule 30 action 'jump' -set firewall bridge forward filter rule 30 jump-target 'TEST' -set firewall bridge forward filter rule 30 outbound-interface name '!eth1' -set firewall bridge forward filter rule 35 action 'accept' -set firewall bridge forward filter rule 35 vlan id '11' -set firewall bridge forward filter rule 40 action 'continue' -set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11' -set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66' -set firewall bridge name TEST default-action 'accept' -set firewall bridge name TEST default-log -set firewall bridge name TEST rule 10 action 'continue' -set firewall bridge name TEST rule 10 log -set firewall bridge name TEST rule 10 vlan priority '0' -``` - -And op-mode commands: - -```none -vyos@BRI:~$ show firewall bridge -Rulesets bridge Information - ---------------------------------- -bridge Firewall "forward filter" - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- --------------------------------------------------------------------- -10 continue all 0 0 iifname "eth2" vlan id 22 continue -20 drop all 0 0 iifname @I_TRUNK-RIGHT vlan id 60 -30 jump all 2130 170688 oifname != "eth1" jump NAME_TEST -35 accept all 2080 168616 vlan id 11 accept -40 continue all 0 0 ether daddr 66:55:44:33:22:11 ether saddr 11:22:33:44:55:66 continue -default drop all 0 0 - ---------------------------------- -bridge Firewall "name TEST" - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- -------------------------------------------------- -10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue -default accept all 2130 170688 - -vyos@BRI:~$ -vyos@BRI:~$ show firewall bridge name TEST -Ruleset Information - ---------------------------------- -bridge Firewall "name TEST" - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- -------------------------------------------------- -10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue -default accept all 2130 170688 - -vyos@BRI:~$ -``` - -Inspect logs: - -```none -vyos@BRI:~$ show log firewall bridge -Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 -Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 -Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 -... -vyos@BRI:~$ show log firewall bridge forward filter -Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 -Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 -``` diff --git a/docs/configuration/firewall/md-flowtables.md b/docs/configuration/firewall/md-flowtables.md deleted file mode 100644 index e43dbd30..00000000 --- a/docs/configuration/firewall/md-flowtables.md +++ /dev/null @@ -1,189 +0,0 @@ ---- -lastproofread: '2026-03-30' ---- - -(firewall-flowtables-configuration)= - -# Flowtables Firewall Configuration - -```{include} /_include/need_improvement.txt -``` - -## Overview - -This section provides information on firewall configuration for flowtables. - -```{eval-rst} -.. cfgcmd:: set firewall flowtable ... -``` - -To learn about the general traffic flow in VyOS firewalls, -see {doc}`Firewall </configuration/firewall/index>`. - -```none -- set firewall - * flowtable - - custom_flow_table - + ... -``` - -Flowtables let you define a fastpath through the flowtable datapath. -Flowtables support layer 3 (IPv4 and IPv6) and layer 4 (TCP and UDP) -protocols. - -:::{figure} /_static/images/firewall-flowtable-packet-flow.webp -::: - -After the first packet successfully traverses the IP forwarding path (black -circles path), you can offload subsequent packets to the flowtable through your -ruleset. You specify when to add a flow to the flowtable during forward -filtering (red circle number 6). - -When a packet finds a matching entry in the flowtable (flowtable hit), the -system transmits it to the output netdevice. This means packets bypass the -classic IP forwarding path and use the **Fast Path** (orange circles path). -As a result, you do not see these packets from any Netfilter hooks after -ingress. If no matching entry exists in the flowtable (flowtable miss), the -packet traverses the classic IP forwarding path. - -:::{note} -**Flowtable Reference:** -<https://docs.kernel.org/networking/nf_flowtable.html> -::: - -## Flowtable Configuration - -To use flowtables, you need to configure the following: - -> - Create a flowtable that includes the interfaces -> that are going to be used by the flowtable. -> - Create a firewall rule. Set the action to -> `offload` and use your desired flowtable for `offload-target`. - -Creating a flow table: - -```{eval-rst} -.. cfgcmd:: set firewall flowtable <flow_table_name> interface <iface> - - Specify interfaces to use in the flowtable. -``` - -```{eval-rst} -.. cfgcmd:: set firewall flowtable <flow_table_name> description <text> -``` - -Provide a description for the flow table. - -```{eval-rst} -.. cfgcmd:: set firewall flowtable <flow_table_name> offload - <hardware | software> - - Specify the offload type the flowtable uses: ``hardware`` or - ``software``. The default is ``software`` offload. -``` - -:::{note} -**Hardware offload**: Make sure your network interface controller -(NIC) supports hardware offloading and that you have the necessary drivers - -> installed before enabling this option. -::: - -Creating rules for using flow tables: - -```{eval-rst} -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - action offload - - Create a firewall rule in the forward chain with the action set to - ``offload``. -``` - -```{eval-rst} -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - offload-target <flowtable> - - Create a firewall rule in the forward chain and specify which flowtable - to use. Only applicable if the action is ``offload``. -``` - -## Configuration Example - -Consider the following in this setup: - -> - This example uses two interfaces in the flowtables: `eth0` and `eth1`. -> - The example provides a minimal firewall ruleset with filtering rules -> and rules for using flowtable offload capabilities. - -The first packet is evaluated by the firewall path, so a -desired connection should be explicitly accepted. -The same should occur for traffic in reverse order. -In most cases, state policies are -used to accept a connection in the reverse path. - -In the following example only traffic coming from interface `eth0`, -TCP protocol, and destination port 1122 is accepted. -All other traffic to the router is dropped. - -### Commands - -```none -set firewall flowtable FT01 interface 'eth0' -set firewall flowtable FT01 interface 'eth1' -set firewall ipv4 forward filter default-action 'drop' -set firewall ipv4 forward filter rule 10 action 'offload' -set firewall ipv4 forward filter rule 10 offload-target 'FT01' -set firewall ipv4 forward filter rule 10 state 'established' -set firewall ipv4 forward filter rule 10 state 'related' -set firewall ipv4 forward filter rule 20 action 'accept' -set firewall ipv4 forward filter rule 20 state 'established' -set firewall ipv4 forward filter rule 20 state 'related' -set firewall ipv4 forward filter rule 110 action 'accept' -set firewall ipv4 forward filter rule 110 destination address '192.0.2.100' -set firewall ipv4 forward filter rule 110 destination port '1122' -set firewall ipv4 forward filter rule 110 inbound-interface name 'eth0' -set firewall ipv4 forward filter rule 110 protocol 'tcp' -``` - -### Explanation - -Here's what happens for a desired connection: - -> 1. A packet arrives on `eth0` with destination address `192.0.2.100`, TCP -> protocol, and destination port 1122. Assume this address is reachable -> through interface `eth1`. -> 2. For this first packet, the connection state is **new**. Neither rule 10 -> nor rule 20 applies. -> 3. Rule 110 matches, so the connection is accepted. -> 4. When the server 192.0.2.100 replies, the connection state becomes -> **established**, and rule 20 accepts the reply. -> 5. The router receives the second packet for this connection. Because the -> connection state is **established**, rule 10 matches and adds a new -> entry in the flowtable FT01 for this connection. -> 6. Subsequent packets skip the traditional path and use the **Fast Path** -> for offloading. - -### Checks - -Check the conntrack table to verify that the system accepted and properly -offloaded connections. - -```none -vyos@FlowTables:~$ show firewall ipv4 forward filter -Ruleset Information - ---------------------------------- -ipv4 Firewall "forward filter" - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- ---------------------------------------------------------------- -10 offload all 8 468 ct state { established, related } flow add @VYOS_FLOWTABLE_FT01 -20 accept all 8 468 ct state { established, related } accept -110 accept tcp 2 120 ip daddr 192.0.2.100 tcp dport 1122 iifname "eth0" accept -default drop all 7 420 - -vyos@FlowTables:~$ sudo conntrack -L | grep tcp -conntrack v1.4.6 (conntrack-tools): 5 flow entries have been shown. -tcp 6 src=198.51.100.100 dst=192.0.2.100 sport=41676 dport=1122 src=192.0.2.100 dst=198.51.100.100 sport=1122 dport=41676 [OFFLOAD] mark=0 use=2 -vyos@FlowTables:~$ -``` diff --git a/docs/configuration/firewall/md-global-options.md b/docs/configuration/firewall/md-global-options.md deleted file mode 100644 index 5a74266c..00000000 --- a/docs/configuration/firewall/md-global-options.md +++ /dev/null @@ -1,259 +0,0 @@ ---- -lastproofread: '2026-03-30' ---- - -(firewall-global-options-configuration)= - -# Global Options Firewall Configuration - -## Overview - -Some firewall settings are global and affect the entire system. This section -provides information about these global options that you can configure using -the VyOS CLI. - -Configuration commands covered in this section: - -```{eval-rst} -.. cfgcmd:: set firewall global-options ... -``` - -## Configuration - -```{eval-rst} -.. cfgcmd:: set firewall global-options all-ping [enable | disable] - - By default, when VyOS receives an ICMP echo request packet destined for - itself, it answers with an ICMP echo reply, unless your firewall prevents - it. - - You can set firewall rules to accept, drop, or reject ICMP in, out, or - local traffic. You can also use the **firewall global-options all-ping** - command. This command affects only LOCAL traffic (packets destined for your - VyOS system), not IN or OUT traffic. - - .. note:: **firewall global-options all-ping** affects only LOCAL traffic - and always behaves in the most restrictive way - - .. code-block:: none - - set firewall global-options all-ping enable - - When you set this command, VyOS answers every ICMP echo request addressed - to itself, but that response occurs only if no other rule drops or rejects - local echo requests. In case of conflict, VyOS does not answer ICMP echo - requests. - - .. code-block:: none - - set firewall global-options all-ping disable - - When you set this command, VyOS answers no ICMP echo requests addressed to - itself, regardless of where they come from or what specific rules accept - them. -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options apply-to-bridged-traffic [ipv4 | ipv6] - - Apply IPv4 or IPv6 firewall rules to bridged traffic. -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] - - Enable or disable the response to ICMP broadcast messages. The system - alters the following parameter: - - * ``net.ipv4.icmp_echo_ignore_broadcasts`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options ip-src-route [enable | disable] -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] - - Set whether VyOS accepts packets with a source route option. - The following sysctl parameters will be changed: - - * ``net.ipv4.conf.all.accept_source_route`` - * ``net.ipv6.conf.all.accept_source_route`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options receive-redirects [enable | disable] -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options ipv6-receive-redirects - [enable | disable] - - Allow VyOS to accept ICMPv4 and ICMPv6 redirect messages. - The following sysctl parameters will be changed: - - * ``net.ipv4.conf.all.accept_redirects`` - * ``net.ipv6.conf.all.accept_redirects`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options send-redirects [enable | disable] - - Allow VyOS to send ICMPv4 redirect messages. - The following sysctl parameter will be changed: - - * ``net.ipv4.conf.all.send_redirects`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options log-martians [enable | disable] - - Allow VyOS to log martian IPv4 packets. - The following sysctl parameter will be changed: - - * ``net.ipv4.conf.all.log_martians`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options source-validation - [strict | loose | disable] - - Set the IPv4 source validation mode. - The following sysctl parameter will be changed: - - * ``net.ipv4.conf.all.rp_filter`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options syn-cookies [enable | disable] - - Allow VyOS to use IPv4 TCP SYN Cookies. - The following sysctl parameter will be changed: - - * ``net.ipv4.tcp_syncookies`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options twa-hazards-protection - [enable | disable] - - Enable or disable VyOS {rfc}`1337` conformance. - The following sysctl parameter will be changed: - - * ``net.ipv4.tcp_rfc1337`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options state-policy established action - [accept | drop | reject] -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options state-policy established log -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options state-policy established log-level - [emerg | alert | crit | err | warn | notice | info | debug] - - Set the global setting for an established connection. -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options state-policy invalid action - [accept | drop | reject] -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options state-policy invalid log -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options state-policy invalid log-level - [emerg | alert | crit | err | warn | notice | info | debug] - - Set the global setting for invalid packets. -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options state-policy related action - [accept | drop | reject] -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options state-policy related log -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options state-policy related log-level - [emerg | alert | crit | err | warn | notice | info | debug] - - Set the global setting for related connections. -``` - -VyOS supports setting timeouts for connections by connection type. You can -set timeout values for generic connections, ICMP connections, UDP -connections, or TCP connections in various states. - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout icmp <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout other <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout tcp close <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout tcp close-wait <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout tcp established <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout tcp fin-wait <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout tcp last-ack <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout tcp syn-recv <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout tcp syn-sent <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout tcp time-wait <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout udp other <1-21474836> - :defaultvalue: -``` - -```{eval-rst} -.. cfgcmd:: set firewall global-options timeout udp stream <1-21474836> - :defaultvalue: - - Set the timeout in seconds for a protocol or state. -``` diff --git a/docs/configuration/firewall/md-groups.md b/docs/configuration/firewall/md-groups.md deleted file mode 100644 index ed02d249..00000000 --- a/docs/configuration/firewall/md-groups.md +++ /dev/null @@ -1,526 +0,0 @@ ---- -lastproofread: '2026-03-30' ---- - -(firewall-groups-configuration)= - -# Firewall groups - -## Configuration - -Firewall groups represent collections of IP addresses, networks, ports, -MAC addresses, domains, or interfaces. You can reference a group in firewall, -NAT, and policy route rules as either a source or destination matcher, and/or -as inbound or outbound in the case of interface groups. - -### Address Groups - -An **address group** contains a single IP address or IP address range. - -```{eval-rst} -.. cfgcmd:: set firewall group address-group <name> address [address | - address range] -``` - -```{eval-rst} -.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> - - Define an IPv4 or IPv6 address group. - - .. code-block:: none - - set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 - set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 - set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 -``` - -```{eval-rst} -.. cfgcmd:: set firewall group address-group <name> description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> - - Provide an IPv4 or IPv6 address group description. -``` - -### Remote Groups - -A **remote-group** uses a URL that hosts a newline-delimited list of IPv4 -and/or IPv6 addresses, CIDRs, and ranges. VyOS pulls this list periodically -according to the frequency you define in the firewall **resolver-interval** -and loads matching entries into the group for use in rules. The list is cached -in persistent storage, so rules continue to function if updates fail. - -```{eval-rst} -.. cfgcmd:: set firewall group remote-group <name> url <http(s) url> - - Specify a remote list of IPv4 and/or IPv6 addresses, ranges, and CIDRs - to fetch. -``` - -```{eval-rst} -.. cfgcmd:: set firewall group remote-group <name> description <text> - - Set a description for a remote group. -``` - -The remote list format is flexible. VyOS attempts to parse the first word of -each line as an entry and skips lines it cannot match. Lines that begin with -an alphanumeric character but do not match valid IPv4 or IPv6 addresses, -ranges, or CIDRs are logged to the system log. The following examples show -acceptable formats that VyOS parses correctly: - -```none -127.0.0.1 -127.0.0.0/24 -127.0.0.1-127.0.0.254 -2001:db8::1 -2001:db8:cafe::/48 -2001:db8:cafe::1-2001:db8:cafe::ffff -``` - -### Network Groups - -**Network groups** accept IP networks in CIDR notation. You can add specific -IP addresses as a 32-bit prefix. If you need to add a mix of addresses and -networks, use a network group. - -```{eval-rst} -.. cfgcmd:: set firewall group network-group <name> network <CIDR> -``` - -```{eval-rst} -.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> - - Define an IPv4 or IPv6 network group. - - .. code-block:: none - - set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 - set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 - set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 -``` - -```{eval-rst} -.. cfgcmd:: set firewall group network-group <name> description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> - - Provide an IPv4 or IPv6 network group description. -``` - -### Interface Groups - -An **interface group** represents a collection of interfaces. - -```{eval-rst} -.. cfgcmd:: set firewall group interface-group <name> interface <text> - - Define an interface group. - Wildcard ``*`` is supported. For example: ``eth3*``. - Prepend the character ``!`` to invert the criteria. For example: ``!eth2``. -``` - -```none -set firewall group interface-group LAN interface bond1001 -set firewall group interface-group LAN interface eth3* -``` - -```{eval-rst} -.. cfgcmd:: set firewall group interface-group <name> description <text> - - Provide an interface group description. -``` - -### Port Groups - -A **port group** represents only port numbers, not the protocol. You can -reference port groups for either TCP or UDP. Create TCP and UDP groups -separately to avoid accidentally filtering unnecessary ports. Specify port -ranges by using `-`. - -```{eval-rst} -.. cfgcmd:: set firewall group port-group <name> port - [portname | portnumber | startport-endport] - - Define a port group. A port name can be any name defined in - /etc/services. For example, ``http``. - - .. code-block:: none - - set firewall group port-group PORT-TCP-SERVER1 port http - set firewall group port-group PORT-TCP-SERVER1 port 443 - set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 -``` - -```{eval-rst} -.. cfgcmd:: set firewall group port-group <name> description <text> - - Provide a port group description. -``` - -### MAC Groups - -A **mac group** represents a collection of mac addresses. - -```{eval-rst} -.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> - - Define a mac group. -``` - -```none -set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f -set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 -``` - -```{eval-rst} -.. cfgcmd:: set firewall group mac-group <name> description <text> - - Provide a MAC group description. -``` - -### Domain Groups - -A **domain group** represents a collection of domains. - -```{eval-rst} -.. cfgcmd:: set firewall group domain-group <name> address <domain> - - Define a domain group. -``` - -```none -set firewall group domain-group DOM address example.com -``` - -```{eval-rst} -.. cfgcmd:: set firewall group domain-group <name> description <text> - - Provide a domain group description. -``` - -### Dynamic Groups - -Firewall dynamic groups differ from other groups because you can use them as -source/destination in firewall rules, and members are not defined statically -in VyOS configuration. Instead, firewall rules dynamically add members to -these groups. - -#### Defining Dynamic Address Groups - -Dynamic address groups support both IPv4 and IPv6 families. Use these -commands to define dynamic IPv4 and IPv6 address groups: - -```{eval-rst} -.. cfgcmd:: set firewall group dynamic-group address-group <name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall group dynamic-group ipv6-address-group <name> -``` - -Add description to firewall groups: - -```{eval-rst} -.. cfgcmd:: set firewall group dynamic-group address-group <name> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall group dynamic-group ipv6-address-group <name> - description <text> -``` - -#### Adding elements to Dynamic Firewall Groups - -After you define dynamic firewall groups, use them in firewall rules to -dynamically add elements to them. - -Commands used for this task are: - -- Add destination IP address of the connection to a dynamic address group: - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 [forward | input | output] filter rule - <1-999999> add-address-to-group destination-address address-group <name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> add-address-to-group - destination-address address-group <name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 [forward | input | output] filter rule - <1-999999> add-address-to-group destination-address address-group <name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group - destination-address address-group <name> -``` - -- Add source IP address of the connection to a dynamic address group: - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 [forward | input | output] filter rule - <1-999999> add-address-to-group source-address address-group <name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> add-address-to-group - source-address address-group <name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 [forward | input | output] filter rule - <1-999999> add-address-to-group source-address address-group <name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group - source-address address-group <name> -``` - -You can define specific timeouts per rule. When a rule matches, the source or -destination address is added to the group, and the element remains in the group -until the timeout expires. If you do not define a timeout, the element remains -in the group until the next reboot or until you commit firewall configuration -changes. - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 [forward | input | output] filter rule - <1-999999> add-address-to-group [destination-address | source-address] - timeout <timeout> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> add-address-to-group - [destination-address | source-address] timeout <timeout> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 [forward | input | output] filter rule - <1-999999> add-address-to-group [destination-address | source-address] - timeout <timeout> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group - [destination-address | source-address] timeout <timeout> -``` - -Timeout can be defined using seconds, minutes, hours or days: - -```none -set firewall ipv6 name FOO rule 10 add-address-to-group source-address timeout -Possible completions: -<number>s Timeout value in seconds -<number>m Timeout value in minutes -<number>h Timeout value in hours -<number>d Timeout value in days -``` - -#### Using Dynamic Firewall Groups - -Like other firewall groups, you can use dynamic firewall groups in firewall -rules as matching options. For example: - -```none -set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO -set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR -``` - -## Examples - -### General example - -After you create firewall groups, you can reference them in firewall, NAT, -NAT66, and/or policy-route rules. The following example creates multiple -groups: - -```none -set firewall group address-group SERVERS address 198.51.100.101 -set firewall group address-group SERVERS address 198.51.100.102 -set firewall group network-group TRUSTEDv4 network 192.0.2.0/30 -set firewall group network-group TRUSTEDv4 network 203.0.113.128/25 -set firewall group ipv6-network-group TRUSTEDv6 network 2001:db8::/64 -set firewall group interface-group LAN interface eth2.2001 -set firewall group interface-group LAN interface bon0 -set firewall group port-group PORT-SERVERS port http -set firewall group port-group PORT-SERVERS port 443 -set firewall group port-group PORT-SERVERS port 5000-5010 -``` - -And next, some configuration example where groups are used: - -```none -set firewall ipv4 output filter rule 10 action accept -set firewall ipv4 output filter rule 10 outbound-interface group !LAN -set firewall ipv4 forward filter rule 20 action accept -set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4 -set firewall ipv6 input filter rule 10 action accept -set firewall ipv6 input filter rule 10 source group network-group TRUSTEDv6 -set nat destination rule 101 inbound-interface group LAN -set nat destination rule 101 destination group address-group SERVERS -set nat destination rule 101 protocol tcp -set nat destination rule 101 destination group port-group PORT-SERVERS -set nat destination rule 101 translation address 203.0.113.250 -set policy route PBR rule 201 destination group port-group PORT-SERVERS -set policy route PBR rule 201 protocol tcp -set policy route PBR rule 201 set table 15 -``` - -### Port knocking example - -You can use dynamic firewall groups with port knocking to secure access to -the router or any other device. The following example shows a 4-step port -knocking configuration: - -```none -set firewall global-options state-policy established action 'accept' -set firewall global-options state-policy invalid action 'drop' -set firewall global-options state-policy related action 'accept' -set firewall group dynamic-group address-group ALLOWED -set firewall group dynamic-group address-group PN_01 -set firewall group dynamic-group address-group PN_02 -set firewall ipv4 input filter default-action 'drop' -set firewall ipv4 input filter rule 5 action 'accept' -set firewall ipv4 input filter rule 5 protocol 'icmp' -set firewall ipv4 input filter rule 10 action 'drop' -set firewall ipv4 input filter rule 10 add-address-to-group source-address address-group 'PN_01' -set firewall ipv4 input filter rule 10 add-address-to-group source-address timeout '2m' -set firewall ipv4 input filter rule 10 description 'Port_nock 01' -set firewall ipv4 input filter rule 10 destination port '9990' -set firewall ipv4 input filter rule 10 protocol 'tcp' -set firewall ipv4 input filter rule 20 action 'drop' -set firewall ipv4 input filter rule 20 add-address-to-group source-address address-group 'PN_02' -set firewall ipv4 input filter rule 20 add-address-to-group source-address timeout '3m' -set firewall ipv4 input filter rule 20 description 'Port_nock 02' -set firewall ipv4 input filter rule 20 destination port '9991' -set firewall ipv4 input filter rule 20 protocol 'tcp' -set firewall ipv4 input filter rule 20 source group dynamic-address-group 'PN_01' -set firewall ipv4 input filter rule 30 action 'drop' -set firewall ipv4 input filter rule 30 add-address-to-group source-address address-group 'ALLOWED' -set firewall ipv4 input filter rule 30 add-address-to-group source-address timeout '2h' -set firewall ipv4 input filter rule 30 description 'Port_nock 03' -set firewall ipv4 input filter rule 30 destination port '9992' -set firewall ipv4 input filter rule 30 protocol 'tcp' -set firewall ipv4 input filter rule 30 source group dynamic-address-group 'PN_02' -set firewall ipv4 input filter rule 99 action 'accept' -set firewall ipv4 input filter rule 99 description 'Port_nock 04 - Allow ssh' -set firewall ipv4 input filter rule 99 destination port '22' -set firewall ipv4 input filter rule 99 protocol 'tcp' -set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED' -``` - -Before testing, we can check the members of firewall groups: - -```none -vyos@vyos# run show firewall group -Firewall Groups - -Name Type References Members Timeout Expires -------- ---------------------- -------------------- ------------- --------- --------- -ALLOWED address_group(dynamic) ipv4-input-filter-30 N/D N/D N/D -PN_01 address_group(dynamic) ipv4-input-filter-10 N/D N/D N/D -PN_02 address_group(dynamic) ipv4-input-filter-20 N/D N/D N/D -[edit] -vyos@vyos# -``` - -With this configuration, to gain SSH access to the router, the user must: - -1. Create a new TCP connection to destination port 9990. A new entry is added - to dynamic firewall group `PN_01`. - - ```none - vyos@vyos# run show firewall group - Firewall Groups - - Name Type References Members Timeout Expires - ------- ---------------------- -------------------- ------------- --------- --------- - ALLOWED address_group(dynamic) ipv4-input-filter-30 N/D N/D N/D - PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.89.31 120 119 - PN_02 address_group(dynamic) ipv4-input-filter-20 N/D N/D N/D - [edit] - vyos@vyos# - ``` - -2. Create a new TCP connection to destination port 9991. A new entry is added - to dynamic firewall group `PN_02`. - - ```none - vyos@vyos# run show firewall group - Firewall Groups - - Name Type References Members Timeout Expires - ------- ---------------------- -------------------- ------------- --------- --------- - ALLOWED address_group(dynamic) ipv4-input-filter-30 N/D N/D N/D - PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.89.31 120 106 - PN_02 address_group(dynamic) ipv4-input-filter-20 192.168.89.31 180 179 - [edit] - vyos@vyos# - ``` - -3. Create a new TCP connection to destination port 9992. A new entry is added - to dynamic firewall group `ALLOWED`. - - ```none - vyos@vyos# run show firewall group - Firewall Groups - - Name Type References Members Timeout Expires - ------- ---------------------- -------------------- ------------- --------- --------- - ALLOWED address_group(dynamic) ipv4-input-filter-30 192.168.89.31 7200 7199 - PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.89.31 120 89 - PN_02 address_group(dynamic) ipv4-input-filter-20 192.168.89.31 180 170 - [edit] - vyos@vyos# - ``` - -4. Now you can connect via SSH to the router (assuming SSH is - configured). - -## Operation-mode - -```{eval-rst} -.. opcmd:: show firewall group -``` - -```{eval-rst} -.. opcmd:: show firewall group <name> - - Display an overview of defined groups, including the firewall group name, - type, references (where the group is used), members, timeout, and - expiration (the last two only apply to dynamic firewall groups). -``` - -Here is an example of such command: - -```none -vyos@vyos:~$ show firewall group -Firewall Groups - -Name Type References Members Timeout Expires ------------- ---------------------- ---------------------- ---------------- --------- --------- -SERVERS address_group nat-destination-101 198.51.100.101 - 198.51.100.102 -ALLOWED address_group(dynamic) ipv4-input-filter-30 192.168.77.39 7200 7174 -PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.0.245 120 112 - 192.168.77.39 120 85 -PN_02 address_group(dynamic) ipv4-input-filter-20 192.168.77.39 180 151 -LAN interface_group ipv4-output-filter-10 bon0 - nat-destination-101 eth2.2001 -TRUSTEDv6 ipv6_network_group ipv6-input-filter-10 2001:db8::/64 -TRUSTEDv4 network_group ipv4-forward-filter-20 192.0.2.0/30 - 203.0.113.128/25 -PORT-SERVERS port_group route-PBR-201 443 - route-PBR-201 5000-5010 - nat-destination-101 http -vyos@vyos:~$ -``` diff --git a/docs/configuration/firewall/md-index.md b/docs/configuration/firewall/md-index.md deleted file mode 100644 index 204744d5..00000000 --- a/docs/configuration/firewall/md-index.md +++ /dev/null @@ -1,236 +0,0 @@ -lastproofread -2024-08-05 - -# Firewall - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -<div class="warning"> - -<div class="title"> - -Warning - -</div> - -Due to a race condition that can lead to a failure during boot -process, all interfaces are initialized before firewall is configured. This -leads to a situation where the system is open to all traffic, and can be -considered as a security risk. - -</div> - -As VyOS is based on Linux it leverages its firewall. The Netfilter project -created iptables and its successor nftables for the Linux kernel to -work directly on packet data flows. This now extends the concept of -zone-based security to allow for manipulating the data at multiple stages once -accepted by the network interface and the driver before being handed off to -the destination (e.g., a web server OR another device). - -A simplified traffic flow diagram, based on Netfilter packet flow, is shown -next, in order to have a full view and understanding of how packets are -processed, and what possible paths traffic can take. - -<figure> -<img src="/_static/images/firewall-gral-packet-flow.webp" /> -</figure> - -The main points regarding this packet flow and terminology used in VyOS -firewall are covered below: - -> - **Bridge Port?**: choose appropriate path based on whether interface -> where the packet was received is part of a bridge, or not. - -If the interface where the packet was received isn't part of a bridge, then -packet is processed at the **IP Layer**: - -> - **Prerouting**: All packets that are received by the router -> are processed in this stage, regardless of the destination of the packet. -> Starting from vyos-1.5-rolling-202406120020, a new section was added to -> the firewall configuration. There are several actions that can be done in -> this stage, and currently these actions are also defined in different -> parts of the VyOS configuration. Order is important, and the relevant -> configuration that acts in this stage are: -> -> > - **Firewall prerouting**: rules defined under `set firewall [ipv4 | ipv6] prerouting raw...`. All rules defined in this section are -> > processed before connection tracking subsystem. -> > - **Conntrack Ignore**: rules defined under `set system conntrack ignore [ipv4 | ipv6] ...`. Starting from vyos-1.5-rolling-202406120020, -> > configuration done in this section can be done in `firewall [ipv4 | ipv6] prerouting ...`. For compatibility reasons, this feature is -> > still present, but it will be removed in the future. -> > - **Policy Route**: rules defined under `set policy [route | route6] ...`. -> > - **Destination NAT**: rules defined under `set [nat | nat66] destination...`. -> -> - **Destination is the router?**: choose an appropriate path based on -> destination IP address. Transit forward continues to **forward**, -> while traffic where the destination IP address is configured on the router -> continues to **input**. -> -> - **Input**: stage where traffic destined for the router itself can be -> filtered and controlled. This is where all rules for securing the router -> should take place. This includes ipv4 and ipv6 filtering rules, defined -> in: -> -> - `set firewall ipv4 input filter ...`. -> - `set firewall ipv6 input filter ...`. -> -> - **Forward**: stage where transit traffic can be filtered and controlled. -> This includes ipv4 and ipv6 filtering rules, defined in: -> -> - `set firewall ipv4 forward filter ...`. -> - `set firewall ipv6 forward filter ...`. -> -> - **Output**: stage where traffic that originates from the router itself -> can be filtered and controlled. Bear in mind that this traffic can be a -> new connection originated by a internal process running on the VyOS router -> such as NTP, or a response to traffic received externally through -> **input** (for example response to an ssh login attempt to the router). -> This includes ipv4 and ipv6 rules, and two different sections are present: -> -> - **Output Prerouting**: `set firewall [ipv4 | ipv6] output raw ...`. -> As described in **Prerouting**, rules defined in this section are -> processed before connection tracking subsystem. -> - **Output Filter**: `set firewall [ipv4 | ipv6] output filter ...`. -> -> - **Postrouting**: as in **Prerouting**, several actions defined in -> different parts of VyOS configuration are performed in this -> stage. This includes: -> -> - **Source NAT**: rules defined under `set [nat | nat66] source...`. - -If the interface where the packet was received is part of a bridge, then -the packet is processed at the **Bridge Layer**: - -> - **Prerouting (Bridge)**: all packets that are received by the bridge are -> processed in this stage, regardless of the destination of the packet. -> First filters can be applied here, and/or also configure rules for -> ignoring connection tracking system. The relevant configuration that -> acts in: -> - `set firewall bridge prerouting filter ...`. -> - **Forward (Bridge)**: stage where traffic that is trespassing through the -> bridge is filtered and controlled: -> - `set firewall bridge forward filter ...`. -> - **Input (Bridge)**: stage where traffic destined for the bridge itself can -> be filtered and controlled: -> - `set firewall bridge input filter ...`. -> - **Output (Bridge)**: stage where traffic that originates from the bridge -> itself can be filtered and controlled: -> - `set firewall bridge output filter ...`. - -The main structure of the VyOS firewall CLI is shown next: - -``` none -- set firewall - * bridge - - forward - + filter - - input - + filter - - output - + filter - - prerouting - + filter - - name - + custom_name - * flowtable - - custom_flow_table - + ... - * global-options - + all-ping - + broadcast-ping - + ... - * group - - address-group - - ipv6-address-group - - network-group - - ipv6-network-group - - interface-group - - mac-group - - port-group - - domain-group - * ipv4 - - forward - + filter - - input - + filter - - output - + filter - + raw - - prerouting - + raw - - name - + custom_name - * ipv6 - - forward - + filter - - input - + filter - - output - + filter - + raw - - prerouting - + raw - - ipv6-name - + custom_name - * zone - - custom_zone_name - + ... -``` - -Please, refer to appropriate section for more information about firewall -configuration: - -<div class="toctree" maxdepth="1" includehidden=""> - -global-options -groups -bridge -ipv4 -ipv6 -flowtables - -</div> - -<div class="note"> - -<div class="title"> - -Note - -</div> - -**For more information** -of Netfilter hooks and Linux networking packet flows can be -found in [Netfilter-Hooks](https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks) - -</div> - -## Zone-based firewall - -<div class="toctree" maxdepth="1" includehidden=""> - -zone - -</div> - -With zone-based firewalls a new concept was implemented, in addition to the -standard in and out traffic flows, a local flow was added. This local flow was -for traffic originating and destined to the router itself. Which means that -additional rules were required to secure the firewall itself from the network, -in addition to the existing inbound and outbound rules from the traditional -concept above. - -To configure VyOS with the -`zone-based firewall configuration </configuration/firewall/zone>` - -As the example image below shows, the device now needs rules to allow/block -traffic to or from the services running on the device that have open -connections on that interface. - -<figure> -<img src="/_static/images/firewall-zonebased.webp" /> -</figure> diff --git a/docs/configuration/firewall/md-ipv4.md b/docs/configuration/firewall/md-ipv4.md deleted file mode 100644 index cf6e2231..00000000 --- a/docs/configuration/firewall/md-ipv4.md +++ /dev/null @@ -1,2099 +0,0 @@ ---- -lastproofread: '2026-03-30' ---- - -(firewall-ipv4-configuration)= - -# IPv4 Firewall Configuration - -## Overview - -This section provides information on IPv4 firewall configuration and -appropriate operation-mode commands. This section covers the following -configuration commands: - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 ... -``` - -To learn about the general traffic flow in VyOS firewalls, -see {doc}`Firewall </configuration/firewall/index>`. - -```none -- set firewall - * ipv4 - - forward - + filter - - input - + filter - - output - + filter - + raw - - prerouting - + raw - - name - + custom_name -``` - -First, the router receives all traffic and processes it in the **prerouting** -stage. - -This stage includes: - -> - **Firewall Prerouting**: commands found under `set firewall ipv4 -> prerouting raw ...` -> - {doc}`Conntrack Ignore</configuration/system/conntrack>`: `set system -> conntrack ignore ipv4...` -> - {doc}`Policy Route</configuration/policy/route>`: commands found under -> `set policy route ...` -> - {doc}`Destination NAT</configuration/nat/nat44>`: commands found under -> `set nat destination ...` - -For transit traffic, which is received by the router and forwarded, the base -chain is **forward**. The following is a simplified packet flow diagram for -transit traffic: - -:::{figure} /_static/images/firewall-fwd-packet-flow.webp -::: - -The base firewall chain for configuring filtering rules for transit traffic is -`set firewall ipv4 forward filter ...`, which occurs in stage 5, highlighted -in red. - -For traffic to the router itself, the base chain is **input**. For traffic -the router originates, the base chain is **output**. A simplified packet flow -diagram is shown next, which shows the path for traffic destined to the router -itself and traffic the router generates (starting from circle number 6): - -:::{figure} /_static/images/firewall-input-packet-flow.webp -::: - -The base chain for traffic towards the router is -`set firewall ipv4 input filter ...` - -The base chain for traffic the router generates is `set firewall ipv4 -output ...`, where two sub-chains are available: **filter** and **raw**: - -- **Output Prerouting**: `set firewall ipv4 output raw ...`. As described - in **Prerouting**, the system processes rules in this section before the - connection tracking subsystem. -- **Output Filter**: `set firewall ipv4 output filter ...`. The system - processes rules in this section after the connection tracking subsystem. - -:::{note} -**Important note about default-actions:** -If you do not define a default action for a base chain, the system sets -the default action to **accept** for that chain. For custom chains, if you -do not define a default action, the system sets the default-action to -**drop**. -::: - -You can create custom firewall chains using the following commands: -`set firewall ipv4 name <name> ...`. To use a custom chain, you must define -a rule with the **action jump** and the appropriate **target** in a base -chain. - -## Firewall - IPv4 Rules - -Each firewall rule has a -number, an action to apply if the rule matches, and the ability to specify -multiple matching criteria. Packets traverse rules numbered 1-999999, so order -is crucial. The system executes the rule action at the first match. - -### Actions - -If you define a rule, you must define an action for it. The action tells the -firewall what to do if all the criteria you define for that rule are met. - -The action can be: - -> - `accept`: Accept the packet. -> - `continue`: Continue parsing the next rule. -> - `drop`: Drop the packet. -> - `reject`: Reject the packet. -> - `jump`: Jump to another custom chain. -> - `return`: Return from the current chain and continue at the next rule -> of the last chain. -> - `queue`: Enqueue packet to userspace. -> - `synproxy`: Synproxy the packet. - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action - [accept | continue | drop | jump | queue | reject | return | synproxy] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> action - [accept | continue | drop | jump | queue | reject | return | synproxy] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> action - [accept | continue | drop | jump | queue | reject | return] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action - [accept | continue | drop | jump | queue | reject | return] - - This required setting defines the action of the current rule. If you set - the action to jump, you must also specify a jump-target. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - jump-target <text> - - Use this command only when the action is set to ``jump``. Specify the - jump target. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - queue <0-65535> - - Use this command only when the action is set to ``queue``. Specify the - queue target to use. Queue range is also supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - queue-options bypass - - Use this command only when the action is set to ``queue``. Allow the packet - to pass through the firewall when no userspace software is connected to the - queue. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - queue-options fanout - - Use this command only when the action is set to ``queue``. Distribute - packets between several queues. -``` - -Also, **default-action** is an action that applies when a packet does not -match any rule in its chain. For base chains, possible options for -**default-action** are **accept** or **drop**. - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> default-action - [accept | drop | jump | queue | reject | return] - - This command sets the default action of the rule-set if a packet does not - match the criteria of any rule. If you set the default-action to ``jump``, - you must also specify ``default-jump-target``. Note that for base chains, - you can set the default action only to ``accept`` or ``drop``, while on - custom chains, more actions are available. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text> - - Use this command only when you set ``default-action`` to ``jump``. Specify - the jump target for the default rule. -``` - -:::{note} -**Important note about default-actions:** -If you do not define a default action for a base chain, the system sets -the default action to **accept** for that chain. For custom chains, if you -do not define a default action, the system sets the default-action to -**drop**. -::: - -### Firewall Logs - -You can enable logging for every single firewall rule. If you enable logging, -you can define other log options. - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log - - Enable logging for the matched packet. If this command is not present, then - logging is not enabled. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> default-log - - Use this command to enable logging of the default action on the specified - chain. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] - - Define the log level. Only applicable if you enable rule logging. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options group <0-65535> - - Define the log group to send messages to. Only applicable if you enable rule - logging. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options snapshot-length <0-9000> - - Define the length of packet payload to include in a netlink message. Only - applicable if you enable rule logging and define the log group. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options queue-threshold <0-65535> - - Define the number of packets to queue inside the kernel before sending them - to userspace. Only applicable if you enable rule logging and define the log - group. -``` - -### Firewall Description - -You can add a description for reference for every single rule and for every -defined custom chain. - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> description <text> - - Provide a rule-set description for a custom firewall chain. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text> - - Provide a description for each rule. -``` - -### Rule Status - -When you define a rule, it is enabled by default. In some cases, it is useful -to disable the rule rather than removing it. - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable - - Command for disabling a rule but keeping it in the configuration. -``` - -### Matching criteria - -There are a lot of matching criteria against which the packet can be tested. - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - connection-status nat [destination | source] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - connection-status nat [destination | source] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - connection-status nat [destination | source] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - connection-status nat [destination | source] - - Match based on nat connection status. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - connection-mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - connection-mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - connection-mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - connection-mark <1-2147483647> - - Match based on connection mark. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - conntrack-helper <module> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - conntrack-helper <module> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - conntrack-helper <module> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - conntrack-helper <module> - - Match based on connection tracking protocol helper module to secure use of - that helper module. See below for possible completions `<module>`. - - .. code-block:: none - - Possible completions: - ftp Related traffic from FTP helper - h323 Related traffic from H.323 helper - pptp Related traffic from PPTP helper - nfs Related traffic from NFS helper - sip Related traffic from SIP helper - tftp Related traffic from TFTP helper - sqlnet Related traffic from SQLNet helper -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination address [address | addressrange | CIDR] - - Match criteria based on source and/or destination address. This is similar - to the network groups part, but here you are able to negate the matching - addresses. - - .. code-block:: none - - set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11 - # with a '!' the rule match everything except the specified subnet - set firewall ipv4 name FOO rule 51 source address !203.0.113.0/24 -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination address-mask [address] - - An arbitrary netmask can be applied to mask addresses to only match against - a specific portion. - - This functions for both individual addresses and address groups. - - .. code-block:: none - - # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet - set firewall ipv4 name FOO rule 100 destination address 0.11.0.13 - set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255 -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination fqdn <fqdn> - - Specify a Fully Qualified Domain Name as source/destination to match. Ensure - that the router is able to resolve this dns query. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination geoip inverse-match - - Match IP addresses based on its geolocation. More info: `geoip matching - <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. - Use inverse-match to match anything except the given country-codes. -``` - -Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, -permits redistribution so we can include a database in images(~3MB -compressed). Includes cron script (manually callable by op-mode update -geoip) to keep database and rules updated. - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source mac-address <mac-address> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source mac-address <mac-address> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source mac-address <mac-address> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source mac-address <mac-address> - - You can only specify a source mac-address to match. - - .. code-block:: none - - set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 - set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination port [1-65535 | portname | start-end] - - A port can be set by number or name as defined in ``/etc/services``. - - .. code-block:: none - - set firewall ipv4 forward filter rule 10 source port '22' - set firewall ipv4 forward filter rule 11 source port '!http' - set firewall ipv4 forward filter rule 12 source port 'https' - - Multiple source ports can be specified as a comma-separated list. - The whole list can also be "negated" using ``!``. For example: -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group address-group <name | !name> - - Use a specific address-group. Prepending the character ``!`` to invert the - criteria to match is also supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group dynamic-address-group <name | !name> - - Use a specific dynamic-address-group. Prepending the character ``!`` to - invert the criteria to match is also supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group network-group <name | !name> - - Use a specific network-group. Prepending the character ``!`` to invert the - criteria to match is also supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group port-group <name | !name> - - Use a specific port-group. Prepending the character ``!`` to invert the - criteria to match is also supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group domain-group <name | !name> - - Use a specific domain-group. Prepending the character ``!`` to invert the - criteria to match is also supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - source group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - source group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - source group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - destination group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - destination group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - destination group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group mac-group <name | !name> - - Use a specific mac-group. Prepending the character ``!`` to invert the - criteria to match is also supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - dscp [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - dscp [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - dscp [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - dscp [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - dscp-exclude [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - dscp-exclude [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - dscp-exclude [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - dscp-exclude [0-63 | start-end] - - Match based on dscp value. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - fragment [match-frag | match-non-frag] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - fragment [match-frag | match-non-frag] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - fragment [match-frag | match-non-frag] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - fragment [match-frag | match-non-frag] - - Match based on fragmentation. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - icmp [code | type] <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - icmp [code | type] <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - icmp [code | type] <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - icmp [code | type] <0-255> - - Match based on icmp code and type. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - icmp type-name <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - icmp type-name <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - icmp type-name <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - icmp type-name <text> - - Match based on icmp type-name. Use tab for information - about what **type-name** criteria are supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - inbound-interface name <iface> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - inbound-interface name <iface> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - inbound-interface name <iface> - - Match based on inbound interface. Wildcard ``*`` is supported. For example: - ``eth2*``. Prepend the character ``!`` to invert the criteria. For example: - ``!eth2`` -``` - -:::{note} -If an interface is attached to a non-default vrf, when using -**inbound-interface**, the vrf name must be used. For example `set firewall -ipv4 forward filter rule 10 inbound-interface name MGMT` -::: - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - inbound-interface group <iface_group> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - inbound-interface group <iface_group> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - inbound-interface group <iface_group> - - Match based on the inbound interface group. Prepend the character ``!`` to - invert the criteria. For example, ``!IFACE_GROUP`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - outbound-interface name <iface> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - outbound-interface name <iface> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - outbound-interface name <iface> - - Match based on outbound interface. Wildcard ``*`` is supported. For example: - ``eth2*``. Prepend the character ``!`` to invert the criteria. For example: - ``!eth2`` -``` - -:::{note} -If an interface is attached to a non-default vrf, when using -**outbound-interface**, the real interface name must be used. For example -`set firewall ipv4 forward filter rule 10 outbound-interface name eth0` -::: - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - outbound-interface group <iface_group> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - outbound-interface group <iface_group> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - outbound-interface group <iface_group> - - Match based on outbound interface group. Prepend the character ``!`` to - invert the criteria. For example: ``!IFACE_GROUP`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - ipsec [match-ipsec-in | match-none-in] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - ipsec [match-ipsec-out | match-none-out] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] - - Match based on ipsec. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - limit burst <0-4294967295> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - limit burst <0-4294967295> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - limit burst <0-4294967295> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - limit burst <0-4294967295> - - Match based on the maximum number of packets to allow in excess of rate. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - limit rate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - limit rate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - limit rate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - limit rate <text> - - Specify the maximum average rate as **integer/unit**. For example: - **5/minutes** -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - packet-length <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - packet-length <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - packet-length <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - packet-length <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - packet-length-exclude <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - packet-length-exclude <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - packet-length-exclude <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - packet-length-exclude <text> - - Match based on packet length. Specify multiple values from 1 to 65535 and - ranges. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - packet-type [broadcast | host | multicast | other] - - Match based on the packet type. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] - - Match based on protocol number or name as defined in ``/etc/protocols``. - Special names are ``all`` for all protocols and ``tcp_udp`` for TCP and UDP - based packets. The ``!`` character negates the selected protocol. - - .. code-block:: none - - set firewall ipv4 forward filter rule 10 protocol tcp_udp - set firewall ipv4 forward filter rule 11 protocol !tcp_udp -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - recent time [second | minute | hour] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - recent time [second | minute | hour] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - recent time [second | minute | hour] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent time [second | minute | hour] - - Match based on recently seen sources. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - tcp flags [not] <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - tcp flags [not] <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - tcp flags [not] <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - tcp flags [not] <text> - - Specify TCP flags. Allowed values are ``ack``, ``cwr``, ``ecn``, ``fin``, - ``psh``, ``rst``, ``syn``, and ``urg``. Specify multiple values, and use - ``not`` for inverted selection, as shown in the example. - - .. code-block:: none - - set firewall ipv4 input filter rule 10 tcp flags 'ack' - set firewall ipv4 input filter rule 12 tcp flags 'syn' - set firewall ipv4 input filter rule 13 tcp flags not 'fin' -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - state [established | invalid | new | related] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - state [established | invalid | new | related] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - state [established | invalid | new | related] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - state [established | invalid | new | related] - - Match against the state of a packet. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - time startdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - time startdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - time startdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time startdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - time starttime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - time starttime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - time starttime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time starttime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - time stopdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - time stopdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - time stopdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time stopdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - time stoptime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - time stoptime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - time stoptime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time stoptime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - time weekdays <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - time weekdays <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - time weekdays <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time weekdays <text> - - Time to match the defined rule. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - ttl <eq | gt | lt> <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - ttl <eq | gt | lt> <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - ttl <eq | gt | lt> <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - ttl <eq | gt | lt> <0-255> - - Match the time to live parameter, where 'eq' means 'equal', 'gt' means - 'greater than', and 'lt' means 'less than'. -``` - -### Packet Modifications - -Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify -packets before sending them out. This feature provides more flexibility in -packet handling. - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> - set dscp <0-63> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - set dscp <0-63> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> - set dscp <0-63> - - Set a specific value of Differentiated Services Codepoint (DSCP). -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> - set mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - set mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> - set mark <1-2147483647> - - Set a specific packet mark value. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> - set tcp-mss <500-1460> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - set tcp-mss <500-1460> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> - set tcp-mss <500-1460> - - Set the TCP-MSS (TCP maximum segment size) for the connection. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> - set ttl <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - set ttl <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> - set ttl <0-255> - - Set the TTL (Time to Live) value. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - set connection-mark <0-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> - set connection-mark <0-2147483647> - - Set connection mark value. -``` - -## Synproxy - -Synproxy connections - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> - action synproxy -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> - protocol tcp -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> - synproxy tcp mss <501-65535> - - Set the TCP-MSS (maximum segment size) for the connection -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> - synproxy tcp window-scale <1-14> - - Set the window scale factor for TCP window scaling -``` - -### Example synproxy - -Requirements to enable synproxy: - -> - Traffic must be symmetric. -> - Synproxy relies on syncookies and TCP timestamps, ensure these are enabled. -> - Disable conntrack loose track option. - -```none -set system sysctl parameter net.ipv4.tcp_timestamps value '1' - -set system conntrack tcp loose disable -set system conntrack ignore ipv4 rule 10 destination port '8080' -set system conntrack ignore ipv4 rule 10 protocol 'tcp' -set system conntrack ignore ipv4 rule 10 tcp flags syn - -set firewall global-options syn-cookies 'enable' -set firewall ipv4 input filter rule 10 action 'synproxy' -set firewall ipv4 input filter rule 10 destination port '8080' -set firewall ipv4 input filter rule 10 inbound-interface name 'eth1' -set firewall ipv4 input filter rule 10 protocol 'tcp' -set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' -set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' -set firewall ipv4 input filter rule 1000 action 'drop' -set firewall ipv4 input filter rule 1000 state invalid -``` - -## Operation-mode Firewall - -### Rule-set overview - -```{eval-rst} -.. opcmd:: show firewall - - This will show you a basic firewall overview, for all rule-sets, not - only for IPv4. - - .. code-block:: none - - vyos@vyos:~$ show firewall - Rulesets Information - - --------------------------------- - ipv4 Firewall "forward filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ----------------------------- - 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept - 21 jump all 0 0 jump NAME_AUX - default accept all 0 0 - - --------------------------------- - ipv4 Firewall "input filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ------------------------- - 10 accept all 156 14377 iifname != @I_LAN accept - default accept all 0 0 - - --------------------------------- - ipv4 Firewall "name AUX" - - Rule Action Protocol Packets Bytes Conditions - ------ -------- ---------- --------- ------- -------------------------------------------- - 10 accept icmp 0 0 meta l4proto icmp accept - 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept - 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2" - - --------------------------------- - ipv4 Firewall "output filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ---------------------------------------- - 10 reject all 0 0 oifname @I_LAN - 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept - default accept all 72 9258 - - --------------------------------- - ipv6 Firewall "input filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ------------------------------- - 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept - default accept all 2 112 - - vyos@vyos:~$ -``` - -```{eval-rst} -.. opcmd:: show firewall summary - - This shows you a summary of rule-sets and groups. - - .. code-block:: none - - vyos@vyos:~$ show firewall summary - Ruleset Summary - - IPv6 Ruleset: - - Ruleset Hook Ruleset Priority Description - -------------- -------------------- ------------------------- - forward filter - input filter - ipv6_name IPV6-VyOS_MANAGEMENT - ipv6_name IPV6-WAN_IN PUBLIC_INTERNET - - IPv4 Ruleset: - - Ruleset Hook Ruleset Priority Description - -------------- ------------------ ------------------------- - forward filter - input filter - name VyOS_MANAGEMENT - name WAN_IN PUBLIC_INTERNET - - Firewall Groups - - Name Type References Members - ----------------------- ------------------ ----------------------- ---------------- - PBX address_group WAN_IN-100 198.51.100.77 - SERVERS address_group WAN_IN-110 192.0.2.10 - WAN_IN-111 192.0.2.11 - WAN_IN-112 192.0.2.12 - WAN_IN-120 - WAN_IN-121 - WAN_IN-122 - SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 - WAN_IN-20 - PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 - PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 - WAN_IN-171 - PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 - SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 - IPV6-WAN_IN-111 2001:db8::3 - IPV6-WAN_IN-112 2001:db8::4 - IPV6-WAN_IN-120 - IPV6-WAN_IN-121 - IPV6-WAN_IN-122 - SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 - IPV6-WAN_IN-20 - -``` - -```{eval-rst} -.. opcmd:: show firewall ipv4 [forward | input | output] filter -``` - -```{eval-rst} -.. opcmd:: show firewall ipv4 name <name> - - This command will give an overview of a single rule-set. - - .. code-block:: none - - vyos@vyos:~$ show firewall ipv4 input filter - Ruleset Information - - --------------------------------- - IPv4 Firewall "input filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ----------------------------------------- - 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT - default accept all -``` - -```{eval-rst} -.. opcmd:: show firewall ipv4 [forward | input | output] - filter rule <1-999999> -``` - -```{eval-rst} -.. opcmd:: show firewall ipv4 name <name> rule <1-999999> - - This command gives an overview of a rule in a single rule-set, plus - information for default action. -``` - -```none -vyos@vyos:~$show firewall ipv4 output filter rule 20 -Rule Information - ---------------------------------- -ipv4 Firewall "output filter" - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- ---------------------------------------- -20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept -default accept all 286 47614 - -vyos@vyos:~$ -``` - -```{eval-rst} -.. opcmd:: show firewall statistics - - This will show you statistics of all rule-sets since the last boot. -``` - -### Show Firewall log - -```{eval-rst} -.. opcmd:: show log firewall -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv4 -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv4 [forward | input | output | name] -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv4 [forward | input | output] filter -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv4 name <name> -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule> -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv4 name <name> rule <rule> - - Show the logs of all firewall; show all IPv4 firewall logs; show all logs - for particular hook; show all logs for particular hook and priority; - show all logs for particular custom chain; show logs for specific rule-set. -``` - -### Example Partial Config - -```none -firewall { - group { - network-group BAD-NETWORKS { - network 198.51.100.0/24 - network 203.0.113.0/24 - } - network-group GOOD-NETWORKS { - network 192.0.2.0/24 - } - port-group BAD-PORTS { - port 65535 - } - } - ipv4 { - forward { - filter { - default-action accept - rule 5 { - action accept - source { - group { - network-group GOOD-NETWORKS - } - } - } - rule 10 { - action drop - description "Bad Networks" - protocol all - source { - group { - network-group BAD-NETWORKS - } - } - } - } - } - } -} -``` - -### Update geoip database - -```{eval-rst} -.. opcmd:: update geoip - - Command to update GeoIP database and firewall sets. -``` diff --git a/docs/configuration/firewall/md-ipv6.md b/docs/configuration/firewall/md-ipv6.md deleted file mode 100644 index f732ec44..00000000 --- a/docs/configuration/firewall/md-ipv6.md +++ /dev/null @@ -1,2131 +0,0 @@ ---- -lastproofread: '2026-04-01' ---- - -(firewall-ipv6-configuration)= - -# IPv6 Firewall Configuration - -## Overview - -This section covers useful information about IPv6 firewall configuration and -appropriate operation-mode commands. - -This section describes the following configuration commands: - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 ... -``` - -To learn about the general traffic flow in VyOS firewalls, -see {doc}`Firewall </configuration/firewall/index>`. - -```none -- set firewall - * ipv6 - - forward - + filter - - input - + filter - - output - + filter - + raw - - prerouting - + raw - - name - + custom_name -``` - -The router first receives all traffic and processes it in the **prerouting** -section. - -This stage includes: - -> - **Firewall Prerouting**: commands found under `set firewall ipv6 -> prerouting raw ...` -> - {doc}`Conntrack Ignore</configuration/system/conntrack>`: `set system -> conntrack ignore ipv6...` -> - {doc}`Policy Route</configuration/policy/route>`: commands found under -> `set policy route6 ...` -> - {doc}`Destination NAT</configuration/nat/nat44>`: commands found under -> `set nat66 destination ...` - -For transit traffic that the router receives and forwards, the base chain is -**forward**. The following diagram shows a simplified packet flow for transit -traffic: - -:::{figure} /_static/images/firewall-fwd-packet-flow.webp -::: - -Use `set firewall ipv6 forward filter ...` to configure filtering rules for -transit traffic. This command corresponds to stage 5 and is highlighted in red -in the diagram. - -For traffic destined to the router, use the **input** chain. For traffic the -router generates, use the **output** chain. The following diagram shows the -packet flow for traffic destined to the router and traffic generated by the -router (starting from circle number 6): - -:::{figure} /_static/images/firewall-input-packet-flow.webp -::: - -Use `set firewall ipv6 input filter ...` to configure traffic destined to -the router. - -Use `set firewall ipv6 output ...` to configure traffic the router generates. -Two sub-chains are available: **filter** and **raw**: - -- **Output Prerouting**: `set firewall ipv6 output raw ...`. - As described in **Prerouting**, the firewall processes rules in this - section before the connection tracking subsystem. -- **Output Filter**: `set firewall ipv6 output filter ...`. The firewall - processes rules in this section after the connection tracking subsystem. - -:::{note} -**Important note about default-actions:** -If you do not define a default action for a base chain, the system sets -the default action to **accept** for that chain. For custom chains, if you -do not define a default action, the system sets the default-action to -**drop** -::: - -Create custom firewall chains using the commands -`set firewall ipv6 name <name> ...`. To use the custom chain, define a -rule with **action jump** and the appropriate **target** in a base chain. - -## Firewall - IPv6 Rules - -Create firewall rules for firewall filtering. Each rule is numbered and has -an action to apply when the rule is matched. You can specify multiple matching -criteria. Packets go through rules from 1 - 999999, so order is crucial. The -firewall executes the action of the first matching rule. - -### Actions - -If you define a rule, you must define an action for it. The action tells the -firewall what to do when all criteria for that rule are met. - -The action can be : - -> - `accept`: accept the packet. -> - `continue`: continue parsing next rule. -> - `drop`: drop the packet. -> - `reject`: reject the packet. -> - `jump`: jump to another custom chain. -> - `return`: Return from the current chain and continue at the next rule -> of the last chain. -> - `queue`: Enqueue packet to userspace. -> - `synproxy`: synproxy the packet. - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> action - [accept | continue | drop | jump | queue | reject | return | synproxy] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> action - [accept | continue | drop | jump | queue | reject | return | synproxy] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> action - [accept | continue | drop | jump | queue | reject | return] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action - [accept | continue | drop | jump | queue | reject | return] - - This required setting defines the action of the current rule. If you set - the action to jump, you must also define a jump-target. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - jump-target <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - jump-target <text> - - Use this command only when action is set to ``jump``. Specify the jump - target. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - queue <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - queue <0-65535> - - Use this command only when action is set to ``queue``. Specify the queue - target. Queue ranges are also supported. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - queue-options bypass -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - queue-options bypass - - Use this command only when action is set to ``queue``. This command allows - the packet to go through the firewall when no userspace software is connected - to the queue. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - queue-options fanout -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - queue-options fanout - - Use this command only when action is set to ``queue``. This command - distributes packets among multiple queues. -``` - -Also, **default-action** is an action that takes place whenever a packet does -not match any rule in its chain. For base chains, possible options for -**default-action** are **accept** or **drop**. - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter default-action - [accept | drop] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> default-action - [accept | drop | jump | queue | reject | return] - - Set the default action of the rule-set if a packet does not match any rule - criteria. If you set default-action to ``jump``, you must also define - ``default-jump-target``. For base chains, you can only set the default - action to ``accept`` or ``drop``. For custom chains, more actions are - available. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text> - - To be used only when ``default-action`` is set to ``jump``. Use this - command to specify the jump target for the default rule. -``` - -:::{note} -**Important note about default-actions:** -If you do not define the default action for a base chain, the system sets -the default action to **accept** for that chain. For custom chains, if you -do not define a default action, the system sets the default-action to -**drop**. -::: - -### Firewall Logs - -You can enable logging for each firewall rule. When enabled, you can also -define other log options. - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log - - Enable logging for matched packets. If this configuration command is not - present, logging is disabled. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter default-log -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> default-log - - Use this command to enable the logging of the default action on - the specified chain. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] - - Define log-level. Only applicable if rule log is enabled. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - log-options group <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - log-options group <0-65535> - - Define the log group to send messages to. Only applicable if rule log is - enabled. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - log-options snapshot-length <0-9000> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - log-options snapshot-length <0-9000> - - Define the length of packet payload to include in a netlink message. Only - applicable when rule logging is enabled and log group is defined. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - log-options queue-threshold <0-65535> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - log-options queue-threshold <0-65535> - - Define the number of packets to queue inside the kernel before sending them - to userspace. Only applicable when rule logging is enabled and log group is - defined. -``` - -### Firewall Description - -For reference, you can define descriptions on every rule and custom chain. - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> description <text> - - Provide a rule-set description to a custom firewall chain. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - description <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> description <text> - - Provide a description for each rule. -``` - -### Rule Status - -New rules are enabled by default. In some cases, you may want to disable a -rule rather than remove it. - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> disable -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> disable - - Command for disabling a rule but keep it in the configuration. -``` - -### Matching criteria - -There are a lot of matching criteria against which the packet can be tested. - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - connection-status nat [destination | source] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - connection-status nat [destination | source] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - connection-status nat [destination | source] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - connection-status nat [destination | source] - - Match packets based on NAT connection status. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - connection-mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - connection-mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - connection-mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - connection-mark <1-2147483647> - - Match packets based on connection mark. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination address [address | addressrange | CIDR] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination address [address | addressrange | CIDR] - - Match based on source or destination address. This is similar to network - groups, but you can negate the matching addresses here. - - .. code-block:: none - - set firewall ipv6 name FOO rule 100 source address 2001:db8::202 -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination address-mask [address] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination address-mask [address] - - Apply an arbitrary netmask to mask addresses and match only a specific - portion. This is useful for IPv6 because rules remain valid when the IPv6 - prefix changes if the host portion of the system's IPv6 address is static. - Examples include SLAAC and `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6- - identifiers-02.txt>`_ - - This function works for both individual addresses and address groups. - - .. stop_vyoslinter - .. code-block:: none - - # Match any IPv6 address with the suffix ::0000:0000:0000:beef - set firewall ipv6 forward filter rule 100 destination address ::beef - set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff - # Address groups - set firewall group ipv6-address-group WEBSERVERS address ::1000 - set firewall group ipv6-address-group WEBSERVERS address ::2000 - set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS - set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff - - .. start_vyoslinter -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination fqdn <fqdn> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination fqdn <fqdn> - - Specify a Fully Qualified Domain Name as source or destination to match. - Ensure that the router can resolve the DNS query. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination geoip country-code <country> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination geoip inverse-match -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination geoip inverse-match - - Match IP addresses based on their geolocation. For more information, see - `GeoIP matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_ - matching>`_. Use inverse-match to match anything except the specified - country codes. -``` - -DB-IP.com provides data under CC-BY-4.0 license. Attribution is required and -redistribution is permitted, allowing VyOS to include a database in images -(approximately 3 MB compressed). The package includes a cron script that you -can manually call through op-mode update geoip to keep the database and rules -updated. - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source mac-address <mac-address> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source mac-address <mac-address> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source mac-address <mac-address> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source mac-address <mac-address> - - You can specify only a source MAC address to match. - - .. code-block:: none - - set firewall ipv6 input filter rule 100 source mac-address 00:53:00:11:22:33 - set firewall ipv6 input filter rule 101 source mac-address !00:53:00:aa:12:34 -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination port [1-65535 | portname | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination port [1-65535 | portname | start-end] - - Specify a port by number or by name as defined in ``/etc/services``. - - .. code-block:: none - - set firewall ipv6 forward filter rule 10 source port '22' - set firewall ipv6 forward filter rule 11 source port '!http' - set firewall ipv6 forward filter rule 12 source port 'https' - - Multiple source ports can be specified as a comma-separated list. - The whole list can also be "negated" using ``!``. For example: - - .. code-block:: none - - set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338' -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination group address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination group address-group <name | !name> - - Specify an address group. You can prepend the character ``!`` to invert the - matching criteria. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination group dynamic-address-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination group dynamic-address-group <name | !name> - - Specify a dynamic address group. You can prepend the character ``!`` to - invert the matching criteria. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination group network-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination group network-group <name | !name> - - Specify a network group. You can prepend the character ``!`` to invert the - matching criteria. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination group port-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination group port-group <name | !name> - - Specify a port group. You can prepend the character ``!`` to invert the - matching criteria. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination group domain-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination group domain-group <name | !name> - - Specify a domain group. You can prepend the character ``!`` to invert the - matching criteria. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - source group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - source group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - source group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - source group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - destination group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - destination group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - destination group mac-group <name | !name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - destination group mac-group <name | !name> - - Specify a MAC group. You can prepend the character ``!`` to invert the - matching criteria. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - dscp [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - dscp [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - dscp [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - dscp [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - dscp-exclude [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - dscp-exclude [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - dscp-exclude [0-63 | start-end] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - dscp-exclude [0-63 | start-end] - - Match based on dscp value. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - fragment [match-frag | match-non-frag] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - fragment [match-frag | match-non-frag] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - fragment [match-frag | match-non-frag] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - fragment [match-frag | match-non-frag] - - Match packets based on fragmentation. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - icmpv6 [code | type] <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - icmpv6 [code | type] <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - icmpv6 [code | type] <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - icmpv6 [code | type] <0-255> - - Match packets based on ICMP or ICMPv6 code and type. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - icmpv6 type-name <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - icmpv6 type-name <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - icmpv6 type-name <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - icmpv6 type-name <text> - - Match based on ICMPv6 type-name. Press **Tab** for information about - supported **type-name** criteria. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - inbound-interface name <iface> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - inbound-interface name <iface> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - inbound-interface name <iface> - - Match based on inbound interface. You can use the wildcard ``*``. For - example: ``eth2*``. You can prepend the character ``!`` to invert the - matching criteria. For example ``!eth2`` -``` - -:::{note} -If an interface is attached to a non-default VRF, when using -**inbound-interface**, use the VRF name. For example: -`set firewall ipv6 forward filter rule 10 inbound-interface name MGMT` -::: - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - inbound-interface group <iface_group> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - inbound-interface group <iface_group> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - inbound-interface group <iface_group> - - Match based on the inbound interface group. You can prepend the character - ``!`` to invert the matching criteria. For example ``!IFACE_GROUP`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - outbound-interface name <iface> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - outbound-interface name <iface> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - outbound-interface name <iface> - - Match based on outbound interface. You can use the wildcard ``*``. For - example: ``eth2*``. You can prepend the character ``!`` to invert the - matching criteria. For example ``!eth2`` -``` - -:::{note} -If an interface is attached to a non-default VRF, when using -**outbound-interface**, use the physical interface name. For example: -`set firewall ipv6 forward filter rule 10 outbound-interface name eth0` -::: - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - outbound-interface group <iface_group> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - outbound-interface group <iface_group> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - outbound-interface group <iface_group> - - Match based on outbound interface group. You can prepend the character ``!`` - to invert the matching criteria. For example ``!IFACE_GROUP`` -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - ipsec [match-ipsec-in | match-none-in] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - ipsec [match-ipsec-out | match-none-out] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] - - Match packets based on IPsec. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - limit burst <0-4294967295> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - limit burst <0-4294967295> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - limit burst <0-4294967295> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - limit burst <0-4294967295> - - Match based on the maximum number of packets allowed to exceed the rate - limit. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - limit rate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - limit rate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - limit rate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - limit rate <text> - - Match based on the maximum average rate, specified as ``integer/unit``. - For example, specify ``5/minutes``. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - packet-length <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - packet-length <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - packet-length <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - packet-length <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - packet-length-exclude <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - packet-length-exclude <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - packet-length-exclude <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - packet-length-exclude <text> - - Match based on packet length. You can specify multiple values from 1 to - 65535 and ranges. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - packet-type [broadcast | host | multicast | other] - - Match based on packet type. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] - - Match based on protocol number or name as defined in ``/etc/protocols``. - Specify ``all`` for all protocols and ``tcp_udp`` for TCP and UDP packets. - Prepend ``!`` to negate the protocol selection. - - .. code-block:: none - - set firewall ipv6 input filter rule 10 protocol tcp -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - recent time [second | minute | hour] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - recent time [second | minute | hour] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - recent time [second | minute | hour] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - recent time [second | minute | hour] - - Match packets based on recently seen sources. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - tcp flags [not] <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - tcp flags [not] <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - tcp flags [not] <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - tcp flags [not] <text> - - Allowed values for TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, - ``rst``, ``syn``, and ``urg``. You can specify multiple values. To invert - the selection, use ``not``, as shown in the following example. - - .. code-block:: none - - set firewall ipv6 input filter rule 10 tcp flags 'ack' - set firewall ipv6 input filter rule 12 tcp flags 'syn' - set firewall ipv6 input filter rule 13 tcp flags not 'fin' -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - state [established | invalid | new | related] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - state [established | invalid | new | related] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - state [established | invalid | new | related] -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - state [established | invalid | new | related] - - Match based on packet state. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - time startdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - time startdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - time startdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - time startdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - time starttime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - time starttime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - time starttime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - time starttime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - time stopdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - time stopdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - time stopdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - time stopdate <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - time stoptime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - time stoptime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - time stoptime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - time stoptime <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - time weekdays <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - time weekdays <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - time weekdays <text> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - time weekdays <text> - - Match packets based on time criteria. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - hop-limit <eq | gt | lt> <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - hop-limit <eq | gt | lt> <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - hop-limit <eq | gt | lt> <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - hop-limit <eq | gt | lt> <0-255> - - Match the hop-limit parameter. Use ``eq`` for equal, ``gt`` for greater than, - and ``lt`` for less than. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - recent count <1-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - recent time <second | minute | hour> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - recent time <second | minute | hour> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - recent time <second | minute | hour> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - recent time <second | minute | hour> - - Match when the specified number of connections occur within the specified - time period. Use these criteria to block brute-force attempts. -``` - -### Packet Modifications - -The firewall can modify packets before sending them. -This feature provides more flexibility for packet handling. - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> - set dscp <0-63> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - set dscp <0-63> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> - set dscp <0-63> - - Set a specific value of Differentiated Services Codepoint (DSCP). -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> - set mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - set mark <1-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> - set mark <1-2147483647> - - Set a specific packet mark value. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> - set tcp-mss <500-1460> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - set tcp-mss <500-1460> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> - set tcp-mss <500-1460> - - Set the TCP-MSS (TCP maximum segment size) for the connection. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> - set hop-limit <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - set hop-limit <0-255> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> - set hop-limit <0-255> - - Set hop limit value. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - set connection-mark <0-2147483647> -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> - set connection-mark <0-2147483647> - - Set connection mark value. -``` - -## Synproxy - -Synproxy connections - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> - action synproxy -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> - protocol tcp -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> - synproxy tcp mss <501-65535> - - Set the TCP MSS (maximum segment size) for the connection. -``` - -```{eval-rst} -.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> - synproxy tcp window-scale <1-14> - - Set the window scale factor for TCP window scaling. -``` - -### Example synproxy - -Requirements to enable synproxy: - -> - Traffic must be symmetric -> - Synproxy relies on syncookies and TCP timestamps, ensure these are enabled -> - Disable conntrack loose track option - -```none -set system sysctl parameter net.ipv4.tcp_timestamps value '1' - -set system conntrack tcp loose disable -set system conntrack ignore ipv6 rule 10 destination port '8080' -set system conntrack ignore ipv6 rule 10 protocol 'tcp' -set system conntrack ignore ipv6 rule 10 tcp flags syn - -set firewall global-options syn-cookies 'enable' -set firewall ipv6 input filter rule 10 action 'synproxy' -set firewall ipv6 input filter rule 10 destination port '8080' -set firewall ipv6 input filter rule 10 inbound-interface name 'eth1' -set firewall ipv6 input filter rule 10 protocol 'tcp' -set firewall ipv6 input filter rule 10 synproxy tcp mss '1460' -set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7' -set firewall ipv6 input filter rule 1000 action 'drop' -set firewall ipv6 input filter rule 1000 state invalid -``` - -## Operation-mode Firewall - -### Rule-set overview - -```{eval-rst} -.. opcmd:: show firewall - - Show a basic firewall overview for all rule-sets, not only for IPv6: - - .. code-block:: none - - vyos@vyos:~$ show firewall - Rulesets Information - - --------------------------------- - IPv4 Firewall "forward filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ----------------------------------------- - 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT - 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN - 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN - default accept all - - --------------------------------- - IPv4 Firewall "name VyOS_MANAGEMENT" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- -------------------------------- - 5 accept all 0 0 ct state established accept - 10 drop all 0 0 ct state invalid - 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept - 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept - 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept - 50 accept icmp 0 0 meta l4proto icmp accept - default drop all 0 0 - - --------------------------------- - IPv6 Firewall "forward filter" - - Rule Action Protocol - ------- -------- ---------- - 5 jump all - 10 jump all - 15 jump all - default accept all - - --------------------------------- - IPv6 Firewall "input filter" - - Rule Action Protocol - ------- -------- ---------- - 5 jump all - default accept all - - --------------------------------- - IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT" - - Rule Action Protocol - ------- -------- ---------- - 5 accept all - 10 drop all - 20 accept all - 30 accept all - 40 accept all - 50 accept ipv6-icmp - default drop all -``` - -```{eval-rst} -.. opcmd:: show firewall summary - - This will show you a summary of rule-sets and groups - - .. code-block:: none - - vyos@vyos:~$ show firewall summary - Ruleset Summary - - IPv6 Ruleset: - - Ruleset Hook Ruleset Priority Description - -------------- -------------------- ------------------------- - forward filter - input filter - ipv6_name IPV6-VyOS_MANAGEMENT - ipv6_name IPV6-WAN_IN PUBLIC_INTERNET - - IPv4 Ruleset: - - Ruleset Hook Ruleset Priority Description - -------------- ------------------ ------------------------- - forward filter - input filter - name VyOS_MANAGEMENT - name WAN_IN PUBLIC_INTERNET - - Firewall Groups - - Name Type References Members - ----------------------- ------------------ ----------------------- ---------------- - PBX address_group WAN_IN-100 198.51.100.77 - SERVERS address_group WAN_IN-110 192.0.2.10 - WAN_IN-111 192.0.2.11 - WAN_IN-112 192.0.2.12 - WAN_IN-120 - WAN_IN-121 - WAN_IN-122 - SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 - WAN_IN-20 - PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 - PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 - WAN_IN-171 - PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 - SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 - IPV6-WAN_IN-111 2001:db8::3 - IPV6-WAN_IN-112 2001:db8::4 - IPV6-WAN_IN-120 - IPV6-WAN_IN-121 - IPV6-WAN_IN-122 - SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 - IPV6-WAN_IN-20 - -``` - -```{eval-rst} -.. opcmd:: show firewall ipv6 [forward | input | output] filter -``` - -```{eval-rst} -.. opcmd:: show firewall ipv6 ipv6-name <name> - - This command will give an overview of a single rule-set. - - .. code-block:: none - - vyos@vyos:~$ show firewall ipv6 input filter - Ruleset Information - - --------------------------------- - ipv6 Firewall "input filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ------------------------------------------------------------------------------ - 10 jump all 13 1456 iifname "eth1" jump NAME6_INP-ETH1 - 20 accept ipv6-icmp 10 1112 meta l4proto ipv6-icmp iifname "eth0" prefix "[ipv6-INP-filter-20-A]" accept - default accept all 14 1584 - - vyos@vyos:~$ -``` - -```{eval-rst} -.. opcmd:: show firewall ipv6 [forward | input | output] - filter rule <1-999999> -``` - -```{eval-rst} -.. opcmd:: show firewall ipv6 name <name> rule <1-999999> -``` - -```{eval-rst} -.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set -``` - -```{eval-rst} -.. opcmd:: show firewall group <name> - - Show an overview of defined groups, including the type, members, and where - the group is used. - - .. code-block:: none - - vyos@vyos:~$ show firewall group LAN - Firewall Groups - - Name Type References Members - ------------ ------------------ ----------------------- ---------------- - LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64 - IPV6-WAN_IN-30 - LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24 - WAN_IN-30 - -``` - -```{eval-rst} -.. opcmd:: show firewall statistics - - Show statistics of all rule-sets since the last boot. -``` - -### Show Firewall log - -```{eval-rst} -.. opcmd:: show log firewall -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv6 -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv6 [forward | input | output | name] -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv6 [forward | input | output] filter -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv6 name <name> -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv6 [forward | input | output] filter rule <rule> -``` - -```{eval-rst} -.. opcmd:: show log firewall ipv6 name <name> rule <rule> - - Show firewall logs for all firewalls, all IPv6 firewalls, specific hooks, - specific priorities, specific custom chains, or specific rule-sets. -``` - -### Example Partial Config - -```none -firewall { - ipv6 { - input { - filter { - rule 10 { - action jump - inbound-interface { - name eth1 - } - jump-target INP-ETH1 - } - rule 20 { - action accept - inbound-interface { - name eth0 - } - log - protocol ipv6-icmp - } - } - } - name INP-ETH1 { - default-action drop - default-log - rule 10 { - action accept - protocol tcp_udp - } - } - } -} -``` - -### Update geoip database - -```{eval-rst} -.. opcmd:: update geoip - - Command used to update GeoIP database and firewall sets. -``` diff --git a/docs/configuration/firewall/md-zone.md b/docs/configuration/firewall/md-zone.md deleted file mode 100644 index 948c5b43..00000000 --- a/docs/configuration/firewall/md-zone.md +++ /dev/null @@ -1,221 +0,0 @@ ---- -lastproofread: '2026-03-30' ---- - -(firewall-zone)= - -# Zone-Based Firewall - -## Overview - -:::{note} -All VyOS versions built after 2023-10-22 (VyOS 1.4 and 1.5) support -this feature. -::: - -This section provides information on firewall configuration for the -zone-based firewall. This section covers the following configuration -commands: - -```{eval-rst} -.. cfgcmd:: set firewall zone ... -``` - -To learn about the general traffic flow in VyOS firewalls, -see {doc}`Firewall </configuration/firewall/index>`. - -```none -- set firewall - * zone - - custom_zone_name - + ... -``` - -In zone-based policy, you assign interfaces to zones and apply inspection -policy to traffic moving between zones. The firewall acts on traffic -according to rules. A zone is a group of interfaces that have similar -functions or features. It establishes the security borders of a network. -A zone defines a boundary where the system subjects traffic to policy -restrictions as it crosses to another region of a network. - -Key Points: - -- A zone must be configured before you assign an interface to it, and you - can assign an interface to only a single zone. -- All traffic to and from an interface within a zone flows freely. -- Existing policies affect all traffic between zones. -- Traffic cannot flow between a zone member interface and any interface that - is not a zone member. -- You must define 2 separate firewalls to define traffic: one for each - direction. - -:::{note} -In {vytask}`T2199` the syntax of the zone configuration was changed. -The zone configuration moved from `zone-policy zone <name>` to `firewall -zone <name>`. -::: - -## Configuration - -As an alternative to applying policy to an interface directly, you can -create a zone-based firewall to simplify configuration when multiple -interfaces belong to the same security zone. Instead of applying rule-sets -to interfaces, you apply them to source-destination zone pairs. - -You can find a basic introduction to zone-based firewalls in the -[VyOS Knowledge Base](https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall), -and an example at {ref}`examples-zone-policy`. - -The following steps are required to create a zone-based firewall: - -1. Define both the source and destination zones -2. Define the rule-set -3. Apply the rule-set to the zones - -### Define a Zone - -To define a zone, set up either one with interfaces or as the local zone. - -```{eval-rst} -.. cfgcmd:: set firewall zone <name> interface <interface> - - Assign interfaces as a member of a zone. - - .. note:: - - * An interface can only be a member of one zone. - * You can have multiple interfaces in a zone. Traffic between - interfaces in the same zone follows the intra-zone-filtering - policy (allowed by default). -``` - -```{eval-rst} -.. cfgcmd:: set firewall zone <name> local-zone - - Define the zone as the local zone for traffic that originates from or is - destined to the router itself. - - .. note:: - - * A local zone cannot have any member interfaces - * You cannot have multiple local zones -``` - -```{eval-rst} -.. cfgcmd:: set firewall zone <name> default-action [drop | reject] - - Modify the zone default-action, which applies to traffic destined to this - zone that does not match any of the source zone rulesets applied. -``` - -```{eval-rst} -.. cfgcmd:: set firewall zone <name> default-log - - Enable logging of packets that match this zone's default-action (disabled - by default). -``` - -```{eval-rst} -.. cfgcmd:: set firewall zone <name> description - - Add a meaningful description. -``` - -### Defining a Rule-Set - -Zone-based firewall rule-sets define traffic from a *Source Zone* to a -*Destination Zone*. - -You create rule-sets as a custom firewall chain using the commands below -(refer to the firewall IPv4/IPv6 sections for the full syntax): - -- For {ref}`IPv4<configuration/firewall/ipv4:Firewall - IPv4 Rules>`: - `set firewall ipv4 name <name> ...` -- For {ref}`IPv6<configuration/firewall/ipv6:Firewall - IPv6 Rules>`: - `set firewall ipv6 name <name> ...` - -It is helpful to name the rule-sets in the format -`<Source Zone>-<Destination Zone>-<v4 | v6>` to make them easily -identifiable. - -### Applying a Rule-Set to a Zone - -After you define a rule-set, apply it to the source and destination zones. -The configuration syntax anchors to the destination zone, with each of the -source zone rule-sets listed against the destination. - -```{eval-rst} -.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> - firewall name <ipv4-rule-set-name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> - firewall ipv6-name <ipv6-rule-set-name> -``` - -You should create two rule-sets for each source-destination zone -pair. - -```none -set firewall zone DMZ from LAN firewall name LAN-DMZ-v4 -set firewall zone LAN from DMZ firewall name DMZ-LAN-v4 -``` - -### Applying a Default Rule-Set to a Zone - -When a destination zone shares a common rule-set for multiple source zones, -or when you require a complex set of default policies, you can apply an -optional default rule-set. The default rule-set applies to all zones that do -not have a rule-set configured as defined in -{ref}`IPv4<configuration/firewall/zone:Applying a Rule-Set to a Zone>` - -```{eval-rst} -.. cfgcmd:: set firewall zone <Destination Zone> default-firewall name - <ipv4-rule-set-name> -``` - -```{eval-rst} -.. cfgcmd:: set firewall zone <Destination Zone> default-firewall ipv6-name - <ipv6-rule-set-name> -``` - -## Operation-mode - -```{eval-rst} -.. opcmd:: show firewall zone-policy - - Display a basic summary of the zone configuration. - - .. code-block:: none - - vyos@vyos:~$ show firewall zone-policy - Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 - ------ ------------ ----------- --------------- --------------- - LAN eth1 WAN WAN-LAN-v4 - eth2 - LOCAL LOCAL LAN LAN-LOCAL-v4 - WAN WAN-LOCAL-v4 WAN-LOCAL-v6 - WAN eth3 LAN LAN-WAN-v4 - eth0 LOCAL LOCAL-WAN-v4 -``` - -```{eval-rst} -.. opcmd:: show firewall zone-policy zone <zone> - - Display a basic summary of a particular zone. - - .. code-block:: none - - vyos@vyos:~$ show firewall zone-policy zone WAN - Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 - ------ ------------ ----------- --------------- --------------- - WAN eth3 LAN LAN-WAN-v4 - eth0 LOCAL LOCAL-WAN-v4 - - vyos@vyos:~$ show firewall zone-policy zone LOCAL - Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 - ------ ------------ ----------- --------------- --------------- - LOCAL LOCAL LAN LAN-LOCAL-v4 - WAN WAN-LOCAL-v4 WAN-LOCAL-v6 -``` diff --git a/docs/configuration/highavailability/md-index.md b/docs/configuration/highavailability/md-index.md deleted file mode 100644 index d5d8f390..00000000 --- a/docs/configuration/highavailability/md-index.md +++ /dev/null @@ -1,527 +0,0 @@ ---- -lastproofread: '2021-06-30' ---- - -(high-availability)= - -# High availability - -VRRP (Virtual Router Redundancy Protocol) provides active/backup redundancy for -routers. Every VRRP router has a physical IP/IPv6 address, and a virtual -address. On startup, routers elect the master, and the router with the highest -priority becomes the master and assigns the virtual address to its interface. -All routers with lower priorities become backup routers. The master then starts -sending keepalive packets to notify other routers that it's available. If the -master fails and stops sending keepalive packets, the router with the next -highest priority becomes the new master and takes over the virtual address. - -VRRP keepalive packets use multicast, and VRRP setups are limited to a single -datalink layer segment. You can setup multiple VRRP groups -(also called virtual routers). Virtual routers are identified by a -VRID (Virtual Router IDentifier). If you setup multiple groups on the same -interface, their VRIDs must be unique if they use the same address family, -but it's possible (even if not recommended for readability reasons) to use -duplicate VRIDs on different interfaces. - -## Basic setup - -VRRP groups are created with the -`set high-availability vrrp group $GROUP_NAME` commands. The required -parameters are interface, vrid, and address. - -minimal config - -```none -set high-availability vrrp group Foo vrid 10 -set high-availability vrrp group Foo interface eth0 -set high-availability vrrp group Foo address 192.0.2.1/24 -``` - -You can verify your VRRP group status with the operational mode -`run show vrrp` command: - -```none -vyos@vyos# run show vrrp -Name Interface VRID State Last Transition ----------- ----------- ------ ------- ----------------- -Foo eth1 10 MASTER 2s -``` - -## IPv6 support - -The `address` parameter can be either an IPv4 or IPv6 address, but you can -not mix IPv4 and IPv6 in the same group, and will need to create groups with -different VRIDs specially for IPv4 and IPv6. -If you want to use IPv4 + IPv6 address you can use option `excluded-address` - -## Address - -The `address` can be configured either on the VRRP interface or on not VRRP -interface. - -```none -set high-availability vrrp group Foo address 192.0.2.1/24 -set high-availability vrrp group Foo address 203.0.113.22/24 interface eth2 -set high-availability vrrp group Foo address 198.51.100.33/24 interface eth3 -``` - -## Disabling a VRRP group - -You can disable a VRRP group with `disable` option: - -```none -set high-availability vrrp group Foo disable -``` - -A disabled group will be removed from the VRRP process and your router will not -participate in VRRP for that VRID. It will disappear from operational mode -commands output, rather than enter the backup state. - -## Exclude address - -Exclude IP addresses from `VRRP packets`. This option `excluded-address` is -used when you want to set IPv4 + IPv6 addresses on the same virtual interface -or when used more than 20 IP addresses. - -```none -set high-availability vrrp group Foo excluded-address '203.0.113.254/24' -set high-availability vrrp group Foo excluded-address '2001:db8:aa::1/64' -set high-availability vrrp group Foo excluded-address '2001:db8:22::1/64' -``` - -## Setting VRRP group priority - -VRRP priority can be set with `priority` option: - -```none -set high-availability vrrp group Foo priority 200 -``` - -The priority must be an integer number from 1 to 255. Higher priority value -increases router's precedence in the master elections. - -## Sync groups - -A sync group allows VRRP groups to transition together. - -```none -edit high-availability vrrp -set sync-group MAIN member VLAN9 -set sync-group MAIN member VLAN20 -``` - -In the following example, when VLAN9 transitions, VLAN20 will also transition: - -```none -vrrp { - group VLAN9 { - interface eth0.9 - address 10.9.1.1/24 - priority 200 - vrid 9 - } - group VLAN20 { - interface eth0.20 - priority 200 - address 10.20.20.1/24 - vrid 20 - } - sync-group MAIN { - member VLAN20 - member VLAN9 - } -} -``` - -:::{warning} -All items in a sync group should be similarly configured. -If one VRRP group is set to a different preemption delay or priority, -it would result in an endless transition loop. -::: - -## Preemption - -VRRP can use two modes: preemptive and non-preemptive. In the preemptive mode, -if a router with a higher priority fails and then comes back, routers with lower -priority will give up their master status. In non-preemptive mode, the newly -elected master will keep the master status and the virtual address indefinitely. - -By default VRRP uses preemption. You can disable it with the "no-preempt" -option: - -```none -set high-availability vrrp group Foo no-preempt -``` - -You can also configure the time interval for preemption with the "preempt-delay" -option. For example, to set the higher priority router to take over in 180 -seconds, use: - -```none -set high-availability vrrp group Foo preempt-delay 180 -``` - -## Track - -Track option to track non VRRP interface states. VRRP changes status to -`FAULT` if one of the track interfaces in state `down`. - -```none -set high-availability vrrp group Foo track interface eth0 -set high-availability vrrp group Foo track interface eth1 -``` - -Ignore VRRP main interface faults - -```none -set high-availability vrrp group Foo track exclude-vrrp-interface -``` - -## Unicast VRRP - -By default VRRP uses multicast packets. If your network does not support -multicast for whatever reason, you can make VRRP use unicast communication -instead. - -```none -set high-availability vrrp group Foo peer-address 192.0.2.10 -set high-availability vrrp group Foo hello-source-address 192.0.2.15 -``` - -## rfc3768-compatibility - -RFC 3768 defines a virtual MAC address to each VRRP virtual router. -This virtual router MAC address will be used as the source in all periodic VRRP -messages sent by the active node. When the rfc3768-compatibility option is set, -a new VRRP interface is created, to which the MAC address and the virtual IP -address is automatically assigned. - -```none -set high-availability vrrp group Foo rfc3768-compatibility -``` - -Verification - -```none -$show interfaces ethernet eth0v10 -eth0v10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue -state UP group default qlen 1000 -link/ether 00:00:5e:00:01:0a brd ff:ff:ff:ff:ff:ff -inet 172.25.0.247/16 scope global eth0v10 -valid_lft forever preferred_lft forever -``` - -:::{warning} -RFC 3768 creates a virtual interface. If you want to apply -the destination NAT rule to the traffic sent to the virtual MAC, set -the created virtual interface as `inbound-interface`. -::: - -## Global options - -On most scenarios, there's no need to change specific parameters, and using -default configuration is enough. But there are cases were extra configuration -is needed. - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp global-parameters startup_delay <1-600> - - This option specifies a delay in seconds before vrrp instances start up - after keepalived starts. -``` - -## Gratuitous ARP - -These configuration is not mandatory and in most cases there's no -need to configure it. But if necessary, Gratuitous ARP can be configured in -`global-parameters` and/or in `group` section. - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp global-parameters garp interval - <0.000-1000> -``` - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp group <name> garp interval <0.000-1000> - - Set delay between gratuitous ARP messages sent on an interface. - - 0 if not defined. -``` - - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp global-parameters garp master-delay <1-255> -``` - - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp group <name> garp master-delay <1-255> - - Set delay for second set of gratuitous ARPs after transition to MASTER. - - 5 if not defined. -``` - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp global-parameters garp master-refresh - <1-600> -``` - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp group <name> garp master-refresh - <1-600> - - Set minimum time interval for refreshing gratuitous ARPs while MASTER. - - 0 if not defined, which means no refreshing. -``` - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp global-parameters garp - master-refresh-repeat <1-600> -``` - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp group <name> garp - master-refresh-repeat <1-600> - - Set number of gratuitous ARP messages to send at a time while MASTER. - - 1 if not defined. -``` - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp global-parameters garp master-repeat - <1-600> -``` - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp group <name> garp master-repeat - <1-600> - - Set number of gratuitous ARP messages to send at a time after transition to - MASTER. - - 5 if not defined. -``` - -## Version - -```{eval-rst} -.. cfgcmd:: set high-availability vrrp global-parameters version 2|3 - - Set the default VRRP version to use. This defaults to 2, but IPv6 instances - will always use version 3. -``` - -## Scripting - -VRRP functionality can be extended with scripts. VyOS supports two kinds of -scripts: health check scripts and transition scripts. Health check scripts -execute custom checks in addition to the master router reachability. Transition -scripts are executed when VRRP state changes from master to backup or fault and -vice versa and can be used to enable or disable certain services, for example. - -:::{note} -Simply placing script files in `/config/scripts/` does not mean the -system can execute them. To make custom scripts executable, grant them -**execute permissions**. Use the following command: - -```none -chmod +x /config/scripts/script-name.sh -``` -::: - -:::{warning} -It is not recommended to change VRRP configuration -inside health-check and transition scripts. -::: - -### Health check scripts - -There is the ability to run an arbitrary script at regular intervals -according to health-check parameters. If a script returns 0, it -indicates success. If a script returns anything else, it will indicate -that the VRRP instance should enter the FAULT state. - -This setup will make the VRRP process execute the -`/config/scripts/vrrp-check.sh script` every 60 seconds, and transition the -group to the fault state if it fails (i.e. exits with non-zero status) three -times: - - -```none -set high-availability vrrp group Foo health-check script /config/scripts/vrrp-check.sh -set high-availability vrrp group Foo health-check interval 60 -set high-availability vrrp group Foo health-check failure-count 3 -``` - - -When the vrrp group is a member of the sync group will use only -the sync group health check script. -This example shows how to configure it for the sync group: - - -```none -set high-availability vrrp sync-group Bar health-check script /config/scripts/vrrp-check.sh -set high-availability vrrp sync-group Bar health-check interval 60 -set high-availability vrrp sync-group Bar health-check failure-count 3 -``` - - -### Transition scripts - -Transition scripts can help you implement various fixups, such as starting and -stopping services, or even modifying the VyOS config on VRRP transition. -This setup will make the VRRP process execute the -`/config/scripts/vrrp-fail.sh` with argument `Foo` when VRRP fails, -and the `/config/scripts/vrrp-master.sh` when the router becomes the master: - - -```none -set high-availability vrrp group Foo transition-script backup "/config/scripts/vrrp-fail.sh Foo" -set high-availability vrrp group Foo transition-script fault "/config/scripts/vrrp-fail.sh Foo" -set high-availability vrrp group Foo transition-script master "/config/scripts/vrrp-master.sh Foo" -``` - - -To know more about scripting, check the {ref}`command-scripting` section. - -## Virtual-server - -```{include} /_include/need_improvement.txt -``` - -Virtual Server allows to Load-balance traffic destination virtual-address:port -between several real servers. - -### Algorithm - -Load-balancing schedule algorithm: - -- round-robin -- weighted-round-robin -- least-connection -- weighted-least-connection -- source-hashing -- destination-hashing -- locality-based-least-connection - -```none -set high-availability virtual-server 203.0.113.1 algorithm 'least-connection' -``` - -### Forward method - -- NAT -- direct -- tunnel - -```none -set high-availability virtual-server 203.0.113.1 forward-method 'nat' -``` - -### Health-check - -Custom health-check script allows checking real-server availability - - -```none -set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script <path-to-script> -``` - - -### Fwmark - -Firewall mark. It possible to loadbalancing traffic based on `fwmark` value - -```none -set high-availability virtual-server 203.0.113.1 fwmark '111' -``` - -### Real server - -Real server IP address and port - - -```none -set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '80' -``` - - -### Example - -Virtual-server can be configured with VRRP virtual address or without VRRP. - -In the next example all traffic destined to `203.0.113.1` and port `8280` -protocol TCP is balanced between 2 real servers `192.0.2.11` and -`192.0.2.12` to port `80` - -Real server is auto-excluded if port check with this server fail. - - -```none -set interfaces ethernet eth0 address '203.0.113.11/24' -set interfaces ethernet eth1 address '192.0.2.1/24' -set high-availability vrrp group FOO interface 'eth0' -set high-availability vrrp group FOO no-preempt -set high-availability vrrp group FOO priority '150' -set high-availability vrrp group FOO address '203.0.113.1/24' -set high-availability vrrp group FOO vrid '10' - -set high-availability virtual-server 203.0.113.1 algorithm 'source-hashing' -set high-availability virtual-server 203.0.113.1 delay-loop '10' -set high-availability virtual-server 203.0.113.1 forward-method 'nat' -set high-availability virtual-server 203.0.113.1 persistence-timeout '180' -set high-availability virtual-server 203.0.113.1 port '8280' -set high-availability virtual-server 203.0.113.1 protocol 'tcp' -set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '80' -set high-availability virtual-server 203.0.113.1 real-server 192.0.2.12 port '80' -``` - - -A firewall mark `fwmark` allows using multiple ports for high-availability -virtual-server. -It uses fwmark value. - -In this example all traffic destined to ports "80, 2222, 8888" protocol TCP -marks to fwmark "111" and balanced between 2 real servers. -Port "0" is required if multiple ports are used. - - -```none -set interfaces ethernet eth0 address 'dhcp' -set interfaces ethernet eth0 description 'WAN' -set interfaces ethernet eth1 address '192.0.2.1/24' -set interfaces ethernet eth1 description 'LAN' - -set policy route PR interface 'eth0' -set policy route PR rule 10 destination port '80,2222,8888' -set policy route PR rule 10 protocol 'tcp' -set policy route PR rule 10 set mark '111' - -set high-availability virtual-server vyos fwmark '111' -set high-availability virtual-server vyos protocol 'tcp' -set high-availability virtual-server vyos real-server 192.0.2.11 health-check script '/config/scripts/check-real-server-first.sh' -set high-availability virtual-server vyos real-server 192.0.2.11 port '0' -set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh' -set high-availability virtual-server vyos real-server 192.0.2.12 port '0' - -set nat source rule 100 outbound-interface name 'eth0' -set nat source rule 100 source address '192.0.2.0/24' -set nat source rule 100 translation address 'masquerade' -``` - - -Op-mode check virtual-server status - -```none -vyos@r14:~$ run show virtual-server -IP Virtual Server version 1.2.1 (size=4096) -Prot LocalAddress:Port Scheduler Flags - -> RemoteAddress:Port Forward Weight ActiveConn InActConn -FWM 111 lc persistent 300 - -> 192.0.2.11:0 Masq 1 0 0 - -> 192.0.2.12:0 Masq 1 1 0 -``` diff --git a/docs/configuration/interfaces/md-bonding.md b/docs/configuration/interfaces/md-bonding.md deleted file mode 100644 index 4538b145..00000000 --- a/docs/configuration/interfaces/md-bonding.md +++ /dev/null @@ -1,753 +0,0 @@ ---- -lastproofread: '2025-12-09' ---- - -(bond-interface)= - -# Bond / link aggregation - -A **bonding interface** aggregates multiple network interfaces into a single -logical interface (referred to as a bond, {abbr}`LAG (Link Aggregation Group)`, -EtherChannel, or port-channel). - -The behavior of a bonding interface depends on the selected mode. Modes provide -either fault tolerance or a combination of load balancing and fault tolerance. -Additionally, the bonding interface can be configured for link integrity -monitoring. - -## Configuration - -### Common interface configuration - -```{eval-rst} -.. cmdincludemd:: /_include/interface-common-with-dhcp.txt - :var0: bonding - :var1: bond0 -``` - -### Member interfaces - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> member interface <member> - - **Add an interface to the bonding group.** - - **Example:** - - To configure eth0 and eth1 as members of the bonding interface bond0, execute - the following commands: -``` - -```none -set interfaces bonding bond0 member interface eth0 -set interfaces bonding bond0 member interface eth1 -``` - -### Bond modes - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> mode <802.3ad | active-backup | - broadcast | round-robin | transmit-load-balance | adaptive-load-balance | - xor-hash> - - **Configure the bonding mode on the interface. The default mode is** - ``802.3ad``. - - The available modes are: - - * ``802.3ad`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - IEEE 802.3ad Dynamic Link Aggregation. Groups only member interfaces with - the same speed (e.g., 1 Gbps) and duplex settings. Member interfaces with - different speed and duplex settings are not included in the active bond. - - Provides load balancing and fault tolerance. Uses the {abbr}`LACP (Link - Aggregation Control Protocol)` to negotiate the bond with the switch. - * - **Traffic distribution:** - - Traffic is distributed according to the **transmit hash policy** - (default: XOR). - - The bonding driver applies an XOR operation to specific packet header fields, - generating a hash value that maps to a particular member interface. This - ensures the same network flow is consistently transmitted over the same member - interface. - - The transmit hash policy is configured via the ``hash-policy`` option. - * - **Failover:** - - If a member interface fails, the hash is recalculated to distribute - traffic among the remaining active member interfaces. - - .. note:: Not all transmit hash policies comply with 802.3ad, particularly - section 43.2.4. Using a non-compliant policy may result in out-of-order - packet delivery. - - * ``active-backup`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides fault tolerance. Only one member interface is active at a time. - Other member interfaces remain in a standby mode. - * - **Traffic distribution:** - - All traffic (incoming and outgoing) is routed via one active member interface. - * - **Failover:** - - If the designated member interface fails, all traffic is routed to - another member interface. The bonding driver sends a Gratuitous ARP - to update the peer's MAC address table, linking the bond's MAC address - to another physical port. - - * ``broadcast`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides maximum fault tolerance by duplicating traffic. - * - **Traffic distribution:** - - Every packet is duplicated and transmitted on **all** member interfaces. - * - **Failover:** - - Traffic flow is not interrupted as long as at least one member interface - remains active. - - * ``round-robin`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides load balancing and fault tolerance. - * - **Traffic distribution:** - - Packets are transmitted in sequential order across the member interfaces - (e.g., packet 1 > interface A, packet 2 > interface B, etc.). - * - **Failover:** - - If a member interface fails, the sequence skips the failed interface and - continues with the remaining active members. - - * ``transmit-load-balance`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides adaptive transmit load balancing and fault tolerance. - * - **Traffic distribution:** - - **Outgoing:** Distributed across all active member interfaces based on - the current load. - - **Incoming:** Received by a designated member interface (active receiver). - * - **Failover:** - - If the active receiver fails, another member interface takes over as the new - active receiver. - - * ``adaptive-load-balance`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Provides adaptive transmit load balancing identical to - ``transmit-load-balance``, receive load balancing for IPv4 traffic, and fault - tolerance for both incoming and outgoing traffic. - * - **Traffic distribution:** - - **Outgoing:** Identical to ``transmit-load-balance``. - - **Incoming:** Distributed based on ARP manipulation. For both local and remote - connections, the bonding driver intercepts ARP traffic and changes the source - MAC address to the MAC address of the least loaded member interface. - - All traffic from that peer is then routed to the chosen member interface. - * - **Failover:** - - If a member interface's state changes (fails, recovers, is added, or excluded), - the traffic is redistributed among all active member interfaces. - - * ``xor-hash``: Provides load balancing and fault tolerance based on a hash formula. - Distributes traffic and handles failover identically to ``802.3ad``, but operates - without the {abbr}`LACP (Link Aggregation Control Protocol)`. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> min-links <0-16> - - **Configure how many member interfaces must be active (in the link-up state) to - mark the bonding interface UP (carrier asserted).** - - This command applies only when the bonding interface is configured in 802.3ad - mode and functions like the Cisco EtherChannel min-links feature. It ensures - that a bonding interface is marked UP (carrier asserted) only when a specified - number of member interfaces are active (in the link-up state). This helps - guarantee a minimum level of bandwidth for higher-level services (such as - clustering) relying on the bonding interface. - - The default value is 0. This marks the bonding interface UP (carrier asserted) - whenever an active LACP aggregator exists, regardless of the number of member - interfaces in that aggregator. - - .. note:: In 802.3ad mode, a bond cannot be active without at least one active - member interface. Therefore, setting min-links to 0 or 1 has the same result: - the bonding interface is marked UP (carrier asserted). -``` - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> lacp-rate <slow|fast> - - **Configure the rate at which the bonding interface requests its link - partner to send** {abbr}`LACPDUs (Link Aggregation Control Protocol Data - Units)` **in 802.3ad mode.** - - This command applies only when the bonding interface is configured in - 802.3ad mode. - - The following options are available: - - * **slow (default):** Requests the link partner to transmit LACPDUs every 30 seconds. - - * **fast:** Requests the link partner to transmit LACPDUs every 1 second. - -``` - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> system-mac <mac address> - - **Configure a specific MAC address for the bonding interface.** - - This sets the 802.3ad system MAC address, which is used for {abbr}`LACPDU (Link - Aggregation Control Protocol Data Unit)` exchanges with the link partner. - You can assign a fixed MAC address or generate a random one for these - {abbr}`LACPDU (Link Aggregation Control Protocol Data Unit)` exchanges. - -``` - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> hash-policy <policy> - - **Configure which transmit hash policy to use for distributing traffic across - member interfaces.** - - The following policies are available: - - * ``layer2`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Routes all traffic destined for a specific network peer through the same - member interface. The policy is 802.3ad-compliant. - * - **Hash inputs:** - - Source MAC address, destination MAC address, and Ethernet packet type ID. - * - **Formula:** - - .. code-block:: none - - hash = source MAC address XOR destination MAC address XOR packet type ID - member interface number = hash modulo member interface count - - * ``layer2+3`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Similar to ``layer2``, routes all traffic destined for a specific network - peer through the same member interface and is IEEE 802.3ad-compliant. Uses - both Layer 2 and Layer 3 information to provide a more balanced traffic distribution. - * - **Hash inputs:** - - * Source MAC address, destination MAC address, and Ethernet packet type ID. - * Source IP address, destination IP address. IPv6 addresses are first hashed - using ``IPv6_addr_hash``. - * - **Formula:** - - .. code-block:: none - - hash = source MAC address XOR destination MAC address XOR packet type ID - hash = hash XOR source IP address XOR destination IP address - hash = hash XOR (hash RSHIFT 16) - hash = hash XOR (hash RSHIFT 8) - member interface number = hash modulo member interface count - - For non-IP traffic, the formula is the same as for ``layer2``. - - * ``layer3+4`` - - .. list-table:: - :widths: 20 80 - - * - **Description:** - - Routes different connections (flows) destined for a specific network peer - through multiple member interfaces, but ensures each individual flow is - routed through only one member interface. - - .. note:: This policy is not fully 802.3ad-compliant. When a single TCP - or UDP flow contains both fragmented and unfragmented packets, the - algorithm may distribute them across different member interfaces. This - may result in out-of-order packet delivery, violating the 802.3ad standard. - * - **Hash inputs:** - - * Source port, destination port (if available). - * Source IP address, destination IP address. IPv6 addresses are first hashed - using ``IPv6_addr_hash``. - * - **Formula:** - - .. code-block:: none - - hash = source port, destination port (as in the header) - hash = hash XOR source IP address XOR destination IP address - hash = hash XOR (hash RSHIFT 16) - hash = hash XOR (hash RSHIFT 8) - member interface number = hash modulo member interface count - - For fragmented TCP or UDP packets and all other IPv4 and IPv6 traffic, the - source and destination port information is omitted. - - For non-IP traffic, the formula is the same as for ``layer2``. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> primary <interface> - - **Configure the primary member interface in the bond.** - - The primary member interface remains active as long as it is operational; - alternative member interfaces are used only if it fails. - - Use this configuration when a specific member interface is preferred, - such as one with higher throughput. - - This command applies only to ``active-backup``, ``transmit-load-balance``, and - ``adaptive-load-balance`` modes. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> arp-monitor interval <time> - - **Configure the ARP monitoring interval, in seconds, for the bonding interface.** - - ARP monitoring periodically assesses the health of each member interface by - checking whether it has recently sent or received traffic (this criterion - varies depending on the bonding mode and the member interface’s state). ARP - probes are sent to the IP addresses specified with the arp-monitor target option. - - When ARP monitoring is used with EtherChannel-compatible modes (such as - ``round-robin`` or ``xor-hash``), the switch should be configured to distribute - traffic across all member interfaces. If the switch distributes traffic using - an XOR-based policy, all ARP replies will be received on one member interface, - causing other member interfaces to be incorrectly marked as failed. - - Setting this value to 0 disables ARP monitoring. - - The default value is 0. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> arp-monitor target <address> - - **Configure the IP addresses for ARP monitoring requests.** - - The bonding driver sends ARP requests to these IP addresses to check the - state of member interfaces. - - To enable ARP monitoring, configure at least one IP address (up to 16 per - bonding interface). - - By default, no IP addresses are configured. -``` - -### {abbr}`VLAN (Virtual Local Area Network)` - -```{eval-rst} -.. cmdincludemd:: /_include/interface-vlan-8021q.txt - :var0: bonding - :var1: bond0 -``` - -### SPAN port mirroring - -```{eval-rst} -.. cmdincludemd:: ../../_include/interface-mirror.txt - :var0: bonding - :var1: bond1 - :var2: eth3 -``` - -#### EVPN multihoming - -EVPN multihoming (EVPN-MH) is a standards-based solution (RFC 7432, RFC 8365) -that enables Customer Edge (CE) devices, such as servers, to connect to two -or more Provider Edge (PE) devices for redundancy and load balancing. - -EVPN-MH is often used as a modern, standards-based alternative to -{abbr}`MLAG (Multi-Chassis Link Aggregation)` and {abbr}`VTEPs (Virtual -Tunnel Endpoints)`. - -**Ethernet Segment (ES) and Ethernet Segment Identifier (ESI)** - -Physical links that connect a CE device to PE devices are bundled using link -aggregation. This logical bundle is called an Ethernet Segment (ES) and is -uniquely identified by an Ethernet Segment Identifier (ESI) within the -EVPN domain. - -To enable EVPN-MH, configure the same ESI on the bonding interfaces of all -PE devices connected to a single CE device. - -An ESI is configured by specifying either a system MAC address and a local -discriminator, or an Ethernet Segment Identifier Name (ESINAME). - -The following two commands generate a 10-byte Type-3 ESI by combining the -system MAC and local discriminator: - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> evpn es-id <1-16777215|10-byte ID> -``` - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> evpn es-sys-mac <xx:xx:xx:xx:xx:xx> - - Alternatively, assign an ESINAME directly as a 10-byte Type-0 ESI using the - following format: 00:AA:BB:CC:DD:EE:FF:GG:HH:II. - - **BGP-EVPN route usage** - - EVPN-MH uses BGP-EVPN route types 1 and 2 for ES discovery and MAC-IP - synchronization: - - * **Type 1 (EAD-per-ES and EAD-per-EVI)** routes advertise the locally - attached ESs and discover remote ESs in the network. - * **Type 2 (MAC-IP advertisement)** routes are advertised with a - destination ESI, enabling MAC-IP synchronization between ES peers. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces bonding <interface> evpn es-df-pref <1-65535> - - **Configure the** {abbr}`DF (Designated Forwarder)` **preference (1-65535) for - the interface. A higher value indicates a higher preference to become the** - {abbr}`DF (Designated Forwarder)`. **The** {abbr}`DF (Designated Forwarder)` - **preference is configured per-ES.** - - The DF election process determines which interface in a specific ES forwards - {abbr}`BUM (Broadcast, Unknown Unicast, and Multicast)` traffic from the EVPN - overlay to the connected CE device. EVPN Type-4 (Ethernet Segment) routes are - used to elect the DF, implementing the preference-based election method defined - in RFC 9785. - - Interfaces not elected as the DF drop any BUM traffic from the EVPN overlay - using non-DF filters. Similarly, traffic received from ES peers via the EVPN - overlay is blocked from forwarding to the CE device to maintain split-horizon - filtering with local bias. -``` - -```{eval-rst} -.. cmdincludemd:: /_include/interface-evpn-uplink.txt - :var0: bonding - :var1: bond0 -``` - -## Example - -The following configuration example applies to all listed third-party vendors. -It creates a bonding interface with two member interfaces, defines VLANs 10 -and 100 on the bonding interface, and assigns an IPv4 address to each VLAN -subinterface. - -```none -# Create the bonding interface bond0 with 802.3ad LACP -set interfaces bonding bond0 hash-policy 'layer2' -set interfaces bonding bond0 mode '802.3ad' - -# Add the required VLANs and IPv4 addresses on them -set interfaces bonding bond0 vif 10 address 192.168.0.1/24 -set interfaces bonding bond0 vif 100 address 10.10.10.1/24 - -# Add the member interfaces to the bonding interface -set interfaces bonding bond0 member interface eth1 -set interfaces bonding bond0 member interface eth2 -``` - -:::{note} -If you are running this configuration in a virtual environment like -EVE-NG, ensure the e1000 driver is chosen for your VyOS NIC. The default -drivers, such as `virtio-net-pci` or `vmxnet3`, are incompatible with -this configuration. Specifically, ICMP messages will not be processed correctly. - -To check your NIC driver, use the following command: {opcmd}`show interfaces ethernet -eth0 physical | grep -i driver` -::: - -### Cisco Catalyst configuration - -Configure a Cisco Catalyst switch to integrate with a two-member VyOS bonding -interface. - -Assign member interfaces to PortChannel: - -```none -interface GigabitEthernet1/0/23 - description VyOS eth1 - channel-group 1 mode active -! -interface GigabitEthernet1/0/24 - description VyOS eth2 - channel-group 1 mode active -! -``` - -A new interface, `Port-channel1`, becomes available; all configuration, -such as allowed VLAN interfaces and STP, is applied here. - -```none -interface Port-channel1 - description LACP Channel for VyOS - switchport trunk encapsulation dot1q - switchport trunk allowed vlan 10,100 - switchport mode trunk - spanning-tree portfast trunk -! -``` - -### Juniper EX Switch configuration - -Configure a Juniper EX Series switch to integrate with a two-member VyOS bonding -interface. - -```none -# Create aggregated ethernet device with 802.3ad LACP and port speeds of 10gbit/s -set interfaces ae0 aggregated-ether-options link-speed 10g -set interfaces ae0 aggregated-ether-options lacp active - -# Create layer 2 on the aggregated ethernet device with trunking for our VLANs -set interfaces ae0 unit 0 family ethernet-switching port-mode trunk - -# Add the required vlans to the device -set interfaces ae0 unit 0 family ethernet-switching vlan members 10 -set interfaces ae0 unit 0 family ethernet-switching vlan members 100 - -# Add the two interfaces to the aggregated ethernet device, in this setup both -# ports are on the same switch (switch 0, module 1, port 0 and 1) -set interfaces xe-0/1/0 ether-options 802.3ad ae0 -set interfaces xe-0/1/1 ether-options 802.3ad ae0 - -# But this can also be done with multiple switches in a stack, a virtual -# chassis on Juniper (switch 0 and switch 1, module 1, port 0 on both switches) -set interfaces xe-0/1/0 ether-options 802.3ad ae0 -set interfaces xe-1/1/0 ether-options 802.3ad ae0 -``` - -### Aruba/HP configuration - -Configure an Aruba/HP 2510G switch to integrate with a two-member VyOS bonding -interface. - -```none -# Create trunk with 2 member interfaces (interface 1 and 2) and LACP -trunk 1-2 Trk1 LACP - -# Add the required VLANs to the trunk -vlan 10 tagged Trk1 -vlan 100 tagged Trk1 -``` - -### Arista EOS configuration - -When deploying VyOS in environments with Arista switches, use the following -blueprint as an initial setup to configure an operational LACP port-channel -between the two devices. - -Let's assume the following topology: - -:::{figure} /_static/images/vyos_arista_bond_lacp.webp -:alt: VyOS Arista EOS setup -::: - -**R1** - -```none -interfaces { - bonding bond10 { - hash-policy layer3+4 - member { - interface eth1 - interface eth2 - } - mode 802.3ad - vif 100 { - address 192.0.2.1/30 - address 2001:db8::1/64 - } - } -``` - -**R2** - -```none -interfaces { - bonding bond10 { - hash-policy layer3+4 - member { - interface eth1 - interface eth2 - } - mode 802.3ad - vif 100 { - address 192.0.2.2/30 - address 2001:db8::2/64 - } - } -``` - -**SW1** - -```none -! -vlan 100 - name FOO -! -interface Port-Channel10 - switchport trunk allowed vlan 100 - switchport mode trunk - spanning-tree portfast -! -interface Port-Channel20 - switchport mode trunk - no spanning-tree portfast auto - spanning-tree portfast network -! -interface Ethernet1 - channel-group 10 mode active -! -interface Ethernet2 - channel-group 10 mode active -! -interface Ethernet3 - channel-group 20 mode active -! -interface Ethernet4 - channel-group 20 mode active -! -``` - -**SW2** - -```none -! -vlan 100 - name FOO -! -interface Port-Channel10 - switchport trunk allowed vlan 100 - switchport mode trunk - spanning-tree portfast -! -interface Port-Channel20 - switchport mode trunk - no spanning-tree portfast auto - spanning-tree portfast network -! -interface Ethernet1 - channel-group 10 mode active -! -interface Ethernet2 - channel-group 10 mode active -! -interface Ethernet3 - channel-group 20 mode active -! -interface Ethernet4 - channel-group 20 mode active -! -``` - -:::{note} -When testing this environment in EVE-NG, ensure the e1000 driver -is chosen for your VyOS network interfaces. If the default virtio driver -is used, VyOS will not transmit LACP PDUs, preventing the port-channel -from ever becoming active. -::: - -## Operation - -```{eval-rst} -.. opcmd:: show interfaces bonding - - Show brief interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces bonding - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - bond0 - u/u my-sw1 int 23 and 24 - bond0.10 192.168.0.1/24 u/u office-net - bond0.100 10.10.10.1/24 u/u management-net - -``` - -```{eval-rst} -.. opcmd:: show interfaces bonding <interface> - - Show detailed interface information. - - .. code-block:: none - - vyos@vyos:~$ show interfaces bonding bond5 - bond5: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000 - link/ether 00:50:56:bf:ef:aa brd ff:ff:ff:ff:ff:ff - inet6 fe80::e862:26ff:fe72:2dac/64 scope link tentative - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 0 0 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 0 0 0 0 0 0 -``` - -```{eval-rst} -.. opcmd:: show interfaces bonding <interface> detail - - Show detailed information about the underlying physical links on the given - bonding interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces bonding bond5 detail - Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011) - - Bonding Mode: IEEE 802.3ad Dynamic link aggregation - Transmit Hash Policy: layer2 (0) - MII Status: down - MII Polling Interval (ms): 100 - Up Delay (ms): 0 - Down Delay (ms): 0 - - 802.3ad info - LACP rate: slow - Min links: 0 - Aggregator selection policy (ad_select): stable - - Slave Interface: eth1 - MII Status: down - Speed: Unknown - Duplex: Unknown - Link Failure Count: 0 - Permanent HW addr: 00:50:56:bf:ef:aa - Slave queue ID: 0 - Aggregator ID: 1 - Actor Churn State: churned - Partner Churn State: churned - Actor Churned Count: 1 - Partner Churned Count: 1 - - Slave Interface: eth2 - MII Status: down - Speed: Unknown - Duplex: Unknown - Link Failure Count: 0 - Permanent HW addr: 00:50:56:bf:19:26 - Slave queue ID: 0 - Aggregator ID: 2 - Actor Churn State: churned - Partner Churn State: churned - Actor Churned Count: 1 - Partner Churned Count: 1 -``` diff --git a/docs/configuration/interfaces/md-bridge.md b/docs/configuration/interfaces/md-bridge.md deleted file mode 100644 index 77775767..00000000 --- a/docs/configuration/interfaces/md-bridge.md +++ /dev/null @@ -1,431 +0,0 @@ ---- -lastproofread: '2025-12-22' ---- - -(bridge-interface)= - -# Bridge - -VyOS bridges connect Ethernet segments by grouping multiple interfaces into a -single bridge interface, which acts as a virtual software switch. Unlike -routers, which forward traffic based on Layer 3 IP addresses, bridges operate -at Layer 2 and forward traffic based on MAC addresses. Operating at Layer 2, -bridges are protocol-agnostic and transparently forward all Ethernet- -encapsulated traffic, whether it is IPv4, IPv6, or specialized industrial -protocols. - -This implementation utilizes the Linux bridge subsystem to support a subset of -the ANSI/IEEE 802.1d standard for transparent bridging and MAC address learning. - -:::{note} -{abbr}`STP (Spanning Tree Protocol)` is disabled by default in VyOS -and must be explicitly enabled if required. See {ref}`stp` for details. -::: - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-common-with-dhcp.txt -:var0: bridge -:var1: br0 -``` - - -### Member interfaces - -```{cfgcmd} set interfaces bridge \<interface\> member interface \<member\> - -**Configure an interface as a bridge member.** - -Valid interface types are: {ref}`ethernet-interface`, {ref}`bond-interface`, -{ref}`l2tpv3-interface`, {ref}`openvpn`, {ref}`vxlan-interface`, -{ref}`wireless-interface`, {ref}`tunnel-interface`, and -{ref}`geneve-interface`. - -Use tab completion to list interfaces that can be bridged. -``` - -```{cfgcmd} set interfaces bridge \<interface\> member interface \<member\> priority \<priority\> - -**Configure the** {abbr}`STP (Spanning Tree Protocol)` **port priority -for a specific member interface within a bridge.** - -Within the {abbr}`STP (Spanning Tree Protocol)` topology, each member interface -in a bridge operates as a port with an assigned **priority** and **path cost**. -{abbr}`STP (Spanning Tree Protocol)` uses these values to determine the -**lowest-cost path** to the root bridge, maintaining a loop-free topology. -Traffic flows through the path with the lowest path cost, while alternate -paths remain in standby. - -A **lower** priority value means **higher** precedence in path selection. - -{abbr}`STP (Spanning Tree Protocol)` considers the port priority only if -multiple member interfaces have the same path costs. -``` - -```{cfgcmd} set interfaces bridge \<interface\> member interface \<member\> cost \<cost\> - -**Configure the** {abbr}`STP (Spanning Tree Protocol)` **path cost for a -specific member interface within the bridge.** - -Path cost is the primary metric {abbr}`STP (Spanning Tree Protocol)` uses to -determine the path to the root bridge. This value is based on interface -bandwidth; faster interfaces receive lower costs. - -By assigning a lower cost, you give the interface higher precedence during -path selection. -``` - -```{cfgcmd} set interfaces bridge \<interface\> member interface \<member\> disable-learning - -**Disable MAC address learning for a specific member interface -within a bridge.** - -When learning is disabled, the bridge will not add source MAC addresses -observed on this port to its forwarding database (FDB). Frames destined -to MACs not present in the FDB are then flooded to all bridge ports -rather than unicast-forwarded. -``` - - -### Bridge options - -Configure how bridge interfaces maintain their {abbr}`FDB (Forwarding Database)` -, react to topology changes, and optimize multicast data streams. - -```{cfgcmd} set interfaces bridge \<interface\> aging \<time\> - -**Configure the MAC address aging time for the bridge.** - -The duration in seconds that a MAC address remains in the bridge’s {abbr}`FDB -(Forwarding Database)` before removal if no traffic is received from that -address. - -The default value is 300 seconds. -``` - -```{cfgcmd} set interfaces bridge \<interface\> max-age \<time\> - -**Configure the** {abbr}`STP (Spanning Tree Protocol)` **max age timer for -the bridge.** - -The duration in seconds that the bridge waits for a {abbr}`BPDU (Bridge -Protocol Data Unit)` from the root bridge. - -If the bridge does not receive a {abbr}`BPDU (Bridge Protocol Data Unit)` -within this period, it recalculates the path to the root bridge or initiates -a new root bridge election. -``` - -```{cfgcmd} set interfaces bridge \<interface\> igmp querier - -**Configure the bridge interface to act as the** {abbr}`IGMP (Internet Group -Management Protocol)`/{abbr}`MLD (Multicast Listener Discovery)` **Querier.** - -**When configured:** The bridge interface sends {abbr}`IGMP (Internet Group -Management Protocol)` (IPv4) and {abbr}`MLD (Multicast Listener Discovery)` -(IPv6) general queries to all connected hosts to identify active multicast -listeners. -``` - -```{cfgcmd} set interfaces bridge \<interface\> igmp snooping - -**Configure the bridge interface to perform** {abbr}`IGMP (Internet Group -Management Protocol)`/{abbr}`MLD (Multicast Listener Discovery)` -**snooping.** - -**When configured:** The bridge interface monitors {abbr}`IGMP (Internet Group -Management Protocol)` (IPv4) and {abbr}`MLD (Multicast Listener Discovery)` -(IPv6) join requests and restricts multicast traffic forwarding to only active -listeners. This prevents network flooding. -``` - -(stp)= - -#### STP configuration - -{abbr}`STP (Spanning Tree Protocol)` is a Layer 2 protocol that prevents loops -in Ethernet networks by ensuring only one logical path exists between any two -bridges. This creates a loop-free topology and prevents broadcast storms that -can crash the network. - -By default, {abbr}`STP (Spanning Tree Protocol)` is disabled on bridge interfaces. -To activate loop prevention, you must explicitly enable the protocol and -configure its parameters. - -```{cfgcmd} set interfaces bridge \<interface\> stp - -Enable {abbr}`STP (Spanning Tree Protocol)` on the bridge interface. -``` - -```{cfgcmd} set interfaces bridge \<interface\> forwarding-delay \<delay\> - -**Configure the** {abbr}`STP (Spanning Tree Protocol)` **delay, in seconds, -for the bridge interface.** - -This parameter defines how long the bridge interface remains in the listening -and learning states before forwarding traffic. The delay ensures that the -bridge has sufficient time to detect loops (in the listening state) and learn -the MAC addresses of connected devices (in the learning state). - -The default value is 15 seconds. The total time before forwarding begins is -twice this value. -``` - -```{cfgcmd} set interfaces bridge \<interface\> hello-time \<interval\> - -**Configure the** {abbr}`STP (Spanning Tree Protocol)` **Hello advertisement -interval, in seconds.** - -This parameter sets the frequency at which the bridge interface transmits -Hello packets ({abbr}`BPDUs (Bridge Protocol Data Units)`). These packets -originate from the root bridge and are propagated by designated bridges. If -neighbors stop receiving Hello packets, they assume a connection failure and -trigger a topology recalculation. - -The default value is 2 seconds. -``` - - -### VLAN - -#### VLAN-aware bridges - -```{cfgcmd} set interfaces bridge \<interface\> enable-vlan - -**Enable VLAN filtering (also known as VLAN awareness) on the bridge interface.** - -When enabled, the bridge strictly segregates traffic among VLANs configured -on its member interfaces. - -:::{note} -Do not configure **vif 1** on a VLAN-aware bridge. The main bridge -interface acts as VLAN 1 (the default native VLAN) and automatically -handles all untagged traffic. -::: -``` - -```{cfgcmd} set interfaces bridge \<interface\> protocol \<802.1ad | 802.1q\> - -**Configure the VLAN protocol (EtherType) for the bridge interface.** - -The following options are available: -* ``802.1q`` (default): Sets the EtherType to ``0x8100``. Used for standard -enterprise VLANs. -* ``802.1ad``: Sets the EtherType to ``0x88a8``. Used for QinQ (provider bridging). -``` - - -#### VLAN configuration - -```{cmdincludemd} /_include/interface-vlan-8021q.txt -:var0: bridge -:var1: br0 -``` - -```{cfgcmd} set interfaces bridge \<interface\> member interface \<member\> native-vlan \<vlan-id\> - -**Configure the native VLAN ID for a specific member interface within a -VLAN-aware bridge.** - -This assigns the specified ``<vlan-id>`` to untagged traffic entering the member -interface. The bridge strips the VLAN tag from outgoing traffic matching this -ID. - -**Example:** - -Set the native VLAN ID to 2 for the member interface ``eth0``: - -:::{code-block} none -set interfaces bridge br1 member interface eth0 native-vlan 2 -::: -``` - -```{cfgcmd} set interfaces bridge \<interface\> member interface \<member\> allowed-vlan \<vlan-id\> - -**Configure allowed VLAN IDs for a specific member interface within a -VLAN-aware bridge.** - -Enter a single VLAN ID or a range of VLAN IDs separated by a hyphen. - -**Example:** - -To allow VLAN ID 4 on member interface ``eth0``: - -:::{code-block} none -set interfaces bridge br1 member interface eth0 allowed-vlan 4 -::: -**Example:** - -To allow VLAN IDs 6 through 8 on member interface ``eth0``: - -:::{code-block} none -set interfaces bridge br1 member interface eth0 allowed-vlan 6-8 -::: -``` - - -### SPAN port mirroring - -```{cmdincludemd} ../../_include/interface-mirror.txt -:var0: bridge -:var1: br1 -:var2: eth3 -``` - - -## Examples - -### Configure a standard bridge - -The following example creates a bridge named br100 with {abbr}`STP (Spanning -Tree Protocol)` enabled. - -Configuration requirements: -- **Bridge name:** `br100` -- **Member interfaces:** Physical interface `eth1` and VLAN interface `eth2.10`. -- **STP:** Enabled. -- **Bridge IP addresses:** `192.0.2.1/24` (IPv4) and `2001:db8::ffff/64` (IPv6). - -```none -set interfaces bridge br100 address 192.0.2.1/24 -set interfaces bridge br100 address 2001:db8::ffff/64 -set interfaces bridge br100 member interface eth1 -set interfaces bridge br100 member interface eth2.10 -set interfaces bridge br100 stp -``` - -Verify the configuration: - -```none -vyos@vyos# show interfaces bridge br100 - address 192.0.2.1/24 - address 2001:db8::ffff/64 - member { - interface eth1 { - } - interface eth2.10 { - } - } - stp -``` - - -### Configure a VLAN-aware bridge - -The following example creates a VLAN-aware bridge named br100. In this setup, -one member interface is configured as a trunk port, and the other as an access -port. The VLAN interface is configured with IP addresses. - -**Configuration requirements:** -- **Bridge name:** `br100`. -- **Trunk port** (`eth1`): Handles **tagged** traffic for VLAN 10. -- **Access port** (`eth2`): Handles **untagged** traffic (assigned to native - VLAN 10). -- **STP:** Enabled. -- **VLAN IP addresses** (`vif 10`): `192.0.2.1/24` (IPv4) and - `2001:db8::ffff/64` (IPv6). - -```none -set interfaces bridge br100 enable-vlan -set interfaces bridge br100 member interface eth1 allowed-vlan 10 -set interfaces bridge br100 member interface eth2 native-vlan 10 -set interfaces bridge br100 vif 10 address 192.0.2.1/24 -set interfaces bridge br100 vif 10 address 2001:db8::ffff/64 -set interfaces bridge br100 stp -``` - -Verify the configuration: - -```none -vyos@vyos# show interfaces bridge br100 - enable-vlan - member { - interface eth1 { - allowed-vlan 10 - } - interface eth2 { - native-vlan 10 - } - } - stp - vif 10 { - address 192.0.2.1/24 - address 2001:db8::ffff/64 - } -``` - - -### Operation - -```{opcmd} show bridge - -Show the status of member interfaces for all configured bridges. - -:::{code-block} none -vyos@vyos:~$ show bridge -3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding -priority 32 cost 100 -4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding -priority 32 cost 100 -::: -``` - -```{opcmd} show bridge \<name\> fdb - -Show the {abbr}`FDB (Forwarding Database)` for the specified bridge. - -:::{code-block} none -vyos@vyos:~$ show bridge br0 fdb -50:00:00:08:00:01 dev eth1 vlan 20 master br0 permanent -50:00:00:08:00:01 dev eth1 vlan 10 master br0 permanent -50:00:00:08:00:01 dev eth1 master br0 permanent -33:33:00:00:00:01 dev eth1 self permanent -33:33:00:00:00:02 dev eth1 self permanent -01:00:5e:00:00:01 dev eth1 self permanent -50:00:00:08:00:02 dev eth2 vlan 20 master br0 permanent -50:00:00:08:00:02 dev eth2 vlan 10 master br0 permanent -50:00:00:08:00:02 dev eth2 master br0 permanent -33:33:00:00:00:01 dev eth2 self permanent -33:33:00:00:00:02 dev eth2 self permanent -01:00:5e:00:00:01 dev eth2 self permanent -33:33:00:00:00:01 dev br0 self permanent -33:33:00:00:00:02 dev br0 self permanent -33:33:ff:08:00:01 dev br0 self permanent -01:00:5e:00:00:6a dev br0 self permanent -33:33:00:00:00:6a dev br0 self permanent -01:00:5e:00:00:01 dev br0 self permanent -33:33:ff:00:00:00 dev br0 self permanent -::: -``` - -```{opcmd} show bridge \<name\> mdb - -Show the {abbr}`MDB (Multicast group Database)` for the specified bridge. - -The {abbr}`MDB (Multicast group Database)` is populated by {abbr}`IGMP -(Internet Group Management Protocol)`/{abbr}`MLD (Multicast Listener -Discovery)` snooping and lists the multicast groups currently active on the -bridge. - -:::{code-block} none -vyos@vyos:~$ show bridge br0 mdb -dev br0 port br0 grp ff02::1:ff00:0 temp vid 1 -dev br0 port br0 grp ff02::2 temp vid 1 -dev br0 port br0 grp ff02::1:ff08:1 temp vid 1 -dev br0 port br0 grp ff02::6a temp vid 1 -::: -``` - -```{opcmd} show bridge \<name\> macs - -Show the learned {abbr}`MAC (Media Access Control)` address table for the -specified bridge. - -:::{code-block} none -vyos@vyos:~$ show bridge br100 macs -port no mac addr is local? ageing timer - 1 00:53:29:44:3b:19 yes 0.00 -::: -```
\ No newline at end of file diff --git a/docs/configuration/interfaces/md-dummy.md b/docs/configuration/interfaces/md-dummy.md deleted file mode 100644 index d2d27c5d..00000000 --- a/docs/configuration/interfaces/md-dummy.md +++ /dev/null @@ -1,87 +0,0 @@ ---- -lastproofread: '2026-01-23' ---- - -(dummy-interface)= - -# Dummy - -A dummy interface is a virtual network interface that operates like the -loopback interface, accepting traffic and routing it back to the local host. -Unlike the loopback interface, which is limited to one per system and reserved -for internal system use, multiple dummy interfaces can be created, removed, and -managed without impacting core operations. - -As a software-based interface, the dummy interface does not depend on physical -link state and remains active as long as the operating system is running. - -Dummy interfaces are commonly used in environments with multiple redundant -uplinks (e.g., a server connected to two different switches), where assigning a -management IP address to a specific physical interface is risky. If that -interface fails, the management IP address becomes unreachable. - -Assigning the management IP address to a dummy interface and advertising it -over all available physical links ensures the address remains reachable as long -as at least one physical path is active. - -Dummy interfaces are also used for testing and simulation purposes. - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-address.txt -:var0: dummy -:var1: dum0 -``` - -```{cmdincludemd} /_include/interface-description.txt -:var0: dummy -:var1: dum0 -``` - -```{cmdincludemd} /_include/interface-disable.txt -:var0: dummy -:var1: dum0 -``` - -```{cmdincludemd} /_include/interface-vrf.txt -:var0: dummy -:var1: dum0 -``` - - -## Operation - -```{opcmd} show interfaces dummy - -Show brief interface information. - -:::{code-block} none -vyos@vyos:~$ show interfaces dummy -Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down -Interface IP Address S/L Description ---------- ---------- --- ----------- -dum0 172.18.254.201/32 u/u -::: -``` - -```{opcmd} show interfaces dummy \<interface\> - -Show detailed interface information. - -:::{code-block} none -vyos@vyos:~$ show interfaces dummy dum0 -dum0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 - link/ether 26:7c:8e:bc:fc:f5 brd ff:ff:ff:ff:ff:ff - inet 172.18.254.201/32 scope global dum0 - valid_lft forever preferred_lft forever - inet6 fe80::247c:8eff:febc:fcf5/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 0 0 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 1369707 4267 0 0 0 0 -::: -```
\ No newline at end of file diff --git a/docs/configuration/interfaces/md-ethernet.md b/docs/configuration/interfaces/md-ethernet.md deleted file mode 100644 index eac0b443..00000000 --- a/docs/configuration/interfaces/md-ethernet.md +++ /dev/null @@ -1,515 +0,0 @@ ---- -lastproofread: '2026-01-19' ---- - -(ethernet-interface)= - -# Ethernet - -Ethernet interfaces (e.g., `eth0`, `eth1`) represent the host's physical -or virtual network ports. - -They are the most common interface type, serving as the base layer upon which -IP addresses, VLANs, and tunnels are configured to carry traffic across both -LANs and WANs. - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-common-with-dhcp.txt -:var0: ethernet -:var1: eth0 -``` - -```{cfgcmd} set interfaces ethernet \<interface\> switchdev - -**Enable** ``switchdev`` **mode for the interface.** - -In ``switchdev`` mode, the interface offloads traffic switching between ports -to the hardware, bypassing the host CPU. This increases the interface’s -traffic-handling capacity and reduces its forwarding delay. -``` - -:::{note} -`switchdev` mode is available only on certain physical network -interfaces and requires a switchdev-compatible driver. -::: - -### Ethernet options - -```{cfgcmd} set interfaces ethernet \<interface\> duplex \<auto | full | half\> - -**Configure duplex mode for the interface.** - -The following duplex modes are available: - -* ``auto``: The interface negotiates the duplex mode with the connected device. -* ``full``: The interface sends and receives data simultaneously. The - connected device must also be set to full-duplex to avoid a duplex mismatch. -* ``half``: The interface either sends or receives data, but not both at the - same time. - -The default duplex mode is ``auto``. -``` - -```{cfgcmd} set interfaces ethernet \<interface\> speed \<auto | 10 | 100 | 1000 | 2500 | 5000 | 10000 | 25000 | 40000 | 50000 | 100000\> - -**Configure the interface's speed, in Mbit/s.** - -The following options are available: - -* ``auto``: The interface negotiates the speed with the connected device. -* ``10, 100, 1000 ...``: The interface operates at the selected speed. The - connected device must be set to the same speed to establish a connection. - -The default option is ``auto``. -``` - -```{cfgcmd} set interfaces ethernet \<interface\> ring-buffer rx \<value\> - -**Configure the receive (RX) ring buffer size for the interface.** - -The RX ring buffer size defines the number of incoming packets the interface -can queue in hardware before the CPU processes them. - -Higher values reduce the risk of drops when the NIC receives network traffic -faster than the CPU can process it, though latency may increase. Lower values -reduce latency but increase the risk of packet drops during incoming traffic -bursts. - -To view supported values for a specific interface, use: -``` - -```none -ethtool -g <interface> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> ring-buffer tx \<value\> - -**Configure the transmit (TX) ring buffer size.** - -The TX ring buffer size defines the number of outgoing packets the interface -can queue in hardware before they are transmitted onto the network. - -Higher values reduce the risk of drops when the CPU generates traffic faster -than the NIC can handle, though latency may increase. Lower values reduce -latency but increase the risk of packet drops during outgoing traffic bursts. - -To view supported values for a specific interface, use: -``` - -```none -ethtool -g <interface> -``` - - -#### Interrupt Coalescing - -Interrupt coalescing is a mechanism that reduces CPU interrupt load by bundling -multiple packets into a single interrupt event instead of interrupting -the CPU for every packet arrival or transmission. - -:::{note} -Not all network drivers or virtual interfaces support all -coalescing parameters. Use `ethtool --show-coalesce <interface>` -to verify which settings are supported by your hardware and driver. -::: - -**Basic adaptive coalescing** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing adaptive-rx - -``` -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing adaptive-tx - -Enable adaptive interrupt coalescing. The NIC automatically tunes RX/TX -interrupt pacing based on traffic patterns to reduce CPU utilization -during high throughput while preserving latency at low packet rates. -``` - -**Basic interrupt delay** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing rx-usecs \<0-16384\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-usecs \<0-16384\> - -Set the delay in microseconds before generating an RX/TX interrupt after -receiving or transmitting a packet. Lower values reduce latency; higher -values reduce CPU load. -``` - -**Interrupt frame thresholds** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing rx-frames \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-frames \<number\> - -Generate an RX/TX interrupt only after the specified number of packets -have been received or transmitted. -``` - -**IRQ-specific coalescing** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing rx-usecs-irq \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing rx-frames-irq \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-usecs-irq \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-frames-irq \<number\> - -Control interrupt coalescing parameters while the driver is already -servicing an interrupt (IRQ context). These settings allow finer tuning -of interrupt behavior under sustained load. -``` - -**Adaptive rate thresholds** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing pkt-rate-low \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing pkt-rate-high \<number\> - -Define packet-rate thresholds (packets per second) used by adaptive -coalescing to switch between low-rate and high-rate interrupt coalescing -profiles. -``` - -**Low-rate adaptive parameters** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing rx-usecs-low \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing rx-frame-low \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-usecs-low \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-frame-low \<number\> - -Interrupt coalescing parameters applied when the packet rate is below -``pkt-rate-low``. Typically optimized for lower latency. -``` - -**High-rate adaptive parameters** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing rx-usecs-high \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing rx-frame-high \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-usecs-high \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-frame-high \<number\> - -Interrupt coalescing parameters applied when the packet rate exceeds -``pkt-rate-high``. Typically optimized for maximum throughput and -reduced CPU utilization. -``` - -**Statistics and sampling** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing stats-block-usecs \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing sample-interval \<number\> - -Control how frequently coalescing statistics are updated and how often -the NIC samples traffic rates for adaptive coalescing decisions. -``` - -**Completion queue (CQE) mode** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing cqe-mode-rx -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing cqe-mode-tx - -Enable RX/TX Completion Queue Entry (CQE) mode, if supported by the -driver. CQE mode can improve performance on high-speed NICs by -optimizing completion handling. -``` - -**Transmit aggregation** - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-aggr-max-bytes \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-aggr-max-frames \<number\> -``` - -```{cfgcmd} set interfaces ethernet \<interface\> interrupt-coalescing tx-aggr-time-usecs \<number\> - -Control transmit packet aggregation. Packets may be buffered and sent -together until one of the configured limits (bytes, frames, or time) -is reached, reducing interrupt and DMA overhead. -``` - -#### Offloading - -```{cfgcmd} set interfaces ethernet \<interface\> offload \<lro | tso | gso | gro | rps | sg\> - -**Configure the offloading features for the interface.** - -The interface offloading features define whether specific packet-processing tasks -are performed by hardware (the NIC) or by software (the kernel). You can enable -multiple offloading features for a single interface. - - * ``lro`` **(Large Receive Offload):** Instructs the NIC to merge multiple - incoming packets into one larger packet before sending it to the CPU. - - :::{note} - {abbr}`LRO (Large Receive Offload)` hardware support is often limited - to TCP/IPv4 packets. For details on LRO limitations, see - https://lwn.net/Articles/358910/ - ::: - :::{warning} - {abbr}`LRO (Large Receive Offload)` irreversibly alters packet - headers during merging. This prevents the merged packet from being correctly - split back into the original packets, causing packet drops and forwarding - failures on routers and bridges. Use {abbr}`LRO (Large Receive Offload)` only - for end-hosts that do not forward traffic. - ::: - * ``tso`` **(TCP Segmentation Offload):** Instructs the NIC to split large TCP - packets into smaller ones before transmitting them to the network. - - **Important:** {abbr}`SG (Scatter-Gather/Scatter-Gather DMA)` must be enabled - for {abbr}`TSO (TCP Segmentation Offload)` to work. Additionally, {abbr}`GSO - (Generic Segmentation Offload)` should be enabled as a safety fallback; it - ensures that if traffic is rerouted to hardware without {abbr}`TSO (TCP - Segmentation Offload)` support, the kernel can still segment the packets, - preventing transmission failures. - - * ``gso`` **(Generic Segmentation Offload):** Instructs the kernel to split - large packets into smaller ones before sending them to the NIC. - - {abbr}`GSO (Generic Segmentation Offload)` serves as a software fallback for - hardware that does not support {abbr}`TSO (TCP Segmentation Offload)` or for - protocols (like UDP) that hardware cannot offload. - - **Important:** {abbr}`SG (Scatter-Gather/Scatter-Gather DMA)` must be enabled - for {abbr}`GSO (Generic Segmentation Offload)` to work. - - * ``gro`` **(Generic Receive Offload):** Instructs the kernel to merge multiple - incoming packets into one larger packet before passing it to upper protocol - layers. - - Unlike LRO, GRO preserves the necessary packet metadata so the merged packet - can be correctly split back into the original packets. This makes GRO safe for - use on routers and bridges. - - :::{note} -The exception is for IPv4 IDs. If the "Don't Fragment" (DF) bit is -set and IDs are not sequential, {abbr}`GSO (Generic Segmentation Offload)` -alters them to maintain a consistent sequence for {abbr}`GSO (Generic -Segmentation Offload)` compatibility. - ::: - * ``rps`` **(Receive Packet Steering):** Instructs the kernel to distribute - the processing of incoming packets across multiple CPU cores. - - The kernel calculates a hash from packet headers (IP addresses and ports) to - ensure packets from the same flow are processed by the same CPU core. - - :::{note} -{abbr}`RPS (Receive Packet Steering)` is a software version of -{abbr}`RSS (Receive Side Scaling)` and is useful for NICs without hardware -multi-queue support. - ::: - * ``sg`` **(Scatter-Gather/Scatter-Gather DMA):** Instructs the NIC to fetch - data fragments from various RAM locations and transmit them as a single packet - to the network, eliminating the need for the kernel to copy them into a - contiguous block first. -``` - -#### 802.1X (EAPOL) authentication - -```{cmdincludemd} /_include/interface-eapol.txt -:var0: ethernet -:var1: eth0 -``` - -#### EVPN Multihoming - -Uplink/core tracking. - -```{cmdincludemd} /_include/interface-evpn-uplink.txt -:var0: ethernet -:var1: eth0 -``` - -### VLAN -#### Regular VLANs (802.1q) - -```{cmdincludemd} /_include/interface-vlan-8021q.txt -:var0: ethernet -:var1: eth0 -``` - -#### 802.1ad (QinQ) - -```{cmdincludemd} /_include/interface-vlan-8021ad.txt -:var0: ethernet -:var1: eth0 -``` - -### SPAN port mirroring - -```{cmdincludemd} ../../_include/interface-mirror.txt -:var0: ethernet -:var1: eth1 -:var2: eth3 -``` - -## Operation - -```{opcmd} show interfaces ethernet - -Show brief interface information. - -:::{code-block} none -vyos@vyos:~$ show interfaces ethernet -Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down -Interface IP Address S/L Description ---------- ---------- --- ----------- -eth0 172.18.201.10/24 u/u LAN -eth1 172.18.202.11/24 u/u WAN -eth2 - u/D -::: -``` - -```{opcmd} show interfaces ethernet \<interface\> - -Show detailed interface information. - -:::{code-block} none -vyos@vyos:~$ show interfaces ethernet eth0 -eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 - link/ether 00:50:44:00:f5:c9 brd ff:ff:ff:ff:ff:ff - inet6 fe80::250:44ff:fe00:f5c9/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 56735451 179841 0 0 0 142380 - TX: bytes packets errors dropped carrier collisions - 5601460 62595 0 0 0 0 -::: -``` - -```{opcmd} show interfaces ethernet \<interface\> physical - -Show interface hardware-level and driver details. - -:::{code-block} none -vyos@vyos:~$ show interfaces ethernet eth0 physical -Settings for eth0: - Supported ports: [ TP ] - Supported link modes: 1000baseT/Full - 10000baseT/Full - Supported pause frame use: No - Supports auto-negotiation: No - Supported FEC modes: Not reported - Advertised link modes: Not reported - Advertised pause frame use: No - Advertised auto-negotiation: No - Advertised FEC modes: Not reported - Speed: 10000Mb/s - Duplex: Full - Port: Twisted Pair - PHYAD: 0 - Transceiver: internal - Auto-negotiation: off - MDI-X: Unknown - Supports Wake-on: uag - Wake-on: d - Link detected: yes -driver: vmxnet3 -version: 1.4.16.0-k-NAPI -firmware-version: -expansion-rom-version: -bus-info: 0000:0b:00.0 -supports-statistics: yes -supports-test: no -supports-eeprom-access: no -supports-register-dump: yes -supports-priv-flags: no -::: -``` - -```{opcmd} show interfaces ethernet \<interface\> physical offload - -Show the status of the interface offloading features. - -:::{code-block} none -vyos@vyos:~$ show interfaces ethernet eth0 physical offload -rx-checksumming on -tx-checksumming on -tx-checksum-ip-generic on -scatter-gather off -tx-scatter-gather off -tcp-segmentation-offload off -tx-tcp-segmentation off -tx-tcp-mangleid-segmentation off -tx-tcp6-segmentation off -udp-fragmentation-offload off -generic-segmentation-offload off -generic-receive-offload off -large-receive-offload off -rx-vlan-offload on -tx-vlan-offload on -ntuple-filters off -receive-hashing on -tx-gre-segmentation on -tx-gre-csum-segmentation on -tx-udp_tnl-segmentation on -tx-udp_tnl-csum-segmentation on -tx-gso-partial on -tx-nocache-copy off -rx-all off -::: -``` - -```{opcmd} show interfaces ethernet \<interface\> transceiver - -Show information about the transceiver module plugged into the interface -(e.g., SFP+, QSFP). - -:::{code-block} none -vyos@vyos:~$ show interfaces ethernet eth5 transceiver - Identifier : 0x03 (SFP) - Extended identifier : 0x04 (GBIC/SFP defined by 2-wire interface ID) - Connector : 0x07 (LC) - Transceiver codes : 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 - Transceiver type : Ethernet: 1000BASE-SX - Encoding : 0x01 (8B/10B) - BR, Nominal : 1300MBd - Rate identifier : 0x00 (unspecified) - Length (SMF,km) : 0km - Length (SMF) : 0m - Length (50um) : 550m - Length (62.5um) : 270m - Length (Copper) : 0m - Length (OM3) : 0m - Laser wavelength : 850nm - Vendor name : CISCO-FINISAR - Vendor OUI : 00:90:65 - Vendor PN : FTRJ-8519-7D-CS4 - Vendor rev : A - Option values : 0x00 0x1a - Option : RX_LOS implemented - Option : TX_FAULT implemented - Option : TX_DISABLE implemented - BR margin, max : 0% - BR margin, min : 0% - Vendor SN : FNS092xxxxx - Date code : 0506xx -::: -```
\ No newline at end of file diff --git a/docs/configuration/interfaces/md-geneve.md b/docs/configuration/interfaces/md-geneve.md deleted file mode 100644 index 1fce1119..00000000 --- a/docs/configuration/interfaces/md-geneve.md +++ /dev/null @@ -1,105 +0,0 @@ ---- -lastproofread: '2026-02-02' ---- - -(geneve-interface)= - -# Geneve - -{abbr}`Geneve (Generic Network Virtualization Encapsulation)` interfaces -operate as virtual network ports. Administrators can apply standard network -configurations on them, such as IP addressing, bridging, or firewall rules, -just as they would on physical Ethernet ports. - -The Geneve protocol encapsulates Layer 2 Ethernet frames originating from -endpoints such as virtual machines, containers, or physical servers inside UDP -packets. It unifies the features of earlier encapsulation protocols, including -VXLAN, NVGRE, and STT, and addresses their limitations, such as fixed header -structures and a lack of metadata support. Because of its extensibility, Geneve -may eventually replace those older protocols. - -Geneve tunnels are used to connect virtual switches residing within -hypervisors, physical switches, middleboxes, and other network appliances. - -Geneve tunnels operate over any standard IP network. In larger deployments, -the underlying network (underlay) is often built using a **Clos** topology, -also known as a *leaf-and-spine* or *fat-tree* topology. - -Geneve header: - -```none -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -|Ver| Opt Len |O|C| Rsvd. | Protocol Type | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Virtual Network Identifier (VNI) | Reserved | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Variable Length Options | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -``` - - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-address.txt -:var0: geneve -:var1: gnv0 -``` - -```{cmdincludemd} /_include/interface-description.txt -:var0: geneve -:var1: gnv0 -``` - -```{cmdincludemd} /_include/interface-disable.txt -:var0: geneve -:var1: gnv0 -``` - -```{cmdincludemd} /_include/interface-mac.txt -:var0: geneve -:var1: gnv0 -``` - -```{cmdincludemd} /_include/interface-mtu.txt -:var0: geneve -:var1: gnv0 -``` - -```{cmdincludemd} /_include/interface-ip.txt -:var0: geneve -:var1: gnv0 -``` - -```{cmdincludemd} /_include/interface-ipv6.txt -:var0: geneve -:var1: gnv0 -``` - - -### Geneve options - -```{cfgcmd} set interfaces geneve gnv0 remote \<address\> - -Configure the remote endpoint IP address for the Geneve tunnel. -``` - -```{cfgcmd} set interfaces geneve gnv0 vni \<vni\> - -**Configure** {abbr}`VNI (Virtual Network Identifier)` **for the Geneve -interface.** - -The VNI is a virtual network identifier. It allows multiple virtual networks to -share the same physical infrastructure and remain isolated. - -The VNI is also used to distribute traffic after it leaves the tunnel, for -example, to map packets with overlapping IP addresses to specific routing -tables. -``` - -```{cfgcmd} set interfaces gnv0 \<interface\> port \<port\> - -**Configure the destination UDP port for the remote Geneve tunnel endpoint.** -Ensure the remote peer is configured to listen on this specific port. -```
\ No newline at end of file diff --git a/docs/configuration/interfaces/md-index.md b/docs/configuration/interfaces/md-index.md deleted file mode 100644 index 9082cd80..00000000 --- a/docs/configuration/interfaces/md-index.md +++ /dev/null @@ -1,26 +0,0 @@ -# Interfaces - -```{toctree} -:includehidden: true -:maxdepth: 1 - -bonding -bridge -dummy -ethernet -geneve -l2tpv3 -loopback -macsec -openvpn -wireguard -pppoe -pseudo-ethernet -sstp-client -tunnel -virtual-ethernet -vti -vxlan -wireless -wwan -``` diff --git a/docs/configuration/interfaces/md-l2tpv3.md b/docs/configuration/interfaces/md-l2tpv3.md deleted file mode 100644 index 324840fa..00000000 --- a/docs/configuration/interfaces/md-l2tpv3.md +++ /dev/null @@ -1,170 +0,0 @@ ---- -lastproofread: '2026-02-05' ---- - -(l2tpv3-interface)= - -# L2TPv3 - -{abbr}`L2TPv3 (Layer 2 Tunneling Protocol version 3)` interfaces let you -establish L2TPv3 tunnels to transport Layer 2 traffic over IP networks. - -The L2TPv3 protocol (defined in RFC 3931) wraps Layer 2 frames (e.g., Ethernet, -Frame Relay, HDLC) within IP packets, allowing them to traverse the underlying -IP infrastructure. - -Unlike L2TPv2, which strictly requires UDP encapsulation, the L2TPv3 protocol -is more flexible and supports two encapsulation types: - -> - **Direct IP:** Tunnel data is encapsulated directly inside IP packets -> (Protocol 115) for lower overhead. -> - **UDP:** Tunnel data is encapsulated inside a UDP datagram. This allows the -> tunnel to traverse NAT more easily. - -L2TPv3 tunnels connect geographically separated sites, serving as a simpler -alternative to {ref}`mpls` by operating over basic IP connectivity rather than -requiring a full MPLS infrastructure. - -L2TPv3 tunnels can be established over both IPv4 and IPv6 underlying networks. - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-common-without-dhcp.txt -:var0: l2tpv3 -:var1: l2tpeth0 -``` - - -### L2TPv3 options - -Use the following commands to configure the L2TPv3 tunnel's specific parameters. - -```{cfgcmd} set interfaces l2tpv3 \<interface\> encapsulation \<udp | ip\> - -**Configure the encapsulation type for the L2TPv3 tunnel.** - -Valid values are ``udp`` and ``ip``. - -The default encapsulation type is ``udp``. -``` - -:::{note} -The encapsulation type must match on both the local and remote peers -for the tunnel to establish. -::: - -```{cfgcmd} set interfaces l2tpv3 \<interface\> source-address \<address\> - -**Configure the L2TPv3 tunnel source IP address.** - -The specified address must be a local interface IP address and can be either -IPv4 or IPv6. -``` - -```{cfgcmd} set interfaces l2tpv3 \<interface\> remote \<address\> - -**Configure the L2TPv3 tunnel destination IP address.** - -The specified address must be a remote peer’s interface IP address and can be -either IPv4 or IPv6. -``` - -```{cfgcmd} set interfaces l2tpv3 \<interface\> session-id \<id\> - -**Configure the local session ID within the L2TPv3 tunnel.** - -The ``session-id`` is a 32-bit value that identifies an incoming tunnel session -on the local peer. - -The ``peer-session-id`` that identifies this session on the remote peer must be -set to the same value. -``` - -```{cfgcmd} set interfaces l2tpv3 \<interface\> peer-session-id \<id\> - -**Configure the peer session ID within the L2TPv3 tunnel.** - -The ``peer-session-id`` is a 32-bit value that identifies an outgoing tunnel -session from the local peer. - -The ``peer-session-id`` must match the ``session-id`` configured for this -session on the remote peer. -``` - -```{cfgcmd} set interfaces l2tpv3 \<interface\> tunnel-id \<id\> - -**Configure the local identifier for the L2TPv3 tunnel.** - -The ``tunnel-id`` is a 32-bit value that identifies the L2TPv3 tunnel on the -local peer. - -The ``peer-tunnel-id`` that identifies this tunnel on the remote peer must be -set to the same value. -``` - -```{cfgcmd} set interfaces l2tpv3 \<interface\> peer-tunnel-id \<id\> - -**Configure the peer identifier for the L2TPv3 tunnel.** - -The ``peer-tunnel-id`` is a 32-bit value that identifies the L2TPv3 tunnel on -the remote peer and must correspond to the ``tunnel-id`` configured for that -tunnel on that peer. - -The ``peer-tunnel-id`` must match the ``tunnel-id`` that identifies this tunnel -on the remote peer. -``` - - -## Example - -### L2TPv3 tunnel with IP encapsulation - -The following example shows the configuration of an L2TPv3 tunnel using direct -IP encapsulation: - -```none -# show interfaces l2tpv3 -l2tpv3 l2tpeth10 { - address 192.168.37.1/27 - encapsulation ip - source-address 192.0.2.1 - peer-session-id 100 - peer-tunnel-id 200 - remote 203.0.113.24 - session-id 100 - tunnel-id 200 -} -``` - -The inverse configuration must be applied to the remote peer. - -### L2TPv3 tunnel with UDP encapsulation - -The following example shows the configuration of an L2TPv3 tunnel using UDP -encapsulation. - -This setup is recommended when the tunnel traverses NAT devices. - -Configuration notes: -- Use a local LAN IP address as the `source-address`. -- Configure a forwarding rule to allow tunnel traffic on the specified UDP port - on the upstream NAT device. -- Use a distinct UDP port for each individual tunnel. - -```none -# show interfaces l2tpv3 -l2tpv3 l2tpeth10 { - address 192.168.37.1/27 - destination-port 9001 - encapsulation udp - source-address 192.0.2.1 - peer-session-id 100 - peer-tunnel-id 200 - remote 203.0.113.24 - session-id 100 - source-port 9000 - tunnel-id 200 -} -``` diff --git a/docs/configuration/interfaces/md-loopback.md b/docs/configuration/interfaces/md-loopback.md deleted file mode 100644 index 72f14c16..00000000 --- a/docs/configuration/interfaces/md-loopback.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -lastproofread: '2026-01-23' ---- - -(loopback-interface)= - -# Loopback - -The loopback interface is a virtual, software-based network interface. All -traffic sent to it loops back and only targets services on the local host. - -:::{note} -Only one loopback `lo` interface is allowed per operating system. -If you require multiple virtual interfaces, use the {ref}`dummy-interface` -interface type. -::: - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-address.txt -:var0: loopback -:var1: lo -``` - -```{cmdincludemd} /_include/interface-description.txt -:var0: loopback -:var1: lo -``` - - -## Operation - -```{opcmd} show interfaces loopback - -Show brief interface information. - -:::{code-block} none -vyos@vyos:~$ show interfaces loopback -Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down -Interface IP Address S/L Description ---------- ---------- --- ----------- -lo 127.0.0.1/8 u/u - ::1/128 -::: -``` - -```{opcmd} show interfaces loopback lo - -Show detailed interface information. - -:::{code-block} none -vyos@vyos:~$ show interfaces loopback lo -lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever - inet6 ::1/128 scope host - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 300 6 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 300 6 0 0 0 0 -::: -```
\ No newline at end of file diff --git a/docs/configuration/interfaces/md-macsec.md b/docs/configuration/interfaces/md-macsec.md deleted file mode 100644 index b3c70362..00000000 --- a/docs/configuration/interfaces/md-macsec.md +++ /dev/null @@ -1,319 +0,0 @@ ---- -lastproofread: '2026-02-13' ---- - -(macsec-interface)= - -# MACsec - -MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in -2006\. It enables protocol-independent connectivity between two hosts, providing -data confidentiality, authenticity, and integrity using GCM-AES ciphers. MACsec -operates at the Ethernet layer as a Layer 2 protocol and secures traffic within -Layer 2 networks, including DHCP and ARP requests. It does not compete with -other security solutions, such as IPsec (Layer 3) or TLS (Layer 4), as each -addresses distinct use cases. - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-common-with-dhcp.txt -:var0: macsec -:var1: macsec0 -``` - - -### MACsec options - -```{cfgcmd} set interfaces macsec \<interface\> security cipher \<gcm-aes-128|gcm-aes-256\> - -**Configure the cipher suite for the MACsec interface.** - -This configuration parameter is mandatory. -``` - -```{cfgcmd} set interfaces macsec \<interface\> security encrypt - -**Enable encryption on the MACsec interface.** - -By default, MACsec interfaces only provide authentication; encryption is -optional. -When enabled, outgoing packets are encrypted using the configured cipher suite. -``` - -```{cfgcmd} set interfaces macsec \<interface\> source-interface \<physical-source\> - -**Configure a physical source interface for the MACsec interface.** - -Traffic transmitted through this interface is authenticated and, if configured, -encrypted. -``` - - -#### MACsec key management - -**Static** {abbr}`SAK (Secure Authentication Key)` **mode** - -In static SAK mode, administrators must manually configure and update SAKs on -each MACsec peer. {abbr}`MKA (MACsec Key Agreement protocol)` cannot be used in -this mode. - -```{cfgcmd} set interfaces macsec \<interface\> security static key \<key\> - -**Configure the Transmit (TX) SAK for the MACsec interface.** - -The key must be a 16-byte (GCM-AES-128) or 64-byte (GCM-AES-256) hexadecimal -string. -``` - -```{cfgcmd} set interfaces macsec \<interface\> security static peer \<peer\> mac \<mac address\> - -**Configure the MAC address associated with the MACsec peer.** -``` - -```{cfgcmd} set interfaces macsec \<interface\> security static peer \<peer\> key \<key\> - -**Configure the RX SAK for traffic from the MACsec peer.** - -The key must be a 16-byte (GCM-AES-128) or 64-byte (GCM-AES-256) hexadecimal -string. -``` - -```{cfgcmd} set interfaces macsec \<interface\> security static peer \<peer\> disable -``` - -**Dynamic** {abbr}`MKA (MACsec Key Agreement protocol)` **mode** - -In this mode, the {abbr}`MKA (MACsec Key Agreement protocol)` protocol is used -to generate, distribute, and update {abbr}`CAKs (MACsec Connectivity -Association Keys)`, and to authenticate MACsec peers. - -```{cfgcmd} set interfaces macsec \<interface\> security mka cak \<key\> - -**Configure the** {abbr}`CAK (MACsec Connectivity Association Key)` **for the -MACsec interface.** - -The {abbr}`CAK (MACsec Connectivity Association Key)` and its {abbr}`CKN -(MACsec Connectivity Association Key Name)` form the pre-shared master key pair -used to authenticate MACsec peers. -``` - -```{cfgcmd} set interfaces macsec \<interface\> security mka ckn \<key\> - -Configure the {abbr}`CKN (MACsec Connectivity Association Key Name)` for the -MACsec interface. -``` - -```{cfgcmd} set interfaces macsec \<interface\> security mka priority \<priority\> - -Configure the MKA key server priority for the MACsec interface. -The peer with the lowest priority is elected as the key server. -``` - -#### Replay protection - -```{cfgcmd} set interfaces macsec \<interface\> security replay-window \<window\> - -The replay protection window defines how many out-of-order frames can be -received before they are dropped as a potential replay attack. -The following values are valid: -- ``0``: Any out-of-order frame is immediately dropped. -- ``1-4294967295``: Allows the specified number of out-of-order frames. -``` - -## Operation - -```{opcmd} run generate macsec mka cak \<gcm-aes-128|gcm-aes-256\> - -Generate a 128-bit (GCM-AES-128) or 256-bit (GCM-AES-256) {abbr}`MKA (MACsec -Key Agreement protocol)` {abbr}`CAK (MACsec Connectivity Association Key)`. - -:::{code-block} none -vyos@vyos:~$ generate macsec mka cak gcm-aes-128 -20693b6e08bfa482703a563898c9e3ad -::: -``` - -```{opcmd} run generate macsec mka ckn - -Generate an {abbr}`MKA (MACsec Key Agreement protocol)` {abbr}`CAK (MACsec -Connectivity Association Key)`. - -:::{code-block} none -vyos@vyos:~$ generate macsec mka ckn -88737efef314ee319b2cbf30210a5f164957d884672c143aefdc0f5f6bc49eb2 -::: -``` - -```{opcmd} show interfaces macsec - -Show all MACsec interfaces. - -:::{code-block} none -vyos@vyos:~$ show interfaces macsec -17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off -cipher suite: GCM-AES-128, using ICV length 16 -TXSC: 005056bfefaa0001 on SA 0 -20: macsec0: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off -cipher suite: GCM-AES-128, using ICV length 16 -TXSC: 005056bfefaa0001 on SA 0 -::: -``` - -```{opcmd} show interfaces macsec \<interface\> - -Show information for a specific MACsec interface. - -:::{code-block} none -vyos@vyos:~$ show interfaces macsec macsec1 -17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off -cipher suite: GCM-AES-128, using ICV length 16 -TXSC: 005056bfefaa0001 on SA 0 -::: -``` - -## Examples - -**Site-to-site MACsec with dynamic MKA over an untrusted network** - -In the following example, two routers (R1 and R2) are connected via an -untrusted switch, using their `eth1` interfaces as the underlay. The MACsec -interface (`macsec1`) with dynamic MKA encrypts traffic between them. - -Topology details: -- R1 IP addresses: `192.0.2.1/24` and `2001:db8::1/64`. -- R2 IP addresses: `192.0.2.2/24` and `2001:db8::2/64`. - -**R1** - -```none -set interfaces macsec macsec1 address '192.0.2.1/24' -set interfaces macsec macsec1 address '2001:db8::1/64' -set interfaces macsec macsec1 security cipher 'gcm-aes-128' -set interfaces macsec macsec1 security encrypt -set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4' -set interfaces macsec macsec1 security mka ckn '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836' -set interfaces macsec macsec1 source-interface 'eth1' -``` - -**R2** - -```none -set interfaces macsec macsec1 address '192.0.2.2/24' -set interfaces macsec macsec1 address '2001:db8::2/64' -set interfaces macsec macsec1 security cipher 'gcm-aes-128' -set interfaces macsec macsec1 security encrypt -set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4' -set interfaces macsec macsec1 security mka ckn '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836' -set interfaces macsec macsec1 source-interface 'eth1' -``` - -Pinging (IPv6) the other host and intercepting traffic on `eth1` confirm that -the content is encrypted. - -```none -17:35:44.586668 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 150: - 0x0000: 2c00 0000 000a 0050 56bf efaa 0001 d9fb ,......PV....... - 0x0010: 920a 8b8d 68ed 9609 29dd e767 25a4 4466 ....h...)..g%.Df - 0x0020: 5293 487b 9990 8517 3b15 22c7 ea5c ac83 R.H{....;."..\.. - 0x0030: 4c6e 13cf 0743 f917 2c4e 694e 87d1 0f09 Ln...C..,NiN.... - 0x0040: 0f77 5d53 ed75 cfe1 54df 0e5a c766 93cb .w]S.u..T..Z.f.. - 0x0050: c4f2 6e23 f200 6dfe 3216 c858 dcaa a73b ..n#..m.2..X...; - 0x0060: 4dd1 9358 d9e4 ed0e 072f 1acc 31c4 f669 M..X...../..1..i - 0x0070: e93a 9f38 8a62 17c6 2857 6ac5 ec11 8b0e .:.8.b..(Wj..... - 0x0080: 6b30 92a5 7ccc 720b k0..|.r. -``` - -Disabling encryption on the MACsec interface by removing the `security -encrypt` option shows the unencrypted but authenticated content. - -```none -17:37:00.746155 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 150: - 0x0000: 2000 0000 0009 0050 56bf efaa 0001 86dd .......PV....... - 0x0010: 6009 86f3 0040 3a40 2001 0db8 0000 0000 `....@:@........ - 0x0020: 0000 0000 0000 0001 2001 0db8 0000 0000 ................ - 0x0030: 0000 0000 0000 0002 8100 d977 0f30 0003 ...........w.0.. - 0x0040: 1ca0 c65e 0000 0000 8d93 0b00 0000 0000 ...^............ - 0x0050: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................ - 0x0060: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./ - 0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+ - 0x0080: a282 c842 5254 ef28 ...BRT.( -``` - -**Site-to-site MACsec with static SAK over an untrusted network** - -This example uses the same topology as above, but applies static SAK mode to -the MACsec interface configuration. - -**R1** - -```none -set interfaces macsec macsec1 address '192.0.2.1/24' -set interfaces macsec macsec1 address '2001:db8::1/64' -set interfaces macsec macsec1 security cipher 'gcm-aes-128' -set interfaces macsec macsec1 security encrypt -set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' -set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02 -set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' -set interfaces macsec macsec1 source-interface 'eth1' -``` - -**R2** - -```none -set interfaces macsec macsec1 address '192.0.2.2/24' -set interfaces macsec macsec1 address '2001:db8::2/64' -set interfaces macsec macsec1 security cipher 'gcm-aes-128' -set interfaces macsec macsec1 security encrypt -set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' -set interfaces macsec macsec1 security static peer R1 mac 00:11:22:33:44:01 -set interfaces macsec macsec1 security static peer R1 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' -set interfaces macsec macsec1 source-interface 'eth1' -``` - -## MACsec over WAN - -MACsec offers an alternative to traditional tunneling solutions by securing -Layer 2 with integrity, origin authentication, and optional encryption. - -While typically deployed between hosts and access switches, MACsec can also -secure traffic over a WAN. In the following example, we combine VXLAN (for -transport) and MACsec (for security) to create a secure tunnel between two -sites. - -**R1 MACsec01** - -```none -set interfaces macsec macsec1 address '192.0.2.1/24' -set interfaces macsec macsec1 address '2001:db8::1/64' -set interfaces macsec macsec1 security cipher 'gcm-aes-128' -set interfaces macsec macsec1 security encrypt -set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' -set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' -set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02' -set interfaces macsec macsec1 source-interface 'vxlan1' -set interfaces vxlan vxlan1 mac '00:11:22:33:44:01' -set interfaces vxlan vxlan1 remote '10.1.3.3' -set interfaces vxlan vxlan1 source-address '172.16.100.1' -set interfaces vxlan vxlan1 vni '10' -set protocols static route 10.1.3.3/32 next-hop 172.16.100.2 -``` - -**R2 MACsec02** - -```none -set interfaces macsec macsec1 address '192.0.2.2/24' -set interfaces macsec macsec1 address '2001:db8::2/64' -set interfaces macsec macsec1 security cipher 'gcm-aes-128' -set interfaces macsec macsec1 security encrypt -set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' -set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' -set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01' -set interfaces macsec macsec1 source-interface 'vxlan1' -set interfaces vxlan vxlan1 mac '00:11:22:33:44:02' -set interfaces vxlan vxlan1 remote '10.1.2.2' -set interfaces vxlan vxlan1 source-address '172.16.100.2' -set interfaces vxlan vxlan1 vni '10' -set protocols static route 10.1.2.2/32 next-hop 172.16.100.1 -``` diff --git a/docs/configuration/interfaces/md-openvpn-examples.md b/docs/configuration/interfaces/md-openvpn-examples.md deleted file mode 100644 index 1eb697c4..00000000 --- a/docs/configuration/interfaces/md-openvpn-examples.md +++ /dev/null @@ -1,855 +0,0 @@ -# Site-to-site - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -OpenVPN is popular for client-server setups, but its site-to-site mode is less -common and often not supported by router appliances. Despite limited support, -it is effective for quickly establishing tunnels between routers. - -As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or -x.509 certificates. - -Pre-shared key mode is now deprecated and will be removed from future OpenVPN -versions. VyOS will also discontinue support for this option because pre-shared -keys are significantly less secure than TLS. - -We will configure OpenVPN with self-signed certificates, and then discuss the -legacy pre-shared key mode. - -In both cases, we will use the following settings: - -- The public IP address of the local VPN endpoint is 198.51.100.10. -- The public IP address of the remote VPN endpoint is 203.0.113.11. -- The tunnel uses 10.255.1.1 for the local IP address and 10.255.1.2 for the - remote IP address. -- The local site has a subnet of 10.0.0.0/16. -- The remote site has a subnet of 10.1.0.0/16. -- The official OpenVPN port 1194 is reserved for client VPN. For site-to-site - VPN, port 1195 is used. -- The `persistent-tunnel` directive allows us to configure tunnel-related - attributes, such as firewall policy, as we would on any standard network - interface. -- If known, the remote router's IP address can be configured using - the `remote-host` directive. If unknown, it can be omitted. - We assume the remote router has a dynamic IP address. - -<figure> -<img src="/_static/images/openvpn_site2site_diagram.webp" /> -</figure> - -## Set up site-to-site certificates - -Deploying a complete Public Key Infrastructure (PKI) with a Certificate -Authority (CA) would overcomplicate site-to-site OpenVPN setups, which are -primarily designed for simplicity. To keep their configuration simple without -compromising security, VyOS 1.4 and later lets you verify self-signed -certificates using certificate fingerprints. - -Generate a self-signed certificate on each router, preferably using the -Elliptic Curve (EC) type. In configuration mode, run the following command: -`run generate pki certificate self-signed install <name>`. This adds the -certificate to the configuration session's `pki` subtree. Review and commit -the changes. - -``` none -vyos@vyos# run generate pki certificate self-signed install openvpn-local -Enter private key type: [rsa, dsa, ec] (Default: rsa) ec -Enter private key bits: (Default: 256) -Enter country code: (Default: GB) -Enter state: (Default: Some-State) -Enter locality: (Default: Some-City) -Enter organization name: (Default: VyOS) -Enter common name: (Default: vyos.io) -Do you want to configure Subject Alternative Names? [y/N] -Enter how many days certificate will be valid: (Default: 365) -Enter certificate type: (client, server) (Default: server) -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -[edit] - -vyos@vyos# compare -[pki] -+ certificate openvpn-local { -+ certificate "MIICJTCCAcugAwIBAgIUMXLfRNJ5iOjk/uAZqUe4phW8MdgwCgYIKoZIzj0EAwIwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA5MDcyMTQzMTNaFw0yNDA5MDYyMTQzMTNaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMWo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUBrAxRdFppdG/UBRdo7qNyHutaTQwHwYDVR0jBBgwFoAUBrAxRdFppdG/UBRdo7qNyHutaTQwCgYIKoZIzj0EAwIDSAAwRQIhAI2+8C92z9wTcTWkQ/goRxs10EBC+h78O+vgo9k97z5iAiBSeqfaVr5taQTS31+McGTAK3cYWNTg0DlOBI8aKO2oRg==" -+ private { -+ key "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtOeEb0dMb5P/2Exi09WWvk6Cvz0oOBoDuP68ZimS2LShRANCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMW" -+ } -+ } - -[edit] - -vyos@vyos# commit -``` - -You do **not** need to copy the certificate to the other router. Instead, -retrieve its SHA-256 fingerprint. Since OpenVPN currently supports only SHA-256 -fingerprints, use the following command: - -``` none -vyos@vyos# run show pki certificate openvpn-local fingerprint sha256 -5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79 -``` - -<div class="note"> - -<div class="title"> - -Note - -</div> - -Certificate names are arbitrary. While `openvpn-local` and -`openvpn-remote` are used here, you may choose any names. - -</div> - -Repeat the procedure on the other router. - -## Set up site-to-site OpenVPN - -Local configuration: - -``` none -Configure the tunnel: - -set interfaces openvpn vtun1 mode site-to-site -set interfaces openvpn vtun1 protocol udp -set interfaces openvpn vtun1 persistent-tunnel -set interfaces openvpn vtun1 remote-host '203.0.113.11' # Public IP of the other side -set interfaces openvpn vtun1 local-port '1195' -set interfaces openvpn vtun1 remote-port '1195' -set interfaces openvpn vtun1 local-address '10.255.1.1' # Local IP of vtun interface -set interfaces openvpn vtun1 remote-address '10.255.1.2' # Remote IP of vtun interface -set interfaces openvpn vtun1 tls certificate 'openvpn-local' # The self-signed certificate -set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256' on the remote router -set interfaces openvpn vtun1 tls role active -``` - -Remote configuration: - -``` none -set interfaces openvpn vtun1 mode site-to-site -set interfaces openvpn vtun1 protocol udp -set interfaces openvpn vtun1 persistent-tunnel -set interfaces openvpn vtun1 remote-host '198.51.100.10' # Pub IP of other site -set interfaces openvpn vtun1 local-port '1195' -set interfaces openvpn vtun1 remote-port '1195' -set interfaces openvpn vtun1 local-address '10.255.1.2' # Local IP of vtun interface -set interfaces openvpn vtun1 remote-address '10.255.1.1' # Remote IP of vtun interface -set interfaces openvpn vtun1 tls certificate 'openvpn-remote' # The self-signed certificate -set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint> # The output of 'run show pki certificate <name> fingerprint sha256 on the local router -set interfaces openvpn vtun1 tls role passive -``` - -## Set up pre-shared keys - -Before VyOS 1.4, site-to-site OpenVPN without PKI required pre-shared keys. -This option is still available but is deprecated and will be removed in future -releases. If you need to set up a tunnel to an older VyOS version or a system -with older OpenVPN, you still need to use pre-shared keys. - -First, generate a key by running `run generate pki openvpn shared-secret install <name>` in configuration mode. You can use any name; in this example, -we use `s2s`. - -``` none -vyos@local# run generate pki openvpn shared-secret install s2s -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -[edit] -vyos@local# compare -[pki openvpn shared-secret] -+ s2s { -+ key "7c73046a9da91e874d31c7ad894a32688cda054bde157c64270f28eceebc0bb2f44dbb70335fad45148b0456aaa78cb34a34c0958eeed4f75e75fd99ff519ef940f7029a316c436d2366a2b0fb8ea1d1c792a65f67d10a461af83ef4530adc25d1c872de6d9c7d5f338223d1f3b66dc3311bbbddc0e05228c47b91c817c721aadc7ed18f0662df52ad14f898904372679e3d9697d062b0869d12de47ceb2e626fa12e1926a3119be37dd29c9b0ad81997230f4038926900d5edb78522d2940cfe207f8e2b948e0d459fa137ebb18064ac5982b28dd1899020b4f2b082a20d5d4eb65710fbb1e62b5e061df39620267eab429d3eedd9a1ae85957457c8e4655f3" -+ version "1" -+ } - -[edit] - -vyos@local# commit -[edit] -``` - -Next, install the key on the remote router: - -``` none -vyos@remote# set pki openvpn shared-secret s2s key <generated key string> -``` - -Finally, configure the key in your OpenVPN interface settings: - -``` none -set interfaces openvpn vtun1 shared-secret-key s2s -``` - -## Set up firewall exceptions - -To allow OpenVPN traffic to pass through the WAN interface, create a firewall -exception: - -``` none -set firewall ipv4 name OUTSIDE_LOCAL rule 10 action 'accept' -set firewall ipv4 name OUTSIDE_LOCAL rule 10 description 'Allow established/related' -set firewall ipv4 name OUTSIDE_LOCAL rule 10 state 'established' -set firewall ipv4 name OUTSIDE_LOCAL rule 10 state 'related' -set firewall ipv4 name OUTSIDE_LOCAL rule 20 action 'accept' -set firewall ipv4 name OUTSIDE_LOCAL rule 20 description 'OpenVPN_IN' -set firewall ipv4 name OUTSIDE_LOCAL rule 20 destination port '1195' -set firewall ipv4 name OUTSIDE_LOCAL rule 20 log -set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol 'udp' -``` - -Apply the OUTSIDE_LOCAL firewall group to the WAN interface and to the input -filter for traffic destined for the router itself: - -``` none -set firewall ipv4 input filter rule 10 action 'jump' -set firewall ipv4 input filter rule 10 inbound-interface name eth0 -set firewall ipv4 input filter rule 10 jump-target OUTSIDE_LOCAL -``` - -Static routing: - -Configure static routes by referencing the tunnel interface. For example, if -the local router's network is `10.0.0.0/16` and the remote router's network -is `10.1.0.0/16`, define the routes as follows: - -Local configuration: - -``` none -set protocols static route 10.1.0.0/16 interface vtun1 -``` - -Remote configuration: - -``` none -set protocols static route 10.0.0.0/16 interface vtun1 -``` - -As with standard Ethernet interfaces, you can apply firewall policies to the -tunnel interface for input, output, and forward directions. - -If you use multiple tunnels, OpenVPN must distinguish between them beyond just -the pre-shared key. To achieve this, assign either unique IP addresses or -unique ports to each tunnel. - -Verify OpenVPN status using the show openvpn operational commands. - -``` none -vyos@vyos:~$ show openvpn site-to-site - -OpenVPN status on vtun1 - -Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since ------------ ----------------- ----------- ------------ ---------- ---------- ----------------- -N/A 10.110.12.54:1195 N/A N/A 504.0 B 656.0 B N/A -``` - -# Server-client - -In OpenVPN’s server-client mode, the server acts as a central hub, allowing -multiple clients to connect and securely route their traffic or access a -private network. Multi-client server is the most popular OpenVPN mode for -routers. - -## Set up server-client certificates - -Server-client mode always uses x.509 authentication and therefore requires a -PKI setup. The PKI utility now simplifies the creation of Certificate -Authorities (CAs), server and client certificates, and Diffie-Hellman keys -directly in VyOS using configuration or operational mode commands. - -On the server, generate all certificates by running the following commands in -configuration mode. The certificates will be added to the configuration -session's PKI subtree. - -Certificate Authority (CA): - -``` none -vyos@vyos# run generate pki ca install ca-1 -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Enter country code: (Default: GB) -Enter state: (Default: Some-State) -Enter locality: (Default: Some-City) -Enter organization name: (Default: VyOS) -Enter common name: (Default: vyos.io) ca-1 -Enter how many days certificate will be valid: (Default: 1825) -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -[edit] -vyos@vyos# compare -[pki] -+ ca ca-1 { -+ certificate "MIIDlzCCAn+gAwIBAgIUQW7AtPu0Qzp7VzT0TyYx83/ME8swDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2MTExMTIyMjJaFw0zMDA2MTAxMTIyMjJaMFQxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxDTALBgNVBAMMBGNhLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDi+v6i241T9ABxq1ngjWxDQITkqjV0nq2Jb3HSSuQpXRCu7DWdQZlbvnMHnkV/WTL0RNgkhS4iV/WYhE+bLihwiZ0GTeQnUd1QJSkusFROX46w6kKXYUR5IQtcBC+vdky8PESynPd+DXsJn5X9JTWqDeviUAQz/ZjDzWk+71MBCqa+Zps1zpIjK0ywn7pR/HnDrxJOQXlBMNgvbv8U3IAZ2jJp0jTB8TnuDtWSA+XZejMm/EN/AWUQyliX6OJFSCIhBL2BZ9lmVms4/HkRpbd50k3vvCoz+lAOEE6VsH0fEdLC3lZ+CtXZ7kjp2wdWWuSs5ggIJYZZkixsCisbtEmbAgMBAAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUAG9lvr7AzJ/y4vY/XlWxXru+6m0wDQYJKoZIhvcNAQELBQADggEBAKsu4eZa8Fha9aKfuKqlGQHPpEFfVDaVJmebw0uMw+b5Y8EpBxzZrgbqbk3Mty8pBjNa9jkZzph04gHN4pR6kg3iQlUKGxZUfsB9ZUjKhkgNdUI9zq1323MKEvuIuYdt61DCfBHwY6Xax5Ge+BahR2bXdPaQH452/+xMTqkukkpLbioTeIDg6FCU2HYPY5emDF5DDZAZWXtTqi0zdT3Y6FqiTvs5VuWwXCcp+HM+Lwe1/VVJhwi4CHTq0CKWnQIH5blYjmyxzRBlrlZm4ntWlL5Mtepa1A3DJirY4kw/SqMAAh/Q9lh41JzBc8epf+OdnOzK55YmtmctGO2o+NBCFi0=" -+ private { -+ key "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDi+v6i241T9ABxq1ngjWxDQITkqjV0nq2Jb3HSSuQpXRCu7DWdQZlbvnMHnkV/WTL0RNgkhS4iV/WYhE+bLihwiZ0GTeQnUd1QJSkusFROX46w6kKXYUR5IQtcBC+vdky8PESynPd+DXsJn5X9JTWqDeviUAQz/ZjDzWk+71MBCqa+Zps1zpIjK0ywn7pR/HnDrxJOQXlBMNgvbv8U3IAZ2jJp0jTB8TnuDtWSA+XZejMm/EN/AWUQyliX6OJFSCIhBL2BZ9lmVms4/HkRpbd50k3vvCoz+lAOEE6VsH0fEdLC3lZ+CtXZ7kjp2wdWWuSs5ggIJYZZkixsCisbtEmbAgMBAAECggEAZdykF6wV8Z4n8NsoG4j8E/ZJbWEhWjO3x1y3JNutJw735LhmmysMSsreToXtxGfgYRTgNwt5l7oHoqmGHCsLxO1NBb5A7JBllIkIwUYqn31syOJofg0NsJpuwZ2zVLfvWe5mGg4tV2lvVPNEWXWwbp+Ow2KLcFWXkA+H8tFuW6F2mH3ntYlIi/WiCNjsEotNx8Kk7OVwt43DbkN/rbF5lxquuLedaSspOHuhIAOfZB5ZySfqohQalSAaguVD66rGPMrerZ2Vc7B1iJ6Mn/KZrSaQeHwyWrwDDHdzVwG9waydevtGTVO0dvH4etWnRypDx8p1FPJJKD4XVcsl3rR6oQKBgQD497Ep2RJcbNnKVj+kNXGriSGmyRSp6CL61KotepzgucK0RtGMeFJge56/otMHMAxIOcDMX6vRn2MB2pqVqwqUBQy6JfLrSemdpIjMN9xlX6Dw3BWP39SdewZ896/Eo0Q1ythMj1ORp+u3PqOlSa14Cy9aPwDWmNy2deD68YDnsQKBgQDpZE/T84BMQ0FzL6NRijZRzR6Dc775hRfmmSTYI0KqpG0gXNSc5UgrWSLN5H7fnx36mT01P7UkgXCInV0AlJOfkt4a8QTqM1Fh/rZbLLWpQE55S6Fs28GDiFYl2kvZT/TtxhA/E0POf/YXl/8KITS7ZVAZxE8rxBe1hVUfDbnlCwKBgQDeWUguGaGeTdCMNk8MNnbYPdaCAB+mRp3G6ls51sF4qi5Lltva2jKn3H/AoohZaP3vGzUm0WLACdsAct2QQXtnCsN9FBtJK2+qzKEn0dPR7X/s3IGdRse6BX+b6BFgSnfGmuxmI7L86L1JoHXCTnTQOx0FOjNjdI3ZnplZRIpdYQKBgFJacASU9l9yl+SiGZnLEDG7FBpEPE3lVbKrtSGDB6IY1NzHhMo76URKdop6Jv6XMcfcTIm+ihdwiRnblRaAVrrG4xJUm2xcYUoXy5bOZudq5oXMVxCHVngoImXG6l6q5P0Fl3P6Q0HZSye2HWsgnm/FZwdAisMhtU/61TdY65BTAoGBAM4jKeImiXta5lz1RgNiW/TPhft3UbOLj3TbzchNCNAamqCv4Tmh9YKB2d/mz2hNxbnAGe2cYn4iRYKcjJLMZ0UfBL2WxlrgQYQPPGzSD0fH1pLIXPohpBZpsGqNR3Nc8Jd+Uw3IiIJ2oxPCOPTOJsklNB0Xf1AlUUagB16bhhZZ" -+ } -+ } - -[edit] -vyos@vyos# commit -``` - -Server certificate: - -``` none -vyos@vyos# run generate pki certificate sign ca-1 install srv-1 -Do you already have a certificate request? [y/N] N -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Enter country code: (Default: GB) -Enter state: (Default: Some-State) -Enter locality: (Default: Some-City) -Enter organization name: (Default: VyOS) -Enter common name: (Default: vyos.io) srv-1 -Do you want to configure Subject Alternative Names? [y/N] -Enter how many days certificate will be valid: (Default: 365) -Enter certificate type: (client, server) (Default: server) server -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -[edit] -vyos@vyos# compare -[pki certificate] -+ srv-1 { -+ certificate "MIIDrDCCApSgAwIBAgIULpu+qZjfG01kUI58XNmqXbQC3qQwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2MTExMTMxMDJaFw0yNjA2MTExMTMxMDJaMFUxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxDjAMBgNVBAMMBXNydi0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAysTrMfVH63aVidJT7bIf+zLwkLse07nGsv4aliGEbufr239RBHV4Jn8LbQ+nB/8mhYGjNY4OnZ7NYz3FU/iglo8qFtaZ26mWtPWpv2xW1F8JAEK7l5BAg42cBucxiIZFeRm+jkE6VN1bcNU0utnn3sbCwZMyH6pS9k08G1qrrFLA7ZFhv5AmgJcODmO8sigSAu7rRS/6O3eO6ICnVjvIfHLb+9DKKUEffHzFV8RrkqVCGmgisz9fF+j1Rvg9s+ylNc2lZJTbb1XnzixvSRro4t9I3uIWdpJ0iOu09YiTXGQgH9ER6V3rFiX00RdSiSXf+MJCV64hC1msg+8V3Nrw9QIDAQABo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUzH0h4vBxma89HF9rUQ+DW052c5swHwYDVR0jBBgwFoAUAG9lvr7AzJ/y4vY/XlWxXru+6m0wDQYJKoZIhvcNAQELBQADggEBAI/Cyd0y7AJ7wY3yRssCud2iJAl9/ZjgxzXOUo6ibawYIYOnSf9tS3eD4CIH4BgppDXoJZ/qEA4WvIsLx3yvnyOxiqyk3TQmKIZ27VJH+yQkgzPeiKrHn1pCXBKEb1/jlT8Ozu4Lmn/oFwDH6nk8toxI8DM+qsTxqUFlTA3ea9yaRtxeNPMWJdaxZSUYGVSZL0wVKw5ZuQ1Gn7vGVApWlYDKYbMozCuZUG1q8wMzFBRa7x0anvh5hM4bksLz+Y1ujCS8f8b4Xtb8KIdFrZtTvtl97crv62bN05VueAcbwtYbIBNWNoT/CvmqV7k3uPg95GYSNddFqEMbQHoyd8hdDCo=" -+ private { -+ key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKxOsx9UfrdpWJ0lPtsh/7MvCQux7Tucay/hqWIYRu5+vbf1EEdXgmfwttD6cH/yaFgaM1jg6dns1jPcVT+KCWjyoW1pnbqZa09am/bFbUXwkAQruXkECDjZwG5zGIhkV5Gb6OQTpU3Vtw1TS62efexsLBkzIfqlL2TTwbWqusUsDtkWG/kCaAlw4OY7yyKBIC7utFL/o7d47ogKdWO8h8ctv70MopQR98fMVXxGuSpUIaaCKzP18X6PVG+D2z7KU1zaVklNtvVefOLG9JGuji30je4hZ2knSI67T1iJNcZCAf0RHpXesWJfTRF1KJJd/4wkJXriELWayD7xXc2vD1AgMBAAECggEACsUk3PVzSX11+ekTDigM7NHK11UpEQPoGu/GR70mBKIK9BCyI/N9W0YaPEO9kn4p9KNrINgXzKV3sVLBnXEyTmzyRl5Fs9YxLBF0X7eIcSVPHBVvU2CVHKez5uX2ypKfNAx7A6FRUNqlFbwtXdNfLoUOKSwBWI86ctytWaKaRb/TTSGQkaP/z/cwIsXOLfG9m6iFkw98ShUzalrUWNo/4fJKlO1+DvXVYE9sv9rjD8J7DtAbr5KykQ5n0AAlZTCWQ7jwMybSnjjY9ypZUms0l17raJrfhrdbWayc6xMDvtrmNIDebkF+J7cHU06aEV+yQXV/7yjyZgUSM2ANcHMdzQKBgQDmTi5tUeaj1JUSl9lAP/XUzcElw2tcU1B8qpX69J4ofjTNgj5okLWQZVIy1UyAfLOI3LJbHTBUtSvedhH0VaMulq99NXs5qnbPGG3//RBAc0wKhJknB5Qv0D3FxMI14kMO6jzPly+aIGEk4dTtHvZuHbbVHbKSZ5MMouLyT+SS7wKBgQDhZETARZ0MazeWRaPJwdkjlfNcqqcsnDicdcppCkcDCjeLxkVPZc8ej37rshOvw2Pf1D0PddGyOhJoWCWA8QE2LQoDHLaDnQ0L6aQ3yjN5Gxx9RCDFi3Zuat/mPcv3tFO7uUmeYvRC5fGYrghq29NADmUefOopAc06Izd4A3iqWwKBgQC1uPrpR7a1jwgRo7/I8q8HO1MseQY903+u3ut5GYuyZ+NCRYL4/zZEua4ibivvNnZzh7E0M9PvAwWag4+nO+uG11+hbJHO7rLQtnYVh5lLQa6+neI66cAD+kzDwH1+BwriufFB3Amzk9kTQR7B+6x3NvsNLmG5JADj96Mbj+7MAQKBgFIevEXplyzdK6WevexWqoyip8aNjtdcG+w1pofa7MCYymAs3zfseihCVBYADdguModsxsqJPNvY+Lf31cJDDRP2GP3FSmJtqEE84U5KZ7KqRBkH54DSLVZRrj4vKc+YbiGpgr8ogqKVMQ9V6U81xKREGmefT5mdRG74Qc+CREadAoGAFtdsH5js1yFEeGFad4BZJ69grEavD3pNCfIe9oIPtXvvFdzxd+QbKgqFf3JMJp/HYi8A0iv/i4mzf00KXzF4JU7bIJYrUVlk/w8x77gzDRIphsPqpMBJkTI0jisQHZKWNEe7IbmM/dWW2S4jvCkrhB7F5Szf72Q+j/lPbfx2g/8=" -+ } -+ } - -[edit] -vyos@vyos# commit -``` - -Diffie-Hellman key: - -``` none -vyos@vyos# run generate pki dh install dh-1 -Enter DH parameters key size: (Default: 2048) -Generating parameters... -1 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -[edit] -vyos@vyos# compare -[pki] -+ dh dh-1 { -+ parameters "MIIBCAKCAQEAp25kxwZeLZ7wcbRii5E5RD4uWCUOBxarzKEE0msa84omh5nZ9dv/4bfJw4gIXlA2+sGc2lLV/jajZminMryiSwJdisyVuUdOB7sJWZwrzHBAY0qFbNyaRMVJBar2xVm+XcKd3A2eNTEgn10G7rPPvf6CJ5isUKFaKT8ymUv+mI0upLneYdGs8/yS3sAojzeulCf49fa5SiaGCcZZkdOI3Nby1u/ZG4okqJ2wE2c2hRVLs1k5qrrono0OF4Dh0B91ihnywRfp1xPYeqpiln+OPh+PPgTuBxkz4VxwRDoQ+NhVr/LOCb3vbhnyFisxI0w4r3109cA3QiDmo1L14aKl1wIBAg==" -+ } - -[edit] -vyos@vyos# commit -``` - -Client certificate: - -``` none -vyos@vyos:~$ generate pki certificate sign ca-1 install client1 -Do you already have a certificate request? [y/N] N -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Enter country code: (Default: GB) -Enter state: (Default: Some-State) -Enter locality: (Default: Some-City) -Enter organization name: (Default: VyOS) -Enter common name: (Default: vyos.io) client1 -Do you want to configure Subject Alternative Names? [y/N] -Enter how many days certificate will be valid: (Default: 365) -Enter certificate type: (client, server) (Default: server) client -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] -You are not in configure mode, commands to install manually from configure mode: -set pki certificate client1 certificate 'MIIDrjCCApagAwIBAgIUPvtffeYTdoOiHxu++wdrjHwwVX4wDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2MTExMTQxMDlaFw0yNjA2MTExMTQxMDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQnUyqEzG+AqZzsdSud5MDqsOxiXTAfBgNVHSMEGDAWgBQAb2W+vsDMn/Li9j9eVbFeu77qbTANBgkqhkiG9w0BAQsFAAOCAQEAplItvZpoX/joG3QREu9tHVKwDTmXB2lwUM5G8iKPgd6D6oOILZMe2KuvWt12dcdEzUCGfJwJJ8M8R2WD0OmcLdFqvM/8UM1hYzUP2BCnFCLtElVD+b4wMlQNpdHqNbdckw8J4MLQlhUgu9rZAZ0XjWCprr+U50bX++vYRw7Un3Ds6ETEvjflm5WAPb2e0V1hhISPl8K+VXO7RAwxy0DHcDuR+YaD+hnNgMsJV3/QwA17Iy8x86RpOgqmesbt0U7e9Rmo81aVgiy/V4OCV7u6bPX03fmZNS8UwwJuRUlxkjO+epHNYB2cnOcjSkUxaIJ9Hv3tMWHQEtbVZsNYSOZozw==' -set pki certificate client1 private key 'MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC9H6E6gm0PfXO1n/WoA9xlg89/bnScLmfztVDn1uyNn8epE6zAi2GWBhtj4ixLllIwLdkJ7L2mF3yUZtA1Q0oYbGIqTbnaZ37JydCygVGnlLT7UX9zfRfS3KebCIvIte7OyCmnUfVfFzdIsp+4LI3S2wX/9Vyn4UBAR8QQNbezRB3XPMk9gzULnuLhmEDP6GVcPq7RzGXoXUMqsCxfEOJBjej0y4ANKH07HGVVrfVRiY+zlGkM4TFjVuZKnEA0BO6dhOA0E+7gsIXsC06UzzatkjsyWHpb2/DOECIifBoYej9DITu8VxyyZmgaINHEn2gGb0LRHO7rvQapc+XZ2z9DAgMBAAECggEAPS/Fhtt5k2BgFivZW3FcVc+OS0keGwV8hkFsGoXTZIKEIzSFWIn/mX0CUY90C0Rn9MRwiqB4PwssOAsHY6QQjdRK8irRbVK8l2ZeydHC7DfVUdXtKR0YnxTaePML3nTV/TqPF14Rx6EINtHrkLeBbu2DhGsKfhoHIoTVbvUiKLHa2TkGJOkhvjsyMSPKzUXa1AzLmu+UBIhRYpEPHj0SQUUJJnKgIb7mTR2fhJScHcKwsrPq6S8OpChvsYZ6zatgrTFz9tuhD4IjL7NBiYP45BwGaLIaQjph8yAJwwHWoOP+TTj5WYflkW6Uu8F9gC0ve6dPGPNEi2TUdirvAe4LYQKBgQD0UfAPm6tQg8pdkvfMBvYc21fk8zqmgcA4OtvDi60aXuv5jI5+faISvOG2JLuFhKIDOb5ZerzGvkN+LvWgzr9H7YdGZNNtwKgpS/MGqcuuHncTxWBAwYgKhf26a/tqFZRNurJ6GowxDiAcQEc1mWnmdngRa+dvvCwNbXvGVqfVEQKBgQDGKi447TqD76QfvRPn/fRSjM+QE1duk+XorEJ0HHIha5HV9kCrZdV/olGRjDLwPJO6JW7iE2FUsS9SsIrccFE/9P2ZUqfYP2wL5vNO5kAmoLLUl0gwqg1WnBTPJfXeKReTj2uGmOdEuuMPXpL/49hDuPViiE2Q4MGe2Z+oEYN/EwKBgHfQMuTEl2e9qaDn8OM6SrluC5V4fjunh6dLnfgwaCx1fk1702lOnQuJWzsiml9o4raoO6PP4AGqzphz2PsKSJ2ya1NnIJRDFXRjDYQoAn2Z7RViBsja36chfINObxXgDUFtHBdrK3LnFXIlR4aOfHOLh2grvWx7IDNZjIiAeH+xAoGAJlmFZnjqiRv4bDgAQTZRcSRVCvHjSsAOj0++8I+MutEBgSHN9B2aCsBT/tHeDcX7ZNvXsKLFhElh+iO2S+DkqHb2GRT47I2hkFAaqBtBMPiKgz/ftaNDP46nLEuRYHQdXu4zhfHTV+a/CHtqAWGLuddyjaYJNM96SQ6eqjzxcMcCgYAzdxOF2e27hIgo2ttjsROMGqW0/0r/HsKGKPnao7xHQNCAswTnBT+QGugPCe0NXjuxbySP7V1GeWMWF+WV5khtteWerT1/ELAC48NSDpaMxVa4GP8Q/0w6+ZyJty3UGbCYQzZZue81dU+42LUIaVJ4NAc2tYj3jD780udasawS6w==' -``` - -Manually copy the CA, client certificate, and Diffie-Hellman key to the client -device, then commit them before configuring the OpenVPN interface. - -For more options, refer to `configuration/pki/index:pki`. - -## Set up server-client OpenVPN - -The following example demonstrates the most complicated scenario: each client -acts as a router with its own subnet (e.g., an HQ and multiple branch offices). -Simpler setups are subsets of it. - -In this scenario, the 10.23.1.0/24 network is used for client tunnel endpoints, -and all client subnets belong to 10.23.0.0/20. Each client needs access to the -192.168.0.0/16 network. - -Server configuration: - -``` none -set interfaces openvpn vtun10 encryption data-ciphers 'aes256' -set interfaces openvpn vtun10 hash 'sha512' -set interfaces openvpn vtun10 local-host '172.18.201.10' -set interfaces openvpn vtun10 local-port '1194' -set interfaces openvpn vtun10 mode 'server' -set interfaces openvpn vtun10 persistent-tunnel -set interfaces openvpn vtun10 protocol 'udp' -set interfaces openvpn vtun10 server client client1 ip '10.23.1.10' -set interfaces openvpn vtun10 server client client1 subnet '10.23.2.0/25' -set interfaces openvpn vtun10 server domain-name 'vyos.net' -set interfaces openvpn vtun10 server max-connections '250' -set interfaces openvpn vtun10 server name-server '172.16.254.30' -set interfaces openvpn vtun10 server subnet '10.23.1.0/24' -set interfaces openvpn vtun10 server topology 'subnet' -set interfaces openvpn vtun10 tls ca-certificate ca-1 -set interfaces openvpn vtun10 tls certificate srv-1 -set interfaces openvpn vtun10 tls dh-params dh-1 -``` - -The configuration above uses the default 1194/UDP port, 256-bit AES encryption, -SHA-512 for HMAC authentication, and the persistent-tunnel option. -Persistent-tunnel is recommended as it keeps the TUN/TAP device active during -connection resets or daemon reloads. Clients are identified by the CN attribute -in their SSL certificates. - -To grant clients access to a specific network behind the router, use the -push-route option to automatically install the appropriate route on each client. - -``` none -set interfaces openvpn vtun10 server push-route 192.168.0.0/16 -``` - -OpenVPN does not automatically create kernel routes for client subnets when -clients connect; it only uses client-subnet association internally. Therefore, -you must manually create a route to the 10.23.0.0/20 network: - -``` none -set protocols static route 10.23.0.0/20 interface vtun10 -``` - -## Set up OpenVPN client - -VyOS can operate not only as an OpenVPN site-to-site peer or a server for -multiple clients, but also as an OpenVPN client. Any VyOS OpenVPN interface -can be configured to connect to another VyOS or third-party OpenVPN server. - -Client configuration: - -``` none -set interfaces openvpn vtun10 encryption data-ciphers 'aes256' -set interfaces openvpn vtun10 hash 'sha512' -set interfaces openvpn vtun10 mode 'client' -set interfaces openvpn vtun10 persistent-tunnel -set interfaces openvpn vtun10 protocol 'udp' -set interfaces openvpn vtun10 remote-host '172.18.201.10' -set interfaces openvpn vtun10 remote-port '1194' -set interfaces openvpn vtun10 tls ca-certificate ca-1 -set interfaces openvpn vtun10 tls certificate client1 -``` - -## Verification - -Check the tunnel status: - -``` none -vyos@vyos:~$ show openvpn server - -OpenVPN status on vtun10 - -Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since ------------ ------------------ ----------- ---------------- ---------- ---------- ------------------- -client1 172.16.12.54:33166 10.23.1.10 172.18.201.10:1194 3.4 KB 3.4 KB 2024-06-11 12:07:25 -``` - -# Server bridge - -In Ethernet bridging configurations, an OpenVPN interface operating in server -mode with the device type set to TAP can be added to a bridge. By encapsulating -entire Ethernet frames (up to 1514 bytes) rather than just IP packets (up to -1500 bytes), this setup enables clients to transmit Layer 2 frames through the -OpenVPN tunnel. - -The following is a basic configuration example: - -Server side: - -``` none -set interfaces bridge br10 member interface eth1.10 -set interfaces bridge br10 member interface vtun10 -set interfaces openvpn vtun10 device-type 'tap' -set interfaces openvpn vtun10 encryption data-ciphers 'aes192' -set interfaces openvpn vtun10 hash 'sha256' -set interfaces openvpn vtun10 local-host '172.18.201.10' -set interfaces openvpn vtun10 local-port '1194' -set interfaces openvpn vtun10 mode 'server' -set interfaces openvpn vtun10 server bridge gateway '10.10.0.1' -set interfaces openvpn vtun10 server bridge start '10.10.0.100' -set interfaces openvpn vtun10 server bridge stop '10.10.0.200' -set interfaces openvpn vtun10 server bridge subnet-mask '255.255.255.0' -set interfaces openvpn vtun10 server topology 'subnet' -set interfaces openvpn vtun10 tls ca-certificate 'ca-1' -set interfaces openvpn vtun10 tls certificate 'srv-1' -set interfaces openvpn vtun10 tls dh-params 'dh-1' -``` - -Client side: - -``` none -set interfaces openvpn vtun10 device-type 'tap' -set interfaces openvpn vtun10 encryption data-ciphers 'aes192' -set interfaces openvpn vtun10 hash 'sha256' -set interfaces openvpn vtun10 mode 'client' -set interfaces openvpn vtun10 protocol 'udp' -set interfaces openvpn vtun10 remote-host '172.18.201.10' -set interfaces openvpn vtun10 remote-port '1194' -set interfaces openvpn vtun10 tls ca-certificate 'ca-1' -set interfaces openvpn vtun10 tls certificate 'client-1' -``` - -# Server LDAP authentication - -## LDAP - -Enterprise installations usually include a directory service to centralize -employee password management. VyOS and OpenVPN support using LDAP and Active -Directory as a single user backend. - -Authentication is performed by the `openvpn-auth-ldap.so` plugin, included -with every VyOS installation. To use it, you must create a dedicated -configuration file. - -**Best practice:** Store the configuration file in the `/config` directory -to ensure it is preserved after image updates. - -``` none -set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config" -``` - -A sample configuration file is shown below: - -``` none -<LDAP> -# LDAP server URL -URL ldap://ldap.example.com -# Bind DN (If your LDAP server doesn't support anonymous binds) -BindDN cn=LDAPUser,dc=example,dc=com -# Bind Password password -Password S3cr3t -# Network timeout (in seconds) -Timeout 15 -</LDAP> - -<Authorization> -# Base DN -BaseDN "ou=people,dc=example,dc=com" -# User Search Filter -SearchFilter "(&(uid=%u)(objectClass=shadowAccount))" -# Require Group Membership - allow all users -RequireGroup false -</Authorization> -``` - -### Active Directory - -A sample configuration file is shown below: - -``` none -<LDAP> - # LDAP server URL - URL ldap://dc01.example.com - # Bind DN (If your LDAP server doesn’t support anonymous binds) - BindDN CN=LDAPUser,DC=example,DC=com - # Bind Password - Password mysecretpassword - # Network timeout (in seconds) - Timeout 15 - # Enable Start TLS - TLSEnable no - # Follow LDAP Referrals (anonymously) - FollowReferrals no -</LDAP> - -<Authorization> - # Base DN - BaseDN "DC=example,DC=com" - # User Search Filter, user must be a member of the VPN AD group - SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))" - # Require Group Membership - RequireGroup false # already handled by SearchFilter - <Group> - BaseDN "OU=Groups,DC=example,DC=com" - SearchFilter "(|(cn=VPN))" - MemberAttribute memberOf - </Group> -</Authorization> -``` - -If you only want to check that the user account is enabled and can authenticate -(against the primary group), the following snippet is sufficient: - -``` none -<LDAP> - URL ldap://dc01.example.com - BindDN CN=SA_OPENVPN,OU=ServiceAccounts,DC=example,DC=com - Password ThisIsTopSecret - Timeout 15 - TLSEnable no - FollowReferrals no -</LDAP> - -<Authorization> - BaseDN "DC=example,DC=com" - SearchFilter "sAMAccountName=%u" - RequireGroup false -</Authorization> -``` - -A complete example of an LDAP authentication configuration for OpenVPN is shown -below: - -``` none -vyos@vyos# show interfaces openvpn - openvpn vtun0 { - mode server - openvpn-option "--tun-mtu 1500 --fragment 1300 --mssfix" - openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config" - openvpn-option "--push redirect-gateway" - openvpn-option --duplicate-cn - openvpn-option "--verify-client-cert none" - openvpn-option --comp-lzo - openvpn-option --persist-key - openvpn-option --persist-tun - server { - domain-name example.com - max-connections 5 - name-server 203.0.113.0.10 - name-server 198.51.100.3 - subnet 172.18.100.128/29 - } - tls { - ca-certificate ca.crt - certificate server.crt - dh-params dh1024.pem - } - } -``` - -For a detailed example, refer to `OpenVPN with LDAP </configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>`. - -# Multi-factor authentication - -VyOS supports multi-factor authentication (MFA) or two-factor authentication -using Time-based One-Time Passwords (TOTP). It is compatible with Google -Authenticator and other software tokens. - -## Server side - -``` none -set interfaces openvpn vtun20 encryption cipher 'aes256' -set interfaces openvpn vtun20 hash 'sha512' -set interfaces openvpn vtun20 mode 'server' -set interfaces openvpn vtun20 persistent-tunnel -set interfaces openvpn vtun20 server client user1 -set interfaces openvpn vtun20 server mfa totp challenge 'disable' -set interfaces openvpn vtun20 server subnet '10.10.2.0/24' -set interfaces openvpn vtun20 server topology 'subnet' -set interfaces openvpn vtun20 tls ca-certificate 'openvpn_vtun20' -set interfaces openvpn vtun20 tls certificate 'openvpn_vtun20' -set interfaces openvpn vtun20 tls dh-params 'dh-pem' -``` - -A TOTP secret is created for each client in the OpenVPN server configuration. -To display authentication information, use the following command: -`show interfaces openvpn vtun20 user user1 mfa qrcode`. - -Example: - -``` none -vyos@vyos:~$ sh interfaces openvpn vtun20 user user1 mfa qrcode -█████████████████████████████████████ -█████████████████████████████████████ -████ ▄▄▄▄▄ █▀▄▀ ▀▀▄▀ ▀▀▄ █ ▄▄▄▄▄ ████ -████ █ █ █▀▀▄ █▀▀▀█▀██ █ █ █ ████ -████ █▄▄▄█ █▀█ ▄ █▀▀ █▄▄▄█ █▄▄▄█ ████ -████▄▄▄▄▄▄▄█▄█ █ █ ▀ █▄▀▄█▄▄▄▄▄▄▄████ -████▄▄ ▄ █▄▄ ▄▀▄█▄ ▄▀▄█ ▄▄▀ ▀▄█ ▀████ -████ ▀██▄▄▄█▄ ██ █▄▄▄▄ █▄▀█ █ █▀█████ -████ ▄█▀▀▄▄ ▄█▀ ▀▄ ▄▄▀▄█▀▀▀ ▄▄▀████ -████▄█ ▀▄▄▄▀ ▀ ▄█ ▄ █▄█▀ █▀ █▀█████ -████▀█▀ ▀ ▄█▀▄▀▀█▄██▄█▀▀ ▀ ▀ ▄█▀████ -████ ██▄▄▀▄▄█ ██ ▀█ ▄█ ▀▄█ █▀██▀████ -████▄███▄█▄█ ▀█▄ ██▄▄▄█▀ ▄▄▄ █ ▀ ████ -████ ▄▄▄▄▄ █▄█▀▄ ▀▄ ▀█▀ █▄█ ██▀█████ -████ █ █ █ ▄█▀█▀▀▄ ▄▀▀▄▄▄▄▄▄ ████ -████ █▄▄▄█ █ ▄ ▀ █▄▄▄██▄▀█▄▀▄█▄ █████ -████▄▄▄▄▄▄▄█▄██▄█▄▄▄▄▄█▄█▄█▄██▄██████ -█████████████████████████████████████ -█████████████████████████████████████ -``` - -Scan the QR code to add the user account to Google Authenticator. On the client -side, use the generated OTP as the password. - -# Authentication with username/password - -An OpenVPN server can securely obtain a username and password from a connecting -client and use this information for authentication. - -First, configure the server to use an authentication plugin or script. The -server calls this plugin every time a client tries to connect, passing it the -client's credentials. - -In the following example, the `--auth-user-pass-verify` directive is used -with the via-env method and a specified script path to validate the client's -username and password. - -## Server configuration - -``` none -set interfaces openvpn vtun10 local-port '1194' -set interfaces openvpn vtun10 mode 'server' -set interfaces openvpn vtun10 openvpn-option '--auth-user-pass-verify /config/auth/check_user.sh via-env' -set interfaces openvpn vtun10 openvpn-option '--script-security 3' -set interfaces openvpn vtun10 persistent-tunnel -set interfaces openvpn vtun10 protocol 'udp' -set interfaces openvpn vtun10 server client client-1 ip '10.10.10.55' -set interfaces openvpn vtun10 server push-route 192.0.2.0/24 -set interfaces openvpn vtun10 server subnet '10.10.10.0/24' -set interfaces openvpn vtun10 server topology 'subnet' -set interfaces openvpn vtun10 tls ca-certificate 'ca-1' -set interfaces openvpn vtun10 tls certificate 'srv-1' -set interfaces openvpn vtun10 tls dh-params 'dh-1' -``` - -The /config/auth/check_user.sh example includes two test users: - -``` none -#!/bin/bash -USERNAME="$username" -PASSWORD="$password" - -# Replace this with real user checking logic or use getent -if [[ "$USERNAME" == "client1" && "$PASSWORD" == "pass123" ]]; then - exit 0 -elif [[ "$USERNAME" == "peter" && "$PASSWORD" == "qwerty" ]]; then - exit 0 -else - exit 1 -fi -``` - -## Client configuration - -Storing the client certificate locally lets you generate the OpenVPN client -configuration file. Use the following command: - -``` none -vyos@vyos:~$ generate openvpn client-config interface vtun10 ca ca-1 certificate client1 -``` - -Copy the output and save it as a .ovpn file. Add the `auth-user-pass` -directive to the file. This instructs the OpenVPN client to prompt the user -for a username and password, which are then sent to the server over the TLS -channel. You can now import this file into any OpenVPN client application. - -``` none -client -dev tun -proto udp -remote 192.168.77.10 1194 - -remote-cert-tls server -proto udp -dev tun -dev-type tun -persist-key -persist-tun -verb 3 -auth-user-pass - - -<ca> ------BEGIN CERTIFICATE----- -MIIDlzCCAn+gAwIBAgIUQW7AtPu0Qzp7VzT0TyYx83/ME8swDQYJKoZIhvcNAQEL -BQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM -CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2 -MTExMTIyMjJaFw0zMDA2MTAxMTIyMjJaMFQxCzAJBgNVBAYTAkdCMRMwEQYDVQQI -DApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1Mx -DTALBgNVBAMMBGNhLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDi -+v6i241T9ABxq1ngjWxDQITkqjV0nq2Jb3HSSuQpXRCu7DWdQZlbvnMHnkV/WTL0 -RNgkhS4iV/WYhE+bLihwiZ0GTeQnUd1QJSkusFROX46w6kKXYUR5IQtcBC+vdky8 -PESynPd+DXsJn5X9JTWqDeviUAQz/ZjDzWk+71MBCqa+Zps1zpIjK0ywn7pR/HnD -rxJOQXlBMNgvbv8U3IAZ2jJp0jTB8TnuDtWSA+XZejMm/EN/AWUQyliX6OJFSCIh -BL2BZ9lmVms4/HkRpbd50k3vvCoz+lAOEE6VsH0fEdLC3lZ+CtXZ7kjp2wdWWuSs -5ggIJYZZkixsCisbtEmbAgMBAAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P -AQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4E -FgQUAG9lvr7AzJ/y4vY/XlWxXru+6m0wDQYJKoZIhvcNAQELBQADggEBAKsu4eZa -8Fha9aKfuKqlGQHPpEFfVDaVJmebw0uMw+b5Y8EpBxzZrgbqbk3Mty8pBjNa9jkZ -zph04gHN4pR6kg3iQlUKGxZUfsB9ZUjKhkgNdUI9zq1323MKEvuIuYdt61DCfBHw -Y6Xax5Ge+BahR2bXdPaQH452/+xMTqkukkpLbioTeIDg6FCU2HYPY5emDF5DDZAZ -WXtTqi0zdT3Y6FqiTvs5VuWwXCcp+HM+Lwe1/VVJhwi4CHTq0CKWnQIH5blYjmyx -zRBlrlZm4ntWlL5Mtepa1A3DJirY4kw/SqMAAh/Q9lh41JzBc8epf+OdnOzK55Ym -tmctGO2o+NBCFi0= ------END CERTIFICATE----- - -</ca> - -<cert> ------BEGIN CERTIFICATE----- -MIIDrjCCApagAwIBAgIUN6vPxDEW89cfbEFPa0tZlnsW1GkwDQYJKoZIhvcNAQEL -BQAwVDELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM -CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzENMAsGA1UEAwwEY2EtMTAeFw0yNTA2 -MTExMTQ0MjlaFw0yNjA2MTExMTQ0MjlaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQI -DApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1Mx -EDAOBgNVBAMMB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQCdOWq8vdO8CznGN83uAXCuN4PcdTJaRFEdJIEfqHjlcG0MZQuPIAlDbOU+IWmu -QBmeCj7SlbYtVYo1uQOMUaIrAvxLIQUaL1Y60oLVTF5eAPrGV+NSTQR5uMApcH9/ -RcZcW530pu/QpYinKTbGkEd54so6YRVPmYbIOPNUMbnZbccpinYi5t2dqubBb585 -A7L40043VtsVVbPjQq5V0HDursvqlaMqMRcffhR8H4B4ByU/EPRK4yTKm1hi19v3 -UtRHiq74CfGtJzYtplgrLJBON7TsbIi/fEux4q1yhbKA0S66L6e5DZldRxNZOXG6 -QjEL0RkYloMgkbv/2HLCu09hAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0P -AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQCkfdfq3hv -7UtqAxq/5VDRIdgJLTAfBgNVHSMEGDAWgBQAb2W+vsDMn/Li9j9eVbFeu77qbTAN -BgkqhkiG9w0BAQsFAAOCAQEAJ43+aDVRC+y2vsu6WRG2l6zYnLoIJZW4afdKMC1a -nhTWhj4AhAt8evhVbAxi/8qhQX3yXF2bUQKdS++8AVcvZFlSES32S5eBx83AwGLt -QkgvGx+QThKmoJwrelyuS2X0XX3P0WzohYI6HzSr6p9F8KhTvSW97E6SnldpdvEM -uG1C+61/Vys7WLmDBh1PZTGE03nRp3H4Q9ynyXEEf1MK3eZkzg5H3Evj66p82pD5 -8IauRfghMHJf3tOC+y0YIoXshF3lPq4nYso5Jc/HGCHlsboCODMCnY3CZsH7/O1n -/MI710KpzZTCLnv4Qtx9JpZxR7FTddl36OOuYUXU3Gcnsg== ------END CERTIFICATE----- - -</cert> - -<key> ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCdOWq8vdO8CznG -N83uAXCuN4PcdTJaRFEdJIEfqHjlcG0MZQuPIAlDbOU+IWmuQBmeCj7SlbYtVYo1 -uQOMUaIrAvxLIQUaL1Y60oLVTF5eAPrGV+NSTQR5uMApcH9/RcZcW530pu/QpYin -KTbGkEd54so6YRVPmYbIOPNUMbnZbccpinYi5t2dqubBb585A7L40043VtsVVbPj -Qq5V0HDursvqlaMqMRcffhR8H4B4ByU/EPRK4yTKm1hi19v3UtRHiq74CfGtJzYt -plgrLJBON7TsbIi/fEux4q1yhbKA0S66L6e5DZldRxNZOXG6QjEL0RkYloMgkbv/ -2HLCu09hAgMBAAECggEAOR3xRVUO9Sr816JRSQwz486eNDpNSxazgwtOb3JUTUH9 -E7onq1y/kMOgOmSIEHoP9GaTcQxbbPe86IxomhLT/50ri52YzWzx/heY2SVPyQXB -FMo79putKw0vnj5UyydNiyLrbMQyrhFc5iFmWVdz5/c4cWHwjIThPp7V4znXYwHZ -OB/Xn1NNHDNy872oQn5wZWzuA4ml0OqjU5D+Ne9srODl3r4OTo3lb1N3JuH3aOSA -cACl1JnN/KElN8IotIdweeUFAdn2jsGjZnCpGaJvZQ+2iMn6doJXHgFiF5+GMF7o -aOatglElIuqgPtB/4nvnegSL0DSnB36ojqv2PAh24wKBgQDPBt4S4muqo8SqP2e0 -8X78MyK3tz1VmgPKn3O68Vdi1V7FPz0RHRGsw/kdgxXsJlfZTWgzcq2NNFu0yPBJ -A/h7qo16mv8GW7cJCd2exjb+/oq4r5iWeqLdSsMUXN87x02LRaMNd9wz1mls1Z73 -oQ5hJ7zTtlyYXnvKPQo8X1ImjwKBgQDCaptQxZ/a3tcUQQlXAFMAScviODZd0LCL -30ZalwpNs6nVVIPoZHD3tlzWN5Es74gndfkC7/Gm2cnsOW9QQaU56q+5LeNXItW8 -rc6yXq3vNQerqJxHNUmKWwLCQtSyLRjFqpGTl/PyX2bGXQ7/zjTL3W8VMD5otf4Y -SJJB+sKjDwKBgHSVX3WvAAamFtfwwMwKuwH3IfPnQqj0BHKUfK2nvxgvJCFbzV3X -yt5Jtf3ClhPYO9xpVOa0C7va4lHaXkYf8Exj7SxAIKFKALccUStaYBoU6bW7XOhQ -w2pu8ZCEBEo7oBVv77Rj7SNb+R6K5ex5TAm2QQXQSjCb9IYc/ail3TNNAoGBALu6 -GPMrgKnlFyV1j0E1DPBwUbDEuqpoArFtDRAYXFifLVTS4PQbWIG403f9++659Gy2 -G5ZcfqiwD6xL4VJLsPF1zewvhR/0gRJJehb+GVGrkRaOHykbKUGxk75kreDGbu8f -PqaXyXS17hWIch1Lzes0jDiXdwvA//QOzztqmVq9AoGAVMbmf04+QtzckLolAP4q -Uwr5svfy14A7V3IGkwlsHZdm37L26lfxW0kpOOE7g7D6gdinuALo6oopP7RN/IDq -PLaaHaGrIoLAEVFa0bRLGsrU2q87ytwfSgdra4jmsTn+xEabdI4IgmqWgwSRvGVf -KN18e19Ssw5x7Wq0Rsw/3VM= ------END PRIVATE KEY----- - -</key> -``` - -When prompted, log in with the username and password. diff --git a/docs/configuration/interfaces/md-openvpn.md b/docs/configuration/interfaces/md-openvpn.md deleted file mode 100644 index 170c585d..00000000 --- a/docs/configuration/interfaces/md-openvpn.md +++ /dev/null @@ -1,614 +0,0 @@ -(openvpn)= - -# OpenVPN - -Traditionally, hardware routers use IPsec exclusively because it is easy to -implement in hardware, and their CPUs lack sufficient power for software-based -encryption. This limitation is less relevant for VyOS, as it is a software -router. - -OpenVPN has been widely used on UNIX platforms for a long time and is a popular -choice for remote-access VPNs. It also supports site-to-site connections. - -OpenVPN offers the following advantages: - -- It uses a single TCP or UDP connection and does not rely on packet source - addresses, so it works even through double NAT. This makes it well-suited for - public hotspots. -- It is easy to set up and offers very flexible split tunneling. -- A variety of client GUI frontends are available for any platform. - -Disadvantages include: - -- It is slower than IPsec due to higher protocol overhead and because it runs - in user mode, while IPsec on Linux runs in kernel mode. -- No operating system includes OpenVPN client software by default. - -In the VyOS CLI, OpenVPN is configured as a network interface using `set -interfaces openvpn` rather than `set vpn`, which is often overlooked. - -## Configuration - -```{cfgcmd} set interfaces openvpn \<interface\> authentication password \<text\> - - **Configure the password for the** ``auth-user-pass`` **authentication method.** - - This option applies only to OpenVPN clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> authentication username \<text\> - -**Configure the username for the** ``auth-user-pass`` **authentication method.** - -This option applies only to OpenVPN clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> description \<description\> - -Configure the description for the OpenVPN interface. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> device-type \<tap | tun\> - -**Configure the virtual network device type for the OpenVPN interface:** - -* ``tun`` **(default)**: Operates at Layer 3, encapsulating IPv4 or IPv6 packets. -* ``tap``: Operates at Layer 2, encapsulating Ethernet 802.3 frames. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> disable - -Disable the specific OpenVPN interface. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> encryption cipher \< 3des | aes128 | aes128gcm | aes192 | aes192gcm | aes256 | aes256gcm | none \> - -**Configure the static encryption cipher for the OpenVPN tunnel.** - -The ``cipher`` option maps to OpenVPN’s ``--cipher`` directive and specifies -the symmetric encryption algorithm for both control and data channels. - -This was previously the default encryption method in all OpenVPN modes. In -newer OpenVPN versions, the ``--cipher`` directive is considered **legacy** -and should be used only in compatibility scenarios. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> encryption data-ciphers \< 3des | aes128 | aes128gcm | aes192 | aes192gcm | aes256 | aes256gcm | none \> - -**Configure a prioritized list of negotiated ciphers for OpenVPN in** -``client`` **or** ``server`` **mode.** - -The ``data-ciphers`` option represents a list of supported encryption -algorithms. It corresponds to OpenVPN’s ``--data-ciphers`` directive and -enables cipher negotiation, where both peers automatically agree on a mutually -supported cipher during session startup. - -:::{note} -This option is not compatible with ``site-to-site`` mode. -::: -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> encryption data-ciphers-fallback \< 3des | aes128 | aes128gcm | aes192 | aes192gcm | aes256 | aes256gcm | none \> - -**Configure the fallback cipher for** ``site-to-site`` **mode.** - -The ``data-ciphers-fallback`` option maps to OpenVPN’s ``--data-ciphers- -fallback`` directive. It defines the cipher to use if negotiation is **not -supported**. - -:::{note} -This option ensures consistent encryption between two static peers -without cipher negotiation capability. -::: -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> hash \<md5 | sha1 | sha256 | ...\> - -Configure the hashing algorithm for the OpenVPN interface. -``` - - -```{cmdincludemd} /_include/interface-ip.txt -:var0: openvpn -:var1: vtun0 -``` - - -```{cmdincludemd} /_include/interface-ipv6.txt -:var0: openvpn -:var1: vtun0 -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> keep-alive failure-count \<value\> - -**Configure the number of tolerated keepalive packet failures.** - -Default: 60 consecutive failures. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> keep-alive interval \<value\> - -**Configure the frequency, in seconds, at which keepalive packets are sent.** - -Default: 10 seconds. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> local-address \<address\> - -Configure the local tunnel IP address for ``site-to-site`` mode. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> local-host \<address\> - -**Configure the local IP address to accept connections.** - -If configured, OpenVPN binds to this IP address only. - -By default, OpenVPN binds to all interfaces. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> local-port \<port\> - -Configure the local port to accept connections. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> mirror egress \<monitor-interface\> - -Configure mirroring of outgoing traffic from this OpenVPN interface to the -designated monitor interface. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> mirror ingress \<monitor-interface\> - -Configure mirroring of incoming traffic from this OpenVPN interface to the -designated monitor interface. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> mode \<site-to-site | server | client\> - -**Configure OpenVPN operation mode:** - -* ``site-to-site``: Establishes a site-to-site VPN connection. -* ``client``: Operates as a client in server-client mode. -* ``server``: Operates as a server in server-client mode. -``` - -### OpenVPN Data Channel Offload (DCO) - -OpenVPN {abbr}`DCO (Data Channel Offload)` improves the performance of -encrypted OpenVPN data processing by keeping most data handling in the kernel -and avoiding frequent context switches between the kernel and user space. - -As a result, packet processing becomes more efficient and may utilize hardware -encryption offload support available in the kernel. - -:::{note} -- {abbr}`DCO (Data Channel Offload)` is an **experimental**, not fully supported - OpenVPN feature. Some OpenVPN features and deployment scenarios are **not - compatible** with {abbr}`DCO (Data Channel Offload)`. - - For a complete list of supported features, visit: - <https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features> -- {abbr}`DCO (Data Channel Offload)` is configured per tunnel and disabled - by default. Existing tunnels operate without {abbr}`DCO (Data Channel - Offload)` unless it is explicitly enabled. -- Enabling {abbr}`DCO (Data Channel Offload)` resets the interface. -::: - -**Best practice:** Create a new tunnel with {abbr}`DCO (Data Channel Offload)` -enabled to avoid compatibility issues with existing clients. - -```{cfgcmd} set interfaces openvpn \<interface\> offload dco - - **Enable** {abbr}`DCO (Data Channel Offload)` **for the specified OpenVPN - interface.** - - Example: - - :::{code-block} none - set interfaces openvpn vtun0 offload dco - ::: - This command enables {abbr}`DCO (Data Channel Offload)` and loads the required - kernel module. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> openvpn-option \<text\> - -**Add raw OpenVPN configuration options to the openvpn.conf file.** - -OpenVPN provides many configuration options, but not all are available in the -VyOS CLI. - -If a required option is missing, you may submit a feature request at -Phabricator so all users can benefit from it (see Contributing/Issues and Features). - -Alternatively, use ``openvpn-option`` to pass raw OpenVPN configuration options -to the openvpn.conf file. - -:::{warning} -Use this option only as a last resort. Invalid options or syntax -may prevent OpenVPN from starting. Check system logs for errors after applying -changes. -::: -Example: - -:::{code-block} none -set interfaces openvpn vtun0 openvpn-option 'persist-key' -::: -This command adds ``persist-key`` to the configuration file. This solves the -problem by persisting keys across resets, so they do not need to be re-read. - -:::{code-block} none -set interfaces openvpn vtun0 openvpn-option 'route-up "/config/auth/tun_up.sh arg1"' -::: -This command adds ``route-up "/config/auth/tun_up.sh arg1"`` to the -configuration file. This option is executed after connection authentication, -either immediately or after a short delay, as defined. - -Ensure the path and arguments are enclosed in single or double quotes. - -:::{note} -Some raw configuration options require quotes. To include them, use -the " statement. -::: -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> persistent-tunnel - -**Enable always-active mode for the TUN/TAP device.** - -When enabled, the TUN/TAP device remains active upon connection resets or -daemon reloads. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> protocol \<udp | tcp-passive | tcp-active \> - -**Configure the protocol for OpenVPN communication with a remote host:** - -* ``udp`` **(default)**: Uses the UDP protocol. -* ``tcp-passive``: Uses the TCP protocol and accepts connections passively. -* ``tcp-active``: Uses the TCP protocol and initiates connections actively. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> redirect \<interface\> - -Enable redirection of incoming packets to the specified interface. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> remote-address \<address\> - -Configure the remote tunnel IP address for site-to-site mode. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> remote-host \<address | host\> - -**Configure the IPv4/IPv6 address or hostname for a server device if OpenVPN -runs in client mode.** - -This setting is not used in server mode. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> remote-port \<port\> - -Configure the remote port to connect to the server. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> replace-default-route - -Configure the OpenVPN tunnel as the default route. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server bridge disable - -Disable the given instance. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server bridge gateway \<ipv4 address\> - -Configure the gateway IP address. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server bridge start \<ipv4 address\> - -Configure the first IP address in the pool to allocate to connecting clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server bridge stop \<ipv4 address\> - -Configure the last IP address in the pool to allocate to connecting clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server bridge subnet-mask \<ipv4 subnet mask\> - -Configure the subnet mask pushed to dynamic clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server client \<name\> - -Configure the Common Name (CN) specified in the client certificate. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server client \<name\> disable - -Disable the client connection. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server client \<name\> ip \<address\> - -Configure the IPv4/IPv6 address for the client. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server client \<name\> push-route \<subnet\> - -Configure a route to be pushed to the specific client. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server client \<name\> subnet \<subnet\> - -**Configure a fixed subnet to be routed from the server to the specified -client.** - -Used as OpenVPN’s ``iroute`` directive. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server client-ip-pool start \<address\> - -Configure the first IP address in the subnet's IPv4 pool to be dynamically -allocated to connecting clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server client-ip-pool stop \<address\> - -Configure the last IP address in the subnet's IPv4 pool to be dynamically -allocated to connecting clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server client-ip-pool subnet \<netmask\> - -**Configure the subnet mask pushed to dynamic clients.** - -Use this command only for the TAP device type. Do not use it for bridged -interfaces. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server client-ipv6-pool base \<ipv6addr/bits\> - -Configure the IPv6 address pool for dynamic assignment to clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server domain-name \<name\> - -Configure the DNS suffix to be pushed to all clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server max-connections \<1-4096\> - -Configure the maximum number of client connections. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server mfa totp challenge \<enable | disable\> - -If enabled, openvpn-otp expects a password as a result of the challenge/ -response protocol. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server mfa totp digits \<1-65535\> - -**Configure the number of digits to use for the** {abbr}`TOTP (Time-based -One-Time Password)` **hash.** - -Default: 6. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server mfa totp drift \<1-65535\> - -**Configure the time drift in seconds.** - -Default: 0. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server mfa totp slop \<1-65535\> - -**Configure the allowed clock slop in seconds.** - -Default: 180. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server mfa totp step \<1-65535\> - -**Configure the step value for** {abbr}`TOTP (Time-based One-Time Password)` -**in seconds.** - -Default: 30. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server name-server \<address\> - -Define the client DNS configuration to be used with the connection. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server push-route \<subnet\> - -Configure the route to be pushed to all clients. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server reject-unconfigured-client - -Reject connections from clients that are not explicitly configured. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server subnet \<subnet\> - -**Configure the IPv4 or IPv6 network.** - -This parameter is mandatory when operating in server mode. -``` - - -```{cfgcmd} set interfaces openvpn \<interface\> server topology \< net30 | point-to-point | subnet\> - -**Configure the virtual addressing topology for** ``tun`` **mode.** - -This command does not affect ``tap`` mode, which always uses the ``subnet`` -topology. - -* ``subnet`` **(default)**: Allocates a single IP address to each connecting client. -This is the recommended topology. -* ``net30``: Allocates a /30 subnet to each connecting client. This is a legacy -topology used to support Windows clients. It is now effectively deprecated. -* ``point-to-point``: Creates a point-to-point topology where the remote -endpoint of the client’s ``tun`` interface always points to the local endpoint -of the server’s ``tun`` interface. - -Like ``subnet``, this topology allocates a single IP address per client. Use it -only if no clients run Windows operating systems. -``` -```{cfgcmd} set interfaces openvpn \<interface\> shared-secret-key \<key\> - -Configure the static secret key for a site-to-site OpenVPN connection. -``` -```{cfgcmd} set interfaces openvpn \<interface\> tls auth-key \<key\> - -**Configure the TLS secret key for tls-auth.** - -This adds an HMAC signature to all SSL/TLS handshake packets to verify -integrity. - -Use ``run generate pki openvpn shared-secret install <name>`` to generate -the key. -``` -```{cfgcmd} set interfaces openvpn \<interface\> tls ca-certificate \<name\> - -Configure the Certificate Authority chain in the PKI configuration. -``` -```{cfgcmd} set interfaces openvpn \<interface\> tls certificate \<name\> - -Configure the certificate name in the PKI configuration. -``` -```{cfgcmd} set interfaces openvpn \<interface\> tls crypt-key - -Configure a shared secret key to provide an additional level of security, -a variant similar to tls-auth. -``` -```{cfgcmd} set interfaces openvpn \<interface\> tls dh-params - -Configure Diffie-Hellman parameters for server mode. -``` -```{cfgcmd} set interfaces openvpn \<interface\> tls peer-fingerprint \<text\> - -Configure the peer certificate SHA256 fingerprint for site-to-site mode. -``` -```{cfgcmd} set interfaces openvpn \<interface\> tls role \<active | passive\> - -**Configure the TLS negotiation role, preferably used in site-to-site mode:** -* ``active``: Initiates TLS negotiation actively. -* ``passive``: Waits for incoming TLS connections. -``` -```{cfgcmd} set interfaces openvpn \<interface\> tls tls-version-min \<1.0 | 1.1 | 1.2 | 1.3 \> - -Configure the minimum TLS version to be accepted from the peer. -``` -```{cfgcmd} set interfaces openvpn \<interface\> use-lzo-compression - -Configure fast LZO compression on this TUN/TAP interface. -``` -```{cfgcmd} set interfaces openvpn \<interface\> vrf \<name\> - -Assign the interface to a specific VRF instance. -``` - -## Operation mode - -```{opcmd} show openvpn site-to-site - -Show tunnel status for OpenVPN site-to-site interfaces. -``` -```{opcmd} show openvpn server - -Show tunnel status for OpenVPN server interfaces. -``` -```{opcmd} show openvpn client - -Show tunnel status for OpenVPN client interfaces. -``` -```{opcmd} show log openvpn - -Show logs for all OpenVPN interfaces. -``` -```{opcmd} show log openvpn interface \<interface\> - -Show logs for the specific OpenVPN interface. -``` -```{opcmd} reset openvpn client \<text\> - -Reset the specified OpenVPN client. -``` -```{opcmd} reset openvpn interface \<interface\> - -Reset the OpenVPN process on the specified interface. -``` -```{opcmd} generate openvpn client-config interface \<interface\> ca \<name\> certificate \<name\> - -Generate an OpenVPN client configuration file in the .ovpn format for client machines. -``` - -## Examples - -This section covers examples of OpenVPN configurations for various deployments. - -```{toctree} -:includehidden: true -:maxdepth: 1 - -openvpn-examples -``` - diff --git a/docs/configuration/interfaces/md-pppoe.md b/docs/configuration/interfaces/md-pppoe.md deleted file mode 100644 index b79f41a2..00000000 --- a/docs/configuration/interfaces/md-pppoe.md +++ /dev/null @@ -1,419 +0,0 @@ ---- -lastproofread: '2026-03-03' ---- - -(pppoe-interface)= - -# PPPoE - -{abbr}`PPPoE (Point-to-Point Protocol over Ethernet)` is a network protocol -that encapsulates PPP frames within Ethernet frames. -It's often used for connecting ISP clients to a broadband access server. - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-description.txt -:var0: pppoe -:var1: pppoe0 -``` - -```{cmdincludemd} /_include/interface-disable.txt -:var0: pppoe -:var1: pppoe0 -``` - -```{cmdincludemd} /_include/interface-mtu.txt -:var0: pppoe -:var1: pppoe0 -``` - -```{cmdincludemd} /_include/interface-vrf.txt -:var0: pppoe -:var1: pppoe0 -``` - - -### PPPoE options - -```{cfgcmd} set interfaces pppoe \<interface\> access-concentrator \<name\> - -**Configure the name of the target access concentrator for the PPPoE session.** - -During the PPPoE discovery process, the client sends a PPPoE initiation packet. -Multiple access concentrators may respond with offer packets, and the client -selects one of them. - -This setting restricts the client to establishing sessions only with the -specified access concentrator. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> authentication username \<username\> - -**Configure the username for PPPoE session authentication.** - -Although authentication is optional in the interface configuration, most ISPs -require it to establish a connection. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> authentication password \<password\> - -**Configure the password for PPPoE session authentication.** - -Although authentication is optional in the interface configuration, most ISPs -require it to establish a connection. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> connect-on-demand - -**Enable dial-on-demand on the PPPoE interface.** - -When enabled, the system establishes a PPPoE connection only when traffic -passes through the interface. If the connection fails, it is reestablished when -traffic resumes. - -For on-demand connections, you must also configure an ``idle-timeout`` period -to disconnect the session after inactivity. - -:::{note} -Setting the idle timeout to zero, or leaving it unconfigured, keeps -the connection active continuously once established. -::: - -By default, the PPPoE connection is established at boot and remains active -continuously; if the connection fails, it is reestablished immediately. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> no-default-route - -Request an IP address from the PPPoE server without installing a default route. - -Example: - -:::{code-block} none -set interfaces pppoe pppoe0 no-default-route -::: - -:::{note} -Introduced in VyOS 1.4, this command inverts the logic of the former -``default-route`` CLI option. -::: -``` - -```{cfgcmd} set interfaces pppoe \<interface\> default-route-distance \<distance\> - -Configure the distance for the default gateway provided by the PPPoE server. - -Example: - -:::{code-block} none -set interfaces pppoe pppoe0 default-route-distance 220 -::: -``` - -```{cfgcmd} set interfaces pppoe \<interface\> mru \<mru\> - -**Configure the** {abbr}`MRU (Maximum Receive Unit)` **for the PPPoE -interface.** - -This setting instructs the pppd daemon to restrict the remote peer from sending -packets larger than the configured MRU. Allowed MRU values range from 128 to -16384 bytes. - -An MRU of 296 is suitable for very slow links (40 bytes for the TCP/IP header -and 256 bytes for data). - -The default MRU is 1492 bytes. - -:::{note} -When using the IPv6 protocol, the MRU must be at least 1280 bytes. -::: -``` - -```{cfgcmd} set interfaces pppoe \<interface\> idle-timeout \<time\> - -**Configure the idle timeout for on-demand PPPoE sessions.** - -This setting defines how long the connection remains active without any traffic -before being disconnected. - -:::{note} -Setting the idle timeout to zero, or leaving it unconfigured, keeps -the connection active continuously once established. -::: -``` - -```{cfgcmd} set interfaces pppoe \<interface\> holdoff \<time\> - -**Configure the redial delay for persistent PPPoE sessions.** - -If a persistent session (with ``connect-on-demand`` disabled) is terminated by -the remote peer or drops unexpectedly, the router waits the specified interval -before attempting to reconnect. - -The default redial delay is 30 seconds. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> local-address \<address\> - -**Configure the local endpoint IP address for PPPoE sessions.** - -By default, this IP address is negotiated. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> no-peer-dns - -Disable the installation of advertised DNS nameservers on the local system. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> remote-address \<address\> - -**Configure the remote endpoint IP address for PPPoE sessions.** - -By default, this IP address is negotiated. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> service-name \<name\> - -**Configure the service name of the target access concentrator for the PPPoE -session.** - -By default, the PPPoE interface connects to any available access concentrator. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> source-interface \<source-interface\> - -**Configure the underlying interface for the PPPoE connection.** - -Each PPPoE connection is established over an underlying interface, which can be -an Ethernet interface, a VIF, or a bonding interface. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> ip adjust-mss \<mss | clamp-mss-to-pmtu\> - -**Configure the** {abbr}`MSS (Maximum Segment Size)` **advertised in outgoing -TCP SYN packets on the specified interface.** - -By clamping the MSS value in TCP SYN packets, you instruct the remote side not -to send packets larger than the specified size. This helps prevent connection -issues if {abbr}`PMTUD (Path MTU Discovery)` fails. - -The following options are available: - -* ``mss``: Sets the MSS to a specific value in bytes. -* ``clamp-mss-to-pmtu``: Sets the MSS to the interface’s MTU minus 40 bytes for - IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). - This option is recommended to automatically set the proper value. - -:::{note} -Introduced in VyOS 1.4, this command replaces the older ``set firewall -options interface <name> adjust-mss <value>`` syntax. -::: -``` - -```{cfgcmd} set interfaces pppoe \<interface\> ip disable-forwarding - -**Configure the interface for host or router behavior.** - -If configured, the interface switches to host mode, and IPv4 forwarding is -disabled on it. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> ip source-validation \<strict | loose | disable\> - -**Configure source IP address validation using** -{abbr}`RPF (Reverse Path Forwarding)` **on this interface, as specified in** -{rfc}`3704`. - -The following options are available: - -* ``strict``: Each incoming packet’s source IP address is checked against the - {abbr}`FIB (Forwarding Information Base)`. If the interface is not the best - route back to that source, validation fails, and the packet is dropped. -* ``loose``: Each incoming packet’s source IP address is checked against the - {abbr}`FIB (Forwarding Information Base)`. If the source IP address is - unreachable through any interface, validation fails. -* ``disable``: No source IP address validation is performed. All incoming - packets are accepted. - -{rfc}`3704` recommends enabling ``strict`` mode to prevent IP spoofing, such as -DDoS attacks. For asymmetric or other complex routing scenarios, use ``loose`` -mode. -``` - - -#### IPv6 - -```{cfgcmd} set interfaces pppoe \<interface\> ipv6 address autoconf - -Enable IPv6 address assignment via {abbr}`SLAAC (Stateless Address -Auto-Configuration)` on this interface. -``` - -```{cfgcmd} set interfaces pppoe \<interface\> ipv6 adjust-mss \<mss | clamp-mss-to-pmtu\> - -**Configure the** {abbr}`MSS (Maximum Segment Size)` **advertised in outgoing -TCP SYN packets on the specified interface.** - -By clamping the MSS value in TCP SYN packets, you instruct the remote side not -to send packets larger than the specified size. This helps prevent connection -issues if {abbr}`PMTUD (Path MTU Discovery)` fails. - -The following options are available: - -* ``mss``: Sets the MSS to a specific value in bytes. -* ``clamp-mss-to-pmtu``: Sets the MSS to the interface’s MTU minus 60 bytes for - IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). - This option is recommended to automatically set the proper value. - -:::{note} -Introduced in VyOS 1.4, this command replaces the older ``set firewall -options interface <name> adjust-mss <value>`` syntax. -::: -``` - -```{cfgcmd} set interfaces pppoe \<interface\> ipv6 disable-forwarding - -**Configure the interface for host or router behavior.** - -If configured, the interface switches to host mode, and IPv6 forwarding is -disabled on it. -``` - -```{cmdincludemd} /_include/interface-dhcpv6-prefix-delegation.txt -:var0: pppoe -:var1: pppoe0 -``` - - -## Operation - -```{opcmd} show interfaces pppoe \<interface\> - -Show detailed information about a specific PPPoE interface. - -:::{code-block} none -vyos@vyos:~$ show interfaces pppoe pppoe0 -pppoe0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 3 - link/ppp - inet 192.0.2.1 peer 192.0.2.255/32 scope global pppoe0 - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 7002658233 5064967 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 533822843 1620173 0 0 0 0 -::: -``` - -```{opcmd} show interfaces pppoe \<interface\> queue - -Show queue information for a specific PPPoE interface. - -:::{code-block} none -vyos@vyos:~$ show interfaces pppoe pppoe0 queue -qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 - Sent 534625359 bytes 1626761 pkt (dropped 62, overlimits 0 requeues 0) - backlog 0b 0p requeues 0 -::: -``` - - -### Connect/disconnect - -```{opcmd} disconnect interface \<interface\> - -Disconnect the specified interface. -``` - -```{opcmd} connect interface \<interface\> - -Initiate a session on the specified interface. -``` - - -## Example - -### PPPoE over DSL - -**Configuration scenario:** - -- Your ISP's DSL modem is connected to the `eth0` interface on your VyOS - router. -- Your ISP does not require VLAN tagging. -- PPPoE credentials are provided by your ISP. The typical username format is - `name@host.net`, though this may vary. - -**Configuration notes:** - -- The maximum MTU size for DSL is 1492 because of PPPoE overhead. If you are - switching from a DHCP-based ISP (e.g., a standard cable connection), ensure - VPN links have MTU sizes adjusted accordingly. -- To ignore ISP-provided nameservers and use only your statically configured - ones, set the `name-server` option to `none`. -- A default route is automatically installed once the interface is up. To - change this behavior, use the `no-default-route` CLI option. - -:::{note} -The PPPoE configuration syntax changed after VyOS 1.2 (Crux) and is -automatically migrated during an upgrade. -::: - -```none -set interfaces pppoe pppoe0 authentication username 'userid' -set interfaces pppoe pppoe0 authentication password 'secret' -set interfaces pppoe pppoe0 source-interface 'eth0' -``` - -Secure your setup by creating rules matching the `pppoe0` interface in the -firewall chains: - -```none -set firewall ipv4 input filter rule 10 inbound-interface name 'pppoe0' -set firewall ipv4 forward filter rule 10 inbound-interface name 'pppoe0' -``` - - -### PPPoE over VLAN - -Some ISPs require PPPoE connections to be -established over a VLAN interface. This specific topology is fully supported by -VyOS. - -The following configuration establishes the PPPoE connection through VLAN 7, -which is the default VLAN for Deutsche Telekom: - -```none -set interfaces pppoe pppoe0 authentication username 'userid' -set interfaces pppoe pppoe0 authentication password 'secret' -set interfaces pppoe pppoe0 source-interface 'eth0.7' -``` - - -#### IPv6 DHCPv6 prefix delegation - -**Configuration scenario:** - -The following configuration establishes a PPPoE session on the `eth1` -interface, requests a `/56` IPv6 prefix delegation from the ISP, and assigns -a `/64` subnet from that delegation to the `eth0` interface. - -**Configuration notes:** - -- The IPv6 address assigned to `eth0` is `<prefix>::1/64`. -- If you do not know your delegated prefix size, begin with `sla-len 0`. -- To advertise the prefix on the `eth0` link, configure IPv6 Router - Advertisement. - -```none -set interfaces pppoe pppoe0 authentication username vyos -set interfaces pppoe pppoe0 authentication password vyos -set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 address '1' -set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 sla-id '0' -set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56' -set interfaces pppoe pppoe0 ipv6 address autoconf -set interfaces pppoe pppoe0 source-interface eth1 - -set service router-advert interface eth0 prefix ::/64 -``` diff --git a/docs/configuration/interfaces/md-pseudo-ethernet.md b/docs/configuration/interfaces/md-pseudo-ethernet.md deleted file mode 100644 index fc8833eb..00000000 --- a/docs/configuration/interfaces/md-pseudo-ethernet.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -lastproofread: '2026-03-05' ---- - -(pseudo-ethernet-interface)= - -# MACVLAN (pseudo-Ethernet) - -MACVLAN, or pseudo-Ethernet interfaces, operate as logical subinterfaces of -standard Ethernet interfaces. Each subinterface has a unique MAC address but -shares a single physical Ethernet port. -That allows the user to send packets from different source IPv4 or IPv6 addresses -using a different MAC address. - -Pseudo-Ethernet interfaces behave like physical Ethernet interfaces. They -support IPv4 and IPv6 addressing, can obtain IP addresses through DHCP or -DHCPv6, and are mapped to a physical Ethernet port. They inherit -characteristics such as speed and duplex from their parent interface and can -be referenced like standard Ethernet interfaces once created. - -```{eval-rst} -Pseudo-Ethernet interfaces may not work in environments that require a - :abbr:`NIC (Network Interface Card)` to have only one MAC address. - This includes: - - * VMware machines with default settings. - * Network switches that permit only a single MAC address. - * xDSL modems that learn the NIC's MAC address. -``` - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-common-with-dhcp.txt -:var0: pseudo-ethernet -:var1: peth0 -``` - -### MACVLAN (pseudo-Ethernet) options - -```{cfgcmd} set interfaces pseudo-ethernet \<interface\> source-interface \<ethX\> - -Assign a physical Ethernet interface to the specified pseudo-Ethernet interface. -``` - -### VLAN - -```{cmdincludemd} /_include/interface-vlan-8021q.txt -:var0: pseudo-ethernet -:var1: peth0 -```
\ No newline at end of file diff --git a/docs/configuration/interfaces/md-sstp-client.md b/docs/configuration/interfaces/md-sstp-client.md deleted file mode 100644 index da98aecd..00000000 --- a/docs/configuration/interfaces/md-sstp-client.md +++ /dev/null @@ -1,170 +0,0 @@ ---- -lastproofread: '2026-03-16' ---- - -(sstp-client-interface)= - -# SSTP client - -{abbr}`SSTP (Secure Socket Tunneling Protocol)` transports PPP traffic over an -SSL/TLS channel, providing transport-level security through key negotiation, -encryption, and traffic integrity checking. The use of SSL/TLS over TCP port -443 (by default, the port can be changed) allows SSTP to pass through virtually -all firewalls and proxy servers, except for authenticated web proxies. - -:::{note} -VyOS includes a built-in SSTP server. For more information, see -{ref}`sstp`. -::: - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-description.txt -:var0: sstpc -:var1: sstpc0 -``` - -```{cmdincludemd} /_include/interface-disable.txt -:var0: sstpc -:var1: sstpc0 -``` - -```{cmdincludemd} /_include/interface-mtu.txt -:var0: sstpc -:var1: sstpc0 -``` - -```{cmdincludemd} /_include/interface-vrf.txt -:var0: sstpc -:var1: sstpc0 -``` - - -### SSTP client options - -```{cfgcmd} set interfaces sstpc \<interface\> no-default-route - -Request an IP address from the SSTP server without installing a default route. - -Example: - -:::{code-block} none -set interfaces sstpc sstpc0 no-default-route -::: -:::{note} Introduced in VyOS 1.4, this command inverts the logic of the former -``default-route`` CLI option. -::: -``` - -```{cfgcmd} set interfaces sstpc \<interface\> default-route-distance \<distance\> - -Configure the distance for the default gateway provided by the SSTP server. - -Example: - -:::{code-block} none -set interfaces sstpc sstpc0 default-route-distance 220 -::: -``` - -```{cfgcmd} set interfaces sstpc \<interface\> no-peer-dns - -Disable the installation of advertised DNS nameservers on the local system. -``` - -```{cfgcmd} set interfaces sstpc \<interface\> server \<address\> - -**Configure the remote SSTP server address for the client connection.** - -The address can be either an IP address or a {abbr}`FQDN (Fully Qualified -Domain Name)`. -``` - -```{cfgcmd} set interfaces sstpc \<interface\> ip adjust-mss \<mss | clamp-mss-to-pmtu\> - -**Configure the** {abbr}`MSS (Maximum Segment Size)` **advertised in outgoing -TCP SYN packets on the specified interface.** - -By clamping the MSS value in TCP SYN packets, you instruct the remote side not -to send packets larger than the specified size. This helps prevent connection -issues if {abbr}`PMTUD (Path MTU Discovery)` fails. - -The following options are available: - -* ``mss``: Sets the MSS to a specific value in bytes. -* ``clamp-mss-to-pmtu``: Sets the MSS to the interface’s MTU minus 40 bytes for -IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). -This option is recommended to automatically set the proper value. - -:::{note} Introduced in VyOS 1.4, this command replaces the older ``set firewall -options interface <name> adjust-mss <value>`` syntax. -::: -``` - -```{cfgcmd} set interfaces sstpc \<interface\> ip disable-forwarding - -**Configure the interface for host or router behavior.** - -If configured, the interface switches to host mode, and IPv4 forwarding is -disabled on it. -``` - -```{cfgcmd} set interfaces sstpc \<interface\> ip source-validation \<strict | loose | disable\> - -**Configure source IP address validation using** -{abbr}`RPF (Reverse Path Forwarding)` **on this interface, as specified in** -{rfc}`3704`. - -The following options are available: - -* ``strict``: Each incoming packet’s source IP address is checked against the -{abbr}`FIB (Forwarding Information Base)`. If the interface is not the best -route back to that source, validation fails, and the packet is dropped. -* ``loose``: Each incoming packet’s source IP address is checked against the -{abbr}`FIB (Forwarding Information Base)`. If the source IP address is -unreachable through any interface, validation fails. -* ``disable``: No source IP address validation is performed. All incoming -packets are accepted. - -{rfc}`3704` recommends enabling ``strict`` mode to prevent IP spoofing, such as -DDoS attacks. For asymmetric or other complex routing scenarios, use ``loose`` -mode. -``` - - -## Operation - -```{opcmd} show interfaces sstpc \<interface\> - -Show detailed information about the specified interface. - -:::{code-block} none -vyos@vyos:~$ show interfaces sstpc sstpc10 -sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3 - link/ppp - inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10 - valid_lft forever preferred_lft forever - inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 215 9 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 539 14 0 0 0 0 -::: -``` - - -### Connect/disconnect - -```{opcmd} disconnect interface \<interface\> - -Disconnect the specified interface. -``` - -```{opcmd} connect interface \<interface\> - -Initiate a session on the specified interface. -```
\ No newline at end of file diff --git a/docs/configuration/interfaces/md-tunnel.md b/docs/configuration/interfaces/md-tunnel.md deleted file mode 100644 index 6b50a924..00000000 --- a/docs/configuration/interfaces/md-tunnel.md +++ /dev/null @@ -1,304 +0,0 @@ ---- -lastproofread: '2026-01-23' ---- - -(tunnel-interface)= - -# Tunnel - -Tunnel interfaces are virtual links that transmit encapsulated traffic between -private networks or hosts across public infrastructure, such as the Internet. -They operate using encapsulation protocols to wrap original traffic for -transport. The supported protocols include {abbr}`GRE (Generic Routing -Encapsulation)`, IPIP, IPIP6, IP6IP6, and 6in4 (SIT). - -While {abbr}`GRE (Generic Routing Encapsulation)` is often the preferred -one-size-fits-all solution due to its versatility, other encapsulation -protocols may be better suited for specific use cases. - -VyOS uses a single tunnel interface type for all of these protocols. There are -no separate {abbr}`GRE (Generic Routing Encapsulation)`, IPIP, or IP6IP6 -interface types; instead, the desired encapsulation protocol is selected within -the `set interfaces tunnel` configuration. - -Configuration options for each protocol are described below. - -:::{warning} -Do not change the encapsulation type for already configured tunnel -interfaces, as this may break their dependent configurations. -::: - -## Common interface configuration - -```{eval-rst} -.. cmdincludemd:: /_include/interface-address.txt - :var0: tunnel - :var1: tun0 -``` - -```{eval-rst} -.. cmdincludemd:: /_include/interface-common-without-mac.txt - :var0: tunnel - :var1: tun0 -``` - -## IPIP - -IPIP is a straightforward encapsulation protocol defined in RFC 2003. It -encapsulates one IPv4 packet inside another IPv4 packet. - -Tunnels with IPIP encapsulation do not have protocol-specific configuration -options except for explicitly defining the encapsulation type as IPIP (see -the example below). - -Example: - -```none -set interfaces tunnel tun0 encapsulation ipip -set interfaces tunnel tun0 source-address 192.0.2.10 -set interfaces tunnel tun0 remote 203.0.113.20 -set interfaces tunnel tun0 address 192.168.100.200/24 -``` - -## IP6IP6 - -IP6IP6 is the IPv6 counterpart to IPIP. It encapsulates one IPv6 packet inside -another IPv6 packet. - -Similar to their IPIP counterparts, tunnels with IP6IP6 encapsulation do not -have protocol-specific configuration options except for explicitly defining -the encapsulation type as IP6IP6. - -Example: - -```none -set interfaces tunnel tun0 encapsulation ip6ip6 -set interfaces tunnel tun0 source-address 2001:db8:aa::1 -set interfaces tunnel tun0 remote 2001:db8:aa::2 -set interfaces tunnel tun0 address 2001:db8:bb::1/64 -``` - -## IPIP6 - -IPIP6 is an encapsulation protocol that wraps IPv4 packets inside IPv6 packets. - -Similar to IPIP and IP6IP6, protocol-specific configuration for tunnels with -IPIP6 encapsulation only requires defining the encapsulation type as IP6IP6. - -Example: - -```none -set interfaces tunnel tun0 encapsulation ipip6 -set interfaces tunnel tun0 source-address 2001:db8:aa::1 -set interfaces tunnel tun0 remote 2001:db8:aa::2 -set interfaces tunnel tun0 address 192.168.70.80/24 -``` - -## 6in4 (SIT) - -6in4, also known as {abbr}`SIT (Simple Internet Transition)`, is an -encapsulation protocol defined in {rfc}`4213` that wraps IPv6 packets -inside IPv4 packets. The encapsulating IPv4 headers use IP protocol number 41, -which is reserved exclusively for IPv6 encapsulation. - -The encapsulation process adds a 20-byte IPv4 header to each IPv6 packet. -Consequently, 6in4 tunnel interfaces can transmit IPv6 packets up to 1480 bytes -over an underlying network with a standard MTU of 1500 bytes without -fragmentation. - -6in4 tunnel interfaces are frequently used by IPv6 tunnel brokers (such as -[Hurricane Electric]) to connect isolated IPv6 networks or individual hosts to -the IPv6 internet. - -Example: - -```none -set interfaces tunnel tun0 encapsulation sit -set interfaces tunnel tun0 source-address 192.0.2.10 -set interfaces tunnel tun0 remote 192.0.2.20 -set interfaces tunnel tun0 address 2001:db8:bb::1/64 -``` - -```{eval-rst} -.. seealso:: For a practical configuration example, see the - {ref}`Tunnelbroker.net (IPv6) <examples-tunnelbroker-ipv6>` section. -``` - -## Generic Routing Encapsulation (GRE) - -{abbr}`GRE (Generic Routing Encapsulation)` is a versatile encapsulation -protocol defined in RFC 2784. Unlike simpler protocols such as IPIP, it allows -both IPv4 and IPv6 to be transported through the same tunnel. - -{abbr}`GRE (Generic Routing Encapsulation)` encapsulates original data packets -by adding a {abbr}`GRE (Generic Routing Encapsulation)` header, followed by an -IP header (the delivery header). The delivery header uses IP protocol number 47 -to identify {abbr}`GRE (Generic Routing Encapsulation)`-encapsulated traffic. - -In VyOS, {abbr}`GRE (Generic Routing Encapsulation)` tunnels can be established -over both IPv4 (encapsulation `gre`) and IPv6 (encapsulation `ip6gre`) -transport networks. - -### Configuration - -To configure a {abbr}`GRE (Generic Routing Encapsulation)` tunnel, you need to -define a tunnel source IP address, a tunnel destination IP address, an -encapsulation type ({abbr}`GRE (Generic Routing Encapsulation)`), and a tunnel -interface IP address. - -Example: - -The following example shows how to configure an IPv4/IPv6-over-IPv6 {abbr}`GRE -(Generic Routing Encapsulation)` tunnel between a VyOS router and a Linux host -running `systemd-networkd`. - -**VyOS router:** - -```none -set interfaces tunnel tun101 address '2001:db8:feed:beef::1/126' -set interfaces tunnel tun101 address '192.168.5.1/30' -set interfaces tunnel tun101 encapsulation 'ip6gre' -set interfaces tunnel tun101 source-address '2001:db8:babe:face::3afe:3' -set interfaces tunnel tun101 remote '2001:db8:9bb:3ce::5' -``` - -**Linux** `systemd-networkd`: - -The `systemd-networkd` setup requires two configuration files: `xxx.netdev` -to create the {abbr}`GRE (Generic Routing Encapsulation)` tunnel interface, and -`xxx.network` to assign IP addresses to it. - -```none -# cat /etc/systemd/network/gre-example.netdev -[NetDev] -Name=gre-example -Kind=ip6gre -MTUBytes=14180 - -[Tunnel] -Remote=2001:db8:babe:face::3afe:3 - - -# cat /etc/systemd/network/gre-example.network -[Match] -Name=gre-example - -[Network] -Address=2001:db8:feed:beef::2/126 - -[Address] -Address=192.168.5.2/30 -``` - -### GRE keys - -A GRE key is an optional 32-bit field in the GRE header that allows multiple -GRE tunnels to operate between the same source and destination endpoints. When -a packet arrives, the receiver checks the GRE key to determine which tunnel -interface should process it. - -Although it may sound security-related, the GRE key is only an identifier and -provides no encryption or data protection. - -Example: - -```none -set interfaces tunnel tun0 source-address 192.0.2.10 -set interfaces tunnel tun0 remote 192.0.2.20 -set interfaces tunnel tun0 address 10.40.50.60/24 -set interfaces tunnel tun0 parameters ip key 10 -``` - -```none -set interfaces tunnel tun1 source-address 192.0.2.10 -set interfaces tunnel tun1 remote 192.0.2.20 -set interfaces tunnel tun1 address 172.16.17.18/24 -set interfaces tunnel tun1 parameters ip key 20 -``` - -### GRETAP - -Unlike GRE, which encapsulates only Layer 3 (IP) traffic, GRETAP encapsulates -Layer 2 (Ethernet) frames. - -That means that GRETAP tunnel interfaces can be members of a bridge interface. -This allows two geographically distant sites to connect as if they were on the -same LAN. - -GRETAP tunnels can be established over both IPv4 and IPv6 transport networks. - -Example: - -```none -set interfaces bridge br0 member interface eth0 -set interfaces bridge br0 member interface tun0 -set interfaces tunnel tun0 encapsulation gretap -set interfaces tunnel tun0 source-address 198.51.100.2 -set interfaces tunnel tun0 remote 203.0.113.10 -``` - -### Troubleshooting - -GRE is a standardized tunneling protocol used in many network environments. - -Although the GRE tunnel setup is straightforward, connectivity failures -frequently occur because ACLs or firewall rules block IP protocol 47 or -prevent direct communication between the tunnel endpoints. - -If your GRE tunnel fails to establish, perform these diagnostic steps: - -1\. Verify that the remote peer is reachable from the configured -`source-address`. - -This ensures that the underlying physical path between the two endpoints is -functional. - -```none -vyos@vyos:~$ ping 203.0.113.10 interface 198.51.100.2 count 4 -PING 203.0.113.10 (203.0.113.10) from 198.51.100.2 : 56(84) bytes of data. -64 bytes from 203.0.113.10: icmp_seq=1 ttl=254 time=0.807 ms -64 bytes from 203.0.113.10: icmp_seq=2 ttl=254 time=1.50 ms -64 bytes from 203.0.113.10: icmp_seq=3 ttl=254 time=0.624 ms -64 bytes from 203.0.113.10: icmp_seq=4 ttl=254 time=1.41 ms - ---- 203.0.113.10 ping statistics --- -4 packets transmitted, 4 received, 0% packet loss, time 3007ms -rtt min/avg/max/mdev = 0.624/1.087/1.509/0.381 ms -``` - -2\. Verify that the tunnel interface is correctly configured (with the link type -set to GRE) and is actively processing traffic. - -```none -vyos@vyos:~$ show interfaces tunnel tun100 -tun100@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000 - link/gre 198.51.100.2 peer 203.0.113.10 - inet 10.0.0.1/30 brd 10.0.0.3 scope global tun100 - valid_lft forever preferred_lft forever - inet6 fe80::5efe:c612:2/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 2183 27 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 836 9 0 0 0 0 -``` - -3\. Test the connection through the tunnel using the private IP addresses -assigned to each tunnel endpoint. - -```none -vyos@vyos:~$ ping 10.0.0.2 interface 10.0.0.1 count 4 -PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data. -64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=1.05 ms -64 bytes from 10.0.0.2: icmp_seq=2 ttl=255 time=1.88 ms -64 bytes from 10.0.0.2: icmp_seq=3 ttl=255 time=1.98 ms -64 bytes from 10.0.0.2: icmp_seq=4 ttl=255 time=1.98 ms - ---- 10.0.0.2 ping statistics --- -4 packets transmitted, 4 received, 0% packet loss, time 3008ms -rtt min/avg/max/mdev = 1.055/1.729/1.989/0.395 ms -``` - -[hurricane electric]: https://tunnelbroker.net/ -[other proposals]: https://www.isc.org/othersoftware/ diff --git a/docs/configuration/interfaces/md-virtual-ethernet.md b/docs/configuration/interfaces/md-virtual-ethernet.md deleted file mode 100644 index dee1b332..00000000 --- a/docs/configuration/interfaces/md-virtual-ethernet.md +++ /dev/null @@ -1,119 +0,0 @@ ---- -lastproofread: '2026-01-26' ---- - -(virtual-ethernet)= - -# Virtual Ethernet - -Virtual Ethernet (veth) interfaces are software-based interfaces that operate -in pairs, creating a tunnel between each other. Traffic transmitted into one -interface of the pair (e.g., `veth0`) is delivered directly to its peer -interface (e.g., `veth1`). - -Veth interfaces are commonly used to connect network namespaces or VRFs, but -they can also function as standalone virtual network interfaces. - -:::{note} -Veth interfaces must be created in pairs, where each interface acts -as the peer of the other. -::: - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-address-with-dhcp.txt -:var0: virtual-ethernet -:var1: veth0 -``` - -```{cmdincludemd} /_include/interface-description.txt -:var0: virtual-ethernet -:var1: veth0 -``` - - -### VLAN - -#### Regular VLANs (802.1q) - -```{cmdincludemd} /_include/interface-vlan-8021q.txt -:var0: virtual-ethernet -:var1: veth0 -``` - - -#### 802.1ad (QinQ) - -```{cmdincludemd} /_include/interface-vlan-8021ad.txt -:var0: virtual-ethernet -:var1: veth0 -``` - -```{cmdincludemd} /_include/interface-disable.txt -:var0: virtual-ethernet -:var1: veth0 -``` - -```{cmdincludemd} /_include/interface-vrf.txt -:var0: virtual-ethernet -:var1: veth0 -``` - - -## Operation - -```{opcmd} show interfaces virtual-ethernet - -Show brief interface information. - -:::{code-block} none -vyos@vyos:~$ show interfaces virtual-ethernet -Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down -Interface IP Address S/L Description ---------- ---------- --- ----------- -veth10 100.64.0.0/31 u/u -veth11 100.64.0.1/31 u/u -::: -``` - -```{opcmd} show interfaces virtual-ethernet \<interface\> - -Show detailed interface information. - -:::{code-block} none -vyos@vyos:~$ show interfaces virtual-ethernet veth11 -10: veth11@veth10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master red state UP group default qlen 1000 -link/ether b2:7b:df:47:e9:11 brd ff:ff:ff:ff:ff:ff -inet 100.64.0.1/31 scope global veth11 -valid_lft forever preferred_lft forever -inet6 fe80::b07b:dfff:fe47:e911/64 scope link -valid_lft forever preferred_lft forever - -RX: bytes packets errors dropped overrun mcast -0 0 0 0 0 0 -TX: bytes packets errors dropped carrier collisions -1369707 4267 0 0 0 0 -::: -``` - - -## Example - -The following example shows how to connect the global VRF to VRF ‘red ‘ using -the `veth10` and `veth11` veth pair. - -```none -set interfaces virtual-ethernet veth10 address '100.64.0.0/31' -set interfaces virtual-ethernet veth10 peer-name 'veth11' -set interfaces virtual-ethernet veth11 address '100.64.0.1/31' -set interfaces virtual-ethernet veth11 peer-name 'veth10' -set interfaces virtual-ethernet veth11 vrf 'red' -set vrf name red table '1000' - -vyos@vyos:~$ ping 100.64.0.1 -PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data. -64 bytes from 100.64.0.1: icmp_seq=1 ttl=64 time=0.080 ms -64 bytes from 100.64.0.1: icmp_seq=2 ttl=64 time=0.119 ms -``` diff --git a/docs/configuration/interfaces/md-vti.md b/docs/configuration/interfaces/md-vti.md deleted file mode 100644 index 461a3388..00000000 --- a/docs/configuration/interfaces/md-vti.md +++ /dev/null @@ -1,53 +0,0 @@ -# VTI - Virtual Tunnel Interface - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -Set Virtual Tunnel Interface - -``` none -set interfaces vti vti0 address 192.168.2.249/30 -set interfaces vti vti0 address 2001:db8:2::249/64 -``` - -Results in: - -``` none -vyos@vyos# show interfaces vti -vti vti0 { - address 192.168.2.249/30 - address 2001:db8:2::249/64 - description "Description" -} -``` - -<div class="warning"> - -<div class="title"> - -Warning - -</div> - -When using site-to-site IPsec with VTI interfaces, -be sure to disable route autoinstall - -</div> - -``` none -set vpn ipsec options disable-route-autoinstall -``` - -More details about the IPsec and VTI issue and option disable-route-autoinstall -<https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july> - -The root cause of the problem is that for VTI tunnels to work, their traffic -selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even -though actual routing decision is made according to netfilter marks. Unless -route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a -default route through the VTI peer address, which makes all traffic routed -to nowhere. diff --git a/docs/configuration/interfaces/md-vxlan.md b/docs/configuration/interfaces/md-vxlan.md deleted file mode 100644 index 8dae75ff..00000000 --- a/docs/configuration/interfaces/md-vxlan.md +++ /dev/null @@ -1,373 +0,0 @@ ---- -lastproofread: '2026-03-16' ---- - -(vxlan-interface)= - -# VXLAN - -{abbr}`VXLAN (Virtual Extensible LAN)` is a network virtualization technology -that addresses scalability challenges in large cloud computing environments. -It encapsulates Ethernet frames (Layer 2) within UDP datagrams (Layer 4), which -are then transmitted via UDP port 4789, as assigned by IANA. VXLAN endpoints, -called {abbr}`VTEPs (VXLAN tunnel endpoints)`, terminate VXLAN tunnels and can -be either virtual or physical switch ports. - -VXLAN supports up to 16 million logical networks and enables Layer 2 adjacency -across Layer 3 IP networks. It uses multicast or unicast with head-end -replication (HER) to flood broadcast, unknown unicast, and multicast (BUM) -traffic. - -The VXLAN specification was initially developed by VMware, Arista Networks, and -Cisco. Other supporters include Huawei, Broadcom, Citrix, Pica8, Big Switch -Networks, Cumulus Networks, Dell EMC, Ericsson, Mellanox, FreeBSD, OpenBSD, Red -Hat, Joyent, and Juniper Networks. - -VXLAN is officially documented by the IETF in {rfc}`7348`. - -When configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing -(Hyper-V) or Forged Transmits (ESX) are permitted. Otherwise, the hypervisor -may block forwarded frames. - -:::{note} -Although the IANA-assigned VXLAN port is **4789**, VyOS uses the -Linux default UDP port **8472** for VXLAN interfaces. To ensure compatibility -with other vendors, set the port to the IANA standard **4789**. -::: - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-common-without-dhcp.txt -:var0: vxlan -:var1: vxlan0 -``` - - -### VXLAN-specific options - -```{cfgcmd} set interfaces vxlan \<interface\> vni \<number\> - -**Configure a** {abbr}`VNI (VXLAN Network Identifier)` **for the VXLAN -interface.** - -Each VXLAN segment is identified by this 24-bit VNI, allowing up to 16 million -segments to coexist within the same administrative domain. -``` - -```{cfgcmd} set interfaces vxlan \<interface\> port \<port\> - -Configure the UDP port of the remote VXLAN endpoint. - -:::{note} -Although the IANA-assigned VXLAN port is **4789**, VyOS uses the -Linux default UDP port **8472** for VXLAN interfaces. -::: -``` - -```{cfgcmd} set interfaces vxlan \<interface\> source-address \<address\> - -Configure the source IP address for the VXLAN underlay. - -:::{warning} -This setting is mandatory when deploying VXLAN via L2VPN/EVPN. -::: -``` - -```{cfgcmd} set interfaces vxlan \<interface\> gpe - -**Enable the** {abbr}`GPE (Generic Protocol Extension)` **for the VXLAN -interface.** - -To use this feature, you must configure the interface with the ``external`` -parameter. -``` - -```{cfgcmd} set interfaces vxlan \<interface\> parameters external - -**Configure the VXLAN interface to use an external control plane, such as BGP -L2VPN/EVPN, for remote endpoint discovery.** - -If not configured, the internal {abbr}`FDB (Forwarding Database)` is used. -``` - -```{cfgcmd} set interfaces vxlan \<interface\> parameters neighbor-suppress - -**Enable ARP and ND suppression on the VXLAN interface.** - -This reduces ARP and ND message flooding across the VXLAN network. As defined -in {rfc}`7432#section-10`, participating VTEPs use known MAC-to-IP bindings -to reply to local requests on behalf of remote hosts. -``` - -```{cfgcmd} set interfaces vxlan \<interface\> parameters nolearning - -Disable {abbr}`SLLA (Source Link-Layer Address)` and IP address learning on -the VXLAN interface. -``` - -```{cfgcmd} set interfaces vxlan \<interface\> parameters vni-filter - -**Enable** {abbr}`VNI (VXLAN Network Identifier)` **filtering on the VXLAN -interface.** - -When enabled, the interface only receives packets with VNIs configured in its -VNI filtering table. - -:::{note} -VNI filtering works only if the interface is configured with the -``external`` parameter. -::: -``` - - -#### Unicast - -```{cfgcmd} set interfaces vxlan \<interface\> remote \<address\> - -**Configure the IPv4 or IPv6 address of the remote VTEP.** - -Unlike multicast setups, this command allows you to directly configure the -remote IPv4 or IPv6 address. -``` - - -#### Multicast - -```{cfgcmd} set interfaces vxlan \<interface\> source-interface \<interface\> - -**Configure the source interface for the VXLAN underlay.** - -All VXLAN traffic is sent and received through the specified interface. -This setting is mandatory when deploying VXLAN over a multicast network. -``` - -```{cfgcmd} set interfaces vxlan \<interface\> group \<address\> - -**Configure the IPv4 or IPv6 multicast group address for the VXLAN interface.** - -VXLAN tunnels can be built using either multicast group or unicast IP addresses. -``` - - -## Multicast VXLAN - -Topology: PC4 - Leaf2 - Spine1 - Leaf3 - PC5 - -PC4 uses the IP address `10.0.0.4/24`, and PC5 uses the IP address -`10.0.0.5/24`. Both devices assume they reside within the same broadcast -domain. - -Assume PC4 on Leaf2 pings PC5 on Leaf3. Rather than manually specifying Leaf3 -as the remote endpoint, Leaf2 encapsulates the packet into a UDP datagram and -sends it to the designated multicast address via Spine1. Spine1 forwards the -packet to all leaves in the same multicast group, including Leaf3. Upon -receiving the datagram, Leaf3 forwards it to PC5 and learns that PC4 is -reachable through Leaf2 by inspecting the source IP in the encapsulated -datagram. - -PC5 receives the ping and responds with an echo reply. Leaf3, now aware of -PC4's location, forwards the reply directly to Leaf2's unicast address. Upon -receiving the echo reply, Leaf2 learns that PC5 is reachable through Leaf3. - -After this discovery, subsequent traffic between PC4 and PC5 will not use the -multicast address between the leaves, as both leaves have learned the PCs' -locations. This reduces multicast traffic and network load, improving -scalability as more leaves are added. - -## Single VXLAN device (SVD) - -In VyOS, you can configure multiple **VLAN-to-VNI mappings** for EVPN-VXLAN on -a single container interface, known as a single VXLAN device (SVD). This -enables significant VNI scaling because a separate VXLAN interface is not -required for each VNI. - -```{cfgcmd} set interfaces vxlan \<interface\> vlan-to-vni \<vlan\> vni \<vni\> - -**Map a VLAN ID to a VNI on the specified VXLAN interface.** - -The VXLAN interface can be added to a bridge. - -The following example shows an SVD configuration with multiple VLAN-to-VNI -mappings. - -:::{code-block} none -set interfaces bridge br0 member interface vxlan0 -set interfaces vxlan vxlan0 parameters external -set interfaces vxlan vxlan0 source-interface 'dum0' -set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' -set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' -set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030' -set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031' -::: -``` - - -### Example - -The following example demonstrates a multicast VXLAN deployment. - -The setup includes three routers: Spine1, a Cisco IOS router, and Leaf2 and -Leaf3, which are VyOS routers. - -**Topology:** Leaf2 - Spine1 - Leaf3. - -The topology is built using GNS3. - -```none -Spine1: -fa0/2 towards Leaf2, IP-address: 10.1.2.1/24 -fa0/3 towards Leaf3, IP-address: 10.1.3.1/24 - -Leaf2: -Eth0 towards Spine1, IP-address: 10.1.2.2/24 -Eth1 towards a VLAN-aware switch - -Leaf3: -Eth0 towards Spine1, IP-address 10.1.3.3/24 -Eth1 towards a VLAN-aware switch -``` - -**Spine1 configuration:** - -```none -conf t -ip multicast-routing -! -interface fastethernet0/2 - ip address 10.1.2.1 255.255.255.0 - ip pim sparse-dense-mode -! -interface fastethernet0/3 - ip address 10.1.3.1 255.255.255.0 - ip pim sparse-dense-mode -! -router ospf 1 - network 10.0.0.0 0.255.255.255 area 0 -``` - -Multicast routing is required for scalable traffic forwarding between leaves. -{abbr}`PIM (Protocol Independent Multicast)` must be enabled towards the leaves -so the spine can learn from which multicast groups each leaf expects traffic. - -**Leaf2 configuration:** - -```none -set interfaces ethernet eth0 address '10.1.2.2/24' -set protocols ospf area 0 network '10.0.0.0/8' - -! First VXLAN interface -set interfaces bridge br241 address '172.16.241.1/24' -set interfaces bridge br241 member interface 'eth1.241' -set interfaces bridge br241 member interface 'vxlan241' - -set interfaces vxlan vxlan241 group '239.0.0.241' -set interfaces vxlan vxlan241 source-interface 'eth0' -set interfaces vxlan vxlan241 vni '241' - -! Second VXLAN interface -set interfaces bridge br242 address '172.16.242.1/24' -set interfaces bridge br242 member interface 'eth1.242' -set interfaces bridge br242 member interface 'vxlan242' - -set interfaces vxlan vxlan242 group '239.0.0.242' -set interfaces vxlan vxlan242 source-interface 'eth0' -set interfaces vxlan vxlan242 vni '242' -``` - -**Leaf3 configuration:** - -```none -set interfaces ethernet eth0 address '10.1.3.3/24' -set protocols ospf area 0 network '10.0.0.0/8' - -! First VXLAN interface -set interfaces bridge br241 address '172.16.241.1/24' -set interfaces bridge br241 member interface 'eth1.241' -set interfaces bridge br241 member interface 'vxlan241' - -set interfaces vxlan vxlan241 group '239.0.0.241' -set interfaces vxlan vxlan241 source-interface 'eth0' -set interfaces vxlan vxlan241 vni '241' - -! Second VXLAN interface -set interfaces bridge br242 address '172.16.242.1/24' -set interfaces bridge br242 member interface 'eth1.242' -set interfaces bridge br242 member interface 'vxlan242' - -set interfaces vxlan vxlan242 group '239.0.0.242' -set interfaces vxlan vxlan242 source-interface 'eth0' -set interfaces vxlan vxlan242 vni '242' -``` - -The configurations for Leaf2 and Leaf3 are nearly identical. Detailed -explanations for each command are provided below. - -```none -set interfaces bridge br241 address '172.16.241.1/24' -``` - -This command creates a bridge to bind traffic on `eth1` VLAN 241 with the -`vxlan241` interface. The IP address is optional. If configured, it can serve -as the default gateway for each leaf, allowing devices on the VLAN to reach -other subnets. Subnets must be redistributed by {abbr}`OSPF (Open Shortest Path -First)` so the spine can learn how to reach them. To advertise `172.16/12` -networks, change the {abbr}`OSPF (Open Shortest Path First)` network from -`10.0.0.0/8` to `0.0.0.0/0`. - -```none -set interfaces bridge br241 member interface 'eth1.241' -set interfaces bridge br241 member interface 'vxlan241' -``` - -These commands bind `eth1.241` and `vxlan241` as member interfaces of the -same bridge. - -```none -set interfaces vxlan vxlan241 group '239.0.0.241' -``` - -This command configures the multicast group used by all leaves for this VLAN -extension. It must be the same on all leaves that have this interface. - -```none -set interfaces vxlan vxlan241 source-interface 'eth0' -``` - -This command configures the interface that listens for multicast packets. It -can also be a loopback interface. - -```none -set interfaces vxlan vxlan241 vni '241' -``` - -This command configures the unique ID for the VXLAN interface. - -```none -set interfaces vxlan vxlan241 port 12345 -``` - -VyOS uses the Linux default UDP port **8472** for VXLAN interfaces. This -command allows you to configure a different UDP port. - -## Unicast VXLAN - -As an alternative to multicast, you can configure the VXLAN tunnel by -specifying the remote IPv4 address directly. The following updates the previous -multicast example: - -```none -# leaf2 and leaf3 -delete interfaces vxlan vxlan241 group '239.0.0.241' -delete interfaces vxlan vxlan241 source-interface 'eth0' - -# leaf2 -set interfaces vxlan vxlan241 remote 10.1.3.3 - -# leaf3 -set interfaces vxlan vxlan241 remote 10.1.2.2 -``` - -The default UDP port is 8472. To configure a different port, use `set -interfaces vxlan <vxlanN> port <port>`. diff --git a/docs/configuration/interfaces/md-wireguard.md b/docs/configuration/interfaces/md-wireguard.md deleted file mode 100644 index 27003282..00000000 --- a/docs/configuration/interfaces/md-wireguard.md +++ /dev/null @@ -1,441 +0,0 @@ ---- -lastproofread: '2026-03-02' ---- - -(wireguard)= - -# WireGuard - -WireGuard is an extremely simple, fast, and modern VPN that utilizes -state-of-the-art cryptography. See <https://www.wireguard.com> for more -information. - -## Site-to-site VPN - -The following diagram illustrates a site-to-site VPN setup. - -:::{figure} /_static/images/wireguard_site2site_diagram.webp -::: - -## Keypairs - -WireGuard requires a keypair, which includes a **private** key -to decrypt incoming traffic, and a **public** key for peer(s) to encrypt -outgoing traffic. - -### Generate keypair - -```{eval-rst} -.. opcmd:: generate pki wireguard key-pair - - Generate a keypair: a public and a private key. - - .. note:: This command only outputs the keys to your console. It neither stores - them in the system nor applies them to the system configuration. - - - .. code-block:: none - - vyos@vyos:~$ generate pki wireguard key-pair - Private key: iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY= - Public key: EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw= -``` - -```{eval-rst} -.. opcmd:: generate pki wireguard key-pair install interface <interface> - - Generate a keypair and output the private key assignment command for the - specified interface. - - .. code-block:: none - - vyos@vyos:~$ generate pki wireguard key-pair install interface wg10 - "generate" CLI command executed from operational level. - Generated private key is not automatically added to the VyOS configuration, use the following configuration mode commands to install key: - - set interfaces wireguard wg10 private-key '4Krkv8h6NkAYMMaBWI957yYDJDMvj9URTHstdlOcDU0=' - - Corresponding public-key to use on peer system is: 'UxDsYT6EnpTIOKUzvMlw2p0sNOKQvFxEdSVrnNrX1Ro=' - - .. note:: If you invoke this command from configuration mode with the ``run`` - prefix, the generated private key is automatically assigned to the specified - interface. - - .. code-block:: none - - vyos@vyos# run generate pki wireguard key-pair install interface wg10 - "generate" CLI command executed from config session. - Generated private-key was imported to CLI! - - Use the following command to verify: show interfaces wireguard wg10 - Corresponding public-key to use on peer system is: '7d9KwabjLhHpJiEJeIGd0CBlao/eTwFOh6xyCovTfG8=' - - vyos@vyos# compare - [edit interfaces] - +wireguard wg10 { - + private-key CJweb8FC6BU3Loj4PC2pn5V82cDjIPs7G1saW0ZfLWc= - +} -``` - -```{eval-rst} -.. opcmd:: show interfaces wireguard <interface> public-key - - Show the public key assigned to the interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wireguard wg01 public-key - EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw= - -``` - -#### Optional - -```{eval-rst} -.. opcmd:: generate pki wireguard preshared-key - - Generate a pre-shared key. - - The pre-shared key is optional. It adds an additional layer of symmetric-key - cryptography on top of the asymmetric cryptography. - - .. code-block:: none - - vyos@vyos:~$ generate pki wireguard preshared-key - Pre-shared key: OHH2EwZfMNK+1L6BXbYw3bKCtMrfjpR4mCAEeBlFnRs= - -``` - -```{eval-rst} -.. opcmd:: generate pki wireguard preshared-key install interface <interface> peer <peer> - - Generate a pre-shared key and output the key assignment command for the - specified peer. - - .. code-block:: none - - vyos@vyos:~$ generate pki wireguard preshared-key install interface wg10 peer foo - "generate" CLI command executed from operational level. - Generated preshared-key is not stored to CLI, use configure mode commands to install key: - - set interfaces wireguard wg10 peer foo preshared-key '32vQ1w1yFKTna8n7Gu7EimubSe2Y63m8bafz55EG3Ro=' - - Pre-shared key: +LuaZ8W6DjsDFJFX3jJzoNqrsXHhvq08JztM9z8LHCs= - - - .. note:: If you invoke this command from configuration mode with the run - prefix, the generated key is automatically assigned to the specified peer. - -``` - -## Interface configuration - -The next step is to configure your local WireGuard interface and define the -networks you want to tunnel (`allowed-ips`). - -If your system only initiates connections, specifying the listen port is -optional. If your system accepts incoming connections, you must define a port -for peers to connect to. Otherwise, WireGuard selects a random port at each -reboot, and that may break your peers' ability to connect if that port is not enabled in your firewall rules. - -To configure a WireGuard tunnel, you also need your peer's public key. - -:::{note} -The public key specified in the peer configuration block is always -the **remote** peer's public key, never your local one. -::: - -**Local side configuration** - -The local side is configured with the following parameters: - -- Local WireGuard interface IP: `10.1.0.1/30` -- Local listen port: `51820` -- Remote peer name: `to-wg02` -- Remote peer endpoint: `192.0.2.1` on port `51820` -- Remote peer public key: `XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI=` -- Allowed networks: `192.168.2.0/24` - -```none -set interfaces wireguard wg01 address '10.1.0.1/30' -set interfaces wireguard wg01 description 'VPN-to-wg02' -set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24' -set interfaces wireguard wg01 peer to-wg02 address '192.0.2.1' -set interfaces wireguard wg01 peer to-wg02 port '51820' -set interfaces wireguard wg01 peer to-wg02 public-key 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI=' -set interfaces wireguard wg01 port '51820' - -set protocols static route 192.168.2.0/24 interface wg01 -``` - -To send traffic destined for `192.168.2.0/24` through the WireGuard interface -(`wg01`), configure a static route. Multiple IP addresses or networks can be -defined and routed. The final check is performed against `allowed-ips`, which -either permits or drops the traffic. - -:::{warning} -You cannot assign the same `allowed-ips` to multiple WireGuard -peers. This is a strict design restriction. For more information, check the -[WireGuard mailing list]. -::: - -```{eval-rst} -.. cfgcmd:: set interfaces wireguard <interface> private-key <private-key> - - Assign a private key to the specified WireGuard interface. - - Example: - - .. code-block:: none - - set interfaces wireguard wg01 private-key 'iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY=' - - - To generate a private key, use the following command: - {opcmd}`generate pki wireguard key-pair`. - - To view the public key assigned to the interface so you can share it with a - peer, use the following command: - {opcmd}`show interfaces wireguard wg01 public-key`. -``` - -```{eval-rst} -.. cmdincludemd:: /_include/interface-per-client-thread.txt - :var0: wireguard - :var1: wg01 -``` - -**Remote side configuration** - -```none -set interfaces wireguard wg01 address '10.1.0.2/30' -set interfaces wireguard wg01 description 'VPN-to-wg01' -set interfaces wireguard wg01 peer to-wg01 allowed-ips '192.168.1.0/24' -set interfaces wireguard wg01 peer to-wg01 address '192.0.2.2' -set interfaces wireguard wg01 peer to-wg01 port '51820' -set interfaces wireguard wg01 peer to-wg01 public-key 'EKY0dxRrSD98QHjfHOK13mZ5PJ7hnddRZt5woB3szyw=' -set interfaces wireguard wg01 port '51820' -set interfaces wireguard wg01 private-key 'OLTQY3HuK5qWDgVs6fJR093SwPgOmCKkDI1+vJLGoFU=' - -set protocols static route 192.168.1.0/24 interface wg01 -``` - -## Firewall exceptions - -To allow WireGuard traffic through the WAN interface, create a firewall -exception: - -```none -set firewall ipv4 name OUTSIDE_LOCAL rule 10 action accept -set firewall ipv4 name OUTSIDE_LOCAL rule 10 description 'Allow established/related' -set firewall ipv4 name OUTSIDE_LOCAL rule 10 state established enable -set firewall ipv4 name OUTSIDE_LOCAL rule 10 state related enable -set firewall ipv4 name OUTSIDE_LOCAL rule 20 action accept -set firewall ipv4 name OUTSIDE_LOCAL rule 20 description WireGuard_IN -set firewall ipv4 name OUTSIDE_LOCAL rule 20 destination port 51820 -set firewall ipv4 name OUTSIDE_LOCAL rule 20 log enable -set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol udp -``` - -Ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface -and in an input (local) direction. - -```none -set firewall ipv4 input filter rule 10 action jump -set firewall ipv4 input filter rule 10 jump-target 'OUTSIDE_LOCAL' -set firewall ipv4 input filter rule 10 inbound-interface name 'eth0' -``` - -Verify that your firewall rules permit traffic. If so, your WireGuard VPN -should be operational. - -```none -wg01# ping 192.168.1.1 -PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. -64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.16 ms -64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.77 ms - -wg02# ping 192.168.2.1 -PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data. -64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=4.40 ms -64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=1.02 ms -``` - -An additional layer of symmetric-key cryptography can be used on top of the -asymmetric cryptography. This is optional. - -```none -vyos@vyos:~$ generate pki wireguard preshared-key -Pre-shared key: rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc= -``` - -Copy the key, as it is not stored locally. Since it is a symmetric key, only -you and your peer should know its contents. Distribute the key securely. - -```none -wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' -wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' -``` - -## Remote access (road warrior) - -With WireGuard, a road warrior VPN configuration is similar to a site-to-site -VPN. It just omits the `address` and `port` statements. - -In the following example, the IP addresses for remote clients are defined -within each peer configuration. This allows peers to communicate with each -other. - -Additionally, this setup uses a `persistent-keepalive` flag set to 15 seconds -to keep the connection alive. This setting is mainly relevant if a peer is -behind NAT and cannot be reached if the connection is lost. For effectiveness, -the value should be lower than the UDP timeout. - -```none -wireguard wg01 { - address 10.172.24.1/24 - address 2001:db8:470:22::1/64 - description RoadWarrior - peer MacBook { - allowed-ips 10.172.24.30/32 - allowed-ips 2001:db8:470:22::30/128 - persistent-keepalive 15 - pubkey F5MbW7ye7DsoxdOaixjdrudshjjxN5UdNV+pGFHqehc= - } - peer iPhone { - allowed-ips 10.172.24.20/32 - allowed-ips 2001:db8:470:22::20/128 - persistent-keepalive 15 - pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00= - } - port 2224 - private-key OLTQY3HuK5qWDgVs6fJR093SwPgOmCKkDI1+vJLGoFU= -} -``` - -Below is the configuration for the iPhone peer. The `AllowedIPs` wildcard -setting directs all IPv4 and IPv6 traffic through the VPN connection. - -```none -[Interface] -PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf= -Address = 10.172.24.20/24, 2001:db8:470:22::20/64 -DNS = 10.0.0.53, 10.0.0.54 - -[Peer] -PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc= -AllowedIPs = 0.0.0.0/0, ::/0 -Endpoint = 192.0.2.1:2224 -PersistentKeepalive = 15 -``` - -To enable split tunneling, specify the remote subnets. This ensures that only -traffic destined for the remote site is sent through the tunnel, while all -other traffic remains unaffected. - -```none -[Interface] -PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go= -Address = 10.172.24.30/24, 2001:db8:470:22::30/64 - -[Peer] -PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc= -AllowedIPs = 10.172.24.30/24, 2001:db8:470:22::/64 -Endpoint = 192.0.2.1:2224 -PersistentKeepalive = 15 -``` - -## Operational commands - -### Status - -```{eval-rst} -.. opcmd:: show interfaces wireguard wg01 summary - - Show information about the WireGuard service, including the latest handshake. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wireguard wg01 summary - interface: wg01 - public key: - private key: (hidden) - listening port: 51820 - - peer: <peer pubkey> - endpoint: <peer public IP> - allowed ips: 10.69.69.2/32 - latest handshake: 23 hours, 45 minutes, 26 seconds ago - transfer: 1.26 MiB received, 6.47 MiB sent -``` - -```{eval-rst} -.. opcmd:: show interfaces wireguard - - Show a list of all WireGuard interfaces. - - .. code-block:: none - - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - wg01 10.0.0.1/24 u/u - -``` - -```{eval-rst} -.. opcmd:: show interfaces wireguard <interface> - - Show general information about a specific WireGuard interface. - - .. code-block:: none - - vyos@vyos:~$ show interfaces wireguard wg01 - interface: wg01 - address: 10.0.0.1/24 - public key: h1HkYlSuHdJN6Qv4Hz4bBzjGg5WUty+U1L7DJsZy1iE= - private key: (hidden) - listening port: 41751 - - RX: bytes packets errors dropped overrun mcast - 0 0 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 0 0 0 0 0 0 -``` - -## Remote access (road warrior) clients - -Some users connect mobile devices to their VyOS router using WireGuard. To -simplify deployment, generate a per-mobile configuration from the VyOS CLI. - -:::{warning} -From a security perspective, it is not recommended to let a third -party create and share the private key for a secure connection. You should -create the private portion yourself and hand out only the public key. -::: - -```{eval-rst} -.. opcmd:: generate wireguard client-config <name> interface <interface> server - <ip|fqdn> address <client-ip> - - **Generate a client configuration file that establishes a connection to the - specified interface.** - - The public key from the specified interface is automatically included in the - configuration file. - - The command also generates a configuration snippet that can be copied into the - VyOS CLI. The ``<name>`` you provide will be used as the peer name in the - snippet. - - You must also specify the IP address or FQDN of the server the client connects - to. The address parameter can be used twice to assign both an IPv4 (/32) and - an IPv6 (/128) address to the client. - - .. figure:: /_static/images/wireguard_qrcode.webp - :alt: WireGuard Client QR code -``` - - - -[wireguard mailing list]: https://lists.zx2c4.com/pipermail/wireguard/2018-December/003704.html diff --git a/docs/configuration/interfaces/md-wireless.md b/docs/configuration/interfaces/md-wireless.md deleted file mode 100644 index d2fd4d49..00000000 --- a/docs/configuration/interfaces/md-wireless.md +++ /dev/null @@ -1,1012 +0,0 @@ ---- -lastproofread: '2026-03-23' ---- - -(wireless-interface)= - -# Wireless LAN / Wi-Fi - -{abbr}`WLAN (Wireless LAN)` interfaces provide 802.11 (a/b/g/n/ac) wireless -connectivity, referred to as Wi-Fi, and operate in one of the following -modes: - -- {abbr}`WAP (Wireless Access-Point)` mode provides network access to connecting - stations if the physical hardware supports acting as a WAP -- Station mode acts as a Wi-Fi client accessing the network through an available - WAP -- Monitor mode lets the system passively monitor wireless traffic - -If the system detects an unconfigured wireless device, it will be automatically -added to the configuration tree, specifying any detected settings (for example, -its MAC address) and configured to run in monitor mode. - -## Configuration - -### Common interface configuration - -```{eval-rst} -.. cmdincludemd:: /_include/interface-common-with-dhcp.txt - :var0: wireless - :var1: wlan0 -``` - -### System-wide configuration - -```{eval-rst} -.. cfgcmd:: set system wireless country-code <cc> - - Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed - to indicate country in which device is operating. This can limit available - channels and transmit power. - - .. note:: This option is mandatory in ``access-point`` mode. -``` - -### Wireless options - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> channel <number> - - Configure the IEEE 802.11 wireless radio channel for the interface. - Channel allocation depends on the frequency band: - - * **2.4 GHz** (802.11b/g/n/ax): Channels range from 1 to 14. - * **5 GHz** (802.11a/h/j/n/ac/ax): Channels range from 34 to 177. - * **6 GHz** (802.11ax): Channels range from 1 to 233. - * **Automatic channel selection:** 0. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid - - Send empty SSID in beacons and ignore probe request frames that do not specify - full SSID, i.e., require stations to know the SSID. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> expunge-failing-stations - - Disassociate stations based on excessive transmission failures or other - indications of connection loss. - - This depends on the driver capabilities and may not be available with all - drivers. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> isolate-stations - - Client isolation can be used to prevent low-level bridging of frames between - associated stations in the BSS. - - By default, this bridging is allowed. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> max-stations <count> - - Maximum number of stations allowed in station table. New stations will be - rejected after the station table is full. IEEE 802.11 has a limit of 2007 - different association IDs, so this number should not be larger than that. - - This defaults to 2007. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> mgmt-frame-protection - - Management Frame Protection (MFP) according to IEEE 802.11w - - .. note:: {abbr}`MFP (Management Frame Protection)` is required for WPA3. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> enable-bf-protection - - Beacon Protection: management frame protection for Beacon frames. - - .. note:: This option requires {abbr}`MFP (Management Frame Protection)` - to be enabled. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> mode <a | b | g | n | ac | ax> - - Operation mode of wireless radio. - - * ``a`` - 802.11a - 54 Mbits/sec - * ``b`` - 802.11b - 11 Mbits/sec - * ``g`` - 802.11g - 54 Mbits/sec (default) - * ``n`` - 802.11n - 600 Mbits/sec - * ``ac`` - 802.11ac - 1300 Mbits/sec - * ``ax`` - 802.11ax - exceeds 1GBit/sec - - .. note:: In VyOS, 802.11ax is only implemented for 2.4GHz and 6GHz. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> physical-device <device> - - Wireless hardware device used as underlay radio. - - This defaults to phy0. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> reduce-transmit-power <number> - - Adds the Power Constraint information element to Beacon and Probe Response - frames. - - This option adds the Power Constraint information element when applicable - and the Country information element is configured. The Power Constraint - element is required by Transmit Power Control. - - Valid values are 0..255. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> ssid <ssid> - - SSID to be used in IEEE 802.11 management frames -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> type - <access-point | station | monitor> - - Wireless device type for this interface - - * ``access-point``: Forwards packets between other nodes. - * ``station``: Connects to another {abbr}`AP (Access Point)`. - * ``monitor``: Passively monitors all packets on the frequency/channel. -``` - -```{eval-rst} -.. cmdincludemd:: /_include/interface-per-client-thread.txt - :var0: wireless - :var1: wlan0 -``` - -#### PPDU - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities require-ht -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities require-vht -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities require-he -``` - -##### HT (High Throughput) capabilities (802.11n) - -> Configuring HT mode options is required when using 802.11n or -> 802.11ax at 2.4GHz. - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht 40mhz-incapable - - Device is incapable of 40 MHz, do not advertise. This sets ``[40-INTOLERANT]`` -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht auto-powersave - - WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht - channel-set-width <ht20 | ht40+ | ht40-> - - Supported channel width set. - - * ``ht20`` - 20 MHz channel width - * ``ht40-`` - Both 20 MHz and 40 MHz with secondary channel below the primary - channel - * ``ht40+`` - Both 20 MHz and 40 MHz with secondary channel above the primary - channel - - .. note:: Channel availability for HT40- and HT40+ is limited. The following - table lists channels permitted for HT40- and HT40+ according to IEEE - 802.11n Annex J. Channel availability may vary by location. - - .. code-block:: none - - freq HT40- HT40+ - 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan) - 5 GHz 40,48,56,64 36,44,52,60 - - .. note:: 40 MHz channels may switch their primary and secondary channels if - needed or creation of 40 MHz channel may be rejected based on overlapping - BSSes. These changes are done automatically when hostapd is setting up the - 40 MHz channel. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht - delayed-block-ack - - Enable HT-delayed Block Ack ``[DELAYED-BA]`` -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht dsss-cck-40 - - DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]`` -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht greenfield - - This enables the greenfield option which sets the ``[GF]`` option -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht ldpc - - Enable LDPC coding capability -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht lsig-protection - - Enable L-SIG TXOP protection capability -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht max-amsdu - <3839 | 7935> - - Maximum A-MSDU length 3839 (default) or 7935 octets -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht - short-gi <20 | 40> - - Short GI capabilities for 20 and 40 MHz -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht - smps <static | dynamic> - - Spatial Multiplexing Power Save (SMPS) settings -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht stbc rx <num> - - Enable receiving PPDU using STBC (Space Time Block Coding) -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities ht stbc tx - - Enable sending PPDU using STBC (Space Time Block Coding) -``` - -##### VHT (Very High Throughput) capabilities (802.11ac) - - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht antenna-count <count> -``` - -% -% Number of antennas on this card - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - antenna-pattern-fixed - - Set if antenna pattern does not change during the lifetime of an association -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht beamform - <single-user-beamformer | single-user-beamformee | multi-user-beamformer | - multi-user-beamformee> - - Beamforming capabilities: - - * ``single-user-beamformer`` - Support for operation as - single user beamformer - * ``single-user-beamformee`` - Support for operation as - single user beamformee - * ``multi-user-beamformer`` - Support for operation as - multi user beamformer - * ``multi-user-beamformee`` - Support for operation as - multi user beamformee -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - center-channel-freq <freq-1 | freq-2> <number> - - VHT operating channel center frequency - center freq 1 - (for use with 80, 80+80 and 160 modes) - - VHT operating channel center frequency - center freq 2 - (for use with the 80+80 mode) - - <number> must be from 34 - 173. For 80 MHz channels it should be channel + 6. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - channel-set-width <0 | 1 | 2 | 3> - - * ``0`` - 20 or 40 MHz channel width (default) - * ``1`` - 80 MHz channel width - * ``2`` - 160 MHz channel width - * ``3`` - 80+80 MHz channel width -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht ldpc - - Enable LDPC (Low Density Parity Check) coding capability -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> - capabilities vht link-adaptation - - VHT link adaptation capabilities -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - max-mpdu <value> - - Increase Maximum MPDU length to 7991 or 11454 octets (default 3895 octets) -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - max-mpdu-exp <value> - - Set the maximum length of A-MPDU pre-EOF padding that the station can - receive -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht - short-gi <80 | 160> - - Short GI capabilities -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht stbc rx <num> - - Enable receiving PPDU using STBC (Space Time Block Coding) -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht stbc tx - - Enable sending PPDU using STBC (Space Time Block Coding) -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht tx-powersave - - Enable VHT TXOP Power Save Mode -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities vht vht-cf - - Station supports receiving VHT variant HT Control field -``` - -##### HE (High Efficiency) capabilities (802.11ax) - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> - capabilities he antenna-pattern-fixed - - Tell the AP that antenna positions are fixed and will not change - during the lifetime of an association. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities he beamform - <single-user-beamformer | single-user-beamformee | multi-user-beamformer> - - Beamforming capabilities: - - * ``single-user-beamformer`` - Support for operation as - single user beamformer - * ``single-user-beamformee`` - Support for operation as - single user beamformee - * ``multi-user-beamformer`` - Support for operation as multi - user beamformer -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> - capabilities he bss-color <number> - - BSS coloring helps to prevent channel jamming when multiple APs use - the same channels. - - Valid values are 1..63 -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> capabilities he - center-channel-freq <freq-1 | freq-2> <number> - - HE operating channel center frequency - center freq 1 - (for use with 80, 80+80 and 160 modes) - - HE operating channel center frequency - center freq 2 - (for use with the 80+80 mode) - - <number> must be within 1..233. For 80 MHz channels it should be - channel + 6 and for 160 MHz channels, it should be channel + 14. -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> - capabilities he channel-set-width <number> - - <number> must be one of: - - * ``81`` - 20 MHz channel width (2.4GHz) - * ``83`` - 40 MHz channel width, secondary 20MHz channel above primary - channel (2.4GHz) - * ``84`` - 40 MHz channel width, secondary 20MHz channel below primary - channel (2.4GHz) - * ``131`` - 20 MHz channel width (6GHz) - * ``132`` - 40 MHz channel width (6GHz) - * ``133`` - 80 MHz channel width (6GHz) - * ``134`` - 160 MHz channel width (6GHz) - * ``135`` - 80+80 MHz channel width (6GHz) -``` - -```{eval-rst} -.. cfgcmd:: set interfaces wireless <interface> - capabilities he coding-scheme <number> - - This setting configures Spatial Stream and Modulation Coding Scheme - settings for HE mode (HE-MCS). It is usually not needed to set this - explicitly, but it might help with some WiFi adapters. - - <number> must be one of: - - * ``0`` - HE-MCS 0-7 - * ``1`` - HE-MCS 0-9 - * ``2`` - HE-MCS 0-11 - * ``3`` - HE-MCS is not supported -``` - -### Wireless options (Station/Client) - -The example creates a wireless station (commonly referred to as Wi-Fi client) -that accesses the network through the WAP defined in the above example. The -default physical device (`phy0`) is used. - -```none -set system wireless country-code de -set interfaces wireless wlan0 type station -set interfaces wireless wlan0 address dhcp -set interfaces wireless wlan0 ssid 'TEST' -set interfaces wireless wlan0 security wpa passphrase '12345678' -``` - -Resulting configuration: - -```none -system { - wireless { - country-code de - } -} -interfaces { - wireless wlan0 { - address dhcp - security { - wpa { - passphrase "12345678" - } - } - ssid TEST - type station - } -``` - -### Security - -{abbr}`WPA (Wi-Fi Protected Access)`, WPA2 Enterprise and WPA3 Enterprise in -combination with 802.1X based authentication can be used to authenticate -users or computers in a domain. - -The wireless client (supplicant) authenticates against the RADIUS server -(authentication server) using an {abbr}`EAP (Extensible Authentication -Protocol)` method configured on the RADIUS server. The WAP (also referred -to as authenticator) role is to send all authentication messages between the -supplicant and the configured authentication server, thus the RADIUS server -is responsible for authenticating the users. - -The WAP in this example has the following characteristics: - -- IP address `192.168.2.1/24` -- Network ID (SSID) `Enterprise-TEST` -- WPA passphrase `12345678` -- Use 802.11n protocol -- Wireless channel `1` -- RADIUS server at `192.168.3.10` with shared-secret `VyOSPassword` - - -```none -set system wireless country-code de -set interfaces wireless wlan0 address '192.168.2.1/24' -set interfaces wireless wlan0 type access-point -set interfaces wireless wlan0 channel 1 -set interfaces wireless wlan0 mode n -set interfaces wireless wlan0 ssid 'Enterprise-TEST' -set interfaces wireless wlan0 security wpa mode wpa2 -set interfaces wireless wlan0 security wpa cipher CCMP -set interfaces wireless wlan0 security wpa radius server 192.168.3.10 key 'VyOSPassword' -set interfaces wireless wlan0 security wpa radius server 192.168.3.10 port 1812 -``` - - -Resulting configuration: - -```none -system { - wireless { - country-code de - } -} -interfaces { - [...] - wireless wlan0 { - address 192.168.2.1/24 - channel 1 - mode n - security { - wpa { - cipher CCMP - mode wpa2 - radius { - server 192.168.3.10 { - key 'VyOSPassword' - port 1812 - } - } - } - } - ssid "Enterprise-TEST" - type access-point - } -} -``` - -### VLAN - -#### Regular VLANs (802.1q) - -```{eval-rst} -.. cmdincludemd:: /_include/interface-vlan-8021q.txt - :var0: wireless - :var1: wlan0 -``` - -#### QinQ (802.1ad) - -```{eval-rst} -.. cmdincludemd:: /_include/interface-vlan-8021ad.txt - :var0: wireless - :var1: wlan0 -``` - -## Operation - -```{eval-rst} -.. opcmd:: show interfaces wireless info -``` - -Use this command to view operational status and wireless-specific information -about all wireless interfaces. - -```none -vyos@vyos:~$ show interfaces wireless info -Interface Type SSID Channel -wlan0 access-point VyOS-TEST-0 1 -``` - -```{eval-rst} -.. opcmd:: show interfaces wireless detail -``` - -Show the operational status and detailed wireless-specific -information about all wireless interfaces. - - -```none -vyos@vyos:~$ show interfaces wireless detail -wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 - link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff - inet xxx.xxx.99.254/24 scope global wlan0 - valid_lft forever preferred_lft forever - inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 66072 282 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 83413 430 0 0 0 0 - -wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 - link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff - inet xxx.xxx.100.254/24 scope global wlan0 - valid_lft forever preferred_lft forever - inet6 fe80::xxxx:xxxx:ffff:2ed3/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 166072 5282 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 183413 5430 0 0 0 0 -``` - - -```{eval-rst} -.. opcmd:: show interfaces wireless <wlanX> -``` - -This command shows both status and statistics on the specified wireless -interface. The wireless interface identifier can range from wlan0 to wlan999. - - -```none -vyos@vyos:~$ show interfaces wireless wlan0 -wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 - link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff - inet xxx.xxx.99.254/24 scope global wlan0 - valid_lft forever preferred_lft forever - inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link - valid_lft forever preferred_lft forever - - RX: bytes packets errors dropped overrun mcast - 66072 282 0 0 0 0 - TX: bytes packets errors dropped carrier collisions - 83413 430 0 0 0 0 -``` - - -```{eval-rst} -.. opcmd:: show interfaces wireless <wlanX> brief -``` - -This command gives a brief status overview of a specified wireless interface. -The wireless interface identifier can range from wlan0 to wlan999. - -```none -vyos@vyos:~$ show interfaces wireless wlan0 brief -Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down -Interface IP Address S/L Description ---------- ---------- --- ----------- -wlan0 192.168.2.254/24 u/u -``` - -```{eval-rst} -.. opcmd:: show interfaces wireless <wlanX> queue -``` - -Use this command to view wireless interface queue information. -The wireless interface identifier can range from wlan0 to wlan999. - -```none -vyos@vyos:~$ show interfaces wireless wlan0 queue -qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 - Sent 810323 bytes 6016 pkt (dropped 0, overlimits 0 requeues 0) - rate 0bit 0pps backlog 0b 0p requeues 0 -``` - -```{eval-rst} -.. opcmd:: show interfaces wireless <wlanX> scan -``` - -This command is used to retrieve information about WAP within the range of your -wireless interface. This command is useful on wireless interfaces configured -in station mode. - -:::{note} -Scanning is not supported on all wireless drivers and wireless -hardware. Refer to your driver and wireless hardware documentation for -further details. -::: - -```none -vyos@vyos:~$ show interfaces wireless wlan0 scan -Address SSID Channel Signal (dbm) -00:53:3b:88:6e:d8 WLAN-576405 1 -64.00 -00:53:3b:88:6e:da Telekom_FON 1 -64.00 -00:53:00:f2:c2:a4 BabyView_F2C2A4 6 -60.00 -00:53:3b:88:6e:d6 Telekom_FON 100 -72.00 -00:53:3b:88:6e:d4 WLAN-576405 100 -71.00 -00:53:44:a4:96:ec KabelBox-4DC8 56 -81.00 -00:53:d9:7a:67:c2 WLAN-741980 1 -75.00 -00:53:7c:99:ce:76 Vodafone Homespot 1 -86.00 -00:53:44:a4:97:21 KabelBox-4DC8 1 -78.00 -00:53:44:a4:97:21 Vodafone Hotspot 1 -79.00 -00:53:44:a4:97:21 Vodafone Homespot 1 -79.00 -00:53:86:40:30:da Telekom_FON 1 -86.00 -00:53:7c:99:ce:76 Vodafone Hotspot 1 -86.00 -00:53:44:46:d2:0b Vodafone Hotspot 1 -87.00 -``` - -## Examples - -The following example creates a WAP. When configuring multiple WAP interfaces, -you must specify unique IP addresses, channels, Network IDs commonly referred -to as {abbr}`SSID (Service Set Identifier)`, and MAC addresses. - -The WAP in this example has the following characteristics: - -- IP address `192.168.2.1/24` -- Network ID (SSID) `TEST` -- WPA passphrase `12345678` -- Use 802.11n protocol -- Wireless channel `1` - -```none -set system wireless country-code de -set interfaces wireless wlan0 address '192.168.2.1/24' -set interfaces wireless wlan0 type access-point -set interfaces wireless wlan0 channel 1 -set interfaces wireless wlan0 mode n -set interfaces wireless wlan0 ssid 'TEST' -set interfaces wireless wlan0 security wpa mode wpa2 -set interfaces wireless wlan0 security wpa cipher CCMP -set interfaces wireless wlan0 security wpa passphrase '12345678' -``` - -Resulting configuration: - -```none -system { - wireless { - country-code de - } -} -interfaces { - [...] - wireless wlan0 { - address 192.168.2.1/24 - channel 1 - mode n - security { - wpa { - cipher CCMP - mode wpa2 - passphrase "12345678" - } - } - ssid "TEST" - type access-point - } -} -``` - -To enable access point functionality, configure a DHCP server for this -interface's network, or add the interface to an existing local bridge -(see {ref}`bridge-interface` for details). - -### Wi-Fi 6/6E (802.11ax) - -The following examples configure Wi-Fi 6 (2.4 GHz) and Wi-Fi 6E (6 GHz) -{abbr}`APs (Access Points)` with the following parameters: - -- Network ID (SSID): `test.ax` -- WPA passphrase: `super-dooper-secure-passphrase` -- Protocol: 802.11ax -- Wireless channel for 2.4 GHz: `11` -- Wireless channel for 6 GHz: `5` - -#### Example configuration: Wi-Fi 6 at 2.4 GHz - -You may expect real throughput around 10 MB/s or higher in crowded areas. - - -```none -set system wireless country-code de -set interfaces wireless wlan0 capabilities he antenna-pattern-fixed -set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer -set interfaces wireless wlan0 capabilities he beamform single-user-beamformee -set interfaces wireless wlan0 capabilities he beamform single-user-beamformer -set interfaces wireless wlan0 capabilities he bss-color 13 -set interfaces wireless wlan0 capabilities he channel-set-width 81 -set interfaces wireless wlan0 capabilities ht 40mhz-incapable -set interfaces wireless wlan0 capabilities ht channel-set-width ht20 -set interfaces wireless wlan0 capabilities ht channel-set-width ht40+ -set interfaces wireless wlan0 capabilities ht channel-set-width ht40- -set interfaces wireless wlan0 capabilities ht short-gi 20 -set interfaces wireless wlan0 capabilities ht short-gi 40 -set interfaces wireless wlan0 capabilities ht stbc rx 2 -set interfaces wireless wlan0 capabilities ht stbc tx -set interfaces wireless wlan0 channel 11 -set interfaces wireless wlan0 description "802.11ax 2.4GHz" -set interfaces wireless wlan0 mode ax -set interfaces wireless wlan0 security wpa cipher CCMP -set interfaces wireless wlan0 security wpa cipher CCMP-256 -set interfaces wireless wlan0 security wpa cipher GCMP-256 -set interfaces wireless wlan0 security wpa cipher GCMP -set interfaces wireless wlan0 security wpa mode wpa2 -set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase -set interfaces wireless wlan0 ssid test.ax -set interfaces wireless wlan0 type access-point -commit -``` - - -Resulting configuration: - -```none -system { - wireless { - country-code de - } -} -interfaces { - [...] - wireless wlan0 { - capabilities { - he { - antenna-pattern-fixed - beamform { - multi-user-beamformer - single-user-beamformee - single-user-beamformer - } - bss-color 13 - channel-set-width 81 - } - ht { - 40mhz-incapable - channel-set-width ht20 - channel-set-width ht40+ - channel-set-width ht40- - short-gi 20 - short-gi 40 - stbc { - rx 2 - tx - } - } - } - channel 11 - description "802.11ax 2.4GHz" - hw-id [...] - mode ax - physical-device phy0 - security { - wpa { - cipher CCMP - cipher CCMP-256 - cipher GCMP-256 - cipher GCMP - mode wpa2 - passphrase super-dooper-secure-passphrase - } - } - ssid test.ax - type access-point - } -} -``` - -#### Example configuration: Wi-Fi 6E at 6 GHz - -You may expect real throughput between 50 MB/s and 150 MB/s, depending on -obstructions from walls, water, metal, or other materials -with high electromagnetic damping at 6 GHz. Best results are achieved -with the AP being in the same room and in line-of-sight. - - -```none -set system wireless country-code de -set interfaces wireless wlan0 capabilities he antenna-pattern-fixed -set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer -set interfaces wireless wlan0 capabilities he beamform single-user-beamformee -set interfaces wireless wlan0 capabilities he beamform single-user-beamformer -set interfaces wireless wlan0 capabilities he bss-color 13 -set interfaces wireless wlan0 capabilities he channel-set-width 134 -set interfaces wireless wlan0 capabilities he center-channel-freq freq-1 15 -set interfaces wireless wlan0 channel 5 -set interfaces wireless wlan0 description "802.11ax 6GHz" -set interfaces wireless wlan0 mode ax -set interfaces wireless wlan0 security wpa cipher CCMP -set interfaces wireless wlan0 security wpa cipher CCMP-256 -set interfaces wireless wlan0 security wpa cipher GCMP-256 -set interfaces wireless wlan0 security wpa cipher GCMP -set interfaces wireless wlan0 security wpa mode wpa3 -set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase -set interfaces wireless wlan0 mgmt-frame-protection required -set interfaces wireless wlan0 enable-bf-protection -set interfaces wireless wlan0 ssid test.ax -set interfaces wireless wlan0 type access-point -set interfaces wireless wlan0 stationary-ap -commit -``` - - -Resulting configuration: - -```none -system { - wireless { - country-code de - } -} -interfaces { - [...] - wireless wlan0 { - capabilities { - he { - antenna-pattern-fixed - beamform { - multi-user-beamformer - single-user-beamformee - single-user-beamformer - } - bss-color 13 - center-channel-freq { - freq-1 15 - } - channel-set-width 134 - } - } - channel 5 - description "802.11ax 6GHz" - enable-bf-protection - hw-id [...] - mgmt-frame-protection required - mode ax - physical-device phy0 - security { - wpa { - cipher CCMP - cipher CCMP-256 - cipher GCMP-256 - cipher GCMP - mode wpa3 - passphrase super-dooper-secure-passphrase - } - } - ssid test.ax - stationary-ap - type access-point - } -} -``` - -(wireless-interface-intel-ax200)= - -### Intel AX200 - -The Intel AX200 card does not work out of the box in AP mode. You can -still put this card into AP mode using the following configuration: - - -```none -set system wireless country-code 'us' -set interfaces wireless wlan0 channel '1' -set interfaces wireless wlan0 mode 'n' -set interfaces wireless wlan0 physical-device 'phy0' -set interfaces wireless wlan0 ssid 'VyOS' -set interfaces wireless wlan0 type 'access-point' -``` - diff --git a/docs/configuration/interfaces/md-wwan.md b/docs/configuration/interfaces/md-wwan.md deleted file mode 100644 index e8121f28..00000000 --- a/docs/configuration/interfaces/md-wwan.md +++ /dev/null @@ -1,355 +0,0 @@ ---- -lastproofread: '2026-03-30' ---- - -(wwan-interface)= - -# WWAN - -{abbr}`WWAN (Wireless Wide Area Network)` interfaces provide access to cellular -networks via a cellular modem or card. - -Configure these interfaces under the `interfaces wwan` node. - -## Configuration - -### Common interface configuration - -```{cmdincludemd} /_include/interface-address-with-dhcp.txt -:var0: wwan -:var1: wwan0 -``` - -```{cmdincludemd} /_include/interface-description.txt -:var0: wwan -:var1: wwan0 -``` - -```{cmdincludemd} /_include/interface-disable.txt -:var0: wwan -:var1: wwan0 -``` - -```{cmdincludemd} /_include/interface-disable-link-detect.txt -:var0: wwan -:var1: wwan0 -``` - -```{cmdincludemd} /_include/interface-mtu.txt -:var0: wwan -:var1: wwan0 -``` - -```{cmdincludemd} /_include/interface-ip.txt -:var0: wwan -:var1: wwan0 -``` - -```{cmdincludemd} /_include/interface-ipv6.txt -:var0: wwan -:var1: wwan0 -``` - -```{cmdincludemd} /_include/interface-vrf.txt -:var0: wwan -:var1: wwan0 -``` - -**DHCP(v6)** - -```{cmdincludemd} /_include/interface-dhcp-options.txt -:var0: wwan -:var1: wwan0 -``` - -```{cmdincludemd} /_include/interface-dhcpv6-options.txt -:var0: wwan -:var1: wwan0 -``` - -```{cmdincludemd} /_include/interface-dhcpv6-prefix-delegation.txt -:var0: wwan -:var1: wwan0 -``` - - -### WWAN options - -```{cfgcmd} set interfaces wwan \<interface\> apn \<apn\> - -**Configure the** {abbr}`APN (Access Point Name)` **for the WWAN connection.** - -Every WWAN connection requires an {abbr}`APN (Access Point Name)` to connect to -the cellular network. - -This parameter is mandatory. Contact your service provider for the correct -{abbr}`APN (Access Point Name)`. -``` - - -## Operation - -```{opcmd} show interfaces wwan \<interface\> - -Show the operational status and traffic statistics for the specified WWAN -interface. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 -wwan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000 -link/ether 02:c2:f3:00:01:02 brd ff:ff:ff:ff:ff:ff -inet 10.155.144.12/30 brd 10.155.144.15 scope global dynamic wwan0 -valid_lft 7012sec preferred_lft 7012sec -inet6 fe80::c2:f3ff:fe00:0102/64 scope link -valid_lft forever preferred_lft forever - -RX: bytes packets errors dropped overrun mcast -640 2 0 0 0 0 -TX: bytes packets errors dropped carrier collisions -3229 16 0 0 0 0 -::: -``` - - -```{opcmd} show interfaces wwan \<interface\> summary - -Show WWAN module hardware characteristics and connection information. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 summary --------------------------------- -General | dbus path: /org/freedesktop/ModemManager1/Modem/0 -| device id: 79f4e9cc2e9fc8d4a3b8c8f6327c2e363170194d --------------------------------- -Hardware | manufacturer: Sierra Wireless, Incorporated -| model: MC7710 -| revision: SWI9200X_03.05.29.03ap r6485 CNSHZ-ED-XP0031 2014/12/02 17:53:15 -| h/w revision: 1.0 -| supported: gsm-umts, lte -| current: gsm-umts, lte -| equipment id: 358xxxxxxxxxxxx --------------------------------- -System | device: /sys/devices/pci0000:00/0000:00:13.0/usb3/3-1/3-1.3 -| drivers: qcserial, qmi_wwan -| plugin: Generic -| primary port: cdc-wdm0 -| ports: ttyUSB0 (qcdm), ttyUSB2 (at), cdc-wdm0 (qmi), wwan0 (net) --------------------------------- -Numbers | own: 4917xxxxxxxx --------------------------------- -Status | lock: sim-pin2 -| unlock retries: sim-pin (3), sim-pin2 (3), sim-puk (10), sim-puk2 (10) -| state: connected -| power state: on -| access tech: lte -| signal quality: 63% (recent) --------------------------------- -Modes | supported: allowed: 2g; preferred: none -| allowed: 3g; preferred: none -| allowed: 4g; preferred: none -| allowed: 2g, 3g; preferred: 3g -| allowed: 2g, 3g; preferred: 2g -| allowed: 2g, 4g; preferred: 4g -| allowed: 2g, 4g; preferred: 2g -| allowed: 3g, 4g; preferred: 3g -| allowed: 3g, 4g; preferred: 4g -| allowed: 2g, 3g, 4g; preferred: 4g -| allowed: 2g, 3g, 4g; preferred: 3g -| allowed: 2g, 3g, 4g; preferred: 2g -| current: allowed: 2g, 3g, 4g; preferred: 2g --------------------------------- -Bands | supported: egsm, dcs, pcs, utran-1, utran-8, eutran-1, eutran-3, -| eutran-7, eutran-8, eutran-20 -| current: egsm, dcs, pcs, utran-1, utran-8, eutran-1, eutran-3, -| eutran-7, eutran-8, eutran-20 --------------------------------- -IP | supported: ipv4, ipv6, ipv4v6 --------------------------------- -3GPP | imei: 358xxxxxxxxxxxx -| operator id: 26201 -| operator name: Telekom.de -| registration: home --------------------------------- -3GPP EPS | ue mode of operation: ps-1 --------------------------------- -SIM | dbus path: /org/freedesktop/ModemManager1/SIM/0 --------------------------------- -Bearer | dbus path: /org/freedesktop/ModemManager1/Bearer/0 -::: -``` - -```{opcmd} show interfaces wwan \<interface\> capabilities - -Show WWAN module radio capabilities. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 capabilities -Max TX channel rate: '50000000' -Max RX channel rate: '100000000' -Data Service: 'simultaneous-cs-ps' -SIM: 'supported' -Networks: 'gsm, umts, lte' -Bands: 'gsm-dcs-1800, gsm-900-extended, gsm-900-primary, gsm-pcs-1900, wcdma-2100, wcdma-900' -LTE bands: '1, 3, 7, 8, 20' -::: -``` - - -```{opcmd} show interfaces wwan \<interface\> firmware - -Show WWAN module firmware information. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 firmware -Model: MC7710 -Boot version: SWI9200X_03.05.29.03bt r6485 CNSHZ-ED-XP0031 2014/12/02 17:33:08 -AMSS version: SWI9200X_03.05.29.03ap r6485 CNSHZ-ED-XP0031 2014/12/02 17:53:15 -SKU ID: unknown -Package ID: unknown -Carrier ID: 0 -Config version: unknown -::: -``` - -```{opcmd} show interfaces wwan \<interface\> imei - -Show WWAN module IMEI. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 imei -ESN: '0' -IMEI: '358xxxxxxxxxxxx' -MEID: 'unknown' -::: -``` - -```{opcmd} show interfaces wwan \<interface\> imsi - -Show the IMSI of the associated SIM card. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 imsi -IMSI: '262xxxxxxxxxxxx' -::: -``` - -```{opcmd} show interfaces wwan \<interface\> model - -Show WWAN module model. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 model -Model: 'MC7710' -::: -``` - -```{opcmd} show interfaces wwan \<interface\> msisdn - -Show the MSISDN of the associated SIM card. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 msisdn -MSISDN: '4917xxxxxxxx' -::: -``` - -```{opcmd} show interfaces wwan \<interface\> revision - -Show WWAN module hardware revision. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 revision -Revision: 'SWI9200X_03.05.29.03ap r6485 CNSHZ-ED-XP0031 2014/12/02 17:53:15' -::: -``` - -```{opcmd} show interfaces wwan \<interface\> signal - -Show signal information for the cellular connection. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 signal -LTE: -RSSI: '-74 dBm' -RSRQ: '-7 dB' -RSRP: '-100 dBm' -SNR: '13.0 dB' -Radio Interface: 'lte' -Active Band Class: 'eutran-3' -Active Channel: '1300' -::: -``` - -```{opcmd} show interfaces wwan \<interface\> sim - -Show WWAN module SIM card information. - -:::{code-block} none -vyos@vyos:~$ show interfaces wwan wwan0 sim -Provisioning applications: -Primary GW: slot '1', application '1' -Primary 1X: session doesn't exist -Secondary GW: session doesn't exist -Secondary 1X: session doesn't exist -Slot [1]: -Card state: 'present' -UPIN state: 'not-initialized' -UPIN retries: '0' -UPUK retries: '0' -Application [1]: -Application type: 'usim (2)' -Application state: 'ready' -Application ID: -A0:00:00:00:87:10:02:FF:49:94:20:89:03:10:00:00 -Personalization state: 'ready' -UPIN replaces PIN1: 'no' -PIN1 state: 'disabled' -PIN1 retries: '3' -PUK1 retries: '10' -PIN2 state: 'enabled-not-verified' -PIN2 retries: '3' -PUK2 retries: '10' -::: -``` - - -## Example - -The following example shows how to configure a cellular connection using a -Sierra Wireless MC7710 miniPCIe card that operates over USB despite its form -factor. The card is installed in a {ref}`pc-engines-apu4`. - -```none -set interfaces wwan wwan0 apn 'internet.telekom' -set interfaces wwan wwan0 address 'dhcp' -``` - - -## Supported hardware - -The following WWAN modules have been successfully tested with a -{ref}`pc-engines-apu4` board: -- Sierra Wireless AirPrime MC7304 miniPCIe card (LTE) -- Sierra Wireless AirPrime MC7430 miniPCIe card (LTE) -- Sierra Wireless AirPrime MC7455 miniPCIe card (LTE) -- Sierra Wireless AirPrime MC7710 miniPCIe card (LTE) -- Huawei ME909u-521 miniPCIe card (LTE) -- Huawei ME909s-120 miniPCIe card (LTE) -- HP LT4120 Snapdragon X5 LTE - -## Firmware update - -WWAN modules include reprogrammable firmware, and most vendors regularly -provide updates for it. - -Since VyOS communicates with these devices via the QMI interface, you can -update firmware directly within the system using the `qmi-firmware-update` -utility. - -The following example shows how to update the firmware for a Sierra Wireless -MC7710 module using the provided .cwe file. - -```bash -$ sudo qmi-firmware-update --update -d 1199:68a2 \ - 9999999_9999999_9200_03.05.14.00_00_generic_000.000_001_SPKG_MC.cwe -``` diff --git a/docs/configuration/loadbalancing/md-haproxy.md b/docs/configuration/loadbalancing/md-haproxy.md deleted file mode 100644 index 96e2442f..00000000 --- a/docs/configuration/loadbalancing/md-haproxy.md +++ /dev/null @@ -1,574 +0,0 @@ ---- -lastproofread: '2026-04-06' ---- - -# HAproxy - -```{include} /_include/need_improvement.txt -``` - -HAProxy is a load balancer and proxy server that provides -high-availability, load balancing, and proxying for TCP (level 4) and -HTTP-based (level 7) applications. - -## Configuration - -Service configuration specifies the port to bind to. Backend -configuration defines the load balancing method and specifies the backend -servers. - -### Service - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> listen-address - <address> - - Set the IP address for the service to bind to. By default, the service - listens on all IPv4 and IPv6 addresses. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> port - <port> - - Create service `<name>` to listen on <port> -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> mode - <tcp|http> - - Configure service `<name>` mode TCP or HTTP -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> backend - <name> - - Configure service `<name>` to use the backend <name> -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> ssl - certificate <name> - - Set the SSL certificate <name> for service <name>. You can define - multiple certificates. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> - http-response-headers <header-name> value <header-value> - - Set custom HTTP headers to include in all responses. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> logging facility - <facility> level <level> - - Specify facility and level for logging. - For an explanation on {ref}`syslog_facilities` and - {ref}`syslog_severity_level`, - see tables in the syslog configuration section. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> timeout client - <seconds> - - Set the maximum inactivity time on the client side for this service. - Value range 1-3600 seconds. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> http-compression algorithm - <gzip | deflate | identity | raw-deflate> - - Set the compression algorithm to be used when compressing HTTP responses. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> http-compression mime-type - <mime-type> - - Set the list of HTTP response MIME types which haproxy will attempt to - compress, if received uncompressed from backend server. -``` - -#### Rules - -Rules control and route incoming traffic to specific backends based on -predefined conditions. Rules define matching criteria and specify actions -to perform. - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> - domain-name <name> - - Match domain name -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> - ssl <sni> - - SSL match Server Name Indication (SNI) option: - * ``req-ssl-sni`` SSL Server Name Indication (SNI) request match - * ``ssl-fc-sni`` SSL frontend connection Server Name Indication match - * ``ssl-fc-sni-end`` SSL frontend match end of connection Server Name - - Indication -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> - url-path <match> <url> - - Define URL path matching rules for a specific service. Use this command - to specify how to match the URL path against incoming requests. - - The available options for <match> are: - * ``begin`` Matches the beginning of the URL path - * ``end`` Matches the end of the URL path. - * ``exact`` Matches the URL path exactly. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> - set backend <name> - - Assign a specific backend to a rule -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy service <name> rule <rule> - redirect-location <url> - - Redirect URL to a new location. - -``` - -### Backend - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> balance - <balance> - - Specify the load balancing algorithm for distributing requests among - available servers. - - Balance algorithms: - * ``source-address`` Distributes requests based on the source IP address - of the client. - * ``round-robin`` Distributes requests in a circular manner, - sequentially sending each request to the next server in line. - * ``least-connection`` Distributes requests to the server with the fewest - active connections. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> mode - <mode> - - Configure backend `<name>` mode TCP or HTTP. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> server - <name> address <x.x.x.x> - - Set the address of the backend server that receives incoming traffic. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> server - <name> port <port> - - Set the address of the backend port. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> server - <name> check - - Active health check backend server. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> server - <name> check port <port> - - Set an alternative port number for health checks. - Overrides the default server port used for TCP/HTTP checks. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> server - <name> send-proxy - - Send a Proxy Protocol version 1 header (text format). -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> server - <name> send-proxy-v2 - - Send a Proxy Protocol version 2 header (binary format). -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> ssl - ca-certificate <ca-certificate> - - Use SSL encryption for backend requests and authenticate the backend - against ``<ca-certificate>``. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> ssl no-verify - - Use SSL encryption for backend requests without validating the server - certificate. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> - http-response-headers <header-name> value <header-value> - - Set custom HTTP headers to include in all responses from the backend. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> logging facility - <facility> level <level> - - Specify facility and level for logging. - For an explanation on {ref}`syslog_facilities` and - {ref}`syslog_severity_level`, - see tables in the {ref}`syslog` configuration section. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> timeout check - <seconds> - - Set the timeout in seconds for established connections. - Value range 1-3600 seconds. - -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> timeout connect - <seconds> - - Set the maximum time to wait for a connection attempt to a server to succeed. - Value range 1-3600 seconds. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> timeout server - <seconds> - - Set the maximum inactivity time on the server side. - Value range 1-3600 seconds. - - -``` - -### Global - -Global configuration parameters: - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy global-parameters max-connections - <num> - - Limit maximum number of connections -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy global-parameters ssl-bind-ciphers - <ciphers> - - Limit the cipher algorithms allowed during SSL/TLS handshake. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy global-parameters tls-version-min - <version> - - Specify the minimum required TLS version 1.2 or 1.3 -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy global-parameters logging - facility <facility> level <level> - - Specify facility and level for logging. - For an explanation on {ref}`syslog_facilities` and - {ref}`syslog_severity_level` - see tables in syslog configuration section. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy timeout check <seconds> - - Set the timeout in seconds for established connections. - Value range 1-3600 seconds. Default is 5 seconds. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy timeout client <seconds> - - Set the maximum inactivity time on the client side. - Value range 1-3600 seconds. Default is 50 seconds. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy timeout connect <seconds> - - Set the maximum time to wait for a connection attempt to a server to succeed. - Value range 1-3600 seconds. Default is 10 seconds. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy timeout server <seconds> - - Set the maximum inactivity time on the server side. - Value range 1-3600 seconds. Default is 50 seconds. -``` - -## Health checks - -### HTTP checks - -Use HTTP health checks to monitor web applications that provide health status -information and determine their availability. - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> http-check - - Enables HTTP health checks using OPTION HTTP requests against '/' and - expecting a successful response code in the 200-399 range. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> http-check - method <method> - - Set the HTTP method: ``OPTION``, ``GET``, ``POST``, or ``PUT``. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> http-check - uri <path> - - Set the endpoint to use for health checks. -``` - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> http-check - expect <condition> - - Set the expected result condition for a server to be considered healthy. - - Some possible examples are: - * ``status 200`` Expecting a 200 response code - * ``status 200-399`` Expecting a non-failure response code - * ``string success`` Expecting the string `success` in the response body - -``` - -### TCP checks - -Configure health checks for TCP mode backends. You can configure protocol-aware -checks for a range of Layer 7 protocols: - -```{eval-rst} -.. cfgcmd:: set load-balancing haproxy backend <name> health-check <protocol> - - Available health check protocols: - * ``ldap`` LDAP protocol check. - * ``redis`` Redis protocol check. - * ``mysql`` MySQL protocol check. - * ``pgsql`` PostgreSQL protocol check. - * ``smtp`` SMTP protocol check. -``` - -:::{note} -If you specify a server to check but do not configure a -protocol, HAProxy performs a basic TCP health check. A server is online if -it responds to a connection attempt with a valid `SYN/ACK` packet. -::: - -## Redirect HTTP to HTTPS - -Configure a HAProxy service for HTTP that listens on port 80 and redirects -incoming requests to HTTPS: - -```none -set load-balancing haproxy service http port '80' -set load-balancing haproxy service http redirect-http-to-https -``` - -You can use a different service name; in this example, `http` is just for -convenience. - -## Examples - -### Level 4 balancing - -This configuration enables the TCP reverse proxy for the `my-tcp-api` -service. Incoming TCP connections on port 8888 are load balanced across the -backend servers (srv01 and srv02) using the round-robin load balancing -algorithm. - -```none -set load-balancing haproxy service my-tcp-api backend 'bk-01' -set load-balancing haproxy service my-tcp-api mode 'tcp' -set load-balancing haproxy service my-tcp-api port '8888' - -set load-balancing haproxy backend bk-01 balance 'round-robin' -set load-balancing haproxy backend bk-01 mode 'tcp' - -set load-balancing haproxy backend bk-01 server srv01 address '192.0.2.11' -set load-balancing haproxy backend bk-01 server srv01 port '8881' -set load-balancing haproxy backend bk-01 server srv02 address '192.0.2.12' -set load-balancing haproxy backend bk-01 server srv02 port '8882' -``` - -### Balancing based on domain name - -The following configuration demonstrates how to use VyOS -to achieve load balancing based on the domain name: - -The HTTP service listens on TCP port 80. - -Rule 10 matches requests with the domain name `node1.example.com` and -forwards them to the backend `bk-api-01`. - -Rule 20 matches requests with the domain name `node2.example.com` and -forwards them to the backend `bk-api-02`. - -```none -set load-balancing haproxy service http description 'bind app listen on 443 port' -set load-balancing haproxy service http mode 'tcp' -set load-balancing haproxy service http port '80' - -set load-balancing haproxy service http rule 10 domain-name 'node1.example.com' -set load-balancing haproxy service http rule 10 set backend 'bk-api-01' -set load-balancing haproxy service http rule 20 domain-name 'node2.example.com' -set load-balancing haproxy service http rule 20 set backend 'bk-api-02' - -set load-balancing haproxy backend bk-api-01 description 'My API-1' -set load-balancing haproxy backend bk-api-01 mode 'tcp' -set load-balancing haproxy backend bk-api-01 server api01 address '127.0.0.1' -set load-balancing haproxy backend bk-api-01 server api01 port '4431' -set load-balancing haproxy backend bk-api-02 description 'My API-2' -set load-balancing haproxy backend bk-api-02 mode 'tcp' -set load-balancing haproxy backend bk-api-02 server api01 address '127.0.0.2' -set load-balancing haproxy backend bk-api-02 server api01 port '4432' -``` - -### Terminate SSL - -The following configuration terminates SSL on the router. - -The `http` service listens on port 80 and redirects HTTP requests to -HTTPS. - -The `https` service listens on port 443 with the `bk-default` backend -and handles HTTPS traffic using the `cert` certificate for SSL termination. -The HSTS header is set with a 1-year expiry to tell browsers to always use -SSL for the site. - -Rule 10 matches requests with the exact URL path `/.well-known/xxx` and -redirects them to `/certs/`. - -Rule 20 matches requests with URL paths ending in `/mail` or the exact -path `/email/bar` and redirects them to `/postfix/`. - -Global parameters include a maximum connection limit of 4000 and a minimum -TLS version of 1.3. - -```none -set load-balancing haproxy service http description 'Force redirect to HTTPS' -set load-balancing haproxy service http port '80' -set load-balancing haproxy service http redirect-http-to-https - -set load-balancing haproxy service https backend 'bk-default' -set load-balancing haproxy service https description 'listen on 443 port' -set load-balancing haproxy service https mode 'http' -set load-balancing haproxy service https port '443' -set load-balancing haproxy service https ssl certificate 'cert' -set load-balancing haproxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000' - -set load-balancing haproxy service https rule 10 url-path exact '/.well-known/xxx' -set load-balancing haproxy service https rule 10 set redirect-location '/certs/' -set load-balancing haproxy service https rule 20 url-path end '/mail' -set load-balancing haproxy service https rule 20 url-path exact '/email/bar' -set load-balancing haproxy service https rule 20 set redirect-location '/postfix/' - -set load-balancing haproxy backend bk-default description 'Default backend' -set load-balancing haproxy backend bk-default mode 'http' -set load-balancing haproxy backend bk-default server sr01 address '192.0.2.23' -set load-balancing haproxy backend bk-default server sr01 port '80' - -set load-balancing haproxy global-parameters max-connections '4000' -set load-balancing haproxy global-parameters tls-version-min '1.3' -``` - -### SSL Bridging - -The following configuration terminates incoming HTTPS traffic on the router, -then re-encrypts the traffic and sends it to the backend server via HTTPS. -Use this when encryption is required for both paths but you do not want to -install publicly trusted certificates on each backend server. - -Backend service certificates are checked against the certificate authority -specified in the configuration, which could be an internal CA. - -The `https` service listens on port 443 with backend `bk-bridge-ssl` to -handle HTTPS traffic. It uses certificate named `cert` for SSL termination. - -The `bk-bridge-ssl` backend connects to `sr01` server on port 443 via HTTPS -and checks backend server has a valid certificate trusted by CA `cacert` - -```none -set load-balancing haproxy service https backend 'bk-bridge-ssl' -set load-balancing haproxy service https description 'listen on 443 port' -set load-balancing haproxy service https mode 'http' -set load-balancing haproxy service https port '443' -set load-balancing haproxy service https ssl certificate 'cert' - -set load-balancing haproxy backend bk-bridge-ssl description 'SSL backend' -set load-balancing haproxy backend bk-bridge-ssl mode 'http' -set load-balancing haproxy backend bk-bridge-ssl ssl ca-certificate 'cacert' -set load-balancing haproxy backend bk-bridge-ssl server sr01 address '192.0.2.23' -set load-balancing haproxy backend bk-bridge-ssl server sr01 port '443' -``` - -### Balancing with HTTP health checks - -This configuration enables HTTP health checks for backend servers. - -```none -set load-balancing haproxy service my-tcp-api backend 'bk-01' -set load-balancing haproxy service my-tcp-api mode 'tcp' -set load-balancing haproxy service my-tcp-api port '8888' - -set load-balancing haproxy backend bk-01 balance 'round-robin' -set load-balancing haproxy backend bk-01 mode 'tcp' - -set load-balancing haproxy backend bk-01 http-check method 'get' -set load-balancing haproxy backend bk-01 http-check uri '/health' -set load-balancing haproxy backend bk-01 http-check expect 'status 200' - -set load-balancing haproxy backend bk-01 server srv01 address '192.0.2.11' -set load-balancing haproxy backend bk-01 server srv01 port '8881' -set load-balancing haproxy backend bk-01 server srv01 check -set load-balancing haproxy backend bk-01 server srv02 address '192.0.2.12' -set load-balancing haproxy backend bk-01 server srv02 port '8882' -set load-balancing haproxy backend bk-01 server srv02 check port '8892' -``` diff --git a/docs/configuration/loadbalancing/md-index.md b/docs/configuration/loadbalancing/md-index.md deleted file mode 100644 index 8b3dba24..00000000 --- a/docs/configuration/loadbalancing/md-index.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -lastproofread: '2026-04-06' ---- - -(load-balancing)= - -# Load-balancing - -```{eval-rst} -.. toctree:: - :maxdepth: 1 - :includehidden: - - wan - haproxy -``` diff --git a/docs/configuration/loadbalancing/md-wan.md b/docs/configuration/loadbalancing/md-wan.md deleted file mode 100644 index 5de0404c..00000000 --- a/docs/configuration/loadbalancing/md-wan.md +++ /dev/null @@ -1,303 +0,0 @@ ---- -lastproofread: '2026-04-06' ---- - -# WAN load balancing - -```{eval-rst} -.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd - directives for command coverage tracking. -``` - -The load balancer distributes outbound traffic across two or more -interfaces. If a path fails, the load balancer balances traffic across the -remaining healthy paths. When a path recovers, it is automatically added back -to the routing table. The load balancer adds routes for each path and -distributes traffic based on interface health and weight. - -In a minimal configuration, the following must be provided: - -> - An interface with a `nexthop`. -> - One rule with a LAN (inbound-interface) and the WAN (interface). - -The following examples uses two DHCP WAN interfaces and one LAN (`eth2`): - -```none -set load-balancing wan interface-health eth0 nexthop 'dhcp' -set load-balancing wan interface-health eth1 nexthop 'dhcp' -set load-balancing wan rule 1 inbound-interface 'eth2' -set load-balancing wan rule 1 interface eth0 -set load-balancing wan rule 1 interface eth1 -``` - -:::{note} -Do not use WAN load balancing with dynamic routing protocols. This -feature creates customized routing tables and firewall rules that are -incompatible with routing protocols. -::: - -## Load balancing rules - -You define interfaces, their weight, and the traffic type to balance in -numbered rule sets. The load balancer executes rules in numerical order -against outgoing packets. When a packet matches a rule, it is sent through the -specified interface. Packets that do not match any rule use the system routing -table. You cannot change rule numbers. - -Create a load balancing rule, it can be a number between 1 and 9999: - -```none -vyos@vyos# set load-balancing wan rule 1 -Possible completions: -description Description for this rule -> destination Destination -exclude Exclude packets matching this rule from wan load balance -failover Enable failover for packets matching this rule from wan load balance -inbound-interface Inbound interface name (e.g., "eth0") [REQUIRED] -+> interface Interface name [REQUIRED] -> limit Enable packet limit for this rule -per-packet-balancing Option to match traffic per-packet instead of the default, per-flow -protocol Protocol to match -> source Source information -``` - -### Interface weight - -By default, the load balancer distributes outbound -traffic randomly across available interfaces. You can assign weights to -interfaces to influence the distribution. If `eth0` has more bandwidth -than `eth1`, you can assign a higher weight to `eth0` to send more -traffic through it: - -```none -set load-balancing wan rule 1 interface eth0 weight 2 -set load-balancing wan rule 1 interface eth1 weight 1 -``` - -In this example,\`\`eth0\`\` receives 66% of traffic, and `eth1` receives -33% of traffic. - -### Rate limit - -Set a packet rate limit for a rule to apply it to traffic above or below a -specified threshold. To configure rate limiting, use: - -```none -set load-balancing wan rule <rule> limit <parameter> -``` - -- `burst`: Number of packets allowed to overshoot the limit within `period`. - Default 5. -- `period`: Time window for rate calculation. Possible values: - `second` (one second), `minute` (one minute), `hour` (one hour). - Default is `second`. -- `rate`: Number of packets. Default: `5`. -- `threshold`: `below` or `above` the specified rate limit. - -### Flow and packet-based balancing - -The load balancer balances outgoing traffic by flow. A connection tracking -table tracks flows by source address, destination address, and port. Each -flow is assigned to an interface based on the balancing rules, and subsequent -packets use the same interface. This ensures packets arrive in order when links -have different speeds. - -Packet-based balancing can improve balance across interfaces when packet -order is not critical. Enable per-packet balancing for a rule with: - -```none -set load-balancing wan rule <rule> per-packet-balancing -``` - -### Exclude traffic - -To exclude traffic from load balancing, traffic matching an exclude rule -bypasses load balancing and uses the system routing table instead: - -```none -set load-balancing wan rule <rule> exclude -``` - -## Health checks - -The load balancer periodically checks the health of interfaces and paths by -sending ICMP packets (ping) to remote destinations, performing TTL tests, or -executing a user-defined script. If an interface fails the health check, the -load balancer removes it from its interface pool. -To enable health checking for an interface: - -```none -vyos@vyos# set load-balancing wan interface-health <interface> -Possible completions: -failure-count Failure count -nexthop Outbound interface nexthop address. Can be 'dhcp or ip address' [REQUIRED] -success-count Success count -+> test Rule number -``` - -Specify the nexthop on the path to the destination. You can set -`ipv4-address` to `dhcp`. - -```none -set load-balancing wan interface-health <interface> nexthop <ipv4-address> -``` - -Set the number of health check failures before the load balancer marks an -interface as unavailable (range 1-10, default 1). Or set the number of -successful health checks before adding an interface back to the pool -(range 1-10, default 1). - -```none -set load-balancing wan interface-health <interface> failure-count <number> -set load-balancing wan interface-health <interface> success-count <number> -``` - -Configure each health check in its own test. Tests are numbered and processed -in numeric order. You can define multiple tests for multi-target health -checking: - -```none -vyos@vyos# set load-balancing wan interface-health eth1 test 0 -Possible completions: -resp-time Ping response time (seconds) -target Health target address -test-script Path to user defined script -ttl-limit Ttl limit (hop count) -type WLB test type -``` - -- `resp-time`: The maximum response time for ping in seconds. Range - 1-30, default `5`. -- `target`: The target to receive ICMP packets. The address can be an IPv4 - address or hostname. -- `test-script`: A user-defined script must return 0 to succeed and - non-zero to fail. Scripts reside in `/config/scripts`. For other locations, - provide the full path. -- `ttl-limit`: For the UDP TTL limit test, specify the hop count limit. - The limit must be shorter than the path length. The test succeeds when an - ICMP time-expired message is returned. Default `1`. -- `type`: Specify the test type: `ping`, `ttl`, or a user-defined - script. - -## Source NAT rules - -By default, interfaces in a load balancing pool replace the source IP of -each outgoing packet with their own address to ensure replies arrive on the -same interface. The load balancer handles this through automatically generated -Source NAT (SNAT) rules applied only to balanced traffic. To disable the -automatic generation of SNAT rules when this behavior is not desired, use: - -```none -set load-balancing wan disable-source-nat -``` - -## Sticky connections - -Inbound connections to a WAN interface can be improperly handled when -replies are sent back to the client. - -```{image} /_static/images/sticky-connections.webp -:align: center -:width: 80% -``` - -When responding to an incoming packet, you may want to ensure the response -leaves from the same interface as the incoming packet. Enable sticky -connections in the load balancer to do this: - -```none -set load-balancing wan sticky-connections inbound -``` - -## Failover - -In failover mode, one interface is primary and other interfaces are -secondary or spare. The load balancer uses only the primary interface. If it -fails, a secondary interface from the available pool takes over. The load -balancer selects the primary interface based on its weight and health. Other -interfaces become secondary. Secondary interfaces are chosen based on their -weight and health. You can also select interface roles based on rule order by -including interfaces in balancing rules and ordering those rules accordingly. -To enable failover mode, create a failover rule: - -```none -set load-balancing wan rule <number> failover -``` - -Existing sessions do not automatically fail over to a new path. Flush the -session table on each connection state change to enable failover: - -```none -set load-balancing wan flush-connections -``` - -:::{warning} -Flushing the session table causes other connections to revert from -flow-based to packet-based balancing until each flow is reestablished. -::: - -## Script execution - -Run a script when an interface state changes. Scripts run from the -`/config/scripts` directory. To use a script in another location, -specify the full path: - -```none -set load-balancing wan hook script-name -``` - -Two environment variables are available: - -- `WLB_INTERFACE_NAME=[interfacename]`: Interface to be monitored -- `WLB_INTERFACE_STATE=[ACTIVE|FAILED]`: Interface state - -:::{warning} -Blocking call with no timeout: VyOS becomes unresponsive if the -script does not return. -::: - -## Handling and monitoring - -The following command shows WAN load balancer information including test -types and targets. The character at the start of each line indicates the test -state: - -- `+` successful. -- `-` failed. -- A blank indicates that no test has been carried out. - -```none -vyos@vyos:~$ show wan-load-balance -Interface: eth0 -Status: failed -Last Status Change: Tue Jun 11 20:12:19 2019 --Test: ping Target: - Last Interface Success: 55s - Last Interface Failure: 0s - # Interface Failure(s): 5 - -Interface: eth1 -Status: active -Last Status Change: Tue Jun 11 20:06:42 2019 -+Test: ping Target: - Last Interface Success: 0s - Last Interface Failure: 6m26s - # Interface Failure(s): 0 -``` - -Show connection data of load balanced traffic: - -```none -vyos@vyos:~$ show wan-load-balance connection -conntrack v1.4.2 (conntrack-tools): 3 flow entries have been shown. -Type State Src Dst Packets Bytes -tcp TIME_WAIT 10.1.1.13:38040 203.0.113.2:80 203.0.113.2 192.168.188.71 -udp 10.1.1.13:41891 198.51.100.3:53 198.51.100.3 192.168.188.71 -udp 10.1.1.13:55437 198.51.100.3:53 198.51.100.3 192.168.188.71 -``` - -### Restart - -```none -restart wan-load-balance -``` diff --git a/docs/configuration/md-index.md b/docs/configuration/md-index.md deleted file mode 100644 index c86bb551..00000000 --- a/docs/configuration/md-index.md +++ /dev/null @@ -1,24 +0,0 @@ -# Configuration Guide - -The following structure represents the CLI structure. - -```{eval-rst} -.. toctree:: - :maxdepth: 1 - :includehidden: - - container/index - firewall/index - highavailability/index - interfaces/index - loadbalancing/index - nat/index - policy/index - pki/index - protocols/index - service/index - system/index - trafficpolicy/index - vpn/index - vrf/index -``` diff --git a/docs/configuration/nat/md-cgnat.md b/docs/configuration/nat/md-cgnat.md deleted file mode 100644 index 914a466b..00000000 --- a/docs/configuration/nat/md-cgnat.md +++ /dev/null @@ -1,200 +0,0 @@ -(cgnat)= - -# CGNAT - -{abbr}`CGNAT (Carrier-Grade Network Address Translation)` , also known as -Large-Scale NAT (LSN), is a type of network address translation used by -Internet Service Providers (ISPs) to enable multiple private IP addresses to -share a single public IP address. This technique helps to conserve the limited -IPv4 address space. -The 100.64.0.0/10 address block is reserved for use in carrier-grade NAT - -## Overview - -CGNAT works by placing a NAT device within the ISP's network. This device -translates private IP addresses from customer networks to a limited pool of -public IP addresses assigned to the ISP. This allows many customers to share a -smaller number of public IP addresses. - -Not all {rfc}`6888` requirements are implemented in CGNAT. - -Implemented the following {rfc}`6888` requirements: - -- REQ 2: A CGN must have a default "IP address pooling" behavior of "Paired". - CGN must use the same external IP address mapping for all sessions associated - with the same internal IP address, be they TCP, UDP, ICMP, something else, - or a mix of different protocols. -- REQ 3: The CGN function should not have any limitations on the size or the - contiguity of the external address pool. -- REQ 4: A CGN must support limiting the number of external ports (or, - equivalently, "identifiers" for ICMP) that are assigned per subscriber - -### Advantages of CGNAT - -- **IPv4 Address Conservation**: CGNAT helps mitigate the exhaustion of IPv4 addresses by allowing multiple customers to share a single public IP address. -- **Scalability**: ISPs can support more customers without needing a proportional increase in public IP addresses. -- **Cost-Effective**: Reduces the cost associated with acquiring additional public IPv4 addresses. - -### Considerations - -- **Traceability Issues**: Since multiple users share the same public IP address, tracking individual users for security and legal purposes can be challenging. -- **Performance Overheads**: The translation process can introduce latency and potential performance bottlenecks, especially under high load. -- **Application Compatibility**: Some applications and protocols may not work well with CGNAT due to their reliance on unique public IP addresses. -- **Port Allocation Limits**: Each public IP address has a limited number of ports, which can be exhausted, affecting the ability to establish new connections. -- **Port Control Protocol**: PCP is not implemented. - -## Port calculation - -When implementing CGNAT, ensuring that there are enough ports allocated per subscriber is critical. Below is a summary based on RFC 6888. - -1. **Total Ports Available**: - - - Total Ports: 65536 (0 to 65535) - - Reserved Ports: Assume 1024 ports are reserved for well-known services and administrative purposes. - - Usable Ports: 65536 - 1024 = 64512 - -2. **Estimate Ports Needed per Subscriber**: - - - Example: A household might need 1000 ports to ensure smooth operation for multiple devices and applications. - -3. **Calculate the Number of Subscribers per Public IP**: - - - Usable Ports / Ports per Subscriber - - 64512 / 1000 ≈ 64 subscribers per public IP - -## Configuration - -```{cfgcmd} set nat cgnat pool external \<pool-name\> external-port-range \<port-range\> - -Set an external port-range for the external pool, the default range is -1024-65535. Multiple entries can be added to the same pool. -``` - - -```{cfgcmd} set nat cgnat pool external \<pool-name\> per-user-limit port \<num\> - -Set external source port limits that will be allocated to each subscriber -individually. The default value is 2000. -``` - - -```{cfgcmd} set nat cgnat pool external \<pool-name\> range [address | address range | network] [seq] - -Set the range of external IP addresses for the CGNAT pool. -The sequence is optional; if set, a lower value means higher priority. -``` - - -```{cfgcmd} set nat cgnat pool internal \<pool-name\> range [address range | network] - -Set the range of internal IP addresses for the CGNAT pool. -``` - - -```{cfgcmd} set nat cgnat rule \<num\> source pool \<internal-pool-name\> - -Set the rule for the source pool. -``` - - -```{cfgcmd} set nat cgnat rule \<num\> translation pool \<external-pool-name\> - -Set the rule for the translation pool. -``` - - -```{cfgcmd} set nat cgnat log-allocation - -Enable logging of IP address and ports allocations. -``` - - -## Configuration Examples - -### Single external address - -Example of setting up a basic CGNAT configuration: -In the following example, we define an external pool named `ext-1` with one -external IP address. - -Each subscriber will be allocated a maximum of 2000 ports from the external pool. - -```none -set nat cgnat pool external ext1 external-port-range '1024-65535' -set nat cgnat pool external ext1 per-user-limit port '2000' -set nat cgnat pool external ext1 range '192.0.2.222/32' -set nat cgnat pool internal int1 range '100.64.0.0/28' -set nat cgnat rule 10 source pool 'int1' -set nat cgnat rule 10 translation pool 'ext1' -``` - - -### Multiple external addresses - -```none -set nat cgnat pool external ext1 external-port-range '1024-65535' -set nat cgnat pool external ext1 per-user-limit port '8000' -set nat cgnat pool external ext1 range '192.0.2.1-192.0.2.2' -set nat cgnat pool external ext1 range '203.0.113.253-203.0.113.254' -set nat cgnat pool internal int1 range '100.64.0.1-100.64.0.32' -set nat cgnat rule 10 source pool 'int1' -set nat cgnat rule 10 translation pool 'ext1' -``` - - -### External address sequences - -```none -set nat cgnat pool external ext-01 per-user-limit port '16000' -set nat cgnat pool external ext-01 range 203.0.113.1/32 seq '10' -set nat cgnat pool external ext-01 range 192.0.2.1/32 seq '20' -set nat cgnat pool internal int-01 range '100.64.0.0/29' -set nat cgnat rule 10 source pool 'int-01' -set nat cgnat rule 10 translation pool 'ext-01' -``` - - -## Operation commands - -```{opcmd} show nat cgnat allocation - -Show address and port allocations -``` - -```{opcmd} show nat cgnat allocation external-address \<address\> - -Show all allocations for an external IP address -``` - -```{opcmd} show nat cgnat allocation internal-address \<address\> - -Show all allocations for an internal IP address -``` - - -### Show CGNAT allocations - -```none -vyos@vyos:~$ show nat cgnat allocation -Internal IP External IP Port range -------------- ------------- ------------ -100.64.0.0 203.0.113.1 1024-17023 -100.64.0.1 203.0.113.1 17024-33023 -100.64.0.2 203.0.113.1 33024-49023 -100.64.0.3 203.0.113.1 49024-65023 -100.64.0.4 192.0.2.1 1024-17023 -100.64.0.5 192.0.2.1 17024-33023 -100.64.0.6 192.0.2.1 33024-49023 -100.64.0.7 192.0.2.1 49024-65023 - -vyos@vyos:~$ show nat cgnat allocation internal-address 100.64.0.4 -Internal IP External IP Port range -------------- ------------- ------------ -100.64.0.4 192.0.2.1 1024-17023 -``` - - -## Further Reading - -- {rfc}`6598` - IANA-Reserved IPv4 Prefix for Shared Address Space -- {rfc}`6888` - Requirements for CGNAT diff --git a/docs/configuration/nat/md-index.md b/docs/configuration/nat/md-index.md deleted file mode 100644 index 35e5d32b..00000000 --- a/docs/configuration/nat/md-index.md +++ /dev/null @@ -1,13 +0,0 @@ -(nat)= - -# NAT - -```{toctree} -:includehidden: true -:maxdepth: 1 - -nat44 -nat64 -nat66 -cgnat -``` diff --git a/docs/configuration/nat/md-nat44.md b/docs/configuration/nat/md-nat44.md deleted file mode 100644 index ea855906..00000000 --- a/docs/configuration/nat/md-nat44.md +++ /dev/null @@ -1,800 +0,0 @@ -(nat44)= - -# NAT44 - -{abbr}`NAT (Network Address Translation)` is a common method of -remapping one IP address space into another by modifying network address -information in the IP header of packets while they are in transit across -a traffic routing device. The technique was originally used as a -shortcut to avoid the need to readdress every host when a network was -moved. It has become a popular and essential tool in conserving global -address space in the face of IPv4 address exhaustion. One -Internet-routable IP address of a NAT gateway can be used for an entire -private network. - -IP masquerading is a technique that hides an entire IP address space, -usually consisting of private IP addresses, behind a single IP address -in another, usually public address space. The hidden addresses are -changed into a single (public) IP address as the source address of the -outgoing IP packets so they appear as originating not from the hidden -host but from the routing device itself. Because of the popularity of -this technique to conserve IPv4 address space, the term NAT has become -virtually synonymous with IP masquerading. - -As network address translation modifies the IP address information in -packets, NAT implementations may vary in their specific behavior in -various addressing cases and their effect on network traffic. The -specifics of NAT behavior are not commonly documented by vendors of -equipment containing NAT implementations. - -The computers on an internal network can use any of the addresses set -aside by the {abbr}`IANA (Internet Assigned Numbers Authority)` for -private addressing (see {rfc}`1918`). These reserved IP addresses are -not in use on the Internet, so an external machine will not directly -route to them. The following addresses are reserved for private use: - -- 10.0.0.0 to 10.255.255.255 (CIDR: 10.0.0.0/8) -- 172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12) -- 192.168.0.0 to 192.168.255.255 (CIDR: 192.168.0.0/16) - -If an ISP deploys a {abbr}`CGN (Carrier-grade NAT)`, and uses -{rfc}`1918` address space to number customer gateways, the risk of -address collision, and therefore routing failures, arises when the -customer network already uses an {rfc}`1918` address space. - -This prompted some ISPs to develop a policy within the {abbr}`ARIN -(American Registry for Internet Numbers)` to allocate new private -address space for CGNs, but ARIN deferred to the IETF before -implementing the policy indicating that the matter was not a typical -allocation issue but a reservation of addresses for technical purposes -(per {rfc}`2860`). - -IETF published {rfc}`6598`, detailing a shared address space for use in -ISP CGN deployments that can handle the same network prefixes occurring -both on inbound and outbound interfaces. ARIN returned address space to -the {abbr}`IANA (Internet Assigned Numbers Authority)` for this -allocation. - -The allocated address block is 100.64.0.0/10. - -Devices evaluating whether an IPv4 address is public must be updated to -recognize the new address space. Allocating more private IPv4 address -space for NAT devices might prolong the transition to IPv6. - -## Overview - -### Different NAT Types - -(source-nat)= - -#### SNAT - -{abbr}`SNAT (Source Network Address Translation)` is the most common -form of {abbr}`NAT (Network Address Translation)` and is typically -referred to simply as NAT. To be more correct, what most people refer -to as {abbr}`NAT (Network Address Translation)` is actually the process -of {abbr}`PAT (Port Address Translation)`, or NAT overload. SNAT is -typically used by internal users/private hosts to access the Internet -\- the source address is translated and thus kept private. - -(destination-nat)= - -#### DNAT - -{abbr}`DNAT (Destination Network Address Translation)` changes the -destination address of packets passing through the router, while -{ref}`source-nat` changes the source address of packets. DNAT is -typically used when an external (public) host needs to initiate a -session with an internal (private) host. A customer needs to access a -private service behind the routers public IP. A connection is -established with the routers public IP address on a well known port and -thus all traffic for this port is rewritten to address the internal -(private) host. - -(bidirectional-nat)= - -#### Bidirectional NAT - -This is a common scenario where both {ref}`source-nat` and -{ref}`destination-nat` are configured at the same time. It's commonly -used when internal (private) hosts need to establish a connection with -external resources and external systems need to access internal -(private) resources. - -### NAT, Routing, Firewall Interaction - -There is a very nice picture/explanation in the Vyatta documentation -which should be rewritten here. - -### NAT Ruleset - -{abbr}`NAT (Network Address Translation)` is configured entirely on a -series of so called `rules`. Rules are numbered and evaluated by the -underlying OS in numerical order! The rule numbers can be changes by -utilizing the {cfgcmd}`rename` and {cfgcmd}`copy` commands. - -:::{note} -Changes to the NAT system only affect newly established -connections. Already established connections are not affected. -::: - -:::{hint} -When designing your NAT ruleset leave some space between -consecutive rules for later extension. Your ruleset could start with -numbers 10, 20, 30. You thus can later extend the ruleset and place -new rules between existing ones. -::: - -Rules will be created for both {ref}`source-nat` and -{ref}`destination-nat`. - -For {ref}`bidirectional-nat` a rule for both {ref}`source-nat` and -{ref}`destination-nat` needs to be created. - -(traffic-filters)= - -### Traffic Filters - -Traffic Filters are used to control which packets will have the defined -NAT rules applied. Five different filters can be applied within a NAT -rule. - -- **outbound-interface** - applicable only to {ref}`source-nat`. It - configures the interface which is used for the outside traffic that - this translation rule applies to. Interface groups, inverted - selection and wildcard, are also supported. - - Examples: - - ```none - set nat source rule 20 outbound-interface name eth0 - set nat source rule 30 outbound-interface name bond1* - set nat source rule 20 outbound-interface name !vtun2 - set nat source rule 20 outbound-interface group GROUP1 - set nat source rule 20 outbound-interface group !GROUP2 - ``` - -- **inbound-interface** - applicable only to {ref}`destination-nat`. It - configures the interface which is used for the inside traffic the - translation rule applies to. Interface groups, inverted - selection and wildcard, are also supported. - - Example: - - ```none - set nat destination rule 20 inbound-interface name eth0 - set nat destination rule 30 inbound-interface name bond1* - set nat destination rule 20 inbound-interface name !vtun2 - set nat destination rule 20 inbound-interface group GROUP1 - set nat destination rule 20 inbound-interface group !GROUP2 - ``` - -- **protocol** - specify which types of protocols this translation rule - applies to. Only packets matching the specified protocol are NATed. - By default this applies to `all` protocols. - - Example: - - - Set SNAT rule 20 to only NAT TCP and UDP packets - - Set DNAT rule 20 to only NAT UDP packets - - ```none - set nat source rule 20 protocol tcp_udp - set nat destination rule 20 protocol udp - ``` - -- **source** - specifies which packets the NAT translation rule applies - to based on the packets source IP address and/or source port. Only - matching packets are considered for NAT. - - Example: - - - Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24 - network - - Set SNAT rule 30 to only NAT packets arriving from the 203.0.113.0/24 - network with a source port of 80 and 443 - - ```none - set nat source rule 20 source address 192.0.2.0/24 - set nat source rule 30 source address 203.0.113.0/24 - set nat source rule 30 source port 80,443 - ``` - -- **destination** - specify which packets the translation will be - applied to, only based on the destination address and/or port number - configured. - - :::{note} - If no destination is specified the rule will match on any - destination address and port. - ::: - - Example: - - - Configure SNAT rule (40) to only NAT packets with a destination - address of 192.0.2.1. - - ```none - set nat source rule 40 destination address 192.0.2.1 - ``` - -### Address Conversion - -Every NAT rule has a translation command defined. The address defined -for the translation is the address used when the address information in -a packet is replaced. - -#### Source Address - -For {ref}`source-nat` rules the packets source address will be replaced -with the address specified in the translation command. A port -translation can also be specified and is part of the translation -address. - -:::{note} -The translation address must be set to one of the available -addresses on the configured `outbound-interface` or it must be set to -`masquerade` which will use the primary IP address of the -`outbound-interface` as its translation address. - -When using NAT for a large number of host systems it -recommended that a minimum of 1 IP address is used to NAT every 256 -private host systems. This is due to the limit of 65,000 port numbers -available for unique translations and a reserving an average of -200-300 sessions per host system. -::: - -Example: - -- Define a discrete source IP address of 100.64.0.1 for SNAT rule 20 -- Use address `masquerade` (the interfaces primary address) on rule 30 -- For a large amount of private machines behind the NAT your address - pool might to be bigger. Use any address in the range 100.64.0.10 - - 100.64.0.20 on SNAT rule 40 when doing the translation - -```none -set nat source rule 20 translation address 100.64.0.1 -set nat source rule 30 translation address 'masquerade' -set nat source rule 40 translation address 100.64.0.10-100.64.0.20 -``` - -#### Destination Address - -For {ref}`destination-nat` rules the packets destination address will be -replaced by the specified address in the `translation address` command. - -Example: - -- DNAT rule 10 replaces the destination address of an inbound packet - with 192.0.2.10 - -```none -set nat destination rule 10 translation address 192.0.2.10 -``` - -Also, in {ref}`destination-nat`, redirection to localhost is supported. -The redirect statement is a special form of dnat which always translates -the destination address to the local host’s one. - -Example of redirection: - -```none -set nat destination rule 10 translation redirect port 22 -``` - -### NAT Load Balance - -Advanced configuration can be used in order to apply source or destination NAT, -and within a single rule, be able to define multiple translated addresses, -so NAT balances the translations among them. - -NAT Load Balance uses an algorithm that generates a hash and based on it, then -it applies corresponding translation. This hash can be generated randomly, or -can use data from the ip header: source-address, destination-address, -source-port and/or destination-port. By default, it will generate the hash -randomly. - -When defining the translated address, called `backends`, a `weight` must -be configured. This lets the user define load balance distribution according -to their needs. Them sum of all the weights defined for the backends should -be equal to 100. In oder words, the weight defined for the backend is the -percentage of the connections that will receive such backend. - -```{eval-rst} -.. cfgcmd:: set nat [source | destination] rule <rule> load-balance hash - [source-address | destination-address | source-port | destination-port - | random] -``` - -```{eval-rst} -.. cfgcmd:: set nat [source | destination] rule <rule> load-balance backend - <x.x.x.x> weight <1-100> - -``` - -## Configuration Examples - -To setup SNAT, we need to know: - -- The internal IP addresses we want to translate -- The outgoing interface to perform the translation on -- The external IP address to translate to - -In the example used for the Quick Start configuration above, we -demonstrate the following configuration: - -```none -set nat source rule 100 outbound-interface name 'eth0' -set nat source rule 100 source address '192.168.0.0/24' -set nat source rule 100 translation address 'masquerade' -``` - -Which generates the following configuration: - -```none -rule 100 { - outbound-interface { - name eth0 - } - source { - address 192.168.0.0/24 - } - translation { - address masquerade - } -} -``` - -In this example, we use **masquerade** as the translation address -instead of an IP address. The **masquerade** target is effectively an -alias to say "use whatever IP address is on the outgoing interface", -rather than a statically configured IP address. This is useful if you -use DHCP for your outgoing interface and do not know what the external -address will be. - -When using NAT for a large number of host systems it recommended that a -minimum of 1 IP address is used to NAT every 256 host systems. This is -due to the limit of 65,000 port numbers available for unique -translations and a reserving an average of 200-300 sessions per host -system. - -Example: For an ~8,000 host network a source NAT pool of 32 IP addresses -is recommended. - -A pool of addresses can be defined by using a hyphen between two IP -addresses: - -```none -set nat source rule 100 translation address '203.0.113.32-203.0.113.63' -``` - -(avoidng-leaky-nat)= - -### Avoiding "leaky" NAT - -Linux netfilter will not NAT traffic marked as INVALID. This often -confuses people into thinking that Linux (or specifically VyOS) has a -broken NAT implementation because non-NATed traffic is seen leaving an -external interface. This is actually working as intended, and a packet -capture of the "leaky" traffic should reveal that the traffic is either -an additional TCP "RST", "FIN,ACK", or "RST,ACK" sent by client systems -after Linux netfilter considers the connection closed. The most common -is the additional TCP RST some host implementations send after -terminating a connection (which is implementation-specific). - -In other words, connection tracking has already observed the connection -be closed and has transition the flow to INVALID to prevent attacks from -attempting to reuse the connection. - -You can avoid the "leaky" behavior by using a firewall policy that drops -"invalid" state packets. - -Having control over the matching of INVALID state traffic, e.g. the -ability to selectively log, is an important troubleshooting tool for -observing broken protocol behavior. For this reason, VyOS does not -globally drop invalid state traffic, instead allowing the operator to -make the determination on how the traffic is handled. - -(hairpin-nat-reflection)= - -### Hairpin NAT/NAT Reflection - -A typical problem with using NAT and hosting public servers is the -ability for internal systems to reach an internal server using it's -external IP address. The solution to this is usually the use of -split-DNS to correctly point host systems to the internal address when -requests are made internally. Because many smaller networks lack DNS -infrastructure, a work-around is commonly deployed to facilitate the -traffic by NATing the request from internal hosts to the source address -of the internal interface on the firewall. - -This technique is commonly referred to as NAT Reflection or Hairpin NAT. - -Example: - -- Redirect Microsoft RDP traffic from the outside (WAN, external) world - via {ref}`destination-nat` in rule 100 to the internal, private host - 192.0.2.40. -- Redirect Microsoft RDP traffic from the internal (LAN, private) - network via {ref}`destination-nat` in rule 110 to the internal, - private host 192.0.2.40. We also need a {ref}`source-nat` rule 110 for - the reverse path of the traffic. The internal network 192.0.2.0/24 is - reachable via interface `eth0.10`. - -```none -set nat destination rule 100 description 'Regular destination NAT from external' -set nat destination rule 100 destination port '3389' -set nat destination rule 100 inbound-interface name 'pppoe0' -set nat destination rule 100 protocol 'tcp' -set nat destination rule 100 translation address '192.0.2.40' - -set nat destination rule 110 description 'NAT Reflection: INSIDE' -set nat destination rule 110 destination port '3389' -set nat destination rule 110 inbound-interface name 'eth0.10' -set nat destination rule 110 protocol 'tcp' -set nat destination rule 110 translation address '192.0.2.40' - -set nat source rule 110 description 'NAT Reflection: INSIDE' -set nat source rule 110 destination address '192.0.2.0/24' -set nat source rule 110 outbound-interface name 'eth0.10' -set nat source rule 110 protocol 'tcp' -set nat source rule 110 source address '192.0.2.0/24' -set nat source rule 110 translation address 'masquerade' -``` - -Which results in a configuration of: - -```none -vyos@vyos# show nat - destination { - rule 100 { - description "Regular destination NAT from external" - destination { - port 3389 - } - inbound-interface { - name pppoe0 - } - protocol tcp - translation { - address 192.0.2.40 - } - } - rule 110 { - description "NAT Reflection: INSIDE" - destination { - port 3389 - } - inbound-interface { - name eth0.10 - } - protocol tcp - translation { - address 192.0.2.40 - } - } - } - source { - rule 110 { - description "NAT Reflection: INSIDE" - destination { - address 192.0.2.0/24 - } - outbound-interface { - name eth0.10 - } - protocol tcp - source { - address 192.0.2.0/24 - } - translation { - address masquerade - } - } - } -``` - -### Destination NAT - -DNAT is typically referred to as a **Port Forward**. When using VyOS as -a NAT router and firewall, a common configuration task is to redirect -incoming traffic to a system behind the firewall. - -In this example, we will be using the example Quick Start configuration -above as a starting point. - -To setup a destination NAT rule we need to gather: - -- The interface traffic will be coming in on; -- The protocol and port we wish to forward; -- The IP address of the internal system we wish to forward traffic to. - -In our example, we will be forwarding web server traffic to an internal -web server on 192.168.0.100. HTTP traffic makes use of the TCP protocol -on port 80. For other common port numbers, see: -<https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers> - -Our configuration commands would be: - -```none -set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100' -set nat destination rule 10 destination port '80' -set nat destination rule 10 inbound-interface name 'eth0' -set nat destination rule 10 protocol 'tcp' -set nat destination rule 10 translation address '192.168.0.100' -``` - -Which would generate the following NAT destination configuration: - -```none -nat { - destination { - rule 10 { - description "Port Forward: HTTP to 192.168.0.100" - destination { - port 80 - } - inbound-interface { - name eth0 - } - protocol tcp - translation { - address 192.168.0.100 - } - } - } -} -``` - -:::{note} -If forwarding traffic to a different port than it is arriving -on, you may also configure the translation port using -`set nat destination rule [n] translation port`. -::: - -This establishes our Port Forward rule, but if we created a firewall -policy it will likely block the traffic. - -#### Firewall rules for Destination NAT - -It is important to note that when creating firewall rules, the DNAT -translation occurs **before** traffic traverses the firewall. In other -words, the destination address has already been translated to -192.168.0.100. - -So in our firewall ruleset, we want to allow traffic which previously matched -a destination nat rule. In order to avoid creating many rules, one for each -destination nat rule, we can accept all **'dnat'** connections with one simple -rule, using `connection-status` matcher: - -```none -set firewall ipv4 forward filter rule 10 action accept -set firewall ipv4 forward filter rule 10 connection-status nat destination -set firewall ipv4 forward filter rule 10 state new -``` - -This would generate the following configuration: - -```none -ipv4 { - forward { - filter { - rule 10 { - action accept - connection-status { - nat destination - } - state new - } - } - } -} -``` - -### 1-to-1 NAT - -Another term often used for DNAT is **1-to-1 NAT**. For a 1-to-1 NAT -configuration, both DNAT and SNAT are used to NAT all traffic from an -external IP address to an internal IP address and vice-versa. - -Typically, a 1-to-1 NAT rule omits the destination port (all ports) and -replaces the protocol with either **all** or **ip**. - -Then a corresponding SNAT rule is created to NAT outgoing traffic for -the internal IP to a reserved external IP. This dedicates an external IP -address to an internal IP address and is useful for protocols which -don't have the notion of ports, such as GRE. - -Here's an extract of a simple 1-to-1 NAT configuration with one internal -and one external interface: - -```none -set interfaces ethernet eth0 address '192.168.1.1/24' -set interfaces ethernet eth0 description 'Inside interface' -set interfaces ethernet eth1 address '192.0.2.30/24' -set interfaces ethernet eth1 description 'Outside interface' -set nat destination rule 2000 description '1-to-1 NAT example' -set nat destination rule 2000 destination address '192.0.2.30' -set nat destination rule 2000 inbound-interface name 'eth1' -set nat destination rule 2000 translation address '192.168.1.10' -set nat source rule 2000 description '1-to-1 NAT example' -set nat source rule 2000 outbound-interface name 'eth1' -set nat source rule 2000 source address '192.168.1.10' -set nat source rule 2000 translation address '192.0.2.30' -``` - -Firewall rules are written as normal, using the internal IP address as -the source of outbound rules and the destination of inbound rules. - -### NAT before VPN - -Some application service providers (ASPs) operate a VPN gateway to -provide access to their internal resources, and require that a -connecting organisation translate all traffic to the service provider -network to a source address provided by the ASP. - -### Load Balance - -Here we provide two examples on how to apply NAT Load Balance. - -First scenario: apply destination NAT for all HTTP traffic comming through -interface eth0, and user 4 backends. First backend should received 30% of -the request, second backend should get 20%, third 15% and the fourth 35% -We will use source and destination address for hash generation. - -```none -set nat destination rule 10 inbound-interface name eth0 -set nat destination rule 10 protocol tcp -set nat destination rule 10 destination port 80 -set nat destination rule 10 load-balance hash source-address -set nat destination rule 10 load-balance hash destination-address -set nat destination rule 10 load-balance backend 198.51.100.101 weight 30 -set nat destination rule 10 load-balance backend 198.51.100.102 weight 20 -set nat destination rule 10 load-balance backend 198.51.100.103 weight 15 -set nat destination rule 10 load-balance backend 198.51.100.104 weight 35 -``` - -Second scenario: apply source NAT for all outgoing connections from -LAN 10.0.0.0/8, using 3 public addresses and equal distribution. -We will generate the hash randomly. - -```none -set nat source rule 10 outbound-interface name eth0 -set nat source rule 10 source address 10.0.0.0/8 -set nat source rule 10 load-balance hash random -set nat source rule 10 load-balance backend 192.0.2.251 weight 33 -set nat source rule 10 load-balance backend 192.0.2.252 weight 33 -set nat source rule 10 load-balance backend 192.0.2.253 weight 34 -``` - -#### Example Network - -Here's one example of a network environment for an ASP. -The ASP requests that all connections from this company should come from -172.29.41.89 - an address that is assigned by the ASP and not in use at -the customer site. - -:::{figure} /_static/images/nat_before_vpn_topology.webp -:alt: NAT before VPN Topology -:scale: 100 % - -NAT before VPN Topology -::: - -#### Configuration - -The required configuration can be broken down into 4 major pieces: - -- A dummy interface for the provider-assigned IP; -- NAT (specifically, Source NAT); -- IPSec IKE and ESP Groups; -- IPSec VPN tunnels. - -##### Dummy interface - -The dummy interface allows us to have an equivalent of the Cisco IOS -Loopback interface - a router-internal interface we can use for IP -addresses the router must know about, but which are not actually -assigned to a real network. - -We only need a single step for this interface: - -```none -set interfaces dummy dum0 address '172.29.41.89/32' -``` - -##### NAT Configuration - -```none -set nat source rule 110 description 'Internal to ASP' -set nat source rule 110 destination address '172.27.1.0/24' -set nat source rule 110 source address '192.168.43.0/24' -set nat source rule 110 translation address '172.29.41.89' -set nat source rule 120 description 'Internal to ASP' -set nat source rule 120 destination address '10.125.0.0/16' -set nat source rule 120 source address '192.168.43.0/24' -set nat source rule 120 translation address '172.29.41.89' -``` - -##### IPSec IKE and ESP - -The ASP has documented their IPSec requirements: - -- IKE Phase: - - - aes256 Encryption - - sha256 Hashes - -- ESP Phase: - - - aes256 Encryption - - sha256 Hashes - - DH Group 14 - -Additionally, we want to use VPNs only on our eth1 interface (the -external interface in the image above) - -```none -set vpn ipsec ike-group my-ike key-exchange 'ikev1' -set vpn ipsec ike-group my-ike lifetime '7800' -set vpn ipsec ike-group my-ike proposal 1 dh-group '14' -set vpn ipsec ike-group my-ike proposal 1 encryption 'aes256' -set vpn ipsec ike-group my-ike proposal 1 hash 'sha256' - -set vpn ipsec esp-group my-esp lifetime '3600' -set vpn ipsec esp-group my-esp mode 'tunnel' -set vpn ipsec esp-group my-esp pfs 'disable' -set vpn ipsec esp-group my-esp proposal 1 encryption 'aes256' -set vpn ipsec esp-group my-esp proposal 1 hash 'sha256' - -set vpn ipsec interface 'eth1' -``` - -##### IPSec VPN Tunnels - -We'll use the IKE and ESP groups created above for this VPN. Because we -need access to 2 different subnets on the far side, we will need two -different tunnels. If you changed the names of the ESP group and IKE -group in the previous step, make sure you use the correct names here -too. - -```none -set vpn ipsec authentication psk vyos id '203.0.113.46' -set vpn ipsec authentication psk vyos id '198.51.100.243' -set vpn ipsec authentication psk vyos secret 'MYSECRETPASSWORD' -set vpn ipsec site-to-site peer branch authentication local-id '203.0.113.46' -set vpn ipsec site-to-site peer branch authentication mode 'pre-shared-secret' -set vpn ipsec site-to-site peer branch authentication remote-id '198.51.100.243' -set vpn ipsec site-to-site peer branch connection-type 'initiate' -set vpn ipsec site-to-site peer branch default-esp-group 'my-esp' -set vpn ipsec site-to-site peer branch ike-group 'my-ike' -set vpn ipsec site-to-site peer branch ikev2-reauth 'inherit' -set vpn ipsec site-to-site peer branch local-address '203.0.113.46' -set vpn ipsec site-to-site peer branch remote-address '198.51.100.243' -set vpn ipsec site-to-site peer branch tunnel 0 local prefix '172.29.41.89/32' -set vpn ipsec site-to-site peer branch tunnel 0 remote prefix '172.27.1.0/24' -set vpn ipsec site-to-site peer branch tunnel 1 local prefix '172.29.41.89/32' -set vpn ipsec site-to-site peer branch tunnel 1 remote prefix '10.125.0.0/16' -``` - -##### Testing and Validation - -If you've completed all the above steps you no doubt want to see if it's -all working. - -Start by checking for IPSec SAs (Security Associations) with: - -```none -$ show vpn ipsec sa - -Peer ID / IP Local ID / IP ------------- ------------- -198.51.100.243 203.0.113.46 - - Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto - ------ ----- ------------- ------- ---- ----- ------ ------ ----- - 0 up 0.0/0.0 aes256 sha256 no 1647 3600 all - 1 up 0.0/0.0 aes256 sha256 no 865 3600 all -``` - -That looks good - we defined 2 tunnels and they're both up and running. diff --git a/docs/configuration/nat/md-nat64.md b/docs/configuration/nat/md-nat64.md deleted file mode 100644 index 2a6931d7..00000000 --- a/docs/configuration/nat/md-nat64.md +++ /dev/null @@ -1,75 +0,0 @@ -# NAT64 - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -`NAT64 (IPv6-to-IPv4 Prefix Translation)` is a critical component in -modern networking, facilitating communication between IPv6 and IPv4 networks. -This documentation outlines the setup, configuration, and usage of the NAT64 -feature in your project. Whether you are transitioning to IPv6 or need to -seamlessly connect IPv4 and IPv6 devices. -NAT64 is a stateful translation mechanism that translates IPv6 addresses to -IPv4 addresses and IPv4 addresses to IPv6 addresses. NAT64 is used to enable -IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. - -## Overview - -### Different NAT Types - -#### SNAT64 - -`SNAT64 (IPv6-to-IPv4 Source Address Translation)` is a stateful -translation mechanism that translates IPv6 addresses to IPv4 addresses. - -`64:ff9b::/96` is the well-known prefix for IPv4-embedded IPv6 addresses. -The prefix is used to represent IPv4 addresses in an IPv6 address format. -The IPv4 address is encoded in the low-order 32 bits of the IPv6 address. -The high-order 32 bits are set to the well-known prefix 64:ff9b::/96. - -## Configuration Examples - -The following examples show how to configure NAT64 on a VyOS router. -The 192.0.2.10 address is used as the IPv4 address for the translation pool. - -NAT64 server configuration: - -``` none -set interfaces ethernet eth0 address '192.0.2.1/24' -set interfaces ethernet eth0 address '192.0.2.10/24' -set interfaces ethernet eth0 description 'WAN' -set interfaces ethernet eth1 address '2001:db8::1/64' -set interfaces ethernet eth1 description 'LAN' - -set service dns forwarding allow-from '2001:db8::/64' -set service dns forwarding dns64-prefix '64:ff9b::/96' -set service dns forwarding listen-address '2001:db8::1' - -set nat64 source rule 100 source prefix '64:ff9b::/96' -set nat64 source rule 100 translation pool 10 address '192.0.2.10' -set nat64 source rule 100 translation pool 10 port '1-65535' -``` - -NAT64 client configuration: - -``` none -set interfaces ethernet eth1 address '2001:db8::2/64' -set protocols static route6 64:ff9b::/96 next-hop 2001:db8::1 -set system name-server '2001:db8::1' -``` - -Test from the IPv6 only client: - -``` none -vyos@r1:~$ ping 64:ff9b::192.0.2.1 count 2 -PING 64:ff9b::192.0.2.1(64:ff9b::c000:201) 56 data bytes -64 bytes from 64:ff9b::c000:201: icmp_seq=1 ttl=63 time=0.351 ms -64 bytes from 64:ff9b::c000:201: icmp_seq=2 ttl=63 time=0.373 ms - ---- 64:ff9b::192.0.2.1 ping statistics --- -2 packets transmitted, 2 received, 0% packet loss, time 1023ms -rtt min/avg/max/mdev = 0.351/0.362/0.373/0.011 ms -``` diff --git a/docs/configuration/nat/md-nat66.md b/docs/configuration/nat/md-nat66.md deleted file mode 100644 index b7281035..00000000 --- a/docs/configuration/nat/md-nat66.md +++ /dev/null @@ -1,241 +0,0 @@ -# NAT66(NPTv6) - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -`NPTv6 (IPv6-to-IPv6 Network Prefix Translation)` is an address -translation technology based on IPv6 networks, used to convert an IPv6 -address prefix in an IPv6 message into another IPv6 address prefix. -We call this address translation method NAT66. Devices that support the NAT66 -function are called NAT66 devices, which can provide NAT66 source -and destination address translation functions. - -## Overview - -### Different NAT Types - -#### SNAT66 - -`SNPTv6 (Source IPv6-to-IPv6 Network Prefix Translation)` The conversion -function is mainly used in the following scenarios: - -- A single internal network and external network. Use the NAT66 device to - connect a single internal network and public network, and the hosts in - the internal network use IPv6 address prefixes that only support - routing within the local range. When a host in the internal network - accesses the external network, the source IPv6 address prefix in - the message will be converted into a global unicast IPv6 address - prefix by the NAT66 device. -- Redundancy and load sharing. There are multiple NAT66 devices at the edge - of an IPv6 network to another IPv6 network. The path through the NAT66 - device to another IPv6 network forms an equivalent route, and traffic - can be load-shared on these NAT66 devices. In this case, you - can configure the same source address translation rules on these - NAT66 devices, so that any NAT66 device can handle IPv6 traffic between - different sites. -- Multi-homed. In a multi-homed network environment, the NAT66 device - connects to an internal network and simultaneously connects to - different external networks. Address translation can be configured - on each external network side interface of the NAT66 device to - convert the same internal network address into different external - network addresses, and realize the mapping of the same internal - address to multiple external addresses. - -#### DNAT66 - -The `DNPTv6 (Destination IPv6-to-IPv6 Network Prefix Translation)` -destination address translation function is used in scenarios where the -server in the internal network provides services to the external network, -such as providing Web services or FTP services to the external network. -By configuring the mapping relationship between the internal server -address and the external network address on the external network -side interface of the NAT66 device, external network users can -access the internal network server through the designated -external network address. - -### Prefix Conversion - -#### Source Prefix - -Every SNAT66 rule has a translation command defined. The prefix defined -for the translation is the prefix used when the address information in -a packet is replaced.、 - -The `source-nat66` rule replaces the source address of the packet -and calculates the converted address using the prefix specified in the rule. - -Example: - -- Convert the address prefix of a single <span class="title-ref">fc01::/64</span> network to <span class="title-ref">fc00::/64</span> -- Output from <span class="title-ref">eth0</span> network interface - -``` none -set nat66 source rule 1 outbound-interface name 'eth0' -set nat66 source rule 1 source prefix 'fc01::/64' -set nat66 source rule 1 translation address 'fc00::/64' -``` - -#### Destination Prefix - -For the `destination-nat66` rule, the destination address of -the packet isreplaced by the address calculated from the specified -address or prefix in the <span class="title-ref">translation address</span> command - -Example: - -- Convert the address prefix of a single <span class="title-ref">fc00::/64</span> network - to <span class="title-ref">fc01::/64</span> -- Input from <span class="title-ref">eth0</span> network interface - -``` none -set nat66 destination rule 1 inbound-interface name 'eth0' -set nat66 destination rule 1 destination address 'fc00::/64' -set nat66 destination rule 1 translation address 'fc01::/64' -``` - -For the destination, groups can also be used instead of an address. - -Example: - -``` none -set firewall group ipv6-address-group ADR-INSIDE-v6 address fc00::1 - -set nat66 destination rule 1 inbound-interface name 'eth0' -set nat66 destination rule 1 destination group address-group ADR-INSIDE-v6 -set nat66 destination rule 1 translation address 'fc01::/64' -``` - -## Configuration Examples - -Use the following topology to build a nat66 based isolated -network between internal and external networks (dynamic prefix is -not supported): - -<figure> -<img src="/_static/images/vyos_1_4_nat66_simple.webp" alt="VyOS NAT66 Simple Configure" /> -</figure> - -R1: - -``` none -set interfaces ethernet eth0 ipv6 address autoconf -set interfaces ethernet eth1 address 'fc01::1/64' -set nat66 destination rule 1 destination address 'fc00:470:f1cd:101::/64' -set nat66 destination rule 1 inbound-interface name 'eth0' -set nat66 destination rule 1 translation address 'fc01::/64' -set nat66 source rule 1 outbound-interface name 'eth0' -set nat66 source rule 1 source prefix 'fc01::/64' -set nat66 source rule 1 translation address 'fc00:470:f1cd:101::/64' -``` - -R2: - -``` none -set interfaces bridge br1 address 'fc01::2/64' -set interfaces bridge br1 member interface eth0 -set interfaces bridge br1 member interface eth1 -set protocols static route6 ::/0 next-hop fc01::1 -set service router-advert interface br1 prefix ::/0 -``` - -Use the following topology to translate internal user local addresses -(`fc::/7`) to DHCPv6-PD provided prefixes from an ISP connected to -a VyOS HA pair. - -<figure> -<img src="/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.webp" alt="VyOS NAT66 DHCPv6 using a dummy interface" /> -</figure> - -Configure both routers (a and b) for DHCPv6-PD via dummy interface: - -``` none -set interfaces dummy dum1 description 'DHCPv6-PD NPT dummy' -set interfaces bonding bond0 vif 20 dhcpv6-options pd 0 interface dum1 address '0' -set interfaces bonding bond0 vif 20 dhcpv6-options pd 1 interface dum1 address '0' -set interfaces bonding bond0 vif 20 dhcpv6-options pd 2 interface dum1 address '0' -set interfaces bonding bond0 vif 20 dhcpv6-options pd 3 interface dum1 address '0' -set interfaces bonding bond0 vif 20 dhcpv6-options rapid-commit -commit -``` - -Get the DHCPv6-PD prefixes from both routers: - -``` none -trae@cr01a-vyos# run show interfaces dummy dum1 br -Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down -Interface IP Address S/L Description ---------- ---------- --- ----------- -dum1 2001:db8:123:b008::/64 u/u DHCPv6-PD NPT dummy - 2001:db8:123:b00a::/64 - 2001:db8:123:b00b::/64 - 2001:db8:123:b009::/64 - -trae@cr01b-vyos# run show int dummy dum1 brief -Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down -Interface IP Address S/L Description ---------- ---------- --- ----------- -dum1 2001:db8:123:b00d::/64 u/u DHCPv6-PD NPT dummy - 2001:db8:123:b00c::/64 - 2001:db8:123:b00e::/64 - 2001:db8:123:b00f::/64 -``` - -Configure the A-side router for NPTv6 using the prefixes above: - -``` none -set nat66 source rule 10 description 'NPT to VLAN 10' -set nat66 source rule 10 outbound-interface name 'bond0.20' -set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' -set nat66 source rule 10 translation address '2001:db8:123:b008::/64' -set nat66 source rule 20 description 'NPT to VLAN 70' -set nat66 source rule 20 outbound-interface name 'bond0.20' -set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' -set nat66 source rule 20 translation address '2001:db8:123:b009::/64' -set nat66 source rule 30 description 'NPT to VLAN 200' -set nat66 source rule 30 outbound-interface name 'bond0.20' -set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' -set nat66 source rule 30 translation address '2001:db8:123:b00a::/64' -set nat66 source rule 40 description 'NPT to VLAN 240' -set nat66 source rule 40 outbound-interface name 'bond0.20' -set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' -set nat66 source rule 40 translation address '2001:db8:123:b00b::/64' -commit -``` - -Configure the B-side router for NPTv6 using the prefixes above: - -``` none -set nat66 source rule 10 description 'NPT to VLAN 10' -set nat66 source rule 10 outbound-interface name 'bond0.20' -set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' -set nat66 source rule 10 translation address '2001:db8:123:b00c::/64' -set nat66 source rule 20 description 'NPT to VLAN 70' -set nat66 source rule 20 outbound-interface name 'bond0.20' -set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' -set nat66 source rule 20 translation address '2001:db8:123:b00d::/64' -set nat66 source rule 30 description 'NPT to VLAN 200' -set nat66 source rule 30 outbound-interface name 'bond0.20' -set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' -set nat66 source rule 30 translation address '2001:db8:123:b00e::/64' -set nat66 source rule 40 description 'NPT to VLAN 240' -set nat66 source rule 40 outbound-interface name 'bond0.20' -set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' -set nat66 source rule 40 translation address '2001:db8:123:b00f::/64' -commit -``` - -Verify that connections are hitting the rule on both sides: - -``` none -trae@cr01a-vyos# run show nat66 source statistics -Rule Packets Bytes Interface ------- --------- ------- ----------- -10 1 104 bond0.20 -20 1 104 bond0.20 -30 8093 669445 bond0.20 -40 2446 216912 bond0.20 -``` diff --git a/docs/configuration/pki/md-index.md b/docs/configuration/pki/md-index.md deleted file mode 100644 index e7d793de..00000000 --- a/docs/configuration/pki/md-index.md +++ /dev/null @@ -1,583 +0,0 @@ ---- -lastproofread: '2024-01-05' ---- - -```{include} /_include/need_improvement.txt -``` - -(pki)= - -# PKI - -VyOS 1.4 changed the way in how encryption keys or certificates are stored on the -system. In the pre VyOS 1.4 era, certificates got stored under /config and every -service referenced a file. That made copying a running configuration from system -A to system B a bit harder, as you had to copy the files and their permissions -by hand. - -{vytask}`T3642` describes a new CLI subsystem that serves as a "certstore" to -all services requiring any kind of encryption key(s). In short, public and -private certificates are now stored in PKCS#8 format in the regular VyOS CLI. -Keys can now be added, edited, and deleted using the regular set/edit/delete -CLI commands. - -VyOS not only can now manage certificates issued by 3rd party Certificate -Authorities, it can also act as a CA on its own. You can create your own root -CA and sign keys with it by making use of some simple op-mode commands. - -Don't be afraid that you need to re-do your configuration. Key transformation is -handled, as always, by our migration scripts, so this will be a smooth transition -for you! - -## Key Generation - -### Certificate Authority (CA) - -VyOS now also has the ability to create CAs, keys, Diffie-Hellman and other -keypairs from an easy to access operational level command. - -```{opcmd} generate pki ca - -Create a new {abbr}`CA (Certificate Authority)` and output the CAs public and -private key on the console. -``` - -```{opcmd} generate pki ca install \<name\> - -Create a new {abbr}`CA (Certificate Authority)` and output the CAs public and -private key on the console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -```{opcmd} generate pki ca sign \<ca-name\> - -Create a new subordinate {abbr}`CA (Certificate Authority)` and sign it using -the private key referenced by ca-name. -``` - -```{opcmd} generate pki ca sign \<ca-name\> install \<name\> - -Create a new subordinate {abbr}`CA (Certificate Authority)` and sign it using -the private key referenced by `name`. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -### Certificates - -```{opcmd} generate pki certificate - -Create a new public/private keypair and output the certificate on the console. -``` - -```{opcmd} generate pki certificate install \<name\> - -Create a new public/private keypair and output the certificate on the console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -```{opcmd} generate pki certificate self-signed - -Create a new self-signed certificate. The public/private is then shown on the -console. -``` - -```{opcmd} generate pki certificate self-signed install \<name\> - -Create a new self-signed certificate. The public/private is then shown on the -console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -```{opcmd} generate pki certificate sign \<ca-name\> - -Create a new public/private keypair which is signed by the CA referenced by -ca-name. The signed certificate is then output to the console. -``` - -```{opcmd} generate pki certificate sign \<ca-name\> install \<name\> - -Create a new public/private keypair which is signed by the CA referenced by -ca-name. The signed certificate is then output to the console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -### Diffie-Hellman parameters - -```{opcmd} generate pki dh - -Generate a new set of {abbr}`DH (Diffie-Hellman)` parameters. The key size -is requested by the CLI and defaults to 2048 bit. - -The generated parameters are then output to the console. -``` - -```{opcmd} generate pki dh install \<name\> - -Generate a new set of {abbr}`DH (Diffie-Hellman)` parameters. The key size -is requested by the CLI and defaults to 2048 bit. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -### OpenVPN - -```{opcmd} generate pki openvpn shared-secret - -Generate a new OpenVPN shared secret. The generated secret is the output to -the console. -``` - -```{opcmd} generate pki openvpn shared-secret install \<name\> - -Generate a new OpenVPN shared secret. The generated secret is the output to -the console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -### WireGuard - -```{opcmd} generate pki wireguard key-pair - -Generate a new WireGuard public/private key portion and output the result to -the console. -``` - -```{opcmd} generate pki wireguard key-pair install \<interface\> - -Generate a new WireGuard public/private key portion and output the result to -the console. - -:::{note} -In addition to the command above, the output is in a format which can -be used to directly import the key into the VyOS CLI by simply copy-pasting -the output from op-mode into configuration mode. - -``interface`` is used for the VyOS CLI command to identify the WireGuard -interface where this private key is to be used. -::: -``` - -```{opcmd} generate pki wireguard preshared-key - -Generate a WireGuard pre-shared secret used for peers to communicate. -``` - -```{opcmd} generate pki wireguard preshared-key install \<peer\> - -Generate a WireGuard pre-shared secret used for peers to communicate. - -:::{note} -In addition to the command above, the output is in a format which can -be used to directly import the key into the VyOS CLI by simply copy-pasting -the output from op-mode into configuration mode. - -``peer`` is used for the VyOS CLI command to identify the WireGuard peer where -this secret is to be used. -::: -``` - -## Key usage (CLI) -### CA (Certificate Authority) - -```{cfgcmd} set pki ca \<name\> certificate - -Add the public CA certificate for the CA named `name` to the VyOS CLI. - -:::{note} -When loading the certificate you need to manually strip the -``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` tags. -Also, the certificate/key needs to be presented in a single line without -line breaks (``\n``), this can be done using the following shell command: - -``$ tail -n +2 ca.pem | head -n -1 | tr -d '\n'`` -::: -``` - -```{cfgcmd} set pki ca \<name\> crl - -Certificate revocation list in PEM format. -``` - -```{cfgcmd} set pki ca \<name\> description - -A human readable description what this CA is about. -``` - -```{cfgcmd} set pki ca \<name\> private key - -Add the CAs private key to the VyOS CLI. This should never leave the system, -and is only required if you use VyOS as your certificate generator as -mentioned above. - -:::{note} -When loading the certificate you need to manually strip the -``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the -certificate/key needs to be presented in a single line without line -breaks (``\n``), this can be done using the following shell command: - -``$ tail -n +2 ca.key | head -n -1 | tr -d '\n'`` -::: -``` - -```{cfgcmd} set pki ca \<name\> private password-protected - -Mark the CAs private key as password protected. User is asked for the password -when the key is referenced. -``` - -### Server Certificate - -After we have imported the CA certificate(s) we can now import and add -certificates used by services on this router. - -```{cfgcmd} set pki certificate \<name\> certificate - -Add public key portion for the certificate named `name` to the VyOS CLI. - -:::{note} -When loading the certificate you need to manually strip the -``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` tags. -Also, the certificate/key needs to be presented in a single line without -line breaks (``\n``), this can be done using the following shell command: - -``$ tail -n +2 cert.pem | head -n -1 | tr -d '\n'`` -::: -``` - -```{cfgcmd} set pki certificate \<name\> description - -A human readable description what this certificate is about. -``` - -```{cfgcmd} set pki certificate \<name\> private key - -Add the private key portion of this certificate to the CLI. This should never -leave the system as it is used to decrypt the data. - -:::{note} -When loading the certificate you need to manually strip the -``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the -certificate/key needs to be presented in a single line without line -breaks (``\n``), this can be done using the following shell command: - -``$ tail -n +2 cert.key | head -n -1 | tr -d '\n'`` -::: -``` - -```{cfgcmd} set pki certificate \<name\> private password-protected - -Mark the private key as password protected. User is asked for the password -when the key is referenced. -``` - -```{cfgcmd} set pki certificate \<name\> revoke - -If CA is present, this certificate will be included in generated CRLs -``` - -### Import files to PKI format - -VyOS provides this utility to import existing certificates/key files directly -into PKI from op-mode. Previous to VyOS 1.4, certificates were stored under the -/config folder permanently and will be retained post upgrade. - -```{opcmd} import pki ca \<name\> file \<Path to CA certificate file\> - -Import the public CA certificate from the defined file to VyOS CLI. -``` - -```{opcmd} import pki ca \<name\> key-file \<Path to private key file\> - -Import the CAs private key portion to the CLI. This should never leave the -system as it is used to decrypt the data. The key is required if you use -VyOS as your certificate generator. -``` - -```{opcmd} import pki certificate \<name\> file \<path to certificate\> - -Import the certificate from the file to VyOS CLI. -``` - -```{opcmd} import pki certificate \<name\> key-file \<path to private key\> - -Import the private key of the certificate to the VyOS CLI. This should never -leave the system as it is used to decrypt the data. -``` - -```{opcmd} import pki openvpn shared-secret \<name\> file \<path to OpenVPN secret key\> - -Import the OpenVPN shared secret stored in file to the VyOS CLI. -``` - -#### ACME - -The VyOS PKI subsystem can also be used to automatically retrieve Certificates -using the {abbr}`ACME (Automatic Certificate Management Environment)` protocol. - -```{cfgcmd} set pki certificate \<name\> acme domain-name \<name\> - -Domain names to apply, multiple domain-names can be specified. - -This is a mandatory option -``` - -```{cfgcmd} set pki certificate \<name\> acme email \<address\> - -Email used for registration and recovery contact. - -This is a mandatory option -``` - -```{cfgcmd} set pki certificate \<name\> acme listen-address \<address\> - -The address the server listens to during http-01 challenge -``` - -```{cfgcmd} set pki certificate \<name\> acme rsa-key-size \<2048 | 3072 | 4096\> - -Size of the RSA key. - -This options defaults to 2048 -``` - -```{cfgcmd} set pki certificate \<name\> acme url \<url\> - -ACME Directory Resource URI. - -This defaults to https://acme-v02.api.letsencrypt.org/directory - -:::{note} -During initial deployment we recommend using the staging API -of LetsEncrypt to prevent and blacklisting of your system. The API -endpoint is https://acme-staging-v02.api.letsencrypt.org/directory -::: -``` - -## Operation - -VyOS operational mode commands are not only available for generating keys but -also to display them. - -```{opcmd} show pki ca - -Show a list of installed {abbr}`CA (Certificate Authority)` certificates. - -:::{code-block} none -vyos@vyos:~$ show pki ca -Certificate Authorities: -Name Subject Issuer CN Issued Expiry Private Key Parent --------------- ------------------------------------------------------- ----------------- ------------------- ------------------- ------------- -------------- -DST_Root_CA_X3 CN=ISRG Root X1,O=Internet Security Research Group,C=US CN=DST Root CA X3 2021-01-20 19:14:03 2024-09-30 18:14:03 No N/A -R3 CN=R3,O=Let's Encrypt,C=US CN=ISRG Root X1 2020-09-04 00:00:00 2025-09-15 16:00:00 No DST_Root_CA_X3 -vyos_rw CN=VyOS RW CA,O=VyOS,L=Some-City,ST=Some-State,C=GB CN=VyOS RW CA 2021-07-05 13:46:03 2026-07-04 13:46:03 Yes N/A -::: -``` - -```{opcmd} show pki ca \<name\> - -Show only information for specified Certificate Authority. -``` - -```{opcmd} show pki certificate - -Show a list of installed certificates - -:::{code-block} none -vyos@vyos:~$ show pki certificate -Certificates: -Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present ---------- ------ --------------------- ------------- ------------------- ------------------- --------- ------------- ------------- -ac2 Server CN=ac2.vyos.net CN=R3 2021-07-05 07:29:59 2021-10-03 07:29:58 No Yes Yes (R3) -rw_server Server CN=VyOS RW CN=VyOS RW CA 2021-07-05 13:48:02 2022-07-05 13:48:02 No Yes Yes (vyos_rw) -::: -``` - -```{opcmd} show pki certificate \<name\> - -Show only information for specified certificate. -``` - -```{opcmd} show pki crl - -Show a list of installed {abbr}`CRLs (Certificate Revocation List)`. -``` - -```{opcmd} renew certbot - -Manually trigger certificate renewal. This will be done twice a day. -``` - -## Examples - -### Create a CA chain and leaf certificates - -This configuration generates & installs into the VyOS PKI system a root -certificate authority, alongside two intermediary certificate authorities for -client & server certificates. These CAs are then used to generate a server -certificate for the router, and a client certificate for a user. -- `vyos_root_ca` is the root certificate authority. -- `vyos_client_ca` and `vyos_server_ca` are intermediary certificate authorities, - which are signed by the root CA. -- `vyos_cert` is a leaf server certificate used to identify the VyOS router, - signed by the server intermediary CA. -- `vyos_example_user` is a leaf client certificate used to identify a user, - signed by client intermediary CA. - -First, we create the root certificate authority. - -```none -[edit] -vyos@vyos# run generate pki ca install vyos_root_ca -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) VyOS Root CA -Enter how many days certificate will be valid: (Default: 1825) 1825 -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -``` - -Secondly, we create the intermediary certificate authorities, which are used to -sign the leaf certificates. - -```none -[edit] -vyos@vyos# run generate pki ca sign vyos_root_ca install vyos_server_ca -Do you already have a certificate request? [y/N] n -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) VyOS Intermediary Server CA -Enter how many days certificate will be valid: (Default: 1825) 1095 -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - - -[edit] -vyos@vyos# run generate pki ca sign vyos_root_ca install vyos_client_ca -Do you already have a certificate request? [y/N] n -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) VyOS Intermediary Client CA -Enter how many days certificate will be valid: (Default: 1825) 1095 -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -``` - -Lastly, we can create the leaf certificates that devices and users will utilise. - -```none -[edit] -vyos@vyos# run generate pki certificate sign vyos_server_ca install vyos_cert -Do you already have a certificate request? [y/N] n -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) vyos.net -Do you want to configure Subject Alternative Names? [y/N] y -Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net -Enter Subject Alternative Names: dns:vyos.net,dns:www.vyos.net -Enter how many days certificate will be valid: (Default: 365) 365 -Enter certificate type: (client, server) (Default: server) server -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - - -[edit] -vyos@vyos# run generate pki certificate sign vyos_client_ca install vyos_example_user -Do you already have a certificate request? [y/N] n -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) Example User -Do you want to configure Subject Alternative Names? [y/N] y -Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net,rfc822:user@vyos.net -Enter Subject Alternative Names: rfc822:example.user@vyos.net -Enter how many days certificate will be valid: (Default: 365) 365 -Enter certificate type: (client, server) (Default: server) client -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -``` diff --git a/docs/configuration/policy/md-access-list.md b/docs/configuration/policy/md-access-list.md deleted file mode 100644 index c3a92e56..00000000 --- a/docs/configuration/policy/md-access-list.md +++ /dev/null @@ -1,70 +0,0 @@ -# Access List Policy - -Filtering is used for both input and output of the routing information. Once -filtering is defined, it can be applied in any direction. VyOS makes filtering -possible using acls and prefix lists. - -Basic filtering can be done using access-list and access-list6. - -## Configuration - -### Access Lists - -```{cfgcmd} set policy access-list \<acl_number\> - -This command creates the new access list policy, where `<acl_number>` must be -a number from 1 to 2699. -``` - -```{cfgcmd} set policy access-list \<acl_number\> description \<text\> - -Set description for the access list. -``` - -```{cfgcmd} set policy access-list \<acl_number\> rule \<1-65535\> action \<permit|deny\> - -This command creates a new rule in the access list and defines an action. -``` - -```{cfgcmd} set policy access-list \<acl_number\> rule \<1-65535\> \<destination|source\> \<any|host|inverse-mask|network\> - -This command defines matching parameters for access list rule. Matching -criteria could be applied to destination or source parameters: - -* any: any IP address to match. -* host: single host IP address to match. -* inverse-match: network/netmask to match (requires network be defined). -* network: network/netmask to match (requires inverse-match be defined). -``` - - -### IPv6 Access List - -Basic filtering could also be applied to IPv6 traffic. - -```{cfgcmd} set policy access-list6 \<text\> - -This command creates the new IPv6 access list, identified by `<text>` -``` - -```{cfgcmd} set policy access-list6 \<text\> description \<text\> - -Set description for the IPv6 access list. -``` - -```{cfgcmd} set policy access-list6 \<text\> rule \<1-65535\> action \<permit|deny\> - -This command creates a new rule in the IPv6 access list and defines an -action. -``` - -```{cfgcmd} set policy access-list6 \<text\> rule \<1-65535\> source \<any|exact-match|network\> - -This command defines matching parameters for IPv6 access list rule. Matching -criteria could be applied to source parameters: - -* any: any IPv6 address to match. -* exact-match: exact match of the network prefixes. -* network: network/netmask to match (requires inverse-match be defined) BUG, -NO invert-match option in access-list6 -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-as-path-list.md b/docs/configuration/policy/md-as-path-list.md deleted file mode 100644 index 1fcece91..00000000 --- a/docs/configuration/policy/md-as-path-list.md +++ /dev/null @@ -1,29 +0,0 @@ -# BGP - AS Path Policy - -VyOS provides policies commands exclusively for BGP traffic filtering and -manipulation: **as-path-list** is one of them. - -## Configuration - -### policy as-path-list - -```{cfgcmd} set policy as-path-list \<text\> - -Create as-path-policy identified by name `<text>`. -``` -```{cfgcmd} set policy as-path-list \<text\> description \<text\> - -Set description for as-path-list policy. -``` -```{cfgcmd} set policy as-path-list \<text\> rule \<1-65535\> action \<permit|deny\> - -Set action to take on entries matching this rule. -``` -```{cfgcmd} set policy as-path-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule. -``` -```{cfgcmd} set policy as-path-list \<text\> rule \<1-65535\> regex \<text\> - -Regular expression to match against an AS path. For example "64501 64502". -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-community-list.md b/docs/configuration/policy/md-community-list.md deleted file mode 100644 index bdcf4140..00000000 --- a/docs/configuration/policy/md-community-list.md +++ /dev/null @@ -1,29 +0,0 @@ -# BGP - Community List - -VyOS provides policies commands exclusively for BGP traffic filtering and -manipulation: **community-list** is one of them. - -## Configuration - -### policy community-list - -```{cfgcmd} set policy community-list \<text\> - -Creat community-list policy identified by name `<text>`. -``` -```{cfgcmd} set policy community-list \<text\> description \<text\> - -Set description for community-list policy. -``` -```{cfgcmd} set policy community-list \<text\> rule \<1-65535\> action \<permit|deny\> - -Set action to take on entries matching this rule. -``` -```{cfgcmd} set policy community-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule. -``` -```{cfgcmd} set policy community-list \<text\> rule \<1-65535\> regex \<aa:nn|local-AS|no-advertise|no-export|additive\> - -Regular expression to match against a community-list. -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-examples.md b/docs/configuration/policy/md-examples.md deleted file mode 100644 index 29f4aef0..00000000 --- a/docs/configuration/policy/md-examples.md +++ /dev/null @@ -1,208 +0,0 @@ -# BGP Example - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -**Policy definition:** - -``` none -# Create policy -set policy route-map setmet rule 2 action 'permit' -set policy route-map setmet rule 2 set as-path prepend '2 2 2' - -# Apply policy to BGP -set protocols bgp system-as 1 -set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast route-map import 'setmet' -set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast soft-reconfiguration 'inbound' -``` - -Using 'soft-reconfiguration' we get the policy update without bouncing the -neighbor. - -**Routes learned before routing policy applied:** - -``` none -vyos@vos1:~$ show ip bgp -BGP table version is 0, local router ID is 192.168.56.101 -Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, - r RIB-failure, S Stale, R Removed -Origin codes: i - IGP, e - EGP, ? - incomplete - - Network Next Hop Metric LocPrf Weight Path -*> 198.51.100.3/32 203.0.113.2 1 0 2 i < Path - -Total number of prefixes 1 -``` - -**Routes learned after routing policy applied:** - -``` none -vyos@vos1:~$ show ip bgp -BGP table version is 0, local router ID is 192.168.56.101 -Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, - r RIB-failure, S Stale, R Removed -Origin codes: i - IGP, e - EGP, ? - incomplete - - Network Next Hop Metric LocPrf Weight Path -*> 198.51.100.3/32 203.0.113.2 1 0 2 2 2 2 i - -Total number of prefixes 1 -vyos@vos1:~$ -``` - -You now see the longer AS path. - -# Transparent Proxy - -The following example will show how VyOS can be used to redirect web -traffic to an external transparent proxy: - -``` none -set policy route FILTER-WEB rule 1000 destination port 80 -set policy route FILTER-WEB rule 1000 protocol tcp -set policy route FILTER-WEB rule 1000 set table 100 -``` - -This creates a route policy called FILTER-WEB with one rule to set the -routing table for matching traffic (TCP port 80) to table ID 100 -instead of the default routing table. - -To create routing table 100 and add a new default gateway to be used by -traffic matching our route policy: - -``` none -set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2 -``` - -This can be confirmed using the `show ip route table 100` operational -command. - -Finally, to apply the policy route to ingress traffic on our LAN -interface, we use: - -``` none -set policy route FILTER-WEB interface eth1 -``` - -# Multiple Uplinks - -VyOS Policy-Based Routing (PBR) works by matching source IP address -ranges and forwarding the traffic using different routing tables. - -Routing tables that will be used in this example are: - -- `table 10` Routing table used for VLAN 10 (192.168.188.0/24) -- `table 11` Routing table used for VLAN 11 (192.168.189.0/24) -- `main` Routing table used by VyOS and other interfaces not - participating in PBR - -<figure> -<img src="/_static/images/pbr_example_1.webp" alt="PBR multiple uplinks" /> -<figcaption>Policy-Based Routing with multiple ISP uplinks -(source ./draw.io/pbr_example_1.drawio)</figcaption> -</figure> - -Add default routes for routing `table 10` and `table 11` - -``` none -set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.2.1 -set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2 -``` - -Add policy route matching VLAN source addresses - -``` none -set policy route PBR rule 20 set table '10' -set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10' -set policy route PBR rule 20 source address '192.168.188.0/24' - -set policy route PBR rule 30 set table '11' -set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11' -set policy route PBR rule 30 source address '192.168.189.0/24' -``` - -Apply routing policy to **inbound** direction of out VLAN interfaces - -``` none -set policy route 'PBR' interface eth0.10 -set policy route 'PBR' interface eth0.11 -``` - -**OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) -from PBR - -``` none -set firewall group network-group VLANS-GR description 'VLANs networks' -set firewall group network-group VLANS-GR network '192.168.188.0/24' -set firewall group network-group VLANS-GR network '192.168.189.0/24' - -set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut' -set policy route PBR rule 10 destination group network-group 'VLANS-GR' -set policy route PBR rule 10 set table 'main' -``` - -These commands allow the VLAN10 and VLAN11 hosts to communicate with -each other using the main routing table. - -## Local route - -The following example allows VyOS to use `PBR (Policy-Based Routing)` -for traffic, which originated from the router itself. That solution for multiple -ISP's and VyOS router will respond from the same interface that the packet was -received. Also, it used, if we want that one VPN tunnel to be through one -provider, and the second through another. - -- `203.0.113.254` IP addreess on VyOS eth1 from ISP1 -- `192.168.2.254` IP addreess on VyOS eth2 from ISP2 -- `table 10` Routing table used for ISP1 -- `table 11` Routing table used for ISP2 - -``` none -set policy local-route rule 101 set table '10' -set policy local-route rule 101 source address '203.0.113.254' -set policy local-route rule 102 set table '11' -set policy local-route rule 102 source address '192.0.2.254' -set protocols static table 10 route 0.0.0.0/0 next-hop '203.0.113.1' -set protocols static table 11 route 0.0.0.0/0 next-hop '192.0.2.2' -``` - -Add multiple source IP in one rule with same priority - -``` none -set policy local-route rule 101 set table '10' -set policy local-route rule 101 source address '203.0.113.254' -set policy local-route rule 101 source address '203.0.113.253' -set policy local-route rule 101 source address '198.51.100.0/24' -``` - -# Clamp MSS for a specific IP - -This example shows how to target an MSS clamp (in our example to 1360 bytes) -to a specific destination IP. - -``` none -set policy route IP-MSS-CLAMP rule 10 description 'Clamp TCP session MSS to 1360 for 198.51.100.30' -set policy route IP-MSS-CLAMP rule 10 destination address '198.51.100.30/32' -set policy route IP-MSS-CLAMP rule 10 protocol 'tcp' -set policy route IP-MSS-CLAMP rule 10 set tcp-mss '1360' -set policy route IP-MSS-CLAMP rule 10 tcp flags 'SYN' -``` - -To apply this policy to the correct interface, configure it on the -interface the inbound local host will send through to reach our -destined target host (in our example eth1). - -``` none -set policy route IP-MSS-CLAMP interface eth1 -``` - -You can view that the policy is being correctly (or incorrectly) utilised -with the following command: - -``` none -show policy route statistics -``` diff --git a/docs/configuration/policy/md-extcommunity-list.md b/docs/configuration/policy/md-extcommunity-list.md deleted file mode 100644 index 5247c13c..00000000 --- a/docs/configuration/policy/md-extcommunity-list.md +++ /dev/null @@ -1,33 +0,0 @@ -# BGP - Extended Community List - -VyOS provides policies commands exclusively for BGP traffic filtering and -manipulation: **extcommunity-list** is one of them. - -## Configuration - -### policy extcommunity-list - -```{cfgcmd} set policy extcommunity-list \<text\> - -Creat extcommunity-list policy identified by name \<text\>. -``` -```{cfgcmd} set policy extcommunity-list \<text\> description \<text\> - -Set description for extcommunity-list policy. -``` -```{cfgcmd} set policy extcommunity-list \<text\> rule \<1-65535\> action \<permit|deny\> - -Set action to take on entries matching this rule. -``` -```{cfgcmd} set policy extcommunity-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule. -``` -```{cfgcmd} set policy extcommunity-list \<text\> rule \<1-65535\> regex \<text\> - -Regular expression to match against an extended community list, where text -could be: -* \<aa:nn:nn\>: Extended community list regular expression. -* \<rt aa:nn:nn\>: Route Target regular expression. -* \<soo aa:nn:nn\>: Site of Origin regular expression. -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-index.md b/docs/configuration/policy/md-index.md deleted file mode 100644 index bbf49780..00000000 --- a/docs/configuration/policy/md-index.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -lastproofread: '2021-07-12' ---- - -```{include} /_include/need_improvement.txt -``` - -# Policy - -Policies are used for filtering and traffic management. With policies, network -administrators could filter and treat traffic -according to their needs. - -There could be a wide range of routing policies. Some examples are listed -below: - -- Filter traffic based on source/destination address. -- Set some metric to routes learned from a particular neighbor. -- Set some attributes (like AS PATH or Community value) to advertised routes - to neighbors. -- Prefer a specific routing protocol routes over another routing protocol - running on the same router. - -Policies, in VyOS, are implemented using FRR filtering and route maps. Detailed -information of FRR could be found in <http://docs.frrouting.org/> - -## Policy Sections - -```{eval-rst} -.. toctree:: - :maxdepth: 1 - :includehidden: - - access-list - prefix-list - route - route-map - local-route - as-path-list - community-list - extcommunity-list - large-community-list -``` - -## Examples - -Examples of policies usage: - -```{eval-rst} -.. toctree:: - :maxdepth: 1 - :includehidden: - - examples -``` diff --git a/docs/configuration/policy/md-large-community-list.md b/docs/configuration/policy/md-large-community-list.md deleted file mode 100644 index 23b9a85a..00000000 --- a/docs/configuration/policy/md-large-community-list.md +++ /dev/null @@ -1,29 +0,0 @@ -# BGP - Large Community List - -VyOS provides policies commands exclusively for BGP traffic filtering and -manipulation: **large-community-list** is one of them. - -## Configuration - -### policy large-community-list - -```{cfgcmd} set policy large-community-list \<text\> - -Create large-community-list policy identified by name `<text>`. -``` -```{cfgcmd} set policy large-community-list \<text\> description \<text\> - -Set description for large-community-list policy. -``` -```{cfgcmd} set policy large-community-list \<text\> rule \<1-65535\> action \<permit|deny\> - -Set action to take on entries matching this rule. -``` -```{cfgcmd} set policy large-community-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule. -``` -```{cfgcmd} set policy large-community-list \<text\> rule \<1-65535\> regex \<aa:nn:nn\> - -Regular expression to match against a large community list. -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-local-route.md b/docs/configuration/policy/md-local-route.md deleted file mode 100644 index 527a2380..00000000 --- a/docs/configuration/policy/md-local-route.md +++ /dev/null @@ -1,100 +0,0 @@ -# Local Route Policy - -Policies for local traffic are defined in this section. - -## Configuration - -### Local Route IPv4 - -```{cfgcmd} set policy local-route rule \<1-32765\> set table \<1-200|main\> - -Set the routing table to use for forwarding matching packets. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> set vrf \<vrf|default\> - -Set the VRF to use for forwarding matching packets. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> protocol \<protocol\> - -Match specified protocol (name or number). -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> fwmark \<1-2147483647\> - -Match specified firewall mark (fwmark). -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> source address \<x.x.x.x|x.x.x.x/x\> - -Match specified source address or prefix. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> source port \<1-65535\> - -Match specified source port. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> destination address \<x.x.x.x|x.x.x.x/x\> - -Match specified destination address or prefix. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> destination port \<1-65535\> - -Match specified destination port. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> inbound-interface \<interface\> - -Match specified inbound interface. -``` - - -### Local Route IPv6 - -```{cfgcmd} set policy local-route6 rule \<1-32765\> set table \<1-200|main\> - -Set the routing table to use for forwarding matching packets. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> set vrf \<vrf|default\> - -Set the VRF to use for forwarding matching packets. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> protocol \<protocol\> - -Match specified protocol (name or number). -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> fwmark \<1-2147483647\> - -Match specified firewall mark (fwmark). -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> source address \<h:h:h:h:h:h:h:h|h:h:h:h:h:h:h:h/x\> - -Match specified source address or prefix. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> source port \<1-65535\> - -Match specified source port. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> destination address \<h:h:h:h:h:h:h:h|h:h:h:h:h:h:h:h/x\> - -Match specified destination address or prefix. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> destination port \<1-65535\> - -Match specified destination port. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> inbound-interface \<interface\> - -Match specified inbound interface. -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-prefix-list.md b/docs/configuration/policy/md-prefix-list.md deleted file mode 100644 index eb827c77..00000000 --- a/docs/configuration/policy/md-prefix-list.md +++ /dev/null @@ -1,152 +0,0 @@ -# Prefix List Policy - -Prefix lists provides the most powerful prefix based filtering mechanism. In -addition to access-list functionality, ip prefix-list has prefix length range -specification. - -If no ip prefix list is specified, it acts as permit. If ip prefix list is -defined, and no match is found, default deny is applied. - -Prefix filtering can be done using prefix-list and prefix-list6. - -## Configuration - -### IPv4 Prefix Lists (prefix-list) - -```{cfgcmd} set policy prefix-list \<text\> - -This command creates the new prefix-list policy, identified by `<text>`. -``` - -```{cfgcmd} set policy prefix-list \<text\> description \<text\> - -Set description for the prefix-list policy. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> action \<permit|deny\> - -This command creates a new rule in the prefix-list and defines an action. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule in the prefix-list. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> prefix \<x.x.x.x/x\> - -Prefix to match against. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> ge \<0-32\> - -Netmask greater than length. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> le \<0-32\> - -Netmask less than length -``` - - -### Example: IPv4 Prefix Lists (prefix-list) - -This example creates an IPv4 prefix-list named PL4-EXAMPLE-NAME, defines 3 -rules each with 1 prefix, and matches le (less than/equal to) /32. - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 10 action 'permit' - -``` -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 10 le '32' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 10 prefix '192.0.2.0/24' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 20 action 'permit' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 20 le '32' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 20 prefix '198.51.100.0/24' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 30 action 'permit' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 30 le '32' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 30 prefix '203.0.113.0/24' -``` - -### IPv6 Prefix Lists (prefix-list6) - -```{cfgcmd} set policy prefix-list6 \<text\> - -This command creates the new IPv6 prefix-list policy, identified by `<text>`. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> description \<text\> - -Set description for the IPv6 prefix-list policy. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> action \<permit|deny\> - -This command creates a new rule in the IPv6 prefix-list and defines an -action. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> description \<text\> - -Set description for rule in IPv6 prefix-list. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> prefix \<h:h:h:h:h:h:h:h/x\> - -IPv6 prefix. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> ge \<0-128\> - -Netmask greater than length. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> le \<0-128\> - -Netmask less than length -``` - -### Example: IPv6 Prefix Lists (prefix-list6) - -This example creates an IPv6 prefix-list6 named PL6-EXAMPLE-NAME, defines 3 -rules each with 1 prefix, and matches le (less than/equal to) /128. - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 10 action 'permit' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 10 le '128' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 10 prefix '2001:db8:0:0::/64' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 20 action 'permit' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 20 le '128' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 20 prefix '2001:db8:0:1::/64' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 30 action 'permit' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 30 le '128' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 30 prefix '2001:db8:0:2::/64' -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-route-map.md b/docs/configuration/policy/md-route-map.md deleted file mode 100644 index 624b542c..00000000 --- a/docs/configuration/policy/md-route-map.md +++ /dev/null @@ -1,439 +0,0 @@ -# Route Map Policy - -Route map is a powerfull command, that gives network administrators a very -useful and flexible tool for traffic manipulation. - -## Configuration - -### Route Map - -```{cfgcmd} set policy route-map \<text\> - - This command creates a new route-map policy, identified by \<text\>. -``` - - -```{cfgcmd} set policy route-map \<text\> description \<text\> - -Set description for the route-map policy. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> action \<permit|deny\> - -Set action for the route-map policy. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> call \<text\> - -Call another route-map policy on match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> continue \<1-65535\> - -Jump to a different rule in this route-map on a match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> description \<text\> - -Set description for the rule in the route-map policy. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match as-path \<text\> - -BGP as-path list to match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match community community-list \<text\> - -BGP community-list to match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match community exact-match - -Set BGP community-list to exactly match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match extcommunity \<text\> - -BGP extended community to match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match interface \<text\> - -First hop interface of a route to match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip address access-list \<1-2699\> - -IP address of route to match, based on access-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip address prefix-list \<text\> - -IP address of route to match, based on prefix-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip address prefix-len \<0-32\> - -IP address of route to match, based on specified prefix-length. -Note that this can be used for kernel routes only. -Do not apply to the routes of dynamic routing protocols (e.g. BGP, -RIP, OSFP), as this can lead to unexpected results.. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip nexthop access-list \<1-2699\> - -IP next-hop of route to match, based on access-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip nexthop address \<x.x.x.x\> - -IP next-hop of route to match, based on ip address. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip nexthop prefix-len \<0-32\> - -IP next-hop of route to match, based on prefix length. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip nexthop prefix-list \<text\> - -IP next-hop of route to match, based on prefix-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip nexthop type \<blackhole\> - -IP next-hop of route to match, based on type. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip route-source access-list \<1-2699\> - -IP route source of route to match, based on access-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ip route-source prefix-list \<text\> - -IP route source of route to match, based on prefix-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ipv6 address access-list \<text\> - -IPv6 address of route to match, based on IPv6 access-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ipv6 address prefix-list \<text\> - -IPv6 address of route to match, based on IPv6 prefix-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ipv6 address prefix-len \<0-128\> - -IPv6 address of route to match, based on specified prefix-length. -Note that this can be used for kernel routes only. -Do not apply to the routes of dynamic routing protocols (e.g. BGP, -RIP, OSFP), as this can lead to unexpected results.. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match ipv6 nexthop \<h:h:h:h:h:h:h:h\> - -Nexthop IPv6 address to match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match large-community large-community-list \<text\> - -Match BGP large communities. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match local-preference \<0-4294967295\> - -Match local preference. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match metric \<1-65535\> - -Match route metric. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match origin \<egp|igp|incomplete\> - -Boarder Gateway Protocol (BGP) origin code to match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match peer \<x.x.x.x\> - -Peer IP address to match. -``` - - -````{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match protocol \<protocol\> - -```{eval-rst} -Source protocol to match. - * ``babel`` - Babel routing protocol (Babel) - * ``bgp`` - Border Gateway Protocol (BGP) - * ``connected`` - Connected routes (directly attached subnet or host) - * ``isis`` - Intermediate System to Intermediate System (IS-IS) - * ``kernel`` - Kernel routes - * ``ospf`` - Open Shortest Path First (OSPFv2) - * ``ospfv3`` - Open Shortest Path First (IPv6) (OSPFv3) - * ``rip`` - Routing Information Protocol (RIP) - * ``ripng`` - Routing Information Protocol next-generation (IPv6) (RIPng) - * ``static`` - Statically configured routes - * ``table`` - Non-main Kernel Routing Table - * ``vnc`` - Virtual Network Control (VNC) -``` -```` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match rpki \<invalid|notfound|valid\> - -Match RPKI validation result. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match source-vrf \<text\> - -Source VRF to match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> match tag \<1-65535\> - -Route tag to match. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> on-match goto \<1-65535\> - -Exit policy on match: go to rule <1-65535> -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> on-match next - -Exit policy on match: go to next sequence number. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set aggregator \<as|ip\> \<1-4294967295|x.x.x.x\> - -BGP aggregator attribute: AS number or IP address of an aggregation. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set as-path exclude \<1-4294967295 | all\> - -Drop AS-NUMBER from the BGP AS path. - -If ``all`` is specified, remove all AS numbers from the AS_PATH of the BGP -path's NLRI. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set as-path prepend \<1-4294967295\> - -Prepend the given string of AS numbers to the AS_PATH of the BGP path's NLRI. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set as-path prepend-last-as \<n\> - -Prepend the existing last AS number (the leftmost ASN) to the AS_PATH. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set atomic-aggregate - -BGP atomic aggregate attribute. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set community \<add|replace\> \<community\> - -Add or replace BGP community attribute in format ``<0-65535:0-65535>`` -or from well-known community list -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set community none - -Delete all BGP communities -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set community delete \<text\> - -Delete BGP communities matching the community-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set large-community \<add|replace\> \<GA:LDP1:LDP2\> - -Add or replace BGP large-community attribute in format -``<0-4294967295:0-4294967295:0-4294967295>`` -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set large-community none - -Delete all BGP large-communities -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set large-community delete \<text\> - -Delete BGP communities matching the large-community-list. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set extcommunity bandwidth \<1-25600|cumulative|num-multipaths\> - -Set extcommunity bandwidth -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set extcommunity bandwidth-non-transitive - -The link bandwidth extended community is encoded as non-transitive -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set extcommunity rt \<text\> - -Set route target value in format ``<0-65535:0-4294967295>`` or ``<IP:0-65535>``. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set extcommunity soo \<text\> - -Set site of origin value in format ``<0-65535:0-4294967295>`` or ``<IP:0-65535>``. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set extcommunity none - -Clear all BGP extcommunities. -``` - - -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set distance \<0-255\> - -Locally significant administrative distance. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set ip-next-hop \<x.x.x.x\> - -Nexthop IP address. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set ip-next-hop unchanged - -Set the next-hop as unchanged. Pass through the route-map without -changing its value -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set ip-next-hop peer-address - -Set the BGP nexthop address to the address of the peer. For an incoming -route-map this means the ip address of our peer is used. For an -outgoing route-map this means the ip address of our self is used to -establish the peering with our neighbor. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set ipv6-next-hop \<global|local\> \<h:h:h:h:h:h:h:h\> - -Nexthop IPv6 address. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set ipv6-next-hop peer-address - -Set the BGP nexthop address to the address of the peer. For an incoming -route-map this means the ip address of our peer is used. For an -outgoing route-map this means the ip address of our self is used to -establish the peering with our neighbor. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set ipv6-next-hop prefer-global - -For Incoming and Import Route-maps if we receive a v6 global and v6 LL -address for the route, then prefer to use the global address as the -nexthop. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set local-preference \<0-4294967295\> - -Set BGP local preference attribute. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set metric \<+/-metric|0-4294967295|rtt|+rtt|-rtt\> - -Set the route metric. When used with BGP, set the BGP attribute MED -to a specific value. Use ``+/-`` to add or subtract the specified value -to/from the existing/MED. Use ``rtt`` to set the MED to the round trip -time or ``+rtt/-rtt`` to add/subtract the round trip time to/from the MED. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set metric-type \<type-1|type-2\> - -Set OSPF external metric-type. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set origin \<igp|egp|incomplete\> - -Set BGP origin code. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set originator-id \<x.x.x.x\> - -Set BGP originator ID attribute. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set src \<x.x.x.x|h:h:h:h:h:h:h:h\> - -Set source IP/IPv6 address for route. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set table \<1-200\> - -Set prefixes to table. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set tag \<1-65535\> - -Set tag value for routing protocol. -``` -```{cfgcmd} set policy route-map \<text\> rule \<1-65535\> set weight \<0-4294967295\> - -Set BGP weight attribute -``` - -### List of well-known communities - -> - `local-as` - Well-known communities value NO_EXPORT_SUBCONFED 0xFFFFFF03 -> - `no-advertise` - Well-known communities value NO_ADVERTISE 0xFFFFFF02 -> - `no-export` - Well-known communities value NO_EXPORT 0xFFFFFF01 -> - `graceful-shutdown` - Well-known communities value GRACEFUL_SHUTDOWN 0xFFFF0000 -> - `accept-own` - Well-known communities value ACCEPT_OWN 0xFFFF0001 -> - `route-filter-translated-v4` - Well-known communities value ROUTE_FILTER_TRANSLATED_v4 0xFFFF0002 -> - `route-filter-v4` - Well-known communities value ROUTE_FILTER_v4 0xFFFF0003 -> - `route-filter-translated-v6` - Well-known communities value ROUTE_FILTER_TRANSLATED_v6 0xFFFF0004 -> - `route-filter-v6` - Well-known communities value ROUTE_FILTER_v6 0xFFFF0005 -> - `llgr-stale` - Well-known communities value LLGR_STALE 0xFFFF0006 -> - `no-llgr` - Well-known communities value NO_LLGR 0xFFFF0007 -> - `accept-own-nexthop` - Well-known communities value accept-own-nexthop 0xFFFF0008 -> - `blackhole` - Well-known communities value BLACKHOLE 0xFFFF029A -> - `no-peer` - Well-known communities value NOPEER 0xFFFFFF04 diff --git a/docs/configuration/policy/md-route.md b/docs/configuration/policy/md-route.md deleted file mode 100644 index 828bd0f1..00000000 --- a/docs/configuration/policy/md-route.md +++ /dev/null @@ -1,424 +0,0 @@ -# Route and Route6 Policy - -IPv4 route and IPv6 route policies are defined in this section. These route -policies can then be associated to interfaces. - -## Rule-Sets - -A rule-set is a named collection of rules that can be applied to an interface. -Each rule is numbered, has an action to apply if the rule is matched, and the -ability to specify the criteria to match. Data packets go through the rules -from 1 - 999999, at the first match the action of the rule will be executed. - -```{cfgcmd} set policy route \<name\> description \<text\> - -``` -```{cfgcmd} set policy route6 \<name\> description \<text\> - -Provide a rule-set description. -``` - -```{cfgcmd} set policy route \<name\> default-log -``` - -```{cfgcmd} set policy route6 \<name\> default-log - -Option to log packets hitting default-action. -``` - -```{cfgcmd} set policy route \<name\> interface \<interface\> -``` - -```{cfgcmd} set policy route6 \<name\> interface \<interface\> - -Apply routing policy to interface -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> description \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> description \<text\> - -Provide a description for each rule. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> log \<enable|disable\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> log \<enable|disable\> - -Option to enable or disable log matching rule. -``` - -### Matching criteria - -There are a lot of matching criteria options available, both for -`policy route` and `policy route6`. These options are listed -in this section. - -```{cfgcmd} set policy route \<name\> rule \<n\> connection-mark \<1-2147483647\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> connection-mark \<1-2147483647\> - -Set match criteria based on connection mark. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> mark \<match_criteria\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> mark \<match_criteria\> - -Match based on the firewall mark (fwmark), where \<match_criteria\> can be: - * \<0-2147483647\> a single fwmark - * !\<0-2147483647\> everything except a single fwmark - * <start-end> a range of marks - * !<start-end> everything except the range of marks - -:::{note} -When using the ``set table`` or ``set vrf`` commands the mark -settings are ignored and overwritten with a table-specific mark that -is set to 0x7FFFFFFF - the id of the table/VRF. -::: -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> source address \<match_criteria\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> destination address \<match_criteria\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> source address \<match_criteria\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> destination address \<match_criteria\> - -Set match criteria based on source or destination ipv4|ipv6 address, where -<match_criteria> could be: -``` - -For ipv4: -: - \<x.x.x.x>: IP address to match. - - \<x.x.x.x/x>: Subnet to match. - - \<x.x.x.x>-\<x.x.x.x>: IP range to match. - - !\<x.x.x.x>: Match everything except the specified address. - - !\<x.x.x.x/x>: Match everything except the specified subnet. - - !\<x.x.x.x>-\<x.x.x.x>: Match everything except the specified range. - -And for ipv6: -: - \<h:h:h:h:h:h:h:h>: IPv6 address to match. - - \<h:h:h:h:h:h:h:h/x>: IPv6 prefix to match. - - \<h:h:h:h:h:h:h:h>-\<h:h:h:h:h:h:h:h>: IPv6 range to match. - - !\<h:h:h:h:h:h:h:h>: Match everything except the specified address. - - !\<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix. - - !\<h:h:h:h:h:h:h:h>-\<h:h:h:h:h:h:h:h>: Match everything except the - specified range. - -```{cfgcmd} set policy route \<name\> rule \<n\> source group \<address-group|domain-group|mac-group|network-group|port-group\> \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> destination group \<address-group|domain-group|mac-group|network-group|port-group\> \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> source group \<address-group|domain-group|mac-group|network-group|port-group\> \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> destination group \<address-group|domain-group|mac-group|network-group|port-group\> \<text\> - -Set match criteria based on source or destination groups, where <text> -would be the group name/identifier. Prepend character '!' for inverted -matching criteria. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> destination port \<match_criteria\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> destination port \<match_criteria\> - -Set match criteria based on destination port, where \<match_criteria\> could -be: -* <port name>: Named port (any name in /etc/services, e.g., http). -* \<1-65535\>: Numbered port. -* <start>-<end>: Numbered port range (e.g., 1001-1005). - -Multiple destination ports can be specified as a comma-separated list. The -whole list can also be "negated" using '!'. For example: -'!22,telnet,http,123,1001-1005' -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> disable -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> disable - -Option to disable rule. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> dscp \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> dscp \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> dscp-exclude \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> dscp-exclude \<text\> - -Match based on dscp value criteria. Multiple values from 0 to 63 -and ranges are supported. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> fragment \<match-grag|match-non-frag\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> fragment \<match-grag|match-non-frag\> - -Set IP fragment match, where: -* match-frag: Second and further fragments of fragmented packets. -* match-non-frag: Head fragments or unfragmented packets. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> icmp \<code | type\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> icmpv6 \<code | type\> - -Match based on icmp|icmpv6 code and type. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> icmp type-name \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> icmpv6 type-name \<text\> - -Match based on icmp|icmpv6 type-name criteria. Use tab for information -about what type-name criteria are supported. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> ipsec \<match-ipsec|match-none\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> ipsec \<match-ipsec|match-none\> - -Set IPSec inbound match criterias, where: -* match-ipsec: match inbound IPsec packets. -* match-none: match inbound non-IPsec packets. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> limit burst \<0-4294967295\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> limit burst \<0-4294967295\> - -Set maximum number of packets to alow in excess of rate. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> limit rate \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> limit rate \<text\> - -Set maximum average matching rate. Format for rate: integer/time_unit, where -time_unit could be any one of second, minute, hour or day.For example -1/second implies rule to be matched at an average of once per second. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> protocol \<text | 0-255 | tcp_udp | all \> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> protocol \<text | 0-255 | tcp_udp | all \> - -Match a protocol criteria. A protocol number or a name which is defined in: -``/etc/protocols``. Special names are ``all`` for all protocols and -``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected -protocol. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> packet-length \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> packet-length \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> packet-length-exclude \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> packet-length-exclude \<text\> - -Match based on packet length criteria. Multiple values from 1 to 65535 -and ranges are supported. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> packet-type \[broadcast | host | multicast | other\] -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> packet-type \[broadcast | host | multicast | other\] - -Match based on packet type criteria. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> recent count \<1-255\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> recent count \<1-255\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> recent time \<1-4294967295\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> recent time \<1-4294967295\> - -Set parameters for matching recently seen sources. This match could be used -by seeting count (source address seen more than <1-255> times) and/or time -(source address seen in the last <0-4294967295> seconds). -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> state \<established | invalid | new | related\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> state \<established | invalid | new | related\> - -Set match criteria based on session state. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> tcp flags \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> tcp flags \<text\> - -Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK -FIN RST URG PSH ALL. When specifying more than one flag, flags should be -comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match -packets with the SYN flag set, and the ACK, FIN and RST flags unset. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time monthdays \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time monthdays \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time startdate \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time startdate \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time starttime \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time starttime \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time stopdate \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time stopdate \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time stoptime \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time stoptime \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time weekdays \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time weekdays \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time utc -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time utc - -Time to match the defined rule. -``` - -```{cfgcmd} set policy route rule \<n\> ttl \<eq | gt | lt\> \<0-255\> - -Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for -'greater than', and 'lt' stands for 'less than'. -``` - -```{cfgcmd} set policy route6 rule \<n\> hop-limit \<eq | gt | lt\> \<0-255\> - -Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for -'greater than', and 'lt' stands for 'less than'. -``` - -### Actions - -When mathcing all patterns defined in a rule, then different actions can -be made. This includes droping the packet, modifying certain data, or -setting a different routing table. - -```{cfgcmd} set policy route \<name\> rule \<n\> action drop -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> action drop - -Set rule action to drop. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set connection-mark \<1-2147483647\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set connection-mark \<1-2147483647\> - -Set a specific connection mark. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set dscp \<0-63\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set dscp \<0-63\> - -Set packet modifications: Packet Differentiated Services Codepoint (DSCP) -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set mark \<1-2147483647\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set mark \<1-2147483647\> - -Set a specific packet mark. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set table \<main | 1-200\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set table \<main | 1-200\> - -Set the routing table to forward packet with. - -:::{note} -When using the ``set table`` or ``set vrf`` commands matching -against the mark is not possible, because it gets overwritten with a -table-specific mark that is 0x7FFFFFFF - the id of the table/VRF. -::: -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set tcp-mss \<500-1460\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set tcp-mss \<500-1460\> - -Set packet modifications: Explicitly set TCP Maximum segment size value. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set vrf \<default | text \> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set vrf \<default | text \> - -Set the VRF to forward packet with. - -:::{note} -When using the ``set table`` or ``set vrf`` commands matching -against the mark is not possible, because it gets overwritten with a -table-specific mark that is 0x7FFFFFFF - the id of the table/VRF. -::: -```
\ No newline at end of file diff --git a/docs/configuration/protocols/md-arp.md b/docs/configuration/protocols/md-arp.md deleted file mode 100644 index 618d5bf3..00000000 --- a/docs/configuration/protocols/md-arp.md +++ /dev/null @@ -1,55 +0,0 @@ -(routing-static-arp)= - -# ARP - -{abbr}`ARP (Address Resolution Protocol)` is a communication protocol used for -discovering the link layer address, such as a MAC address, associated with a -given internet layer address, typically an IPv4 address. This mapping is a -critical function in the Internet protocol suite. ARP was defined in 1982 by -{rfc}`826` which is Internet Standard STD 37. - -In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is -provided by the Neighbor Discovery Protocol (NDP). - -To manipulate or display [ARP] table entries, the following commands are -implemented. - -## Configure - -```{cfgcmd} set protocols static arp interface \<interface\> address \<host\> mac \<mac\> - -This will configure a static ARP entry always resolving `<address>` to -`<mac>` for interface `<interface>`. - -Example: - -:::{code-block} none -set protocols static arp interface eth0 address 192.0.2.1 mac 01:23:45:67:89:01 -::: -``` - -## Operation - -```{opcmd} show protocols static arp - -Display all known ARP table entries spanning across all interfaces -``` -```none -vyos@vyos:~$ show protocols static arp -Address HWtype HWaddress Flags Mask Iface -10.1.1.1 ether 00:53:00:de:23:2e C eth1 -10.1.1.100 ether 00:53:00:de:23:aa CM eth1 -``` - -```{opcmd} show protocols static arp interface eth1 - -Display all known ARP table entries on a given interface only (`eth1`): -``` -```none -vyos@vyos:~$ show protocols static arp interface eth1 -Address HWtype HWaddress Flags Mask Iface -10.1.1.1 ether 00:53:00:de:23:2e C eth1 -10.1.1.100 ether 00:53:00:de:23:aa CM eth1 -``` - -[arp]: <https://en.wikipedia.org/wiki/Address_Resolution_Protocol> diff --git a/docs/configuration/protocols/md-babel.md b/docs/configuration/protocols/md-babel.md deleted file mode 100644 index 72f7fa67..00000000 --- a/docs/configuration/protocols/md-babel.md +++ /dev/null @@ -1,214 +0,0 @@ -(babel)= - -# Babel - -Babel is a modern routing protocol designed to be robust and efficient -both in ordinary wired networks and in wireless mesh networks. -By default, it uses hop-count on wired networks and a variant of ETX -on wireless links, It can be configured to take radio diversity into account -and to automatically compute a link's latency and include it in the metric. -It is defined in {rfc}`8966`. - -Babel a dual stack protocol. -A single Babel instance is able to perform routing for both IPv4 and IPv6. - -## General Configuration - -VyOS does not have a special command to start the Babel process. -The Babel process starts when the first Babel enabled interface is configured. - -```{cfgcmd} set protocols babel interface \<interface\> -This command specifies a Babel enabled interface by interface name. Both -the sending and receiving of Babel packets will be enabled on the interface -specified in this command. -``` - -## Optional Configuration - -```{cfgcmd} set protocols babel parameters diversity -This command enables routing using radio frequency diversity. -This is highly recommended in networks with many wireless nodes. - -:::{note} -If you enable this, you will probably want to -set diversity-factor and channel below. -::: -``` - - -```{cfgcmd} set protocols babel parameters diversity-factor \<1-256\> -This command sets the multiplicative factor used for diversity routing, -in units of 1/256; lower values cause diversity to play a more important role -in route selection. -The default it 256, which means that diversity plays no role in route -selection; you will probably want to set that to 128 or less on nodes -with multiple independent radios. -``` - - -```{cfgcmd} set protocols babel parameters resend-delay \<milliseconds\> -This command specifies the time in milliseconds after which an 'important' -request or update will be resent. The default is 2000 ms. -``` - - -```{cfgcmd} set protocols babel parameters smoothing-half-life \<seconds\> -This command specifies the time constant, in seconds, of the smoothing -algorithm used for implementing hysteresis. -Larger values reduce route oscillation at the cost of very slightly increasing -convergence time. The value 0 disables hysteresis, and is suitable for wired -networks. The default is 4 s. -``` - -## Interfaces Configuration - -```{cfgcmd} set protocols babel interface \<interface\> type \<auto|wired|wireless\> -This command sets the interface type: - -**auto** – automatically determines the interface type. -**wired** – enables optimisations for wired interfaces. -**wireless** – disables a number of optimisations that are only correct -on wired interfaces. Specifying wireless is always correct, -but may cause slower convergence and extra routing traffic. -``` - - -```{cfgcmd} set protocols babel interface \<interface\> split-horizon \<default|disable|enable\> -This command specifies whether to perform split-horizon on the interface. -Specifying no babel split-horizon is always correct, while babel split-horizon -is an optimisation that should only be used on symmetric -and transitive (wired) networks. - -**default** – enable split-horizon on wired interfaces, and disable -split-horizon on wireless interfaces. -**enable** – enable split-horizon on this interfaces. -**disable** – disable split-horizon on this interfaces. -``` - - -```{cfgcmd} set protocols babel interface \<interface\> hello-interval \<milliseconds\> -This command specifies the time in milliseconds between two scheduled hellos. -On wired links, Babel notices a link failure within two hello intervals; -on wireless links, the link quality value is reestimated at every hello -interval. -The default is 4000 ms. -``` - - -```{cfgcmd} set protocols babel interface \<interface\> update-interval \<milliseconds\> -This command specifies the time in milliseconds between two scheduled updates. -Since Babel makes extensive use of triggered updates, -this can be set to fairly high values on links with little packet loss. -The default is 20000 ms. -``` - - -```{cfgcmd} set protocols babel interface \<interface\> rxcost \<1-65534\> -This command specifies the base receive cost for this interface. -For wireless interfaces, it specifies the multiplier used for computing -the ETX reception cost (default 256); -for wired interfaces, it specifies the cost that will be advertised to -neighbours. -``` - - -```{cfgcmd} set protocols babel interface \<interface\> rtt-decay \<1-256\> -This command specifies the decay factor for the exponential moving average -of RTT samples, in units of 1/256. -Higher values discard old samples faster. The default is 42. -``` - - -```{cfgcmd} set protocols babel interface \<interface\> rtt-min \<milliseconds\> -This command specifies the minimum RTT, in milliseconds, -starting from which we increase the cost to a neighbour. -The additional cost is linear in (rtt - rtt-min). The default is 10 ms. -``` - - -```{cfgcmd} set protocols babel interface \<interface\> rtt-max \<milliseconds\> -This command specifies the maximum RTT, in milliseconds, above which -we don't increase the cost to a neighbour. The default is 120 ms. -``` - -```{cfgcmd} set protocols babel interface \<interface\> max-rtt-penalty \<milliseconds\> -This command specifies the maximum cost added to a neighbour because of RTT, -i.e. when the RTT is higher or equal than rtt-max. -The default is 150. -Setting it to 0 effectively disables the use of a RTT-based cost. -``` - -```{cfgcmd} set protocols babel interface \<interface\> enable-timestamps -This command enables sending timestamps with each Hello and IHU message -in order to compute RTT values. -It is recommended to enable timestamps on tunnel interfaces. -``` - -```{cfgcmd} set protocols babel interface \<interface\> channel \<1-254|interfering|noninterfering\> -This command set the channel number that diversity routing uses for this -interface (see diversity option above). - -**1-254** – interfaces with a channel number interfere with -interfering interfaces and interfaces with the same channel number. -**interfering** – interfering interfaces are assumed to interfere with all other channels except -noninterfering channels. -**noninterfering** – noninterfering interfaces are assumed to only interfere -with themselves. -``` - -## Redistribution Configuration - -```{cfgcmd} set protocols babel redistribute \<ipv4|ipv6\> \<route source\> -This command redistributes routing information from the given route source -to the Babel process. - -IPv4 route source: bgp, connected, eigrp, isis, kernel, nhrp, ospf, rip, static. - -IPv6 route source: bgp, connected, eigrp, isis, kernel, nhrp, ospfv3, ripng, static. -``` - -```{cfgcmd} set protocols babel distribute-list \<ipv4|ipv6\> access-list \<in|out\> \<number\> -This command can be used to filter the Babel routes using access lists. -{cfgcmd}`in` and {cfgcmd}`out` this is the direction in which the access -lists are applied. -``` - -```{cfgcmd} set protocols babel distribute-list \<ipv4|ipv6\> interface \<interface\> access-list \<in|out\> \<number\> -This command allows you apply access lists to a chosen interface to -filter the Babel routes. -``` - -```{cfgcmd} set protocols babel distribute-list \<ipv4|ipv6\> prefix-list \<in|out\> \<name\> -This command can be used to filter the Babel routes using prefix lists. -{cfgcmd}`in` and {cfgcmd}`out` this is the direction in which the prefix -lists are applied. -``` - -```{cfgcmd} set protocols babel distribute-list \<ipv4|ipv6\> interface \<interface\> prefix-list \<in|out\> \<name\> -This command allows you apply prefix lists to a chosen interface to -filter the Babel routes. -``` - -## Configuration Example - -Simple Babel configuration using 2 nodes and redistributing connected interfaces. - -**Node 1:** - -```none -set interfaces loopback lo address 10.1.1.1/32 -set interfaces loopback lo address fd12:3456:dead:beef::1/128 -set protocols babel interface eth0 type wired -set protocols babel redistribute ipv4 connected -set protocols babel redistribute ipv6 connected -``` - -**Node 2:** - -```none -set interfaces loopback lo address 10.2.2.2/32 -set interfaces loopback lo address fd12:3456:beef:dead::2/128 -set protocols babel interface eth0 type wired -set protocols babel redistribute ipv4 connected -set protocols babel redistribute ipv6 connected -``` diff --git a/docs/configuration/protocols/md-bfd.md b/docs/configuration/protocols/md-bfd.md deleted file mode 100644 index 59541abc..00000000 --- a/docs/configuration/protocols/md-bfd.md +++ /dev/null @@ -1,205 +0,0 @@ ---- -lastproofread: '2023-01-27' ---- - -```{include} /_include/need_improvement.txt -``` - -(routing-bfd)= - -# BFD - -{abbr}`BFD (Bidirectional Forwarding Detection)` is described and extended by -the following RFCs: {rfc}`5880`, {rfc}`5881` and {rfc}`5883`. - -In the age of very fast networks, a second of unreachability may equal millions of lost packets. -The idea behind BFD is to detect very quickly when a peer is down and take action extremely fast. - -BFD sends lots of small UDP packets very quickly to ensures that the peer is still alive. - -This allows avoiding the timers defined in BGP and OSPF protocol to expires. - -## Configure BFD - -```{cfgcmd} set protocols bfd peer \<address\> - -Set BFD peer IPv4 address or IPv6 address -``` - -```{cfgcmd} set protocols bfd peer \<address\> echo-mode - -Enables the echo transmission mode -``` - -```{cfgcmd} set protocols bfd peer \<address\> multihop - -Allow this BFD peer to not be directly connected -``` - -```{cfgcmd} set protocols bfd peer \<address\> source [address \<address\> | interface \<interface\>] - -Bind listener to specific interface/address, mandatory for IPv6 -``` - -```{cfgcmd} set protocols bfd peer \<address\> interval echo-interval \<10-60000\> - -The minimal echo receive transmission interval that this system is -capable of handling -``` - -```{cfgcmd} set protocols bfd peer \<address\> interval multiplier \<2-255\> - -Remote transmission interval will be multiplied by this value -``` - -```{cfgcmd} set protocols bfd peer \<address\> interval [receive | transmit] \<10-60000\> - -Interval in milliseconds -``` - -```{cfgcmd} set protocols bfd peer \<address\> shutdown - -Disable a BFD peer -``` - -```{cfgcmd} set protocols bfd peer \<address\> minimum-ttl \<1-254\> - -For multi hop sessions only. Configure the minimum expected TTL for an -incoming BFD control packet. - -This feature serves the purpose of thightening the packet validation -requirements to avoid receiving BFD control packets from other sessions. -``` - -### Enable BFD in BGP - -```{cfgcmd} set protocols bgp neighbor \<neighbor\> bfd - -Enable BFD on a single BGP neighbor -``` - -```{cfgcmd} set protocols bgp peer-group \<neighbor\> bfd - -Enable BFD on a BGP peer group -``` - -### Enable BFD in OSPF - -```{cfgcmd} set protocols ospf interface \<interface\> bfd - - Enable BFD for OSPF on an interface - -``` - -```{cfgcmd} set protocols ospfv3 interface \<interface\> bfd - -Enable BFD for OSPFv3 on an interface -``` - -### Enable BFD in ISIS - -```{cfgcmd} set protocols isis \<name\> interface \<interface\> bfd - -Enable BFD for ISIS on an interface - -``` - -## Operational Commands - -```{opcmd} show bfd peers - - Show all BFD peers - - :::{code-block} none - BFD Peers: - peer 198.51.100.33 vrf default interface eth4.100 - ID: 4182341893 - Remote ID: 12678929647 - Status: up - Uptime: 1 month(s), 16 hour(s), 29 minute(s), 38 second(s) - Diagnostics: ok - Remote diagnostics: ok - Local timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 50ms - Remote timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 0ms - - peer 198.51.100.55 vrf default interface eth4.101 - ID: 4618932327 - Remote ID: 3312345688 - Status: up - Uptime: 20 hour(s), 16 minute(s), 19 second(s) - Diagnostics: ok - Remote diagnostics: ok - Local timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 50ms - Remote timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 0ms - ::: -``` - -## BFD Static Route Monitoring - - -A monitored static route conditions the installation to the RIB on the BFD -session running state: when BFD session is up the route is installed to RIB, -but when the BFD session is down it is removed from the RIB. - - -### Configuration - -```{cfgcmd} set protocols static route \<subnet\> next-hop \<address\> bfd profile \<profile\> - -Configure a static route for \<subnet\> using gateway \<address\> -and use the gateway address as BFD peer destination address. -``` - -```{cfgcmd} set protocols static route \<subnet\> next-hop \<address\> bfd multi-hop source \<address\> profile \<profile\> - -Configure a static route for \<subnet\> using gateway \<address\>, -use source address to indentify the peer when is multi-hop session -and the gateway address as BFD peer destination address. -``` - -```{cfgcmd} set protocols static route6 \<subnet\> next-hop \<address\> bfd profile \<profile\> - -Configure a static route for \<subnet\> using gateway \<address\> -and use the gateway address as BFD peer destination address. -``` - -```{cfgcmd} set protocols static route6 \<subnet\> next-hop \<address\> bfd multi-hop source \<address\> profile \<profile\> - -Configure a static route for \<subnet\> using gateway \<address\>, -use source address to indentify the peer when is multi-hop session -and the gateway address as BFD peer destination address. -``` - -(bfd-operational-commands)= - -## Operational Commands - -```{opcmd} show bfd static routes - -Showing BFD monitored static routes - -:::{code-block} none -Showing BFD monitored static routes: - - Next hops: - VRF default IPv4 Unicast: - 10.10.13.3/32 peer 192.168.2.3 (status: installed) - 172.16.10.3/32 peer 192.168.10.1 (status: uninstalled) - - VRF default IPv4 Multicast: - - VRF default IPv6 Unicast: -::: -```
\ No newline at end of file diff --git a/docs/configuration/protocols/md-bgp.md b/docs/configuration/protocols/md-bgp.md deleted file mode 100644 index 0af79f6e..00000000 --- a/docs/configuration/protocols/md-bgp.md +++ /dev/null @@ -1,1414 +0,0 @@ -(routing-bgp)= - -# BGP - -{abbr}`BGP (Border Gateway Protocol)` is one of the Exterior Gateway Protocols -and the de facto standard interdomain routing protocol. The latest BGP version -is 4. BGP-4 is described in {rfc}`1771` and updated by {rfc}`4271`. {rfc}`2858` -adds multiprotocol support to BGP. - -VyOS makes use of {abbr}`FRR (Free Range Routing)` and we would like to thank -them for their effort! - -## Basic Concepts - -(bgp-autonomous-systems)= - -### Autonomous Systems - -From {rfc}`1930`: - -> An AS is a connected group of one or more IP prefixes run by one or more -> network operators which has a SINGLE and CLEARLY DEFINED routing policy. - -Each {abbr}`AS (Autonomous System)` has an identifying number associated with it -called an {abbr}`ASN (Autonomous System Number)`. This is a two octet value -ranging in value from 1 to 65535. The AS numbers 64512 through 65535 are defined -as private AS numbers. Private AS numbers must not be advertised on the global -Internet. The 2-byte AS number range has been exhausted. 4-byte AS numbers are -specified in {rfc}`6793`, and provide a pool of 4294967296 AS numbers. - -The {abbr}`ASN (Autonomous System Number)` is one of the essential elements of -BGP. BGP is a distance vector routing protocol, and the AS-Path framework -provides distance vector metric and loop detection to BGP. - -```{cfgcmd} set protocols bgp system-as \<asn\> - -Set local {abbr}`ASN (Autonomous System Number)` that this router represents. -This is a a mandatory option! -``` - -(bgp-address-families)= - - -### Address Families - - -Multiprotocol extensions enable BGP to carry routing information for multiple -network layer protocols. BGP supports an Address Family Identifier (AFI) for -IPv4 and IPv6. - - -(bgp-route-selection)= - - -### Route Selection - - -The route selection process used by FRR's BGP implementation uses the following -decision criterion, starting at the top of the list and going towards the -bottom until one of the factors can be used. - - -01. **Weight check** - - - Prefer higher local weight routes to lower routes. - - -02. **Local preference check** - - - Prefer higher local preference routes to lower. - - -03. **Local route check** - - - Prefer local routes (statics, aggregates, redistributed) to received routes. - - -04. **AS path length check** - - - Prefer shortest hop-count AS_PATHs. - - -05. **Origin check** - - - Prefer the lowest origin type route. That is, prefer IGP origin routes to - EGP, to Incomplete routes. - - -06. **MED check** - - - Where routes with a MED were received from the same AS, prefer the route - with the lowest MED. - - -07. **External check** - - - Prefer the route received from an external, eBGP peer over routes received - from other types of peers. - - -08. **IGP cost check** - - - Prefer the route with the lower IGP cost. - - -09. **Multi-path check** - - - If multi-pathing is enabled, then check whether the routes not yet - distinguished in preference may be considered equal. If - {cfgcmd}`bgp bestpath as-path multipath-relax` is set, all such routes are - considered equal, otherwise routes received via iBGP with identical AS_PATHs - or routes received from eBGP neighbours in the same AS are considered equal. - - -10. **Already-selected external check** - - - Where both routes were received from eBGP peers, then prefer the route - which is already selected. Note that this check is not applied if - {cfgcmd}`bgp bestpath compare-routerid` is configured. This check can - prevent some cases of oscillation. - - -11. **Router-ID check** - - - Prefer the route with the lowest router-ID. If the route has an - ORIGINATOR_ID attribute, through iBGP reflection, then that router ID is - used, otherwise the router-ID of the peer the route was received from is - used. - - -12. **Cluster-List length check** - - - The route with the shortest cluster-list length is used. The cluster-list - reflects the iBGP reflection path the route has taken. - - -13. **Peer address** - - - Prefer the route received from the peer with the higher transport layer - address, as a last-resort tie-breaker. - - -(bgp-capability-negotiation)= - - -### Capability Negotiation - - -When adding IPv6 routing information exchange feature to BGP. There were some -proposals. {abbr}`IETF (Internet Engineering Task Force)` -{abbr}`IDR (Inter Domain Routing)` adopted a proposal called Multiprotocol -Extension for BGP. The specification is described in {rfc}`2283`. The protocol -does not define new protocols. It defines new attributes to existing BGP. When -it is used exchanging IPv6 routing information it is called BGP-4+. When it is -used for exchanging multicast routing information it is called MBGP. - - -*bgpd* supports Multiprotocol Extension for BGP. So if a remote peer supports -the protocol, *bgpd* can exchange IPv6 and/or multicast routing information. - - -Traditional BGP did not have the feature to detect a remote peer's -capabilities, e.g. whether it can handle prefix types other than IPv4 unicast -routes. This was a big problem using Multiprotocol Extension for BGP in an -operational network. {rfc}`2842` adopted a feature called Capability -Negotiation. *bgpd* use this Capability Negotiation to detect the remote peer's -capabilities. If a peer is only configured as an IPv4 unicast neighbor, *bgpd* -does not send these Capability Negotiation packets (at least not unless other -optional BGP features require capability negotiation). - - -By default, FRR will bring up peering with minimal common capability for the -both sides. For example, if the local router has unicast and multicast -capabilities and the remote router only has unicast capability the local router -will establish the connection with unicast only capability. When there are no -common capabilities, FRR sends Unsupported Capability error and then resets the -connection. - - -## Configuration - - -(bgp-router-configuration)= - - -### BGP Router Configuration - - -First of all you must configure BGP router with the {abbr}`ASN (Autonomous -System Number)`. The AS number is an identifier for the autonomous system. -The BGP protocol uses the AS number for detecting whether the BGP connection -is internal or external. VyOS does not have a special command to start the BGP -process. The BGP process starts when the first neighbor is configured. - -```{cfgcmd} set protocols bgp system-as \<asn\> - -Set local autonomous system number that this router represents. This is a -mandatory option! -``` - -#### Peers Configuration - - -##### Defining Peers - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> remote-as \<asn\> - -This command creates a new neighbor whose remote-as is \<asn\>. The neighbor -address can be an IPv4 address or an IPv6 address or an interface to use -for the connection. The command is applicable for peer and peer group. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> remote-as internal - -Create a peer as you would when you specify an ASN, except that if the -peers ASN is different than mine as specified under the {cfgcmd}`protocols -bgp <asn>` command the connection will be denied. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> remote-as external - -Create a peer as you would when you specify an ASN, except that if the -peers ASN is the same as mine as specified under the {cfgcmd}`protocols -bgp <asn>` command the connection will be denied. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> remote-as auto - -Create a peer as you would when you specify an ASN, except that the peers -remote ASN is detected automatically from the OPEN message. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> local-role \<role\> [strict] - -BGP roles are defined in RFC {rfc}`9234` and provide an easy way to -add route leak prevention, detection and mitigation. The local Role -value is negotiated with the new BGP Role capability which has a -built-in check of the corresponding value. In case of a mismatch the -new OPEN Roles Mismatch Notification <2, 11> would be sent. -The correct Role pairs are: - -Provider - Customer - -Peer - Peer - -RS-Server - RS-Client - -If {cfgcmd}`strict` is set the BGP session won’t become established -until the BGP neighbor sets local Role on its side. This -configuration parameter is defined in RFC {rfc}`9234` and is used to -enforce the corresponding configuration at your counter-parts side. - -Routes that are sent from provider, rs-server, or the peer local-role -(or if received by customer, rs-client, or the peer local-role) will -be marked with a new Only to Customer (OTC) attribute. - -Routes with this attribute can only be sent to your neighbor if your -local-role is provider or rs-server. Routes with this attribute can -be received only if your local-role is customer or rs-client. - -In case of peer-peer relationship routes can be received only if OTC -value is equal to your neighbor AS number. - -All these rules with OTC will help to detect and mitigate route leaks -and happen automatically if local-role is set. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> shutdown - -This command disable the peer or peer group. To reenable the peer use -the delete form of this command. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> description \<text\> - -Set description of the peer or peer group. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> update-source \<address|interface\> - -Specify the IPv4 source address to use for the BGP session to this neighbor, -may be specified as either an IPv4 address directly or as an interface name. -``` - -(bgp-capability-negotiation-1)= - - -##### Capability Negotiation - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> capability dynamic - -This command would allow the dynamic update of capabilities over an -established BGP session. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> capability extended-nexthop - -Allow bgp to negotiate the extended-nexthop capability with it’s peer. -If you are peering over a IPv6 Link-Local address then this capability -is turned on automatically. If you are peering over a IPv6 Global Address -then turning on this command will allow BGP to install IPv4 routes with -IPv6 nexthops if you do not have IPv4 configured on interfaces. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> disable-capability-negotiation - -Suppress sending Capability Negotiation as OPEN message optional -parameter to the peer. This command only affects the peer is -configured other than IPv4 unicast configuration. - -When remote peer does not have capability negotiation feature, -remote peer will not send any capabilities at all. In that case, -bgp configures the peer with configured capabilities. - -You may prefer locally configured capabilities more than the negotiated -capabilities even though remote peer sends capabilities. If the peer is -configured by {cfgcmd}`override-capability`, VyOS ignores received -capabilities then override negotiated capabilities with configured values. - -Additionally you should keep in mind that this feature fundamentally -disables the ability to use widely deployed BGP features. BGP unnumbered, -hostname support, AS4, Addpath, Route Refresh, ORF, Dynamic Capabilities, -and graceful restart. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> override-capability - -This command allow override the result of Capability Negotiation with -local configuration. Ignore remote peer’s capability value. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> strict-capability-match - -This command forces strictly compare remote capabilities and local -capabilities. If capabilities are different, send Unsupported Capability -error then reset connection. - -You may want to disable sending Capability Negotiation OPEN message -optional parameter to the peer when remote peer does not implement -Capability Negotiation. Please use {cfgcmd}`disable-capability-negotiation` -command to disable the feature. -``` - -##### Peer Parameters - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> allowas-in number \<number\> - -This command accept incoming routes with AS path containing AS -number with the same value as the current system AS. This is -used when you want to use the same AS number in your sites, -but you can’t connect them directly. - - The number parameter (1-10) configures the amount of accepted - occurences of the system AS number in AS path. - - This command is only allowed for eBGP peers. It is not applicable - for peer groups. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> as-override - -This command override AS number of the originating router with -the local AS number. - -Usually this configuration is used in PEs (Provider Edge) to -replace the incoming customer AS number so the connected CE ( -Customer Edge) can use the same AS number as the other customer -sites. This allows customers of the provider network to use the -same AS number across their sites. - -This command is only allowed for eBGP peers. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> attribute-unchanged \<as-path|med|next-hop\> - -This command specifies attributes to be left unchanged for -advertisements sent to a peer or peer group. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> maximum-prefix \<number\> - -This command specifies a maximum number of prefixes we can receive -from a given peer. If this number is exceeded, the BGP session -will be destroyed. The number range is 1 to 4294967295. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> nexthop-self - -This command forces the BGP speaker to report itself as the -next hop for an advertised route it advertised to a neighbor. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> remove-private-as - -This command removes the private ASN of routes that are advertised -to the configured peer. It removes only private ASNs on routes -advertised to EBGP peers. - -If the AS-Path for the route has only private ASNs, the private -ASNs are removed. - -If the AS-Path for the route has a private ASN between public -ASNs, it is assumed that this is a design choice, and the -private ASN is not removed. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> soft-reconfiguration inbound - -Changes in BGP policies require the BGP session to be cleared. Clearing has a -large negative impact on network operations. Soft reconfiguration enables you -to generate inbound updates from a neighbor, change and activate BGP policies -without clearing the BGP session. - -This command specifies that route updates received from this neighbor will be -stored unmodified, regardless of the inbound policy. When inbound soft -reconfiguration is enabled, the stored updates are processed by the new -policy configuration to create new inbound updates. - -:::{note} -Storage of route updates uses memory. If you enable soft -reconfiguration inbound for multiple neighbors, the amount of memory used -can become significant. -::: -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> weight \<number\> - -This command specifies a default weight value for the neighbor’s -routes. The number range is 1 to 65535. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> advertisement-interval \<seconds\> - -This command specifies the minimum route advertisement interval for -the peer. The interval value is 0 to 600 seconds, with the default -advertisement interval being 0. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> disable-connected-check - -This command allows peerings between directly connected eBGP peers -using loopback addresses without adjusting the default TTL of 1. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> disable-send-community \<extended|standard\> - -This command specifies that the community attribute should not be sent -in route updates to a peer. By default community attribute is sent. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> ebgp-multihop \<number\> - -This command allows sessions to be established with eBGP neighbors -when they are multiple hops away. When the neighbor is not directly -connected and this knob is not enabled, the session will not establish. -The number of hops range is 1 to 255. This command is mutually -exclusive with {cfgcmd}`ttl-security hops`. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> local-as \<asn\> [no-prepend] [replace-as] - -Specify an alternate AS for this BGP process when interacting with -the specified peer or peer group. With no modifiers, the specified -local-as is prepended to the received AS_PATH when receiving routing -updates from the peer, and prepended to the outgoing AS_PATH (after -the process local AS) when transmitting local routes to the peer. - -If the {cfgcmd}`no-prepend` attribute is specified, then the supplied -local-as is not prepended to the received AS_PATH. - -If the {cfgcmd}`replace-as` attribute is specified, then only the supplied -local-as is prepended to the AS_PATH when transmitting local-route -updates to this peer. - -:::{note} -This command is only allowed for eBGP peers. -::: -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> passive - -Configures the BGP speaker so that it only accepts inbound connections -from, but does not initiate outbound connections to the peer or peer group. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> password \<text\> - -This command specifies a MD5 password to be used with the tcp socket that -is being used to connect to the remote peer. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> ttl-security hops \<number\> - -This command enforces Generalized TTL Security Mechanism (GTSM), -as specified in {rfc}`5082`. With this command, only neighbors -that are specified number of hops away will be allowed to -become neighbors. The number of hops range is 1 to 254. This -command is mutually exclusive with {cfgcmd}`ebgp-multihop`. -``` - -##### Peer Groups - -Peer groups are used to help improve scaling by generating the same update -information to all members of a peer group. Note that this means that the -routes generated by a member of a peer group will be sent back to that -originating peer with the originator identifier attribute set to indicated -the originating peer. All peers not associated with a specific peer group -are treated as belonging to a default peer group, and will share updates. - -```{cfgcmd} set protocols bgp peer-group \<name\> - - This command defines a new peer group. You can specify to the group the same - parameters that you can specify for specific neighbors. - - :::{note} - If you apply a parameter to an individual neighbor IP address, you - override the action defined for a peer group that includes that IP - address. - ::: -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> peer-group \<name\> - -This command bind specific peer to peer group with a given name. -``` - -#### Network Advertisement Configuration - -```{cfgcmd} set protocols bgp address-family \<ipv4-unicast|ipv6-unicast\> network \<prefix\> - -This command is used for advertising IPv4 or IPv6 networks. - - :::{note} - By default, the BGP prefix is advertised even if it's not present - in the routing table. This behaviour differs from the implementation of - some vendors. - ::: -``` - - -```{cfgcmd} set protocols bgp parameters network-import-check - -This configuration modifies the behavior of the network statement. If you -have this configured the underlying network must exist in the routing table. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> default-originate [route-map \<name\>] - -By default, VyOS does not advertise a default route (0.0.0.0/0) even if it is -in routing table. When you want to announce default routes to the peer, use -this command. Using optional argument {cfgcmd}`route-map` you can inject the -default route to given neighbor only if the conditions in the route map are -met. -``` - -#### Route Aggregation Configuration - -```{cfgcmd} set protocols bgp address-family \<ipv4-unicast|ipv6-unicast\> aggregate-address \<prefix\> - -This command specifies an aggregate address. The router will also -announce longer-prefixes inside of the aggregate address. -``` - - -```{cfgcmd} set protocols bgp address-family \<ipv4-unicast|ipv6-unicast\> aggregate-address \<prefix\> as-set - -This command specifies an aggregate address with a mathematical set of -autonomous systems. This command summarizes the AS_PATH attributes of -all the individual routes. -``` - - -```{cfgcmd} set protocols bgp address-family \<ipv4-unicast|ipv6-unicast\> aggregate-address \<prefix\> summary-only - -This command specifies an aggregate address and provides that -longer-prefixes inside of the aggregate address are suppressed -before sending BGP updates out to peers. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> unsuppress-map \<name\> - -This command applies route-map to selectively unsuppress prefixes -suppressed by summarisation. -``` - -#### Redistribution Configuration - -```{cfgcmd} set protocols bgp address-family \<ipv4-unicast|ipv6-unicast\> redistribute <route source> - -This command redistributes routing information from the given route source -to the BGP process. There are six modes available for route source: -connected, kernel, ospf, rip, static, table. -``` - - -```{cfgcmd} set protocols bgp address-family \<ipv4-unicast|ipv6-unicast\> redistribute <route source> metric \<number\> - -This command specifies metric (MED) for redistributed routes. The -metric range is 0 to 4294967295. There are six modes available for -route source: connected, kernel, ospf, rip, static, table. -``` - - -```{cfgcmd} set protocols bgp address-family \<ipv4-unicast|ipv6-unicast\> redistribute <route source> route-map \<name\> - -This command allows to use route map to filter redistributed routes. -There are six modes available for route source: connected, kernel, -ospf, rip, static, table. -``` - -#### General Configuration -##### Common parameters - -```{cfgcmd} set protocols bgp parameters allow-martian-nexthop - - When a peer receives a martian nexthop as part of the NLRI for a route - permit the nexthop to be used as such, instead of rejecting and resetting - the connection. -``` - - -```{cfgcmd} set protocols bgp parameters router-id \<id\> - -This command specifies the router-ID. If router ID is not specified it will -use the highest interface IP address. -``` - - -```{cfgcmd} set protocols bgp address-family \<ipv4-unicast|ipv6-unicast\> maximum-paths \<ebgp|ibgp\> \<number\> - -This command defines the maximum number of parallel routes that -the BGP can support. In order for BGP to use the second path, the -following attributes have to match: Weight, Local Preference, AS -Path (both AS number and AS path length), Origin code, MED, IGP -metric. Also, the next hop address for each path must be different. -``` - - -```{cfgcmd} set protocols bgp parameters no-hard-administrative-reset - -Do not send Hard Reset CEASE Notification for "Administrative Reset" -events. When set and Graceful Restart Notification capability is exchanged -between the peers, Graceful Restart procedures apply, and routes will be retained. -``` - - -```{cfgcmd} set protocols bgp parameters log-neighbor-changes - -This command enable logging neighbor up/down changes and reset reason. -``` - - -```{cfgcmd} set protocols bgp parameters no-client-to-client-reflection - -This command disables route reflection between route reflector clients. -By default, the clients of a route reflector are not required to be -fully meshed and the routes from a client are reflected to other clients. -However, if the clients are fully meshed, route reflection is not required. -In this case, use the {cfgcmd}`no-client-to-client-reflection` command -to disable client-to-client reflection. -``` - - -```{cfgcmd} set protocols bgp parameters no-fast-external-failover - -Disable immediate session reset if peer's connected link goes down. -``` - - -```{cfgcmd} set protocols bgp parameters no-ipv6-auto-ra - -By default, FRR sends router advertisement packets when Extended Next Hop is -on or when a connection is established directly using the device name (Unnumbered BGP). -Setting this option prevents FRR from sending router advertisement packets, but could break Unnumbered BGP. -``` - - -```{cfgcmd} set protocols bgp listen range \<prefix\> peer-group \<name\> - -This command is useful if one desires to loosen the requirement for BGP -to have strictly defined neighbors. Specifically what is allowed is for -the local router to listen to a range of IPv4 or IPv6 addresses defined -by a prefix and to accept BGP open messages. When a TCP connection -(and subsequently a BGP open message) from within this range tries to -connect the local router then the local router will respond and connect -with the parameters that are defined within the peer group. One must define -a peer-group for each range that is listed. If no peer-group is defined -then an error will keep you from committing the configuration. -``` - - -```{cfgcmd} set protocols bgp listen limit \<number\> - -This command goes hand in hand with the listen range command to limit the -amount of BGP neighbors that are allowed to connect to the local router. -The limit range is 1 to 5000. -``` - - -```{cfgcmd} set protocols bgp parameters ebgp-requires-policy - -This command changes the eBGP behavior of FRR. By default FRR enables -{rfc}`8212` functionality which affects how eBGP routes are advertised, -namely no routes are advertised across eBGP sessions without some -sort of egress route-map/policy in place. In VyOS however we have this -RFC functionality disabled by default so that we can preserve backwards -compatibility with older versions of VyOS. With this option one can -enable {rfc}`8212` functionality to operate. -``` - - -```{cfgcmd} set protocols bgp parameters labeled-unicast \<explicit-null | ipv4-explicit-null | ipv6-explicit-null\> - -By default, locally advertised prefixes use the implicit-null label to -encode in the outgoing NLRI. - -The following command uses the explicit-null label value for all the -BGP instances. -``` - -##### Administrative Distance - -```{cfgcmd} set protocols bgp parameters distance global \<external|internal|local\> \<distance\> - -This command change distance value of BGP. The arguments are the distance -values for external routes, internal routes and local routes respectively. -The distance range is 1 to 255. -``` - - -```{cfgcmd} set protocols bgp parameters distance prefix \<subnet\> distance \<distance\> - -This command sets the administrative distance for a particular route. The -distance range is 1 to 255. - -:::{note} -Routes with a distance of 255 are effectively disabled and not -installed into the kernel. -::: -``` - -##### Timers - -```{cfgcmd} set protocols bgp timers holdtime \<seconds\> - - This command specifies hold-time in seconds. The timer range is - 4 to 65535. The default value is 180 second. If you set value to 0 - VyOS will not hold routes. -``` - - -```{cfgcmd} set protocols bgp timers keepalive \<seconds\> - -This command specifies keep-alive time in seconds. The timer -can range from 4 to 65535. The default value is 60 second. -``` - -##### Route Dampening - -When a route fails, a routing update is sent to withdraw the route from the -network's routing tables. When the route is re-enabled, the change in -availability is also advertised. A route that continually fails and returns -requires a great deal of network traffic to update the network about the -route's status. - -Route dampening wich described in {rfc}`2439` enables you to identify routes -that repeatedly fail and return. If route dampening is enabled, an unstable -route accumulates penalties each time the route fails and returns. If the -accumulated penalties exceed a threshold, the route is no longer advertised. -This is route suppression. Routes that have been suppressed are re-entered -into the routing table only when the amount of their penalty falls below a -threshold. - -A penalty of 1000 is assessed each time the route fails. When the penalties -reach a predefined threshold (suppress-value), the router stops advertising -the route. - -Once a route is assessed a penalty, the penalty is decreased by half each time -a predefined amount of time elapses (half-life-time). When the accumulated -penalties fall below a predefined threshold (reuse-value), the route is -unsuppressed and added back into the BGP routing table. - -No route is suppressed indefinitely. Maximum-suppress-time defines the maximum -time a route can be suppressed before it is re-advertised. - -```{cfgcmd} set protocols bgp parameters dampening half-life \<minutes\> - -This command defines the amount of time in minutes after -which a penalty is reduced by half. The timer range is -10 to 45 minutes. -``` - - -```{cfgcmd} set protocols bgp parameters dampening re-use \<seconds\> - -This command defines the accumulated penalty amount at which the -route is re-advertised. The penalty range is 1 to 20000. -``` - - -```{cfgcmd} set protocols bgp parameters dampening start-suppress-time \<seconds\> - -This command defines the accumulated penalty amount at which the -route is suppressed. The penalty range is 1 to 20000. -``` - - -```{cfgcmd} set protocols bgp parameters dampening max-suppress-time \<seconds\> - -This command defines the maximum time in minutes that a route is -suppressed. The timer range is 1 to 255 minutes. -``` - -#### Route Selection Configuration - -```{cfgcmd} set protocols bgp parameters always-compare-med - - This command provides to compare the MED on routes, even when they were - received from different neighbouring ASes. Setting this option makes the - order of preference of routes more defined, and should eliminate MED - induced oscillations. -``` - - -```{cfgcmd} set protocols bgp parameters bestpath as-path confed - -This command specifies that the length of confederation path sets and -sequences should be taken into account during the BGP best path -decision process. -``` - - -```{cfgcmd} set protocols bgp parameters bestpath as-path multipath-relax - -This command specifies that BGP decision process should consider paths -of equal AS_PATH length candidates for multipath computation. Without -the knob, the entire AS_PATH must match for multipath computation. -``` - - -```{cfgcmd} set protocols bgp parameters bestpath as-path ignore - -Ignore AS_PATH length when selecting a route -``` - - -```{cfgcmd} set protocols bgp parameters bestpath compare-routerid - -Ensure that when comparing routes where both are equal on most metrics, -including local-pref, AS_PATH length, IGP cost, MED, that the tie is -broken based on router-ID. - -If this option is enabled, then the already-selected check, where -already selected eBGP routes are preferred, is skipped. - -If a route has an ORIGINATOR_ID attribute because it has been reflected, -that ORIGINATOR_ID will be used. Otherwise, the router-ID of the peer -the route was received from will be used. - -The advantage of this is that the route-selection (at this point) will -be more deterministic. The disadvantage is that a few or even one lowest-ID -router may attract all traffic to otherwise-equal paths because of this -check. It may increase the possibility of MED or IGP oscillation, unless -other measures were taken to avoid these. The exact behaviour will be -sensitive to the iBGP and reflection topology. -``` - - -```{cfgcmd} set protocols bgp parameters bestpath med confed - -This command specifies that BGP considers the MED when comparing routes -originated from different sub-ASs within the confederation to which this -BGP speaker belongs. The default state, where the MED attribute is not -considered. -``` - - -```{cfgcmd} set protocols bgp parameters bestpath med missing-as-worst - -This command specifies that a route with a MED is always considered to be -better than a route without a MED by causing the missing MED attribute to -have a value of infinity. The default state, where the missing MED -attribute is considered to have a value of zero. -``` - - -```{cfgcmd} set protocols bgp parameters default local-pref <local-pref value> - -This command specifies the default local preference value. The local -preference range is 0 to 4294967295. -``` - - -```{cfgcmd} set protocols bgp parameters deterministic-med - -This command provides to compare different MED values that advertised by -neighbours in the same AS for routes selection. When this command is -enabled, routes from the same autonomous system are grouped together, and -the best entries of each group are compared. -``` - - -```{cfgcmd} set protocols bgp address-family ipv4-unicast network \<prefix\> backdoor - -This command allows the router to prefer route to specified prefix learned -via IGP through backdoor link instead of a route to the same prefix learned -via EBGP. -``` - -#### Route Filtering Configuration - -In order to control and modify routing information that is exchanged between -peers you can use route-map, filter-list, prefix-list, distribute-list. - -For inbound updates the order of preference is: - -> - route-map -> - filter-list -> - prefix-list, distribute-list - -For outbound updates the order of preference is: -> - prefix-list, distribute-list -> - filter-list -> - route-map -> -> :::{note} -> The attributes {cfgcmd}`prefix-list` and {cfgcmd}`distribute-list` -> are mutually exclusive, and only one command (distribute-list or -> prefix-list) can be applied to each inbound or outbound direction for a -> particular neighbor. -> ::: - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> distribute-list \<export|import\> \<number\> - -This command applies the access list filters named in \<number\> to the -specified BGP neighbor to restrict the routing information that BGP learns -and/or advertises. The arguments {cfgcmd}`export` and {cfgcmd}`import` -specify the direction in which the access list are applied. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> prefix-list \<export|import\> \<name\> - -This command applies the prfefix list filters named in \<name\> to the -specified BGP neighbor to restrict the routing information that BGP learns -and/or advertises. The arguments {cfgcmd}`export` and {cfgcmd}`import` -specify the direction in which the prefix list are applied. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> route-map \<export|import\> \<name\> - -This command applies the route map named in \<name\> to the specified BGP -neighbor to control and modify routing information that is exchanged -between peers. The arguments {cfgcmd}`export` and {cfgcmd}`import` -specify the direction in which the route map are applied. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> filter-list \<export|import\> \<name\> - -This command applies the AS path access list filters named in \<name\> to the -specified BGP neighbor to restrict the routing information that BGP learns -and/or advertises. The arguments {cfgcmd}`export` and {cfgcmd}`import` -specify the direction in which the AS path access list are applied. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> address-family \<ipv4-unicast|ipv6-unicast\> capability orf \<receive|send\> - -This command enables the ORF capability (described in {rfc}`5291`) on the -local router, and enables ORF capability advertisement to the specified BGP -peer. The {cfgcmd}`receive` keyword configures a router to advertise ORF -receive capabilities. The {cfgcmd}`send` keyword configures a router to -advertise ORF send capabilities. To advertise a filter from a sender, you -must create an IP prefix list for the specified BGP peer applied in inbound -derection. -``` - - -```{cfgcmd} set protocols bgp neighbor \<address|interface\> solo - -This command prevents from sending back prefixes learned from the neighbor. -``` - -#### BGP Scaling Configuration - - -BGP routers connected inside the same AS through BGP belong to an internal BGP -session, or IBGP. In order to prevent routing table loops, IBGP speaker does -not advertise IBGP-learned routes to other IBGP speaker (Split Horizon -mechanism). As such, IBGP requires a full mesh of all peers. For large -networks, this quickly becomes unscalable. - - -There are two ways that help us to mitigate the BGPs full-mesh requirement in -a network: - - -> - Using BGP route-reflectors -> - Using BGP confederation - - -##### Route Reflector Configuration - - -Introducing route reflectors removes the need for the full-mesh. When you -configure a route reflector you have to tell the router whether the other IBGP -router is a client or non-client. A client is an IBGP router that the route -reflector will “reflect” routes to, the non-client is just a regular IBGP -neighbor. Route reflectors mechanism is described in {rfc}`4456` and updated -by {rfc}`7606`. - -```{cfgcmd} set protocols bgp neighbor \<address\> address-family \<ipv4-unicast|ipv6-unicast\> route-reflector-client - -This command specifies the given neighbor as route reflector client. -``` - - -```{cfgcmd} set protocols bgp parameters cluster-id \<id\> - -This command specifies cluster ID which identifies a collection of route -reflectors and their clients, and is used by route reflectors to avoid -looping. By default cluster ID is set to the BGP router id value, but can be -set to an arbitrary 32-bit value. -``` - -##### Confederation Configuration - -A BGP confederation divides our AS into sub-ASes to reduce the number of -required IBGP peerings. Within a sub-AS we still require full-mesh IBGP but -between these sub-ASes we use something that looks like EBGP but behaves like -IBGP (called confederation BGP). Confederation mechanism is described in -{rfc}`5065` - -```{cfgcmd} set protocols bgp parameters confederation identifier \<asn\> - -This command specifies a BGP confederation identifier. \<asn\> is the number -of the autonomous system that internally includes multiple sub-autonomous -systems (a confederation). -``` - - -```{cfgcmd} set protocols bgp parameters confederation peers \<nsubasn\> - -This command sets other confederations \<nsubasn\> as members of autonomous -system specified by {cfgcmd}`confederation identifier <asn>`. -``` - -## Operational Mode Commands -### Show - -```{opcmd} show bgp \<ipv4|ipv6\> - - This command displays all entries in BGP routing table. -``` - - -```none -BGP table version is 10, local router ID is 10.0.35.3, vrf id 0 -Default local pref 100, local AS 65000 -Status codes: s suppressed, d damped, h history, * valid, > best, = multipath, - i internal, r RIB-failure, S Stale, R Removed -Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self -Origin codes: i - IGP, e - EGP, ? - incomplete -RPKI validation codes: V valid, I invalid, N Not found - - Network Next Hop Metric LocPrf Weight Path -*> 198.51.100.0/24 10.0.34.4 0 0 65004 i -*> 203.0.113.0/24 10.0.35.5 0 0 65005 i - -Displayed 2 routes and 2 total paths -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> \<address|prefix\> - -This command displays information about the particular entry in the BGP -routing table. -``` - - -```none -BGP routing table entry for 198.51.100.0/24 -Paths: (1 available, best #1, table default) - Advertised to non peer-group peers: - 10.0.13.1 10.0.23.2 10.0.34.4 10.0.35.5 - 65004 - 10.0.34.4 from 10.0.34.4 (10.0.34.4) - Origin IGP, metric 0, valid, external, best (First path received) - Last update: Wed Jan 6 12:18:53 2021 -``` - - -```{opcmd} show bgp cidr-only - -This command displays routes with classless interdomain routing (CIDR). -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> community \<value\> - -This command displays routes that belong to specified BGP communities. -Valid value is a community number in the range from 1 to 4294967200, -or AA:NN (autonomous system-community number/2-byte number), no-export, -local-as, or no-advertise. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> community-list \<name\> - -This command displays routes that are permitted by the BGP -community list. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> dampening dampened-paths - -This command displays BGP dampened routes. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> dampening flap-statistics - -This command displays information about flapping BGP routes. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> filter-list \<name\> - -This command displays BGP routes allowed by the specified AS Path -access list. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> neighbors \<address\> advertised-routes - -This command displays BGP routes advertised to a neighbor. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> neighbors \<address\> received-routes - -This command displays BGP routes originating from the specified BGP -neighbor before inbound policy is applied. To use this command inbound -soft reconfiguration must be enabled. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> neighbors \<address\> routes - -This command displays BGP received-routes that are accepted after filtering. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> neighbors \<address\> dampened-routes - -This command displays dampened routes received from BGP neighbor. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> regexp \<text\> - -This command displays information about BGP routes whose AS path -matches the specified regular expression. -``` - - -```{opcmd} show bgp \<ipv4|ipv6\> summary - -This command displays the status of all BGP connections. -``` - - -```none -IPv4 Unicast Summary: -BGP router identifier 10.0.35.3, local AS number 65000 vrf-id 0 -BGP table version 11 -RIB entries 5, using 920 bytes of memory -Peers 4, using 82 KiB of memory - -Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd -10.0.13.1 4 65000 148 159 0 0 0 02:16:01 0 -10.0.23.2 4 65000 136 143 0 0 0 02:13:21 0 -10.0.34.4 4 65004 161 163 0 0 0 02:16:01 1 -10.0.35.5 4 65005 162 166 0 0 0 02:16:01 1 - -Total number of neighbors 4 -``` - -### Reset - -```{opcmd} reset bgp \<ipv4|ipv6\> \<address\> [soft [in|out]] - -This command resets BGP connections to the specified neighbor IP address. -With argument {cfgcmd}`soft` this command initiates a soft reset. If -you do not specify the {cfgcmd}`in` or {cfgcmd}`out` options, both -inbound and outbound soft reconfiguration are triggered. -``` - - -```{opcmd} reset bgp all - -This command resets all BGP connections of given router. -``` - - -```{opcmd} reset bgp \<ipv4|ipv6\> external - -This command resets all external BGP peers of given router. -``` - - -```{opcmd} reset bgp \<ipv4|ipv6\> peer-group \<name\> [soft [in|out]] - -This command resets BGP connections to the specified peer group. -With argument {cfgcmd}`soft` this command initiates a soft reset. If -you do not specify the {cfgcmd}`in` or {cfgcmd}`out` options, both -inbound and outbound soft reconfiguration are triggered. -``` - -## Examples -### IPv4 peering - -A simple eBGP configuration: - -**Node 1:** - -```none -set protocols bgp system-as 65534 -set protocols bgp neighbor 192.168.0.2 ebgp-multihop '2' -set protocols bgp neighbor 192.168.0.2 remote-as '65535' -set protocols bgp neighbor 192.168.0.2 update-source '192.168.0.1' -set protocols bgp neighbor 192.168.0.2 address-family ipv4-unicast -set protocols bgp address-family ipv4-unicast network '172.16.0.0/16' -set protocols bgp parameters router-id '192.168.0.1' -``` - -**Node 2:** - -```none -set protocols bgp system-as 65535 -set protocols bgp neighbor 192.168.0.1 ebgp-multihop '2' -set protocols bgp neighbor 192.168.0.1 remote-as '65534' -set protocols bgp neighbor 192.168.0.1 update-source '192.168.0.2' -set protocols bgp neighbor 192.168.0.1 address-family ipv4-unicast -set protocols bgp address-family ipv4-unicast network '172.17.0.0/16' -set protocols bgp parameters router-id '192.168.0.2' -``` - -Don't forget, the CIDR declared in the network statement MUST **exist in your -routing table (dynamic or static), the best way to make sure that is true is -creating a static route:** - -**Node 1:** - -```none -set protocols static route 172.16.0.0/16 blackhole distance '254' -``` - -**Node 2:** - -```none -set protocols static route 172.17.0.0/16 blackhole distance '254' -``` - -### IPv6 peering - -A simple BGP configuration via IPv6. - -**Node 1:** - -```none -set protocols bgp system-as 65534 -set protocols bgp neighbor 2001:db8::2 ebgp-multihop '2' -set protocols bgp neighbor 2001:db8::2 remote-as '65535' -set protocols bgp neighbor 2001:db8::2 update-source '2001:db8::1' -set protocols bgp neighbor 2001:db8::2 address-family ipv6-unicast -set protocols bgp address-family ipv6-unicast network '2001:db8:1::/48' -set protocols bgp parameters router-id '10.1.1.1' -``` - -**Node 2:** - -```none -set protocols bgp system-as 65535 -set protocols bgp neighbor 2001:db8::1 ebgp-multihop '2' -set protocols bgp neighbor 2001:db8::1 remote-as '65534' -set protocols bgp neighbor 2001:db8::1 update-source '2001:db8::2' -set protocols bgp neighbor 2001:db8::1 address-family ipv6-unicast -set protocols bgp address-family ipv6-unicast network '2001:db8:2::/48' -set protocols bgp parameters router-id '10.1.1.2' -``` - -Don't forget, the CIDR declared in the network statement **MUST exist in your -routing table (dynamic or static), the best way to make sure that is true is -creating a static route:** - -**Node 1:** - -```none -set protocols static route6 2001:db8:1::/48 blackhole distance '254' -``` - -**Node 2:** - -```none -set protocols static route6 2001:db8:2::/48 blackhole distance '254' -``` - -### Route Filtering - -Route filter can be applied using a route-map: - -**Node1:** - -```none -set policy prefix-list AS65535-IN rule 10 action 'permit' -set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16' -set policy prefix-list AS65535-OUT rule 10 action 'deny' -set policy prefix-list AS65535-OUT rule 10 prefix '172.16.0.0/16' -set policy prefix-list6 AS65535-IN rule 10 action 'permit' -set policy prefix-list6 AS65535-IN rule 10 prefix '2001:db8:2::/48' -set policy prefix-list6 AS65535-OUT rule 10 action 'deny' -set policy prefix-list6 AS65535-OUT rule 10 prefix '2001:db8:2::/48' - -set policy route-map AS65535-IN rule 10 action 'permit' -set policy route-map AS65535-IN rule 10 match ip address prefix-list 'AS65535-IN' -set policy route-map AS65535-IN rule 10 match ipv6 address prefix-list 'AS65535-IN' -set policy route-map AS65535-IN rule 20 action 'deny' -set policy route-map AS65535-OUT rule 10 action 'deny' -set policy route-map AS65535-OUT rule 10 match ip address prefix-list 'AS65535-OUT' -set policy route-map AS65535-OUT rule 10 match ipv6 address prefix-list 'AS65535-OUT' -set policy route-map AS65535-OUT rule 20 action 'permit' - -set protocols bgp system-as 65534 -set protocols bgp neighbor 2001:db8::2 address-family ipv4-unicast route-map export 'AS65535-OUT' -set protocols bgp neighbor 2001:db8::2 address-family ipv4-unicast route-map import 'AS65535-IN' -set protocols bgp neighbor 2001:db8::2 address-family ipv6-unicast route-map export 'AS65535-OUT' -set protocols bgp neighbor 2001:db8::2 address-family ipv6-unicast route-map import 'AS65535-IN' -``` - -**Node2:** - -```none -set policy prefix-list AS65534-IN rule 10 action 'permit' -set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16' -set policy prefix-list AS65534-OUT rule 10 action 'deny' -set policy prefix-list AS65534-OUT rule 10 prefix '172.17.0.0/16' -set policy prefix-list6 AS65534-IN rule 10 action 'permit' -set policy prefix-list6 AS65534-IN rule 10 prefix '2001:db8:1::/48' -set policy prefix-list6 AS65534-OUT rule 10 action 'deny' -set policy prefix-list6 AS65534-OUT rule 10 prefix '2001:db8:1::/48' - -set policy route-map AS65534-IN rule 10 action 'permit' -set policy route-map AS65534-IN rule 10 match ip address prefix-list 'AS65534-IN' -set policy route-map AS65534-IN rule 10 match ipv6 address prefix-list 'AS65534-IN' -set policy route-map AS65534-IN rule 20 action 'deny' -set policy route-map AS65534-OUT rule 10 action 'deny' -set policy route-map AS65534-OUT rule 10 match ip address prefix-list 'AS65534-OUT' -set policy route-map AS65534-OUT rule 10 match ipv6 address prefix-list 'AS65534-OUT' -set policy route-map AS65534-OUT rule 20 action 'permit' - -set protocols bgp system-as 65535 -set protocols bgp neighbor 2001:db8::1 address-family ipv4-unicast route-map export 'AS65534-OUT' -set protocols bgp neighbor 2001:db8::1 address-family ipv4-unicast route-map import 'AS65534-IN' -set protocols bgp neighbor 2001:db8::1 address-family ipv6-unicast route-map export 'AS65534-OUT' -set protocols bgp neighbor 2001:db8::1 address-family ipv6-unicast route-map import 'AS65534-IN' -``` - -We could expand on this and also deny link local and multicast in the rule 20 -action deny. diff --git a/docs/configuration/protocols/md-failover.md b/docs/configuration/protocols/md-failover.md deleted file mode 100644 index 824213e7..00000000 --- a/docs/configuration/protocols/md-failover.md +++ /dev/null @@ -1,123 +0,0 @@ -# Failover - -Failover routes are manually configured routes, but they only install -to the routing table as kernel routes if the health-check target is alive. -If the target is not alive the route is removed from the routing table -until the target becomes available. - -## Failover Routes - -```{cfgcmd} set protocols failover route \<subnet\> next-hop \<address\> check target \<target-address\> - -Configure next-hop `<address>` and `<target-address>` for an IPv4 static -route. Specify the target -IPv4 address for health checking. -``` - - -```{cfgcmd} set protocols failover route \<subnet\> next-hop \<address\> check timeout \<timeout\> - -Timeout in seconds between health target checks. - -Range is 1 to 300, default is 10. -``` - - -```{cfgcmd} set protocols failover route \<subnet\> next-hop \<address\> check type \<protocol\> - -Defines protocols for checking ARP, ICMP, TCP. -``` - -- ICMP probe sends 2 ICMP request packets with a response timeout of 1 second. - If one ICMP response is received, the health check is successful. - - -- ARP probe sends 2 ARP requests with a response timeout of 1 second. - If one response is received, the health check is successful. - - -- TCP probe checks whether the destination port is open. - - - > Default is `icmp`. - -```{cfgcmd} set protocols failover route \<subnet\> next-hop \<address\> check policy \<policy\> - -Policy for checking targets -``` - -- `all-available` all checking target addresses must be available to pass - this check - - -- `any-available` any of the checking target addresses must be available - to pass this check - - - > Default is `any-available`. - -```{cfgcmd} set protocols failover route \<subnet\> next-hop \<address\> interface \<interface\> - -Next-hop interface for the route -``` - - -```{cfgcmd} set protocols failover route \<subnet\> next-hop \<address\> metric \<metric\> - -Route metric - -Default 1. -``` - -## Example - -**One gateway:** - -```none -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check target '192.0.2.1' -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check timeout '5' -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check type 'icmp' -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 interface 'eth0' -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 metric '10' -``` - -Show the route - -```none -vyos@vyos:~$ show ip route 203.0.113.1 - Routing entry for 203.0.113.1/32 - Known via "kernel", distance 0, metric 10, best - Last update 00:00:39 ago - * 192.0.2.1, via eth0 -``` - -**Two gateways and different metrics:** - -```none -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check target '192.0.2.1' -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check timeout '5' -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check type 'icmp' -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 interface 'eth0' -set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 metric '10' - -set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 check target '198.51.100.99' -set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 check timeout '5' -set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 check type 'icmp' -set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 interface 'eth2' -set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 metric '20' -``` - -Show the route - -```none -vyos@vyos:~$ show ip route 203.0.113.1 -Routing entry for 203.0.113.1/32 - Known via "kernel", distance 0, metric 10, best - Last update 00:08:06 ago - * 192.0.2.1, via eth0 - -Routing entry for 203.0.113.1/32 - Known via "kernel", distance 0, metric 20 - Last update 00:08:14 ago - * 198.51.100.1, via eth2 -``` diff --git a/docs/configuration/protocols/md-igmp-proxy.md b/docs/configuration/protocols/md-igmp-proxy.md deleted file mode 100644 index 961f921b..00000000 --- a/docs/configuration/protocols/md-igmp-proxy.md +++ /dev/null @@ -1,79 +0,0 @@ ---- -lastproofread: '2023-11-13' ---- - -(igmp-proxy)= - -# IGMP Proxy - -{abbr}`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages -on behalf of a connected client. The configuration must define one, and only one -upstream interface, and one or more downstream interfaces. - -## Configuration - -```{cfgcmd} set protocols igmp-proxy interface \<interface\> role \<upstream | downstream\> - -* **upstream:** The upstream network interface is the outgoing interface -which is responsible for communicating to available multicast data sources. -There can only be one upstream interface. - -* **downstream:** Downstream network interfaces are the distribution -interfaces to the destination networks, where multicast clients can join -groups and receive multicast data. One or more downstream interfaces must -be configured. -``` - -```{cfgcmd} set protocols igmp-proxy interface \<interface\> alt-subnet \<network\> - -Defines alternate sources for multicasting and IGMP data. The network address -must be on the following format 'a.b.c.d/n'. By default, the router will -accept data from sources on the same network as configured on an interface. -If the multicast source lies on a remote network, one must define from where -traffic should be accepted. - -This is especially useful for the upstream interface, since the source for -multicast traffic is often from a remote location. - -This option can be supplied multiple times. -``` - -```{cfgcmd} set protocols igmp-proxy disable-quickleave - -Disables quickleave mode. In this mode the daemon will not send a Leave IGMP -message upstream as soon as it receives a Leave message for any downstream -interface. The daemon will not ask for Membership reports on the downstream -interfaces, and if a report is received the group is not joined again the -upstream. - -If it's vital that the daemon should act exactly like a real multicast client -on the upstream interface, this function should be enabled. - -Enabling this function increases the risk of bandwidth saturation. -``` - -```{cfgcmd} set protocols igmp-proxy disable - -Disable this service. -``` - -(igmp-proxy-example)= - -### Example - -Interface eth1 LAN is behind NAT. In order to subscribe 10.0.0.0/23 subnet -multicast which is in eth0 WAN we need to configure igmp-proxy. - -```none -set protocols igmp-proxy interface eth0 role upstream -set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 -set protocols igmp-proxy interface eth1 role downstream -``` - - -## Operation - -```{opcmd} restart igmp-proxy - -Restart the IGMP proxy process. -```
\ No newline at end of file diff --git a/docs/configuration/protocols/md-index.md b/docs/configuration/protocols/md-index.md deleted file mode 100644 index 5f190ce1..00000000 --- a/docs/configuration/protocols/md-index.md +++ /dev/null @@ -1,25 +0,0 @@ -# Protocols - -```{toctree} -:includehidden: true -:maxdepth: 1 - -arp -babel -bfd -bgp -failover -igmp-proxy -isis -mpls -multicast -segment-routing -traffic-engineering -openfabric -ospf -pim -pim6 -rip -rpki -static -``` diff --git a/docs/configuration/protocols/md-isis.md b/docs/configuration/protocols/md-isis.md deleted file mode 100644 index fca0b12c..00000000 --- a/docs/configuration/protocols/md-isis.md +++ /dev/null @@ -1,822 +0,0 @@ -```{include} /_include/need_improvement.txt -``` - -(routing-isis)= - -# IS-IS - -{abbr}`IS-IS (Intermediate System to Intermediate System)` is a link-state -interior gateway protocol (IGP) which is described in ISO10589, -{rfc}`1195`, {rfc}`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) -algorithm to create a database of the network’s topology, and -from that database to determine the best (that is, lowest cost) path to a -destination. The intermediate systems (the name for routers) exchange topology -information with their directly connected neighbors. IS-IS runs directly on -the data link layer (Layer 2). IS-IS addresses are called -{abbr}`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are -generally 10 bytes long. The tree database that is created with IS-IS is -similar to the one that is created with OSPF in that the paths chosen should -be similar. Comparisons to OSPF are inevitable and often are reasonable ones -to make in regards to the way a network will respond with either IGP. - -## General - -### Configuration - -#### Mandatory Settings - -For IS-IS top operate correctly, one must do the equivalent of a Router ID in -CLNS. This Router ID is called the {abbr}`NET (Network Entity Title)`. This -must be unique for each and every router that is operating in IS-IS. It also -must not be duplicated otherwise the same issues that occur within OSPF will -occur within IS-IS when it comes to said duplication. - -```{eval-rst} -.. cfgcmd:: set protocols isis net <network-entity-title> - - This command sets network entity title (NET) provided in ISO format. - - Here is an example {abbr}`NET (Network Entity Title)` value: - - .. code-block:: none - - 49.0001.1921.6800.1002.00 - - The CLNS address consists of the following parts: - - * {abbr}`AFI (Address family authority identifier)` - ``49`` The AFI value - 49 is what IS-IS uses for private addressing. - - * Area identifier: ``0001`` IS-IS area number (numerical area ``1``) - - * System identifier: ``1921.6800.1002`` - for system identifiers we recommend - to use IP address or MAC address of the router itself. The way to construct - this is to keep all of the zeroes of the router IP address, and then change - the periods from being every three numbers to every four numbers. The - address that is listed here is ``192.168.1.2``, which if expanded will turn - into ``192.168.001.002``. Then all one has to do is move the dots to have - four numbers instead of three. This gives us ``1921.6800.1002``. - - * {abbr}`NET (Network Entity Title)` selector: ``00`` Must always be 00. This - setting indicates "this system" or "local system." -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> - - This command enables IS-IS on this interface, and allows for - adjacency to occur. Note that the name of IS-IS instance must be - the same as the one used to configure the IS-IS process. -``` - -#### IS-IS Global Configuration - -```{eval-rst} -.. cfgcmd:: set protocols isis dynamic-hostname - - This command enables support for dynamic hostname TLV. Dynamic hostname - mapping determined as described in {rfc}`2763`, Dynamic Hostname - Exchange Mechanism for IS-IS. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis level <level-1|level-1-2|level-2> - - This command defines the IS-IS router behavior: - - * **level-1** - Act as a station (Level 1) router only. - * **level-1-2** - Act as a station (Level 1) router and area (Level 2) router. - * **level-2-only** - Act as an area (Level 2) router only. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis lsp-mtu <size> - - This command configures the maximum size of generated - {abbr}`LSPs (Link State PDUs)`, in bytes. The size range is 128 to 4352. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis metric-style <narrow|transition|wide> - - This command sets old-style (ISO 10589) or new style packet formats: - - * **narrow** - Use old style of TLVs with narrow metric. - * **transition** - Send and accept both styles of TLVs during transition. - * **wide** - Use new style of TLVs to carry wider metric. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis purge-originator - - This command enables {rfc}`6232` purge originator identification. Enable - purge originator identification (POI) by adding the type, length and value - (TLV) with the Intermediate System (IS) identification to the LSPs that do - not contain POI information. If an IS generates a purge, VyOS adds this TLV - with the system ID of the IS to the purge. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis set-attached-bit - - This command sets ATT bit to 1 in Level1 LSPs. It is described in {rfc}`3787`. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis set-overload-bit - - This command sets overload bit to avoid any transit traffic through this - router. It is described in {rfc}`3787`. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis default-information originate <ipv4|ipv6> - level-1 - - This command will generate a default-route in L1 database. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis default-information originate <ipv4|ipv6> - level-2 - - This command will generate a default-route in L2 database. - -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis ldp-sync - - This command will enable IGP-LDP synchronization globally for ISIS. This - requires for LDP to be functional. This is described in {rfc}`5443`. By - default all interfaces operational in IS-IS are enabled for synchronization. - Loopbacks are exempt. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis ldp-sync holddown <seconds> - - This command will change the hold down value globally for IGP-LDP - synchronization during convergence/interface flap events. - -``` - -#### Interface Configuration - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> circuit-type - <level-1|level-1-2|level-2-only> - - This command specifies circuit type for interface: - - * **level-1** - Level-1 only adjacencies are formed. - * **level-1-2** - Level-1-2 adjacencies are formed - * **level-2-only** - Level-2 only adjacencies are formed -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> hello-interval - <seconds> - - This command sets hello interval in seconds on a given interface. - The range is 1 to 600. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> hello-multiplier - <seconds> - - This command sets multiplier for hello holding time on a given - interface. The range is 2 to 100. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> hello-padding - - This command configures padding on hello packets to accommodate asymmetrical - maximum transfer units (MTUs) from different hosts as described in - {rfc}`3719`. This helps to prevent a premature adjacency Up state when one - routing devices MTU does not meet the requirements to establish the adjacency. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> metric <metric> - - This command set default metric for circuit. - - The metric range is 1 to 16777215 (Max value depend if metric support narrow - or wide value). -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> network - point-to-point - - This command specifies network type to Point-to-Point. The default - network type is broadcast. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> passive - - This command configures the passive mode for this interface. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> password - plaintext-password <text> - - This command configures the authentication password for the interface. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> priority <number> - - This command sets priority for the interface for - {abbr}`DIS (Designated Intermediate System)` election. The priority - range is 0 to 127. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> psnp-interval - <number> - - This command sets PSNP interval in seconds. The interval range is 0 - to 127. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> - no-three-way-handshake - - This command disables Three-Way Handshake for P2P adjacencies which - described in {rfc}`5303`. Three-Way Handshake is enabled by default. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> ldp-sync disable - - This command disables IGP-LDP sync for this specific interface. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> ldp-sync holddown - <seconds> - - This command will change the hold down value for IGP-LDP synchronization - during convergence/interface flap events, but for this interface only. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> fast-reroute lfa [level-1 | level-2] enable - - This command enables per-prefix local LFA fast reroute link protection. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> fast-reroute lfa [level-1 | level-2] exclude - - This command excludes an interface from the local LFA backup nexthop computation. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> fast-reroute remote-lfa [level-1 | level-2] tunnel mpls-ldp - - This command enables per-prefix Remote LFA fast reroute link protection. - Note that other routers in the network need to be configured to accept LDP - targeted hello messages in order for RLFA to work. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> fast-reroute remote-lfa [level-1 | level-2] maximum-metric <metric> - - This command limits Remote LFA PQ node selection within the specified metric. Metric value range (1-16777215). -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis interface <interface> fast-reroute ti-lfa [level-1|level-2] [node-protection [link-fallback]] - - This command enables per-prefix TI-LFA fast reroute link or node protection. - When node protection is used, option link-fallback enables the computation - and use of link-protecting LFAs for destinations unprotected by node - protection. -``` - -#### Route Redistribution - -```{eval-rst} -.. cfgcmd:: set protocols isis redistribute ipv4 <route source> level-1 - - This command redistributes routing information from the given route source - into the ISIS database as Level-1. There are six modes available for route - source: bgp, connected, kernel, ospf, rip, static. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis redistribute ipv4 <route source> level-2 - - This command redistributes routing information from the given route source - into the ISIS database as Level-2. There are six modes available for route - source: bgp, connected, kernel, ospf, rip, static. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis redistribute ipv4 <route source> - <level-1|level-2> metric <number> - - This command specifies metric for redistributed routes from the given route - source. There are six modes available for route source: bgp, connected, - kernel, ospf, rip, static. The metric range is 1 to 16777215. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis redistribute ipv4 <route source> - <level-1|level-2> route-map <name> - - This command allows to use route map to filter redistributed routes from - the given route source. There are six modes available for route source: - bgp, connected, kernel, ospf, rip, static. - -``` - -#### Timers - -```{eval-rst} -.. cfgcmd:: set protocols isis lsp-gen-interval <seconds> - - This command sets minimum interval in seconds between regenerating same - LSP. The interval range is 1 to 120. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis lsp-refresh-interval <seconds> - - This command sets LSP refresh interval in seconds. IS-IS generates LSPs - when the state of a link changes. However, to ensure that routing - databases on all routers remain converged, LSPs in stable networks are - generated on a regular basis even though there has been no change to - the state of the links. The interval range is 1 to 65235. The default - value is 900 seconds. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis max-lsp-lifetime <seconds> - - This command sets LSP maximum LSP lifetime in seconds. The interval range - is 350 to 65535. LSPs remain in a database for 1200 seconds by default. - If they are not refreshed by that time, they are deleted. You can change - the LSP refresh interval or the LSP lifetime. The LSP refresh interval - should be less than the LSP lifetime or else LSPs will time out before - they are refreshed. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis spf-interval <seconds> - - This command sets minimum interval between consecutive SPF calculations in - seconds.The interval range is 1 to 120. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis spf-delay-ietf holddown <milliseconds> -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis spf-delay-ietf init-delay - <milliseconds> -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis spf-delay-ietf long-delay - <milliseconds> -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis spf-delay-ietf short-delay - <milliseconds> -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis spf-delay-ietf time-to-learn - <milliseconds> - - This commands specifies the Finite State Machine (FSM) intended to - control the timing of the execution of SPF calculations in response - to IGP events. The process described in {rfc}`8405`. -``` - -#### Loop Free Alternate (LFA) - -```{eval-rst} -.. cfgcmd:: set protocols isis fast-reroute lfa remote prefix-list <name> - <level-1|level-2> - - This command enables IP fast re-routing that is part of {rfc}`5286`. - Specifically this is a prefix list which references a prefix in which - will select eligible PQ nodes for remote LFA backups. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis fast-reroute lfa local load-sharing disable - <level-1|level-2> - - This command disables the load sharing across multiple LFA backups. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis fast-reroute lfa local tiebreaker - <downstream|lowest-backup-metric|node-protecting> index <number> - <level-1|level-2> - - This command will configure a tie-breaker for multiple local LFA backups. - The lower index numbers will be processed first. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis fast-reroute lfa local priority-limit - <medium|high|critical> <level-1|level-2> - - This command will limit LFA backup computation up to the specified - prefix priority. -``` - -#### Segment Routing over IPv6 (SRv6) - -```{eval-rst} -.. cfgcmd:: set protocols isis segment-routing srv6 interface <interface> - - The {ref}`dummy interface<configuration/interfaces/dummy:dummy>` used - to install SRv6 SIDs into the Linux data plane. The interface must exist and - must be present when configuring IS-IS with - SRv6. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis segment-routing srv6 locator <locator> - - Specifies the SRv6 locator to use for IS-IS. IS-IS automatically allocates - prefix and adjacency SIDs, creates local SID entries and advertises them - into the IGP domain. -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis segment-routing srv6 node-msd max-end-d <0-255> - - The Maximum End D MSD Type specifies the maximum number of SIDs present in an - SRH when performing decapsulation. As specified in {rfc}`8986`, the permitted - SID types include, but are not limited to, End.DX6, End.DT4, End.DT46, End - with USD, and End.X with USD. - - If the advertised value is zero or no value is advertised, then the router - cannot apply any behavior that results in decapsulation and forwarding of the - inner packet if the outer IPv6 header contains an SRH. - - Reference: {rfc}`9352` -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis segment-routing srv6 node-msd max-end-pop <0-255> - - The Maximum End Pop MSD Type signals the maximum number of SIDs in the SRH to - which the router can apply "Penultimate Segment Pop (PSP) of the SRH" or - "Ultimate Segment Pop (USP) of the SRH" behavior, as defined in "Flavors" - (Section 4.16 of {rfc}`8986`). - - If the advertised value is zero or no value is advertised, then the router - cannot apply PSP or USP flavors. - - Reference: {rfc}`9352` -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis segment-routing srv6 node-msd max-h-encaps <0-255> - - The Maximum H.Encaps MSD Type signals the maximum number of SIDs that can be - added to the segment list of an SRH as part of the "H.Encaps" behavior, as - defined in {rfc}`8986`. - - If the advertised value is zero or no value is advertised, then the headend - can apply an SR Policy that only contains one segment without inserting any - SRH header. A non-zero SRH Max H.encaps MSD indicates that the headend can - insert an SRH up to the advertised number of SIDs. - - Reference: {rfc}`9352` -``` - -```{eval-rst} -.. cfgcmd:: set protocols isis segment-routing srv6 node-msd max-segs-left <0-255> - - The Maximum Segments Left MSD Type signals the maximum value of the - "Segments Left" field ({rfc}`8754`) in the SRH of a received packet before - applying the Endpoint behavior associated with a SID. - - If no value is advertised, the supported value is 0. - - Reference: {rfc}`9352` -``` - -## Examples - -### Enable IS-IS - -**Node 1:** - -```none -set interfaces loopback lo address '192.168.255.255/32' -set interfaces ethernet eth1 address '192.0.2.1/24' - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5255.00' -``` - -**Node 2:** - -```none -set interfaces ethernet eth1 address '192.0.2.2/24' - -set interfaces loopback lo address '192.168.255.254/32' -set interfaces ethernet eth1 address '192.0.2.2/24' - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5254.00' -``` - -This gives us the following neighborships, Level 1 and Level 2: - -```none -Node-1@vyos:~$ show isis neighbor -Area VyOS: - System Id Interface L State Holdtime SNPA - vyos eth1 1 Up 28 0c87.6c09.0001 - vyos eth1 2 Up 28 0c87.6c09.0001 - -Node-2@vyos:~$ show isis neighbor -Area VyOS: - System Id Interface L State Holdtime SNPA - vyos eth1 1 Up 29 0c33.0280.0001 - vyos eth1 2 Up 28 0c33.0280.0001 -``` - -Here's the IP routes that are populated. Just the loopback: - -```none -Node-1@vyos:~$ show ip route isis -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -I 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 inactive, weight 1, 00:02:22 -I>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1, weight 1, 00:02:22 - -Node-2@vyos:~$ show ip route isis -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -I 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 inactive, weight 1, 00:02:21 -I>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1, weight 1, 00:02:21 -``` - -### Enable IS-IS and redistribute routes not natively in IS-IS - -**Node 1:** - -```none -set interfaces dummy dum0 address '203.0.113.1/24' -set interfaces ethernet eth1 address '192.0.2.1/24' - -set policy prefix-list EXPORT-ISIS rule 10 action 'permit' -set policy prefix-list EXPORT-ISIS rule 10 prefix '203.0.113.0/24' -set policy route-map EXPORT-ISIS rule 10 action 'permit' -set policy route-map EXPORT-ISIS rule 10 match ip address prefix-list 'EXPORT-ISIS' - -set protocols isis interface eth1 -set protocols isis net '49.0001.1921.6800.1002.00' -set protocols isis redistribute ipv4 connected level-2 route-map 'EXPORT-ISIS' -``` - -**Node 2:** - -```none -set interfaces ethernet eth1 address '192.0.2.2/24' - -set protocols isis interface eth1 -set protocols isis net '49.0001.1921.6800.2002.00' -``` - -Routes on Node 2: - -```none -Node-2@r2:~$ show ip route isis -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route, q - queued route, r - rejected route - -I 203.0.113.0/24 [115/10] via 192.0.2.1, eth1, 00:03:42 -``` - -### Enable IS-IS and IGP-LDP synchronization - -**Node 1:** - -```none -set interfaces loopback lo address 192.168.255.255/32 -set interfaces ethernet eth0 address 192.0.2.1/24 - -set protocols isis interface eth0 -set protocols isis interface lo passive -set protocols isis ldp-sync -set protocols isis net 49.0001.1921.6825.5255.00 - -set protocols mpls interface eth0 -set protocols mpls ldp discovery transport-ipv4-address 192.168.255.255 -set protocols mpls ldp interface lo -set protocols mpls ldp interface eth0 -set protocols mpls ldp parameters transport-prefer-ipv4 -set protocols mpls ldp router-id 192.168.255.255 -``` - -This gives us IGP-LDP synchronization for all non-loopback interfaces with -a holddown timer of zero seconds: - -```none -Node-1@vyos:~$ show isis mpls ldp-sync -eth0 - LDP-IGP Synchronization enabled: yes - holddown timer in seconds: 0 - State: Sync achieved -``` - -### Enable IS-IS with Segment Routing (Experimental) - -**Node 1:** - -```none -set interfaces loopback lo address '192.168.255.255/32' -set interfaces ethernet eth1 address '192.0.2.1/24' - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5255.00' -set protocols isis segment-routing global-block high-label-value '599' -set protocols isis segment-routing global-block low-label-value '550' -set protocols isis segment-routing prefix 192.168.255.255/32 index value '1' -set protocols isis segment-routing prefix 192.168.255.255/32 index explicit-null -set protocols mpls interface 'eth1' -``` - -**Node 2:** - -```none -set interfaces loopback lo address '192.168.255.254/32' -set interfaces ethernet eth1 address '192.0.2.2/24' - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5254.00' -set protocols isis segment-routing global-block high-label-value '599' -set protocols isis segment-routing global-block low-label-value '550' -set protocols isis segment-routing prefix 192.168.255.254/32 index value '2' -set protocols isis segment-routing prefix 192.168.255.254/32 index explicit-null -set protocols mpls interface 'eth1' -``` - -This gives us MPLS segment routing enabled and labels for far end loopbacks: - -```none -Node-1@vyos:~$ show mpls table - Inbound Label Type Nexthop Outbound Label - ---------------------------------------------------------------------- - 552 SR (IS-IS) 192.0.2.2 IPv4 Explicit Null <-- Node-2 loopback learned on Node-1 - 15000 SR (IS-IS) 192.0.2.2 implicit-null - 15001 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null - 15002 SR (IS-IS) 192.0.2.2 implicit-null - 15003 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null - -Node-2@vyos:~$ show mpls table - Inbound Label Type Nexthop Outbound Label - --------------------------------------------------------------------- - 551 SR (IS-IS) 192.0.2.1 IPv4 Explicit Null <-- Node-1 loopback learned on Node-2 - 15000 SR (IS-IS) 192.0.2.1 implicit-null - 15001 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null - 15002 SR (IS-IS) 192.0.2.1 implicit-null - 15003 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null -``` - -Here is the routing tables showing the MPLS segment routing label operations: - -```none -Node-1@vyos:~$ show ip route isis -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -I 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 inactive, weight 1, 00:07:48 -I>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1, label IPv4 Explicit Null, weight 1, 00:03:39 - -Node-2@vyos:~$ show ip route isis -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -I 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 inactive, weight 1, 00:07:46 -I>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1, label IPv4 Explicit Null, weight 1, 00:03:43 -``` - -### Enable IS-IS with Segment Routing over IPv6 (Experimental) - -**Node 1:** - -```none -set interfaces dummy dum6 description "SRv6 IS-IS" -set interfaces ethernet eth1 address '192.0.2.1/24' -set interfaces loopback lo address '192.168.255.255/32' - -set protocols segment-routing srv6 locator MAIN prefix 2001:db8:1::/64 -set protocols segment-routing interface eth1 - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5255.00' -set protocols isis segment-routing srv6 locator MAIN -set protocols isis segment-routing srv6 interface dum6 -``` - -**Node 2:** - -```none -set interfaces dummy dum6 description "SRv6 IS-IS" -set interfaces ethernet eth1 address '192.0.2.2/24' -set interfaces loopback lo address '192.168.255.254/32' - -set protocols segment-routing srv6 locator MAIN prefix 2001:db8:2::/64 -set protocols segment-routing interface eth1 - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5254.00' -set protocols isis segment-routing srv6 locator MAIN -set protocols isis segment-routing srv6 interface dum6 -``` - -### Enable IS-IS with Segment Routing over IPv6 (uSID) (Experimental) - -**Node 1:** - -```none -set interfaces dummy dum6 description "SRv6 IS-IS" -set interfaces ethernet eth1 address '192.0.2.1/24' -set interfaces loopback lo address '192.168.255.255/32' - -set protocols segment-routing interface eth1 -set protocols segment-routing srv6 locator MAIN prefix 2001:db8:1::/48 -set protocols segment-routing srv6 locator MAIN behavior-usid -set protocols segment-routing srv6 locator MAIN block-len 32 -set protocols segment-routing srv6 locator MAIN format usid-f3216 -set protocols segment-routing srv6 locator MAIN func-bits 16 -set protocols segment-routing srv6 locator MAIN node-len 16 - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5255.00' -set protocols isis segment-routing srv6 interface dum6 -set protocols isis segment-routing srv6 locator MAIN -``` - -**Node 2:** - -```none -set interfaces dummy dum6 description "SRv6 IS-IS" -set interfaces ethernet eth1 address '192.0.2.2/24' -set interfaces loopback lo address '192.168.255.254/32' - -set protocols segment-routing interface eth1 -set protocols segment-routing srv6 locator MAIN prefix 2001:db8:2::/48 -set protocols segment-routing srv6 locator MAIN behavior-usid -set protocols segment-routing srv6 locator MAIN block-len 32 -set protocols segment-routing srv6 locator MAIN format usid-f3216 -set protocols segment-routing srv6 locator MAIN func-bits 16 -set protocols segment-routing srv6 locator MAIN node-len 16 - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5254.00' -set protocols isis segment-routing srv6 interface dum6 -set protocols isis segment-routing srv6 locator MAIN -``` diff --git a/docs/configuration/protocols/md-mpls.md b/docs/configuration/protocols/md-mpls.md deleted file mode 100644 index 71b14be2..00000000 --- a/docs/configuration/protocols/md-mpls.md +++ /dev/null @@ -1,285 +0,0 @@ -(mpls)= - -# MPLS - -{abbr}`MPLS (Multi-Protocol Label Switching)` is a packet forwarding paradigm -which differs from regular IP forwarding. Instead of IP addresses being used to -make the decision on finding the exit interface, a router will instead use an -exact match on a 32 bit/4 byte header called the MPLS label. This label is -inserted between the ethernet (layer 2) header and the IP (layer 3) header. -One can statically or dynamically assign label allocations, but we will focus -on dynamic allocation of labels using some sort of label distribution protocol -(such as the aptly named Label Distribution Protocol / LDP, Resource Reservation -Protocol / RSVP, or Segment Routing through OSPF/ISIS). These protocols allow -for the creation of a unidirectional/unicast path called a labeled switched -path (initialized as LSP) throughout the network that operates very much like -a tunnel through the network. An easy way of thinking about how an MPLS LSP -actually forwards traffic throughout a network is to think of a GRE tunnel. -They are not the same in how they operate, but they are the same in how they -handle the tunneled packet. It would be good to think of MPLS as a tunneling -technology that can be used to transport many different types of packets, to -aid in traffic engineering by allowing one to specify paths throughout the -network (using RSVP or SR), and to generally allow for easier intra/inter -network transport of data packets. - -For more information on how MPLS label switching works, please go visit -[Wikipedia (MPLS)]. - -:::{note} -MPLS support in VyOS is not finished yet, and therefore its -functionality is limited. Currently there is no support for MPLS enabled VPN -services such as L2VPNs and mVPNs. RSVP support is also not present as the -underlying routing stack (FRR) does not implement it. Currently VyOS -implements LDP as described in RFC 5036; other LDP standard are the -following ones: RFC 6720, RFC 6667, RFC 5919, RFC 5561, RFC 7552, RFC 4447. -Because MPLS is already available (FRR also supports RFC 3031). -::: - -## Label Distribution Protocol - -The {abbr}`MPLS (Multi-Protocol Label Switching)` architecture does not assume -a single protocol to create MPLS paths. VyOS supports the Label Distribution -Protocol (LDP) as implemented by FRR, based on {rfc}`5036`. - -{abbr}`LDP (Label Distribution Protocol)` is a TCP based MPLS signaling protocol -that distributes labels creating MPLS label switched paths in a dynamic manner. -LDP is not a routing protocol, as it relies on other routing protocols for -forwarding decisions. LDP cannot bootstrap itself, and therefore relies on said -routing protocols for communication with other routers that use LDP. - -In order to allow for LDP on the local router to exchange label advertisements -with other routers, a TCP session will be established between automatically -discovered and statically assigned routers. LDP will try to establish a TCP -session to the **transport address** of other routers. Therefore for LDP to -function properly please make sure the transport address is shown in the -routing table and reachable to traffic at all times. - -It is highly recommended to use the same address for both the LDP router-id and -the discovery transport address, but for VyOS MPLS LDP to work both parameters -must be explicitly set in the configuration. - -Another thing to keep in mind with LDP is that much like BGP, it is a protocol -that runs on top of TCP. It however does not have an ability to do something -like a refresh capability like BGPs route refresh capability. Therefore one -might have to reset the neighbor for a capability change or a configuration -change to work. - -## Configuration Options - -```{cfgcmd} set protocols mpls interface \<interface\> - -Use this command to enable MPLS processing on the interface you define. -``` - - -```{cfgcmd} set protocols mpls ldp interface \<interface\> - -Use this command to enable LDP on the interface you define. -``` - - -```{cfgcmd} set protocols mpls ldp router-id \<address\> - -Use this command to configure the IP address used as the LDP router-id of the -local device. -``` - - -```{cfgcmd} set protocols mpls ldp discovery transport-ipv4-address \<address\> - -``` -```{cfgcmd} set protocols mpls ldp discovery transport-ipv6-address \<address\> - -Use this command to set the IPv4 or IPv6 transport-address used by LDP. -``` - -```{cfgcmd} set protocols mpls ldp neighbor \<address\> password \<password\> - -Use this command to configure authentication for LDP peers. Set the -IP address of the LDP peer and a password that should be shared in -order to become neighbors. -``` - -```{cfgcmd} set protocols mpls ldp neighbor \<address\> session-holdtime \<seconds\> - -Use this command to configure a specific session hold time for LDP peers. -Set the IP address of the LDP peer and a session hold time that should be -configured for it. You may have to reset the neighbor for this to work. -``` - -```{cfgcmd} set protocols mpls ldp neighbor \<address\> ttl-security \<disable | hop count\> - -Use this command to enable, disable, or specify hop count for TTL security -for LDP peers. By default the value is set to 255 (or max TTL). -``` - -```{eval-rst} -.. cfgcmd:: set protocols mpls ldp discovery hello-ipv4-interval <seconds> -.. cfgcmd:: set protocols mpls ldp discovery hello-ipv4-holdtime <seconds> -.. cfgcmd:: set protocols mpls ldp discovery hello-ipv6-interval <seconds> -.. cfgcmd:: set protocols mpls ldp discovery hello-ipv6-holdtime <seconds> - - Use these commands if you would like to set the discovery hello and hold time - parameters. -``` - -```{eval-rst} -.. cfgcmd:: set protocols mpls ldp discovery session-ipv4-holdtime <seconds> -.. cfgcmd:: set protocols mpls ldp discovery session-ipv6-holdtime <seconds> - - Use this command if you would like to set the TCP session hold time intervals. -``` - -```{eval-rst} -.. cfgcmd:: set protocols mpls ldp import ipv4 import-filter filter-access-list - <access list number> -.. cfgcmd:: set protocols mpls ldp import ipv6 import-filter filter-access-list6 - <access list number> - - Use these commands to control the importing of forwarding equivalence classes - (FECs) for LDP from neighbors. This would be useful for example on only - accepting the labeled routes that are needed and not ones that are not - needed, such as accepting loopback interfaces and rejecting all others. -``` - -```{eval-rst} -.. cfgcmd:: set protocols mpls ldp export ipv4 export-filter filter-access-list - <access list number> -.. cfgcmd:: set protocols mpls ldp export ipv6 export-filter filter-access-list6 - <access list number> - - Use these commands to control the exporting of forwarding equivalence classes - (FECs) for LDP to neighbors. This would be useful for example on only - announcing the labeled routes that are needed and not ones that are not - needed, such as announcing loopback interfaces and no others. -``` - -```{eval-rst} -.. cfgcmd:: set protocols mpls ldp export ipv4 explicit-null -.. cfgcmd:: set protocols mpls ldp export ipv6 explicit-null - - Use this command if you would like for the router to advertise FECs with a - label of 0 for explicit null operations. -``` - -```{eval-rst} -.. cfgcmd:: set protocols mpls ldp allocation ipv4 access-list <access list number> -.. cfgcmd:: set protocols mpls ldp allocation ipv6 access-list6 <access list number> - - Use this command if you would like to control the local FEC allocations for - LDP. A good example would be for your local router to not allocate a label for - everything. Just a label for what it's useful. A good example would be just a - loopback label. -``` - -```{cfgcmd} set protocols mpls ldp parameters cisco-interop-tlv - -Use this command to use a Cisco non-compliant format to send and interpret -the Dual-Stack capability TLV for IPv6 LDP communications. This is related to -{rfc}`7552`. -``` - -```{cfgcmd} set protocols mpls ldp parameters ordered-control - -Use this command to use ordered label distribution control mode. FRR -by default uses independent label distribution control mode for label -distribution. This is related to {rfc}`5036`. -``` - -```{cfgcmd} set protocols mpls ldp parameters transport-prefer-ipv4 - -Use this command to prefer IPv4 for TCP peer transport connection for LDP -when both an IPv4 and IPv6 LDP address are configured on the same interface. -``` - -```{cfgcmd} set protocols mpls ldp targeted-neighbor ipv4 enable -``` - -```{cfgcmd} set protocols mpls ldp targeted-neighbor ipv6 enable - -Use this command to enable targeted LDP sessions to the local router. The -router will then respond to any sessions that are trying to connect to it that -are not a link local type of TCP connection. -``` - -```{cfgcmd} set protocols mpls ldp targeted-neighbor ipv4 address \<address\> -``` - -```{cfgcmd} set protocols mpls ldp targeted-neighbor ipv6 address \<address\> - -Use this command to enable the local router to try and connect with a targeted -LDP session to another router. -``` - -```{cfgcmd} set protocols mpls ldp targeted-neighbor ipv4 hello-holdtime \<seconds\> -``` - -```{cfgcmd} set protocols mpls ldp targeted-neighbor ipv4 hello-interval \<seconds\> -``` - -```{cfgcmd} set protocols mpls ldp targeted-neighbor ipv6 hello-holdtime \<seconds\> -``` - -```{cfgcmd} set protocols mpls ldp targeted-neighbor ipv6 hello-interval \<seconds\> - -Use these commands if you would like to set the discovery hello and hold time -parameters for the targeted LDP neighbors. -``` - -### Sample configuration to setup LDP on VyOS - -```none -set protocols ospf area 0 network '192.168.255.252/32' <--- Routing for loopback -set protocols ospf area 0 network '192.168.0.5/32' <--- Routing for an interface connecting to the network -set protocols ospf parameters router-id '192.168.255.252' <--- Router ID setting for OSPF -set protocols mpls interface 'eth1' <--- Enable MPLS for an interface connecting to network -set protocols mpls ldp discovery transport-ipv4-address '192.168.255.252' <--- Transport address for LDP for TCP sessions to connect to -set protocols mpls ldp interface 'eth1' <--- Enable LDP for an interface connecting to network -set protocols mpls ldp interface 'lo' <--- Enable LDP on loopback for future services connectivity -set protocols mpls ldp router-id '192.168.255.252' <--- Router ID setting for LDP -set interfaces ethernet eth1 address '192.168.0.5/31' <--- Interface IP for connecting to network -set interfaces loopback lo address '192.168.255.252/32' <--- Interface loopback IP for router ID and other uses -``` - -## Operational Mode Commands - -When LDP is working, you will be able to see label information in the outcome -of `show ip route`. Besides that information, there are also specific *show* -commands for LDP: - -### Show - -```{opcmd} show mpls ldp binding - -Use this command to see the Label Information Base. - -``` - -```{opcmd} show mpls ldp discovery - -Use this command to see discovery hello information -``` - -```{opcmd} show mpls ldp interface - -Use this command to see LDP interface information -``` - -```{opcmd} show mpls ldp neighbor - -Use this command to see LDP neighbor information -``` - -```{opcmd} show mpls ldp neighbor detail - -Use this command to see detailed LDP neighbor information -``` - -### Reset - -```{opcmd} reset mpls ldp neighbor \<IPv4 or IPv6 address\> - -Use this command to reset an LDP neighbor/TCP session that is established -``` - -[wikipedia (mpls)]: <https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching> diff --git a/docs/configuration/protocols/md-multicast.md b/docs/configuration/protocols/md-multicast.md deleted file mode 100644 index 27150a29..00000000 --- a/docs/configuration/protocols/md-multicast.md +++ /dev/null @@ -1,31 +0,0 @@ -(routing-static)= - -# Multicast - -In order to influence Multicast {abbr}`RPF (Reverse Path Forwarding)` lookup, -it is possible to insert into zebra routes for the Multicast -{abbr}`RIB (Routing Information Base)`. These routes are only used for RPF -lookup and will not be used by ZEBRA for insertion into the kernel or for -normal RIB processing. As such it is possible to create weird states with -these commands. - -Use with caution. Most of the time this will not be necessary. - -```{cfgcmd} set protocols static mroute \<subnet\> next-hop \<address\> [distance \<distance\>] - -Insert into the Multicast RIB Route `<subnet>` with specified next-hop. -The distance can be specified as well if desired. -``` -```{cfgcmd} set protocols static mroute \<subnet\> next-hop \<address\> disable - -Do not install route for `<subnet>` into the Multicast RIB. -``` -```{cfgcmd} set protocols static mroute \<subnet\> interface \<interface\> [distance \<distance\>] - -Insert into the Multicast RIB Route `<subnet>` with specified `<interface>`. -The distance can be specified as well if desired. -``` -```{cfgcmd} set protocols static mroute \<subnet\> interface \<interface\> disable - -Do not install route for `<subnet>` into the Multicast RIB. -```
\ No newline at end of file diff --git a/docs/configuration/protocols/md-openfabric.md b/docs/configuration/protocols/md-openfabric.md deleted file mode 100644 index 09ff5900..00000000 --- a/docs/configuration/protocols/md-openfabric.md +++ /dev/null @@ -1,242 +0,0 @@ -(openfabric)= - -# OpenFabric - -OpenFabric, specified in [draft-white-openfabric-06.txt](https://datatracker.ietf.org/doc/html/draft-white-openfabric-06), is -a routing protocol derived from IS-IS, providing link-state routing with -efficient flooding for topologies like spine-leaf networks. - -OpenFabric a dual stack protocol. -A single OpenFabric instance is able to perform routing for both IPv4 and IPv6. - -## General - -### Configuration - -#### Mandatory Settings - -For OpenFabric to operate correctly, one must do the equivalent of a Router ID -in Connectionless Network Service (CLNS). This Router ID is called the -{abbr}`NET (Network Entity Title)`. The system identifier must be unique within -the network - -```{cfgcmd} set protocols openfabric net \<network-entity-title\> - -This command sets network entity title (NET) provided in ISO format. - -Here is an example {abbr}`NET (Network Entity Title)` value: - -:::{code-block} none -49.0001.1921.6800.1002.00 -::: -The CLNS address consists of the following parts: - -* {abbr}`AFI (Address family authority identifier)` - ``49`` The AFI value - 49 is what OpenFabric uses for private addressing. - -* Area identifier: ``0001`` OpenFabric area number (numerical area ``1``) - -* System identifier: ``1921.6800.1002`` - for system identifiers we recommend - to use IP address or MAC address of the router itself. The way to construct - this is to keep all of the zeroes of the router IP address, and then change - the periods from being every three numbers to every four numbers. The - address that is listed here is ``192.168.1.2``, which if expanded will turn - into ``192.168.001.002``. Then all one has to do is move the dots to have - four numbers instead of three. This gives us ``1921.6800.1002``. - -* {abbr}`NET (Network Entity Title)` selector: ``00`` Must always be 00. This - setting indicates "this system" or "local system." -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> interface \<interface\> address-family \<ipv4|ipv6\> - -This command enables OpenFabric instance with \<NAME\> on this interface, and -allows for adjacency to occur for address family (IPv4 or IPv6 or both). -``` - -#### OpenFabric Global Configuration - -```{cfgcmd} set protocols openfabric domain-password \<plaintext-password|md5\> \<password\> - -This command configures the authentication password for a routing domain, -as clear text or md5 one. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> purge-originator - -This command enables {rfc}`6232` purge originator identification. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> set-overload-bit - -This command sets overload bit to avoid any transit traffic through this -router. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> log-adjacency-changes - -Log changes in adjacency state. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> fabric-tier \<number\> - -This command sets a static tier number to advertise as location -in the fabric. -``` - -#### Interface Configuration - -```{cfgcmd} set protocols openfabric interface \<interface\> hello-interval \<seconds\> - -This command sets hello interval in seconds on a given interface. -The range is 1 to 600. Hello packets are used to establish and maintain -adjacency between OpenFabric neighbors. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> interface \<interface\> hello-multiplier \<number\> - -This command sets multiplier for hello holding time on a given -interface. The range is 2 to 100. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> interface \<interface\> metric \<metric\> - -This command sets default metric for circuit. -The metric range is 1 to 16777215. -``` - - -```{cfgcmd} set protocols openfabric interface \<interface\> passive - -This command enables the passive mode for this interface. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> interface \<interface\> password plaintext-password \<text\> - -This command sets the authentication password for the interface. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> interface \<interface\> csnp-interval \<seconds\> - -This command sets Complete Sequence Number Packets (CSNP) interval in seconds. -The interval range is 1 to 600. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> interface \<interface\> psnp-interval \<number\> - -This command sets Partial Sequence Number Packets (PSNP) interval in seconds. -The interval range is 1 to 120. -``` - -#### Timers - -```{cfgcmd} set protocols openfabric domain \<name\> lsp-gen-interval \<seconds\> - -This command sets minimum interval at which link-state packets (LSPs) are -generated. The interval range is 1 to 120. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> lsp-refresh-interval \<seconds\> - -This command sets LSP refresh interval in seconds. The interval range -is 1 to 65235. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> max-lsp-lifetime \<seconds\> - -This command sets LSP maximum LSP lifetime in seconds. The interval range -is 360 to 65535. LSPs remain in a database for 1200 seconds by default. -If they are not refreshed by that time, they are deleted. You can change -the LSP refresh interval or the LSP lifetime. The LSP refresh interval -should be less than the LSP lifetime or else LSPs will time out before -they are refreshed. -``` - - -```{cfgcmd} set protocols openfabric domain \<name\> spf-interval \<seconds\> - -This command sets minimum interval between consecutive shortest path first -(SPF) calculations in seconds.The interval range is 1 to 120. -``` - -## Examples -### Enable OpenFabric - -**Node 1:** - -```none -set interfaces loopback lo address '192.168.255.255/32' -set interfaces ethernet eth1 address '192.0.2.1/24' - -set protocols openfabric domain VyOS interface eth1 address-family ipv4 -set protocols openfabric domain VyOS interface lo address-family ipv4 -set protocols openfabric net '49.0001.1921.6825.5255.00' -``` - -**Node 2:** - -```none -set interfaces loopback lo address '192.168.255.254/32' -set interfaces ethernet eth1 address '192.0.2.2/24' - -set protocols openfabric domain VyOS interface eth1 address-family ipv4 -set protocols openfabric domain VyOS interface lo address-family ipv4 -set protocols openfabric net '49.0001.1921.6825.5254.00' -``` - -This gives us the following neighborships: - -```none -Node-1@vyos:~$ show openfabric neighbor -show openfabric neighbor -Area VyOS: - System Id Interface L State Holdtime SNPA - vyos eth1 2 Up 27 2020.2020.2020 - - -Node-2@vyos:~$ show openfabric neighbor -show openfabric neighbor -Area VyOS: - System Id Interface L State Holdtime SNPA - vyos eth1 2 Up 30 2020.2020.2020 -``` - -Here's the IP routes that are populated: - -```none -Node-1@vyos:~$ show ip route openfabric -show ip route openfabric -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -f 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 onlink, weight 1, 00:00:10 -f>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1 onlink, weight 1, 00:00:10 - -Node-2@vyos:~$ show ip route openfabric -show ip route openfabric -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -f 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 onlink, weight 1, 00:00:48 -f>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1 onlink, weight 1, 00:00:48 -``` diff --git a/docs/configuration/protocols/md-ospf.md b/docs/configuration/protocols/md-ospf.md deleted file mode 100644 index 72fefb84..00000000 --- a/docs/configuration/protocols/md-ospf.md +++ /dev/null @@ -1,1504 +0,0 @@ -(routing-ospf)= - -# OSPF - -{abbr}`OSPF (Open Shortest Path First)` is a routing protocol for Internet -Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls -into the group of interior gateway protocols (IGPs), operating within a single -autonomous system (AS). It is defined as OSPF Version 2 in {rfc}`2328` (1998) -for IPv4. Updates for IPv6 are specified as OSPF Version 3 in {rfc}`5340` -(2008). OSPF supports the {abbr}`CIDR (Classless Inter-Domain Routing)` -addressing model. - -OSPF is a widely used IGP in large enterprise networks. - -## OSPFv2 (IPv4) - -### Configuration - -#### General - -VyOS does not have a special command to start the OSPF process. The OSPF process -starts when the first ospf enabled interface is configured. - -```{cfgcmd} set protocols ospf area \<number\> network \<A.B.C.D/M\> - - This command specifies the OSPF enabled interface(s). If the interface has - an address from defined range then the command enables OSPF on this - interface so router can provide network information to the other ospf - routers via this interface. - - This command is also used to enable the OSPF process. The area number can be - specified in decimal notation in the range from 0 to 4294967295. Or it - can be specified in dotted decimal notation similar to ip address. - - Prefix length in interface must be equal or bigger (i.e. smaller network) - than prefix length in network statement. For example statement above doesn't - enable ospf on interface with address 192.168.1.1/23, but it does on - interface with address 192.168.1.129/25. - - In some cases it may be more convenient to enable OSPF on a per - interface/subnet - basis {cfgcmd}`set protocols ospf interface <interface> area <x.x.x.x | x>` -``` - - -```{cfgcmd} set protocols ospf auto-cost reference-bandwidth \<number\> - -This command sets the reference bandwidth for cost calculations, where -bandwidth can be in range from 1 to 4294967, specified in Mbits/s. The -default is 100Mbit/s (i.e. a link of bandwidth 100Mbit/s or higher will -have a cost of 1. Cost of lower bandwidth links will be scaled with -reference to this cost). -``` - - -```{cfgcmd} set protocols ospf parameters router-id \<rid\> - -This command sets the router-ID of the OSPF process. The router-ID may be an -IP address of the router, but need not be – it can be any arbitrary 32bit -number. However it MUST be unique within the entire OSPF domain to the OSPF -speaker – bad things will happen if multiple OSPF speakers are configured -with the same router-ID! -``` - -#### Optional - -```{cfgcmd} set protocols ospf default-information originate [always] [metric \<number\>] [metric-type \<1|2\>] [route-map \<name\>] - -Originate an AS-External (type-5) LSA describing a default route into all -external-routing capable areas, of the specified metric and metric type. -If the {cfgcmd}`always` keyword is given then the default is always -advertised, even when there is no default present in the routing table. -The argument {cfgcmd}`route-map` specifies to advertise the default route -if the route map is satisfied. -``` - - -```{cfgcmd} set protocols ospf distance global \<distance\> - -This command change distance value of OSPF globally. -The distance range is 1 to 255. -``` - - -```{cfgcmd} set protocols ospf distance ospf \<external|inter-area|intra-area\> \<distance\> - -This command change distance value of OSPF. The arguments are the distance -values for external routes, inter-area routes and intra-area routes -respectively. The distance range is 1 to 255. - -:::{note} -Routes with a distance of 255 are effectively disabled and not -installed into the kernel. -::: -``` - - -```{cfgcmd} set protocols ospf log-adjacency-changes [detail] - -This command allows to log changes in adjacency. With the optional -{cfgcmd}`detail` argument, all changes in adjacency status are shown. -Without {cfgcmd}`detail`, only changes to full or regressions are shown. -``` - - -```{cfgcmd} set protocols ospf max-metric router-lsa \<administrative|on-shutdown <seconds\>|on-startup \<seconds\>> - -This enables {rfc}`3137` support, where the OSPF process describes its -transit links in its router-LSA as having infinite distance so that other -routers will avoid calculating transit paths through the router while -still being able to reach networks through the router. - -This support may be enabled administratively (and indefinitely) with the -{cfgcmd}`administrative` command. It may also be enabled conditionally. -Conditional enabling of max-metric router-lsas can be for a period of -seconds after startup with the {cfgcmd}`on-startup <seconds>` command -and/or for a period of seconds prior to shutdown with the -{cfgcmd}`on-shutdown <seconds>` command. The time range is 5 to 86400. -``` - - -```{cfgcmd} set protocols ospf parameters abr-type \<cisco|ibm|shortcut|standard\> - -This command selects ABR model. OSPF router supports four ABR models: - -**cisco** – a router will be considered as ABR if it has several configured -links to the networks in different areas one of which is a backbone area. -Moreover, the link to the backbone area should be active (working). -**ibm** – identical to "cisco" model but in this case a backbone area link -may not be active. -**standard** – router has several active links to different areas. -**shortcut** – identical to "standard" but in this model a router is -allowed to use a connected areas topology without involving a backbone -area for inter-area connections. - -Detailed information about "cisco" and "ibm" models differences can be -found in {rfc}`3509`. A "shortcut" model allows ABR to create routes -between areas based on the topology of the areas connected to this router -but not using a backbone area in case if non-backbone route will be -cheaper. For more information about "shortcut" model, -see ospf-shortcut-abr-02.txt -``` - - -```{cfgcmd} set protocols ospf parameters rfc1583-compatibility - -{rfc}`2328`, the successor to {rfc}`1583`, suggests according to section -G.2 (changes) in section 16.4.1 a change to the path preference algorithm -that prevents possible routing loops that were possible in the old version -of OSPFv2. More specifically it demands that inter-area paths and -intra-area backbone path are now of equal preference but still both -preferred to external paths. - -This command should NOT be set normally. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> passive [disable] - -This command specifies interface as passive. Passive interface advertises -its address, but does not run the OSPF protocol (adjacencies are not formed -and hello packets are not generated). - -The optional disable option allows to exclude interface from passive state. -This command is used if the command {cfgcmd}`passive-interface default` was -configured. -``` - - -```{cfgcmd} set protocols ospf passive-interface default - -This command specifies all interfaces as passive by default. Because this -command changes the configuration logic to a default passive; therefore, -interfaces where router adjacencies are expected need to be configured -with the {cfgcmd}`passive-interface-exclude` command. -``` - - -```{cfgcmd} set protocols ospf maximum-paths \<1-64\> - -Use this command to control the maximum number of equal cost paths to reach -a specific destination. The upper limit may differ if you change the value -of MULTIPATH_NUM during compilation. The default is MULTIPATH_NUM (64). -``` - - -```{cfgcmd} set protocols ospf refresh timers \<seconds\> - -The router automatically updates link-state information with its neighbors. -Only an obsolete information is updated which age has exceeded a specific -threshold. This parameter changes a threshold value, which by default is -1800 seconds (half an hour). The value is applied to the whole OSPF router. -The timer range is 10 to 1800. -``` - - -```{cfgcmd} set protocols ospf timers throttle spf \<delay|initial-holdtime|max-holdtime\> \<seconds\> - -This command sets the initial delay, the initial-holdtime and the -maximum-holdtime between when SPF is calculated and the event which -triggered the calculation. The times are specified in milliseconds and must -be in the range of 0 to 600000 milliseconds. {cfgcmd}`delay` sets the -initial SPF schedule delay in milliseconds. The default value is 200 ms. -{cfgcmd}`initial-holdtime` sets the minimum hold time between two -consecutive SPF calculations. The default value is 1000 ms. -{cfgcmd}`max-holdtime` sets the maximum wait time between two -consecutive SPF calculations. The default value is 10000 ms. -``` - - -```{cfgcmd} set protocols ospf ldp-sync - -This command will enable IGP-LDP synchronization globally for OSPF. This -requires for LDP to be functional. This is described in {rfc}`5443`. By -default all interfaces operational in OSPF are enabled for synchronization. -Loopbacks are exempt. -``` - - -```{cfgcmd} set protocols ospf ldp-sync holddown \<seconds\> - -This command will change the hold down value globally for IGP-LDP -synchronization during convergence/interface flap events. -``` - - -```{cfgcmd} set protocols ospf capability opaque - -ospfd supports Opaque LSA {rfc}`2370` as partial support for MPLS Traffic -Engineering LSAs. The opaque-lsa capability must be enabled in the -configuration. - -An alternate command could be "mpls-te on" (Traffic Engineering) - -:::{note} -FRR offers only partial support for some of the routing -protocol extensions that are used with MPLS-TE; it does not -support a complete RSVP-TE solution. -::: -``` - -#### Area Configuration - -```{cfgcmd} set protocols ospf area \<number\> area-type stub - -This command specifies the area to be a Stub Area. That is, an area where -no router originates routes external to OSPF and hence an area where all -external routes are via the ABR(s). Hence, ABRs for such an area do not -need to pass AS-External LSAs (type-5) or ASBR-Summary LSAs (type-4) into -the area. They need only pass Network-Summary (type-3) LSAs into such an -area, along with a default-route summary. -``` - - -```{cfgcmd} set protocols ospf area \<number\> area-type stub no-summary - -This command specifies the area to be a Totally Stub Area. In addition to -stub area limitations this area type prevents an ABR from injecting -Network-Summary (type-3) LSAs into the specified stub area. Only default -summary route is allowed. -``` - - -```{cfgcmd} set protocols ospf area \<number\> area-type stub default-cost \<number\> - -This command sets the cost of default-summary LSAs announced to stubby -areas. The cost range is 0 to 16777215. -``` - - -```{cfgcmd} set protocols ospf area \<number\> area-type nssa - -This command specifies the area to be a Not So Stubby Area. External -routing information is imported into an NSSA in Type-7 LSAs. Type-7 LSAs -are similar to Type-5 AS-external LSAs, except that they can only be -flooded into the NSSA. In order to further propagate the NSSA external -information, the Type-7 LSA must be translated to a Type-5 AS-external-LSA -by the NSSA ABR. -``` - - -```{cfgcmd} set protocols ospf area \<number\> area-type nssa no-summary - -This command specifies the area to be a NSSA Totally Stub Area. ABRs for -such an area do not need to pass Network-Summary (type-3) LSAs (except the -default summary route), ASBR-Summary LSAs (type-4) and AS-External LSAs -(type-5) into the area. But Type-7 LSAs that convert to Type-5 at the NSSA -ABR are allowed. -``` - - -```{cfgcmd} set protocols ospf area \<number\> area-type nssa default-cost \<number\> - -This command sets the default cost of LSAs announced to NSSA areas. -The cost range is 0 to 16777215. -``` - - -```{cfgcmd} set protocols ospf area \<number\> area-type nssa translate \<always|candidate|never\> - -Specifies whether this NSSA border router will unconditionally translate -Type-7 LSAs into Type-5 LSAs. When role is Always, Type-7 LSAs are -translated into Type-5 LSAs regardless of the translator state of other -NSSA border routers. When role is Candidate, this router participates in -the translator election to determine if it will perform the translations -duties. When role is Never, this router will never translate Type-7 LSAs -into Type-5 LSAs. -``` - - -```{cfgcmd} set protocols ospf area \<number\> authentication plaintext-password - -This command specifies that simple password authentication should be used -for the given area. The password must also be configured on a per-interface -basis. -``` - - -```{cfgcmd} set protocols ospf area \<number\> authentication md5 - -This command specify that OSPF packets must be authenticated with MD5 HMACs -within the given area. Keying material must also be configured on a -per-interface basis. -``` - - -```{cfgcmd} set protocols ospf area \<number\> range \<A.B.C.D/M\> [cost \<number\>] - -This command summarizes intra area paths from specified area into one -summary-LSA (Type-3) announced to other areas. This command can be used -only in ABR and ONLY router-LSAs (Type-1) and network-LSAs (Type-2) -(i.e. LSAs with scope area) can be summarized. AS-external-LSAs (Type-5) -can’t be summarized - their scope is AS. The optional argument -{cfgcmd}`cost` specifies the aggregated link metric. The metric range is 0 -to 16777215. -``` - - -```{cfgcmd} set protocols ospf area \<number\> range \<A.B.C.D/M\> not-advertise - -This command instead of summarizing intra area paths filter them - i.e. -intra area paths from this range are not advertised into other areas. -This command makes sense in ABR only. -``` - - -```{cfgcmd} set protocols ospf area \<number\> export-list \<acl_number\> - -Filter Type-3 summary-LSAs announced to other areas originated from -intra- area paths from specified area. -This command makes sense in ABR only. -``` - - -```{cfgcmd} set protocols ospf area \<number\> import-list \<acl_number\> - -Same as export-list, but it applies to paths announced into specified -area as Type-3 summary-LSAs. -This command makes sense in ABR only. -``` - - -```{cfgcmd} set protocols ospf area \<number\> range \<A.B.C.D/M\> substitute \<E.F.G.H/M\> - -One Type-3 summary-LSA with routing info <E.F.G.H/M> is announced into -backbone area if defined area contains at least one intra-area network -(i.e. described with router-LSA or network-LSA) from range <A.B.C.D/M>. -This command makes sense in ABR only. -``` - - -```{cfgcmd} set protocols ospf area \<number\> shortcut \<default|disable|enable\> - -This parameter allows to "shortcut" routes (non-backbone) for inter-area -routes. There are three modes available for routes shortcutting: - -**default** – this area will be used for shortcutting only if ABR does not -have a link to the backbone area or this link was lost. -**enable** – the area will be used for shortcutting every time the route -that goes through it is cheaper. -**disable** – this area is never used by ABR for routes shortcutting. -``` - - -```{cfgcmd} set protocols ospf area \<number\> virtual-link \<A.B.C.D\> - -Provides a backbone area coherence by virtual link establishment. - -In general, OSPF protocol requires a backbone area (area 0) to be coherent -and fully connected. I.e. any backbone area router must have a route to any -other backbone area router. Moreover, every ABR must have a link to -backbone area. However, it is not always possible to have a physical link -to a backbone area. In this case between two ABR (one of them has a link to -the backbone area) in the area (not stub area) a virtual link is organized. - -\<number\> – area identifier through which a virtual link goes. -\<A.B.C.D\> – ABR router-id with which a virtual link is established. Virtual -link must be configured on both routers. - -Formally, a virtual link looks like a point-to-point network connecting two -ABR from one area one of which physically connected to a backbone area. -This pseudo-network is considered to belong to a backbone area. -``` - -#### Interface Configuration - -```{cfgcmd} set protocols ospf interface \<interface\> area \<x.x.x.x | x\> - - Enable ospf on an interface and set associated area. - - If you have a lot of interfaces, and/or a lot of subnets, then enabling - OSPF via this command may result in a slight performance improvement. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> authentication plaintext-password \<text\> - -This command sets OSPF authentication key to a simple password. After -setting, all OSPF packets are authenticated. Key has length up to 8 chars. - -Simple text password authentication is insecure and deprecated in favour of -MD5 HMAC authentication. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> authentication md5 key-id \<id\> md5-key \<text\> - -This command specifys that MD5 HMAC authentication must be used on this -interface. It sets OSPF authentication key to a cryptographic password. -Key-id identifies secret key used to create the message digest. This ID -is part of the protocol and must be consistent across routers on a link. -The key can be long up to 16 chars (larger strings will be truncated), -and is associated with the given key-id. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> bandwidth \<number\> - -This command sets the interface bandwidth for cost calculations, where -bandwidth can be in range from 1 to 100000, specified in Mbits/s. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> cost \<number\> - -This command sets link cost for the specified interface. The cost value is -set to router-LSA’s metric field and used for SPF calculation. The cost -range is 1 to 65535. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> dead-interval \<number\> - -Set number of seconds for router Dead Interval timer value used for Wait -Timer and Inactivity Timer. This value must be the same for all routers -attached to a common network. The default value is 40 seconds. The -interval range is 1 to 65535. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> hello-multiplier \<number\> - -The hello-multiplier specifies how many Hellos to send per second, from 1 -(every second) to 10 (every 100ms). Thus one can have 1s convergence time -for OSPF. If this form is specified, then the hello-interval advertised in -Hello packets is set to 0 and the hello-interval on received Hello packets -is not checked, thus the hello-multiplier need NOT be the same across -multiple routers on a common link. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> hello-interval \<number\> - -Set number of seconds for Hello Interval timer value. Setting this value, -Hello packet will be sent every timer value seconds on the specified -interface. This value must be the same for all routers attached to a -common network. The default value is 10 seconds. The interval range is 1 -to 65535. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> bfd - -This command enables {abbr}`BFD (Bidirectional Forwarding Detection)` on -this OSPF link interface. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> mtu-ignore - -This command disables check of the MTU value in the OSPF DBD packets. Thus, -use of this command allows the OSPF adjacency to reach the FULL state even -though there is an interface MTU mismatch between two OSPF routers. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> network \<type\> - -This command allows to specify the distribution type for the network -connected to this interface: - -**broadcast** – broadcast IP addresses distribution. -**non-broadcast** – address distribution in NBMA networks topology. -**point-to-multipoint** – address distribution in point-to-multipoint -networks. -**point-to-point** – address distribution in point-to-point networks. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> priority \<number\> - -This command sets Router Priority integer value. The router with the -highest priority will be more eligible to become Designated Router. -Setting the value to 0, makes the router ineligible to become -Designated Router. The default value is 1. The interval range is 0 to 255. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> retransmit-interval \<number\> - -This command sets number of seconds for RxmtInterval timer value. This -value is used when retransmitting Database Description and Link State -Request packets if acknowledge was not received. The default value is 5 -seconds. The interval range is 3 to 65535. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> transmit-delay \<number\> - -This command sets number of seconds for InfTransDelay value. It allows to -set and adjust for each interface the delay interval before starting the -synchronizing process of the router's database with all neighbors. The -default value is 1 seconds. The interval range is 3 to 65535. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> ldp-sync disable - -This command disables IGP-LDP sync for this specific interface. -``` - - -```{cfgcmd} set protocols ospf interface \<interface\> ldp-sync holddown \<seconds\> - -This command will change the hold down value for IGP-LDP synchronization -during convergence/interface flap events, but for this interface only. -``` - -#### External Route Summarisation - - -This feature summarises originated external LSAs (Type-5 and Type-7). Summary -Route will be originated on-behalf of all matched external LSAs. - -```{cfgcmd} set protocols ospf aggregation timer \<seconds\> - -Configure aggregation delay timer interval. - -Summarisation starts only after this delay timer expiry. -``` - - -```{cfgcmd} set protocols ospf summary-address x.x.x.x/y [tag (1-4294967295)] - -This command enable/disables summarisation for the configured address range. - -Tag is the optional parameter. If tag configured Summary route will be -originated with the configured tag. -``` - - -```{cfgcmd} set protocols ospf summary-address x.x.x.x/y no-advertise - -This command to ensure not advertise the summary lsa for the matched -external LSAs. -``` - -#### Graceful Restart - -```{cfgcmd} set protocols ospf graceful-restart [grace-period (1-1800)] - -Configure Graceful Restart {rfc}`3623` restarting support. When enabled, -the default grace period is 120 seconds. - -To perform a graceful shutdown, the FRR ``graceful-restart prepare ip -ospf`` EXEC-level command needs to be issued before restarting the -ospfd daemon. -``` - - -```{cfgcmd} set protocols ospf graceful-restart helper enable [router-id A.B.C.D] - -Configure Graceful Restart {rfc}`3623` helper support. By default, helper support -is disabled for all neighbours. This config enables/disables helper support -on this router for all neighbours. - -To enable/disable helper support for a specific neighbour, the router-id -(A.B.C.D) has to be specified. -``` - - -```{cfgcmd} set protocols ospf graceful-restart helper no-strict-lsa-checking - -By default strict-lsa-checking is configured then the helper will abort -the Graceful Restart when a LSA change occurs which affects the restarting -router. - -This command disables it. -``` - - -```{cfgcmd} set protocols ospf graceful-restart helper supported-grace-time - -Supports as HELPER for configured grace period. -``` - - -```{cfgcmd} set protocols ospf graceful-restart helper planned-only - -It helps to support as HELPER only for planned restarts. - -By default, it supports both planned and unplanned outages. -``` - -#### Manual Neighbor Configuration - - -OSPF routing devices normally discover their neighbors dynamically by -listening to the broadcast or multicast hello packets on the network. -Because an NBMA network does not support broadcast (or multicast), the -device cannot discover its neighbors dynamically, so you must configure all -the neighbors statically. - -```{cfgcmd} set protocols ospf neighbor \<A.B.C.D\> - -This command specifies the IP address of the neighboring device. -``` - - -```{cfgcmd} set protocols ospf neighbor \<A.B.C.D\> poll-interval \<seconds\> - -This command specifies the length of time, in seconds, before the routing -device sends hello packets out of the interface before it establishes -adjacency with a neighbor. The range is 1 to 65535 seconds. The default -value is 60 seconds. -``` - - -```{cfgcmd} set protocols ospf neighbor \<A.B.C.D\> priority \<number\> - -This command specifies the router priority value of the nonbroadcast -neighbor associated with the IP address specified. The default is 0. -This keyword does not apply to point-to-multipoint interfaces. -``` - -#### Redistribution Configuration - -```{cfgcmd} set protocols ospf redistribute \<route source\> - - This command redistributes routing information from the given route source - to the OSPF process. There are five modes available for route source: bgp, - connected, kernel, rip, static. -``` - - -```{cfgcmd} set protocols ospf default-metric \<number\> - -This command specifies the default metric value of redistributed routes. -The metric range is 0 to 16777214. -``` - - -```{cfgcmd} set protocols ospf redistribute \<route source\> metric \<number\> - -This command specifies metric for redistributed routes from the given -route source. There are five modes available for route source: bgp, -connected, kernel, rip, static. The metric range is 1 to 16777214. -``` - - -```{cfgcmd} set protocols ospf redistribute \<route source\> metric-type \<1|2\> - -This command specifies metric type for redistributed routes. Difference -between two metric types that metric type 1 is a metric which is -"commensurable" with inner OSPF links. When calculating a metric to the -external destination, the full path metric is calculated as a metric sum -path of a router which had advertised this link plus the link metric. -Thus, a route with the least summary metric will be selected. If external -link is advertised with metric type 2 the path is selected which lies -through the router which advertised this link with the least metric -despite of the fact that internal path to this router is longer (with more -cost). However, if two routers advertised an external link and with metric -type 2 the preference is given to the path which lies through the router -with a shorter internal path. If two different routers advertised two -links to the same external destimation but with different metric type, -metric type 1 is preferred. If type of a metric left undefined the router -will consider these external links to have a default metric type 2. -``` - - -```{cfgcmd} set protocols ospf redistribute \<route source\> route-map \<name\> - -This command allows to use route map to filter redistributed routes from -the given route source. There are five modes available for route source: -bgp, connected, kernel, rip, static. -``` - -#### Operational Mode Commands - -```{opcmd} show ip ospf neighbor - - This command displays the neighbors status. -``` - - -```none -Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL -10.0.13.1 1 Full/DR 38.365s 10.0.13.1 eth0:10.0.13.3 0 0 0 -10.0.23.2 1 Full/Backup 39.175s 10.0.23.2 eth1:10.0.23.3 0 0 0 -``` - - -```{opcmd} show ip ospf neighbor detail - -This command displays the neighbors information in a detailed form, not -just a summary table. -``` - - -```none - Neighbor 10.0.13.1, interface address 10.0.13.1 - - In the area 0.0.0.0 via interface eth0 - - Neighbor priority is 1, State is Full, 5 state changes - - Most recent state change statistics: - - Progressive change 11m55s ago - - DR is 10.0.13.1, BDR is 10.0.13.3 - - Options 2 *|-|-|-|-|-|E|- - - Dead timer due in 34.854s - - Database Summary List 0 - - Link State Request List 0 - - Link State Retransmission List 0 - - Thread Inactivity Timer on - - Thread Database Description Retransmision off - - Thread Link State Request Retransmission on - - Thread Link State Update Retransmission on - - -Neighbor 10.0.23.2, interface address 10.0.23.2 - - In the area 0.0.0.1 via interface eth1 - - Neighbor priority is 1, State is Full, 4 state changes - - Most recent state change statistics: - - Progressive change 41.193s ago - - DR is 10.0.23.3, BDR is 10.0.23.2 - - Options 2 *|-|-|-|-|-|E|- - - Dead timer due in 35.661s - - Database Summary List 0 - - Link State Request List 0 - - Link State Retransmission List 0 - - Thread Inactivity Timer on - - Thread Database Description Retransmision off - - Thread Link State Request Retransmission on - - Thread Link State Update Retransmission on -``` - - -```{opcmd} show ip ospf neighbor \<A.B.C.D\> - -This command displays the neighbors information in a detailed form for a -neighbor whose IP address is specified. -``` - - -```{opcmd} show ip ospf neighbor \<interface\> - -This command displays the neighbors status for a neighbor on the specified -interface. -``` - - -```{opcmd} show ip ospf interface [\<interface\>] - -This command displays state and configuration of OSPF the specified -interface, or all interfaces if no interface is given. -``` - - -```none -eth0 is up - ifindex 2, MTU 1500 bytes, BW 4294967295 Mbit <UP,BROADCAST,RUNNING,MULTICAST> - Internet Address 10.0.13.3/24, Broadcast 10.0.13.255, Area 0.0.0.0 - MTU mismatch detection: enabled - Router ID 10.0.23.3, Network Type BROADCAST, Cost: 1 - Transmit Delay is 1 sec, State Backup, Priority 1 - Backup Designated Router (ID) 10.0.23.3, Interface Address 10.0.13.3 - Multicast group memberships: OSPFAllRouters OSPFDesignatedRouters - Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5 - Hello due in 4.470s - Neighbor Count is 1, Adjacent neighbor count is 1 -eth1 is up - ifindex 3, MTU 1500 bytes, BW 4294967295 Mbit <UP,BROADCAST,RUNNING,MULTICAST> - Internet Address 10.0.23.3/24, Broadcast 10.0.23.255, Area 0.0.0.1 - MTU mismatch detection: enabled - Router ID 10.0.23.3, Network Type BROADCAST, Cost: 1 - Transmit Delay is 1 sec, State DR, Priority 1 - Backup Designated Router (ID) 10.0.23.2, Interface Address 10.0.23.2 - Saved Network-LSA sequence number 0x80000002 - Multicast group memberships: OSPFAllRouters OSPFDesignatedRouters - Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5 - Hello due in 4.563s - Neighbor Count is 1, Adjacent neighbor count is 1 -``` - - -```{opcmd} show ip ospf route [detail] - -This command displays the OSPF routing table, as determined by the most -recent SPF calculation. With the optional {cfgcmd}`detail` argument, -each route item's advertiser router and network attribute will be shown. -``` - - -```none -============ OSPF network routing table ============ -N IA 10.0.12.0/24 [3] area: 0.0.0.0 - via 10.0.13.3, eth0 -N 10.0.13.0/24 [1] area: 0.0.0.0 - directly attached to eth0 -N IA 10.0.23.0/24 [2] area: 0.0.0.0 - via 10.0.13.3, eth0 -N 10.0.34.0/24 [2] area: 0.0.0.0 - via 10.0.13.3, eth0 - -============ OSPF router routing table ============= -R 10.0.23.3 [1] area: 0.0.0.0, ABR - via 10.0.13.3, eth0 -R 10.0.34.4 [2] area: 0.0.0.0, ASBR - via 10.0.13.3, eth0 - -============ OSPF external routing table =========== -N E2 172.16.0.0/24 [2/20] tag: 0 - via 10.0.13.3, eth0 -``` - -The table consists of following data: - - -**OSPF network routing table** – includes a list of acquired routes for all -accessible networks (or aggregated area ranges) of OSPF system. "IA" flag -means that route destination is in the area to which the router is not -connected, i.e. it’s an inter-area path. In square brackets a summary metric -for all links through which a path lies to this network is specified. "via" -prefix defines a router-gateway, i.e. the first router on the way to the -destination (next hop). -**OSPF router routing table** – includes a list of acquired routes to all -accessible ABRs and ASBRs. -**OSPF external routing table** – includes a list of acquired routes that are -external to the OSPF process. "E" flag points to the external link metric type -(E1 – metric type 1, E2 – metric type 2). External link metric is printed in -the "\<metric of the router which advertised the link>/\<link metric>" format. - -```{opcmd} show ip ospf border-routers - -This command displays a table of paths to area boundary and autonomous -system boundary routers. -``` - - -```{opcmd} show ip ospf database - -This command displays a summary table with a database contents (LSA). -``` - - -```none - OSPF Router with ID (10.0.13.1) - - Router Link States (Area 0.0.0.0) - -Link ID ADV Router Age Seq# CkSum Link count -10.0.13.1 10.0.13.1 984 0x80000005 0xd915 1 -10.0.23.3 10.0.23.3 1186 0x80000008 0xfe62 2 -10.0.34.4 10.0.34.4 1063 0x80000004 0x4e3f 1 - - Net Link States (Area 0.0.0.0) - -Link ID ADV Router Age Seq# CkSum -10.0.13.1 10.0.13.1 994 0x80000003 0x30bb -10.0.34.4 10.0.34.4 1188 0x80000001 0x9411 - - Summary Link States (Area 0.0.0.0) - -Link ID ADV Router Age Seq# CkSum Route -10.0.12.0 10.0.23.3 1608 0x80000001 0x6ab6 10.0.12.0/24 -10.0.23.0 10.0.23.3 981 0x80000003 0xe232 10.0.23.0/24 - - AS External Link States - -Link ID ADV Router Age Seq# CkSum Route -172.16.0.0 10.0.34.4 1063 0x80000001 0xc40d E2 172.16.0.0/24 [0x0] -``` - - -```{opcmd} show ip ospf database \<type\> [A.B.C.D] [adv-router \<A.B.C.D\>|self-originate] - - This command displays a database contents for a specific link advertisement - type. - - The type can be the following: - asbr-summary, external, network, nssa-external, opaque-area, opaque-as, - opaque-link, router, summary. - - [A.B.C.D] – link-state-id. With this specified the command displays portion - of the network environment that is being described by the advertisement. - The value entered depends on the advertisement’s LS type. It must be - entered in the form of an IP address. - - {cfgcmd}`adv-router <A.B.C.D>` – router id, which link advertisements need - to be reviewed. - - {cfgcmd}`self-originate` displays only self-originated LSAs from the local - router. -``` - - -```none - OSPF Router with ID (10.0.13.1) - - Router Link States (Area 0.0.0.0) - -LS age: 1213 -Options: 0x2 : *|-|-|-|-|-|E|- -LS Flags: 0x3 -Flags: 0x0 -LS Type: router-LSA -Link State ID: 10.0.13.1 -Advertising Router: 10.0.13.1 -LS Seq Number: 80000009 -Checksum: 0xd119 -Length: 36 - - Number of Links: 1 - - Link connected to: a Transit Network - (Link ID) Designated Router address: 10.0.13.1 - (Link Data) Router Interface address: 10.0.13.1 - Number of TOS metrics: 0 - TOS 0 Metric: 1 -``` - - -```{opcmd} show ip ospf database max-age - -This command displays LSAs in MaxAge list. -``` - -#### Examples -### Enable OSPF - -**Node 1** - -```none -set interfaces loopback lo address 10.1.1.1/32 -set interfaces ethernet eth0 address 192.168.0.1/24 -set protocols ospf area 0 network 192.168.0.0/24 -set protocols ospf area 0 network 10.1.1.1/32 -set protocols ospf parameters router-id 10.1.1.1 -``` - -**Node 2** - -```none -set interfaces loopback lo address 10.1.1.2/32 -set interfaces ethernet eth0 address 192.168.0.2/24 -set protocols ospf area 0 network 192.168.0.0/24 -set protocols ospf area 0 network 10.1.1.2/32 -set protocols ospf parameters router-id 10.1.1.2 -``` - -Here's the neighbors up: - -```none -Node-1@vyos:~$ show ip ospf neighbor - -Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL -10.1.1.2 1 Full/DR 3m43s 36.094s 192.168.0.2 eth0:192.168.0.1 0 0 0 - - -Node-2@vyos:~$ show ip ospf neighbor - -Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL -10.1.1.1 1 Full/Backup 3m47s 31.736s 192.168.0.1 eth0:192.168.0.2 0 0 0 -``` - -Here's the routes: - -```none -Node-1@vyos:~$ show ip route ospf -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -O 10.1.1.1/32 [110/0] is directly connected, lo, weight 1, 00:00:14 -O>* 10.1.1.2/32 [110/1] via 192.168.0.2, eth0, weight 1, 00:00:07 -O 192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:32 - -Node-2@vyos:~$ show ip route ospf -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -O>* 10.1.1.1/32 [110/1] via 192.168.0.1, eth0, weight 1, 00:00:11 -O 10.1.1.2/32 [110/0] is directly connected, lo, weight 1, 00:00:04 -O 192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:18 -``` - -### Enable OSPF with route redistribution of the loopback and default originate: - -**Node 1** - -```none -set interfaces loopback lo address 10.1.1.1/32 -set protocols ospf area 0 network 192.168.0.0/24 -set protocols ospf default-information originate always -set protocols ospf default-information originate metric 10 -set protocols ospf default-information originate metric-type 2 -set protocols ospf log-adjacency-changes -set protocols ospf parameters router-id 10.1.1.1 -set protocols ospf redistribute connected metric-type 2 -set protocols ospf redistribute connected route-map CONNECT - -set policy route-map CONNECT rule 10 action permit -set policy route-map CONNECT rule 10 match interface lo -``` - -**Node 2** - -```none -set interfaces loopback lo address 10.2.2.2/32 -set protocols ospf area 0 network 192.168.0.0/24 -set protocols ospf log-adjacency-changes -set protocols ospf parameters router-id 10.2.2.2 -set protocols ospf redistribute connected metric-type 2 -set protocols ospf redistribute connected route-map CONNECT - -set policy route-map CONNECT rule 10 action permit -set policy route-map CONNECT rule 10 match interface lo -``` - -### Enable OSPF and IGP-LDP synchronization: - -**Node 1:** - -```none -set interfaces loopback lo address 10.1.1.1/32 -set interfaces ethernet eth0 address 192.168.0.1/24 - -set protocols ospf area 0 network '192.168.0.0/24' -set protocols ospf area 0 network '10.1.1.1/32' -set protocols ospf parameters router-id '10.1.1.1' -set protocols ospf ldp-sync - -set protocols mpls interface eth0 -set protocols mpls ldp discovery transport-ipv4-address 10.1.1.1 -set protocols mpls ldp interface lo -set protocols mpls ldp interface eth0 -set protocols mpls ldp parameters transport-prefer-ipv4 -set protocols mpls ldp router-id 10.1.1.1 -``` - -This gives us IGP-LDP synchronization for all non-loopback interfaces with -a holddown timer of zero seconds: - -```none -Node-1@vyos:~$ show ip ospf mpls ldp-sync - eth0 - LDP-IGP Synchronization enabled: yes - Holddown timer in seconds: 0 - State: Sync achieved -``` - -### Enable OSPF with Segment Routing (Experimental): - -**Node 1** - -```none -set interfaces loopback lo address 10.1.1.1/32 -set interfaces ethernet eth0 address 192.168.0.1/24 - -set protocols ospf area 0 network '192.168.0.0/24' -set protocols ospf area 0 network '10.1.1.1/32' -set protocols ospf parameters opaque-lsa -set protocols ospf parameters router-id '10.1.1.1' -set protocols ospf segment-routing global-block high-label-value '1100' -set protocols ospf segment-routing global-block low-label-value '1000' -set protocols ospf segment-routing prefix 10.1.1.1/32 index explicit-null -set protocols ospf segment-routing prefix 10.1.1.1/32 index value '1' -``` - -**Node 2** - -```none -set interfaces loopback lo address 10.1.1.2/32 -set interfaces ethernet eth0 address 192.168.0.2/24 - -set protocols ospf area 0 network '192.168.0.0/24' -set protocols ospf area 0 network '10.1.1.2/32' -set protocols ospf parameters opaque-lsa -set protocols ospf parameters router-id '10.1.1.2' -set protocols ospf segment-routing global-block high-label-value '1100' -set protocols ospf segment-routing global-block low-label-value '1000' -set protocols ospf segment-routing prefix 10.1.1.2/32 index explicit-null -set protocols ospf segment-routing prefix 10.1.1.2/32 index value '2' -``` - -This gives us MPLS segment routing enabled and labels for far end loopbacks: - -```none -Node-1@vyos:~$ show mpls table - Inbound Label Type Nexthop Outbound Label - ----------------------------------------------------------- - 1002 SR (OSPF) 192.168.0.2 IPv4 Explicit Null <-- Node-2 loopback learned on Node-1 - 15000 SR (OSPF) 192.168.0.2 implicit-null - 15001 SR (OSPF) 192.168.0.2 implicit-null - -Node-2@vyos:~$ show mpls table - Inbound Label Type Nexthop Outbound Label - ----------------------------------------------------------- - 1001 SR (OSPF) 192.168.0.1 IPv4 Explicit Null <-- Node-1 loopback learned on Node-2 - 15000 SR (OSPF) 192.168.0.1 implicit-null - 15001 SR (OSPF) 192.168.0.1 implicit-null -``` - -Here is the routing tables showing the MPLS segment routing label operations: - -```none -Node-1@vyos:~$ show ip route ospf -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -O 10.1.1.1/32 [110/0] is directly connected, lo, weight 1, 00:03:43 -O>* 10.1.1.2/32 [110/1] via 192.168.0.2, eth0, label IPv4 Explicit Null, weight 1, 00:03:32 -O 192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:43 - -Node-2@vyos:~$ show ip route ospf -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -O>* 10.1.1.1/32 [110/1] via 192.168.0.1, eth0, label IPv4 Explicit Null, weight 1, 00:03:36 -O 10.1.1.2/32 [110/0] is directly connected, lo, weight 1, 00:03:51 -O 192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:51 -``` - -(routing-ospfv3)= - -## OSPFv3 (IPv6) - -(ospf-v3-configuration)= - -### Configuration - -(ospf-v3-general)= - -#### General - -VyOS does not have a special command to start the OSPFv3 process. The OSPFv3 -process starts when the first ospf enabled interface is configured. - -```{cfgcmd} set protocols ospfv3 interface \<interface\> area \<number\> - - This command specifies the OSPFv3 enabled interface. This command is also - used to enable the OSPF process. The area number can be specified in - decimal notation in the range from 0 to 4294967295. Or it can be specified - in dotted decimal notation similar to ip address. -``` - - -```{cfgcmd} set protocols ospfv3 parameters router-id \<rid\> - -This command sets the router-ID of the OSPFv3 process. The router-ID may be -an IP address of the router, but need not be – it can be any arbitrary -32bit number. However it MUST be unique within the entire OSPFv3 domain to -the OSPFv3 speaker – bad things will happen if multiple OSPFv3 speakers are -configured with the same router-ID! -``` - -(ospf-v3-optional)= - -#### Optional - -```{cfgcmd} set protocols ospfv3 distance global \<distance\> - -This command change distance value of OSPFv3 globally. -The distance range is 1 to 255. -``` -```{cfgcmd} set protocols ospfv3 distance ospfv3 \<external|inter-area|intra-area\> \<distance\> - -This command change distance value of OSPFv3. The arguments are the -distance values for external routes, inter-area routes and intra-area -routes respectively. The distance range is 1 to 255. -``` - -(ospf-v3-area-configuration)= - -#### Area Configuration - -```{cfgcmd} set protocols ospfv3 area \<number\> range \<prefix\> - -This command summarizes intra area paths from specified area into one -Type-3 Inter-Area Prefix LSA announced to other areas. This command can be -used only in ABR. -``` -```{cfgcmd} set protocols ospfv3 area \<number\> range \<prefix\> not-advertise - -This command instead of summarizing intra area paths filter them - i.e. -intra area paths from this range are not advertised into other areas. This -command makes sense in ABR only. -``` - -(ospf-v3-interface-config)= - -#### Interface Configuration - -```{cfgcmd} set protocols ospfv3 interface \<interface\> ipv6 cost \<number\> - -This command sets link cost for the specified interface. The cost value is -set to router-LSA’s metric field and used for SPF calculation. The cost -range is 1 to 65535. -``` -```{cfgcmd} set protocols ospfv3 interface \<interface\> dead-interval \<number\> - -Set number of seconds for router Dead Interval timer value used for Wait -Timer and Inactivity Timer. This value must be the same for all routers -attached to a common network. The default value is 40 seconds. The -interval range is 1 to 65535. -``` -```{cfgcmd} set protocols ospfv3 interface \<interface\> hello-interval \<number\> - -Set number of seconds for Hello Interval timer value. Setting this value, -Hello packet will be sent every timer value seconds on the specified -interface. This value must be the same for all routers attached to a -common network. The default value is 10 seconds. The interval range is 1 -to 65535. -``` -```{cfgcmd} set protocols ospfv3 interface \<interface\> mtu-ignore - -This command disables check of the MTU value in the OSPF DBD packets. -Thus, use of this command allows the OSPF adjacency to reach the FULL -state even though there is an interface MTU mismatch between two OSPF -routers. -``` -```{cfgcmd} set protocols ospfv3 interface \<interface\> network \<type\> - -This command allows to specify the distribution type for the network -connected to this interface: - -**broadcast** – broadcast IP addresses distribution. -**point-to-point** – address distribution in point-to-point networks. -``` -```{cfgcmd} set protocols ospfv3 interface \<interface\> priority \<number\> - -This command sets Router Priority integer value. The router with the -highest priority will be more eligible to become Designated Router. -Setting the value to 0, makes the router ineligible to become Designated -Router. The default value is 1. The interval range is 0 to 255. -``` -```{cfgcmd} set protocols ospfv3 interface \<interface\> passive - -This command specifies interface as passive. Passive interface advertises -its address, but does not run the OSPF protocol (adjacencies are not formed -and hello packets are not generated). -``` -```{cfgcmd} set protocols ospfv3 interface \<interface\> retransmit-interval \<number\> - -This command sets number of seconds for RxmtInterval timer value. This -value is used when retransmitting Database Description and Link State -Request packets if acknowledge was not received. The default value is 5 -seconds. The interval range is 3 to 65535. -``` -```{cfgcmd} set protocols ospfv3 interface \<interface\> transmit-delay \<number\> - -This command sets number of seconds for InfTransDelay value. It allows to -set and adjust for each interface the delay interval before starting the -synchronizing process of the router's database with all neighbors. The -default value is 1 seconds. The interval range is 3 to 65535. -``` - -(ospf-v3-graceful-restart)= - -#### Graceful Restart - -```{cfgcmd} set protocols ospfv3 graceful-restart [grace-period (1-1800)] - -Configure Graceful Restart {rfc}`3623` restarting support. When enabled, -the default grace period is 120 seconds. - -To perform a graceful shutdown, the FRR ``graceful-restart prepare ip -ospf`` EXEC-level command needs to be issued before restarting the -ospfd daemon. -``` -```{cfgcmd} set protocols ospfv3 graceful-restart helper enable [router-id A.B.C.D] - -Configure Graceful Restart {rfc}`3623` helper support. By default, helper support -is disabled for all neighbours. This config enables/disables helper support -on this router for all neighbours. - -To enable/disable helper support for a specific neighbour, the router-id -(A.B.C.D) has to be specified. -``` -```{cfgcmd} set protocols ospfv3 graceful-restart helper lsa-check-disable - -By default strict-lsa-checking is configured then the helper will abort -the Graceful Restart when a LSA change occurs which affects the restarting -router. - -This command disables it. -``` -```{cfgcmd} set protocols ospfv3 graceful-restart helper supported-grace-time - -Supports as HELPER for configured grace period. -``` -```{cfgcmd} set protocols ospfv3 graceful-restart helper planned-only - -It helps to support as HELPER only for planned restarts. -By default, it supports both planned and unplanned outages. -``` - -(ospf-v3-redistribution-config)= - -#### Redistribution Configuration - -```{cfgcmd} set protocols ospfv3 redistribute \<route source\> - -This command redistributes routing information from the given route source -to the OSPFv3 process. There are five modes available for route source: -bgp, connected, kernel, ripng, static. -``` -```{cfgcmd} set protocols ospf redistribute \<route source\> route-map \<name\> - -This command allows to use route map to filter redistributed routes from -given route source. There are five modes available for route source: bgp, -connected, kernel, ripng, static. -``` - -(ospf-v3-op-cmd)= - -#### Operational Mode Commands - -```{opcmd} show ipv6 ospfv3 neighbor - -This command displays the neighbors status. -``` -```{opcmd} show ipv6 ospfv3 neighbor detail - -This command displays the neighbors information in a detailed form, not -just a summary table. -``` -```{opcmd} show ipv6 ospfv3 neighbor drchoice - -This command displays the neighbor DR choice information. -``` -```{opcmd} show ipv6 ospfv3 interface [prefix]|[\<interface\> [prefix]] - -This command displays state and configuration of OSPF the specified -interface, or all interfaces if no interface is given. Whith the argument -{cfgcmd}`prefix` this command shows connected prefixes to advertise. -``` -```{opcmd} show ipv6 ospfv3 route - -This command displays the OSPF routing table, as determined by the most -recent SPF calculation. -``` -```{opcmd} show ipv6 ospfv3 border-routers - -This command displays a table of paths to area boundary and autonomous -system boundary routers. -``` -```{opcmd} show ipv6 ospfv3 database - -This command displays a summary table with a database contents (LSA). -``` -```{opcmd} show ipv6 ospfv3 database \<type\> [A.B.C.D] [adv-router \<A.B.C.D\>|self-originate] - -This command displays a database contents for a specific link -advertisement type. -``` -```{opcmd} show ipv6 ospfv3 redistribute - -This command displays external information redistributed into OSPFv3 -``` - -(ospf-v3-config-example)= - -#### Configuration Example - -A typical configuration using 2 nodes. - -**Node 1:** - -```none -set protocols ospfv3 interface eth1 area 0.0.0.0 -set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64 -set protocols ospfv3 parameters router-id 192.168.1.1 -set protocols ospfv3 redistribute connected -``` - -**Node 2:** - -```none -set protocols ospfv3 interface eth1 area 0.0.0.0 -set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64 -set protocols ospfv3 parameters router-id 192.168.2.1 -set protocols ospfv3 redistribute connected -``` - -**To see the redistributed routes:** - -```none -show ipv6 ospfv3 redistribute -``` - -Cost calculation wireguard interfaces is unreliable as ospfv3 uses the link speed to calculate the link cost. -You might therefore want to set the link cost to a fixed value on WireGuard tunnels. - -Example configuration for WireGuard interfaces: - -**Node 1** - -```none -set interfaces wireguard wg01 peer ospf02 allowed-ips '::/0' -set interfaces wireguard wg01 peer ospf02 endpoint '10.1.1.101:12345' -set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...=' -set interfaces wireguard wg01 port '12345' -set protocols ospfv3 parameters router-id 192.168.1.1 -set protocols ospfv3 interface 'wg01' area 0.0.0.0 -set protocols ospfv3 interface 'wg01' cost 10 -set protocols ospfv3 interface 'lo' area 0.0.0.0 -``` - -**Node 2** - -```none -set interfaces wireguard wg01 peer ospf01 allowed-ips '::/0' -set interfaces wireguard wg01 peer ospf01 endpoint '10.1.1.100:12345' -set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...=' -set interfaces wireguard wg01 port '12345' -set protocols ospfv3 parameters router-id 192.168.1.2 -set protocols ospfv3 interface 'wg01' area 0.0.0.0 -set protocols ospfv3 interface 'wg01' cost 10 -set protocols ospfv3 interface 'lo' area 0.0.0.0 -``` - -**Status** - -```none -vyos@ospf01:~$ sh ipv6 ospfv3 neighbor -Neighbor ID Pri DeadTime State/IfState Duration I/F[State] -192.168.0.2 1 00:00:37 Full/PointToPoint 00:18:03 wg01[PointToPoint] - -vyos@ospf02# run sh ipv6 ospfv3 neighbor -Neighbor ID Pri DeadTime State/IfState Duration I/F[State] -192.168.0.1 1 00:00:39 Full/PointToPoint 00:19:44 wg01[PointToPoint] -``` diff --git a/docs/configuration/protocols/md-pim.md b/docs/configuration/protocols/md-pim.md deleted file mode 100644 index 30f3d49b..00000000 --- a/docs/configuration/protocols/md-pim.md +++ /dev/null @@ -1,304 +0,0 @@ ---- -lastproofread: '2023-11-13' ---- - -(pim)= - -# PIM – Protocol Independent Multicast - -VyOS supports {abbr}`PIM-SM (PIM Sparse Mode)` as well as -{abbr}`IGMP (Internet Group Management Protocol)` v2 and v3 - -{abbr}`PIM (Protocol Independent Multicast)` must be configured in every -interface of every participating router. Every router must also have the -location of the Rendevouz Point manually configured. Then, unidirectional -shared trees rooted at the Rendevouz Point will automatically be built -for multicast distribution. - -Traffic from multicast sources will go to the Rendezvous Point, and -receivers will pull it from a shared tree using {abbr}`IGMP (Internet -Group Management Protocol)`. - -Multicast receivers will talk IGMP to their local router, so, besides -having PIM configured in every router, IGMP must also be configured in -any router where there could be a multicast receiver locally connected. - -VyOS supports both IGMP version 2 and version 3 (which allows -source-specific multicast). - -## PIM-SM - PIM Sparse Mode - -```{eval-rst} -.. cfgcmd:: set protocols pim ecmp - - If PIM has the a choice of ECMP nexthops for a particular - {abbr}`RPF (Reverse Path Forwarding)`, PIM will cause S,G flows to be - spread out amongst the nexthops. If this command is not specified then - the first nexthop found will be used. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim ecmp rebalance - - If PIM is using ECMP and an interface goes down, cause PIM to rebalance all - S,G flows across the remaining nexthops. If this command is not configured - PIM only modifies those S,G flows that were using the interface that went - down. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim join-prune-interval <n> - - Modify the join/prune interval that PIM uses to the new value. Time is - specified in seconds. - - The default time is 60 seconds. - - If you enter a value smaller than 60 seconds be aware that this can and - will affect convergence at scale. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim keep-alive-timer <n> - - Modify the time out value for a S,G flow from 1-65535 seconds. If choosing - a value below 31 seconds be aware that some hardware platforms cannot see - data flowing in better than 30 second chunks. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim packets <n> - - When processing packets from a neighbor process the number of packets - incoming at one time before moving on to the next task. - - The default value is 3 packets. - - This command is only useful at scale when you can possibly have a large - number of PIM control packets flowing. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim register-accept-list <prefix-list> - - When PIM receives a register packet the source of the packet will be compared - to the prefix-list specified, and if a permit is received normal processing - continues. If a deny is returned for the source address of the register packet - a register stop message is sent to the source. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim register-suppress-time <n> - - Modify the time that pim will register suppress a FHR will send register - notifications to the kernel. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim rp <address> group <group> - - In order to use PIM, it is necessary to configure a {abbr}`RP (Rendezvous Point)` - for join messages to be sent to. Currently the only methodology to do this is - via static rendezvous point commands. - - All routers in the PIM network must agree on these values. - - The first ip address is the RP's address and the second value is the matching - prefix of group ranges covered. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim rp keep-alive-timer <n> - - Modify the time out value for a S,G flow from 1-65535 seconds at - {abbr}`RP (Rendezvous Point)`. The normal keepalive period for the KAT(S,G) - defaults to 210 seconds. However, at the {abbr}`RP (Rendezvous Point)`, the - keepalive period must be at least the Register_Suppression_Time, or the RP - may time out the (S,G) state before the next Null-Register arrives. - Thus, the KAT(S,G) is set to max(Keepalive_Period, RP_Keepalive_Period) - when a Register-Stop is sent. - - If choosing a value below 31 seconds be aware that some hardware platforms - cannot see data flowing in better than 30 second chunks. - - See {rfc}`7761#section-4.1` for details. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim no-v6-secondary - - When sending PIM hello packets tell PIM to not send any v6 secondary - addresses on the interface. This information is used to allow PIM to use v6 - nexthops in it's decision for {abbr}`RPF (Reverse Path Forwarding)` lookup - if this option is not set (default). -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim spt-switchover infinity-and-beyond [prefix-list <list>] - - On the last hop router if it is desired to not switch over to the SPT tree - configure this command. - - Optional parameter prefix-list can be use to control which groups to switch or - not switch. If a group is PERMIT as per the prefix-list, then the SPT switchover - does not happen for it and if it is DENY, then the SPT switchover happens. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim ssm prefix-list <list> - - Specify a range of group addresses via a prefix-list that forces PIM to never - do {abbr}`SSM (Source-Specific Multicast)` over. -``` - -### Interface specific commands - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> bfd [profile <name>] - - Automatically create BFD session for each RIP peer discovered in this - interface. When the BFD session monitor signalize that the link is down - the RIP peer is removed and all the learned routes associated with that - peer are removed. - - If optional profile parameter is used, select a BFD profile for the BFD - sessions created via this interface. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> dr-priority <n> - - Set the {abbr}`DR (Designated Router)` Priority for the interface. - This command is useful to allow the user to influence what node becomes - the DR for a LAN segment. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> hello <n> - - Set the PIM hello and hold interval for a interface. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> no-bsm - - Tell PIM that we would not like to use this interface to process - bootstrap messages. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> no-unicast-bsm - - Tell PIM that we would not like to use this interface to process - unicast bootstrap messages. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> passive - - Disable sending and receiving PIM control packets on the interface. - - .. cfgcmd:: set protocols pim interface <interface> source-address <ip-address> - - If you have multiple addresses configured on a particular interface and would - like PIM to use a specific source address associated with that interface. -``` - -## IGMP - Internet Group Management Protocol) - -```{eval-rst} -.. cfgcmd:: set protocols pim igmp watermark-warning <n> - - Configure watermark warning generation for an IGMP group limit. Generates - warning once the configured group limit is reached while adding new groups. -``` - -(pim-igmp-interface-commands)= - -### Interface specific commands - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> igmp - join <multicast-address> source-address <IP-address> - - Use this command to allow the selected interface to join a multicast - group defining the multicast address you want to join and the source - IP address too. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> igmp - query-interval <seconds> - - Use this command to configure in the selected interface the IGMP - host query interval (1-1800) in seconds that PIM will use. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> igmp - query-max-response-time <n> - - Use this command to configure in the selected interface the IGMP - query response timeout value (10-250) in deciseconds. If a report is - not returned in the specified time, it will be assumed the (S,G) or - (\*,G) state {rfc}`7761#section-4.1` has timed out. -``` - -```{eval-rst} -.. cfgcmd:: set protocols pim interface <interface> igmp version <version-number> - - Use this command to define in the selected interface whether you - choose IGMP version 2 or 3. - - The default value is 3. -``` - -#### Example - -In the following example we can see a basic multicast setup: - -```{image} /_static/images/multicast-basic.webp -:align: center -:alt: Network Topology Diagram -:width: 90% -``` - -**Router 1** - -```none -set interfaces ethernet eth2 address '172.16.0.2/24' -set interfaces ethernet eth1 address '100.64.0.1/24' -set protocols ospf area 0 network '172.16.0.0/24' -set protocols ospf area 0 network '100.64.0.0/24' -set protocols igmp interface eth1 -set protocols pim interface eth1 -set protocols pim interface eth2 -set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' -``` - -**Router 3** - -```none -set interfaces dummy dum0 address '172.16.255.1/24' -set interfaces ethernet eth0 address '172.16.0.1/24' -set interfaces ethernet eth1 address '172.16.1.1/24' -set protocols ospf area 0 network '172.16.0.0/24' -set protocols ospf area 0 network '172.16.255.0/24' -set protocols ospf area 0 network '172.16.1.0/24' -set protocols pim interface dum0 -set protocols pim interface eth0 -set protocols pim interface eth1 -set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' -``` - -**Router 2** - -```none -set interfaces ethernet eth1 address '10.0.0.1/24' -set interfaces ethernet eth2 address '172.16.1.2/24' -set protocols ospf area 0 network '10.0.0.0/24' -set protocols ospf area 0 network '172.16.1.0/24' -set protocols pim interface eth1 -set protocols pim interface eth2 -set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' -``` diff --git a/docs/configuration/protocols/md-pim6.md b/docs/configuration/protocols/md-pim6.md deleted file mode 100644 index 707ae606..00000000 --- a/docs/configuration/protocols/md-pim6.md +++ /dev/null @@ -1,100 +0,0 @@ -(pim6)= - -# PIM6 - Protocol Independent Multicast for IPv6 - -VyOS facilitates IPv6 Multicast by supporting **PIMv6** and **MLD**. - -PIMv6 (Protocol Independent Multicast for IPv6) must be configured in every -interface of every participating router. Every router must also have the -location of the Rendevouz Point manually configured. -Then, unidirectional shared trees rooted at the Rendevouz Point will -automatically be built for multicast distribution. - -Traffic from multicast sources will go to the Rendezvous Point, and receivers -will pull it from a shared tree using MLD (Multicast Listener Discovery). - -Multicast receivers will talk MLD to their local router, so, besides having -PIMv6 configured in every router, MLD must also be configured in any router -where there could be a multicast receiver locally connected. - -VyOS supports both MLD version 1 and version 2 -(which allows source-specific multicast). - -## Basic commands - -These are the commands for a basic setup. - -```{cfgcmd} set protocols pim6 interface \<interface-name\> - - Use this command to enable PIMv6 in the selected interface so that it - can communicate with PIMv6 neighbors. This command also enables MLD reports - and query on the interface unless {cfgcmd}`mld disable` is configured. -``` - - -```{cfgcmd} set protocols pim6 interface \<interface-name\> mld disable - -Disable MLD reports and query on the interface. -``` - - -## Tuning commands - -You can also tune multicast with the following commands. - -```{cfgcmd} set protocols pim6 interface \<interface-name\> mld interval \<seconds\> - -Use this command to configure in the selected interface the MLD -host query interval (1-65535) in seconds that PIM will use. -The default value is 125 seconds. -``` - -```{cfgcmd} set protocols pim6 interface \<interface-name\> mld join \<multicast-address\> - -Use this command to allow the selected interface to join a multicast group. -``` - -```{cfgcmd} set protocols pim6 interface \<interface-name\> mld join \<multicast-address\> source \<source-address\> - -Use this command to allow the selected interface to join a source-specific multicast -group. -``` - -```{cfgcmd} set protocols pim6 interface \<interface-name\> mld last-member-query-count \<count\> - -Set the MLD last member query count. The default value is 2. -``` - -```{cfgcmd} set protocols pim6 interface \<interface-name\> mld last-member-query-interval \<milliseconds\> - -Set the MLD last member query interval in milliseconds (100-6553500). The default value is 1000 milliseconds. -``` - -```{cfgcmd} set protocols pim6 interface \<interface-name\> mld max-response-time \<milliseconds\> - -Set the MLD query response timeout in milliseconds (100-6553500). The default value is 10000 milliseconds. -``` - -```{cfgcmd} set protocols pim6 interface \<interface-name\> mld version \<version-number\> - -Set the MLD version used on this interface. The default value is 2. -``` - - -### Configuration Example - -To enable MLD reports and query on interfaces `eth0` and `eth1`: - -```none -set protocols pim6 interface eth0 -set protocols pim6 interface eth1 -``` - -The following configuration explicitly joins multicast group `ff15::1234` on interface `eth1` -and source-specific multicast group `ff15::5678` with source address `2001:db8::1` on interface -`eth1`: - -```none -set protocols pim6 interface eth0 mld join ff15::1234 -set protocols pim6 interface eth1 mld join ff15::5678 source 2001:db8::1 -``` diff --git a/docs/configuration/protocols/md-rip.md b/docs/configuration/protocols/md-rip.md deleted file mode 100644 index 684337d6..00000000 --- a/docs/configuration/protocols/md-rip.md +++ /dev/null @@ -1,294 +0,0 @@ ---- -lastproofread: '2021-10-04' ---- - -(rip)= - -# RIP - -{abbr}`RIP (Routing Information Protocol)` is a widely deployed interior gateway -protocol. RIP was developed in the 1970s at Xerox Labs as part of the XNS -routing protocol. RIP is a distance-vector protocol and is based on the -Bellman-Ford algorithms. As a distance-vector protocol, RIP router send updates -to its neighbors periodically, thus allowing the convergence to a known -topology. In each update, the distance to any given network will be broadcast -to its neighboring router. - -Supported versions of RIP are: - -> - RIPv1 as described in {rfc}`1058` -> - RIPv2 as described in {rfc}`2453` - -## General Configuration - -```{cfgcmd} set protocols rip network \<A.B.C.D/M\> - -This command enables RIP and sets the RIP enable interface by NETWORK. -The interfaces which have addresses matching with NETWORK are enabled. -``` - - -```{cfgcmd} set protocols rip interface \<interface\> - -This command specifies a RIP enabled interface by interface name. Both -the sending and receiving of RIP packets will be enabled on the port -specified in this command. -``` - - -```{cfgcmd} set protocols rip neighbor \<A.B.C.D\> - -This command specifies a RIP neighbor. When a neighbor doesn’t understand -multicast, this command is used to specify neighbors. In some cases, not -all routers will be able to understand multicasting, where packets are -sent to a network or a group of addresses. In a situation where a neighbor -cannot process multicast packets, it is necessary to establish a direct -link between routers. -``` - - -```{cfgcmd} set protocols rip passive-interface interface \<interface\> - -This command sets the specified interface to passive mode. On passive mode -interface, all receiving packets are processed as normal and VyOS does not -send either multicast or unicast RIP packets except to RIP neighbors -specified with neighbor command. -``` - - -```{cfgcmd} set protocols rip passive-interface interface default - -This command specifies all interfaces to passive mode. -``` - -## Optional Configuration - -```{cfgcmd} set protocols rip default-distance \<distance\> - -This command change the distance value of RIP. The distance range is 1 to 255. - -> :::{note} -> Routes with a distance of 255 are effectively disabled and not -> installed into the kernel. -> ::: -``` - - -```{cfgcmd} set protocols rip network-distance \<A.B.C.D/M\> distance \<distance\> - -This command sets default RIP distance to a specified value when the routes -source IP address matches the specified prefix. -``` - - -```{cfgcmd} set protocols rip network-distance \<A.B.C.D/M\> access-list \<name\> - -This command can be used with previous command to sets default RIP distance -to specified value when the route source IP address matches the specified -prefix and the specified access-list. -``` - - -```{cfgcmd} set protocols rip default-information originate - -This command generate a default route into the RIP. -``` - - -```{cfgcmd} set protocols rip distribute-list access-list \<in|out\> \<number\> - -This command can be used to filter the RIP path using access lists. -{cfgcmd}`in` and {cfgcmd}`out` this is the direction in which the access -lists are applied. -``` - - -```{cfgcmd} set protocols rip distribute-list interface \<interface\> access-list \<in|out\> \<number\> - -This command allows you apply access lists to a chosen interface to -filter the RIP path. -``` - - -```{cfgcmd} set protocols rip distribute-list prefix-list \<in|out\> \<name\> - -This command can be used to filter the RIP path using prefix lists. -{cfgcmd}`in` and {cfgcmd}`out` this is the direction in which the prefix -lists are applied. -``` - - -```{cfgcmd} set protocols rip distribute-list interface \<interface\> prefix-list \<in|out\> \<name\> - -This command allows you apply prefix lists to a chosen interface to -filter the RIP path. -``` - - -```{cfgcmd} set protocols rip route \<A.B.C.D/M\> - -This command is specific to FRR and VyOS. The route command makes a static -route only inside RIP. This command should be used only by advanced users -who are particularly knowledgeable about the RIP protocol. In most cases, -we recommend creating a static route in VyOS and redistributing it in RIP -using {cfgcmd}`redistribute static`. -``` - - -```{cfgcmd} set protocols rip timers update \<seconds\> - -This command specifies the update timer. Every update timer seconds, the -RIP process is awakened to send an unsolicited response message containing -the complete routing table to all neighboring RIP routers. The time range -is 5 to 2147483647. The default value is 30 seconds. -``` - - -```{cfgcmd} set protocols rip timers timeout \<seconds\> - -This command specifies the timeout timer. Upon expiration of the timeout, -the route is no longer valid; however, it is retained in the routing table -for a short time so that neighbors can be notified that the route has been -dropped. The time range is 5 to 2147483647. The default value is 180 -seconds. -``` - - -```{cfgcmd} set protocols rip timers garbage-collection \<seconds\> - -This command specifies the garbage-collection timer. Upon expiration of -the garbage-collection timer, the route is finally removed from the -routing table. The time range is 5 to 2147483647. The default value is 120 -seconds. -``` - -## Redistribution Configuration - -```{cfgcmd} set protocols rip redistribute \<route source\> - -This command redistributes routing information from the given route source -into the RIP tables. There are five modes available for route source: bgp, -connected, kernel, ospf, static. -``` - - -```{cfgcmd} set protocols rip redistribute \<route source\> metric \<metric\> - -This command specifies metric for redistributed routes from the given route -source. There are five modes available for route source: bgp, connected, -kernel, ospf, static. The metric range is 1 to 16. -``` - - -```{cfgcmd} set protocols rip redistribute \<route source\> route-map \<name\> - -This command allows to use route map to filter redistributed routes from -the given route source. There are five modes available for route source: -bgp, connected, kernel, ospf, static. -``` - - -```{cfgcmd} set protocols rip default-metric \<metric\> - -This command modifies the default metric (hop count) value for redistributed -routes. The metric range is 1 to 16. The default value is 1. This command -does not affect connected route even if it is redistributed by -{cfgcmd}`redistribute connected`. To modify connected routes metric -value, please use {cfgcmd}`redistribute connected metric`. -``` - -## Interfaces Configuration - -```{cfgcmd} set interfaces \<inttype\> \<intname\> ip rip authentication plaintext-password \<text\> - -This command sets the interface with RIP simple password authentication. -This command also sets authentication string. The string must be shorter -than 16 characters. -``` - - -```{cfgcmd} set interfaces \<inttype\> \<intname\> ip rip authentication md5 \<id\> password \<text\> - -This command sets the interface with RIP MD5 authentication. This command -also sets MD5 Key. The key must be shorter than 16 characters. -``` - - -```{cfgcmd} set interfaces \<inttype\> \<intname\> ip rip split-horizon disable - -This command disables split-horizon on the interface. By default, VyOS does -not advertise RIP routes out the interface over which they were learned -(split horizon).3 -``` - - -```{cfgcmd} set interfaces \<inttype\> \<intname\> ip rip split-horizon poison-reverse - -This command enables poison-reverse on the interface. If both poison reverse -and split horizon are enabled, then VyOS advertises the learned routes -as unreachable over the interface on which the route was learned. -``` - -## Operational Mode Commands - -```{opcmd} show ip rip - -This command displays RIP routes. -``` -```none -Codes: R - RIP, C - connected, S - Static, O - OSPF, B - BGP -Sub-codes: - (n) - normal, (s) - static, (d) - default, (r) - redistribute, - (i) - interface - - Network Next Hop Metric From Tag Time -C(i) 10.0.12.0/24 0.0.0.0 1 self 0 -C(i) 10.0.13.0/24 0.0.0.0 1 self 0 -R(n) 10.0.23.0/24 10.0.12.2 2 10.0.12.2 0 02:53 -``` - -```{opcmd} show ip rip status - -The command displays current RIP status. It includes RIP timer, filtering, -version, RIP enabled interface and RIP peer information. -``` -```none -Routing Protocol is "rip" - Sending updates every 30 seconds with +/-50%, next due in 11 seconds - Timeout after 180 seconds, garbage collect after 120 seconds - Outgoing update filter list for all interface is not set - Incoming update filter list for all interface is not set - Default redistribution metric is 1 - Redistributing: - Default version control: send version 2, receive any version - Interface Send Recv Key-chain - eth0 2 1 2 - eth2 2 1 2 - Routing for Networks: - 10.0.12.0/24 - eth0 - Routing Information Sources: - Gateway BadPackets BadRoutes Distance Last Update - 10.0.12.2 0 0 120 00:00:11 - Distance: (default is 120) -``` - -## Configuration Example - -Simple RIP configuration using 2 nodes and redistributing connected interfaces. - -**Node 1:** - -```none -set interfaces loopback address 10.1.1.1/32 -set protocols rip network 192.168.0.0/24 -set protocols rip redistribute connected -``` - -**Node 2:** - -```none -set interfaces loopback address 10.2.2.2/32 -set protocols rip network 192.168.0.0/24 -set protocols rip redistribute connected -``` diff --git a/docs/configuration/protocols/md-rpki.md b/docs/configuration/protocols/md-rpki.md deleted file mode 100644 index 1f4cf5bf..00000000 --- a/docs/configuration/protocols/md-rpki.md +++ /dev/null @@ -1,210 +0,0 @@ -(rpki)= - -# RPKI - -:::{pull-quote} - -There are two types of Network Admins who deal with BGP, those who have -created an international incident and/or outage, and those who are lying - --- [tweet by EvilMog](https://twitter.com/Evil_Mog/status/1230924170508169216), 2020-02-21 -::: - -{abbr}`RPKI (Resource Public Key Infrastructure)` is a framework designed to -secure the Internet routing infrastructure. It associates BGP route -announcements with the correct originating {abbr}`ASN (Autonomus System -Number)` which BGP routers can then use to check each route against the -corresponding {abbr}`ROA (Route Origin Authorisation)` for validity. RPKI is -described in {rfc}`6480`. - -A BGP-speaking router like VyOS can retrieve ROA information from RPKI -"Relying Party software" (often just called an "RPKI server" or "RPKI -validator") by using {abbr}`RTR (RPKI to Router)` protocol. There are several -open source implementations to choose from, such as NLNetLabs' [Routinator] -(written in Rust), OpenBSD's [rpki-client] (written in C), and [StayRTR] (written -in Go). The RTR protocol is described in {rfc}`8210`. - -:::{tip} -If you are new to these routing security technologies then there is an -[excellent guide to RPKI] by NLnet Labs which will get you up to speed -very quickly. Their documentation explains everything from what RPKI is to -deploying it in production. It also has some -[help and operational guidance] including "What can I do about my route -having an Invalid state?" -::: - -## Getting started - -First you will need to deploy an RPKI validator for your routers to use. NLnet -Labs provides a collection of [software] you can compare and settle on one. -Once your server is running you can start validating announcements. - -Imported prefixes during the validation may have values: - -> valid -> -> : The prefix and ASN that originated it match a signed ROA. These are -> probably trustworthy route announcements. -> -> invalid -> -> : The prefix or prefix length and ASN that originated it doesn't -> match any existing ROA. This could be the result of a prefix hijack, or -> merely a misconfiguration, but should probably be treated as -> untrustworthy route announcements. -> -> notfound -> -> : No ROA exists which covers that prefix. Unfortunately this is the case for -> about 40%-50% of the prefixes which were announced to the {abbr}`DFZ -> (default-free zone)` at the start of 2024. - -:::{note} -If you are responsible for the global addresses assigned to your -network, please make sure that your prefixes have ROAs associated with them -to avoid being `notfound` by RPKI. For most ASNs this will involve -publishing ROAs via your {abbr}`RIR (Regional Internet Registry)` (RIPE -NCC, APNIC, ARIN, LACNIC, or AFRINIC), and is something you are encouraged -to do whenever you plan to announce addresses into the DFZ. - -Particularly large networks may wish to run their own RPKI certificate -authority and publication server instead of publishing ROAs via their RIR. -This is a subject far beyond the scope of VyOS' documentation. Consider -reading about [Krill] if this is a rabbit hole you need or especially want -to dive down. -::: - -### Features of the Current Implementation - -In a nutshell, the current implementation provides the following features: - -- The BGP router can connect to one or more RPKI cache servers to receive - validated prefix to origin AS mappings. Advanced failover can be implemented - by server sockets with different preference values. -- If no connection to an RPKI cache server can be established after a - pre-defined timeout, the router will process routes without prefix origin - validation. It still will try to establish a connection to an RPKI cache - server in the background. -- By default, enabling RPKI does not change best path selection. In particular, - invalid prefixes will still be considered during best path selection. However, - the router can be configured to ignore all invalid prefixes. -- Route maps can be configured to match a specific RPKI validation state. This - allows the creation of local policies, which handle BGP routes based on the - outcome of the Prefix Origin Validation. -- Updates from the RPKI cache servers are directly applied and path selection is - updated accordingly. (Soft reconfiguration must be enabled for this to work). - -## Configuration - -```{cfgcmd} set protocols rpki polling-period \<1-86400\> - -Define the time interval to update the local cache - -The default value is 300 seconds. -``` - -```{cfgcmd} set protocols rpki expire-interval \<600-172800\> - -Set the number of seconds the router waits until the router -expires the cache. - -The default value is 7200 seconds. -``` - -```{cfgcmd} set protocols rpki retry-interval \<1-7200\> - -Set the number of seconds the router waits until retrying to connect -to the cache server. - -The default value is 600 seconds. -``` - -```{cfgcmd} set protocols rpki cache \<address\> port \<port\> - -Defined the IPv4, IPv6 or FQDN and port number of the caching RPKI caching -instance which is used. - -This is a mandatory setting. -``` - -```{cfgcmd} set protocols rpki cache \<address\> preference \<preference\> - -Multiple RPKI caching instances can be supplied and they need a preference in -which their result sets are used. - -This is a mandatory setting. -``` - - -### SSH - -Connections to the RPKI caching server can not only be established by TCP using -the RTR protocol but you can also rely on a secure SSH session to the server. -This provides transport integrity and confidentiality and it is a good idea if -your validation software supports it. To enable SSH, first you need to create -an SSH client keypair using `generate ssh client-key -/config/auth/id_rsa_rpki`. Once your key is created you can setup the -connection. - -```{cfgcmd} set protocols rpki cache \<address\> ssh username \<user\> - -SSH username to establish an SSH connection to the cache server. -``` - -```{cfgcmd} set protocols rpki cache \<address\> ssh private-key-file \<filepath\> - -Local path that includes the private key file of the router. -``` - -```{cfgcmd} set protocols rpki cache \<address\> ssh public-key-file \<filepath\> - -Local path that includes the public key file of the router. -``` - -:::{note} -When using SSH, private-key-file and public-key-file -are mandatory options. -::: - -## Example - -We can build route-maps for import based on these states. Here is a simple -RPKI configuration, where `routinator` is the RPKI-validating "cache" -server with ip `192.0.2.1`: - -```none -set protocols rpki cache 192.0.2.1 port '3323' -set protocols rpki cache 192.0.2.1 preference '1' -``` - -Here is an example route-map to apply to routes learned at import. In this -filter we reject prefixes with the state `invalid`, and set a higher -`local-preference` if the prefix is RPKI `valid` rather than merely -`notfound`. - -```none -set policy route-map ROUTES-IN rule 10 action 'permit' -set policy route-map ROUTES-IN rule 10 match rpki 'valid' -set policy route-map ROUTES-IN rule 10 set local-preference '300' -set policy route-map ROUTES-IN rule 20 action 'permit' -set policy route-map ROUTES-IN rule 20 match rpki 'notfound' -set policy route-map ROUTES-IN rule 20 set local-preference '125' -set policy route-map ROUTES-IN rule 30 action 'deny' -set policy route-map ROUTES-IN rule 30 match rpki 'invalid' -``` - -Once your routers are configured to reject RPKI-invalid prefixes, you can -test whether the configuration is working correctly using Cloudflare's [test] -website. Keep in mind that in order for this to work, you need to have no -default routes or anything else that would still send traffic to RPKI-invalid -destinations. - -[excellent guide to rpki]: https://rpki.readthedocs.io/ -[help and operational guidance]: https://rpki.readthedocs.io/en/latest/about/help.html -[krill]: https://www.nlnetlabs.nl/projects/rpki/krill/ -[routinator]: https://www.nlnetlabs.nl/projects/rpki/routinator/ -[rpki-client]: https://www.rpki-client.org/ -[software]: https://rpki.readthedocs.io/en/latest/ops/tools.html#relying-party-software -[stayrtr]: https://github.com/bgp/stayrtr/ -[test]: https://isbgpsafeyet.com/ -[tweet by evilmog]: <https://twitter.com/Evil_Mog/status/1230924170508169216> diff --git a/docs/configuration/protocols/md-segment-routing.md b/docs/configuration/protocols/md-segment-routing.md deleted file mode 100644 index 45c89a41..00000000 --- a/docs/configuration/protocols/md-segment-routing.md +++ /dev/null @@ -1,359 +0,0 @@ -(segment-routing)= - -# Segment Routing - -Segment Routing (SR) is a network architecture that is similar to source-routing -. In this architecture, the ingress router adds a list of segments, known as -SIDs, to the packet as it enters the network. These segments represent different -portions of the network path that the packet will take. - -The SR segments are portions of the network path taken by the packet, and are -called SIDs. At each node, the first SID of the list is read, executed as a -forwarding function, and may be popped to let the next node read the next SID of -the list. The SID list completely determines the path where the packet is -forwarded. - -Segment Routing can be applied to an existing MPLS-based data plane and defines -a control plane network architecture. In MPLS networks, segments are encoded as -MPLS labels and are added at the ingress router. These MPLS labels are then -exchanged and populated by Interior Gateway Protocols (IGPs) like IS-IS or OSPF -which are running on most ISPs. - -:::{note} -Segment routing defines a control plane network architecture and -can be applied to an existing MPLS based dataplane. In the MPLS networks, -segments are encoded as MPLS labels and are imposed at the ingress router. -MPLS labels are exchanged and populated by IGPs like IS-IS.Segment Routing -as per RFC8667 for MPLS dataplane. It supports IPv4, IPv6 and ECMP and has -been tested against Cisco & Juniper routers.however,this deployment is still -EXPERIMENTAL for FRR. -::: - -## IS-IS SR Configuration - -Segment routing (SR) is used by the IGP protocols to interconnect network -devices, below configuration shows how to enable SR on IS-IS: - -:::{note} -``Known limitations:`` - -No support for level redistribution (L1 to L2 or L2 to L1) - -No support for binding SID - -No support for SRLB - -Only one SRGB and default SPF Algorithm is supported -::: - -```{cfgcmd} set protocols isis segment-routing global-block high-label-value \<label-value\> - -Set the Segment Routing Global Block i.e. the label range used by MPLS to -store label in the MPLS FIB for Prefix SID. Note that the block size may -not exceed 65535. -``` - - -```{cfgcmd} set protocols isis segment-routing global-block low-label-value \<label-value\> - -Set the Segment Routing Global Block i.e. the low label range used by MPLS to -store label in the MPLS FIB for Prefix SID. Note that the block size may -not exceed 65535. -``` - - -```{cfgcmd} set protocols isis segment-routing local-block high-label-value \<label-value\> - -Set the Segment Routing Local Block i.e. the label range used by MPLS to -store label in the MPLS FIB for Prefix SID. Note that the block size may -not exceed 65535.Segment Routing Local Block, The negative command always -unsets both. -``` - - -```{cfgcmd} set protocols isis segment-routing local-block \<low-label-value \<label-value\> - -Set the Segment Routing Local Block i.e. the low label range used by MPLS to -store label in the MPLS FIB for Prefix SID. Note that the block size may -not exceed 65535.Segment Routing Local Block, The negative command always -unsets both. -``` - - -```{cfgcmd} set protocols isis segment-routing maximum-label-depth \<1-16\> - -Set the Maximum Stack Depth supported by the router. The value depend of -the MPLS dataplane. -``` - - -```{cfgcmd} set protocols isis segment-routing prefix \<address\> index value \<0-65535\> - -A segment ID that contains an IP address prefix calculated by an IGP in the -service provider core network. Prefix SIDs are globally unique, this value -indentify it -``` - - -```{cfgcmd} set protocols isis segment-routing prefix \<address\> index \<no-php-flag | explicit-null| n-flag-clear\> - -this option allows to configure prefix-sid on SR. The ‘no-php-flag’ means NO -Penultimate Hop Popping that allows SR node to request to its neighbor to -not pop the label. The ‘explicit-null’ flag allows SR node to request to its -neighbor to send IP packet with the EXPLICIT-NULL label. The ‘n-flag-clear’ -option can be used to explicitly clear the Node flag that is set by default -for Prefix-SIDs associated to loopback addresses. This option is necessary -to configure Anycast-SIDs. -``` - -```{opcmd} show isis segment-routing node - - Show detailed information about all learned Segment Routing Nodes -``` - - -```{opcmd} show isis route prefix-sid - -Show detailed information about prefix-sid and label learned -``` - -:::{note} -more information related IGP - {ref}`routing-isis` -::: - - -## OSPF SR Configuration - - -Segment routing (SR) is used by the IGP protocols to interconnect network -devices, below configuration shows how to enable SR on OSPF: - -```{cfgcmd} set protocols ospf parameters opaque-lsa - -Enable the Opaque-LSA capability (rfc2370), necessary to transport label -on IGP -``` - -```{cfgcmd} set protocols ospf segment-routing global-block high-label-value \<label-value\> - -Set the Segment Routing Global Block i.e. the label range used by MPLS to -store label in the MPLS FIB for Prefix SID. Note that the block size may -not exceed 65535. -``` - -```{cfgcmd} set protocols ospf segment-routing global-block low-label-value \<label-value\> - -Set the Segment Routing Global Block i.e. the low label range used by MPLS to -store label in the MPLS FIB for Prefix SID. Note that the block size may -not exceed 65535. -``` - -```{cfgcmd} set protocols ospf segment-routing local-block high-label-value \<label-value\> - -Set the Segment Routing Local Block i.e. the label range used by MPLS to -store label in the MPLS FIB for Prefix SID. Note that the block size may -not exceed 65535.Segment Routing Local Block, The negative command always -unsets both. -``` - -```{cfgcmd} set protocols ospf segment-routing local-block \<low-label-value \<label-value\> - -Set the Segment Routing Local Block i.e. the low label range used by MPLS to -store label in the MPLS FIB for Prefix SID. Note that the block size may -not exceed 65535.Segment Routing Local Block, The negative command always -unsets both. -``` - -```{cfgcmd} set protocols ospf segment-routing maximum-label-depth \<1-16\> - -Set the Maximum Stack Depth supported by the router. The value depend of -the MPLS dataplane. -``` - -```{cfgcmd} set protocols ospf segment-routing prefix \<address\> index value \<0-65535\> - -A segment ID that contains an IP address prefix calculated by an IGP in the -service provider core network. Prefix SIDs are globally unique, this value -indentify it -``` - -```{cfgcmd} set protocols ospf segment-routing prefix \<address\> index \<no-php-flag | explicit-null| n-flag-clear\> - -this option allows to configure prefix-sid on SR. The ‘no-php-flag’ means NO -Penultimate Hop Popping that allows SR node to request to its neighbor to -not pop the label. The ‘explicit-null’ flag allows SR node to request to its -neighbor to send IP packet with the EXPLICIT-NULL label. The ‘n-flag-clear’ -option can be used to explicitly clear the Node flag that is set by default -for Prefix-SIDs associated to loopback addresses. This option is necessary -to configure Anycast-SIDs. -``` - -:::{note} -more information related IGP - {ref}`routing-ospf` -::: - -## Configuration Example - -we described the configuration SR ISIS / SR OSPF using 2 connected with them to -share label information. - -### Enable IS-IS with Segment Routing (Experimental) - -**Node 1:** - -```none -set interfaces loopback lo address '192.168.255.255/32' -set interfaces ethernet eth1 address '192.0.2.1/24' - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5255.00' -set protocols isis segment-routing global-block high-label-value '599' -set protocols isis segment-routing global-block low-label-value '550' -set protocols isis segment-routing prefix 192.168.255.255/32 index value '1' -set protocols isis segment-routing prefix 192.168.255.255/32 index explicit-null -set protocols mpls interface 'eth1' -``` - -**Node 2:** - -```none -set interfaces loopback lo address '192.168.255.254/32' -set interfaces ethernet eth1 address '192.0.2.2/24' - -set protocols isis interface eth1 -set protocols isis interface lo -set protocols isis net '49.0001.1921.6825.5254.00' -set protocols isis segment-routing global-block high-label-value '599' -set protocols isis segment-routing global-block low-label-value '550' -set protocols isis segment-routing prefix 192.168.255.254/32 index value '2' -set protocols isis segment-routing prefix 192.168.255.254/32 index explicit-null -set protocols mpls interface 'eth1' -``` - -This gives us MPLS segment routing enabled and labels for far end loopbacks: - -```none -Node-1@vyos:~$ show mpls table - Inbound Label Type Nexthop Outbound Label - ---------------------------------------------------------------------- - 552 SR (IS-IS) 192.0.2.2 IPv4 Explicit Null <-- Node-2 loopback learned on Node-1 - 15000 SR (IS-IS) 192.0.2.2 implicit-null - 15001 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null - 15002 SR (IS-IS) 192.0.2.2 implicit-null - 15003 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null - -Node-2@vyos:~$ show mpls table - Inbound Label Type Nexthop Outbound Label - --------------------------------------------------------------------- - 551 SR (IS-IS) 192.0.2.1 IPv4 Explicit Null <-- Node-1 loopback learned on Node-2 - 15000 SR (IS-IS) 192.0.2.1 implicit-null - 15001 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null - 15002 SR (IS-IS) 192.0.2.1 implicit-null - 15003 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null -``` - -Here is the routing tables showing the MPLS segment routing label operations: - -```none -Node-1@vyos:~$ show ip route isis -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -I 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 inactive, weight 1, 00:07:48 -I>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1, label IPv4 Explicit Null, weight 1, 00:03:39 - -Node-2@vyos:~$ show ip route isis -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -I 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 inactive, weight 1, 00:07:46 -I>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1, label IPv4 Explicit Null, weight 1, 00:03:43 -``` - - -### Enable OSPF with Segment Routing (Experimental): - -**Node 1** - -```none -set interfaces loopback lo address 10.1.1.1/32 -set interfaces ethernet eth0 address 192.168.0.1/24 -set protocols ospf area 0 network '192.168.0.0/24' -set protocols ospf area 0 network '10.1.1.1/32' -set protocols ospf parameters opaque-lsa -set protocols ospf parameters router-id '10.1.1.1' -set protocols ospf segment-routing global-block high-label-value '1100' -set protocols ospf segment-routing global-block low-label-value '1000' -set protocols ospf segment-routing prefix 10.1.1.1/32 index explicit-null -set protocols ospf segment-routing prefix 10.1.1.1/32 index value '1' -``` - -**Node 2** - -```none -set interfaces loopback lo address 10.1.1.2/32 -set interfaces ethernet eth0 address 192.168.0.2/24 -set protocols ospf area 0 network '192.168.0.0/24' -set protocols ospf area 0 network '10.1.1.2/32' -set protocols ospf parameters opaque-lsa -set protocols ospf parameters router-id '10.1.1.2' -set protocols ospf segment-routing global-block high-label-value '1100' -set protocols ospf segment-routing global-block low-label-value '1000' -set protocols ospf segment-routing prefix 10.1.1.2/32 index explicit-null -set protocols ospf segment-routing prefix 10.1.1.2/32 index value '2' -``` - -This gives us MPLS segment routing enabled and labels for far end loopbacks: - -```none -Node-1@vyos:~$ show mpls table - Inbound Label Type Nexthop Outbound Label - ----------------------------------------------------------- - 1002 SR (OSPF) 192.168.0.2 IPv4 Explicit Null <-- Node-2 loopback learned on Node-1 - 15000 SR (OSPF) 192.168.0.2 implicit-null - 15001 SR (OSPF) 192.168.0.2 implicit-null - -Node-2@vyos:~$ show mpls table - Inbound Label Type Nexthop Outbound Label - ----------------------------------------------------------- - 1001 SR (OSPF) 192.168.0.1 IPv4 Explicit Null <-- Node-1 loopback learned on Node-2 - 15000 SR (OSPF) 192.168.0.1 implicit-null - 15001 SR (OSPF) 192.168.0.1 implicit-null -``` - -Here is the routing tables showing the MPLS segment routing label operations: - -```none -Node-1@vyos:~$ show ip route ospf -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -O 10.1.1.1/32 [110/0] is directly connected, lo, weight 1, 00:03:43 -O>* 10.1.1.2/32 [110/1] via 192.168.0.2, eth0, label IPv4 Explicit Null, weight 1, 00:03:32 -O 192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:43 - -Node-2@vyos:~$ show ip route ospf -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure - -O>* 10.1.1.1/32 [110/1] via 192.168.0.1, eth0, label IPv4 Explicit Null, weight 1, 00:03:36 -O 10.1.1.2/32 [110/0] is directly connected, lo, weight 1, 00:03:51 -O 192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:51 -``` diff --git a/docs/configuration/protocols/md-static.md b/docs/configuration/protocols/md-static.md deleted file mode 100644 index bcfad279..00000000 --- a/docs/configuration/protocols/md-static.md +++ /dev/null @@ -1,419 +0,0 @@ -# Static - -Static routes are manually configured routes, which, in general, cannot be -updated dynamically from information VyOS learns about the network topology from -other routing protocols. However, if a link fails, the router will remove -routes, including static routes, from the `RIPB (Routing Information -Base)` that used this interface to reach the next hop. In general, static -routes should only be used for very simple network topologies, or to override -the behavior of a dynamic routing protocol for a small number of routes. The -collection of all routes the router has learned from its configuration or from -its dynamic routing protocols is stored in the RIB. Unicast routes are directly -used to determine the forwarding table used for unicast packet forwarding. - -## IPv4 Unicast Routes - -<div class="cfgcmd"> - -set protocols static route \<subnet\> next-hop \<address\> - -Configure next-hop <span class="title-ref">\<address\></span> for an IPv4 static route. Multiple static -routes can be created. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> next-hop \<address\> disable - -Disable this IPv4 static route entry. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> next-hop \<address\> -distance \<distance\> - -Defines next-hop distance for this route, routes with smaller administrative -distance are elected prior to those with a higher distance. - -Range is 1 to 255, default is 1. - -<div class="note"> - -<div class="title"> - -Note - -</div> - -Routes with a distance of 255 are effectively disabled and not -installed into the kernel. - -</div> - -</div> - -### IPv4 Interface Routes - -<div class="cfgcmd"> - -set protocols static route \<subnet\> interface -\<interface\> - -Allows you to configure the next-hop interface for an interface-based IPv4 -static route. <span class="title-ref">\<interface\></span> will be the next-hop interface where traffic is -routed for the given <span class="title-ref">\<subnet\></span>. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> interface -\<interface\> disable - -Disables interface-based IPv4 static route. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> interface -\<interface\> distance \<distance\> - -Defines next-hop distance for this route, routes with smaller administrative -distance are elected prior to those with a higher distance. - -Range is 1 to 255, default is 1. - -</div> - -### IPv4 BFD - -<div class="cfgcmd"> - -set protocols static route \<subnet\> next-hop \<address\> bfd - -Configure a static route for <span class="title-ref">\<subnet\></span> using gateway <span class="title-ref">\<address\></span> and use the -gateway address as BFD peer destination address. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> next-hop \<address\> -bfd profile \<profile\> - -Configure a static route for <span class="title-ref">\<subnet\></span> using gateway <span class="title-ref">\<address\></span> -and use the gateway address as BFD peer destination address with -BFD profile <span class="title-ref">\<profile\></span>. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> next-hop \<address\> bfd multi-hop -source-address \<source-address\> - -Configure a static route for <span class="title-ref">\<subnet\></span> using gateway <span class="title-ref">\<address\></span> and use the -gateway address as BFD peer destination address with source address -<span class="title-ref">\<source\></span> but initiate a multi-hop session. - -</div> - -### DHCP Interface Routes - -<div class="cfgcmd"> - -set protocols static route \<subnet\> dhcp-interface \<interface\> - -Defines route with DHCP interface supplying next-hop IP address. - -</div> - -### IPv4 Reject Routes - -<div class="cfgcmd"> - -set protocol static route \<subnet\> reject - -Defines route which emits an ICMP unreachable when matched. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> reject distance \<distance\> - -Defines distance for this route, routes with smaller administrative -distance are elected prior to those with a higher distance. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> reject tag \<tag\> - -Sets a tag for this route. - -</div> - -<div class="cfgcmd"> - -set protocol static route6 \<subnet\> reject - -Defines route which emits an ICMP unreachable when matched. - -</div> - -### IPv4 Blackhole Routes - -<div class="cfgcmd"> - -set protocols static route \<subnet\> blackhole - -Use this command to configure a "black-hole" route on the router. A -black-hole route is a route for which the system silently discard packets -that are matched. This prevents networks leaking out public interfaces, but -it does not prevent them from being used as a more specific route inside your -network. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> blackhole distance \<distance\> - -Defines blackhole distance for this route, routes with smaller administrative -distance are elected prior to those with a higher distance. - -</div> - -<div class="cfgcmd"> - -set protocols static route \<subnet\> blackhole tag \<tag\> - -Sets a tag for this route. - -</div> - -## IPv6 Unicast Routes - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> next-hop \<address\> - -Configure next-hop <span class="title-ref">\<address\></span> for an IPv6 static route. Multiple static -routes can be created. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> next-hop \<address\> disable - -Disable this IPv6 static route entry. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> next-hop \<address\> -distance \<distance\> - -Defines next-hop distance for this route, routes with smaller administrative -distance are elected prior to those with a higher distance. - -Range is 1 to 255, default is 1. - -<div class="note"> - -<div class="title"> - -Note - -</div> - -Routes with a distance of 255 are effectively disabled and not -installed into the kernel. - -</div> - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> next-hop \<address\> -segments \<segments\> - -It is possible to specify a static route for ipv6 prefixes using -an SRv6 segments instruction. The <span class="title-ref">/</span> separator can be used to -specify multiple segment instructions. - -Example: - -``` none -set protocols static route6 2001:db8:1000::/36 next-hop 2001:db8:201::ffff segments '2001:db8:aaaa::7/2002::4/2002::3/2002::2' -``` - -``` none -vyos@vyos:~$ show ipv6 route -Codes: K - kernel route, C - connected, S - static, R - RIPng, - O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table, - v - VNC, V - VNC-Direct, A - Babel, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - t - trapped, o - offload failure -C>* 2001:db8:201::/64 is directly connected, eth0.201, 00:00:46 -S>* 2001:db8:1000::/36 [1/0] via 2001:db8:201::ffff, eth0.201, seg6 2001:db8:aaaa::7,2002::4,2002::3,2002::2, weight 1, 00:00:08 -``` - -</div> - -### IPv6 Interface Routes - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> interface -\<interface\> - -Allows you to configure the next-hop interface for an interface-based IPv6 -static route. <span class="title-ref">\<interface\></span> will be the next-hop interface where traffic is -routed for the given <span class="title-ref">\<subnet\></span>. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> interface -\<interface\> disable - -Disables interface-based IPv6 static route. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> interface -\<interface\> distance \<distance\> - -Defines next-hop distance for this route, routes with smaller administrative -distance are elected prior to those with a higher distance. - -Range is 1 to 255, default is 1. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> interface -\<interface\> segments \<segments\> - -It is possible to specify a static route for ipv6 prefixes using -an SRv6 segments instruction. The <span class="title-ref">/</span> separator can be used to -specify multiple segment instructions. - -Example: - -``` none -set protocols static route6 2001:db8:1000::/36 interface eth0 segments '2001:db8:aaaa::7/2002::4/2002::3/2002::2' -``` - -</div> - -### IPv6 BFD - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> next-hop \<address\> bfd - -Configure a static route for <span class="title-ref">\<subnet\></span> using gateway <span class="title-ref">\<address\></span> and use the -gateway address as BFD peer destination address. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> next-hop \<address\> -bfd profile \<profile\> - -Configure a static route for <span class="title-ref">\<subnet\></span> using gateway <span class="title-ref">\<address\></span> -and use the gateway address as BFD peer destination address with -BFD profile <span class="title-ref">\<profile\></span>. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> next-hop \<address\> -bfd multi-hop source-address \<source\> - -Configure a static route for <span class="title-ref">\<subnet\></span> using gateway <span class="title-ref">\<address\></span> and use the -gateway address as BFD peer destination address with source address -<span class="title-ref">\<source\></span> but initiate a multi-hop session. - -</div> - -### IPv6 Reject Routes - -<div class="cfgcmd"> - -set protocol static route6 \<subnet\> reject - -Defines route which emits an ICMP unreachable when matched. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> reject distance \<distance\> - -Defines distance for this route, routes with smaller administrative -distance are elected prior to those with a higher distance. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> reject tag \<tag\> - -Sets a tag for this route. - -</div> - -### IPv6 Blackhole Routes - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> blackhole - -Use this command to configure a "black-hole" route on the router. A -black-hole route is a route for which the system silently discard packets -that are matched. This prevents networks leaking out public interfaces, but -it does not prevent them from being used as a more specific route inside your -network. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> blackhole distance \<distance\> - -Defines blackhole distance for this route, routes with smaller administrative -distance are elected prior to those with a higher distance. - -</div> - -<div class="cfgcmd"> - -set protocols static route6 \<subnet\> blackhole tag \<tag\> - -Sets a tag for this route. - -</div> - -## Alternate Routing Tables - -Alternate routing tables are used with policy based routing by utilizing -`vrf`. diff --git a/docs/configuration/protocols/md-traffic-engineering.md b/docs/configuration/protocols/md-traffic-engineering.md deleted file mode 100644 index 832023a7..00000000 --- a/docs/configuration/protocols/md-traffic-engineering.md +++ /dev/null @@ -1,54 +0,0 @@ -(traffic-engineering)= - -# Traffic Engineering - -Traffic Engineering (TE) is possibility to send traffic from node to node using -alternative path. - -## Common link parameters - -Traffic Engineering parameters are used for both IS-IS and OSPF (not supported yet). - -```{cfgcmd} set protocols traffic-engineering admin-group \<admin-group-name\> bit-position \<bit-position-value\> - -Create Administrative group and assosiate bit position with it. These groups can be -used in the following commands. - -\<bit-position-value\> can have value 0-31. There cannot be two groups with same bit position. -``` - - -```{cfgcmd} set protocols traffic-engineering interface \<ifname\> admin-group \<admin-group-name\> - -Set administrative group for interface \<ifname\>. Multiple values can be provided. -``` - - -```{cfgcmd} set protocols traffic-engineering interface \<ifname\> max-bandwidth \<max-bandwidth-value-mbps\> - -Set maximum bandwidth for interface \<ifname\>. Value given in Mbits per second. -``` - - -```{cfgcmd} set protocols traffic-engineering interface \<ifname\> max-reservable-bandwidth \<max-reservable-bandwidth-value-mbps\> - -Set maximum reservable bandwidth for interface \<ifname\>. Value given in Mbits per second. -``` - -## IS-IS TE Configuration - -Traffic Engineering (TE) can be enabled and exported for IS-IS -using the following commands: - -```{cfgcmd} set protocols isis traffic-engineering enable - -Enable Traffic Engineering for IS-IS. -``` -```{cfgcmd} set protocols isis traffic-engineering export - -Export Traffic Engineering data to neighbors. -``` -```{cfgcmd} set protocols isis traffic-engineering address \<ipv4-address\> - -Configure IPv4 address for MPLS-TE. -```
\ No newline at end of file diff --git a/docs/configuration/service/md-broadcast-relay.md b/docs/configuration/service/md-broadcast-relay.md deleted file mode 100644 index 4202ad6b..00000000 --- a/docs/configuration/service/md-broadcast-relay.md +++ /dev/null @@ -1,70 +0,0 @@ -(udp-broadcast-relay)= - -# UDP Broadcast Relay - -Certain vendors use broadcasts to identify their equipment within one ethernet -segment. Unfortunately if you split your network with multiple VLANs you loose -the ability of identifying your equipment. - -This is where "UDP broadcast relay" comes into play! It will forward received -broadcasts to other configured networks. - -Every UDP port which will be forward requires one unique ID. Currently we -support 99 IDs! - -## Configuration - -```{cfgcmd} set service broadcast-relay id \<n\> description \<description\> - -A description can be added for each and every unique relay ID. This is -useful to distinguish between multiple different ports/applications. -``` - -```{cfgcmd} set service broadcast-relay id \<n\> interface \<interface\> - -The interface used to receive and relay individual broadcast packets. If you -want to receive/relay packets on both `eth1` and `eth2` both interfaces need -to be added. -``` - -```{cfgcmd} set service broadcast-relay id \<n\> address \<ipv4-address\> - -Set the source IP of forwarded packets, otherwise original senders address -is used. -``` - -```{cfgcmd} set service broadcast-relay id \<n\> port \<port\> - -The UDP port number used by your application. It is mandatory for this kind -of operation. -``` - -```{cfgcmd} set service broadcast-relay id \<n\> disable - -Each broadcast relay instance can be individually disabled without deleting -the configured node by using the following command: -``` - -```{cfgcmd} set service broadcast-relay disable - -In addition you can also disable the whole service without the need to remove -it from the current configuration. -``` - -:::{note} -You can run the UDP broadcast relay service on multiple routers -connected to a subnet. There is **NO** UDP broadcast relay packet storm! -::: - -## Example - -To forward all broadcast packets received on `UDP port 1900` on `eth3`, `eth4` -or `eth5` to all other interfaces in this configuration. - -```none -set service broadcast-relay id 1 description 'SONOS' -set service broadcast-relay id 1 interface 'eth3' -set service broadcast-relay id 1 interface 'eth4' -set service broadcast-relay id 1 interface 'eth5' -set service broadcast-relay id 1 port '1900' -``` diff --git a/docs/configuration/service/md-config-sync.md b/docs/configuration/service/md-config-sync.md deleted file mode 100644 index a575f947..00000000 --- a/docs/configuration/service/md-config-sync.md +++ /dev/null @@ -1,164 +0,0 @@ -(config-sync)= - -# Config Sync - -Configuration synchronization (config sync) is a feature of VyOS that -permits synchronization of the configuration of one VyOS router to -another in a network. - -The main benefit to configuration synchronization is that it eliminates having -to manually replicate configuration changes made on the primary router to the -secondary (replica) router. - -The writing of the configuration to the secondary router is performed through -the VyOS HTTP API. The user can specify which portion(s) of the configuration will -be synchronized and the mode to use - whether to replace or add. - -To prevent issues with divergent configurations between the pair of routers, -synchronization is strictly unidirectional from primary to replica. Both -routers should be online and run the same version of VyOS. - -## Configuration - -```{cfgcmd} set service config-sync secondary \<address|key|timeout|port\> - -Specify the address, API key, timeout and port of the secondary router. -You need to enable and configure the HTTP API service on the secondary -router for config sync to operate. -``` - -```{cfgcmd} set service config-sync section \<section\> - -Specify the section of the configuration to synchronize. If more than one -section is to be synchronized, repeat the command to add additional -sections as required. -``` - -```{cfgcmd} set service config-sync mode \<load|set\> - -Two options are available for *mode*: either *load* and replace or *set* -the configuration section. -``` - -```none -Supported options for <section> include: - firewall - interfaces <interface> - nat - nat66 - pki - policy - protocols <protocol> - qos <interface|policy> - service <service> - system <conntrack| - flow-accounting|option|sflow|static-host-mapping|sysctl|time-zone> - vpn - vrf -``` - - -## Operational Commands - -````{opcmd} show configuration secondary sync [commands] [running | candidate | saved] [\<config-node-path\>] - -Display configuration differences between the local node and -a config-sync secondary node. - -This command allows operators to compare configurations across nodes -participating in configuration synchronization (e.g., primary and -secondary routers). It helps detect configuration drift and validate -intended changes before synchronization. - -**Parameters:** - -```{eval-rst} -.. list-table:: - :widths: 30 70 - :header-rows: 0 - - * - ``commands`` (optional) - - Show output as a list of configuration commands instead of raw diff. - * - ``running|candidate|saved`` (optional, mutually exclusive) - - Select which configuration to compare: - ``running`` (current active configuration, default), - ``candidate`` (uncommitted changes), or - ``saved`` (last saved configuration). Only one of these may be - specified at a time; if omitted, ``running`` is used. -``` - -**Examples:** - -:::{code-block} none -# compare full running configuration with a secondary node -show configuration secondary sync - -# compare only interface configuration -show configuration secondary sync running interfaces dummy - -# compare candidate configuration and display as a list of commands -show configuration secondary sync commands candidate -::: -```` - -Without a built-in cross-node diff, operators may unintentionally push -changes that conflict with the remote configuration (e.g., mismatched -interfaces, firewall policies, or protocol settings). - - -## Example - -- Synchronize the time-zone and OSPF configuration from Router A to Router B -- The address of Router B is 10.0.20.112 and the port used is 8443 - -Configure the HTTP API service on Router B - -```none -set service https listen-address '10.0.20.112' -set service https port '8443' -set service https api keys id KID key 'foo' -set service https api rest -``` - -Configure the config-sync service on Router A - -```none -set service config-sync mode 'load' -set service config-sync secondary address '10.0.20.112' -set service config-sync secondary port '8443' -set service config-sync secondary key 'foo' -set service config-sync section protocols 'ospf' -set service config-sync section system 'time-zone' -``` - -Make config-sync relevant changes to Router A's configuration - -```none -vyos@vyos-A# set system time-zone 'America/Los_Angeles' -vyos@vyos-A# commit -INFO:vyos_config_sync:Config synchronization: Mode=load, -Secondary=10.0.20.112 -vyos@vyos-A# save - -vyos@vyos-A# set protocols ospf area 0 network '10.0.48.0/30' -vyos@vyos-A# commit -INFO:vyos_config_sync:Config synchronization: Mode=load, -Secondary=10.0.20.112 -yos@vyos-A# save -``` - -Verify configuration changes have been replicated to Router B - -```none -vyos@vyos-B:~$ show configuration commands | match time-zone -set system time-zone 'America/Los_Angeles' - -vyos@vyos-B:~$ show configuration commands | match ospf -set protocols ospf area 0 network '10.0.48.0/30' -``` - - -## Known issues - -Configuration resynchronization. With the current implementation of *service -config-sync*, the secondary node must be online. diff --git a/docs/configuration/service/md-conntrack-sync.md b/docs/configuration/service/md-conntrack-sync.md deleted file mode 100644 index ec258388..00000000 --- a/docs/configuration/service/md-conntrack-sync.md +++ /dev/null @@ -1,380 +0,0 @@ -# Conntrack Sync - -One of the important features built on top of the Netfilter framework is -connection tracking. Connection tracking allows the kernel to keep track of all -logical network connections or sessions, and thereby relate all of the packets -which may make up that connection. NAT relies on this information to translate -all related packets in the same way, and iptables can use this information to -act as a stateful firewall. - -The connection state however is completely independent of any upper-level -state, such as TCP's or SCTP's state. Part of the reason for this is that when -merely forwarding packets, i.e. no local delivery, the TCP engine may not -necessarily be invoked at all. Even connectionless-mode transmissions such as -UDP, IPsec (AH/ESP), GRE and other tunneling protocols have, at least, a pseudo -connection state. The heuristic for such protocols is often based upon a preset -timeout value for inactivity, after whose expiration a Netfilter connection is -dropped. - -Each Netfilter connection is uniquely identified by a (layer-3 protocol, source -address, destination address, layer-4 protocol, layer-4 key) tuple. The layer-4 -key depends on the transport protocol; for TCP/UDP it is the port numbers, for -tunnels it can be their tunnel ID, but otherwise is just zero, as if it were -not part of the tuple. To be able to inspect the TCP port in all cases, packets -will be mandatorily defragmented. - -It is possible to use either Multicast or Unicast to sync conntrack traffic. -Most examples below show Multicast, but unicast can be specified by using the -"peer" keywork after the specified interface, as in the following example: - -`set service conntrack-sync interface eth0 peer 192.168.0.250` - -## Configuration - -<div class="cfgcmd"> - -set service conntrack-sync accept-protocol - -Accept only certain protocols: You may want to replicate the state of flows -depending on their layer 4 protocol. - -Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync event-listen-queue-size \<size\> - -The daemon doubles the size of the netlink event socket buffer size if it -detects netlink event message dropping. This clause sets the maximum buffer -size growth that can be reached. - -Queue size for listening to local conntrack events in MB. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync expect-sync \<all[|ftp|](##SUBST##|ftp|)h323[|nfs|](##SUBST##|nfs|)sip|sqlnet\> - -Protocol for which expect entries need to be synchronized. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync failover-mechanism vrrp sync-group \<group\> - -Failover mechanism to use for conntrack-sync. - -Only VRRP is supported. Required option. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync ignore-address \<x.x.x.x\> - -IP addresses or networks for which local conntrack entries will not be synced - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync interface \<name\> - -Interface to use for syncing conntrack entries. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync interface \<name\> port \<port\> - -Port number used by connection. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync listen-address \<ipv4address\> - -Local IPv4 addresses for service to listen on. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync mcast-group \<x.x.x.x\> - -Multicast group to use for syncing conntrack entries. - -Defaults to 225.0.0.50. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync interface \<name\> peer \<address\> - -Peer to send unicast UDP conntrack sync entires to, if not using Multicast -configuration from above above. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync sync-queue-size \<size\> - -Queue size for syncing conntrack entries in MB. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync disable-external-cache - -This diable the external cache and directly injects the flow-states into the -in-kernel Connection Tracking System of the backup firewall. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync purge-timeout \<timeout\> - -Timeout (in seconds) for purging synchronized entries on handover events. - -On handover, `conntrackd -t` is invoked, which schedules a conntrack table -flush after `<timeout>` seconds to purge stale (“zombie”) entries and -reduce clashes when multiple handovers occur in a short period. -The default is 60 seconds. - -</div> - -<div class="note"> - -<div class="title"> - -Note - -</div> - -In VRRP stateful firewall deployments, align VRRP timing with this -behavior: because synchronized conntrack state is purged after the purge -timeout, set **VRRP preempt-delay** to ≥ **purge-timeout** so mastership -can be restored before conntrack state is purged. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync disable-syslog - -Disable connection logging via Syslog. - -</div> - -<div class="cfgcmd"> - -set service conntrack-sync startup-resync - -Order conntrackd to request a complete conntrack table resync against -the other node at startup. - -</div> - -## Operation - -<div class="opcmd"> - -show conntrack table ipv4 - -Make sure conntrack is enabled by running and show connection tracking table. - -``` none -vyos@vyos:~$ show conntrack table ipv4 -TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, - FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK, - TW - TIME WAIT, CL - CLOSE, LI - LISTEN - -CONN ID Source Destination Protocol TIMEOUT -1015736576 10.35.100.87:58172 172.31.20.12:22 tcp [6] ES 430279 -1006235648 10.35.101.221:57483 172.31.120.21:22 tcp [6] ES 413310 -1006237088 10.100.68.100 172.31.120.21 icmp [1] 29 -1015734848 10.35.100.87:56282 172.31.20.12:22 tcp [6] ES 300 -1015734272 172.31.20.12:60286 239.10.10.14:694 udp [17] 29 -1006239392 10.35.101.221 172.31.120.21 icmp [1] 29 -``` - -<div class="note"> - -<div class="title"> - -Note - -</div> - -If the table is empty and you have a warning message, it means -conntrack is not enabled. To enable conntrack, just create a NAT or a firewall -rule. `set firewall state-policy established action accept` - -</div> - -</div> - -<div class="opcmd"> - -show conntrack-sync cache external - -Show connection syncing external cache entries - -</div> - -<div class="opcmd"> - -show conntrack-sync cache internal - -Show connection syncing internal cache entries - -</div> - -<div class="opcmd"> - -show conntrack-sync statistics - -Retrieve current statistics of connection tracking subsystem. - -``` none -vyos@vyos:~$ show conntrack-sync statistics -Main Table Statistics: - -cache internal: -current active connections: 19606 -connections created: 6298470 failed: 0 -connections updated: 3786793 failed: 0 -connections destroyed: 6278864 failed: 0 - -cache external: -current active connections: 15771 -connections created: 1660193 failed: 0 -connections updated: 77204 failed: 0 -connections destroyed: 1644422 failed: 0 - -traffic processed: - 0 Bytes 0 Pckts - -multicast traffic (active device=eth0.5): - 976826240 Bytes sent 212898000 Bytes recv - 8302333 Pckts sent 2009929 Pckts recv - 0 Error send 0 Error recv - -message tracking: - 0 Malformed msgs 263 Lost msgs -``` - -</div> - -<div class="opcmd"> - -show conntrack-sync status - -Retrieve current status of connection tracking subsystem. - -``` none -vyos@vyos:~$ show conntrack-sync status -sync-interface : eth0.5 -failover-mechanism : vrrp [sync-group GEFOEKOM] -last state transition : no transition yet! -ExpectationSync : disabled -``` - -</div> - -## Example - -The next example is a simple configuration of conntrack-sync. - -<figure> -<img src="/_static/images/service_conntrack_sync-schema.webp" alt="Conntrack Sync Example" /> -</figure> - -Now configure conntrack-sync service on `router1` **and** `router2` - -``` none -set high-availability vrrp group internal virtual-address ... etc ... -set high-availability vrrp sync-group syncgrp member 'internal' -set service conntrack-sync accept-protocol 'tcp' -set service conntrack-sync accept-protocol 'udp' -set service conntrack-sync accept-protocol 'icmp' -set service conntrack-sync failover-mechanism vrrp sync-group 'syncgrp' -set service conntrack-sync interface 'eth0' -set service conntrack-sync mcast-group '225.0.0.50' -``` - -On the active router, you should have information in the internal-cache of -conntrack-sync. The same current active connections number should be shown in -the external-cache of the standby router - -On active router run: - -``` none -$ show conntrack-sync statistics - -Main Table Statistics: - -cache internal: -current active connections: 10 -connections created: 8517 failed: 0 -connections updated: 127 failed: 0 -connections destroyed: 8507 failed: 0 - -cache external: -current active connections: 0 -connections created: 0 failed: 0 -connections updated: 0 failed: 0 -connections destroyed: 0 failed: 0 - -traffic processed: - 0 Bytes 0 Pckts - -multicast traffic (active device=eth0): - 868780 Bytes sent 224136 Bytes recv - 20595 Pckts sent 14034 Pckts recv - 0 Error send 0 Error recv - -message tracking: - 0 Malformed msgs 0 Lost msgs -``` - -On standby router run: - -``` none -$ show conntrack-sync statistics - -Main Table Statistics: - -cache internal: -current active connections: 0 -connections created: 0 failed: 0 -connections updated: 0 failed: 0 -connections destroyed: 0 failed: 0 - -cache external: -current active connections: 10 -connections created: 888 failed: 0 -connections updated: 134 failed: 0 -connections destroyed: 878 failed: 0 - -traffic processed: - 0 Bytes 0 Pckts - -multicast traffic (active device=eth0): - 234184 Bytes sent 907504 Bytes recv - 14663 Pckts sent 21495 Pckts recv - 0 Error send 0 Error recv - -message tracking: - 0 Malformed msgs 0 Lost msgs -``` diff --git a/docs/configuration/service/md-console-server.md b/docs/configuration/service/md-console-server.md deleted file mode 100644 index 9402e935..00000000 --- a/docs/configuration/service/md-console-server.md +++ /dev/null @@ -1,139 +0,0 @@ -(console-server)= - -# Console Server - -Starting of with VyOS 1.3 (equuleus) we added support for running VyOS as an -Out-of-Band Management device which provides remote access by means of SSH to -directly attached serial interfaces. - -Serial interfaces can be any interface which is directly connected to the CPU -or chipset (mostly known as a ttyS interface in Linux) or any other USB to -serial converter (Prolific PL2303 or FTDI FT232/FT4232 based chips). - -If you happened to use a Cisco NM-16A - Sixteen Port Async Network Module or -NM-32A - Thirty-two Port Async Network Module - this is your VyOS replacement. - -For USB port information please refor to: {ref}`hardware_usb`. - -## Configuration - -Between computers, the most common configuration used was "8N1": eight bit -characters, with one start bit, one stop bit, and no parity bit. Thus 10 Baud -times are used to send a single character, and so dividing the signalling -bit-rate by ten results in the overall transmission speed in characters per -second. This is also the default setting if none of those options are defined. - -```{cfgcmd} set service console-server device \<device\> data-bits [7 | 8] - -Configure either seven or eight data bits. This defaults to eight data -bits if left unconfigured. -``` - - -```{cfgcmd} set service console-server device \<device\> description \<string\> - -A user friendly description identifying the connected peripheral. -``` - - -```{cfgcmd} set service console-server device \<device\> alias \<string\> - -A user friendly alias for this connection. Can be used instead of the -device name when connecting. -``` - - -```{cfgcmd} set service console-server device \<device\> parity [even | odd | none] - -Set the parity option for the console. If unset this will default to none. -``` - - -```{cfgcmd} set service console-server device \<device\> stop-bits [1 | 2] - -Configure either one or two stop bits. This defaults to one stop bits if -left unconfigured. -``` - - -```{cfgcmd} set service console-server device \<device\> speed [ 300 | 1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200 ] - -:::{note} -USB to serial converters will handle most of their work in software -so you should be carefull with the selected baudrate as some times they -can't cope with the expected speed. -::: -``` - -### Remote Access - - -Each individual configured console-server device can be directly exposed to -the outside world. A user can directly connect via SSH to the configured -port. - -```{cfgcmd} set service console-server device \<device\> ssh port \<port\> - -Accept SSH connections for the given `<device>` on TCP port `<port>`. -After successfull authentication the user will be directly dropped to -the connected serial device. - -:::{hint} -Multiple users can connect to the same serial device but only -one is allowed to write to the console port. -::: -``` - -## Operation - -```{opcmd} show console-server ports - -Show configured serial ports and their respective interface configuration. - -:::{code-block} none -vyos@vyos:~$ show console-server ports -usb0b2.4p1.0 on /dev/serial/by-bus/usb0b2.4p1.0@ at 9600n -::: -``` - - -```{opcmd} show console-server user - -Show currently connected users. - -:::{code-block} none -vyos@vyos:~$ show console-server user -usb0b2.4p1.0 up vyos@localhost -::: -``` -```{opcmd} connect console \<device\> - -Locally connect to serial port identified by `<device>`. - -:::{code-block} none -vyos@vyos-r1:~$ connect console usb0b2.4p1.0 -[Enter `^Ec?' for help] -[-- MOTD -- VyOS Console Server] - -vyos-r2 login: -::: - -:::{hint} -Multiple users can connect to the same serial device but only -one is allowed to write to the console port. -::: - -:::{hint} -The sequence ``^Ec?`` translates to: ``Ctrl+E c ?``. To quit -the session use: ``Ctrl+E c .`` -::: - -:::{hint} -If ``alias`` is set, it can be used instead of the device when -connecting. -::: -``` -```{opcmd} show log console-server - -Show the console server log. -```
\ No newline at end of file diff --git a/docs/configuration/service/md-dhcp-relay.md b/docs/configuration/service/md-dhcp-relay.md deleted file mode 100644 index 43ad0e55..00000000 --- a/docs/configuration/service/md-dhcp-relay.md +++ /dev/null @@ -1,225 +0,0 @@ -(dhcp-relay)= - -# DHCP Relay - -If you want your router to forward DHCP requests to an external DHCP server -you can configure the system to act as a DHCP relay agent. The DHCP relay -agent works with IPv4 and IPv6 addresses. - -All interfaces used for the DHCP relay must be configured. This includes the -uplink to the DHCP server. - -## IPv4 relay - -### Configuration - -```{eval-rst} -.. cfgcmd:: set service dhcp-relay interface <interface> - - Interfaces that participate in the DHCP relay process. If this command is - used, at least two entries of it are required: one for the interface that - captures the dhcp-requests, and one for the interface to forward such - requests. A warning message will be shown if this command is used, since - new implementations should use ``listen-interface`` and - ``upstream-interface``. -``` - -```{eval-rst} -.. cfgcmd:: set service dhcp-relay listen-interface <interface> - - Interface for DHCP Relay Agent to listen for requests. -``` - -```{eval-rst} -.. cfgcmd:: set service dhcp-relay upstream-interface <interface> - - Interface for DHCP Relay Agent to forward requests out. -``` - -```{eval-rst} -.. cfgcmd:: set service dhcp-relay server <server> - - Configure IP address of the DHCP `<server>` which will handle the relayed - packets. -``` - -```{eval-rst} -.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packets discard - - The router should discard DHCP packages already containing relay agent - information to ensure that only requests from DHCP clients are forwarded. -``` - -```{eval-rst} -.. cfgcmd:: set service dhcp-relay disable - - Disable dhcp-relay service. -``` - -#### Options - -```{eval-rst} -.. cfgcmd:: set service dhcp-relay relay-options hop-count <count> - - Set the maximum hop `<count>` before packets are discarded. Range 0...255, - default 10. -``` - -```{eval-rst} -.. cfgcmd:: set service dhcp-relay relay-options max-size <size> - - Set maximum `<size>` of DHCP packets including relay agent information. If a - DHCP packet size surpasses this value it will be forwarded without appending - relay agent information. Range 64...1400, default 576. -``` - -```{eval-rst} -.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packets - <append | discard | forward | replace> - - Four policies for reforwarding DHCP packets exist: - - * **append:** The relay agent is allowed to append its own relay information - to a received DHCP packet, disregarding relay information already present - in the packet. - - * **discard:** Received packets which already contain relay information will - be discarded. - - * **forward:** All packets are forwarded, relay information already present - will be ignored. - - * **replace:** Relay information already present in a packet is stripped and - replaced with the router's own relay information set. -``` - -### Example - -- Listen for DHCP requests on interface `eth1`. -- DHCP server is located at IPv4 address 10.0.1.4 on `eth2`. -- Router receives DHCP client requests on `eth1` and relays them to the - server at 10.0.1.4 on `eth2`. - -:::{figure} /_static/images/service_dhcp-relay01.webp -:alt: DHCP relay example -:scale: 80 % - -DHCP relay example -::: - -The generated configuration will look like: - -```none -show service dhcp-relay - listen-interface eth1 - upstream-interface eth2 - server 10.0.1.4 - relay-options { - relay-agents-packets discard - } -``` - -Also, for backwards compatibility this configuration, which uses generic -interface definition, is still valid: - -```none -show service dhcp-relay - interface eth1 - interface eth2 - server 10.0.1.4 - relay-options { - relay-agents-packets discard - } -``` - -### Operation - -```{eval-rst} -.. opcmd:: restart dhcp relay-agent - - Restart DHCP relay service -``` - -## IPv6 relay - -(dhcp-relay-ipv6-configuration)= - -### Configuration - -```{eval-rst} -.. cfgcmd:: set service dhcpv6-relay listen-interface <interface> - - Set eth1 to be the listening interface for the DHCPv6 relay. - - Multiple interfaces may be specified. -``` - -```{eval-rst} -.. cfgcmd:: set service dhcpv6-relay upstream-interface <interface> - address <server> - - Specifies an upstream network `<interface>` from which replies from - `<server>` and other relay agents will be accepted. -``` - -(dhcp-relay-ipv6-options)= - -```{eval-rst} -.. cfgcmd:: set service dhcpv6-relay disable - - Disable dhcpv6-relay service. -``` - -(dhcp-relay-v6-options)= - -#### Options - -```{eval-rst} -.. cfgcmd:: set service dhcpv6-relay max-hop-count <count> - - Set maximum hop count before packets are discarded, default: 10 -``` - -```{eval-rst} -.. cfgcmd:: set service dhcpv6-relay use-interface-id-option - - If this is set the relay agent will insert the interface ID. This option is - set automatically if more than one listening interfaces are in use. -``` - -(dhcp-relay-ipv6-example)= - -### Example - -- DHCPv6 requests are received by the router on `listening interface` `eth1` -- Requests are forwarded through `eth2` as the `upstream interface` -- External DHCPv6 server is at 2001:db8::4 - -:::{figure} /_static/images/service_dhcpv6-relay01.webp -:alt: DHCPv6 relay example -:scale: 80 % - -DHCPv6 relay example -::: - -The generated configuration will look like: - -```none -commit -show service dhcpv6-relay - listen-interface eth1 { - } - upstream-interface eth2 { - address 2001:db8::4 - } -``` - -(dhcp-relay-ipv6-op-cmd)= - -### Operation - -```{eval-rst} -.. opcmd:: restart dhcpv6 relay-agent - - Restart DHCPv6 relay agent immediately. -``` diff --git a/docs/configuration/service/md-dhcp-server.md b/docs/configuration/service/md-dhcp-server.md deleted file mode 100644 index 96c375da..00000000 --- a/docs/configuration/service/md-dhcp-server.md +++ /dev/null @@ -1,1178 +0,0 @@ -(dhcp-server)= - -# DHCP Server - -VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment. - -## IPv4 server - -The network topology is declared by shared-network-name and the subnet -declarations. The DHCP service can serve multiple shared networks, with each -shared network having 1 or more subnets. Each subnet must be present on an -interface. A range can be declared inside a subnet to define a pool of dynamic -addresses. Multiple ranges can be defined and can contain holes. Static -mappings can be set to assign "static" addresses to clients based on their MAC -address. - -### Configuration - -```{cfgcmd} set service dhcp-server hostfile-update - - Create DNS record per client lease, by adding clients to /etc/hosts file. - Entry will have format: `<shared-network-name>_<hostname>.<domain-name>` -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> option domain-name \<domain-name\> - -The domain-name parameter should be the domain name that will be appended to -the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP -Option 015). - -This is the configuration parameter for the entire shared network definition. -All subnets will inherit this configuration item if not specified locally. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> option domain-search \<domain-name\> - -The domain-name parameter should be the domain name used when completing DNS -request where no full FQDN is passed. This option can be given multiple times -if you need multiple search domains (DHCP Option 119). - -This is the configuration parameter for the entire shared network definition. -All subnets will inherit this configuration item if not specified locally. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> option name-server \<address\> - -Inform client that the DNS server can be found at `<address>`. - -This is the configuration parameter for the entire shared network definition. -All subnets will inherit this configuration item if not specified locally. -Multiple DNS servers can be defined. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> option vendor-option \<option-name\> - -This configuration parameter lets you specify a vendor-option for the -entire shared network definition. All subnets will inherit this -configuration item if not specified locally. An example for Ubiquiti is -shown below: -``` - -**Example:** - - -Pass address of Unifi controller at `172.16.100.1` to all clients of `NET1` - -```none -set service dhcp-server shared-network-name 'NET1' option vendor-option -ubiquiti '172.16.100.1' -``` - - -```{cfgcmd} set service dhcp-server listen-address \<address\> - -This configuration parameter lets the DHCP server to listen for DHCP -requests sent to the specified address, it is only realistically useful for -a server whose only clients are reached via unicasts, such as via DHCP relay -agents. -``` - -#### Individual Client Subnet - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> authoritative - -This says that this device is the only DHCP server for this network. If other -devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to -any device trying to request an IP address that is not valid for this -network. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> subnet-id \<id\> - -This configuration parameter is required and must be unique to each subnet. -It is required to map subnets to lease file entries. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> option default-router \<address\> - -This is a configuration parameter for the `<subnet>`, saying that as part of -the response, tell the client that the default gateway can be reached at -`<address>`. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> option name-server \<address\> - -This is a configuration parameter for the subnet, saying that as part of the -response, tell the client that the DNS server can be found at `<address>`. - -Multiple DNS servers can be defined. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> lease \<time\> - -Assign the IP address to this machine for `<time>` seconds. - -The default value is 86400 seconds which corresponds to one day. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> range \<n\> start \<address\> - -Create DHCP address range with a range id of `<n>`. DHCP leases are taken -from this pool. The pool starts at address `<address>`. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> range \<n\> stop \<address\> - -Create DHCP address range with a range id of `<n>`. DHCP leases are taken -from this pool. The pool stops with address `<address>`. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> exclude \<address\> - -Always exclude this address from any defined range. This address will never -be assigned by the DHCP server. - -This option can be specified multiple times. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> option domain-name \<domain-name\> - -The domain-name parameter should be the domain name that will be appended to -the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP -Option 015). -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> option domain-search \<domain-name\> - -The domain-name parameter should be the domain name used when completing DNS -request where no full FQDN is passed. This option can be given multiple times -if you need multiple search domains (DHCP Option 119). -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> option vendor-option \<option-name\> - -This configuration parameter lets you specify a vendor-option for the -subnet specified within the shared network definition. An example for -Ubiquiti is shown below: -``` - -**Example:** - - -Create `172.18.201.0/24` as a subnet within `NET1` and pass address of -Unifi controller at `172.16.100.1` to clients of that subnet. - -```none -set service dhcp-server shared-network-name 'NET1' subnet -'172.18.201.0/24' option vendor-option ubiquiti '172.16.100.1' -``` - -#### Dynamic DNS Update (RFC 2136) - - -VyOS DHCP service supports RFC-2136 DDNS protocol. Based on DHCP lease change -events, DHCP server generates DDNS update requests (defines as NameChangeRequests -or NCRs) and posts them to a compliant DNS server, that will update its name -database accordingly. - - -VyOS built-in DNS Forwarder does not support DDNS, you will need an external DNS -server with RFC-2136 DDNS support. - -```{cfgcmd} set service dhcp-server dynamic-dns-update - -Enables DDNS globally. -``` - -**Behavioral settings** - - -These settings can be configured on the global level and overridden on the scope -level, i.e. for individual shared networks or subnets. See examples below. - -```{cfgcmd} set service dhcp-server dynamic-dns-update send-updates [ enable | disable ] - -If set to ``enable`` on global level, updates for all scopes will be enabled, -except if explicitly set to ``disable`` on the scope level. If set to ``disable``, -updates will only be sent for scopes, where ``send-updates`` is explicity -set to ``enable``. - -This model is followed for a few behavioral settings below: if the option is -not set, the setting is inherited from the parent scope. You can override the -parent scope setting by setting the option explicitly. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update override-no-update [ enable | disable ] - -VyOS will ignore client request not to update DNS records and send DDNS -update requests regardless. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update override-client-update [ enable | disable ] - -VyOS will override client DDNS request settings and always update both -forward and reverse DNS records. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update update-on-renew [ enable | disable ] - -Issue DDNS update requests on DHCP lease renew. In busy networks this may -generate a lot of traffic. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update conflict-resolution [ enable | disable ] - -Use RFC-4703 conflict resolution. This algorithm helps in situation when -multiple clients reserve same IP addresses or advertise identical hostnames. -Should be used in most situations. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update replace-client-name [ never | always | when-present | when-not-present ] - -* **never**: use the name sent by the client. If the client didn't provide any, -do not generate one. This is the default behavior - -* **always**: always generate a name for the client - -* **when-present**: replace the name the client sent with a generated one, if -the client didn't send any, do not generate one - -* **when-not-present**: use the name sent by the client. If the client didn't -send any, generate one for the client - -The names are generated using ``generated-prefix``, ``qualifying-suffix`` and the -client's IP address string. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update generated-prefix \<prefix\> - -Prefix used in client name generation. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update qualifying-suffix \<suffix\> - -DNS suffix used in client name generation. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update ttl-percent \<0-100\> - -TTL of the DNS record as a percentage of the DHCP lease time. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update hostname-char-set \<character string\> - -Characters, that are considered invalid in the client name. They will be replaced -with ``hostname-char-replacement`` string. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update hostname-char-replacement \<character string\> - -Replacement string for the invalid characters defined by ``hostname-char-set``. -``` - -**TSIG keys definition** - - -This is the global list of TSIG keys for DDNS updates. They need to be specified by -the name in the DNS domain definitions. - -```{cfgcmd} set service dhcp-server dynamic-dns-update tsig-key \<key-name\> algorithm \<algorithm\> - -Sets the algorithm for the TSIG key. Supported algorithms are ``hmac-md5``, -``hmac-sha1``, ``hmac-sha224``, ``hmac-sha256``, ``hmac-sha384``, ``hmac-sha512`` -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update tsig-key \<key-name\> secret \<key-secret\> - -base64-encoded TSIG key secret value -``` - -**DNS domains definition** - - -This is global configuration of DNS servers for the updatable forward and reverse -DNS domains. For every domain multiple DNS servers can be specified. - -```{cfgcmd} set service dhcp-server dynamic-dns-update [forward|reverse]-domain \<domain-name\> key-name \<tsig-key-name\> - -TSIG key used for the domain. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update [forward|reverse]-domain \<domain-name\> dns-server \<number\> address \<ip-address\> - -IP address of the DNS server. -``` - - -```{cfgcmd} set service dhcp-server dynamic-dns-update [forward|reverse]-domain \<domain-name\> dns-server \<number\> port \<port\> - -UDP port of the DNS server. ``53`` is the default. -``` - -**Example:** - - -Global configuration you will most likely want: - -```none -set service dhcp-server dynamic-dns-update send-updates enable -set service dhcp-server dynamic-dns-update conflict-resolution enable -``` - -Override the above configuration for a shared network NET1: - -```none -set service dhcp-server shared-network-name 'NET1' dynamic-dns-update replace-client-name when-not-present -set service dhcp-server shared-network-name 'NET1' dynamic-dns-update generated-prefix ip -set service dhcp-server shared-network-name 'NET1' dynamic-dns-update qualifying-suffix mybigdomain.net -``` - -And in a subnet within the same shared network: - -```none -set service dhcp-server shared-network-name 'NET1' subnet '172.18.201.0/24' dynamic-dns-update qualifying-suffix mydomain.net -``` - -Configure TSIG keys: - -```none -set service dhcp-server dynamic-dns-update tsig-key mydomain-net algorithm hmac-sha256 -set service dhcp-server dynamic-dns-update tsig-key mydomain-net secret eWF5YW15bGl0dGxla2V5IQ== -set service dhcp-server dynamic-dns-update tsig-key reverse-172-18-201 algorithm hmac-sha256 -set service dhcp-server dynamic-dns-update tsig-key reverse-172-18-201 secret eWF5YW15YW5vdGhlcmxpdHRsZWtleSE= -``` - -Configure DDNS domains: - -```none -set service dhcp-server dynamic-dns-update forward-domain mydomain.net key-name mydomain-net -set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 1 address '172.18.0.254' -set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 1 port 1053 -set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 2 address '192.168.124.254' -set service dhcp-server dynamic-dns-update forward-domain mydomain.net dns-server 2 port 53 -set service dhcp-server dynamic-dns-update forward-domain 201.18.172.in-addr.arpa key-name reverse-172-18-201 -set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 1 address '172.18.0.254' -set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 1 port 1053 -set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 2 address '192.168.124.254' -set service dhcp-server dynamic-dns-update reverse-domain 201.18.172.in-addr.arpa dns-server 2 port 53 -``` - -#### High Availability - - -VyOS provides High Availability support for DHCP server. DHCP High -Availability can act in two different modes: - - -- **Active-active**: both DHCP servers will respond to DHCP requests. If - `mode` is not defined, this is the default behavior. -- **Active-passive**: only `primary` server will respond to DHCP requests. - If this server goes offline, then `secondary` server will take place. - - -DHCP High Availability must be configured explicitly by the following -statements on both servers: - -```{cfgcmd} set service dhcp-server high-availability mode [active-active | active-passive] - -Define operation mode of High Availability feature. Default value if command -is not specified is `active-active` -``` - - -```{cfgcmd} set service dhcp-server high-availability source-address \<address\> - -Local IP `<address>` used when communicating to the HA peer. -``` - - -```{cfgcmd} set service dhcp-server high-availability remote \<address\> - -Remote peer IP `<address>` of the second DHCP server in this HA -cluster. -``` - - -```{cfgcmd} set service dhcp-server high-availability name \<name\> - -Define the name of the peer server to establish and identify the HA (High Availability) connection. - -:::{note} -Make sure the specified value does not conflict with the system host-name. -::: -``` - - -```{cfgcmd} set service dhcp-server high-availability status \<primary | secondary\> - -The primary and secondary statements determines whether the server is primary -or secondary. - -:::{note} -In order for the primary and the secondary DHCP server to keep -their lease tables in sync, they must be able to reach each other on TCP -port 647. If you have firewall rules in effect, adjust them accordingly. -::: -:::{hint} -The dialogue between HA partners is neither encrypted nor -authenticated. Since most DHCP servers exist within an organisation's own -secure Intranet, this would be an unnecessary overhead. However, if you -have DHCP HA peers whose communications traverse insecure networks, -then we recommend that you consider the use of VPN tunneling between them -to ensure that the HA partnership is immune to disruption -(accidental or otherwise) via third parties. -::: -``` - -#### Static mappings - - -You can specify a static DHCP assignment on a per host basis. You will need the -MAC address of the station and your desired IP address. The address must be -inside the subnet definition but can be outside of the range statement. - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> static-mapping \<description\> mac \<address\> - -Create a new DHCP static mapping named `<description>` which is valid for -the host identified by its MAC `<address>`. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> static-mapping \<description\> duid \<identifier\> - -Create a new DHCP static mapping named `<description>` which is valid for -the host identified by its DHCP unique identifier (DUID) `<identifier>`. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<name\> subnet \<subnet\> static-mapping \<description\> ip-address \<address\> - -Static DHCP IP address assign to host identified by `<description>`. IP -address must be inside the `<subnet>` which is defined but can be outside -the dynamic range created with {cfgcmd}`set service dhcp-server -shared-network-name <name> subnet <subnet> range <n>`. If no ip-address is -specified, an IP from the dynamic pool is used. - -This is useful, for example, in combination with hostfile update. - -:::{hint} -This is the equivalent of the host block in dhcpd.conf of -isc-dhcpd. -::: -``` - -**Example:** - - -- IP address `192.168.1.100` shall be statically mapped to client named `client1` - -```none -set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1 -set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 -set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac aa:bb:11:22:33:00 -``` - -The configuration will look as follows: - -```none -show service dhcp-server shared-network-name NET1 - subnet 192.168.1.0/24 { - static-mapping client1 { - ip-address 192.168.1.100 - mac aa:bb:11:22:33:00 - } - subnet-id 1 - } -``` - -#### Relay agent information (Option 82) - - -Some DHCP relays support the injection of information into a DHCP request, depending on -where the request originated from. This is commonly used to determine the -behaviour of the DHCP server, based on the port/switch combination where the -request was first detected. I.e. the device plugged into a particular port (or -set of ports) always gets the same IP address (or range of IP addresses). This -information is usually included in the request using Option 82, hence this -is what we call this part of the configuration. - - -This behaviour is controlled in two parts. First, "client classes" are defined -which determine which inputs match. Once a positive match has been found the -request is "tagged" with this client class. Second, when the DHCP server -processes the request it checks to see if the configuration has a client class -defined. If it does then that part of the configuration will override the others - - -Client classes can be applied at either the subnet or range level, depending on -how you want the server to behave. - - -**Client Class definition** - -```{cfgcmd} set service dhcp-server client-class \<name\> relay-agent-information circuit-id \<value\> - -Create a new client class (if not already defined) and set it to match on -the "Circuit ID" part of the Option 82 field in the DHCP request. This is -sub option "1" as specified by RFC 3046. The value specified here is either -interpreted as a raw hex value, if it starts with the prefix 0x, or ASCII text -otherwise. e.g. ``e1-5`` and ``0x65312d35`` are the same -``` - - -```{cfgcmd} set service dhcp-server client-class \<name\> relay-agent-information remote-id \<value\> - -Create a new client class (if not already defined) and set it to match on -the "Remote ID" part of the Option 82 field in the DHCP request. This is -sub option "2" as specified by RFC 3046. The value specified here is either -interpreted as a raw hex value, if it starts with the prefix 0x, or ASCII text -otherwise. e.g. ``10.100.0.41`` and ``0x31302e3130302e302e3431`` are the -same -``` - -**Client Class application** - -```{cfgcmd} set service dhcp-server shared-network-name \<subnet-name\> subnet \<CIDR\> client-class \<class-name\> - -Applies the Client Class with the name `<class-name>` to the subnet `<subnet-name>`. -This means that whenever the client class matches a request it is always -routed to this subnet definition first. -``` - - -```{cfgcmd} set service dhcp-server shared-network-name \<subnet-name\> subnet \<CIDR\> range \<range-name\> client-class \<class-name\> - -Applies the Client Class with the name `<class-name>` to the range -`<range-name>` which belongs to subnet `<subnet-name>`. This means that whenever the -client class matches a request it is always routed to this range definition -first. -``` - -NB: Kea (the DHCP server used by VyOS) is programmed to offer as many -alternatives as it can to repeated DHCP Discover requests. Some operating -systems (Notably Microsoft Windows) make multiple DHCP Discover requests before -settling on an address. This particularly seems to happen when the DHCP server -isn't set to authorative. This may explain why the address you espect isn't -being chosen. Wireshark is helpful in these situations. - - -**Example:** - - -The following configuration example will classify requests coming in on port -`e1-5` from DHCP Relay `192.0.2.1` and make sure that they are allocated the -address `192.0.2.4`. Any requests which do not match the circuit and remote ID -will, instead, be allocated from the range otherRange in the usual manner. - - -NB: Both the Circuit ID and Remote ID fields are arbitrary free text. *Most* -switches set the Remote ID to the IP address of the management interface but -that should not be relied upon. Check the documentation of your DHCP Relay for -more detail or, as a measure of last resort, inspect the DHCP requests in -Wireshark. - -```none -service { - dhcp-server { - client-class className { - relay-agent-information { - circuit-id e1-5 - remote-id 192.0.2.1 - } - } - shared-network-name test { - subnet 192.0.2.0/24 { - range classNameRange { - client-class className - start 192.0.2.4 - stop 192.0.2.4 - } - range otherRange { - start 192.0.2.5 - stop 192.0.2.100 - } - subnet-id 1 - } - } - } -} -``` - -### Options - - -:::{list-table} -:header-rows: 1 -:stub-columns: 0 -:widths: 12 7 23 40 20 - -* - Setting name - - Option number - - ISC-DHCP Option name - - Option description - - Multi -* - client-prefix-length - - 1 - - subnet-mask - - Specifies the clients subnet mask as per RFC 950. If unset, - subnet declaration is used. - - N -* - time-offset - - 2 - - time-offset - - Offset of the client's subnet in seconds from Coordinated - Universal Time (UTC) - - N -* - default-router - - 3 - - routers - - IPv4 address of router on the client's subnet - - N -* - time-server - - 4 - - time-servers - - RFC 868 time server IPv4 address - - Y -* - name-server - - 6 - - domain-name-servers - - DNS server IPv4 address - - Y -* - domain-name - - 15 - - domain-name - - Client domain name - - Y -* - ip-forwarding - - 19 - - ip-forwarding - - Enable IP forwarding on client - - N -* - ntp-server - - 42 - - ntp-servers - - IP address of NTP server - - Y -* - wins-server - - 44 - - netbios-name-servers - - NetBIOS over TCP/IP name server - - Y -* - server-identifier - - 54 - - dhcp-server-identifier - - IP address for DHCP server identifier - - N -* - bootfile-server - - siaddr - - next-server - - IPv4 address of next bootstrap server - - N -* - tftp-server-name - - 66 - - tftp-server-name - - Name or IPv4 address of TFTP server - - N -* - bootfile-name - - 67 - - bootfile-name, filename - - Bootstrap file name - - N -* - bootfile-size - - 13 - - boot-size - - Boot image length in 512-octet blocks - - N -* - smtp-server - - 69 - - smtp-server - - IP address of SMTP server - - Y -* - pop-server - - 70 - - pop-server - - IP address of POP3 server - - Y -* - domain-search - - 119 - - domain-search - - Client domain search - - Y -* - static-route - - 121, 249 - - rfc3442-static-route, windows-static-route - - Classless static route - - N -* - wpad-url - - 252 - - wpad-url, wpad-url code 252 = text - - Web Proxy Autodiscovery (WPAD) URL - - N -* - lease - - - - default-lease-time, max-lease-time - - Lease timeout in seconds (default: 86400) - - N -* - range - - - - range - - DHCP lease range - - Y -* - exclude - - - - - - IP address to exclude from DHCP lease range - - Y -* - failover - - - - - - DHCP failover parameters - - -* - static-mapping - - - - - - Name of static mapping - - Y -::: - - -Multi: can be specified multiple times. - - -### Example - - -Please see the {ref}`dhcp-dns-quick-start` configuration. - - -(dhcp-server-v4-example-failover)= - - -#### High Availability - - -Configuration of a DHCP HA pair: - - -- Setup DHCP HA for network 192.0.2.0/24 -- Use active-active HA mode. -- Default gateway and DNS server is at `192.0.2.254` -- The primary DHCP server named dhcp-primary uses address `192.168.189.252` -- The secondary DHCP server with named dhcp-secondary uses address `192.168.189.253` -- DHCP range spans from `192.168.189.10` - `192.168.189.250` - - -Common configuration, valid for both primary and secondary node. - -```none -set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option default-router '192.0.2.254' -set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option name-server '192.0.2.254' -set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net' -set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10' -set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' -set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 subnet-id '1' -``` - -**Primary** - -```none -set service dhcp-server high-availability mode 'active-active' -set service dhcp-server high-availability source-address '192.168.189.252' -set service dhcp-server high-availability name 'dhcp-secondary' -set service dhcp-server high-availability remote '192.168.189.253' -set service dhcp-server high-availability status 'primary' -``` - -**Secondary** - -```none -set service dhcp-server high-availability mode 'active-active' -set service dhcp-server high-availability source-address '192.168.189.253' -set service dhcp-server high-availability name 'dhcp-primary' -set service dhcp-server high-availability remote '192.168.189.252' -set service dhcp-server high-availability status 'secondary' -``` - -(dhcp-server-v4-example-raw)= - - -### Operation Mode - -```{opcmd} show log dhcp server - -Show DHCP server daemon log file -``` - - -```{opcmd} show log dhcp client - -Show logs from all DHCP client processes. -``` - - -```{opcmd} show log dhcp client interface \<interface\> - -Show logs from specific `interface` DHCP client process. -``` - - -```{opcmd} restart dhcp server - -Restart the DHCP server -``` - - -```{opcmd} show dhcp server statistics - -Show the DHCP server statistics: -``` - - -```none -vyos@vyos:~$ show dhcp server statistics -Pool Size Leases Available Usage ------------ ------ -------- ----------- ------- -dhcpexample 99 2 97 2% -``` - - -```{opcmd} show dhcp server statistics pool \<pool\> - -Show the DHCP server statistics for the specified pool. -``` - - -```{opcmd} show dhcp server leases - -Show statuses of all active leases: -``` - - -```none -vyos@vyos:~$ show dhcp server leases -IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin --------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- -------- -192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:24:10 LAN VPCS1 local -192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:43 LAN VYOS-6 local -10.11.11.108 50:00:00:05:00:00 active 2023/11/29 09:51:43 2023/11/29 10:21:43 0:24:48 VIF-1001 VYOS5 local -192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote -vyos@vyos:~$ -``` - -:::{hint} -Static mappings aren't shown. To show all states, use -`show dhcp server leases state all`. -::: - -```{opcmd} show dhcp server leases origin [local | remote] - -Show statuses of all active leases granted by local (this server) or -remote (failover server): -``` - - -```none -vyos@vyos:~$ show dhcp server leases origin remote -IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin --------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- -------- -192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote -vyos@vyos:~$ -``` - - -```{opcmd} show dhcp server leases pool \<pool\> - -Show only leases in the specified pool. -``` - - -```none -vyos@vyos:~$ show dhcp server leases pool LAN -IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin --------------- ----------------- ------- ------------------- ------------------- ----------- ------ ---------- -------- -192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:23:55 LAN VPCS1 local -192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:28 LAN VYOS-6 local -vyos@vyos:~$ -``` - - -```{opcmd} show dhcp server leases sort \<key\> - -Sort the output by the specified key. Possible keys: ip, hardware_address, -state, start, end, remaining, pool, hostname (default = ip) -``` - - -```{opcmd} show dhcp server leases state \<state\> - -Show only leases with the specified state. Possible states: all, active, -free, expired, released, abandoned, reset, backup (default = active) -``` - -## IPv6 server - -VyOS also provides DHCPv6 server functionality which is described in this -section. -(dhcp-server-v6-config)= - -### Configuration - -```{cfgcmd} set service dhcpv6-server preference \<preference value\> - - Clients receiving advertise messages from multiple servers choose the server - with the highest preference value. The range for this value is ``0...255``. -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<subnet\> subnet-id \<id\> - -This configuration parameter is required and must be unique to each subnet. -It is required to map subnets to lease file entries. -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> lease-time {default | maximum | minimum} - -The default lease time for DHCPv6 leases is 24 hours. This can be changed by -supplying a ``default-time``, ``maximum-time`` and ``minimum-time``. All -values need to be supplied in seconds. -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> option nis-domain \<domain-name\> - -A {abbr}`NIS (Network Information Service)` domain can be set to be used for -DHCPv6 clients. -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> option nisplus-domain \<domain-name\> - -The procedure to specify a {abbr}`NIS+ (Network Information Service Plus)` -domain is similar to the NIS domain one: -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> option nis-server \<address\> - -Specify a NIS server address for DHCPv6 clients. -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> option nisplus-server \<address\> - -Specify a NIS+ server address for DHCPv6 clients. -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> option sip-server \<address | fqdn\> - -Specify a {abbr}`SIP (Session Initiation Protocol)` server by IPv6 -address of Fully Qualified Domain Name for all DHCPv6 clients. -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> option sntp-server-address \<address\> - -A SNTP server address can be specified for DHCPv6 clients. -``` - -#### Prefix Delegation - - -To hand out individual prefixes to your clients the following configuration is -used: - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> prefix-delegation prefix \<pd-prefix\> prefix-length \<lenght\> - -Delegate prefixes from `<pd-prefix>` to clients in subnet `<prefix>`. Range -is defined by `<lenght>` in bits, 32 to 64. -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> prefix-delegation prefix \<pd-prefix\> delegated-length \<lenght\> - -Hand out prefixes of size `<length>` in bits from `<pd-prefix>` to clients -in subnet `<prefix>` when the request for prefix delegation. -``` - - -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> prefix-delegation prefix \<pd-prefix\> excluded-prefix \<exclude-prefix\> - -Exclude `<exclude-prefix>` from `<pd-prefix>`. -``` -```{cfgcmd} set service dhcpv6-server shared-network-name \<name\> subnet \<prefix\> prefix-delegation prefix \<pd-prefix\> excluded-prefix-length \<length\> - -Define lenght of exclude prefix in `<pd-prefix>`. -``` - -**Example:** -- A shared network named `PD-NET` serves subnet `2001:db8::/64`. -- It is connected to `eth1`. -- Address pool shall be `2001:db8::100` through `2001:db8::199`. -- It hands out prefixes `2001:db8:0:10::/64` through `2001:db8:0:1f::/64`. - -```none -set service dhcpv6-server shared-network-name 'PD-NET' interface 'eth1' -set service dhcpv6-server shared-network-name 'PD-NET' subnet 2001:db8::/64 range 1 start 2001:db8::100 -set service dhcpv6-server shared-network-name 'PD-NET' subnet 2001:db8::/64 range 1 stop 2001:db8::199 -set service dhcpv6-server shared-network-name 'PD-NET' subnet 2001:db8::/64 prefix-delegation prefix 2001:db8:0:10:: delegated-length '64' -set service dhcpv6-server shared-network-name 'PD-NET' subnet 2001:db8::/64 prefix-delegation prefix 2001:db8:0:10:: prefix-length '60' -set service dhcpv6-server shared-network-name 'PD-NET' subnet 2001:db8::/64 subnet-id 1 -``` - -#### Address pools - -DHCPv6 address pools must be configured for the system to act as a DHCPv6 -server. The following example describes a common scenario. - -**Example:** -- A shared network named `NET1` serves subnet `2001:db8::/64` -- It is connected to `eth1` -- DNS server is located at `2001:db8::ffff` -- Address pool shall be `2001:db8::100` through `2001:db8::199`. -- Lease time will be left at the default value which is 24 hours - -```none -set service dhcpv6-server shared-network-name 'NET' interface 'eth1' -set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 start 2001:db8::100 -set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 stop 2001:db8::199 -set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 option name-server 2001:db8::ffff -set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1 -``` - -The configuration will look as follows: - -```none -show service dhcpv6-server - shared-network-name NET1 { - subnet 2001:db8::/64 { - range 1 { - start 2001:db8::100 - stop 2001:db8::199 - } - option { - name-server 2001:db8::ffff - } - subnet-id 1 - } - } -``` - -(dhcp-server-v6-static-mapping)= - -#### Static mappings - -In order to map specific IPv6 addresses to specific hosts static mappings can -be created. The following example explains the process. - -**Example:** -- IPv6 address `2001:db8::101` shall be statically mapped -- IPv6 prefix `2001:db8:0:101::/64` shall be statically mapped -- Host specific mapping shall be named `client1` - -:::{hint} -The identifier is the device's DUID: colon-separated hex list (as -used by isc-dhcp option dhcpv6.client-id). If the device already has a -dynamic lease from the DHCPv6 server, its DUID can be found with `show -service dhcpv6 server leases`. The DUID begins at the 5th octet (after the -4th colon) of IAID_DUID. -::: -```none -set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-address 2001:db8::101 -set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-prefix 2001:db8:0:101::/64 -set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff -``` - -The configuration will look as follows: - -```none -show service dhcpv6-server shared-network-name NET1 - subnet 2001:db8::/64 { - static-mapping client1 { - duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff - ipv6-address 2001:db8::101 - ipv6-prefix 2001:db8:0:101::/64 - } - } -``` - -(dhcp-server-v6-op-cmd)= - -### Operation Mode - -```{opcmd} show log dhcpv6 server - -Show DHCPv6 server daemon log file -``` -```{opcmd} show log dhcpv6 client - -Show logs from all DHCPv6 client processes. -``` -```{opcmd} show log dhcpv6 client interface \<interface\> - -Show logs from specific `interface` DHCPv6 client process. -``` -```{opcmd} restart dhcpv6 server - -To restart the DHCPv6 server -``` -```{opcmd} show dhcpv6 server leases - -Shows status of all assigned leases: -``` -```none -vyos@vyos:~$ show dhcpv6 server leases -IPv6 address State Last communication Lease expiration Remaining Type Pool DUID ----------------- ------- -------------------- ------------------- ----------- ----- -------- -------------------------------------------- -2001:db8::101 active 2019/12/05 19:40:10 2019/12/06 07:40:10 11:45:21 IA_NA NET1 98:76:54:32:00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff -2001:db8::102 active 2019/12/05 14:01:23 2019/12/06 02:01:23 6:06:34 IA_NA NET1 87:65:43:21:00:01:00:01:11:22:33:44:fa:fb:fc:fd:fe:ff -2001:db8:10::/64 active 2019/12/05 23:20:10 2019/12/06 11:40:10 11:45:21 IA_PD PD-NET1 98:76:54:32:00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff -``` - -:::{hint} -Static mappings aren't shown. To show all states, use `show dhcp -server leases state all`. -::: - -```{opcmd} show dhcpv6 server leases pool \<pool\> - -Show only leases in the specified pool. -``` -```{opcmd} show dhcpv6 server leases sort \<key\> - -Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, -last_comm, pool, remaining, state, type (default = ip) -``` -```{opcmd} show dhcpv6 server leases state \<state\> - -Show only leases with the specified state. Possible states: abandoned, -active, all, backup, expired, free, released, reset (default = active) -```
\ No newline at end of file diff --git a/docs/configuration/service/md-dns.md b/docs/configuration/service/md-dns.md deleted file mode 100644 index e7e9b457..00000000 --- a/docs/configuration/service/md-dns.md +++ /dev/null @@ -1,582 +0,0 @@ -(dns-forwarding)= - -# DNS Forwarding - -## Configuration - -VyOS provides DNS infrastructure for small networks. It is designed to be -lightweight and have a small footprint, suitable for resource constrained -routers and firewalls. For this we utilize PowerDNS recursor. - -The VyOS DNS forwarder does not require an upstream DNS server. It can serve as -a full recursive DNS server - but it can also forward queries to configurable -upstream DNS servers. By not configuring any upstream DNS servers you also -avoid being tracked by the provider of your upstream DNS server. - -```{cfgcmd} set service dns forwarding system - - Forward incoming DNS queries to the DNS servers configured under the ``system - name-server`` nodes. -``` - - -```{cfgcmd} set service dns forwarding dhcp \<interface\> - -Interfaces whose DHCP client nameservers to forward requests to. -``` - - -```{cfgcmd} set service dns forwarding name-server \<address\> port \<port\> - -Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>` -on optional port specified under `<port>`. The port defaults to 53. You can -configure multiple nameservers here. -``` - - -```{cfgcmd} set service dns forwarding domain \<domain-name\> name-server \<address\> - -Forward received queries for a particular domain -(specified via `domain-name`) to a given nameserver. Multiple nameservers -can be specified. You can use this feature for a DNS split-horizon -configuration. - -:::{note} -This also works for reverse-lookup zones (``18.172.in-addr.arpa``). -::: -``` - - -```{cfgcmd} set service dns forwarding domain \<domain-name\> addnta - -Add NTA (negative trust anchor) for this domain. This must be set if the -domain does not support DNSSEC. -``` - - -```{cfgcmd} set service dns forwarding domain \<domain-name\> recursion-desired - -Set the "recursion desired" bit in requests to the upstream nameserver. -``` - - -```{cfgcmd} set service dns forwarding allow-from \<network\> - -Given the fact that open DNS recursors could be used on DDoS amplification -attacks, you must configure the networks which are allowed to use this -recursor. A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and -IPv6 networks to query this server. This is generally a bad idea. -``` - - -```{cfgcmd} set service dns forwarding dnssec \<off | process-no-validate | process | log-fail | validate\> - -The PowerDNS recursor has 5 different levels of DNSSEC processing, which can -be set with the dnssec setting. In order from least to most processing, these -are: - -* **off** In this mode, no DNSSEC processing takes place. The recursor will -not set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the -DO and AD bits in queries. - -* **process-no-validate** In this mode the recursor acts as a "security -aware, non-validating" nameserver, meaning it will set the DO-bit on -outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to -clients that ask for them (by means of a DO-bit in the query), except for -zones provided through the auth-zones setting. It will not do any -validation in this mode, not even when requested by the client. - -* **process** When dnssec is set to process the behavior is similar to -process-no-validate. However, the recursor will try to validate the data -if at least one of the DO or AD bits is set in the query; in that case, -it will set the AD-bit in the response when the data is validated -successfully, or send SERVFAIL when the validation comes up bogus. - -* **log-fail** In this mode, the recursor will attempt to validate all data -it retrieves from authoritative servers, regardless of the client's DNSSEC -desires, and will log the validation result. This mode can be used to -determine the extra load and amount of possibly bogus answers before -turning on full-blown validation. Responses to client queries are the same -as with process. - -* **validate** The highest mode of DNSSEC processing. In this mode, all -queries will be validated and will be answered with a SERVFAIL in case of -bogus data, regardless of the client's request. - -:::{note} -The popular Unix/Linux ``dig`` tool sets the AD-bit in the query. -This might lead to unexpected query results when testing. Set ``+noad`` -on the ``dig`` command line when this is the case. -::: - -:::{note} -The ``CD``-bit is honored correctly for process and validate. For -log-fail, failures will be logged too. -::: -``` - - -```{cfgcmd} set service dns forwarding ignore-hosts-file - -Do not use the local ``/etc/hosts`` file in name resolution. VyOS DHCP -server will use this file to add resolvers to assigned addresses. -``` - - -```{cfgcmd} set service dns forwarding cache-size \<0-2147483647\> - -Maximum number of DNS cache entries. 1 million per CPU core will generally -suffice for most installations. - -This defaults to 10000. -``` - - -```{cfgcmd} set service dns forwarding negative-ttl \<0-7200\> - -A query for which there is authoritatively no answer is cached to quickly -deny a record's existence later on, without putting a heavy load on the -remote server. In practice, caches can become saturated with hundreds of -thousands of hosts which are tried only once. - -This setting, which defaults to 3600 seconds, puts a maximum on the amount -of time negative entries are cached. -``` - - -```{cfgcmd} set service dns forwarding timeout \<10-60000\> - -The number of milliseconds to wait for a remote authoritative server to -respond before timing out and responding with SERVFAIL. - -This setting defaults to 1500 and is valid between 10 and 60000. -``` - - -```{cfgcmd} set service dns forwarding listen-address \<address\> - -The local IPv4 or IPv6 addresses to bind the DNS forwarder to. The forwarder -will listen on this address for incoming connections. -``` - - -```{cfgcmd} set service dns forwarding source-address \<address\> - -The local IPv4 or IPv6 addresses to use as a source address for sending queries. -The forwarder will send forwarded outbound DNS requests from this address. -``` - - -```{cfgcmd} set service dns forwarding no-serve-rfc1918 - -This makes the server authoritatively not aware of: 10.in-addr.arpa, -168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream -DNS server(s) to be used for reverse lookups of these zones. -``` - -### Authoritative zones - - -The VyOS DNS forwarder can also be configured to host authoritative records for a domain. - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> disable - -Disable hosting authoritative zone for `<domain-name>` without deleting from -configuration. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records \<type\> \<name\> disable - -Disable specific record without deleting it from configuration. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records \<type\> \<name\> ttl \<seconds\> - -Set the {abbr}`TTL (Time-to-live)` for the record in seconds. Default is 300 seconds. -``` - -#### Record types - - -Below are a list of record types available to be configured within VyOS. Some records -support special `<name>` keywords: - - -- `@` Use @ as record name to set the record for the root domain. -- `any` Use any as record name to configure the record as a wildcard. - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records a \<name\> address \<x.x.x.x\> - -Set an {abbr}`A (Address)` record. Supports ``@`` and ``any`` keywords. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records aaaa \<name\> address \<h:h:h:h:h:h:h:h\> - -Set an {abbr}`AAAA (IPv6 Address)` record. Supports ``@`` and ``any`` keywords. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records cname \<name\> target \<target-domain-name\> - -Set an {abbr}`CNAME (Canonical name)` record. Supports ``@`` keyword. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records naptr \<name\> rule \<rule-number\> \<option\> \<value\> - -Set an {abbr}`NAPTR (Naming authority pointer)` record. Supports ``@`` keyword. -NAPTR records support the following options: - -* **lookup-a** A Flag. - -* **lookup-srv** S flag. - -* **order** Rule order. Requires `<value>`. - -* **preference** Rule preference. Requires `<value>`. Defaults to 0 if not set. - -* **protocol-specific** P flag. - -* **regexp** Regular expression. Requires `<value>`. - -* **replacement** Replacement DNS name. - -* **resolve-uri** U flag. - -* **service** Service type. Requires `<value>`. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records ns \<name\> target \<target-name\> - -Set an {abbr}`NS (Nameserver)` record. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records ptr \<name\> target \<target-name\> - -Set an {abbr}`PTR (Pointer record)` record. Supports ``@`` keyword. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records spf \<name\> value \<value\> - -Set an {abbr}`SPF (Sender policy framework)` record. Supports ``@`` keyword. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records srv \<name\> entry \<entry-number\> [hostname | port | priority | weight] \<value\> - -Set an {abbr}`SRV (Service)` record. Supports ``@`` keyword. -``` - - -```{cfgcmd} set service dns forwarding authoritative-domain \<domain-name\> records txt \<name\> value \<value\> - -Set an {abbr}`TXT (Text)` record. Supports ``@`` keyword. -``` - -## Example - - -A VyOS router with two interfaces - eth0 (WAN) and eth1 (LAN) - is required to -implement a split-horizon DNS configuration for example.com. - - -In this scenario: - - -- All DNS requests for example.com must be forwarded to a DNS server - at 192.0.2.254 and 2001:db8:cafe::1 -- All other DNS requests will be forwarded to a different set of DNS servers at - 192.0.2.1, 192.0.2.2, 2001:db8::1:ffff and 2001:db8::2:ffff -- The VyOS DNS forwarder will only listen for requests on the eth1 (LAN) - interface addresses - 192.168.1.254 for IPv4 and 2001:db8::ffff for IPv6 -- The VyOS DNS forwarder will only accept lookup requests from the - LAN subnets - 192.168.1.0/24 and 2001:db8::/64 -- The VyOS DNS forwarder will pass reverse lookups for 10.in-addr.arpa, - 168.192.in-addr.arpa, 16-31.172.in-addr.arpa zones to upstream server. - -```none -set service dns forwarding domain example.com name-server 192.0.2.254 -set service dns forwarding domain example.com name-server 2001:db8:cafe::1 -set service dns forwarding name-server 192.0.2.1 -set service dns forwarding name-server 192.0.2.2 -set service dns forwarding name-server 192.0.2.3 port 853 -set service dns forwarding name-server 2001:db8::1:ffff -set service dns forwarding name-server 2001:db8::2:ffff -set service dns forwarding name-server 2001:db8::3:ffff port 8053 -set service dns forwarding listen-address 192.168.1.254 -set service dns forwarding listen-address 2001:db8::ffff -set service dns forwarding allow-from 192.168.1.0/24 -set service dns forwarding allow-from 2001:db8::/64 -set service dns forwarding no-serve-rfc1918 -``` - -## Operation - -```{opcmd} reset dns forwarding \<all | domain\> - -Resets the local DNS forwarding cache database. You can reset the cache -for all entries or only for entries to a specific domain. -``` - - -```{opcmd} restart dns forwarding - -Restarts the DNS recursor process. This also invalidates the local DNS -forwarding cache. -``` - -(dynamic-dns)= - -# Dynamic DNS - -VyOS is able to update a remote DNS record when an interface gets a new IP -address. In order to do so, VyOS includes [ddclient], a Perl script written for -this only one purpose. - -[ddclient] uses two methods to update a DNS record. The first one will send -updates directly to the DNS daemon, in compliance with {rfc}`2136`. The second -one involves a third party service, like DynDNS.com or any other such -service provider. This method uses HTTP requests to transmit the new IP address. -You can configure both in VyOS. -(dns-dynamic-config)= - -## Configuration -### {rfc}`2136` Based - -```{cfgcmd} set service dns dynamic name \<service-name\> address interface \<interface\> - - Create new dynamic DNS update configuration which will update the IP - address assigned to `<interface>` on the service you configured under - `<service-name>`. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> description \<text\> - -Set description `<text>` for dynamic DNS service being configured. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> key \<filename\> - -File identified by `<filename>` containing the TSIG authentication key for RFC2136 -nsupdate on remote DNS server. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> server \<server\> - -Configure the DNS `<server>` IP/FQDN used when updating this dynamic -assignment. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> zone \<zone\> - -Configure DNS `<zone>` to be updated. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> host-name \<record\> - -Configure DNS `<record>` which should be updated. This can be set multiple times. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> ttl \<ttl\> - -Configure optional TTL value on the given resource record. This defaults to -600 seconds. -``` - - -```{cfgcmd} set service dns dynamic interval \<60-3600\> - -Specify interval in seconds to wait between Dynamic DNS updates. -The default is 300 seconds. -``` - -(dns-dynamic-example)= - - -#### Example - - -- Register DNS record `example.vyos.io` on DNS server `ns1.vyos.io` -- Use auth key file at `/config/auth/my.key` -- Set TTL to 300 seconds - -```none -# Configuration commands entered: -# -set service dns dynamic name 'VyOS-DNS' address interface 'eth0' -set service dns dynamic name 'VyOS-DNS' description 'RFC 2136 dynamic dns service' -set service dns dynamic name 'VyOS-DNS' key '/config/auth/my.key' -set service dns dynamic name 'VyOS-DNS' server 'ns1.vyos.io' -set service dns dynamic name 'VyOS-DNS' zone 'vyos.io' -set service dns dynamic name 'VyOS-DNS' host-name 'example.vyos.io' -set service dns dynamic name 'VyOS-DNS' protocol 'nsupdate' -set service dns dynamic name 'VyOS-DNS' ttl '300' - -# Resulting config: -# -vyos@vyos# show service dns dynamic - name VyOS-DNS { - address { - interface eth0 - } - description "RFC 2136 dynamic dns service" - host-name example.vyos.io - key /config/auth/my.key - protocol nsupdate - server ns1.vyos.io - ttl 300 - zone vyos.io - } -``` - -This will render the following [ddclient] configuration entry: - -```none -# ddclient configuration for interface "eth0": -# - -# Web service dynamic DNS configuration for VyOS-DNS: [nsupdate, example.vyos.io] -use=if, \ -if=eth0, \ -protocol=nsupdate, \ -server=ns1.vyos.io, \ -zone=vyos.io, \ -password='/config/auth/my.key', \ -ttl=300 \ -example.vyos.io -``` - -:::{note} -You can also keep different DNS zone updated. Just create a new -config node: `set service dns dynamic interface <interface> rfc2136 -<other-service-name>` -::: - - -### HTTP based services - - -VyOS is also able to use any service relying on protocols supported by ddclient. - - -To use such a service, one must define a login, password, one or multiple -hostnames, protocol and server. - -```{cfgcmd} set service dns dynamic name \<service-name\> address interface \<interface\> - -Create new dynamic DNS update configuration which will update the IP -address assigned to `<interface>` on the service you configured under -`<service-name>`. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> description \<text\> - -Set description `<text>` for dynamic DNS service being configured. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> host-name \<hostname\> - -Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS -provider identified by `<service-name>`. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> username \<username\> - -Configure `<username>` used when authenticating the update request for -DynDNS service identified by `<service-name>`. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> password \<password\> - -Configure `<password>` used when authenticating the update request for -DynDNS service identified by `<service-name>`. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> protocol \<protocol\> - -When a ``custom`` DynDNS provider is used, the protocol used for communicating -to the provider must be specified under `<protocol>`. See the embedded -completion helper when entering above command for available protocols. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> server \<server\> - -When a ``custom`` DynDNS provider is used the `<server>` where update -requests are being sent to must be specified. -``` - - -```{cfgcmd} set service dns dynamic name \<service-name\> ip-version 'ipv6' - -Allow explicit IPv6 address for the interface. -``` - -#### Example: - -Use deSEC (dedyn.io) as your preferred provider: - -```none -set service dns dynamic name dedyn description 'deSEC dynamic dns service' -set service dns dynamic name dedyn username 'myusername' -set service dns dynamic name dedyn password 'mypassword' -set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' -set service dns dynamic name dedyn protocol 'dyndns2' -set service dns dynamic name dedyn server 'update.dedyn.io' -set service dns dynamic name dedyn address interface 'eth0' -``` - -:::{note} -Multiple services can be used per interface. Just specify as many -services per interface as you like! -::: -#### Example IPv6 only: - -```none -set service dns dynamic name dedyn description 'deSEC ipv6 dynamic dns service' -set service dns dynamic name dedyn username 'myusername' -set service dns dynamic name dedyn password 'mypassword' -set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' -set service dns dynamic name dedyn protocol 'dyndns2' -set service dns dynamic name dedyn ip-version 'ipv6' -set service dns dynamic name dedyn server 'update6.dedyn.io' -set service dns dynamic name dedyn address interface 'eth0' -``` - -### Running Behind NAT - -By default, [ddclient] will update a dynamic dns record using the IP address -directly attached to the interface. If your VyOS instance is behind NAT, your -record will be updated to point to your internal IP. - -[ddclient] has another way to determine the WAN IP address. This is controlled -by: - -```{cfgcmd} set service dns dynamic name \<service-name\> address web \<url\> - -Use configured `<url>` to determine your IP address. [ddclient] will load -`<url>` and tries to extract your IP address from the response. -``` -```{cfgcmd} set service dns dynamic name \<service-name\> address web skip \<pattern\> - -ddclient will skip any address located before the string set in `<pattern>`. -``` - -[ddclient]: https://github.com/ddclient/ddclient diff --git a/docs/configuration/service/md-eventhandler.md b/docs/configuration/service/md-eventhandler.md deleted file mode 100644 index af4a5c02..00000000 --- a/docs/configuration/service/md-eventhandler.md +++ /dev/null @@ -1,129 +0,0 @@ -(event-handler)= - -# Event Handler - -## Event Handler Technology Overview - -Event handler allows you to execute scripts when a string that matches -a regex or a regex with a service name appears in journald logs. You -can pass variables, arguments, and a full matching string to the script. - -## How to configure Event Handler - -> [1. Create an event handler] -> -> [2. Add regex to the script] -> -> [3. Add a full path to the script] -> -> [4. Add optional parameters] - -## Event Handler Configuration Steps - -### 1. Create an event handler - -```{eval-rst} -.. cfgcmd:: set service event-handler event <event-handler name> -``` - -> -> This is an optional command because the event handler will be -> automatically created after any of the next commands. - -### 2. Add regex to the script - -% -% .. cfgcmd:: set service event-handler event <event-handler name> filter pattern <regex> - -% -% This is a mandatory command. Sets regular expression to match -% against log string message. -% -% .. note:: The regular expression matches if and only if the entire -% string matches the pattern. - -### 3. Add a full path to the script - -% -% .. cfgcmd:: set service event-handler event <event-handler name> script path <path to script> - -% -% This is a mandatory command. Sets the full path to the script. -% The script file must be executable. - -### 4. Add optional parameters - -% -% .. cfgcmd:: set service event-handler event <event-handler name> filter syslog-identifier <syslogid name> - -% -% This is an optional command. Filters log messages by syslog-identifier. - -% -% .. cfgcmd:: set service event-handler event <event-handler name> script environment <env name> value <env value> - -% -% This is an optional command. Adds environment and its value to the -% script. Use separate commands for each environment. -% -% One implicit environment exists. -% -% * ``message``: Full message that has triggered the script. - -% -% .. cfgcmd:: set service event-handler event <event-handler name> script arguments <arguments> - -% -% This is an optional command. Adds arguments to the script. -% Arguments must be separated by spaces. -% -% .. note:: We don't recommend to use arguments. Using environments -% is more preferable. - -## Example - -> Event handler that monitors the state of interface eth0. - -% -% .. code-block:: none -% -% set service event-handler event INTERFACE_STATE_DOWN filter pattern '.*eth0.*,RUNNING,.*->.*' -% set service event-handler event INTERFACE_STATE_DOWN filter syslog-identifier 'netplugd' -% set service event-handler event INTERFACE_STATE_DOWN script environment interface_action value 'down' -% set service event-handler event INTERFACE_STATE_DOWN script environment interface_name value 'eth0' -% set service event-handler event INTERFACE_STATE_DOWN script path '/config/scripts/eventhandler.py' -% -% Event handler script -% -% .. code-block:: none -% -% #!/usr/bin/env python3 -% # -% # VyOS event-handler script example -% from os import environ -% import subprocess -% from sys import exit -% -% # Perform actions according to requirements -% def process_event() -> None: -% # Get variables -% message_text = environ.get('message') -% interface_name = environ.get('interface_name') -% interface_action = environ.get('interface_action') -% # Print the message that triggered this script -% print(f'Logged message: {message_text}') -% # Prepare a command to run -% command = f'sudo ip link set {interface_name} {interface_action}'.split() -% # Execute a command -% subprocess.run(command) -% -% if __name__ == '__main__': -% try: -% # Run script actions and exit -% process_event() -% exit(0) -% except Exception as err: -% # Exit properly in case if something in the script goes wrong -% print(f'Error running script: {err}') -% exit(1) - diff --git a/docs/configuration/service/md-https.md b/docs/configuration/service/md-https.md deleted file mode 100644 index 184fd088..00000000 --- a/docs/configuration/service/md-https.md +++ /dev/null @@ -1,138 +0,0 @@ -(http-api)= - -# HTTP API - -VyOS provide an HTTP API. You can use it to execute op-mode commands, -update VyOS, set or delete config. - -Please take a look at the {ref}`vyosapi` page for an detailed how-to. - -## Configuration - -```{cfgcmd} set service https allow-client address \<address\> - -Only allow certain IP addresses or prefixes to access the https -webserver. -``` - -```{cfgcmd} set service https certificates ca-certificate \<name\> - -Use CA certificate from PKI subsystem -``` - -```{cfgcmd} set service https certificates certificate \<name\> - -Use certificate from PKI subsystem -``` - -```{cfgcmd} set service https certificates dh-params \<name\> - -Use {abbr}`DH (Diffie–Hellman)` parameters from PKI subsystem. -Must be at least 2048 bits in length. -``` - -```{cfgcmd} set service https listen-address \<address\> - -Webserver should only listen on specified IP address -``` - -```{cfgcmd} set service https port \<number\> - -Webserver should listen on specified port. - -Default: 443 -``` - -```{cfgcmd} set service https enable-http-redirect - -Enable automatic redirect from http to https. -``` - -```{cfgcmd} set service https tls-version \<1.2 | 1.3\> - -Select TLS version used. - -This defaults to both 1.2 and 1.3. -``` - -```{cfgcmd} set service https vrf \<name\> - -Start Webserver in given VRF. -``` - -```{cfgcmd} set service https request-body-size-limit \<size\> - -Set the maximum request body size in megabytes. Default is 1MB. -``` - - -### API - -```{cfgcmd} set service https api keys id \<name\> key \<apikey\> - -Set a named api key. Every key has the same, full permissions -on the system. -``` - - -### REST - -```{cfgcmd} set service https api rest - -Enable REST API -``` - -```{cfgcmd} set service https api rest debug - -To enable debug messages. Available via {opcmd}`show log` or -{opcmd}`monitor log` -``` - -```{cfgcmd} set service https api rest strict - -Enforce strict path checking. -``` - - -### GraphQL - -```{cfgcmd} set service https api graphql introspection - -Enable GraphQL Schema introspection. -``` - -:::{note} -Do not leave introspection enabled in production, it is a security risk. -::: - -```{cfgcmd} set service https api graphql authentication type \<key | token\> - -Set the authentication type for GraphQL, default option is key. Available options are: -* ``key`` use API keys configured in ``service https api keys`` -* ``token`` use JWT tokens. -``` - -```{cfgcmd} set service https api graphql authentication expiration - -Set the lifetime for JWT tokens in seconds. Default is 3600 seconds. -``` - -```{cfgcmd} set service https api graphql authentication secret-length - -Set the byte length of the JWT secret. Default is 32. -``` - -```{cfgcmd} set service https api graphql cors allow-origin \<origin\> - -Allow cross-origin requests from \<origin\>. -``` - - -## Example Configuration - -Setting REST API and an API-KEY is the minimal configuration to get a working API Endpoint. - -```none -set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY -set service https api rest -``` diff --git a/docs/configuration/service/md-index.md b/docs/configuration/service/md-index.md deleted file mode 100644 index 8642e72a..00000000 --- a/docs/configuration/service/md-index.md +++ /dev/null @@ -1,27 +0,0 @@ -# Service - -<div class="toctree" maxdepth="1" includehidden=""> - -broadcast-relay -config-sync -conntrack-sync -console-server -dhcp-relay -dhcp-server -dns -eventhandler -https -ipoe-server -lldp -mdns -monitoring -ntp -pppoe-server -router-advert -salt-minion -snmp -ssh -tftp-server -webproxy - -</div> diff --git a/docs/configuration/service/md-ipoe-server.md b/docs/configuration/service/md-ipoe-server.md deleted file mode 100644 index 88ec4f51..00000000 --- a/docs/configuration/service/md-ipoe-server.md +++ /dev/null @@ -1,512 +0,0 @@ -(ipoe-server)= - -# IPoE Server - -VyOS utilizes [accel-ppp] to provide {abbr}`IPoE (Internet Protocol over -Ethernet)` server functionality. It can be used with local authentication -(mac-address) or a connected RADIUS server. - -IPoE is a method of delivering an IP payload over an Ethernet-based access -network or an access network using bridged Ethernet over Asynchronous Transfer -Mode (ATM) without using PPPoE. It directly encapsulates the IP datagrams in -Ethernet frames, using the standard {rfc}`894` encapsulation. - -The use of IPoE addresses the disadvantage that PPP is unsuited for multicast -delivery to multiple users. Typically, IPoE uses Dynamic Host Configuration -Protocol and Extensible Authentication Protocol to provide the same -functionality as PPPoE, but in a less robust manner. - -:::{note} -Please be aware, due to an upstream bug, config changes/commits -will restart the ppp daemon and will reset existing IPoE sessions, -in order to become effective. -::: - -## Configuring IPoE Server - -IPoE can be configured on different interfaces, it will depend on each specific -situation which interface will provide IPoE to clients. The client's mac address -and the incoming interface is being used as control parameter, to authenticate -a client. - -The example configuration below will assign an IP to the client on the incoming -interface eth1 with the client mac address 00:50:79:66:68:00. Other DHCP -discovery requests will be ignored, unless the client mac has been enabled in -the configuration. - -```none -set interfaces ethernet eth1 address '192.168.0.1/24' -set service ipoe-server authentication interface eth1.100 mac 00:50:79:66:68:00 -set service ipoe-server authentication interface eth1.101 mac 00:50:79:66:68:01 -set service ipoe-server authentication mode 'local' -set service ipoe-server client-ip-pool IPOE-POOL range '192.168.0.2-192.168.0.254' -set service ipoe-server default-pool 'IPOE-POOL' -set service ipoe-server gateway-address '192.168.0.1/24' -set service ipoe-server interface eth1 mode 'l2' -set service ipoe-server interface eth1 network 'vlan' -set service ipoe-server interface eth1 vlan '100-200' -``` - -```{cfgcmd} set service ipoe-server authentication interface \<interface\> mac \<MAC\> - -Creates local IPoE user with username=\*\*\<interface\>\*\* and -password=\*\*\<MAC\>\*\* (mac-address) -``` - - -```{cfgcmd} set service ipoe-server authentication mode \<local | radius\> - -Set authentication backend. The configured authentication backend is used -for all queries. - -* **radius**: All authentication queries are handled by a configured RADIUS -server. -* **local**: All authentication queries are handled locally. -* **noauth**: Authentication disabled -``` - - -```{cfgcmd} set service ipoe-server client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\> - -Use this command to define the first IP address of a pool of -addresses to be given to IPoE clients. If notation ``x.x.x.x-x.x.x.x``, -it must be within a /24 subnet. If notation ``x.x.x.x/x`` is -used there is possibility to set host/netmask. -``` - - -```{cfgcmd} set service ipoe-server default-pool \<POOL-NAME\> - -Use this command to define default address pool name. -``` - - -```{cfgcmd} set service ipoe-server gateway-address \<x.x.x.x/x\> - -Specifies address to be used as server ip address if radius can assign -only client address. In such case if client address is matched network -and mask then specified address and mask will be used. You can specify -multiple such options. -``` - - -```{cfgcmd} set service ipoe-server interface \<interface\> mode \<l2 | l3\> - -> Specifies the client connectivity mode. - -* **l2**: It means that clients are on same network where interface -is.\*\*(default)\*\* -* **l3**: It means that client are behind some router. -``` - - -```{cfgcmd} set service ipoe-server interface \<interface\> network \<shared | vlan\> - -Specify where interface is shared by multiple users or it is vlan-per-user. - -* **shared**: Multiple clients share the same network. **(default)** -* **vlan**: One VLAN per client. -``` - - -```none -vyos@vyos:~$ show ipoe-server sessions - - ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime ---------+----------+-------------------+-------------+------------+------+------+--------+---------- - ipoe0 | eth1.100 | 00:50:79:66:68:00 | 192.168.0.2 | | ipoe | | active | 00:04:55 - ipoe1 | eth1.101 | 00:50:79:66:68:01 | 192.168.0.3 | | ipoe | | active | 00:04:44 -``` - -## Configuring RADIUS authentication - - -To enable RADIUS based authentication, the authentication mode needs to be -changed within the configuration. Previous settings like the local users, still -exists within the configuration, however they are not used if the mode has been -changed from local to radius. Once changed back to local, it will use all local -accounts again. - -```none -set service ipoe-server authentication mode radius -``` - - -```{cfgcmd} set service ipoe-server authentication radius server \<server\> key \<secret\> - -Configure RADIUS *\<server\>* and its required shared *\<secret\>* for -communicating with the RADIUS server. -``` - -Since the RADIUS server would be a single point of failure, multiple RADIUS -servers can be setup and will be used subsequentially. -For example: - -```none -set service ipoe-server authentication radius server 10.0.0.1 key 'foo' -set service ipoe-server authentication radius server 10.0.0.2 key 'foo' -``` - -:::{note} -Some RADIUS severs use an access control list which allows or denies -queries, make sure to add your VyOS router to the allowed client list. -::: - - -### RADIUS source address - - -If you are using OSPF as IGP, always the closest interface connected to the -RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests -to a single source IP e.g. the loopback interface. - -```{cfgcmd} set service ipoe-server authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - -:::{note} -The ``source-address`` must be configured on one of VyOS interface. -Best practice would be a loopback or dummy interface. -::: - - -### RADIUS advanced options - -```{cfgcmd} set service ipoe-server authentication radius server \<server\> port \<port\> - -Configure RADIUS *\<server\>* and its required port for authentication requests. -``` - - -```{cfgcmd} set service ipoe-server authentication radius server \<server\> fail-time \<time\> - -Mark RADIUS server as offline for this given *\<time\>* in seconds. -``` - - -```{cfgcmd} set service ipoe-server authentication radius server \<server\> disable - -Temporary disable this RADIUS server. -``` - - -```{cfgcmd} set service ipoe-server authentication radius acct-timeout \<timeout\> - -Timeout to wait reply for Interim-Update packets. (default 3 seconds) -``` - - -```{cfgcmd} set service ipoe-server authentication radius dynamic-author server \<address\> - -Specifies IP address for Dynamic Authorization Extension server (DM/CoA). -This IP must exist on any VyOS interface or it can be ``0.0.0.0``. -``` - - -```{cfgcmd} set service ipoe-server authentication radius dynamic-author port \<port\> - -UDP port for Dynamic Authorization Extension server (DM/CoA) -``` - - -```{cfgcmd} set service ipoe-server authentication radius dynamic-author key \<secret\> - -Secret for Dynamic Authorization Extension server (DM/CoA) -``` - - -```{cfgcmd} set service ipoe-server authentication radius max-try \<number\> - -Maximum number of tries to send Access-Request/Accounting-Request queries -``` - - -```{cfgcmd} set service ipoe-server authentication radius timeout \<timeout\> - -Timeout to wait response from server (seconds) -``` - - -```{cfgcmd} set service ipoe-server authentication radius nas-identifier \<identifier\> - -Value to send to RADIUS server in NAS-Identifier attribute and to be matched -in DM/CoA requests. -``` - - -```{cfgcmd} set service ipoe-server authentication radius nas-ip-address \<address\> - -Value to send to RADIUS server in NAS-IP-Address attribute and to be matched -in DM/CoA requests. Also DM/CoA server will bind to that address. -``` - - -```{cfgcmd} set service ipoe-server authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - - -```{cfgcmd} set service ipoe-server authentication radius rate-limit attribute \<attribute\> - -Specifies which RADIUS server attribute contains the rate limit information. -The default attribute is *Filter-Id*. -``` - -:::{note} -If you set a custom RADIUS attribute you must define it on both -dictionaries at RADIUS server and client. -::: - -```{cfgcmd} set service ipoe-server authentication radius rate-limit enable - -Enables bandwidth shaping via RADIUS. -``` - - -```{cfgcmd} set service ipoe-server authentication radius rate-limit vendor - -Specifies the vendor dictionary, dictionary needs to be in -/usr/share/accel-ppp/radius. -``` - -Received RADIUS attributes have a higher priority than parameters defined within -the CLI configuration, refer to the explanation below. - - -### Allocation clients ip addresses by RADIUS - - -If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP -address will be allocated to the client and the option ``default-pool`` within the CLI -config is being ignored. - - -If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated -from a predefined IP pool whose name equals the attribute value. - - -If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address -will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. - - -If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 -delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` -whose name equals the attribute value. - - -:::{note} -``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in -RFC6911. If they are not defined in your RADIUS server, add new [dictionary]. -::: - - -User interface can be put to VRF context via RADIUS Access-Accept packet, or change -it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom [ACCEL-PPP attribute]. -Define it in your RADIUS server. - - -## IPv6 - -```{cfgcmd} set service ipoe-server client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\> - -Use this comand to set the IPv6 address pool from which an IPoE client -will get an IPv6 prefix of your defined length (mask) to terminate the -IPoE endpoint at their side. The mask length can be set from 48 to 128 -bit long, the default value is 64. -``` - - -```{cfgcmd} set service ipoe-server client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\> - -Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on -IPoE. You will have to set your IPv6 pool and the length of the -delegation prefix. From the defined IPv6 pool you will be handing out -networks of the defined length (delegation-prefix). The length of the -delegation prefix can be set from 32 to 64 bit long. -``` - - -```{cfgcmd} set service ipoe-server default-ipv6-pool \<IPv6-POOL-NAME\> - -Use this command to define default IPv6 address pool name. -``` - - -```none -set service ipoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' -set service ipoe-server client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64' -set service ipoe-server default-ipv6-pool IPv6-POOL -``` - -## Scripting - -```{cfgcmd} set service ipoe-server extended-scripts on-change \<path_to_script\> - -Script to run when session interface changed by RADIUS CoA handling -``` - - -```{cfgcmd} set service ipoe-server extended-scripts on-down \<path_to_script\> - -Script to run when session interface going to terminate -``` - - -```{cfgcmd} set service ipoe-server extended-scripts on-pre-up \<path_to_script\> - -Script to run before session interface comes up -``` - - -```{cfgcmd} set service ipoe-server extended-scripts on-up \<path_to_script\> - -Script to run when session interface is completely configured and started -``` - -## Advanced Options - - -### Authentication Advanced Options - -```{cfgcmd} set service ipoe-server authentication interface \<interface\> mac \<MAC\> vlan \<vlan-id\> - -VLAN monitor for automatic creation of VLAN interfaces for specific user on specific \<interface\> -``` - - -```{cfgcmd} set service ipoe-server authentication interface \<interface\> mac \<MAC\> rate-limit download \<bandwidth\> - -Download bandwidth limit in kbit/s for user on interface *\<interface\>*. -``` - - -```{cfgcmd} set service ipoe-server authentication interface \<interface\> mac \<MAC\> rate-limit upload \<bandwidth\> - -Upload bandwidth limit in kbit/s for for user on interface *\<interface\>*. -``` - -### Client IP Pool Advanced Options - -```{cfgcmd} set service ipoe-server client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\> - -Use this command to define the next address pool name. -``` - -### Advanced Interface Options - -```{cfgcmd} set service ipoe-server interface \<interface\> client-subnet \<x.x.x.x/x\> - -Specify local range of ip address to give to dhcp clients. First IP in range is router IP. -If you need more customization use *client-ip-pool* -``` - - -```{cfgcmd} set service ipoe-server interface \<interface\> external-dhcp dhcp-relay \<x.x.x.x\> - -Specify DHCPv4 relay IP address to pass requests to. If specified giaddr is also needed. -``` - - -```{cfgcmd} set service ipoe-server interface \<interface\> external-dhcp giaddr \<x.x.x.x\> - -Specifies relay agent IP addre -``` - -### Global Advanced options - -```{cfgcmd} set service ipoe-server description \<description\> - -Set description. -``` -```{cfgcmd} set service ipoe-server limits burst \<value\> - -Burst count -``` -```{cfgcmd} set service ipoe-server limits connection-limit \<value\> - -Acceptable rate of connections (e.g. 1/min, 60/sec) -``` -```{cfgcmd} set service ipoe-server limits timeout \<value\> - -Timeout in seconds -``` -```{cfgcmd} set service ipoe-server max-concurrent-sessions - -Maximum number of concurrent session start attempts -``` -```{cfgcmd} set service ipoe-server name-server \<address\> - -Connected client should use *\<address\>* as their DNS server. This -command accepts both IPv4 and IPv6 addresses. Up to two nameservers -can be configured for IPv4, up to three for IPv6. -``` -```{cfgcmd} set service ipoe-server shaper fwmark \<1-2147483647\> - -Match firewall mark value -``` -```{cfgcmd} set service ipoe-server snmp master-agent - -Enable SNMP -``` - -## Monitoring - -```{opcmd} show ipoe-server sessions - -Use this command to locally check the active sessions in the IPoE -server. -``` -```none -vyos@vyos:~$ show ipoe-server sessions -ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime -----------+----------+-------------------+-------------+------------+------+------+--------+---------- - eth1.100 | eth1.100 | 0c:98:bd:b8:00:01 | 192.168.0.3 | | ipoe | | active | 03:03:58 -``` - -```none -vyos@vyos:~$ show ipoe-server statistics -uptime: 0.03:31:36 -cpu: 0% -mem(rss/virt): 6044/101360 kB -core: - mempool_allocated: 148628 - mempool_available: 144748 - thread_count: 1 - thread_active: 1 - context_count: 10 - context_sleeping: 0 - context_pending: 0 - md_handler_count: 6 - md_handler_pending: 0 - timer_count: 1 - timer_pending: 0 -sessions: - starting: 0 - active: 1 - finishing: 0 -ipoe: - starting: 0 - active: 1 - delayed: 0 -``` - -## Toubleshooting - -```none -vyos@vyos:~$ show log ipoe-server - -Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:: recv [DHCPv4 Discover xid=55df9228 chaddr=0c:98:bd:b8:00:01 <Message-Type Discover> <Request-IP 192.168.0.3> <Host-Name vyos> <Request-List Subnet,Broadcast,Router,DNS,Classless-Route,Domain-Name,MTU>] -Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: eth1.100: authentication succeeded -Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: send [DHCPv4 Offer xid=55df9228 yiaddr=192.168.0.4 chaddr=0c:98:bd:b8:00:01 <Message-Type Offer> <Server-ID 192.168.0.1> <Lease-Time 600> <T1 300> <T2 525> <Router 192.168.0.1> <Subnet 255.255.255.0>] -Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: recv [DHCPv4 Request xid=55df9228 chaddr=0c:98:bd:b8:00:01 <Message-Type Request> <Server-ID 192.168.0.1> <Request-IP 192.168.0.4> <Host-Name vyos> <Request-List Subnet,Broadcast,Router,DNS,Classless-Route,Domain-Name,MTU>] -Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: ipoe: activate session -Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: ipoe: no free IPv6 address -Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: ipoe: session started -Feb 27 14:29:27 vyos accel-ipoe[2262]: eth1.100:eth1.100: send [DHCPv4 Ack xid=55df9228 yiaddr=192.168.0.4 chaddr=0c:98:bd:b8:00:01 <Message-Type Ack> <Server-ID 192.168.0.1> <Lease-Time 600> <T1 300> <T2 525> <Router 192.168.0.1> <Subnet 255.255.255.0>] -``` - -[accel-ppp]: https://accel-ppp.org/ -[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel -[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 diff --git a/docs/configuration/service/md-lldp.md b/docs/configuration/service/md-lldp.md deleted file mode 100644 index 7fdba6c8..00000000 --- a/docs/configuration/service/md-lldp.md +++ /dev/null @@ -1,154 +0,0 @@ -(lldp)= - -# LLDP - -{abbr}`LLDP (Link Layer Discovery Protocol)` is a vendor-neutral link layer -protocol in the Internet Protocol Suite used by network devices for advertising -their identity, capabilities, and neighbors on an IEEE 802 local area network, -principally wired Ethernet. The protocol is formally referred to by the IEEE -as Station and Media Access Control Connectivity Discovery specified in IEEE -802.1AB and IEEE 802.3-2012 section 6 clause 79. - -LLDP performs functions similar to several proprietary protocols, such as -{abbr}`CDP (Cisco Discovery Protocol)`, -{abbr}`FDP (Foundry Discovery Protocol)`, -{abbr}`NDP (Nortel Discovery Protocol)` and {abbr}`LLTD (Link Layer Topology -Discovery)`. - -Information gathered with LLDP is stored in the device as a {abbr}`MIB -(Management Information Database)` and can be queried with {abbr}`SNMP (Simple -Network Management Protocol)` as specified in {rfc}`2922`. The topology of an -LLDP-enabled network can be discovered by crawling the hosts and querying this -database. Information that may be retrieved include: - -- System Name and Description -- Port name and description -- VLAN name -- IP management address -- System capabilities (switching, routing, etc.) -- MAC/PHY information -- MDI power -- Link aggregation - -## Configuration - -```{cfgcmd} set service lldp - -Enable LLDP service -``` - -```{cfgcmd} set service lldp management-address \<address\> - -Define IPv4/IPv6 management address transmitted via LLDP. Multiple addresses -can be defined. Only addresses connected to the system will be transmitted. -``` - -```{cfgcmd} set service lldp interface \<interface\> - -Enable transmission of LLDP information on given \<interface\>. You can also -say ``all`` here so LLDP is turned on on every interface. -``` - -```{cfgcmd} set service lldp interface \<interface\> mode [disable|rx-tx|rx|tx] - -Configure the administrative status of the given port. - -By default, all ports are configured to be in rx-tx mode. This means they -can receive and transmit LLDP frames. - -In rx mode, they won't emit any frames. In tx mode, they won't receive -any frames. In disabled mode, no frame will be sent and any incoming frame -will be discarded. -``` - -```{cfgcmd} set service lldp snmp - -Enable SNMP queries of the LLDP database -``` - -```{cfgcmd} set service lldp legacy-protocols \<cdp|edp|fdp|sonmp\> - -Enable given legacy protocol on this LLDP instance. Legacy protocols include: -* ``cdp`` - Listen for CDP for Cisco routers/switches -* ``edp`` - Listen for EDP for Extreme routers/switches -* ``fdp`` - Listen for FDP for Foundry routers/switches -* ``sonmp`` - Listen for SONMP for Nortel routers/switches -``` - - -## Operation - -```{opcmd} show lldp neighbors - -Displays information about all neighbors discovered via LLDP. - -:::{code-block} none -vyos@vyos:~$ show lldp neighbors -Capability Codes: R - Router, B - Bridge, W - Wlan r - Repeater, S - Station - D - Docsis, T - Telephone, O - Other - -Device ID Local Proto Cap Platform Port ID ---------- ----- ----- --- -------- ------- -BR2.vyos.net eth0 LLDP R VyOS 1.2.4 eth1 -BR3.vyos.net eth0 LLDP RB VyOS 1.2.4 eth2 -SW1.vyos.net eth0 LLDP B Cisco IOS Software GigabitEthernet0/6 -::: -``` - -```{opcmd} show lldp neighbors detail - -Get detailed information about LLDP neighbors. - -:::{code-block} none -vyos@vyos:~$ show lldp neighbors detail -------------------------------------------------------------------------------- -LLDP neighbors: -------------------------------------------------------------------------------- -Interface: eth0, via: LLDP, RID: 28, Time: 0 day, 00:24:33 -Chassis: - ChassisID: mac 00:53:00:01:02:c9 - SysName: BR2.vyos.net - SysDescr: VyOS 1.3-rolling-201912230217 - MgmtIP: 192.0.2.1 - MgmtIP: 2001:db8::ffff - Capability: Bridge, on - Capability: Router, on - Capability: Wlan, off - Capability: Station, off -Port: - PortID: mac 00:53:00:01:02:c9 - PortDescr: eth0 - TTL: 120 - PMD autoneg: supported: no, enabled: no - MAU oper type: 10GigBaseCX4 - X copper over 8 pair 100-Ohm balanced cable -VLAN: 201 eth0.201 -VLAN: 205 eth0.205 -LLDP-MED: - Device Type: Network Connectivity Device - Capability: Capabilities, yes - Capability: Policy, yes - Capability: Location, yes - Capability: MDI/PSE, yes - Capability: MDI/PD, yes - Capability: Inventory, yes - Inventory: - Hardware Revision: None - Software Revision: 4.19.89-amd64-vyos - Firmware Revision: 6.00 - Serial Number: VMware-42 1d 83 b9 fe c1 bd b2-7 - Manufacturer: VMware, Inc. - Model: VMware Virtual Platform - Asset ID: No Asset Tag -------------------------------------------------------------------------------- -::: -``` - -```{opcmd} show lldp neighbors interface \<interface\> - -Show LLDP neighbors connected via interface \<interface\>. -``` - -```{opcmd} show log lldp - -Used for troubleshooting. -```
\ No newline at end of file diff --git a/docs/configuration/service/md-mdns.md b/docs/configuration/service/md-mdns.md deleted file mode 100644 index 6ff1804b..00000000 --- a/docs/configuration/service/md-mdns.md +++ /dev/null @@ -1,138 +0,0 @@ -# mDNS Repeater - -Starting with VyOS 1.2 a {abbr}`mDNS (Multicast DNS)` repeater functionality is -provided. Additional information can be obtained from -<https://en.wikipedia.org/wiki/Multicast_DNS>. - -Multicast DNS uses the reserved address `224.0.0.251`, which is -`"administratively scoped"` and does not leave the subnet. mDNS repeater -retransmits mDNS packets from one interface to other interfaces. This enables -support for devices using mDNS discovery (like network printers, Apple Airplay, -Chromecast, various IP based home-automation devices etc) across multiple VLANs. - -Since the mDNS protocol sends the {abbr}`AA(Authoritative Answer)` records in -the packet itself, the repeater does not need to forge the source address. -Instead, the source address is of the interface that repeats the packet. - -:::{note} -You can not run this in a VRRP setup, if multiple mDNS repeaters -are launched in a subnet you will experience the mDNS packet storm death! -::: - -## Configuration - -```{eval-rst} -.. cfgcmd:: set service mdns repeater interface <interface> - - To enable mDNS repeater you need to configure at least two interfaces so that - all incoming mDNS packets from one interface configured here can be - re-broadcasted to any other interface(s) configured under this section. -``` - -```{eval-rst} -.. cfgcmd:: set service mdns repeater disable - - mDNS repeater can be temporarily disabled without deleting the service using -``` - -```{eval-rst} -.. cfgcmd:: set service mdns repeater ip-version <ipv4 | ipv6 | both> - - mDNS repeater can be enabled either on IPv4 socket or on IPv6 socket or both - to re-broadcast. By default, mDNS repeater will listen on both IPv4 and IPv6. -``` - -```{eval-rst} -.. cfgcmd:: set service mdns repeater allow-service <service> - - mDNS repeater can be configured to re-broadcast only specific services. By - default, all services are re-broadcasted. -``` - -```{eval-rst} -.. cfgcmd:: set service mdns repeater browse-domain <domain> - - Allow listing additional custom domains to be browsed (in addition to the - default ``local``) so that they can be reflected. -``` - -```{eval-rst} -.. cfgcmd:: set service mdns repeater cache-entries <entries> - - Specify how many resource records are cached per interface. Bigger values - allow mDNS work correctly in large LANs but also increase memory consumption. - - Defaults to: 4096 -``` - -## Firewall recommendations - -Unlike typical routed traffic, mDNS packets relayed between interfaces do not -traverse the FORWARD hook chain in the firewall. Instead, they are processed -through the following hooks: - -> - **INPUT**: For packets received by the local system -> - **OUTPUT**: For packets sent from the local system - -To control or allow mDNS packet forwarding via the relay, you must define -appropriate rules in the INPUT and OUTPUT directions. Rules in the FORWARD -direction will have no effect on mDNS relay traffic. - -```none -set firewall ipv4 input filter rule 10 action 'accept' -set firewall ipv4 input filter rule 10 destination address '224.0.0.251' -set firewall ipv4 input filter rule 10 destination port '5353' -set firewall ipv4 input filter rule 10 protocol 'udp' -set firewall ipv4 output filter rule 10 action 'accept' -set firewall ipv4 output filter rule 10 destination address '224.0.0.251' -set firewall ipv4 output filter rule 10 destination port '5353' -set firewall ipv4 output filter rule 10 protocol 'udp' -``` - -## Example - -To listen on both `eth0` and `eth1` mDNS packets and also repeat packets -received on `eth0` to `eth1` (and vice-versa) use the following commands: - -```none -set service mdns repeater interface 'eth0' -set service mdns repeater interface 'eth1' -``` - -To allow only specific services, for example `_airplay._tcp` or `_ipp._tcp`, -(instead of all services) to be re-broadcasted, use the following command: - -```none -set service mdns repeater allow-service '_airplay._tcp' -set service mdns repeater allow-service '_ipp._tcp' -``` - -To allow listing additional custom domain, for example -`openthread.thread.home.arpa`, so that it can reflected in addition to the -default `local`, use the following command: - -```none -set service mdns repeater browse-domain 'openthread.thread.home.arpa' -``` - -## Operation - -```{eval-rst} -.. opcmd:: restart mdns repeater - - Restart mDNS repeater service. -``` - -```{eval-rst} -.. opcmd:: show log mdns repeater - - Show logs for mDNS repeater service. -``` - -```{eval-rst} -.. opcmd:: monitor log mdns repeater - - Follow the logs for mDNS repeater service. -``` - -[multicast dns]: https://en.wikipedia.org/wiki/Multicast_DNS diff --git a/docs/configuration/service/md-monitoring.md b/docs/configuration/service/md-monitoring.md deleted file mode 100644 index a6bf2605..00000000 --- a/docs/configuration/service/md-monitoring.md +++ /dev/null @@ -1,334 +0,0 @@ -# Monitoring - -VyOS supports monitoring through Telegraf as well as through Prometheus exporters. - -## Telegraf - -Telegraf is the open source server agent to help you collect metrics, events -and logs from your routers. - -The following Telegraf plugins are configurable to export metrics and logs: -: - Azure Data Explorer - - Prometheus Client - - Splunk - - InfluxDB - - Loki - -### Azure data explorer - -Telegraf output plugin [azure-data-explorer]. - -```{cfgcmd} set service monitoring telegraf azure-data-explorer authentication client-id \<client-id\> - - Authentication application client-id. -``` - - -```{cfgcmd} set service monitoring telegraf azure-data-explorer authentication client-secret \<client-secret\> - -Authentication application client-secret. -``` - - -```{cfgcmd} set service monitoring telegraf azure-data-explorer authentication tenant-id \<tenant-id\> - -Authentication application tenant-id -``` - - -```{cfgcmd} set service monitoring telegraf azure-data-explorer database \<name\> - -Remote database name. -``` - - -```{cfgcmd} set service monitoring telegraf azure-data-explorer group-metrics \<single-table | table-per-metric\> - -Type of metrics grouping when push to Azure Data Explorer. The default is -``table-per-metric``. -``` - - -```{cfgcmd} set service monitoring telegraf azure-data-explorer table \<name\> - -Name of the single table Only if set group-metrics single-table. -``` - - -```{cfgcmd} set service monitoring telegraf azure-data-explorer url \<url\> - -Remote URL. -``` - -### Prometheus client - -Telegraf output plugin [prometheus-client] -This plugin allows export of Telegraf metrics to Prometheus, -for Prometheus native metrics through exporters see section below. - -```{cfgcmd} set service monitoring telegraf prometheus-client - - Output plugin Prometheus client -``` - - -```{cfgcmd} set service monitoring telegraf prometheus-client allow-from \<prefix\> - -Networks allowed to query this server -``` - - -```{cfgcmd} set service monitoring telegraf prometheus-client authentication username \<username\> - -HTTP basic authentication username -``` - - -```{cfgcmd} set service monitoring telegraf prometheus-client authentication password \<password\> - -HTTP basic authentication username -``` - - -```{cfgcmd} set service monitoring telegraf prometheus-client listen-address \<address\> - -Local IP addresses to listen on -``` - - -```{cfgcmd} set service monitoring telegraf prometheus-client metric-version \<1 | 2\> - -Metris version, the default is ``2`` -``` - - -```{cfgcmd} set service monitoring telegraf prometheus-client port \<port\> - -Port number used by connection, default is ``9273`` -``` - -Example: - -```none -set service monitoring telegraf prometheus-client -``` - - -```none -vyos@r14:~$ curl --silent localhost:9273/metrics | egrep -v "#" | grep cpu_usage_system -cpu_usage_system{cpu="cpu-total",host="r14"} 0.20040080160320556 -cpu_usage_system{cpu="cpu0",host="r14"} 0.17182130584191915 -cpu_usage_system{cpu="cpu1",host="r14"} 0.22896393817971655 -``` - -### Splunk - - -Telegraf output plugin [splunk] HTTP Event Collector. - -```{cfgcmd} set service monitoring telegraf splunk authentication insecure - -Use TLS but skip host validation -``` - - -```{cfgcmd} set service monitoring telegraf splunk authentication token \<token\> - -Authorization token -``` - - -```{cfgcmd} set service monitoring telegraf splunk authentication url \<url\> - -Remote URL to Splunk collector -``` - -Example: - -```none -set service monitoring telegraf splunk authentication insecure -set service monitoring telegraf splunk authentication token 'xxxxf5b8-xxxx-452a-xxxx-43828911xxxx' -set service monitoring telegraf splunk url 'https://192.0.2.10:8088/services/collector' -``` - -### InfluxDB - - -Telegraf output plugin [influxdb] to write metrics to `InfluxDB` via HTTP. - -```{cfgcmd} set service monitoring telegraf influxdb authentication organization \<organization\> - -Authentication organization name -``` - - -```{cfgcmd} set service monitoring telegraf influxdb authentication token \<token\> - -Authentication token -``` - - -```{cfgcmd} set service monitoring telegraf bucket \<bucket\> - -Remote ``InfluxDB`` bucket name -``` - - -```{cfgcmd} set service monitoring telegraf influxdb port \<port\> - -Remote port -``` - - -```{cfgcmd} set service monitoring telegraf influxdb url \<url\> - -Remote URL -``` - -Example: - -```none -set service monitoring telegraf influxdb authentication organization 'vyos' -set service monitoring telegraf influxdb authentication token 'ZAml9Uy5wrhA...==' -set service monitoring telegraf influxdb bucket 'bucket_vyos' -set service monitoring telegraf influxdb port '8086' -set service monitoring telegraf influxdb url 'http://r1.influxdb2.local' -``` - -### Loki - -Telegraf can be used to send logs to [loki] using tags as labels. - -```{cfgcmd} set service monitoring telegraf loki port \<port\> - - Remote Loki port - - Default is 3100 -``` - - -```{cfgcmd} set service monitoring telegraf loki url \<url\> - -Remote Loki url -``` - - -```{cfgcmd} set service monitoring telegraf loki authentication username \<username\> -``` - -```{cfgcmd} set service monitoring telegraf loki authentication password \<password\> - -HTTP basic authentication. - -If either is set both must be set. -``` - -```{cfgcmd} set service monitoring telegraf loki metric-name-label \<label\> - -Label to use for the metric name when sending metrics. - -If set to an empty string, the label will not be added. -This is NOT recommended, as it makes it impossible to differentiate -between multiple metrics. -``` - -## Prometheus - - -The following Prometheus exporters are configurable to export metrics: -: - Node Exporter - - FRR Exporter - - -### Node Exporter - - -Prometheus [node_exporter] which provides a wide range of hardware and OS metrics. - -```{cfgcmd} set service monitoring prometheus node-exporter listen-address \<address\> - -Configure the address node_exporter is listening on. -``` - -```{cfgcmd} set service monitoring prometheus node-exporter port \<port\> - -Configure the port number node_exporter is listening on. -``` - -```{cfgcmd} set service monitoring prometheus node-exporter vrf \<name\> - -Configure name of the {abbr}`VRF (Virtual Routing and Forwarding)` instance. -``` - -```{cfgcmd} set service monitoring prometheus node-exporter collectors textfile - -Configure textfile collector to export custom metrics read from -`/run/node_exporter/collector` -``` - -### FRR Exporter - -Prometheus [frr_exporter] which provides free range routing metrics. - -```{cfgcmd} set service monitoring prometheus frr-exporter listen-address \<address\> - -Configure the address frr_exporter is listening on. - -``` - -```{cfgcmd} set service monitoring prometheus frr-exporter port \<port\> - -Configure the port number frr_exporter is listening on. -``` - -```{cfgcmd} set service monitoring prometheus frr-exporter vrf \<name\> - -Configure name of the {abbr}`VRF (Virtual Routing and Forwarding)` instance. -``` - -### Blackbox Exporter - -Prometheus [blackbox_exporter] which allows probing of endpoints over -HTTP, HTTPS, DNS, TCP, ICMP and gRPC . - -```{cfgcmd} set service monitoring prometheus blackbox-exporter listen-address \<address\> - -Configure the address blackbox_exporter is listening on. -``` -```{cfgcmd} set service monitoring prometheus blackbox-exporter port \<port\> - -Configure the port number blackbox_exporter is listening on. -``` -```{cfgcmd} set service monitoring prometheus blackbox-exporter vrf \<name\> - -Configure name of the {abbr}`VRF (Virtual Routing and Forwarding)` instance. -``` - -#### Configuring modules - -Blackbox exporter can be configured with different modules for probing DNS or ICMP. - -DNS module example: - -```none -set service monitoring prometheus blackbox-exporter modules dns name dns4 preferred-ip-protocol ipv4 -set service monitoring prometheus blackbox-exporter modules dns name dns4 query-name vyos.io -set service monitoring prometheus blackbox-exporter modules dns name dns4 query-type A -``` - -ICMP module example: - -```none -set service monitoring prometheus blackbox-exporter modules icmp name ping6 preferred-ip-protocol ipv6 -set service monitoring prometheus blackbox-exporter modules icmp name ping6 ip-protocol-fallback -set service monitoring prometheus blackbox-exporter modules icmp name ping6 timeout 3 -``` - -[azure-data-explorer]: <https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer> -[blackbox_exporter]: <https://github.com/prometheus/blackbox_exporter> -[frr_exporter]: <https://github.com/tynany/frr_exporter> -[influxdb]: <https://github.com/influxdata/telegraf/tree/master/plugins/outputs/influxdb_v2> -[loki]: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/loki -[node_exporter]: <https://github.com/prometheus/node_exporter> -[prometheus-client]: <https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client> -[splunk]: <https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html> diff --git a/docs/configuration/service/md-ntp.md b/docs/configuration/service/md-ntp.md deleted file mode 100644 index c8c1dee3..00000000 --- a/docs/configuration/service/md-ntp.md +++ /dev/null @@ -1,202 +0,0 @@ -(ntp)= - -# NTP - -{abbr}`NTP (Network Time Protocol`) is a networking protocol for clock -synchronization between computer systems over packet-switched, variable-latency -data networks. In operation since before 1985, NTP is one of the oldest Internet -protocols in current use. - -NTP is intended to synchronize all participating computers to within a few -milliseconds of {abbr}`UTC (Coordinated Universal Time)`. It uses the -intersection algorithm, a modified version of Marzullo's algorithm, to select -accurate time servers and is designed to mitigate the effects of variable -network latency. NTP can usually maintain time to within tens of milliseconds -over the public Internet, and can achieve better than one millisecond accuracy -in local area networks under ideal conditions. Asymmetric routes and network -congestion can cause errors of 100 ms or more. - -The protocol is usually described in terms of a client-server model, but can as -easily be used in peer-to-peer relationships where both peers consider the other -to be a potential time source. Implementations send and receive timestamps using -{abbr}`UDP (User Datagram Protocol)` on port number 123. - -NTP supplies a warning of any impending leap second adjustment, but no -information about local time zones or daylight saving time is transmitted. - -The current protocol is version 4 (NTPv4), which is a proposed standard as -documented in {rfc}`5905`. It is backward compatible with version 3, specified -in {rfc}`1305`. - -:::{note} -VyOS 1.4 uses chrony instead of ntpd (see {vytask}`T3008`) which will -no longer accept anonymous NTP requests as in VyOS 1.3. All configurations -will be migrated to keep the anonymous functionality. For new setups if you -have clients using your VyOS installation as NTP server, you must specify -the `allow-client` directive. -::: - -## Configuration - -```{cfgcmd} set service ntp server \<address\> - - Configure one or more servers for synchronisation. Server name can be either - an IP address or {abbr}`FQDN (Fully Qualified Domain Name)`. - - There are 3 default NTP server set. You are able to change them. - - * ``time1.vyos.net`` - * ``time2.vyos.net`` - * ``time3.vyos.net`` -``` - - -```{cfgcmd} set service ntp server \<address\> \<noselect | nts | pool | prefer | ptp | interleave\> - -Configure one or more attributes to the given NTP server. - -* ``noselect`` marks the server as unused, except for display purposes. The -server is discarded by the selection algorithm. - -* ``nts`` enables Network Time Security (NTS) for the server as specified -in {rfc}`8915` - -* ``pool`` mobilizes persistent client mode association with a number of -remote servers. - -* ``prefer`` marks the server as preferred. All other things being equal, -this host will be chosen for synchronization among a set of correctly -operating hosts. - -* ``ptp`` enables the PTP transport for this server (see {ref}`ptp-transport`). - -* ``interleave`` enables NTP interleaved mode (see [draft-ntp-interleaved-modes]), which can improve -synchronization accuracy and stability when supported by both parties. -``` - - -```{cfgcmd} set service ntp listen-address \<address\> - -NTP process will only listen on the specified IP address. You must specify -the `<address>` and optionally the permitted clients. Multiple listen -addresses for same IP family is no longer supported. Only one IPv4 and one -IPv6 address can be configured, using separate commands for each. -``` - - -```{cfgcmd} set service ntp allow-client address \<address\> - -List of networks or client addresses permitted to contact this NTP server. - -Multiple networks/client IP addresses can be configured. -``` - - -```{cfgcmd} set service ntp vrf \<name\> - -Specify name of the {abbr}`VRF (Virtual Routing and Forwarding)` instance. -``` - - -```{cfgcmd} set service ntp leap-second [ignore|smear|system|timezone] - -Define how to handle leap-seconds. - -* `ignore`: No correction is applied to the clock for the leap second. The -clock will be corrected later in normal operation when new measurements are -made and the estimated offset includes the one second error. - -* `smear`: When smearing a leap second, the leap status is suppressed on the -server and the served time is corrected slowly by slewing instead of -stepping. The clients do not need any special configuration as they do not -know there is any leap second and they follow the server time which -eventually brings them back to UTC. Care must be taken to ensure they use -only NTP servers which smear the leap second in exactly the same way for -synchronisation. - -* `system`: When inserting a leap second, the kernel steps the system clock -backwards by one second when the clock gets to 00:00:00 UTC. When deleting -a leap second, it steps forward by one second when the clock gets to -23:59:59 UTC. - -* `timezone`: This directive specifies a timezone in the system timezone -database which chronyd can use to determine when will the next leap second -occur and what is the current offset between TAI and UTC. It will -periodically check if 23:59:59 and 23:59:60 are valid times in the -timezone. This normally works with the right/UTC timezone which is the -default -``` - -## Hardware Timestamping of NTP Packets - - -The chrony daemon on VyOS can leverage NIC hardware capabilities to record the -exact time packets are received on the interface, as well as when packets were -actually transmitted. This provides improved accuracy and stability when the -system is under load, as queuing and OS context switching can introduce a -variable delay between when the packet is received on the network and when it -is actually processed by the NTP daemon. - - -Hardware timestamping depends on NIC support. Some NICs can be configured to -apply timestamps to any incoming packet, while others only support applying -timestamps to specific protocols (e.g. PTP). - - -When timestamping is enabled on an interface, chrony's default behavior is to -try to configure the interface to only timestamp NTP packets. If this mode is -not supported, chrony will attempt to set it to timestamp all packets. If -neither option is supported (e.g. the NIC can only timestamp received PTP -packets), chrony will leverage timestamping on transmitted packets only, which -still provides some benefit. - -```{cfgcmd} set service ntp timestamp interface \<interface\> - -Configures hardware timestamping on the interface \<interface\>. The special -value `all` can also be specified to enable timestamping on all interfaces -that support it. - -Configure the timestamping behavior with the following option: - -* ``receive-filter [all|ntp|ptp|none]`` selects the receive filter mode, -which controls which inbound packets the NIC applies timestamps to. The -selected mode must be supported by the NIC, or timestamping will be -disabled for the interface. -``` - -The following `receive-filter` modes can be selected: -- *all*: All received packets will be timestamped. -- *ntp*: Only received NTP protocol packets will be timestamped. -- *ptp*: Only received PTP protocol packets will be timestamped. Combined with - the PTP transport for NTP packets, this can be leveraged to take advantage of - hardware timestamping on NICs that only support the ptp filter mode. -- *none*: No received packets will be timestamped. Hardware timestamping of - transmitted packets will still be leveraged, if supported by the NIC. -(ptp-transport)= - -## PTP Transport of NTP Packets - -The Precision Time Protocol (IEEE 1588) is a local network time synchronization -protocol that provides high precision time synchronization by leveraging -hardware clocks in NICs and other network elements. VyOS does not currently -support standards-based PTP, which can be deployed independently of -NTP. - -For networks consisting of VyOS and other Linux systems running relatively -recent versions of the chrony daemon, NTP packets can be "tunneled" over -PTP. NTP over PTP provides the best of both worlds, leveraging hardware support -for timestamping PTP packets while retaining the configuration flexibility and -fault tolerance of NTP. - -```{cfgcmd} set service ntp ptp - -Enables the NTP daemon PTP transport. The NTP daemon will listen on the -configured PTP port. Note that one or more servers must be individually -enabled for PTP before the daemon will synchronize over the transport. -``` -```{cfgcmd} set service ntp ptp port \<port\> - -Configures the PTP port. By default, the standard port 319 is used. -``` - -[draft-ntp-interleaved-modes]: https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/07/ diff --git a/docs/configuration/service/md-pppoe-server.md b/docs/configuration/service/md-pppoe-server.md deleted file mode 100644 index 32881845..00000000 --- a/docs/configuration/service/md-pppoe-server.md +++ /dev/null @@ -1,753 +0,0 @@ ---- -lastproofread: '2022-09-17' ---- - -(pppoe-server)= - -# PPPoE Server - -VyOS utilizes [accel-ppp](https://accel-ppp.org/) to provide PPPoE server functionality. It can -be used with local authentication or a connected RADIUS server. - -:::{note} -Please be aware, due to an upstream bug, config -changes/commits will restart the ppp daemon and will reset existing -PPPoE connections from connected users, in order to become effective. -::: - -## Configuring PPPoE Server - -```none -set service pppoe-server access-concentrator PPPoE-Server -set service pppoe-server authentication mode local -set service pppoe-server authentication local-users username test password 'test' -set service pppoe-server client-ip-pool PPPOE-POOL range 192.168.255.2-192.168.255.254 -set service pppoe-server default-pool 'PPPOE-POOL' -set service pppoe-server gateway-address 192.168.255.1 -set service pppoe-server interface eth0 -``` - -```{cfgcmd} set service pppoe-server access-concentrator \<name\> - - Use this command to set a name for this PPPoE-server access - concentrator. -``` - - -```{cfgcmd} set service pppoe-server authentication mode \<local | radius\> - -Set authentication backend. The configured authentication backend is used -for all queries. - -* **radius**: All authentication queries are handled by a configured RADIUS -server. -* **local**: All authentication queries are handled locally. -* **noauth**: Authentication disabled. -``` - - -```{cfgcmd} set service pppoe-server authentication local-users username \<name\> password \<password\> - -Create `<user>` for local authentication on this system. The users password -will be set to `<pass>`. -``` - - -```{cfgcmd} set service pppoe-server client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\> - -Use this command to define the first IP address of a pool of -addresses to be given to pppoe clients. If notation ``x.x.x.x-x.x.x.x``, -it must be within a /24 subnet. If notation ``x.x.x.x/x`` is -used there is possibility to set host/netmask. -``` - - -```{cfgcmd} set service pppoe-server default-pool \<POOL-NAME\> - -Use this command to define default address pool name. -``` - - -```{cfgcmd} set service pppoe-server interface \<interface\> - -Use this command to define the interface the PPPoE server will use to -listen for PPPoE clients. -``` - - -```{cfgcmd} set service pppoe-server gateway-address \<address\> - -Specifies single `<gateway>` IP address to be used as local address of PPP -interfaces. -``` - -## Configuring RADIUS authentication - -To enable RADIUS based authentication, the authentication mode needs to be -changed within the configuration. Previous settings like the local users, still -exists within the configuration, however they are not used if the mode has been -changed from local to radius. Once changed back to local, it will use all local -accounts again. - -```none -set service pppoe-server authentication mode radius -``` - -```{cfgcmd} set service pppoe-server authentication radius server \<server\> key \<secret\> - -Configure RADIUS `<server>` and its required shared `<secret>` for -communicating with the RADIUS server. -``` - -Since the RADIUS server would be a single point of failure, multiple RADIUS -servers can be setup and will be used subsequentially. -For example: - -```none -set service pppoe-server authentication radius server 10.0.0.1 key 'foo' -set service pppoe-server authentication radius server 10.0.0.2 key 'foo' -``` - -:::{note} -Some RADIUS severs use an access control list which allows or denies -queries, make sure to add your VyOS router to the allowed client list. -::: - - -### RADIUS source address - - -If you are using OSPF as IGP, always the closest interface connected to the -RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests -to a single source IP e.g. the loopback interface. - -```{cfgcmd} set service pppoe-server authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - -:::{note} -The `source-address` must be configured on one of VyOS interface. -Best practice would be a loopback or dummy interface. -::: - - -### RADIUS advanced options - -```{cfgcmd} set service pppoe-server authentication radius server \<server\> port \<port\> - -Configure RADIUS `<server>` and its required port for authentication requests. -``` - - -```{cfgcmd} set service pppoe-server authentication radius server \<server\> fail-time \<time\> - -Mark RADIUS server as offline for this given `<time>` in seconds. -``` - - -```{cfgcmd} set service pppoe-server authentication radius server \<server\> disable - -Temporary disable this RADIUS server. -``` - - -```{cfgcmd} set service pppoe-server authentication radius acct-timeout \<timeout\> - -Timeout to wait reply for Interim-Update packets. (default 3 seconds) -``` - - -```{cfgcmd} set service pppoe-server authentication radius dynamic-author server \<address\> - -Specifies IP address for Dynamic Authorization Extension server (DM/CoA). -This IP must exist on any VyOS interface or it can be ``0.0.0.0``. -``` - - -```{cfgcmd} set service pppoe-server authentication radius dynamic-author port \<port\> - -UDP port for Dynamic Authorization Extension server (DM/CoA) -``` - - -```{cfgcmd} set service pppoe-server authentication radius dynamic-author key \<secret\> - -Secret for Dynamic Authorization Extension server (DM/CoA) -``` - - -```{cfgcmd} set service pppoe-server authentication radius max-try \<number\> - -Maximum number of tries to send Access-Request/Accounting-Request queries -``` - - -```{cfgcmd} set service pppoe-server authentication radius timeout \<timeout\> - -Timeout to wait response from server (seconds) -``` - - -```{cfgcmd} set service pppoe-server authentication radius nas-identifier \<identifier\> - -Value to send to RADIUS server in NAS-Identifier attribute and to be matched -in DM/CoA requests. -``` - - -```{cfgcmd} set service pppoe-server authentication radius nas-ip-address \<address\> - -Value to send to RADIUS server in NAS-IP-Address attribute and to be matched -in DM/CoA requests. Also DM/CoA server will bind to that address. -``` - - -```{cfgcmd} set service pppoe-server authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - - -```{cfgcmd} set service pppoe-server authentication radius rate-limit attribute \<attribute\> - -Specifies which RADIUS server attribute contains the rate limit information. -The default attribute is ``Filter-Id``. -``` - -:::{note} -If you set a custom RADIUS attribute you must define it on both -dictionaries at RADIUS server and client. -::: - -```{cfgcmd} set service pppoe-server authentication radius rate-limit enable - -Enables bandwidth shaping via RADIUS. -``` - - -```{cfgcmd} set service pppoe-server authentication radius rate-limit vendor - -Specifies the vendor dictionary, dictionary needs to be in -/usr/share/accel-ppp/radius. -``` - -Received RADIUS attributes have a higher priority than parameters defined within -the CLI configuration, refer to the explanation below. - - -### Allocation clients ip addresses by RADIUS - - -If the RADIUS server sends the attribute `Framed-IP-Address` then this IP -address will be allocated to the client and the option `default-pool` -within the CLI config is being ignored. - - -If the RADIUS server sends the attribute `Framed-Pool`, IP address will -be allocated from a predefined IP pool whose name equals the attribute value. - - -If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, -IPv6 address will be allocated from a predefined IPv6 pool `prefix` -whose name equals the attribute value. - - -If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, -IPv6 delegation pefix will be allocated from a predefined IPv6 pool `delegate` -whose name equals the attribute value. - - -:::{note} -`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` -are defined in RFC6911. If they are not defined in your RADIUS server, -add new [dictionary]. -::: - - -User interface can be put to VRF context via RADIUS Access-Accept packet, -or change it via RADIUS CoA. `Accel-VRF-Name` is used from these purposes. -It is custom [ACCEL-PPP attribute]. Define it in your RADIUS server. - - -### Renaming clients interfaces by RADIUS - - -If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be -renamed. - - -:::{note} -The value of the attribute `NAS-Port-Id` must be less than 16 -characters, otherwise the interface won't be renamed. -::: - - -## Automatic VLAN Creation - -```{cfgcmd} set service pppoe-server interface \<interface\> vlan \<id | range\> - -VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module -named ``vlan_mon``, which is monitoring incoming vlans and creates the -necessary VLAN if required and allowed. VyOS supports the use of either -VLAN ID's or entire ranges, both values can be defined at the same time for -an interface. - -When configured, PPPoE will create the necessary VLANs when required. Once -the user session has been cancelled and the VLAN is not needed anymore, VyOS -will remove it again. -``` - - -```none -set service pppoe-server interface eth3 vlan 100 -set service pppoe-server interface eth3 vlan 200 -set service pppoe-server interface eth3 vlan 500-1000 -set service pppoe-server interface eth3 vlan 2000-3000 -``` - -## Bandwidth Shaping - - -Bandwidth rate limits can be set for local users or RADIUS based -attributes. - - -### For Local Users - -```{cfgcmd} set service pppoe-server authentication local-users username \<user\> rate-limit download \<bandwidth\> - -Download bandwidth limit in kbit/s for `<user>`. -``` - - -```{cfgcmd} set service pppoe-server authentication local-users username \<user\> rate-limit upload \<bandwidth\> - -Upload bandwidth limit in kbit/s for `<user>`. -``` -```none -set service pppoe-server access-concentrator 'ACN' -set service pppoe-server authentication local-users username foo password 'bar' -set service pppoe-server authentication local-users username foo rate-limit download '20480' -set service pppoe-server authentication local-users username foo rate-limit upload '10240' -set service pppoe-server authentication mode 'local' -set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100/24' -set service pppoe-server default-pool 'IP-POOL' -set service pppoe-server name-server '10.100.100.1' -set service pppoe-server name-server '10.100.200.1' -set service pppoe-server interface 'eth1' -set service pppoe-server gateway-address '10.1.1.2' -``` - -Once the user is connected, the user session is using the set limits and -can be displayed via `show pppoe-server sessions`. - -```none -show pppoe-server sessions -ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes --------+----------+------------+-------------------+-------------+--------+----------+----------+---------- -ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B -``` - -### For RADIUS users - -The current attribute `Filter-Id` is being used as default and can be -setup within RADIUS: - -Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit -up-stream rate) - -The command below enables it, assuming the RADIUS connection has been -setup and is working. - -```{cfgcmd} set service pppoe-server authentication radius rate-limit enable - - Use this command to enable bandwidth shaping via RADIUS. -``` - -Other attributes can be used, but they have to be in one of the -dictionaries in */usr/share/accel-ppp/radius*. - - -## Load Balancing - -```{cfgcmd} set service pppoe-server pado-delay \<number-of-ms\> sessions \<number-of-sessions\> - -Use this command to enable the delay of PADO (PPPoE Active Discovery -Offer) packets, which can be used as a session balancing mechanism -with other PPPoE servers. -``` - - -```none -set service pppoe-server pado-delay 50 sessions '500' -set service pppoe-server pado-delay 100 sessions '1000' -set service pppoe-server pado-delay 300 sessions '3000' -``` - -In the example above, the first 499 sessions connect without delay. PADO -packets will be delayed 50 ms for connection from 500 to 999, this trick -allows other PPPoE servers send PADO faster and clients will connect to -other servers. Last command says that this PPPoE server can serve only -3000 clients. - - -## IPv6 - -```{cfgcmd} set service pppoe-server ppp-options ipv6 \<require | prefer | allow | deny\> - -Specifies IPv6 negotiation preference. - -* **require** - Require IPv6 negotiation -* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects -* **allow** - Negotiate IPv6 only if client requests -* **deny** - Do not negotiate IPv6 (default value) -``` - - -```{cfgcmd} set service pppoe-server client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\> - -Use this comand to set the IPv6 address pool from which an PPPoE client -will get an IPv6 prefix of your defined length (mask) to terminate the -PPPoE endpoint at their side. The mask length can be set from 48 to 128 -bit long, the default value is 64. -``` - - -```{cfgcmd} set service pppoe-server client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\> - -Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on -PPPoE. You will have to set your IPv6 pool and the length of the -delegation prefix. From the defined IPv6 pool you will be handing out -networks of the defined length (delegation-prefix). The length of the -delegation prefix can be set from 32 to 64 bit long. -``` - - -```{cfgcmd} set service pppoe-server default-ipv6-pool \<IPv6-POOL-NAME\> - -Use this command to define default IPv6 address pool name. -``` - - -```none -set service pppoe-server ppp-options ipv6 allow -set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' -set service pppoe-server client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64' -set service pppoe-server default-ipv6-pool IPv6-POOL -``` - -### IPv6 Advanced Options - -```{cfgcmd} set service pppoe-server ppp-options ipv6-accept-peer-interface-id - -Accept peer interface identifier. By default is not defined. -``` - - -```{cfgcmd} set service pppoe-server ppp-options ipv6-interface-id \<random | x:x:x:x\> - -Specifies fixed or random interface identifier for IPv6. -By default is fixed. - -* **random** - Random interface identifier for IPv6 -* **x:x:x:x** - Specify interface identifier for IPv6 -``` - - -```{cfgcmd} set service pppoe-server ppp-options ipv6-interface-id \<random | x:x:x:x\> - -Specifies peer interface identifier for IPv6. By default is fixed. - -* **random** - Random interface identifier for IPv6 -* **x:x:x:x** - Specify interface identifier for IPv6 -* **ipv4-addr** - Calculate interface identifier from IPv4 address. -* **calling-sid** - Calculate interface identifier from calling-station-id. -``` - -## Scripting - -```{cfgcmd} set service pppoe-server extended-scripts on-change \<path_to_script\> - -Script to run when session interface changed by RADIUS CoA handling -``` - - -```{cfgcmd} set service pppoe-server extended-scripts on-down \<path_to_script\> - -Script to run when session interface going to terminate -``` - - -```{cfgcmd} set service pppoe-server extended-scripts on-pre-up \<path_to_script\> - -Script to run before session interface comes up -``` - - -```{cfgcmd} set service pppoe-server extended-scripts on-up \<path_to_script\> - -Script to run when session interface is completely configured and started -``` - -## Advanced Options - - -### Authentication Advanced Options - -```{cfgcmd} set service pppoe-server authentication local-users username \<user\> disable - -Disable `<user>` account. -``` - - -```{cfgcmd} set service pppoe-server authentication local-users username \<user\> static-ip \<address\> - -Assign static IP address to `<user>` account. -``` - - -```{cfgcmd} set service pppoe-server authentication protocols \<pap | chap | mschap | mschap-v2\> - -Require the peer to authenticate itself using one of the following protocols: -pap, chap, mschap, mschap-v2. -``` - -### Client IP Pool Advanced Options - -```{cfgcmd} set service pppoe-server client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\> - -Use this command to define the next address pool name. -``` - -### PPP Advanced Options - -```{cfgcmd} set service pppoe-server ppp-options disable-ccp - -Disable Compression Control Protocol (CCP). -CCP is enabled by default. -``` - - -```{cfgcmd} set service pppoe-server ppp-options interface-cache \<number\> - -Specifies number of interfaces to keep in cache. It means that don’t -destroy interface after corresponding session is destroyed, instead -place it to cache and use it later for new sessions repeatedly. -This should reduce kernel-level interface creation/deletion rate lack. -Default value is **0**. -``` - - -```{cfgcmd} set service pppoe-server ppp-options ipv4 \<require | prefer | allow | deny\> - -Specifies IPv4 negotiation preference. - -* **require** - Require IPv4 negotiation -* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects -* **allow** - Negotiate IPv4 only if client requests (Default value) -* **deny** - Do not negotiate IPv4 -``` - - -```{cfgcmd} set service pppoe-server ppp-options lcp-echo-failure \<number\> - -Defines the maximum `<number>` of unanswered echo requests. Upon reaching the -value `<number>`, the session will be reset. Default value is **3**. -``` - - -```{cfgcmd} set service pppoe-server ppp-options lcp-echo-interval \<interval\> - -If this option is specified and is greater than 0, then the PPP module will -send LCP pings of the echo request every `<interval>` seconds. -Default value is **30**. -``` - - -```{cfgcmd} set service pppoe-server ppp-options lcp-echo-timeout - -Specifies timeout in seconds to wait for any peer activity. If this option -specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" -is not used. Default value is **0**. -``` - - -```{cfgcmd} set service pppoe-server ppp-options min-mtu \<number\> - -Defines minimum acceptable MTU. If client will try to negotiate less then -specified MTU then it will be NAKed or disconnected if rejects greater MTU. -Default value is **100**. -``` - - -```{cfgcmd} set service pppoe-server ppp-options mppe \<require | prefer | deny\> - -Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation -preference. - -* **require** - ask client for mppe, if it rejects drop connection -* **prefer** - ask client for mppe, if it rejects don't fail. (Default value) -* **deny** - deny mppe - -Default behavior - don't ask client for mppe, but allow it if client wants. -Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy -attribute. -``` - - -```{cfgcmd} set service pppoe-server ppp-options mru \<number\> - -Defines preferred MRU. By default is not defined. -``` - -### Global Advanced options - -```{cfgcmd} set service pppoe-server description \<description\> - -Set description. -``` - - -```{cfgcmd} set service pppoe-server limits burst \<value\> - -Burst count -``` - - -```{cfgcmd} set service pppoe-server limits connection-limit \<value\> - -Acceptable rate of connections (e.g. 1/min, 60/sec) -``` - - -```{cfgcmd} set service pppoe-server limits timeout \<value\> - -Timeout in seconds -``` - - -```{cfgcmd} set service pppoe-server mtu - -Maximum Transmission Unit (MTU) (default: **1492**) -``` - - -```{cfgcmd} set service pppoe-server max-concurrent-sessions - -Maximum number of concurrent session start attempts -``` - - -```{cfgcmd} set service pppoe-server name-server \<address\> - -Connected client should use `<address>` as their DNS server. This -command accepts both IPv4 and IPv6 addresses. Up to two nameservers -can be configured for IPv4, up to three for IPv6. -``` - - -```{cfgcmd} set service pppoe-server service-name \<names\> - -Specifies Service-Name to respond. If absent any Service-Name is -acceptable and client’s Service-Name will be sent back. Also possible -set multiple service-names: `sn1,sn2,sn3` -``` - -Per default the user session is being replaced if a second -authentication request succeeds. Such session requests can be either -denied or allowed entirely, which would allow multiple sessions for a -user in the latter case. If it is denied, the second session is being -rejected even if the authentication succeeds, the user has to terminate -its first session and can then authentication again. - -```{cfgcmd} set service pppoe-server session-control - -* **disable**: Disables session control. -* **deny**: Deny second session authorization. -* **replace**: Terminate first session when second is authorized **(default)** -``` - - -```{cfgcmd} set service pppoe-server shaper fwmark \<1-2147483647\> - -Match firewall mark value -``` - - -```{cfgcmd} set service pppoe-server snmp master-agent - -Enable SNMP -``` - - -```{cfgcmd} set service pppoe-server wins-server \<address\> - -Windows Internet Name Service (WINS) servers propagated to client -``` - -## Monitoring - -```{opcmd} show pppoe-server sessions - -Use this command to locally check the active sessions in the PPPoE -server. -``` -```none -show pppoe-server sessions -ifname | username | ip | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes --------+----------+------------+-------------------+-------------+--------+----------+----------+---------- -ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B -``` - -## Examples -### IPv4 - -The example below uses ACN as access-concentrator name, assigns an -address from the pool 10.1.1.100-111, terminates at the local endpoint -10.1.1.1 and serves requests only on eth1. - -```none -set service pppoe-server access-concentrator 'ACN' -set service pppoe-server authentication local-users username foo password 'bar' -set service pppoe-server authentication mode 'local' -set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100-10.1.1.111' -set service pppoe-server default-pool 'IP-POOL' -set service pppoe-server interface eth1 -set service pppoe-server gateway-address '10.1.1.2' -set service pppoe-server name-server '10.100.100.1' -set service pppoe-server name-server '10.100.200.1' -``` - -### Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation - -The example below covers a dual-stack configuration. - -```none -set service pppoe-server authentication local-users username test password 'test' -set service pppoe-server authentication mode 'local' -set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24' -set service pppoe-server default-pool 'IP-POOL' -set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' -set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' -set service pppoe-server default-ipv6-pool IPv6-POOL -set service pppoe-server ppp-options ipv6 allow -set service pppoe-server name-server '10.1.1.1' -set service pppoe-server name-server '2001:db8:4860::8888' -set service pppoe-server interface 'eth2' -set service pppoe-server gateway-address '10.100.100.1' -``` - -The client, once successfully authenticated, will receive an IPv4 and an -IPv6 /64 address to terminate the PPPoE endpoint on the client side and -a /56 subnet for the clients internal use. - -```none -vyos@pppoe-server:~$ sh pppoe-server sessions - ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes ---------+----------+-------------+--------------------------+---------------------+-------------------+------------+--------+----------+----------+---------- - ppp0 | test | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 | 00:53:00:12:42:eb | | active | 00:00:49 | 875 B | 2.1 KiB -``` - -[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel -[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 diff --git a/docs/configuration/service/md-router-advert.md b/docs/configuration/service/md-router-advert.md deleted file mode 100644 index 10753105..00000000 --- a/docs/configuration/service/md-router-advert.md +++ /dev/null @@ -1,121 +0,0 @@ -(router-advert)= - -# Router Advertisements - -{abbr}`RAs (Router advertisements)` are described in {rfc}`4861#section-4.6.2`. -They are part of what is known as {abbr}`SLAAC (Stateless Address -Autoconfiguration)`. - -Supported interface types: - -> - bonding -> - bridge -> - ethernet -> - geneve -> - l2tpv3 -> - openvpn -> - pseudo-ethernet -> - tunnel -> - vxlan -> - wireguard -> - wireless -> - wwan - -## Configuration - -```{cfgcmd} set service router-advert interface \<interface\> ... -``` - -```{eval-rst} -.. csv-table:: - :header: "Field", "VyOS Option", "Description" - :widths: 10, 10, 20 - - "Cur Hop Limit", "hop-limit", "Hop count field of the outgoing RA packets" - """Managed address configuration"" flag", "managed-flag", "Tell hosts to use the administered stateful protocol (i.e. DHCP) for autoconfiguration" - """Other configuration"" flag", "other-config-flag", "Tell hosts to use the administered (stateful) protocol (i.e. DHCP) for autoconfiguration of other (non-address) information" - "MTU","link-mtu","Link MTU value placed in RAs, excluded in RAs if unset" - "Router Lifetime","default-lifetime","Lifetime associated with the default router in units of seconds" - "Reachable Time","reachable-time","Time, in milliseconds, that a node assumes a neighbor is reachable after having received a reachability confirmation" - "Retransmit Timer","retrans-timer","Time in milliseconds between retransmitted Neighbor Solicitation messages" - "Default Router Preference","default-preference","Preference associated with the default router" - "Interval", "interval", "Min and max intervals between unsolicited multicast RAs" - "DNSSL", "dnssl", "DNS search list to advertise" - "Name Server", "name-server", "Advertise DNS server per https://tools.ietf.org/html/rfc6106" - "Auto Ignore Prefix", "auto-ignore", "Exclude a prefix from being advertised when the wildcard ::/64 prefix is used" - "Captive Portal", "captive-portal", "Advertise a URL pointing to an RFC 8908-compliant API to tell hosts that they are behind a captive portal" -``` - -### Advertising a Prefix - -```{cfgcmd} set service router-advert interface \<interface\> prefix \<prefix/mask\> - -:::{note} -You can also opt for using ::/64 as prefix for your {abbr}`RAs (Router -Advertisements)`. This is a special wildcard prefix that will emit {abbr}`RAs (Router Advertisements)` for every prefix assigned to the interface. -This comes in handy when using dynamically obtained prefixes from DHCPv6-PD. -::: -``` -```{eval-rst} -.. csv-table:: - :header: "VyOS Field", "Description" - :widths: 10,30 - - "decrement-lifetime", "Lifetime is decremented by the number of seconds since the last RA - use in conjunction with a DHCPv6-PD prefix" - "deprecate-prefix", "Upon shutdown, this option will deprecate the prefix by announcing it in the shutdown RA" - "no-autonomous-flag","Prefix can not be used for stateless address auto-configuration" - "no-on-link-flag","Prefix can not be used for on-link determination" - "preferred-lifetime","Time in seconds that the prefix will remain preferred (default 4 hours)" - "valid-lifetime","Time in seconds that the prefix will remain valid (default: 30 days)" -``` - -### Advertising a NAT64 Prefix - -```{cfgcmd} set service router-advert interface \<interface\> nat64prefix \<prefix/mask\> - -Enable PREF64 option as outlined in {rfc}`8781`. - -NAT64 prefix mask must be one of: /32, /40, /48, /56, /64 or 96. - -:::{note} -The well known NAT64 prefix is ``64:ff9b::/96`` -::: -``` -```{eval-rst} -.. csv-table:: - :header: "VyOS Field", "Description" - :widths: 10,30 - - "valid-lifetime","Time in seconds that the prefix will remain valid (default: 65528 seconds)" -``` - -### Disabling Advertisements - -To disable advertisements without deleting the configuration: - -```{cfgcmd} set service router-advert interface \<interface\> no-send-advert - -If set, the router will no longer send periodic router advertisements and -will not respond to router solicitations. -``` - -```{cfgcmd} set service router-advert interface \<interface\> no-send-interval - -Advertisement Interval Option (specified by Mobile IPv6) is always included in -Router Advertisements unless this option is set. -``` - -## Example - -Your LAN connected on eth0 uses prefix `2001:db8:beef:2::/64` with the router -beeing `2001:db8:beef:2::1` - -```none -set interfaces ethernet eth0 address 2001:db8:beef:2::1/64 - -set service router-advert interface eth0 default-preference 'high' -set service router-advert interface eth0 name-server '2001:db8::1' -set service router-advert interface eth0 name-server '2001:db8::2' -set service router-advert interface eth0 other-config-flag -set service router-advert interface eth0 prefix 2001:db8:beef:2::/64 -``` diff --git a/docs/configuration/service/md-salt-minion.md b/docs/configuration/service/md-salt-minion.md deleted file mode 100644 index e6f99752..00000000 --- a/docs/configuration/service/md-salt-minion.md +++ /dev/null @@ -1,51 +0,0 @@ -(saltminion)= - -# Salt-Minion - -[SaltStack] is Python-based, open-source -software for event-driven IT automation, remote task execution, and -configuration management. Supporting the "infrastructure as code" -approach to data center system and network deployment and management, -configuration automation, SecOps orchestration, vulnerability remediation, -and hybrid cloud control. - -## Requirements - -To use the Salt-Minion, a running Salt-Master is required. You can find more -in the [Salt Project Documentation](https://docs.saltproject.io/en/latest/contents.html) - -## Configuration - -```{cfgcmd} set service salt-minion hash \<type\> - - The hash type used when discovering file on master server (default: sha256) -``` - - -```{cfgcmd} set service salt-minion id \<id\> - -Explicitly declare ID for this minion to use (default: hostname) -``` - - -```{cfgcmd} set service salt-minion interval \<1-1440\> - -Interval in minutes between updates (default: 60) -``` - - -```{cfgcmd} set service salt-minion master \<hostname | IP\> - -The hostname or IP address of the master -``` - - -```{cfgcmd} set service salt-minion master-key \<key\> - -URL with signature of master for auth reply verification -``` - -Please take a look in the Automation section to find some usefull -Examples. - -[saltstack]: https://saltproject.io/ diff --git a/docs/configuration/service/md-snmp.md b/docs/configuration/service/md-snmp.md deleted file mode 100644 index 153fa029..00000000 --- a/docs/configuration/service/md-snmp.md +++ /dev/null @@ -1,259 +0,0 @@ -# SNMP - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -`SNMP (Simple Network Management Protocol)` is an Internet Standard -protocol for collecting and organizing information about managed devices on -IP networks and for modifying that information to change device behavior. -Devices that typically support SNMP include cable modems, routers, switches, -servers, workstations, printers, and more. - -SNMP is widely used in network management for network monitoring. SNMP exposes -management data in the form of variables on the managed systems organized in -a management information base ([MIB](https://en.wikipedia.org/wiki/Management_information_base)) which describe the system status and -configuration. These variables can then be remotely queried (and, in some -circumstances, manipulated) by managing applications. - -Three significant versions of SNMP have been developed and deployed. SNMPv1 is -the original version of the protocol. More recent versions, SNMPv2c and SNMPv3, -feature improvements in performance, flexibility and security. - -SNMP is a component of the Internet Protocol Suite as defined by the Internet -Engineering Task Force (IETF). It consists of a set of standards for network -management, including an application layer protocol, a database schema, and a -set of data objects. - -## Overview and basic concepts - -In typical uses of SNMP, one or more administrative computers called managers -have the task of monitoring or managing a group of hosts or devices on a -computer network. Each managed system executes a software component called an -agent which reports information via SNMP to the manager. - -An SNMP-managed network consists of three key components: - -- Managed devices -- Agent - software which runs on managed devices -- Network management station (NMS) - software which runs on the manager - -A managed device is a network node that implements an SNMP interface that -allows unidirectional (read-only) or bidirectional (read and write) access to -node-specific information. Managed devices exchange node-specific information -with the NMSs. Sometimes called network elements, the managed devices can be -any type of device, including, but not limited to, routers, access servers, -switches, cable modems, bridges, hubs, IP telephones, IP video cameras, -computer hosts, and printers. - -An agent is a network-management software module that resides on a managed -device. An agent has local knowledge of management information and translates -that information to or from an SNMP-specific form. - -A network management station executes applications that monitor and control -managed devices. NMSs provide the bulk of the processing and memory resources -required for network management. One or more NMSs may exist on any managed -network. - -<figure> -<img src="/_static/images/service_snmp_communication_principles_diagram.webp" alt="Principle of SNMP Communication" /> -<figcaption>Image thankfully borrowed from -<a href="https://en.wikipedia.org/wiki/File:SNMP_communication_principles_diagram.PNG">https://en.wikipedia.org/wiki/File:SNMP_communication_principles_diagram.PNG</a> -which is under the GNU Free Documentation License</figcaption> -</figure> - -<div class="note"> - -<div class="title"> - -Note - -</div> - -VyOS SNMP supports both IPv4 and IPv6. - -</div> - -## SNMP Protocol Versions - -VyOS itself supports [SNMPv2](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_2) (version 2) and [SNMPv3](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_3) (version 3) where the -later is recommended because of improved security (optional authentication and -encryption). - -### SNMPv2 - -SNMPv2 is the original and most commonly used version. For authorizing clients, -SNMP uses the concept of communities. Communities may have authorization set -to read only (this is most common) or to read and write (this option is not -actively used in VyOS). - -SNMP can work synchronously or asynchronously. In synchronous communication, -the monitoring system queries the router periodically. In asynchronous, the -router sends notification to the "trap" (the monitoring host). - -SNMPv2 does not support any authentication mechanisms, other than client source -address, so you should specify addresses of clients allowed to monitor the -router. Note that SNMPv2 also supports no encryption and always sends data in -plain text. - -#### Example - -``` none -# Define a community -set service snmp community routers authorization ro - -# Allow monitoring access from the entire network -set service snmp community routers network 192.0.2.0/24 -set service snmp community routers network 2001::db8:ffff:eeee::/64 - -# Allow monitoring access from specific addresses -set service snmp community routers client 203.0.113.10 -set service snmp community routers client 203.0.113.20 - -# Define optional router information -set service snmp location "UK, London" -set service snmp contact "admin@example.com" - -# Trap target if you want asynchronous communication -set service snmp trap-target 203.0.113.10 - -# Listen only on specific IP addresses (port defaults to 161) -set service snmp listen-address 172.16.254.36 port 161 -set service snmp listen-address 2001:db8::f00::1 -``` - -### SNMPv3 - -SNMPv3 (version 3 of the SNMP protocol) introduced a whole slew of new security -related features that have been missing from the previous versions. Security -was one of the biggest weakness of SNMP until v3. Authentication in SNMP -Versions 1 and 2 amounts to nothing more than a password (community string) -sent in clear text between a manager and agent. Each SNMPv3 message contains -security parameters which are encoded as an octet string. The meaning of these -security parameters depends on the security model being used. - -The security approach in SNMPv3 targets: - -- Confidentiality – Encryption of packets to prevent snooping by an - unauthorized source. -- Integrity – Message integrity to ensure that a packet has not been tampered - while in transit including an optional packet replay protection mechanism. -- Authentication – to verify that the message is from a valid source. - -#### Example - -- Let SNMP daemon listen only on IP address 192.0.2.1 -- Configure new SNMP user named "vyos" with password "vyos12345678" -- New user will use SHA/AES for authentication and privacy - -``` none -set service snmp listen-address 192.0.2.1 -set service snmp location 'VyOS Datacenter' -set service snmp v3 engineid '000000000000000000000002' -set service snmp v3 group default mode 'ro' -set service snmp v3 group default view 'default' -set service snmp v3 user vyos auth plaintext-password 'vyos12345678' -set service snmp v3 user vyos auth type 'sha' -set service snmp v3 user vyos group 'default' -set service snmp v3 user vyos privacy plaintext-password 'vyos12345678' -set service snmp v3 user vyos privacy type 'aes' -set service snmp v3 view default oid 1 -``` - -After commit the plaintext passwords will be hashed and stored in your -configuration. The resulting CLI config will look like: - -``` none -vyos@vyos# show service snmp - listen-address 192.0.2.1 { - } - location "VyOS Datacenter" - v3 { - engineid 000000000000000000000002 - group default { - mode ro - view default - } - user vyos { - auth { - encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe - type sha - } - group default - privacy { - encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe - type aes - } - } - view default { - oid 1 { - } - } - } -``` - -You can test the SNMPv3 functionality from any linux based system, just run the -following command: `snmpwalk -v 3 -u vyos -a SHA -A vyos12345678 -x AES -X vyos12345678 -l authPriv 192.0.2.1 .1` - -## VyOS MIBs - -All SNMP MIBs are located in each image of VyOS here: `/usr/share/snmp/mibs/` - -You are be able to download the files using SCP, once the SSH service -has been activated like so - -``` none -scp -r vyos@your_router:/usr/share/snmp/mibs /your_folder/mibs -``` - -## SNMP Extensions - -To extend SNMP agent functionality, custom scripts can be executed every time -the agent is being called. This can be achieved by using -`arbitrary extensioncommands`. The first step is to create a functional -script of course, then upload it to your VyOS instance via the command -`scp your_script.sh vyos@your_router:/config/user-data`. -Once the script is uploaded, it needs to be configured via the command below. - -``` none -set service snmp script-extensions extension-name my-extension script your_script.sh -commit -``` - -The OID `.1.3.6.1.4.1.8072.1.3.2.3.1.1.4.116.101.115.116`, once called, will -contain the output of the extension. - -``` none -root@vyos:/home/vyos# snmpwalk -v2c -c public 127.0.0.1 nsExtendOutput1 -NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."my-extension" = STRING: hello -NET-SNMP-EXTEND-MIB::nsExtendOutputFull."my-extension" = STRING: hello -NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."my-extension" = INTEGER: 1 -NET-SNMP-EXTEND-MIB::nsExtendResult."my-extension" = INTEGER: 0 -``` - -## SolarWinds - -If you happen to use SolarWinds Orion as NMS you can also use the Device -Templates Management. A template for VyOS can be easily imported. - -Create a file named `VyOS-1.3.6.1.4.1.44641.ConfigMgmt-Commands` using the -following content: - -``` none -<Configuration-Management Device="VyOS" SystemOID="1.3.6.1.4.1.44641"> - <Commands> - <Command Name="Reset" Value="set terminal width 0${CRLF}set terminal length 0"/> - <Command Name="Reboot" Value="reboot${CRLF}Yes"/> - <Command Name="EnterConfigMode" Value="configure"/> - <Command Name="ExitConfigMode" Value="commit${CRLF}exit"/> - <Command Name="DownloadConfig" Value="show configuration commands"/> - <Command Name="SaveConfig" Value="commit${CRLF}save"/> - <Command Name="Version" Value="show version"/> - <Command Name="MenuBased" Value="False"/> - <Command Name="VirtualPrompt" Value=":~"/> - </Commands> -</Configuration-Management> -``` diff --git a/docs/configuration/service/md-ssh.md b/docs/configuration/service/md-ssh.md deleted file mode 100644 index d873cbee..00000000 --- a/docs/configuration/service/md-ssh.md +++ /dev/null @@ -1,366 +0,0 @@ -(ssh)= - -# SSH - -{abbr}`SSH (Secure Shell)` is a cryptographic network protocol for operating -network services securely over an unsecured network. The standard TCP port for -SSH is 22. The best known example application is for remote login to computer -systems by users. - -SSH provides a secure channel over an unsecured network in a client-server -architecture, connecting an SSH client application with an SSH server. Common -applications include remote command-line login and remote command execution, -but any network service can be secured with SSH. The protocol specification -distinguishes between two major versions, referred to as SSH-1 and SSH-2. - -The most visible application of the protocol is for access to shell accounts -on Unix-like operating systems, but it sees some limited use on Windows as -well. In 2015, Microsoft announced that they would include native support for -SSH in a future release. - -SSH was designed as a replacement for Telnet and for unsecured remote shell -protocols such as the Berkeley rlogin, rsh, and rexec protocols. -Those protocols send information, notably passwords, in plaintext, -rendering them susceptible to interception and disclosure using packet -analysis. The encryption used by SSH is intended to provide confidentiality -and integrity of data over an unsecured network, such as the Internet. - -:::{note} -VyOS 1.1 supported login as user `root`. This has been removed due -to tighter security in VyOS 1.2. -::: - -:::{seealso} -SSH {ref}`ssh_key_based_authentication` -::: - -## Configuration - -```{cfgcmd} set service ssh port \<port\> - -Enabling SSH only requires you to specify the port ``<port>`` you want SSH to -listen on. By default, SSH runs on port 22. -``` - - -```{cfgcmd} set service ssh listen-address \<address\> - -Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be -defined. -``` - - -```{cfgcmd} set service ssh cipher \<cipher\> - -Define allowed ciphers used for the SSH connection. A number of allowed -ciphers can be specified, use multiple occurrences to allow multiple ciphers. - -List of supported ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``, -``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``, -``aes128-gcm@openssh.com``, ``aes256-gcm@openssh.com``, -``chacha20-poly1305@openssh.com`` -``` - - -```{cfgcmd} set service ssh disable-password-authentication - -Disable password based authentication. Login via SSH keys only. This hardens -security! -``` - - -```{cfgcmd} set service ssh fido pin-required - -Require FIDO2 keys to attest that a user has been verified (e.g. via a PIN). -``` - - -````{cfgcmd} set service ssh fido touch-required - -Require FIDO2 keys to attest that a user is physically present. - -VyOS supports SSH authentication using FIDO2-backed keys generated by OpenSSH. -Two FIDO2 key types are supported by OpenSSH: ``ed25519-sk``, ``ecdsa-sk`` - -Generic FIDO2-backed SSH key generation example: - -:::{code-block} none -ssh-keygen -t ecdsa-sk -O verify-required -C "fido2-ssh-key" -::: - -```{eval-rst} -During key generation, OpenSSH will: - * Request user presence (for example, a physical touch or confirmation) - * Optionally request user verification (PIN), if supported by the authenticator - * Create a local key handle file and a corresponding public key (``.pub``) -``` - -The private key material never leaves the authenticator device. - -VyOS configuration example: - -:::{code-block} none -# Generate a FIDO2 SSH key on the client system -# Copy the public key to the VyOS instance -set system login user vyos authentication public-keys fido key '<public-key>' -set system login user vyos authentication public-keys fido type 'sk-ecdsa-sha2-nistp256@openssh.com' -set service ssh fido touch-required -::: - -You can now log into the system using: ``ssh -i ~/.ssh/id_fido_key vyos@192.0.2.1`` -```` - - -```{cfgcmd} set service ssh disable-host-validation - -Disable the host validation through reverse DNS lookups - can speedup login -time when reverse lookup is not possible. -``` - - -```{cfgcmd} set service ssh mac \<mac\> - -Specifies the available {abbr}`MAC (Message Authentication Code)` algorithms. -The MAC algorithm is used in protocol version 2 for data integrity protection. -Multiple algorithms can be provided by using multiple commands, defining -one algorithm per command. - -List of supported MACs: ``hmac-md5``, ``hmac-md5-96``, ``hmac-ripemd160``, -``hmac-sha1``, ``hmac-sha1-96``, ``hmac-sha2-256``, ``hmac-sha2-512``, -``umac-64@openssh.com``, ``umac-128@openssh.com``, -``hmac-md5-etm@openssh.com``, ``hmac-md5-96-etm@openssh.com``, -``hmac-ripemd160-etm@openssh.com``, ``hmac-sha1-etm@openssh.com``, -``hmac-sha1-96-etm@openssh.com``, ``hmac-sha2-256-etm@openssh.com``, -``hmac-sha2-512-etm@openssh.com``, ``umac-64-etm@openssh.com``, -``umac-128-etm@openssh.com`` -``` - - -```{cfgcmd} set service ssh access-control \<allow | deny\> \<group | user\> \<name\> - -Add access-control directive to allow or deny users and groups. Directives -are processed in the following order of precedence: ``deny-users``, -``allow-users``, ``deny-groups`` and ``allow-groups``. -``` - - -```{cfgcmd} set service ssh client-keepalive-interval \<interval\> - -Specify timeout interval for keepalive message in seconds. -``` - - -```{cfgcmd} set service ssh key-exchange \<kex\> - -Specify allowed {abbr}`KEX (Key Exchange)` algorithms. - -List of supported algorithms: ``diffie-hellman-group1-sha1``, -``diffie-hellman-group14-sha1``, ``diffie-hellman-group14-sha256``, -``diffie-hellman-group16-sha512``, ``diffie-hellman-group18-sha512``, -``diffie-hellman-group-exchange-sha1``, -``diffie-hellman-group-exchange-sha256``, -``ecdh-sha2-nistp256``, ``ecdh-sha2-nistp384``, ``ecdh-sha2-nistp521``, -``curve25519-sha256`` and ``curve25519-sha256@libssh.org``. -``` - - -```{cfgcmd} set service ssh loglevel \<quiet | fatal | error | info | verbose\> - -Set the ``sshd`` log level. The default is ``info``. -``` - - -```{cfgcmd} set service ssh vrf \<name\> - -Specify name of the {abbr}`VRF (Virtual Routing and Forwarding)` instance. -``` - - -```{cfgcmd} set service ssh pubkey-accepted-algorithm \<name\> - -Specifies the signature algorithms that will be accepted for public key -authentication - -List of supported algorithms: ``ssh-ed25519``, -``ssh-ed25519-cert-v01@openssh.com``, ``sk-ssh-ed25519@openssh.com``, -``sk-ssh-ed25519-cert-v01@openssh.com``, ``ecdsa-sha2-nistp256``, -``ecdsa-sha2-nistp256-cert-v01@openssh.com``, ``ecdsa-sha2-nistp384``, -``ecdsa-sha2-nistp384-cert-v01@openssh.com``, ``ecdsa-sha2-nistp521``, -``ecdsa-sha2-nistp521-cert-v01@openssh.com``, -``sk-ecdsa-sha2-nistp256@openssh.com``, -``sk-ecdsa-sha2-nistp256-cert-v01@openssh.com``, -``webauthn-sk-ecdsa-sha2-nistp256@openssh.com``, -``ssh-dss``, ``ssh-dss-cert-v01@openssh.com``, ``ssh-rsa``, -``ssh-rsa-cert-v01@openssh.com``, ``rsa-sha2-256``, -``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``, -``rsa-sha2-512-cert-v01@openssh.com`` -``` - - -```{cfgcmd} set service ssh trusted-user-ca \<name\> - -Specify the name of the OpenSSH key-pair that acts as certificate authority -and will be used to verify user certificates. - -You can use it by adding the OpenSSH key-pair under the PKI subsystem. - -Example: - -:::{code-block} none -# Generate key-pair acting as CA -$ ssh-keygen -f vyos-ssh-ca.key - -# Generate key for user: vyos_testca -$ ssh-keygen -f vyos_testca -C "vyos_tesca@vyos.net" - -# Sign public key from user vyos_testca and insert principal names: vyos, vyos_testca -# with a key lifetime of two weeks - after which the key is unusable -$ ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +2w vyos_testca.pub - -$ set system login user vyos_testca -$ set pki openssh test_ca public key AAAAB3N..... -$ set pki openssh test_ca public type ssh-rsa -$ set service ssh trusted-user-ca test_ca -::: -You can now log into the system using: ``ssh -i vyos_testca vyos_testca@vyos.test.com`` -``` - -## Dynamic-protection - -Protects host from brute-force attacks against -SSH. Log messages are parsed, line-by-line, for recognized patterns. If an -attack, such as several login failures within a few seconds, is detected, the -offending IP is blocked. Offenders are unblocked after a set interval. - -```{cfgcmd} set service ssh dynamic-protection - -Allow ``ssh`` dynamic-protection. -``` -```{cfgcmd} set service ssh dynamic-protection allow-from \<address | prefix\> - -Whitelist of addresses and networks. Always allow inbound connections from -these systems. -``` -```{cfgcmd} set service ssh dynamic-protection block-time \<sec\> - -Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 -The default is 120. -``` -```{cfgcmd} set service ssh dynamic-protection detect-time \<sec\> - -Remember source IP in seconds before reset their score. The default is 1800. -``` -```{cfgcmd} set service ssh dynamic-protection threshold \<sec\> - -Block source IP when their cumulative attack score exceeds threshold. The -default is 30. -``` - -(ssh-operation)= - -## Operation - -```{opcmd} restart ssh - -Restart the SSH daemon process, the current session is not affected, only the -background daemon is restarted. -``` -```{opcmd} generate ssh server-key - -Re-generated the public/private keyportion which SSH uses to secure -connections. - -:::{note} -Already learned known_hosts files of clients need an update as the -public key will change. -::: -``` -```{opcmd} generate ssh client-key /path/to/private_key - -Re-generated a known pub/private keyfile which can be used to connect to -other services (e.g. RPKI cache). - -Example: - -:::{code-block} none -vyos@vyos:~$ generate ssh client-key /config/auth/id_rsa_rpki -Generating public/private rsa key pair. -Your identification has been saved in /config/auth/id_rsa_rpki. -Your public key has been saved in /config/auth/id_rsa_rpki.pub. -The key fingerprint is: -SHA256:XGv2PpdOzVCzpmEzJZga8hTRq7B/ZYL3fXaioLFLS5Q vyos@vyos -The key's randomart image is: -+---[RSA 2048]----+ -| oo | -| ..o | -| . o.o.. o.| -| o+ooo o.o| -| Eo* =.o | -| o = +.o*+ | -| = o *.o.o| -| o * +.o+.+| -| =.. o=.oo| -+----[SHA256]-----+ -::: -Two new files ``/config/auth/id_rsa_rpki`` and -``/config/auth/id_rsa_rpki.pub`` -will be created. -``` -```{opcmd} generate public-key-command user \<username\> path \<location\> - -> Generate the configuration mode commands to add a public key for -> {ref}`ssh_key_based_authentication`. -> ``<location>`` can be a local path or a URL pointing at a remote file. -> -> Supported remote protocols are FTP, FTPS, HTTP, HTTPS, SCP/SFTP and TFTP. - -Example: - -:::{code-block} none -alyssa@vyos:~$ generate public-key-command user alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub -# To add this key as an embedded key, run the following commands: -configure -set system login user alyssa authentication public-keys alyssa@example.net key AAA... -set system login user alyssa authentication public-keys alyssa@example.net type ssh-rsa -commit -save -exit - -ben@vyos:~$ generate public-key-command user ben path ~/.ssh/id_rsa.pub -# To add this key as an embedded key, run the following commands: -configure -set system login user ben authentication public-keys ben@vyos key AAA... -set system login user ben authentication public-keys ben@vyos type ssh-dss -commit -save -exit -::: -``` -```{opcmd} show log ssh - -Show SSH server log. -``` -```{opcmd} monitor log ssh - -Follow the SSH server log. -``` -```{opcmd} show log ssh dynamic-protection - -Show SSH dynamic-protection log. -``` -```{opcmd} monitor log ssh dynamic-protection - -Follow the SSH dynamic-protection log. -``` -```{opcmd} show ssh dynamic-protection - -Show list of IPs currently blocked by SSH dynamic-protection. -``` -```{opcmd} show ssh fingerprints - -Show SSH server public key fingerprints. -``` -```{opcmd} show ssh fingerprints ascii - -Show SSH server public key fingerprints, including a visual ASCII art representation. -```
\ No newline at end of file diff --git a/docs/configuration/service/md-tftp-server.md b/docs/configuration/service/md-tftp-server.md deleted file mode 100644 index f4a6c34c..00000000 --- a/docs/configuration/service/md-tftp-server.md +++ /dev/null @@ -1,78 +0,0 @@ -(tftp-server)= - -# TFTP Server - -{abbr}`TFTP (Trivial File Transfer Protocol)` is a simple, lockstep file -transfer protocol which allows a client to get a file from or put a file onto -a remote host. One of its primary uses is in the early stages of nodes booting -from a local area network. TFTP has been used for this application because it -is very simple to implement. - -## Configuration - -```{cfgcmd} set service tftp-server directory \<directory\> - -Enable TFTP service by specifying the `<directory>` which will be used to serve -files. -``` - -:::{hint} -Choose your `directory` location carefully or you will loose the -content on image upgrades. Any directory under `/config` is save at this -will be migrated. -::: - -```{cfgcmd} set service tftp-server listen-address \<address\> - -Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and -IPv6 addresses can be given. There will be one TFTP server instances listening -on each IP address. -``` - -```{cfgcmd} set service tftp-server listen-address \<address\> vrf \<name\> -``` - -Additional option to run TFTP server in the {abbr}`VRF (Virtual Routing and Forwarding)` context - -:::{note} -Configuring a listen-address is essential for the service to work. -::: -```{cfgcmd} set service tftp-server allow-upload - -Optional, if you want to enable uploads, else TFTP server will act as a -read-only server. -``` - -### Example - -Provide TFTP server listening on both IPv4 and IPv6 addresses `192.0.2.1` and -`2001:db8::1` serving the content from `/config/tftpboot`. Uploading via -TFTP to this server is disabled. - -The resulting configuration will look like: - -```none -vyos@vyos# show service - tftp-server { - directory /config/tftpboot - listen-address 2001:db8::1 - listen-address 192.0.2.1 - } -``` - -### Verification - -Client: - -```none -vyos@RTR2:~$ tftp -p -l /config/config.boot -r backup 192.0.2.1 -backup1 100% |******************************| 723 0:00:00 ETA -``` - -Server: - -```none -vyos@RTR1# ls -ltr /config/tftpboot/ -total 1 --rw-rw-rw- 1 tftp tftp 1995 May 19 16:02 backup -``` diff --git a/docs/configuration/service/md-webproxy.md b/docs/configuration/service/md-webproxy.md deleted file mode 100644 index 28156b2b..00000000 --- a/docs/configuration/service/md-webproxy.md +++ /dev/null @@ -1,459 +0,0 @@ -(webproxy)= - -# Webproxy - -The proxy service in VyOS is based on [Squid] and some related modules. - -[Squid] is a caching and forwarding HTTP web proxy. It has a wide variety of -uses, including speeding up a web server by caching repeated requests, caching -web, DNS and other computer network lookups for a group of people sharing -network resources, and aiding security by filtering traffic. Although primarily -used for HTTP and FTP, Squid includes limited support for several other -protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does not -support the SOCKS protocol. - -URL Filtering is provided by [SquidGuard]. - -## Configuration - -```{cfgcmd} set service webproxy append-domain \<domain\> - -Use this command to specify a domain name to be appended to domain-names -within URLs that do not include a dot ``.`` the domain is appended. - -Example: to be appended is set to ``vyos.net`` and the URL received is -``www/foo.html``, the system will use the generated, final URL of -``www.vyos.net/foo.html``. - -:::{code-block} none -set service webproxy append-domain vyos.net -::: -``` - - -```{cfgcmd} set service webproxy cache-size \<size\> - -The size of the on-disk Proxy cache is user configurable. The Proxies default -cache-size is configured to 100 MB. - -Unit of this command is MB. - -:::{code-block} none -set service webproxy cache-size 1024 -::: -``` - - -```{cfgcmd} set service webproxy default-port \<port\> - -Specify the port used on which the proxy service is listening for requests. -This port is the default port used for the specified listen-address. - -Default port is 3128. - -:::{code-block} none -set service webproxy default-port 8080 -::: -``` - - -```{cfgcmd} set service webproxy domain-block \<domain\> - -Used to block specific domains by the Proxy. Specifying "vyos.net" will block -all access to vyos.net, and specifying ".xxx" will block all access to URLs -having an URL ending on .xxx. - -:::{code-block} none -set service webproxy domain-block vyos.net -::: -``` - - -```{cfgcmd} set service webproxy domain-noncache \<domain\> - -Allow access to sites in a domain without retrieving them from the Proxy -cache. Specifying "vyos.net" will allow access to vyos.net but the pages -accessed will not be cached. It useful for working around problems with -"If-Modified-Since" checking at certain sites. - -:::{code-block} none -set service webproxy domain-noncache vyos.net -::: -``` - - -```{cfgcmd} set service webproxy listen-address \<address\> - -Specifies proxy service listening address. The listen address is the IP -address on which the web proxy service listens for client requests. - -For security, the listen address should only be used on internal/trusted -networks! - -:::{code-block} none -set service webproxy listen-address 192.0.2.1 -::: -``` - - -```{cfgcmd} set service webproxy listen-address \<address\> disable-transparent - -Disables web proxy transparent mode at a listening address. - -In transparent proxy mode, all traffic arriving on port 80 and destined for -the Internet is automatically forwarded through the proxy. This allows -immediate proxy forwarding without configuring client browsers. - -Non-transparent proxying requires that the client browsers be configured with -the proxy settings before requests are redirected. The advantage of this is -that the client web browser can detect that a proxy is in use and can behave -accordingly. In addition, web-transmitted malware can sometimes be blocked by -a non-transparent web proxy, since they are not aware of the proxy settings. - -:::{code-block} none -set service webproxy listen-address 192.0.2.1 disable-transparent -::: -``` - - -```{cfgcmd} set service webproxy listen-address \<address\> port \<port\> - -Sets the listening port for a listening address. This overrides the default -port of 3128 on the specific listen address. - -:::{code-block} none -set service webproxy listen-address 192.0.2.1 port 8080 -::: -``` -```{cfgcmd} set service webproxy reply-block-mime \<mime\> - -Used to block a specific mime-type. - -:::{code-block} none -# block all PDFs -set service webproxy reply-block-mime application/pdf -::: -``` -```{cfgcmd} set service webproxy reply-body-max-size \<size\> - -Specifies the maximum size of a reply body in KB, used to limit the reply -size. - -All reply sizes are accepted by default. - -:::{code-block} none -set service webproxy reply-body-max-size 2048 -::: -``` - - -```{cfgcmd} set service webproxy safe-ports \<port\> - -Add new port to Safe-ports acl. Ports included by default in Safe-ports acl: -21, 70, 80, 210, 280, 443, 488, 591, 777, 873, 1025-65535 -``` - - -```{cfgcmd} set service webproxy ssl-safe-ports \<port\> - -Add new port to SSL-ports acl. Ports included by default in SSL-ports acl: -443 -``` - -### Authentication - -The embedded Squid proxy can use LDAP to authenticate users against a company -wide directory. The following configuration is an example of how to use Active -Directory as authentication backend. Queries are done via LDAP. - -```{cfgcmd} set service webproxy authentication children \<number\> - -Maximum number of authenticator processes to spawn. If you start too few -Squid will have to wait for them to process a backlog of credential -verifications, slowing it down. When password verifications are done via a -(slow) network you are likely to need lots of authenticator processes. - -This defaults to 5. - -:::{code-block} none -set service webproxy authentication children 10 -::: -``` - - -```{cfgcmd} set service webproxy authentication credentials-ttl \<time\> - -Specifies how long squid assumes an externally validated username:password -pair is valid for - in other words how often the helper program is called for -that user. Set this low to force revalidation with short lived passwords. - -Time is in minutes and defaults to 60. - -:::{code-block} none -set service webproxy authentication credentials-ttl 120 -::: -``` -```{cfgcmd} set service webproxy authentication method \<ldap\> - -Proxy authentication method, currently only LDAP is supported. - -:::{code-block} none -set service webproxy authentication method ldap -::: -``` - - -```{cfgcmd} set service webproxy authentication realm - -Specifies the protection scope (aka realm name) which is to be reported to -the client for the authentication scheme. It is commonly part of the text -the user will see when prompted for their username and password. - -:::{code-block} none -set service webproxy authentication realm "VyOS proxy auth" -::: -``` - -#### LDAP - -```{cfgcmd} set service webproxy authentication ldap base-dn \<base-dn\> - -Specifies the base DN under which the users are located. - -:::{code-block} none -set service webproxy authentication ldap base-dn DC=vyos,DC=net -::: -``` -```{cfgcmd} set service webproxy authentication ldap bind-dn \<bind-dn\> - -The DN and password to bind as while performing searches. - -:::{code-block} none -set service webproxy authentication ldap bind-dn CN=proxyuser,CN=Users,DC=vyos,DC=net -::: -``` - - -```{cfgcmd} set service webproxy authentication ldap filter-expression \<expr\> - -LDAP search filter to locate the user DN. Required if the users are in a -hierarchy below the base DN, or if the login name is not what builds the user -specific part of the users DN. - -The search filter can contain up to 15 occurrences of %s which will be -replaced by the username, as in "uid=%s" for {rfc}`2037` directories. For a -detailed description of LDAP search filter syntax see {rfc}`2254`. - -:::{code-block} none -set service webproxy authentication ldap filter-expression (cn=%s) -::: -``` - - -```{cfgcmd} set service webproxy authentication ldap password \<password\> - -The DN and password to bind as while performing searches. As the password -needs to be printed in plain text in your Squid configuration it is strongly -recommended to use a account with minimal associated privileges. This to limit -the damage in case someone could get hold of a copy of your Squid -configuration file. - -:::{code-block} none -set service webproxy authentication ldap password vyos -::: -``` - - -```{cfgcmd} set service webproxy authentication ldap persistent-connection - -Use a persistent LDAP connection. Normally the LDAP connection is only open -while validating a username to preserve resources at the LDAP server. This -option causes the LDAP connection to be kept open, allowing it to be reused -for further user validations. - -Recommended for larger installations. - -:::{code-block} none -set service webproxy authentication ldap persistent-connection -::: -``` - - -```{cfgcmd} set service webproxy authentication ldap port \<port\> - -Specify an alternate TCP port where the ldap server is listening if other than -the default LDAP port 389. - -:::{code-block} none -set service webproxy authentication ldap port 389 -::: -``` - - -```{cfgcmd} set service webproxy authentication ldap server \<server\> - -Specify the LDAP server to connect to. - -:::{code-block} none -set service webproxy authentication ldap server ldap.vyos.net -::: -``` -```{cfgcmd} set service webproxy authentication ldap use-ssl - -Use TLS encryption. - -:::{code-block} none -set service webproxy authentication ldap use-ssl -::: -``` -```{cfgcmd} set service webproxy authentication ldap username-attribute \<attr\> - -Specifies the name of the DN attribute that contains the username/login. -Combined with the base DN to construct the users DN when no search filter is -specified (filter-expression). - -Defaults to 'uid' - -:::{note} -This can only be done if all your users are located directly under -the same position in the LDAP tree and the login name is used for naming -each user object. If your LDAP tree does not match these criterias or if you -want to filter who are valid users then you need to use a search filter to -search for your users DN (filter-expression). -::: - -:::{code-block} none -set service webproxy authentication ldap username-attribute uid -::: -``` - - -```{cfgcmd} set service webproxy authentication ldap version \<2 | 3\> - -LDAP protocol version. Defaults to 3 if not specified. - -:::{code-block} none -set service webproxy authentication ldap version 2 -::: -``` - -### URL filtering - -```{include} /_include/need_improvement.txt -``` -```{cfgcmd} set service webproxy url-filtering disable - -Disables web filtering without discarding configuration. - -:::{code-block} none -set service webproxy url-filtering disable -::: -``` - -## Operation - -```{include} /_include/need_improvement.txt -``` - -### Filtering -#### Update - -If you want to use existing blacklists you have to create/download a database -first. Otherwise you will not be able to commit the config changes. - -```{opcmd} update webproxy blacklists - -Download/Update complete blacklist - -:::{code-block} none -vyos@vyos:~$ update webproxy blacklists -Warning: No url-filtering blacklist installed -Would you like to download a default blacklist? [confirm][y] -Connecting to ftp.univ-tlse1.fr (193.49.48.249:21) -blacklists.gz 100% |*************************************************************************************************************| 17.0M 0:00:00 ETA -Uncompressing blacklist... -Checking permissions... -Skip link for [ads] -> [publicite] -Building DB for [adult/domains] - 2467177 entries -Building DB for [adult/urls] - 67798 entries -Skip link for [aggressive] -> [agressif] -Building DB for [agressif/domains] - 348 entries -Building DB for [agressif/urls] - 36 entries -Building DB for [arjel/domains] - 69 entries -... -Building DB for [webmail/domains] - 374 entries -Building DB for [webmail/urls] - 9 entries -The webproxy daemon must be restarted -Would you like to restart it now? [confirm][y] -[ ok ] Restarting squid (via systemctl): squid.service. -vyos@vyos:~$ -::: -``` -```{opcmd} update webproxy blacklists category \<category\> - -Download/Update partial blacklist. - -Use tab completion to get a list of categories. -``` - -- To auto update the blacklist files - - `set service webproxy url-filtering squidguard auto-update update-hour 23` - -- To configure blocking add the following to the configuration - - `set service webproxy url-filtering squidguard block-category ads` - - `set service webproxy url-filtering squidguard block-category malware` - -#### Bypassing the webproxy - -```{include} /_include/need_improvement.txt -``` - -Some services don't work correctly when being handled via a web proxy. -So sometimes it is useful to bypass a transparent proxy: - -- To bypass the proxy for every request that is directed to a specific - destination: - - `set service webproxy whitelist destination-address 198.51.100.33` - - `set service webproxy whitelist destination-address 192.0.2.0/24` - -- To bypass the proxy for every request that is coming from a specific source: - - `set service webproxy whitelist source-address 192.168.1.2` - - `set service webproxy whitelist source-address 192.168.2.0/24` - - (This can be useful when a called service has many and/or often changing - destination addresses - e.g. Netflix.) - -## Examples - -```none -vyos@vyos# show service webproxy - authentication { - children 5 - credentials-ttl 60 - ldap { - base-dn DC=example,DC=local - bind-dn CN=proxyuser,CN=Users,DC=example,DC=local - filter-expression (cn=%s) - password Qwert1234 - server ldap.example.local - username-attribute cn - } - method ldap - realm "VyOS Webproxy" - } - cache-size 100 - default-port 3128 - listen-address 192.168.188.103 { - disable-transparent - } -``` - -[squid]: http://www.squid-cache.org/ -[squidguard]: http://www.squidguard.org/ diff --git a/docs/configuration/system/md-acceleration.md b/docs/configuration/system/md-acceleration.md deleted file mode 100644 index 871129e6..00000000 --- a/docs/configuration/system/md-acceleration.md +++ /dev/null @@ -1,158 +0,0 @@ -(acceleration)= - -# Acceleration - -In this command tree, all hardware acceleration options will be handled. -At the moment only [Intel® QAT] is supported - -## Intel® QAT - -```{opcmd} show system acceleration qat - -use this command to check if there is an Intel® QAT supported Processor in your system. - -:::{code-block} none -vyos@vyos:~$ show system acceleration qat -01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11) -::: - -if there is non device the command will show `` `No QAT device found` `` -``` - -```{cfgcmd} set system acceleration qat - -if there is a supported device, enable Intel® QAT -``` - - -```{opcmd} show system acceleration qat status - -Check if the Intel® QAT device is up and ready to do the job. - -:::{code-block} none -vyos@vyos:~$ show system acceleration qat status -Checking status of all devices. -There is 1 QAT acceleration device(s) in the system: -qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up -::: -``` - - -### Operation Mode - -```{opcmd} show system acceleration qat device \<device\> config - -Show the full config uploaded to the QAT device. -``` - - -```{opcmd} show system acceleration qat device \<device\> flows - -Get an overview over the encryption counters. -``` - - -```{opcmd} show system acceleration qat interrupts - -Show binded qat device interrupts to certain core. -``` - - -### Example - -Let's build a simple VPN between 2 Intel® QAT ready devices. - -Side A: - -``` -set interfaces vti vti1 address '192.168.1.2/24' -set vpn ipsec authentication psk right id '10.10.10.2' -set vpn ipsec authentication psk right id '10.10.10.1' -set vpn ipsec authentication psk right secret 'Qwerty123' -set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' -set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' -set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' -set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' -set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' -set vpn ipsec interface 'eth0' -set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2' -set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret' -set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1' -set vpn ipsec site-to-site peer right connection-type 'initiate' -set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup' -set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup' -set vpn ipsec site-to-site peer right local-address '10.10.10.2' -set vpn ipsec site-to-site peer right remote-address '10.10.10.1' -set vpn ipsec site-to-site peer right vti bind 'vti1' -``` - -Side B: - -``` -set interfaces vti vti1 address '192.168.1.1/24' -set vpn ipsec authentication psk left id '10.10.10.2' -set vpn ipsec authentication psk left id '10.10.10.1' -set vpn ipsec authentication psk left secret 'Qwerty123' -set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' -set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' -set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' -set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' -set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' -set vpn ipsec interface 'eth0' -set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1' -set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret' -set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2' -set vpn ipsec site-to-site peer left connection-type 'initiate' -set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup' -set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup' -set vpn ipsec site-to-site peer left local-address '10.10.10.1' -set vpn ipsec site-to-site peer left remote-address '10.10.10.2' -set vpn ipsec site-to-site peer left vti bind 'vti1' -``` - -a bandwidth test over the VPN got these results: - -``` -Connecting to host 192.168.1.2, port 5201 -[ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201 -[ ID] Interval Transfer Bitrate Retr Cwnd -[ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes -[ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes -[ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes -[ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes -[ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes -[ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes -[ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes -[ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes -[ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes -[ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes -- - - - - - - - - - - - - - - - - - - - - - - - - -[ ID] Interval Transfer Bitrate Retr -[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender -[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver -``` - -with {cfgcmd}`set system acceleration qat` on both systems the bandwidth -increases. - -``` -Connecting to host 192.168.1.2, port 5201 -[ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201 -[ ID] Interval Transfer Bitrate Retr Cwnd -[ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes -[ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes -[ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes -[ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes -[ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes -[ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes -[ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes -[ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes -[ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes -[ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes -- - - - - - - - - - - - - - - - - - - - - - - - - -[ ID] Interval Transfer Bitrate Retr -[ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender -[ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver -``` - -[intel® qat]: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html diff --git a/docs/configuration/system/md-conntrack.md b/docs/configuration/system/md-conntrack.md deleted file mode 100644 index f83f0684..00000000 --- a/docs/configuration/system/md-conntrack.md +++ /dev/null @@ -1,218 +0,0 @@ -# Conntrack - -VyOS can be configured to track connections using the connection -tracking subsystem. Connection tracking becomes operational once either -stateful firewall or NAT is configured. - -## Configure - -```{cfgcmd} set system conntrack table-size \<1-50000000\> -:defaultvalue: - -The connection tracking table contains one entry for each connection being -tracked by the system. -``` - -```{cfgcmd} set system conntrack expect-table-size \<1-50000000\> -:defaultvalue: - -The connection tracking expect table contains one entry for each expected -connection related to an existing connection. These are generally used by -“connection tracking helper” modules such as FTP. -The default size of the expect table is 2048 entries. -``` - -```{cfgcmd} set system conntrack hash-size \<1-50000000\> -:defaultvalue: - -Set the size of the hash table. The connection tracking hash table makes -searching the connection tracking table faster. The hash table uses -“buckets” to record entries in the connection tracking table. -``` - -```{eval-rst} -.. cfgcmd:: set system conntrack modules ftp -.. cfgcmd:: set system conntrack modules h323 -.. cfgcmd:: set system conntrack modules nfs -.. cfgcmd:: set system conntrack modules pptp -.. cfgcmd:: set system conntrack modules sip -.. cfgcmd:: set system conntrack modules sqlnet -.. cfgcmd:: set system conntrack modules tftp - - Configure the connection tracking protocol helper modules. - All modules are enable by default. - - | Use `delete system conntrack modules` to deactive all modules. - | Or, for example ftp, `delete system conntrack modules ftp`. -``` - -```{cfgcmd} set system conntrack tcp half-open-connections \<1-21474836\> -:defaultvalue: - -Set the maximum number of TCP half-open connections. -``` - -```{cfgcmd} set system conntrack tcp loose \<enable | disable\> -:defaultvalue: - -Policy to track previously established connections. -``` - -```{cfgcmd} set system conntrack tcp max-retrans \<1-2147483647\> -:defaultvalue: - -Set the number of TCP maximum retransmit attempts. -``` - -### Contrack Timeouts - -You can define custom timeout values to apply to a specific subset of -connections, based on a packet and flow selector. To do this, you need to -create a rule defining the packet and flow selector. - -```{eval-rst} -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - description <test> - - Set a rule description. - -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - destination address <ip-address> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - source address <ip-address> - - Set a destination and/or source address. Accepted input for ipv4: - - .. code-block:: none - - set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address - Possible completions: - <x.x.x.x> IPv4 address to match - <x.x.x.x/x> IPv4 prefix to match - <x.x.x.x>-<x.x.x.x> IPv4 address range to match - !<x.x.x.x> Match everything except the specified address - !<x.x.x.x/x> Match everything except the specified prefix - !<x.x.x.x>-<x.x.x.x> Match everything except the specified range - - set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address - Possible completions: - <h:h:h:h:h:h:h:h> IP address to match - <h:h:h:h:h:h:h:h/x> Subnet to match - <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h> - IP range to match - !<h:h:h:h:h:h:h:h> Match everything except the specified address - !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix - !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h> - Match everything except the specified range - -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - destination port <value> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - source port <value> - - Set a destination and/or source port. Accepted input: - - .. code-block:: none - - <port name> Named port (any name in /etc/services, e.g., http) - <1-65535> Numbered port - <start>-<end> Numbered port range (e.g., 1001-1005) - - Multiple destination ports can be specified as a comma-separated list. - The whole list can also be "negated" using '!'. For example: - `!22,telnet,http,123,1001-1005`` - -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol tcp close <1-21474836> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol tcp close-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol tcp established <1-21474836> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol tcp fin-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol tcp last-ack <1-21474836> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol tcp syn-recv <1-21474836> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol tcp syn-sent <1-21474836> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol tcp time-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol udp replied <1-21474836> -.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> - protocol udp unreplied <1-21474836> - - Set the timeout in seconds for a protocol or state in a custom rule. -``` - -### Conntrack ignore rules - -:::{note} -**Important note about conntrack ignore rules:** -Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in -``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in -the future the conntrack ignore rules will be removed. - -> Customized ignore rules, based on a packet and flow selector. -::: - -```{eval-rst} -.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> - description <text> -.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> - destination address <ip-address> -.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> - destination port <port> -.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> - inbound-interface <interface> -.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> - protocol <protocol> -.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> - source address <ip-address> -.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> - source port <port> -.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> - tcp flags [not] <text> - - Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, - ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for - inverted selection use ``not``, as shown in the example. -``` - -### Conntrack log - -```{eval-rst} -.. cfgcmd:: set system conntrack log event destroy -.. cfgcmd:: set system conntrack log event new -.. cfgcmd:: set system conntrack log event update - - Log the connection tracking events per type. - -.. cfgcmd:: set system conntrack log event destroy icmp -.. cfgcmd:: set system conntrack log event destroy other -.. cfgcmd:: set system conntrack log event destroy tcp -.. cfgcmd:: set system conntrack log event destroy udp -.. cfgcmd:: set system conntrack log event new icmp -.. cfgcmd:: set system conntrack log event new other -.. cfgcmd:: set system conntrack log event new tcp -.. cfgcmd:: set system conntrack log event new udp -.. cfgcmd:: set system conntrack log event update icmp -.. cfgcmd:: set system conntrack log event update other -.. cfgcmd:: set system conntrack log event update tcp -.. cfgcmd:: set system conntrack log event update udp - - Log the connection tracking events per protocol. - -.. cfgcmd:: set system conntrack log timestamp - - Turn on flow-based timestamp extension. - -.. cfgcmd:: set system conntrack log queue-size <100-999999> - - Manage internal queue size, default size is 4096 events. - -.. cfgcmd:: set system conntrack log log-level <info | debug> - - Manage log level -```
\ No newline at end of file diff --git a/docs/configuration/system/md-console.md b/docs/configuration/system/md-console.md deleted file mode 100644 index 9017fa30..00000000 --- a/docs/configuration/system/md-console.md +++ /dev/null @@ -1,59 +0,0 @@ -(serial-console)= - -# Serial Console - -For the average user a serial console has no advantage over a console offered -by a directly attached keyboard and screen. Serial consoles are much slower, -taking up to a second to fill a 80 column by 24 line screen. Serial consoles -generally only support non-proportional ASCII text, with limited support for -languages other than English. - -There are some scenarios where serial consoles are useful. System administration -of remote computers is usually done using {ref}`ssh`, but there are times when -access to the console is the only way to diagnose and correct software failures. -Major upgrades to the installed distribution may also require console access. - -```{cfgcmd} set system console device \<device\> - -Defines the specified device as a system console. Available console devices -can be (see completion helper): -* ``ttySN`` - Serial device name -* ``ttyAMAN``- Serial device name for some arm64 systems -* ``ttyUSBX`` - USB Serial device name -* ``hvc0`` - Xen console -``` - -```{cfgcmd} set system console device \<device\> kernel - -When set, the selected serial console is used as the kernel boot console. -When removed, the kernel boot console falls back to tty0. - -:::{note} -Only one serial console can carry the ``kernel`` option. -When VyOS is installed via serial console, this option is set automatically -for the serial interface used during installation; usually ``ttyS0`` or -``ttyAMA0``. -::: -``` - -```{cfgcmd} set system console device \<device\> speed \<speed\> - -The speed (baudrate) of the console device. Supported values are: -* ``1200`` - 1200 bps -* ``2400`` - 2400 bps -* ``4800`` - 4800 bps -* ``9600`` - 9600 bps -* ``19200`` - 19,200 bps -* ``38400`` - 38,400 bps (default for Xen console) -* ``57600`` - 57,600 bps -* ``115200`` - 115,200 bps (default for serial console) - -:::{note} -If you use USB to serial converters for connecting to your VyOS -appliance please note that most of them use software emulation without flow -control. This means you should start with a common baud rate (most likely -9600 baud) as otherwise you probably can not connect to the device using -high speed baud rates as your serial converter simply can not process this -data rate. -::: -```
\ No newline at end of file diff --git a/docs/configuration/system/md-default-route.md b/docs/configuration/system/md-default-route.md deleted file mode 100644 index 9f2793d1..00000000 --- a/docs/configuration/system/md-default-route.md +++ /dev/null @@ -1,40 +0,0 @@ -(default-gateway)= - -# Default Gateway/Route - -In the past (VyOS 1.1) used a gateway-address configured under the system tree -({cfgcmd}`set system gateway-address <address>`), this is no longer supported -and existing configurations are migrated to the new CLI command. - -## Configuration - -```{cfgcmd} set protocols static route 0.0.0.0/0 next-hop \<address\> - -Specify static route into the routing table sending all non local traffic -to the nexthop address \<address\>. -``` - -```{cfgcmd} delete protocols static route 0.0.0.0/0 - -Delete default route from the system. -``` - - -## Operation - -```{opcmd} show ip route 0.0.0.0 - -Show routing table entry for the default route. - -:::{code-block} none -vyos@vyos:~$ show ip route 0.0.0.0 -Routing entry for 0.0.0.0/0 -Known via "static", distance 10, metric 0, best -Last update 09:46:30 ago -* 172.18.201.254, via eth0.201 -::: -``` - -:::{seealso} -Configuration of {ref}`routing-static` -::: diff --git a/docs/configuration/system/md-flow-accounting.md b/docs/configuration/system/md-flow-accounting.md deleted file mode 100644 index 0b5198a1..00000000 --- a/docs/configuration/system/md-flow-accounting.md +++ /dev/null @@ -1,270 +0,0 @@ -# Flow Accounting - -VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts -as a flow exporter, and you are free to use it with any compatible collector. - -Flows can be exported via protocol NetFlow (versions 5, 9 and -10/IPFIX). Additionally, you may save flows to an in-memory table -internally in a router. - -<div class="warning"> - -<div class="title"> - -Warning - -</div> - -You need to disable the in-memory table in production environments! -Using `IMT (In-Memory Table)` may lead to heavy CPU overloading and -unstable flow-accounting behavior. - -</div> - -## NetFlow / IPFIX - -NetFlow is a feature that was introduced on Cisco routers around 1996 that -provides the ability to collect IP network traffic as it enters or exits an -interface. By analyzing the data provided by NetFlow, a network administrator -can determine things such as the source and destination of traffic, class of -service, and the causes of congestion. A typical flow monitoring setup (using -NetFlow) consists of three main components: - -- **exporter**: aggregates packets into flows and exports flow records towards - one or more flow collectors -- **collector**: responsible for reception, storage and pre-processing of flow - data received from a flow exporter -- **application**: analyzes received flow data in the context of intrusion - detection or traffic profiling, for example - -For connectionless protocols as like ICMP and UDP, a flow is considered -complete once no more packets for this flow appear after configurable timeout. - -NetFlow is usually enabled on a per-interface basis to limit load on the router -components involved in NetFlow, or to limit the amount of NetFlow records -exported. - -## Configuration - -<div class="warning"> - -<div class="title"> - -Warning - -</div> - -Using NetFlow on routers with high traffic levels may lead to -high CPU usage and may affect the router's performance. In such cases, -consider using sFlow instead. - -</div> - -In order for flow accounting information to be collected and displayed for an -interface, the interface must be configured for flow accounting. - -<div class="cfgcmd"> - -set system flow-accounting interface \<interface\> - -Configure and enable collection of flow information for the interface -identified by <span class="title-ref">\<interface\></span>. - -You can configure multiple interfaces which would participate in flow -accounting. - -</div> - -<div class="note"> - -<div class="title"> - -Note - -</div> - -Will be recorded only packets/flows on **incoming** direction in -configured interfaces by default. - -</div> - -By default, recorded flows will be saved internally and can be listed with the -CLI command. You may disable using the local in-memory table with the command: - -<div class="cfgcmd"> - -set system flow-accounting disable-imt - -If you need to sample also egress traffic, you may want to -configure egress flow-accounting: - -</div> - -<div class="cfgcmd"> - -set system flow-accounting enable-egress - -Internally, in flow-accounting processes exist a buffer for data exchanging -between core process and plugins (each export target is a separated plugin). -If you have high traffic levels or noted some problems with missed records -or stopping exporting, you may try to increase a default buffer size (10 -MiB) with the next command: - -</div> - -<div class="cfgcmd"> - -set system flow-accounting buffer-size \<buffer size\> - -In case, if you need to catch some logs from flow-accounting daemon, you may -configure logging facility: - -</div> - -<div class="cfgcmd"> - -set system flow-accounting syslog-facility \<facility\> - -Configure the syslog facility used for flow-accounting log messages. -Available facilities follow standard syslog conventions (e.g., -`daemon`, `local0` through `local7`). - -</div> - -### Flow Export - -In addition to displaying flow accounting information locally, one can also -exported them to a collection server. - -#### NetFlow - -<div class="cfgcmd"> - -set system flow-accounting netflow version \<version\> - -There are multiple versions available for the NetFlow data. The <span class="title-ref">\<version\></span> -used in the exported flow data can be configured here. The following -versions are supported: - -- **5** - Most common version, but restricted to IPv4 flows only -- **9** - NetFlow version 9 (default) -- **10** - `IPFIX (IP Flow Information Export)` as per `3917` - -</div> - -<div class="cfgcmd"> - -set system flow-accounting netflow server \<address\> - -Configure address of NetFlow collector. NetFlow server at <span class="title-ref">\<address\></span> can -be both listening on an IPv4 or IPv6 address. - -</div> - -<div class="cfgcmd"> - -set system flow-accounting netflow source-ip \<address\> - -IPv4 or IPv6 source address of NetFlow packets - -</div> - -<div class="cfgcmd"> - -set system flow-accounting netflow engine-id \<id\> - -NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255. - -</div> - -<div class="cfgcmd"> - -set system flow-accounting netflow sampling-rate \<rate\> - -Use this command to configure the sampling rate for flow accounting. The -system samples one in every <span class="title-ref">\<rate\></span> packets, where <span class="title-ref">\<rate\></span> is the value -configured for the sampling-rate option. The advantage of sampling every n -packets, where n \> 1, allows you to decrease the amount of processing -resources required for flow accounting. The disadvantage of not sampling -every packet is that the statistics produced are estimates of actual data -flows. - -Per default every packet is sampled (that is, the sampling rate is 1). - -</div> - -<div class="cfgcmd"> - -set system flow-accounting netflow timeout expiry-interval -\<interval\> - -Specifies the interval at which Netflow data will be sent to a collector. As -per default, Netflow data will be sent every 60 seconds. - -You may also additionally configure timeouts for different types of -connections. - -</div> - -<div class="cfgcmd"> - -set system flow-accounting netflow max-flows \<n\> - -If you want to change the maximum number of flows, which are tracking -simultaneously, you may do this with this command (default 8192). - -</div> - -### Example: - -NetFlow v5 example: - -``` none -set system flow-accounting netflow engine-id 100 -set system flow-accounting netflow version 5 -set system flow-accounting netflow server 192.168.2.10 port 2055 -``` - -## Operation - -Once flow accounting is configured on an interfaces it provides the ability to -display captured network traffic information for all configured interfaces. - -<div class="opcmd"> - -show flow-accounting interface \<interface\> - -Show flow accounting information for given <span class="title-ref">\<interface\></span>. - -``` none -vyos@vyos:~$ show flow-accounting interface eth0 -IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES ----------- ----------------- ----------------- ------------------------ --------------- ---------- ---------- ---------- ----- --------- ------- ------- -eth0 00:53:01:a8:28:ac ff:ff:ff:ff:ff:ff 192.0.2.2 255.255.255.255 5678 5678 udp 0 1 1 178 -eth0 00:53:01:b2:2f:34 33:33:ff:00:00:00 fe80::253:01ff:feb2:2f34 ff02::1:ff00:0 0 0 ipv6-icmp 0 2 1 144 -eth0 00:53:01:1a:b4:53 33:33:ff:00:00:00 fe80::253:01ff:fe1a:b453 ff02::1:ff00:0 0 0 ipv6-icmp 0 1 1 72 -eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 39 1 2064 -eth0 00:53:01:c8:33:af ff:ff:ff:ff:ff:ff 192.0.2.3 255.255.255.255 5678 5678 udp 0 1 1 154 -eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 146 1 9444 -eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 27 1 4455 -``` - -</div> - -<div class="opcmd"> - -show flow-accounting interface \<interface\> host \<address\> - -Show flow accounting information for given <span class="title-ref">\<interface\></span> for a specific host -only. - -``` none -vyos@vyos:~$ show flow-accounting interface eth0 host 192.0.2.14 -IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES ----------- ----------------- ----------------- ----------- ---------- ---------- ---------- ---------- ----- --------- ------- ------- -eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 197 2 12940 -eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 94 1 4924 -eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 36 1 5877 -``` - -</div> diff --git a/docs/configuration/system/md-frr.md b/docs/configuration/system/md-frr.md deleted file mode 100644 index 1741e286..00000000 --- a/docs/configuration/system/md-frr.md +++ /dev/null @@ -1,45 +0,0 @@ -(system-frr)= - -# FRR - -VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic -and static routing. The routing daemon behavior can be adjusted during runtime, -but requires either a restart of the routing daemon, or a reboot of the system. - -```{cfgcmd} set system frr bmp - -Enable {abbr}`BMP (BGP Monitoring Protocol)` support. -``` - -```{cfgcmd} set system frr descriptors \<numer\> - -This allows the operator to control the number of open file descriptors -each daemon is allowed to start with. If the operator plans to run bgp with -several thousands of peers then this is where we would modify FRR to allow -this to happen. -``` - -```{cfgcmd} set system frr irdp - -Enable ICMP Router Discovery Protocol support. -``` - -```{cfgcmd} set system frr profile \<traditional | datacenter\> - -Select an FRR profile to adapt its default settings. If unset, the -traditional profile is applied. -``` - -```{cfgcmd} set system frr snmp \<daemon\> - -Enable SNMP support for an individual routing daemon. - -Supported daemons: -- bgpd -- isisd -- ldpd -- ospf6d -- ospfd -- ripd -- zebra -```
\ No newline at end of file diff --git a/docs/configuration/system/md-host-name.md b/docs/configuration/system/md-host-name.md deleted file mode 100644 index 81840d1f..00000000 --- a/docs/configuration/system/md-host-name.md +++ /dev/null @@ -1,70 +0,0 @@ -(host-information)= - -# Host Information - -This section describes the system's host information and how to configure them, -it covers the following topics: - -- Host name -- Domain -- IP address -- Aliases - -## Hostname - -A hostname is the label (name) assigned to a network device (a host) on a -network and is used to distinguish one device from another on specific networks -or over the internet. On the other hand this will be the name which appears on -the command line prompt. - -```{cfgcmd} set system host-name \<hostname\> - - The hostname can be up to 63 characters. A hostname - must start and end with a letter or digit, and have as interior characters - only letters, digits, or a hyphen. - - The default hostname used is `vyos`. -``` - -## Domain Name - - -A domain name is the label (name) assigned to a computer network and is thus -unique. VyOS appends the domain name as a suffix to any unqualified name. For -example, if you set the domain name `example.com`, and you would ping the -unqualified name of `crux`, then VyOS qualifies the name to `crux.example.com`. - -```{cfgcmd} set system domain-name \<domain\> - -Configure system domain name. A domain name must start and end with a letter -or digit, and have as interior characters only letters, digits, or a hyphen. -``` - -## Static Hostname Mapping - - -How an IP address is assigned to an interface in {ref}`ethernet-interface`. -This section shows how to statically map an IP address to a hostname for local -(meaning on this VyOS instance) name resolution. This is the VyOS equivalent to -`/etc/hosts` file entries. - - -:::{note} -Do *not* manually edit `/etc/hosts`. This file will automatically be -regenerated on boot based on the settings in this section, which means you'll -lose all your manual edits. Instead, configure static host mappings as follows. -::: - -```{cfgcmd} set system static-host-mapping host-name \<hostname\> inet \<address\> - -Create a static hostname mapping which will always resolve the name -`<hostname>` to IP address `<address>`. -``` -```{cfgcmd} set system static-host-mapping host-name \<hostname\> alias \<alias\> - -Create named `<alias>` for the configured static mapping for `<hostname>`. -Thus the address configured as {cfgcmd}`set system static-host-mapping -host-name <hostname> inet <address>` can be reached via multiple names. - -Multiple aliases can be specified per host-name. -```
\ No newline at end of file diff --git a/docs/configuration/system/md-index.md b/docs/configuration/system/md-index.md deleted file mode 100644 index e0b8a5a1..00000000 --- a/docs/configuration/system/md-index.md +++ /dev/null @@ -1,34 +0,0 @@ -# System - -```{toctree} -:includehidden: true -:maxdepth: 1 - -acceleration -conntrack -console -flow-accounting -frr -host-name -ip -ipv6 -lcd -login -name-server -option -proxy -sflow -syslog -sysctl -task-scheduler -time-zone -updates -watchdog -``` - -```{toctree} -:includehidden: true -:maxdepth: 1 - -default-route -``` diff --git a/docs/configuration/system/md-ip.md b/docs/configuration/system/md-ip.md deleted file mode 100644 index 717ee57d..00000000 --- a/docs/configuration/system/md-ip.md +++ /dev/null @@ -1,126 +0,0 @@ -# IP - -## System configuration commands - -```{cfgcmd} set system ip disable-forwarding - -Use this command to disable IPv4 forwarding on all interfaces. -``` - -```{cfgcmd} set system ip disable-directed-broadcast - -Use this command to disable IPv4 directed broadcast forwarding on all -interfaces. - -If set, IPv4 directed broadcast forwarding will be completely disabled -regardless of whether per-interface directed broadcast forwarding is -enabled or not. -``` - -```{cfgcmd} set system ip arp table-size \<number\> - -Use this command to define the maximum number of entries to keep in -the ARP cache (1024, 2048, 4096, 8192, 16384, 32768). -``` - -```{cfgcmd} set system ip multipath layer4-hashing - -Use this command to use Layer 4 information for IPv4 ECMP hashing. -``` - -```{cfgcmd} set system ip import-table \<table-id\> - -Use this command to immport the table, by given table id, into the main RIB. -``` - -```{cfgcmd} set system ip import-table \<table-id\> distance \<distance\> - -Use this command to override the default distance when importing routers -from the alternate table. -``` - -```{cfgcmd} set system ip import-table \<table-id\> route-map \<route-map\> - -Use this command to filter routes that are imported into the main table -from alternate table using route-map. -``` - - -### Zebra/Kernel route filtering - -Zebra supports prefix-lists and Route Maps to match routes received from -other FRR components. The permit/deny facilities provided by these commands -can be used to filter which routes zebra will install in the kernel. - -```{cfgcmd} set system ip protocol \<protocol\> route-map \<route-map\> - -Apply a route-map filter to routes for the specified protocol. The following -protocols can be used: any, babel, bgp, eigrp, isis, ospf, rip, static - -:::{note} -If you choose any as the option that will cause all protocols that -are sending routes to zebra. -::: -``` - - -### Nexthop Tracking - -Nexthop tracking resolve nexthops via the default route by default. This is enabled -by default for a traditional profile of FRR which we use. It and can be disabled if -you do not want to e.g. allow BGP to peer across the default route. - -```{cfgcmd} set system ip nht no-resolve-via-default - -Do not allow IPv4 nexthop tracking to resolve via the default route. This -parameter is configured per-VRF, so the command is also available in the VRF -subnode. -``` - - -## Operational commands - -### show commands - -See below the different parameters available for the IPv4 **show** command: - -```none -vyos@vyos:~$ show ip -Possible completions: - access-list Show all IP access-lists - as-path-access-list - Show all as-path-access-lists - bgp Show Border Gateway Protocol (BGP) information - community-list - Show IP community-lists - extcommunity-list - Show extended IP community-lists - forwarding Show IP forwarding status - groups Show IP multicast group membership - igmp Show IGMP (Internet Group Management Protocol) information - large-community-list - Show IP large-community-lists - multicast Show IP multicast - ospf Show IPv4 Open Shortest Path First (OSPF) routing information - pim Show PIM (Protocol Independent Multicast) information - ports Show IP ports in use by various system services - prefix-list Show all IP prefix-lists - protocol Show IP route-maps per protocol - rip Show Routing Information Protocol (RIP) information - route Show IP routes -``` - - -### reset commands - -And the different IPv4 **reset** commands available: - -```none -vyos@vyos:~$ reset ip -Possible completions: - arp Reset Address Resolution Protocol (ARP) cache - bgp Clear Border Gateway Protocol (BGP) statistics or status - igmp IGMP clear commands - multicast IP multicast routing table - route Reset IP route -``` diff --git a/docs/configuration/system/md-ipv6.md b/docs/configuration/system/md-ipv6.md deleted file mode 100644 index ee0a6ade..00000000 --- a/docs/configuration/system/md-ipv6.md +++ /dev/null @@ -1,193 +0,0 @@ -# IPv6 - -## System configuration commands - -```{cfgcmd} set system ipv6 disable-forwarding - - Use this command to disable IPv6 forwarding on all interfaces. -``` - - -```{cfgcmd} set system ipv6 neighbor table-size \<number\> - -Use this command to define the maximum number of entries to keep in -the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768). -``` - - -```{cfgcmd} set system ipv6 strict-dad - -Use this command to disable IPv6 operation on interface when -Duplicate Address Detection fails on Link-Local address. -``` - - -```{cfgcmd} set system ipv6 multipath layer4-hashing - -Use this command to user Layer 4 information for ECMP hashing. -``` - -### Zebra/Kernel route filtering - - -Zebra supports prefix-lists and Route Maps to match routes received from -other FRR components. The permit/deny facilities provided by these commands -can be used to filter which routes zebra will install in the kernel. - -```{cfgcmd} set system ipv6 protocol \<protocol\> route-map \<route-map\> - -Apply a route-map filter to routes for the specified protocol. The following -protocols can be used: any, babel, bgp, isis, ospfv3, ripng, static - -:::{note} -If you choose any as the option that will cause all protocols that -are sending routes to zebra. -::: -``` - -### Nexthop Tracking - - -Nexthop tracking resolve nexthops via the default route by default. This is enabled -by default for a traditional profile of FRR which we use. It and can be disabled if -you do not want to e.g. allow BGP to peer across the default route. - -```{cfgcmd} set system ipv6 nht no-resolve-via-default - -Do not allow IPv6 nexthop tracking to resolve via the default route. This -parameter is configured per-VRF, so the command is also available in the VRF -subnode. -``` - -## Operational commands - - -### Show commands - -```{opcmd} show ipv6 neighbors - -Use this command to show IPv6 Neighbor Discovery Protocol information. -``` - - -```{opcmd} show ipv6 groups - -Use this command to show IPv6 multicast group membership. -``` - - -```{opcmd} show ipv6 forwarding - -Use this command to show IPv6 forwarding status. -``` - - -```{opcmd} show ipv6 route - -Use this command to show IPv6 routes. - -Check the many parameters available for the show ipv6 route command: - -:::{code-block} none -vyos@vyos:~$ show ipv6 route -Possible completions: - <Enter> Execute the current command - <X:X::X:X> Show IPv6 routes of given address or prefix - <X:X::X:X/M> - bgp Show IPv6 BGP routes - cache Show kernel IPv6 route cache - connected Show IPv6 connected routes - forward Show kernel IPv6 route table - isis Show IPv6 ISIS routes - kernel Show IPv6 kernel routes - ospfv3 Show IPv6 OSPF6 routes - ripng Show IPv6 RIPNG routes - static Show IPv6 static routes - summary Show IPv6 routes summary - table Show IP routes in policy table - tag Show only routes with tag - vrf Show IPv6 routes in VRF -::: -``` -```{opcmd} show ipv6 prefix-list - - Use this command to show all IPv6 prefix lists - - There are different parameters for getting prefix-list information: - - :::{code-block} none - vyos@vyos:~$ show ipv6 prefix-list - Possible completions: - <Enter> Execute the current command - <WORD> Show specified IPv6 prefix-list - detail Show detail of IPv6 prefix-lists - summary Show summary of IPv6 prefix-lists - ::: -``` - - -```{opcmd} show ipv6 access-list - -Use this command to show all IPv6 access lists - -You can also specify which IPv6 access-list should be shown: - -:::{code-block} none -vyos@vyos:~$ show ipv6 access-list -Possible completions: - <Enter> Execute the current command - <text> Show specified IPv6 access-list -::: -``` -```{opcmd} show ipv6 ospfv3 - - Use this command to get information about OSPFv3. - - You can get more specific OSPFv3 information by using the parameters - shown below: - - :::{code-block} none - vyos@vyos:~$ show ipv6 ospfv3 - Possible completions: - <Enter> Execute the current command - area Show OSPFv3 spf-tree information - border-routers - Show OSPFv3 border-router (ABR and ASBR) information - database Show OSPFv3 Link state database information - interface Show OSPFv3 interface information - linkstate Show OSPFv3 linkstate routing information - neighbor Show OSPFv3 neighbor information - redistribute Show OSPFv3 redistribute External information - route Show OSPFv3 routing table information - ::: -``` - - -```{opcmd} show ipv6 ripng - -Use this command to get information about the RIPNG protocol -``` - - -```{opcmd} show ipv6 ripng status - -Use this command to show the status of the RIPNG protocol -``` - -### Reset commands - -```{opcmd} reset bgp ipv6 \<address\> - -Use this command to clear Border Gateway Protocol statistics or -status. -``` -```{opcmd} reset ipv6 neighbors \<address | interface\> - -Use this command to reset IPv6 Neighbor Discovery Protocol cache for -an address or interface. -``` -```{opcmd} reset ipv6 route cache - -Use this command to flush the kernel IPv6 route cache. -An address can be added to flush it only for that route. -```
\ No newline at end of file diff --git a/docs/configuration/system/md-lcd.md b/docs/configuration/system/md-lcd.md deleted file mode 100644 index c857ae34..00000000 --- a/docs/configuration/system/md-lcd.md +++ /dev/null @@ -1,46 +0,0 @@ -(system-display)= - -# System Display (LCD) - -The system LCD {abbr}`LCD (Liquid-crystal display)` option is for users running -VyOS on hardware that features an LCD display. This is typically a small display -built in an 19 inch rack-mountable appliance. Those displays are used to show -runtime data. - -To configure your LCD display you must first identify the used hardware, and -connectivity of the display to your system. This can be any serial port -(`ttySxx`) or serial via USB or even old parallel port interfaces. - -## Configuration - -```{eval-rst} -.. cfgcmd:: set system lcd device <device> - - This is the name of the physical interface used to connect to your LCD - display. Tab completion is supported and it will list you all available - serial interface. - - For serial via USB port information please refor to: {ref}`hardware_usb`. -``` - -```{eval-rst} -.. cfgcmd:: set system lcd model <model> - - This is the LCD model used in your system. - - At the time of this writing the following displays are supported: - - * Crystalfontz CFA-533 - - * Crystalfontz CFA-631 - - * Crystalfontz CFA-633 - - * Crystalfontz CFA-635 - - .. note:: We can't support all displays from the beginning. If your display - type is missing, please create a feature request via Phabricator_. -``` - -```{include} /_include/common-references.txt -``` diff --git a/docs/configuration/system/md-login.md b/docs/configuration/system/md-login.md deleted file mode 100644 index 288d30a8..00000000 --- a/docs/configuration/system/md-login.md +++ /dev/null @@ -1,604 +0,0 @@ ---- -lastproofread: '2026-01-12' ---- - -(user-management)= - -# Login/user management - -The default VyOS user account (`vyos`), as well as newly created user accounts, -possess full system configuration privileges. These accounts are granted sudo -privileges, allowing them to execute commands as the root user. - -VyOS supports both local authentication and remote authentication via -{abbr}`RADIUS (Remote Authentication Dial-In User Service)`/ {abbr}`TACACS+ -(Terminal Access Controller Access-Control System)`. - -## Local authentication - -```{cfgcmd} set system login user \<name\> full-name "\<string\>" - -**Configure the real name or description for a system user.** - -If the description includes spaces, enclose ``<string>`` in double quotes. - -If the user ``<name>`` already exists, the command updates the current -description. If not, it creates a new user with the specified description. -``` - -```{cfgcmd} set system login user \<name\> authentication plaintext-password \<password\> - -**Configure a password for a system user.** - -Enter the password in plaintext. Upon ``commit``, VyOS hashes the password for -secure storage and removes the plaintext value. - -If the user ``<name>`` already exists, the command updates the current password. -If not, it creates a new user with the specified plaintext password. -``` - -```{cfgcmd} set system login user \<name\> authentication encrypted-password \<password\> - -**Configure a pre-encrypted password for a system user.** - -Enter the password in its hashed format. Upon ``commit``, VyOS stores this value -directly without modification. - -If the user ``<name>`` already exists, the command updates the current password. -If not, it creates a new user with the specified pre-encrypted password. -``` - -```{cfgcmd} set system login user \<name\> authentication principal \<principal\> - -**Configure an SSH certificate principal for a system user.** - -Enter the principal (a string included in the user's signed SSH certificate). -Upon ``commit``, VyOS stores this mapping, allowing the user to log in if the -certificate they present contains this principal. - -If the user ``<name>`` already exists, the command updates the principal. If not, -it creates a new user linked to the specified principal. - -**If not configured**, the principal defaults to ``<name>``. -``` - -```{cfgcmd} set system login user \<name\> disable - -**Disable a system user account.** - -VyOS locks the account, preventing the user from logging in. -``` - -(ssh_key_based_authentication)= - -## Key-based authentication - -Key-based authentication is the recommended method for securing SSH access in -VyOS. It uses a **public/private key pair** to verify user identity without -requiring a password. To authorize access, you assign **SSH public keys** to -user accounts on the router, while SSH private keys remain on local devices. -VyOS allows assigning multiple SSH public keys to a single user account, which -is useful for accessing a router from different devices. - -### Generate the key pair - -Generate an SSH key pair on your **local machine** using the `ssh-keygen` -command. This creates two files: -- **Private key** (e.g., `id_rsa`): Remains on your local machine and must - never be shared. -- **Public key** (e.g., `id_rsa.pub`): Is used to configure the VyOS user - account. By default, it is saved to `~/.ssh/id_rsa.pub`. - -Each SSH public key consists of three parts, separated by spaces: -- **Encryption algorithm type:** `ssh-rsa`, `ssh-ed25519`, etc. -- **Key:** The actual data (a long string beginning with `AAAA...`). -- **Comment:** An identifier for your reference (e.g., `user@host`). - -Only the encryption algorithm type and key parts are required to -configure the authorization entry in VyOS. The comment part is optional. - -:::{seealso} -{ref}`SSH operation <ssh_operation>` -::: - -:::{warning} -SSH key strings are long. When copying and pasting, ensure your -terminal does not insert line breaks. The key must be entered as a **single -line** to function correctly. -::: - -### Configure the router - -To configure SSH public key authentication for a user account, run the -following two commands using the same `<identifier>`: - -```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> key \<key\> - -**Configure the SSH public key for the user account.** -* ``<identifier>``: A unique label that identifies this specific key entry. -* ``<key>``: The actual string of characters from your public key. -``` - -```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> type \<type\> - -**Configure the SSH key's encryption type.** - -The following encryption algorithm types are available: - -* ``ecdsa-sha2-nistp256`` -* ``ecdsa-sha2-nistp384`` -* ``ecdsa-sha2-nistp521`` -* ``ssh-dss`` -* ``ssh-ed25519`` -* ``ssh-rsa`` - -:::{note} -To assign multiple SSH public keys to a user account, repeat the -commands above with a unique identifier for each key. -::: -``` - -```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> options \<options\> - -**Configure specific restrictions or behaviors for an SSH public key.** - -``<options>``: A string of comma-separated values that define permissions -or restrictions for this key. - -The command accepts standard OpenSSH options listed in the router's -``~/.ssh/authorized_keys`` file. - -To include a ``"`` character in the options string, use ``"``. - -For example, to restrict allowed source IP addresses for an SSH public key, -use: ``from="10.0.0.0/24"``. -``` - - -## OTP-based MFA - -VyOS lets you enhance user access security by enabling {abbr}`OTP (One-time -password)`-based {abbr}`MFA (Multi-factor Authentication)` for individual -users. Users with {abbr}`OTP (One-time password)`-based {abbr}`MFA -(Multi-factor Authentication)` must enter a valid {abbr}`OTP (One-time -password)` along with their password at login. Users without {abbr}`OTP -(One-time password)`-based {abbr}`MFA (Multi-factor Authentication)` use -standard authentication. - -```{cfgcmd} set system login user \<username\> authentication otp key \<key\> - -**Configure** {abbr}`OTP (One-time password)`**-based** {abbr}`MFA -(Multi-factor Authentication)` **for a user.** - -``<key>``: A Base32-encoded secret key. This key must be added to the user's -authenticator app to generate valid {abbr}`OTPs (One-time passwords)`. - -**When configured**, the user is required to enter their password followed by -a valid OTP for all subsequent logins. -``` - - -### OTP settings - -```{cfgcmd} set system login user \<username\> authentication otp rate-limit \<limit\> - -**Configure the number of** {abbr}`OTP (One-time password)` **authentication -attempts allowed within a specified time period.** - -If this limit is exceeded, the user is temporarily blocked. - -The default value is 3 attempts. The valid range is 1 to 10 attempts. -``` - -```{cfgcmd} set system login user \<username\> authentication otp rate-time \<seconds\> - -**Configure the time period, in seconds, for tracking** {abbr}`OTP (One-time -password)` **authentication attempts.** - -The default value is 30 seconds. The valid range is 1 to 600 seconds. -``` - -```{cfgcmd} set system login user \<username\> authentication otp window-size \<size\> - -**Configure the** {abbr}`OTP (One-time password)` **window size for a user.** - -The {abbr}`OTP (One-time password)` window size defines the number of -concurrently valid {abbr}`OTPs (One-time passwords)` that the authentication -server accepts. This setting assumes a new token is generated every 30 seconds. - -The default value is 3. This permits 3 concurrent codes: the code for the -current 30-second interval, the preceding code, and the following code. This -allows up to 30 seconds of time skew between the authentication server and -client. - -If the window size is increased to 17, the system permits 17 concurrent codes -(the current code, the 8 preceding codes, and the 8 following codes). This -allows for a time skew of up to 4 minutes. - -The valid range is 1 to 21. -``` - - -### Generate an OTP-key - -Use the following command to generate an OTP key: - -```{cfgcmd} generate system login username \<username\> otp-key hotp-time rate-limit \<1-10\> rate-time \<15-600\> window-size \<1-21\> -``` - -Key generation example: - -```none -vyos@vyos:~$ generate system login username otptester otp-key hotp-time rate-limit 2 rate-time 20 window-size 5 -# You can share it with the user, he just needs to scan the QR in his OTP app -# username: otptester -# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY -# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30 -█████████████████████████████████████████████ -█████████████████████████████████████████████ -████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████ -████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████ -████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████ -████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████ -████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████ -████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████ -█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████ -████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████ -████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████ -████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████ -████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████ -████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████ -████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████ -████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████ -████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████ -████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████ -████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████ -████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████ -████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████ -█████████████████████████████████████████████ -█████████████████████████████████████████████ -# To add this OTP key to configuration, run the following commands: -set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY' -set system login user otptester authentication otp rate-limit '2' -set system login user otptester authentication otp rate-time '20' -set system login user otptester authentication otp window-size '5' -``` - -### Display the OTP key for a user - -Use the following command to display the {abbr}`OTP (One-time password)` -key for a user: - -```{cfgcmd} sh system login authentication user \<username\> otp \<full | key-b32 | qrcode | uri\> -``` - -Example: - -```none -vyos@vyos:~$ sh system login authentication user otptester otp full -# You can share the OTP key with the user. They just need to scan the QR in their OTP app. -# username: otptester -# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY -# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30 -█████████████████████████████████████████████ -█████████████████████████████████████████████ -████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████ -████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████ -████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████ -████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████ -████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████ -████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████ -█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████ -████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████ -████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████ -████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████ -████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████ -████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████ -████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████ -████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████ -████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████ -████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████ -████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████ -████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████ -████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████ -█████████████████████████████████████████████ -█████████████████████████████████████████████ -# To add this OTP key to configuration, run the following commands: -set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY' -set system login user otptester authentication otp rate-limit '2' -set system login user otptester authentication otp rate-time '20' -set system login user otptester authentication otp window-size '5' -``` - -Once {abbr}`OTP (One-time password)`-based {abbr}`MFA (Multi-factor -Authentication)` is configured for a user account, this user must enter their -standard password followed by the current 6-digit OTP code at login. For -example, if the user's password is `vyosrocks` and the OTP is `817454`, they -should enter `vyosrocks817454`. - -## RADIUS authentication - -For large-scale deployments, managing individual user accounts across multiple -VyOS instances is inefficient. VyOS supports centralized authentication via -{abbr}`RADIUS (Remote Authentication Dial-In User Service)`, consolidating user -account management on a single backend server. - -### Configuration - -```{cfgcmd} set system login radius server \<address\> key \<secret\> - -**Configure the** {abbr}`RADIUS (Remote Authentication Dial-In User Service)` -**server's IP address and shared secret.** - -The shared secret is used to verify the router's identity and to encrypt user -passwords during authentication. - -You can configure multiple {abbr}`RADIUS (Remote Authentication Dial-In User -Service)` servers. -``` - -```{cfgcmd} set system login radius server \<address\> port \<port\> - -**Configure the UDP port for communication with the** {abbr}`RADIUS (Remote -Authentication Dial-In User Service)` **server.** - -The default port is 1812. -``` - -```{cfgcmd} set system login radius server \<address\> disable - -**Disable a** {abbr}`RADIUS (Remote Authentication Dial-In User Service)` -**server from the authentication process.** - -Disabling a specific {abbr}`RADIUS (Remote Authentication Dial-In User -Service)` server doesn’t remove its configuration settings (the server’s IP -address and shared secret). -``` - -```{cfgcmd} set system login radius server \<address\> timeout \<timeout\> - -Configure the duration, in seconds, that the VyOS router waits for a -response from the {abbr}`RADIUS (Remote Authentication Dial-In User Service)` -server after sending an authentication request. - -If the server does not respond within this timeframe, the VyOS router tries to -connect to another configured server or falls back to local authentication. -``` - -```{cfgcmd} set system login radius source-address \<address\> - -**Configure the source IP address the router uses for** {abbr}`RADIUS (Remote -Authentication Dial-In User Service)` **authentication requests.** - -A consistent source IP address is recommended as RADIUS servers typically -accept requests only from known, trusted IP addresses. - -If not explicitly defined, the router uses the current egress interface -address, which may change (e.g., due to a link outage), causing authentication -failures. -``` - -```{cfgcmd} set system login radius vrf \<name\> - -**Configure the router to send all** {abbr}`RADIUS (Remote Authentication -Dial-In User Service)` **authentication requests via a specific VRF.** - -By default, {abbr}`RADIUS (Remote Authentication Dial-In User Service)` -authentication requests are sent via the global routing table. -``` - -### Configuration example - -```none -set system login radius server 192.168.0.2 key 'test-vyos' -set system login radius server 192.168.0.2 port '1812' -set system login radius server 192.168.0.2 timeout '5' -set system login radius source-address '192.168.0.1' -``` - -If communication with the {abbr}`RADIUS (Remote Authentication Dial-In User -Service)` server fails, the router falls back to local user authentication. -During this process, users may experience a login delay while the system waits -for the {abbr}`RADIUS (Remote Authentication Dial-In User Service)` request to -time out. This delay depends on the configured timeout value. - -:::{hint} -To grant administrative privileges to {abbr}`RADIUS (Remote -Authentication Dial-In User Service)`-authenticated users, the server must -return the Cisco-AV-Pair attribute set to `shell:priv-lvl=15`. Otherwise, users -receive standard privileges and cannot perform configuration tasks. -::: - -## TACACS+ authentication - -In addition to {abbr}`RADIUS (Remote Authentication Dial-In User Service)`, -VyOS supports {abbr}`TACACS+ (Terminal Access Controller Access Control -System)`, which is commonly used in large enterprise environments. - -Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`, -{abbr}`TACACS+ (Terminal Access Controller Access Control System)` separates -Authentication, Authorization, and Accounting (AAA) into independent processes -and encrypts the entire packet body for enhanced security. - -{abbr}`TACACS+ (Terminal Access Controller Access Control System)` is defined -in {rfc}`8907`. -(tacacs-configuration)= - -### Configuration - -```{cfgcmd} set system login tacacs server \<address\> key \<secret\> - -**Configure the** {abbr}`TACACS+ (Terminal Access Controller Access Control -System)` **server IP address and shared secret.** - -Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`, which -encrypts only passwords, {abbr}`TACACS+ (Terminal Access Controller Access -Control System)` encrypts the entire packet body for enhanced security. - -You can configure multiple {abbr}`TACACS+ (Terminal Access Controller Access -Control System)` servers. -``` - -```{cfgcmd} set system login tacacs server \<address\> port \<port\> - -**Configure the TCP port for communication with the** {abbr}`TACACS+ (Terminal -Access Controller Access Control System)` **server.** - -The default port is 49. -``` - -```{cfgcmd} set system login tacacs server \<address\> disable - -**Disable a** {abbr}`TACACS+ (Terminal Access Controller Access Control -System)` **server from the authentication process.** - -Disabling a specific {abbr}`TACACS+ (Terminal Access Controller Access Control -System)` server doesn’t remove its configuration settings (the server’s IP -address and shared secret). -``` - -```{cfgcmd} set system login tacacs server \<address\> timeout \<timeout\> - -Configure the duration, in seconds, that the VyOS router waits for a -response from the {abbr}`TACACS+ (Terminal Access Controller Access -Control System)` server after sending an authentication request. - -If the server does not respond within this timeframe, the VyOS router tries -to connect to another configured server or falls back to local authentication. -``` - -```{cfgcmd} set system login tacacs source-address \<address\> - -**Configure the source IP address the router uses for** -{abbr}`TACACS+ (Terminal Access Controller Access Control System)` -**authentication requests.** - -A consistent source IP address is recommended as {abbr}`TACACS+ (Terminal -Access Controller Access Control System)` servers typically accept requests -only from known, trusted IP addresses. - -If not explicitly defined, the router uses the current egress interface address, -which may change (e.g., due to a link outage), causing authentication failures. -``` - -```{cfgcmd} set system login tacacs vrf \<name\> - -Configure the router to send all {abbr}`TACACS+ (Terminal Access Controller -Access Control System)` authentication requests via a specific VRF. - -By default, {abbr}`TACACS+ (Terminal Access Controller Access Control System)` -authentication requests are sent via the global routing table. -``` - -(login-tacacs-example)= - -### Configuration example - -```none -set system login tacacs server 192.168.0.2 key 'test-vyos' -set system login tacacs server 192.168.0.2 port '49' -set system login tacacs source-address '192.168.0.1' -``` - -If communication with the {abbr}`TACACS+ (Terminal Access Controller Access -Control System)` server fails, the router falls back to local user -authentication. - -## Login banners - -VyOS allows you to configure **pre-login** and **post-login** banners. -Pre-login banners are typically used for system identification, legal disclaimers, or security warnings -displayed before authentication, while post-login banners provide system -information or operational notices to users after login. - -```{cfgcmd} set system login banner pre-login \<message\> - -Configure a message to be shown to users before the ``username`` and ``password`` -prompts appear. -``` - -```{cfgcmd} set system login banner post-login \<message\> - -Configure a message to be shown to users after successful authentication. -``` -:::{note} -Use `\\n` to insert line breaks in multi-line banner messages. -::: - -## Login session limits - -```{cfgcmd} set system login max-login-session \<number\> - -**Configure the maximum number of concurrent login sessions.** -``` -:::{note} -If you limit concurrent login sessions, you must also configure a -session `<timeout>`. This clears inactive sessions and prevents blocking new -login attempts. -::: -```{cfgcmd} set system login timeout \<timeout\> - -**Configure the login session timeout, in seconds.** - -Idle login sessions are terminated after this period. -``` - -## Configuration examples - -Example 1: Multi-key SSH with MFA and source restrictions - -In this configuration, `User1` and `User2` both use the vyos user account, -each with a unique SSH key. `User1` is restricted to authentication from a -single IP address. - -For both users, password-based logins require {abbr}`OTP (One-time password)` --based {abbr}`MFA (Multi-factor Authentication)`. - -```none -set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" -set system login user vyos authentication public-keys 'User1' type ssh-rsa -set system login user vyos authentication public-keys 'User1' options "from="192.168.0.100"" - -set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" -set system login user vyos authentication public-keys 'User2' type ssh-rsa - -set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2 -set system login user vyos authentication plaintext-password vyos -``` - -Example 2: Containerized {abbr}`TACACS+ (Terminal Access Controller Access Control System)` -deployment with redundancy. - -In this configuration, the VyOS router hosts its own authentication -infrastructure using two containerized {abbr}`TACACS+ (Terminal Access -Controller Access Control System)` servers (`tacacs1` and `tacacs2`) on a -private network for redundancy. - -System logins are authenticated against credentials stored within these internal -containers rather than the router's local user database. - -First, download the image in operational mode: - -```none -add container image lfkeitel/tacacs_plus:latest -``` - -Next, configure the containers in configuration mode: - -```none -set container network tac-test prefix '100.64.0.0/24' - -set container name tacacs1 image 'lfkeitel/tacacs_plus:latest' -set container name tacacs1 network tac-test address '100.64.0.11' - -set container name tacacs2 image 'lfkeitel/tacacs_plus:latest' -set container name tacacs2 network tac-test address '100.64.0.12' - -set system login tacacs server 100.64.0.11 key 'tac_plus_key' -set system login tacacs server 100.64.0.12 key 'tac_plus_key' - -commit -``` - -You can now log in via SSH or console using `admin/admin` credentials supplied -by the container image. diff --git a/docs/configuration/system/md-name-server.md b/docs/configuration/system/md-name-server.md deleted file mode 100644 index 9090ba5f..00000000 --- a/docs/configuration/system/md-name-server.md +++ /dev/null @@ -1,65 +0,0 @@ -(system-dns)= - -# System DNS - -:::{warning} -If you are configuring a VRF for management purposes, there is -currently no way to force system DNS traffic via a specific VRF. -::: - -This section describes configuring DNS on the system, namely: - -> - DNS name servers -> - Domain search order - -## DNS name servers - -```{cfgcmd} set system name-server \<address\> - -Use this command to specify a DNS server for the system to be used -for DNS lookups. More than one DNS server can be added, configuring -one at a time. Both IPv4 and IPv6 addresses are supported. -``` - - -### Example - -In this example, some *OpenNIC* servers are used, two IPv4 addresses -and two IPv6 addresses: - -```none -set system name-server 176.9.37.132 -set system name-server 195.10.195.195 -set system name-server 2a01:4f8:161:3441::1 -set system name-server 2a00:f826:8:2::195 -``` - - -## Domain search order - -In order for the system to use and complete unqualified host names, a -list can be defined which will be used for domain searches. - -```{cfgcmd} set system domain-search \<domain\> - -Use this command to define domains, one at a time, so that the system -uses them to complete unqualified host names. Maximum: 6 entries. -``` - -:::{note} -Domain names can include letters, numbers, hyphens and periods -with a maximum length of 253 characters. -::: - -(name-server-domain-search-order-example)= - -### Example - -The system is configured to attempt domain completion in the following -order: vyos.io (first), vyos.net (second) and vyos.network (last): - -```none -set system domain-search vyos.io -set system domain-search vyos.net -set system domain-search vyos.network -``` diff --git a/docs/configuration/system/md-option.md b/docs/configuration/system/md-option.md deleted file mode 100644 index c7a6ccf2..00000000 --- a/docs/configuration/system/md-option.md +++ /dev/null @@ -1,190 +0,0 @@ -(system-option)= - -# Option - -This chapter describe the possibilities of advanced system behavior. - -## General - -```{cfgcmd} set system option ctrl-alt-delete \<ignore | reboot | poweroff\> - -Action which will be run once the ctrl-alt-del keystroke is received. -``` - -```{cfgcmd} set system option reboot-on-panic - -Automatically reboot system on kernel panic after 60 seconds. -``` - -```{cfgcmd} set system option reboot-on-upgrade-failure \<timeout\> - -Automatically reboot after `timeout` minutes into the previous running -image, that was used to perform the image upgrade. - -Reboot `timeout` is configurable in minutes. This gives the user the change -to log into the system and perform some analysis before automatic rebooting. - -Automatic reboot can be cancelled after login using: {opcmd}`reboot cancel` -``` - -```{cfgcmd} set system option startup-beep - -Play an audible beep to the system speaker when system is ready. -``` - -```{cfgcmd} set system option root-partition-auto-resize - -Enables the root partition auto-extension and resizes to the maximum -available space on system boot. -``` - - -### Kernel - -```{cfgcmd} set system option kernel disable-mitigations - -Disable all optional CPU mitigations. This improves system performance, -but it may also expose users to several CPU vulnerabilities. - -This will add the following option to the Kernel commandline: -* ``mitigations=off`` - -:::{note} -Setting will only become active with the next reboot! -::: -``` - -```{cfgcmd} set system option kernel disable-power-saving - -This will add the following two options to the Kernel commandline: -* ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle -* ``processor.max_cstate=1`` Limit processor to maximum C-state 1 - -:::{note} -Setting will only become active with the next reboot! -::: -``` - -```{cfgcmd} set system option kernel amd-pstate-driver \<mode\> - -Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs. - -The available modes are: -* ``active`` This is the low-level firmware control mode based on the profile -set and the system governor has no effect. -* ``passive`` The driver allows the system governor to manage CPU frequency -while providing available performance states. -* ``guided`` The driver allows to set desired performance levels and the firmware -selects a performance level in this range and fitting to the current workload. - -This will add the following two options to the Kernel commandline: -* ``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale -* ``amd_pstate={mode}`` Sets the p-state mode - -:::{note} -Setting will only become active with the next reboot! -::: - -:::{seealso} -<https://docs.kernel.org/admin-guide/pm/amd-pstate.html> -::: -``` - -```{cfgcmd} set system option kernel quiet - -Suppress most kernel messages during boot. This is useful for systems with -embedded serial console interfaces to speed up the boot process. -``` - - -## HTTP client - -```{cfgcmd} set system option http-client source-address \<address\> - -Several commands utilize cURL to initiate transfers. Configure the local -source IPv4/IPv6 address used for all cURL operations. -``` - -```{cfgcmd} set system option http-client source-interface \<interface\> - -Several commands utilize curl to initiate transfers. Configure the local -source interface used for all CURL operations. -``` - -:::{note} -`source-address` and `source-interface` can not be used at the same -time. -::: - -## SSH client - -```{cfgcmd} set system option ssh-client source-address \<address\> - -Use the specified address on the local machine as the source address of the -connection. Only useful on systems with more than one address. -``` - -```{cfgcmd} set system option ssh-client source-interface \<interface\> - -Use the address of the specified interface on the local machine as the -source address of the connection. -``` - - -## Keyboard Layout - -When starting a VyOS live system (the installation CD) the configured keyboard -layout defaults to US. As this might not suite everyone's use case you can adjust -the used keyboard layout on the system console. - -```{cfgcmd} set system option keyboard-layout \<us | fr | de | fi | no | dk\> - -Change system keyboard layout to given language. - -Defaults to ``us``. - -:::{note} -Changing the keymap only has an effect on the system console, using -SSH or Serial remote access to the device is not affected as the keyboard -layout here corresponds to your access system. -::: -``` - -(system-options-performance)= - -## Performance - -As more and more routers run on Hypervisors, expecially with a {abbr}`NOS -(Network Operating System)` as VyOS, it makes fewer and fewer sense to use -static resource bindings like `smp-affinity` as present in VyOS 1.2 and -earlier to pin certain interrupt handlers to specific CPUs. - -We now utilize `tuned` for dynamic resource balancing based on profiles. - -:::{seealso} -<https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf> -::: - -```{cfgcmd} set system option performance \< throughput | latency \> - -Configure one of the predefined system performance profiles. - -* ``throughput``: A server profile focused on improving network throughput. - This profile favors performance over power savings by setting - ``intel_pstate`` and ``max_perf_pct=100`` and increasing kernel network - buffer sizes. - - It enables transparent huge pages, and uses cpupower to set the performance - cpufreq governor. It also sets ``kernel.sched_min_granularity_ns`` to 10 us, - ``kernel.sched_wakeup_granularity_ns`` to 15 uss, and ``vm.dirty_ratio`` to - 40%. - -* ``latency``: A server profile focused on lowering network latency. - This profile favors performance over power savings by setting - ``intel_pstate`` and ``min_perf_pct=100``. - - It disables transparent huge pages, and automatic NUMA balancing. It also - uses cpupower to set the performance cpufreq governor, and requests a - cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to - 50 us, and tcp_fastopen to 3. -```
\ No newline at end of file diff --git a/docs/configuration/system/md-proxy.md b/docs/configuration/system/md-proxy.md deleted file mode 100644 index 286e835f..00000000 --- a/docs/configuration/system/md-proxy.md +++ /dev/null @@ -1,27 +0,0 @@ -(system-proxy)= - -# System Proxy - -Some IT environments require the use of a proxy to connect to the Internet. -Without this configuration VyOS updates could not be installed directly by -using the {opcmd}`add system image` command ({ref}`update_vyos`). - -```{cfgcmd} set system proxy url \<url\> - -Set proxy for all connections initiated by VyOS, including HTTP, HTTPS, and -FTP (anonymous ftp). -``` -```{cfgcmd} set system proxy port \<port\> - -Configure proxy port if it does not listen to the default port 80. -``` -```{cfgcmd} set system proxy username \<username\> - -Some proxys require/support the "basic" HTTP authentication scheme as per -{rfc}`7617`, thus a username can be configured. -``` -```{cfgcmd} set system proxy password \<password\> - -Some proxys require/support the "basic" HTTP authentication scheme as per -{rfc}`7617`, thus a password can be configured. -```
\ No newline at end of file diff --git a/docs/configuration/system/md-sflow.md b/docs/configuration/system/md-sflow.md deleted file mode 100644 index 350bbdd8..00000000 --- a/docs/configuration/system/md-sflow.md +++ /dev/null @@ -1,66 +0,0 @@ -# sFlow - -VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector. - -sFlow is a technology that enables monitoring of network traffic by sending sampled packets to a collector device. - -The sFlow accounting based on hsflowd <https://sflow.net/> - -## Configuration - -```{cfgcmd} set system sflow agent-address \<address\> - -Configure sFlow agent IPv4 or IPv6 address -``` -```{cfgcmd} set system sflow agent-interface \<interface\> - -Configure agent IP address associated with this interface. -``` -```{cfgcmd} set system sflow drop-monitor-limit \<limit\> - - Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets -``` - - -```{cfgcmd} set system sflow interface \<interface\> - -Configure and enable collection of flow information for the interface identified by \<interface\>. - -You can configure multiple interfaces which would participate in sflow accounting. -``` -```{cfgcmd} set system sflow polling \<sec\> - - Configure schedule counter-polling in seconds (default: 30) -``` - - -```{cfgcmd} set system sflow sampling-rate \<rate\> - -Use this command to configure the sampling rate for sFlow accounting (default: 1000) -``` - - -```{cfgcmd} set system sflow server \<address\> port \<port\> - -Configure address of sFlow collector. sFlow server at \<address\> can be both listening on an IPv4 or IPv6 address. -``` - - -```{cfgcmd} set system sflow enable-egress - -Use this command to if you need to sample also egress traffic -``` - -## Example - -```none -set system sflow agent-address '192.0.2.14' -set system sflow agent-interface 'eth0' -set system sflow drop-monitor-limit '50' -set system sflow interface 'eth0' -set system sflow interface 'eth1' -set system sflow polling '30' -set system sflow sampling-rate '1000' -set system sflow server 192.0.2.1 port '6343' -set system sflow server 203.0.113.23 port '6343' -``` diff --git a/docs/configuration/system/md-sysctl.md b/docs/configuration/system/md-sysctl.md deleted file mode 100644 index 5476ed28..00000000 --- a/docs/configuration/system/md-sysctl.md +++ /dev/null @@ -1,26 +0,0 @@ -# Sysctl - -<div class="note"> - -<div class="title"> - -Note - -</div> - -This page is a stub and needs expansion. -Contributions welcome via the -VyOS [documentation repository](https://github.com/vyos/vyos-documentation). - -</div> - -This chapeter describes how to configure kernel parameters at runtime. - -`sysctl` is used to modify kernel parameters at runtime. The parameters -available are those listed under /proc/sys/. - -<div class="cfgcmd"> - -set system sysctl parameter \<parameter\> value \<value\> - -</div> diff --git a/docs/configuration/system/md-syslog.md b/docs/configuration/system/md-syslog.md deleted file mode 100644 index ae30d272..00000000 --- a/docs/configuration/system/md-syslog.md +++ /dev/null @@ -1,450 +0,0 @@ -(syslog)= - -# Syslog - -## Overview - -By default, VyOS provides a minimal logging configuration with local storage -and log rotation. All errors, including local7 messages, are saved to a local -file. Emergency alerts are sent to the console. - -To change these settings, enter configuration mode. - -## Syslog configuration - -Syslog supports logging to multiple destinations: a local file, a console, or -a remote syslog server over UDP or TCP. - -The syslog configuration is organized into the following categories: - -- Global settings -- Local logging -- Console logging -- Remote logging -- TLS-encrypted remote logging - -### Global settings - -Configure the general behavior of the syslog service. - -```{cfgcmd} set system syslog marker interval \<number\> - -**Configure the interval, in seconds, for sending syslog mark messages.** - -Syslog mark messages confirm the logging service is operational. - -Default: 1200 seconds. -``` - -```{cfgcmd} set system syslog marker disable - -Disable sending syslog mark messages. -``` - -```{cfgcmd} set system syslog preserve-fqdn - -**Configure how the logging device's hostname appears in log messages sent -to a remote syslog server.** - -If configured, the device includes its {abbr}`FQDN (Fully Qualified Domain -Name)` in log messages, even if the syslog server is in the same domain. -``` - - -### Local logging - -Configure which log messages to save to a local log file. - -```{cfgcmd} set system syslog local \<filename\> facility \<keyword\> level \<keyword\> - -**Configure syslog to save log messages for a specific facility and -severity level to \`\`/var/log/messages\`\`.** - -Refer to the tables below for valid facility and severity options. -``` - -(syslog-console)= - -### Console logging - -Configure which log messages to send to `/dev/console`. - -```{cfgcmd} set system syslog console facility \<keyword\> level \<keyword\> - -**Configure syslog to send log messages for a specific facility and severity -level to the device's console.** - -Refer to the tables below for valid facility and severity options. -``` - -(syslog-remote)= - -### Remote logging - -Configure **remote logging** to send log messages to a remote syslog server. - -Remote logging does not affect either **local** or **console logging** and -runs in parallel with them. Remote logging supports sending log messages -to multiple hosts. - -```{cfgcmd} set system syslog remote \<address\> facility \<keyword\> level \<keyword\> - -**Configure log transmission to the remote syslog server for a specific -facility and severity level.** - -The server’s address can be specified using either a {abbr}`FQDN (Fully -Qualified Domain Name)` or an IP address. - -Refer to the tables below for valid facility and severity options. -``` - -```{cfgcmd} set system syslog remote \<address\> protocol \<udp | tcp\> - -**Configure the protocol for log transmission.** - -The protocol can be either UDP or TCP. By default, log messages are sent -over UDP. -``` - -```{cfgcmd} set system syslog remote \<address\> port \<port\> - -**Configure the port for log transmission.** - -By default, the standard port 514 is used. -``` - -```{cfgcmd} set system syslog remote \<address\> format include-timezone - -**Configure log transmission in the RFC 5424 format.** - -The RFC 5424 format includes the timezone in the timestamp. For example: - -:::{code-block} none -<34>1 2003-10-11T22:14:15.003-07:00 mymachine.example.com su - ID47 - BOM’su root’ failed for lonvick on /dev/pts/8. -::: - -By default, log messages are sent in the RFC 3164 format. For example: - -:::{code-block} none -<34>Oct 11 22:14:15 mymachine su: ‘su root’ failed for lonvick on /dev/pts/8 -::: -``` - -```{cfgcmd} set system syslog remote \<address\> format octet-counted - -**Enable octet-counted framing for log transmission.** - -When enabled, multi-line log messages are sent without splitting. Ensure -the remote server supports octet-counted framing to avoid parsing errors. - -Octet-counted framing is not available for the UDP protocol. -``` - -```{cfgcmd} set system syslog remote \<address\> vrf \<name\> - -Configure the {abbr}`VRF (Virtual Routing and Forwarding)` instance -for log transmission. -``` - -```{cfgcmd} set system syslog remote \<address\> source-address \<address\> - -Configure the source IP address (IPv4 or IPv6) for log transmission. -``` - - -#### {abbr}`TLS (Transport Layer Security)`-encrypted remote logging - -VyOS supports {abbr}`TLS (Transport Layer Security)`-encrypted remote logging -over TCP to ensure secure transmission of syslog data to remote syslog servers. - -**Prerequisites**: Before configuring {abbr}`TLS (Transport Layer -Security)`-encrypted remote logging, ensure you have: -- A valid remote syslog server address. -- Valid {abbr}`CA (Certificate Authority)` and client certificates uploaded - to the local {abbr}`PKI (Public Key Infrastructure)` storage. -- The **remote syslog transport protocol** is set to **TCP**: - - ```none - set system syslog remote <address> protocol tcp - ``` - -:::{note} -{abbr}`TLS (Transport Layer Security)`-encrypted remote logging is -**not supported** over **UDP**. -::: -```{cfgcmd} set system syslog remote \<address\> tls - -Enable TLS-encrypted remote logging. - -``` - -```{cfgcmd} set system syslog remote \<address\> tls ca-certificate \<ca_name\> - -**Configure the** {abbr}`CA (Certificate Authority)` **certificate.** - -The syslog client uses the {abbr}`CA (Certificate Authority)` certificate to -verify the identity of the remote syslog server. - -The {abbr}`CA (Certificate Authority)` certificate is required for **all** -authentication modes except ``anon``. - -``` - -```{cfgcmd} set system syslog remote \<address\> tls certificate \<cert_name\> - -**Configure the client certificate.** - -The remote syslog server uses the client certificate to verify the identity -of the syslog client. - -The client certificate is required if the remote syslog server enforces -client certificate verification. - -``` - -````{cfgcmd} set system syslog remote \<address\> tls auth-mode \<anon | fingerprint | certvalid | name\> - -**Configure the authentication mode.** - -The authentication mode defines how the syslog client verifies the syslog -server's identity. - -The following authentication modes are available: - -```{eval-rst} -* ``anon`` **(default)**: Allows encrypted connections without verifying the syslog - server's identity. This mode is **not recommended**, as it is vulnerable to - :abbr:`MITM (Man-in-the-Middle)` attacks. -* ``fingerprint``: Verifies the server’s certificate fingerprint against the - value preconfigured with: - - .. code-block:: none - - set system syslog remote <address> tls permitted-peer <peer> - -* ``certvalid``: Verifies the server certificate is signed by a trusted - :abbr:`CA (Certificate Authority)`, skipping :abbr:`CN (Common Name)` check. -* ``name``: Verifies that: - - * The server’s certificate is signed by a trusted :abbr:`CA (Certificate - Authority)`. - * The :abbr:`CN (Common Name)` in the certificate matches the value - preconfigured with: - - .. code-block:: none - - set system syslog remote <address> tls permitted-peer <peer> - - This is a **recommended** secure mode for production environments. -``` - -```` - -```{cfgcmd} set system syslog remote \<address\> tls permitted-peer \<peer\> - -**Configure the peer certificate identifiers.** - -The certificate identifier format depends on the authentication mode: -* ``fingerprint``: Enter the expected certificate fingerprints (SHA-1 or -SHA-256). -* ``name``: Enter the expected certificate {abbr}`CNs (Common Names)`. - -For ``anon`` and ``certvalid`` authentication modes, certificate identifiers -are not required. - -``` - -#### Examples: - -```none -# Example of 'anon' authentication mode -set system syslog remote 10.10.2.3 facility all level debug -set system syslog remote 10.10.2.3 port 6514 -set system syslog remote 10.10.2.3 protocol tcp -set system syslog remote 10.10.2.3 tls auth-mode anon -# or just use 'set system syslog remote 10.10.2.3 tls' - -# Example of 'certvalid' authentication mode -set system syslog remote elk.example.com facility all level debug -set system syslog remote elk.example.com port 6514 -set system syslog remote elk.example.com protocol tcp -set system syslog remote elk.example.com tls ca-certificate my-ca -set system syslog remote elk.example.com tls auth-mode certvalid - -# Example of 'fingerprint' authentication mode -set system syslog remote syslog.example.com facility all level debug -set system syslog remote syslog.example.com port 6514 -set system syslog remote syslog.example.com protocol tcp -set system syslog remote syslog.example.com tls ca-certificate my-ca -set system syslog remote syslog.example.com tls auth-mode fingerprint -set system syslog remote syslog.example.com tls permitted-peers 'SHA1:10:C4:26:...,SHA256:7B:4B:10:...' - -# Example of 'name' authentication mode -set system syslog remote graylog.example.com facility all level debug -set system syslog remote graylog.example.com port 6514 -set system syslog remote graylog.example.com protocol tcp -set system syslog remote graylog.example.com tls ca-certificate my-ca -set system syslog remote graylog.example.com tls certificate syslog-client -set system syslog remote graylog.example.com tls auth-mode name -set system syslog remote graylog.example.com tls permitted-peers 'graylog.example.com' -``` - -#### Security recommendations - -- For secure deployments, always use the `name` authentication mode. It - ensures that the server is validated by a trusted {abbr}`CA (Certificate - Authority)` and that the hostname matches the certificate. -- Use the `anon` authentication mode only in testing environments, as it - doesn't provide server authentication. -- Ensure private keys are generated, stored, and maintained exclusively within - the {doc}`PKI system </configuration/pki/index>`. -(syslog_facilities)= - -## Syslog facilities - -This section lists facilities used by syslog. Most facility names are self- -explanatory. The local0–local7 facilities are used for custom purposes, such as -logging from network nodes and equipment. Facility assignment is flexible and -should be tailored to your company's needs. Consider facilities as categorization -tools, rather than strict directives. - -```{eval-rst} -+----------+----------+----------------------------------------------------+ -| Facility | Keyword | Description | -| code | | | -+==========+==========+====================================================+ -| | all | All facilities | -+----------+----------+----------------------------------------------------+ -| 0 | kern | Kernel messages | -+----------+----------+----------------------------------------------------+ -| 1 | user | User-level messages | -+----------+----------+----------------------------------------------------+ -| 2 | mail | Mail system | -+----------+----------+----------------------------------------------------+ -| 3 | daemon | System daemons | -+----------+----------+----------------------------------------------------+ -| 4 | auth | Security/authentication messages | -+----------+----------+----------------------------------------------------+ -| 5 | syslog | Messages generated internally by syslog | -+----------+----------+----------------------------------------------------+ -| 6 | lpr | Line printer subsystem | -+----------+----------+----------------------------------------------------+ -| 7 | news | Network news subsystem | -+----------+----------+----------------------------------------------------+ -| 8 | uucp | UUCP subsystem | -+----------+----------+----------------------------------------------------+ -| 9 | cron | Clock daemon | -+----------+----------+----------------------------------------------------+ -| 10 | security | Security/authentication messages | -+----------+----------+----------------------------------------------------+ -| 11 | ftp | FTP daemon | -+----------+----------+----------------------------------------------------+ -| 12 | ntp | NTP subsystem | -+----------+----------+----------------------------------------------------+ -| 13 | logaudit | Log audit | -+----------+----------+----------------------------------------------------+ -| 14 | logalert | Log alert | -+----------+----------+----------------------------------------------------+ -| 15 | clock | clock daemon (note 2) | -+----------+----------+----------------------------------------------------+ -| 16 | local0 | local use 0 (local0) | -+----------+----------+----------------------------------------------------+ -| 17 | local1 | local use 1 (local1) | -+----------+----------+----------------------------------------------------+ -| 18 | local2 | local use 2 (local2) | -+----------+----------+----------------------------------------------------+ -| 19 | local3 | local use 3 (local3) | -+----------+----------+----------------------------------------------------+ -| 20 | local4 | local use 4 (local4) | -+----------+----------+----------------------------------------------------+ -| 21 | local5 | local use 5 (local5) | -+----------+----------+----------------------------------------------------+ -| 22 | local6 | local use 6 (local6) | -+----------+----------+----------------------------------------------------+ -| 23 | local7 | local use 7 (local7) | -+----------+----------+----------------------------------------------------+ -``` - -(syslog_severity_level)= - -## Severity levels - -```{eval-rst} -+-------+---------------+---------+-------------------------------------------+ -| Value | Severity | Keyword | Description | -+=======+===============+=========+===========================================+ -| | | all | Log everything. | -+-------+---------------+---------+-------------------------------------------+ -| 0 | Emergency | emerg | System is unusable - a panic condition. | -+-------+---------------+---------+-------------------------------------------+ -| 1 | Alert | alert | Action must be taken immediately - A | -| | | | condition that should be corrected | -| | | | immediately, such as a corrupted system | -| | | | database. | -+-------+---------------+---------+-------------------------------------------+ -| 2 | Critical | crit | Critical conditions - e.g., hard drive | -| | | | errors. | -+-------+---------------+---------+-------------------------------------------+ -| 3 | Error | err | Error conditions. | -+-------+---------------+---------+-------------------------------------------+ -| 4 | Warning | warning | Warning conditions. | -+-------+---------------+---------+-------------------------------------------+ -| 5 | Notice | notice | Normal but significant conditions - | -| | | | conditions that are not error conditions, | -| | | | but that may require special handling. | -+-------+---------------+---------+-------------------------------------------+ -| 6 | Informational | info | Informational messages. | -+-------+---------------+---------+-------------------------------------------+ -| 7 | Debug | debug | Debug-level messages - Messages that | -| | | | contain information normally of use only | -| | | | when debugging a program. | -+-------+---------------+---------+-------------------------------------------+ -``` - -## Display logs - -```{opcmd} show log [all | authorization | cluster | conntrack-sync | ...] - -**Display logs for a specific category on the console.** - -Use tab completion to view a list of available categories. - -If no category is specified, all logs are shown. - -``` - -````{opcmd} show log image \<name\> [all | authorization | directory | file \<file name\> | tail \<lines\>] - -**Display logs for a specific image on the console.** - -Available log categories: - -```{eval-rst} -.. list-table:: - :widths: 25 75 - :header-rows: 0 - - * - all - - Displays the contents of system log files of the specified image. - * - authorization - - Displays authorization attempts of the specified image. - * - directory - - Displays user-defined log files of the specified image. - * - file <file name> - - Displays the contents of a specified user-defined log file of the specified - image. - * - tail - - Displays last lines of the system log of the specified image. - * - <lines> - - Number of lines to be displayed, default 10. -``` - -```` - -If no category is specified, the contents of the main syslog file are -displayed. - -:::{hint} -Use `show log | strip-private` to hide private data -when displaying your logs. -::: diff --git a/docs/configuration/system/md-task-scheduler.md b/docs/configuration/system/md-task-scheduler.md deleted file mode 100644 index 94ca9f4d..00000000 --- a/docs/configuration/system/md-task-scheduler.md +++ /dev/null @@ -1,45 +0,0 @@ -(task-scheduler)= - -# Task Scheduler - -The task scheduler allows you to execute tasks on a given schedule. It makes -use of UNIX [cron]. - -:::{note} -All scripts executed this way are executed as root user - this may -be dangerous. Together with {ref}`command-scripting` this can be used for -automating (re-)configuration. -::: - -```{cfgcmd} set system task-scheduler task \<task\> interval \<interval\> - -Specify the time interval when `<task>` should be executed. The interval -is specified as number with one of the following suffixes: -* ``none`` - Execution interval in minutes -* ``m`` - Execution interval in minutes -* ``h`` - Execution interval in hours -* ``d`` - Execution interval in days - -:::{note} -If suffix is omitted, minutes are implied. -::: -``` - -```{cfgcmd} set system task-scheduler task \<task\> crontab-spec \<spec\> - -Set execution time in common cron time format. A cron `<spec>` of -``30 */6 * * *`` would execute the `<task>` at minute 30 past every 6th hour. -``` - -```{cfgcmd} set system task-scheduler task \<task\> executable path \<path\> - -Specify absolute `<path>` to script which will be run when `<task>` is -executed. -``` - -```{cfgcmd} set system task-scheduler task \<task\> executable arguments \<args\> - -Arguments which will be passed to the executable. -``` - -[cron]: https://en.wikipedia.org/wiki/Cron diff --git a/docs/configuration/system/md-time-zone.md b/docs/configuration/system/md-time-zone.md deleted file mode 100644 index 2279a773..00000000 --- a/docs/configuration/system/md-time-zone.md +++ /dev/null @@ -1,17 +0,0 @@ -(timezone)= - -# Time Zone - -Time Zone setting is very important as e.g all your logfile entries will be -based on the configured zone. Without proper time zone configuration it will -be very difficult to compare logfiles from different systems. - -```{cfgcmd} set system time-zone \<timezone\> - -Specify the systems \<timezone\> as the Region/Location that best defines -your location. For example, specifying US/Pacific sets the time zone to US -Pacific time. - -Command completion can be used to list available time zones. The adjustment -for daylight time will take place automatically based on the time of year. -```
\ No newline at end of file diff --git a/docs/configuration/system/md-updates.md b/docs/configuration/system/md-updates.md deleted file mode 100644 index c82d37be..00000000 --- a/docs/configuration/system/md-updates.md +++ /dev/null @@ -1,36 +0,0 @@ -# Updates - -VyOS supports online checking for updates - -## Configuration - -```{cfgcmd} set system update-check auto-check - -Configure auto-checking for new images -``` - -```{cfgcmd} set system update-check url \<url\> - -Configure a URL that contains information about images. -``` - - -## Example - -```none -set system update-check auto-check -set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json' -``` - -Check: - -```none -vyos@r4:~$ show system updates -Current version: 1.5-rolling-202312220023 - -Update available: 1.5-rolling-202312250024 -Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso -vyos@r4:~$ - -vyos@r4:~$ add system image latest -``` diff --git a/docs/configuration/system/md-watchdog.md b/docs/configuration/system/md-watchdog.md deleted file mode 100644 index 700051a6..00000000 --- a/docs/configuration/system/md-watchdog.md +++ /dev/null @@ -1,212 +0,0 @@ -(system-watchdog)= - -# Watchdog - -VyOS supports hardware watchdog timers to automatically reboot the system if -it becomes unresponsive. This is particularly useful for remote or embedded -systems where physical access is limited. - -A watchdog timer is a hardware or software mechanism that automatically resets -the system if the operating system stops responding within a configured timeout -period. The system will periodically notify the watchdog that it is still -running. If the watchdog is not notified within the timeout period, the watchdog -will reset the system. - -## Configuration - -The watchdog feature is configured under the `system watchdog` configuration -tree. The presence of the `system watchdog` node enables the watchdog feature. - -```{cfgcmd} set system watchdog - -Enable watchdog support. - -The watchdog is enabled only when a watchdog device is available as -``/dev/watchdog0``. - -:::{note} -If multiple watchdog devices are present, only the first watchdog -device is supported (VyOS uses ``/dev/watchdog0`` only). -::: -If ``/dev/watchdog0`` does not exist and no module is configured, commit will -fail. If a module is configured but ``/dev/watchdog0`` still cannot be -created, VyOS will emit a warning and will not enable the systemd watchdog. -``` - -```{cfgcmd} set system watchdog module \<module-name\> - -Specify the kernel watchdog driver module to load for ``/dev/watchdog0``. - -The configured module must be a watchdog driver module, not an arbitrary -kernel module. - -**In most cases, this option is not required** as the kernel will -automatically load the appropriate watchdog driver for your system. Use this -option if the kernel fails to load the required driver, or when you want to -use the software watchdog (``softdog``). - -Common modules include: -* ``softdog`` - Software watchdog timer (available on all systems) -* ``iTCO_wdt`` - Intel TCO watchdog timer -* ``sp5100_tco`` - AMD SP5100 TCO watchdog timer -* ``i6300esb`` - Intel 6300ESB watchdog timer -* ``ipmi_watchdog`` - IPMI watchdog timer - -:::{warning} -``softdog`` is not a hardware watchdog. It is implemented using -kernel timers and therefore depends on the Linux kernel continuing to run. -In some fault conditions (for example, a kernel hang), ``softdog`` may not -be able to trigger a reset. - -Prefer a hardware watchdog driver whenever possible, as hardware watchdogs -can operate independently of the operating system. -::: - -If no module is specified, VyOS will use an existing ``/dev/watchdog0`` -device if available. - -:::{note} -If a module is specified but a different driver is actually bound -to ``watchdog0``, VyOS will emit a warning during commit. -::: -Example: - -:::{code-block} none -set system watchdog module softdog -::: -``` - -```{cfgcmd} set system watchdog timeout \<seconds\> -:defaultvalue: - -Set the watchdog timeout for normal runtime operation in seconds. - -Valid range: 1-65535 seconds - -:::{note} -Some watchdog drivers expose minimum and maximum supported runtime -timeouts via sysfs. When available, VyOS validates ``timeout`` against -those driver limits during commit. -::: - -This is the interval during which the system must respond to the watchdog. -If the system does not respond within this time, the watchdog will trigger -a reboot. - -Example: - -:::{code-block} none -set system watchdog timeout 30 -::: -``` - -```{cfgcmd} set system watchdog shutdown-timeout \<seconds\> -:defaultvalue: - -Set the watchdog timeout during system shutdown in seconds. - -Valid range: 60-65535 seconds - -This extended timeout allows the system to complete a graceful shutdown -without triggering the watchdog. - -:::{warning} -Setting this value too low (below 120 seconds) may cause -unclean shutdowns, as the system may not have enough time to properly -stop all services and flush disk buffers. The recommended minimum value -is 120 seconds. -::: -Example: - -:::{code-block} none -set system watchdog shutdown-timeout 180 -::: -``` - -```{cfgcmd} set system watchdog reboot-timeout \<seconds\> -:defaultvalue: - -Set the watchdog timeout during system reboot in seconds. - -Valid range: 60-65535 seconds - -This extended timeout allows the system to complete the reboot process -without triggering the watchdog during the transition. - -:::{warning} -Setting this value too low (below 120 seconds) may cause -unclean reboots, as the system may not have enough time to properly -stop all services before restarting. The recommended minimum value -is 120 seconds. -::: -Example: - -:::{code-block} none -set system watchdog reboot-timeout 180 -::: -``` - - -## Examples - -### Basic Configuration with Software Watchdog - -This example configures a basic software watchdog with default timeouts: - -```none -set system watchdog module softdog -``` - -This will: -- Enable the watchdog feature -- Load the `softdog` kernel module -- Use a 10-second runtime timeout (default) -- Use 120-second shutdown and reboot timeouts (default) - -### Advanced Configuration - -This example shows a more customized configuration suitable for a production -system: - -```none -set system watchdog module iTCO_wdt -set system watchdog timeout 30 -set system watchdog shutdown-timeout 300 -set system watchdog reboot-timeout 300 -``` - -This configuration: - -- Enables the watchdog feature -- Loads the Intel TCO hardware watchdog module -- Sets a 30-second runtime timeout -- Allows 5 minutes for shutdown and reboot operations - -## Best Practices - -- **Start with conservative timeouts**: Use longer timeouts initially and - reduce them as you gain confidence in system stability. -- **Test before deployment**: Verify the watchdog works as expected in a - non-production environment before deploying to production systems. -- **Choose appropriate modules**: Use hardware watchdog modules (like - `iTCO_wdt`) when available, as they are more reliable than software - watchdogs. -- **Consider shutdown time**: Set `shutdown-timeout` and `reboot-timeout` - values high enough to allow for normal shutdown procedures, especially on - systems with many services or slow storage. -- **Monitor watchdog events**: Check system logs after any unexpected reboots - to determine if the watchdog triggered the reboot. -- **Remote systems**: For systems without physical console access, use - conservative timeout values to avoid false-positive reboots during high - load conditions. - -:::{note} -The watchdog configuration takes effect immediately after commit, -but systemd must be reloaded. This happens automatically during commit. -::: - -:::{warning} -Incorrect watchdog configuration on remote systems can result -in unexpected reboots. Always test watchdog settings in a controlled -environment before deploying to production systems. -::: diff --git a/docs/configuration/trafficpolicy/md-index.md b/docs/configuration/trafficpolicy/md-index.md deleted file mode 100644 index 18f133fc..00000000 --- a/docs/configuration/trafficpolicy/md-index.md +++ /dev/null @@ -1,1403 +0,0 @@ -(qos)= - -# Traffic Policy - -## QoS - -The generic name of Quality of Service or Traffic Control involves -things like shaping traffic, scheduling or dropping packets, which -are the kind of things you may want to play with when you have, for -instance, a bandwidth bottleneck in a link and you want to somehow -prioritize some type of traffic over another. - -[tc] is a powerful tool for Traffic Control found at the Linux kernel. -However, its configuration is often considered a cumbersome task. -Fortunately, VyOS eases the job through its CLI, while using `tc` as -backend. - -### How to make it work - -In order to have VyOS Traffic Control working you need to follow 2 -steps: - -> 1. **Create a traffic policy**. -> 2. **Apply the traffic policy to an interface ingress or egress**. - -But before learning to configure your policy, we will warn you -about the different units you can use and also show you what *classes* -are and how they work, as some policies may require you to configure -them. - -### Units - -When configuring your traffic policy, you will have to set data rate -values, watch out the units you are managing, it is easy to get confused -with the different prefixes and suffixes you can use. VyOS will always -show you the different units you can use. - -#### Prefixes - -They can be **decimal** prefixes. - -```none -kbit (10^3) kilobit per second -mbit (10^6) megabit per second -gbit (10^9) gigabit per second -tbit (10^12) terabit per second - -kbps (8*10^3) kilobyte per second -mbps (8*10^6) megabyte per second -gbps (8*10^9) gigabyte per second -tbps (8*10^12) terabyte per second -``` - -Or **binary** prefixes. - -```none -kibit (2^10 = 1024) kibibit per second -mibit (2^20 = 1024^2) mebibit per second -gibit (2^30 = 1024^3) gibibit per second -tbit (2^40 = 1024^4) tebibit per second - -kibps (1024*8) kibibyte (KiB) per second -mibps (1024^2*8) mebibyte (MiB) per second -gibps (1024^3*8) gibibyte (GiB) per second -tibps (1024^4*8) tebibyte (TiB) per second -``` - -#### Suffixes - -A *bit* is written as **bit**, - -```none -kbit (kilobits per second) -mbit (megabits per second) -gbit (gigabits per second) -tbit (terabits per second) -``` - -while a *byte* is written as a single **b**. - -```none -kbps (kilobytes per second) -mbps (megabytes per second) -gbps (gigabytes per second) -``` - -(classes)= - -### Classes - -In the {ref}`creating_a_traffic_policy` section you will see that -some of the policies use *classes*. Those policies let you distribute -traffic into different classes according to different parameters you can -choose. So, a class is just a specific type of traffic you select. - -The ultimate goal of classifying traffic is to give each class a -different treatment. - -#### Matching traffic - -In order to define which traffic goes into which class, you define -filters (that is, the matching criteria). Packets go through these matching -rules (as in the rules of a firewall) and, if a packet matches the filter, it -is assigned to that class. - -In VyOS, a class is identified by a number you can choose when -configuring it. - -:::{note} -The meaning of the Class ID is not the same for every type of -policy. Normally policies just need a meaningless number to identify -a class (Class ID), but that does not apply to every policy. -The number of a class in a Priority Queue it does not only -identify it, it also defines its priority. -::: - - -```none -set qos policy <policy> <policy-name> class <class-ID> match <class-matching-rule-name> -``` - - -In the command above, we set the type of policy we are going to -work with and the name we choose for it; a class (so that we can -differentiate some traffic) and an identifiable number for that class; -then we configure a matching rule (or filter) and a name for it. - -A class can have multiple match filters: - -```none -set qos policy shaper MY-SHAPER class 30 match HTTP -set qos policy shaper MY-SHAPER class 30 match HTTPs -``` - -A match filter can contain multiple criteria and will match traffic if -all those criteria are true. - -For example: - -```none -set qos policy shaper MY-SHAPER class 30 match HTTP ip protocol tcp -set qos policy shaper MY-SHAPER class 30 match HTTP ip source port 80 -``` - -This will match TCP traffic with source port 80. - -There are many parameters you will be able to use in order to match the -traffic you want for a class: - -> - **Ethernet (protocol, destination address or source address)** -> - **Interface name** -> - **IPv4 (DSCP value, maximum packet length, protocol, source address,** -> **destination address, source port, destination port or TCP flags)** -> - **IPv6 (DSCP value, maximum payload length, protocol, source address,** -> **destination address, source port, destination port or TCP flags)** -> - **Firewall mark** -> - **VLAN ID** - -When configuring your filter, you can use the `Tab` key to see the many -different parameters you can configure. - -```none -vyos@vyos# set qos policy shaper MY-SHAPER class 30 match MY-FIRST-FILTER -Possible completions: - description Description - > ether Ethernet header match - interface Interface to use - > ip Match IP protocol header - > ipv6 Match IPV6 protocol header - mark Match on mark applied by firewall - vif Virtual Local Area Network (VLAN) ID for this match -``` - -As shown in the example above, one of the possibilities to match packets -is based on marks done by the firewall, -[that can give you a great deal of flexibility]. - -You can also write a description for a filter: - - -```none -set qos policy shaper MY-SHAPER class 30 match MY-FIRST-FILTER description "My filter description" -``` - - -:::{note} -An IPv4 TCP filter will only match packets with an IPv4 header -length of 20 bytes (which is the majority of IPv4 packets anyway). - -IPv6 TCP filters will only match IPv6 packets with no header -extension, see <https://en.wikipedia.org/wiki/IPv6_packet#Extension_headers> -::: - -#### Traffic Match Group - -In some case where we need to have an organization of our matching selection, -in order to be more flexible and organize with our filter definition. We can -apply traffic match groups, allowing us to create distinct filter groups within -our policy and define various parameters for each group: - -```none -set qos traffic-match-group <group_name> match <match_name> -Possible completions: - description Description - > ip Match IP protocol header - > ipv6 Match IPv6 protocol header - mark Match on mark applied by firewall - vif Virtual Local Area Network (VLAN) ID for this match -``` - -inherit matches from another group - -```none -set qos traffic-match-group <group_name> match-group <match_group_name> -``` - -A match group can contain multiple criteria and inherit them in the same policy. - -For example: - -```none -set qos traffic-match-group Mission-Critical match AF31 ip dscp 'AF31' -set qos traffic-match-group Mission-Critical match AF32 ip dscp 'AF42' -set qos traffic-match-group Mission-Critical match CS3 ip dscp 'CS3' -set qos traffic-match-group Streaming-Video match AF11 ip dscp 'AF11' -set qos traffic-match-group Streaming-Video match AF41 ip dscp 'AF41' -set qos traffic-match-group Streaming-Video match AF43 ip dscp 'AF43' -set qos policy shaper VyOS-HTB class 10 bandwidth '30%' -set qos policy shaper VyOS-HTB class 10 description 'Multimedia' -set qos policy shaper VyOS-HTB class 10 match CS4 ip dscp 'CS4' -set qos policy shaper VyOS-HTB class 10 match-group 'Streaming-Video' -set qos policy shaper VyOS-HTB class 10 priority '1' -set qos policy shaper VyOS-HTB class 10 queue-type 'fair-queue' -set qos policy shaper VyOS-HTB class 20 description 'MC' -set qos policy shaper VyOS-HTB class 20 match-group 'Mission-Critical' -set qos policy shaper VyOS-HTB class 20 priority '2' -set qos policy shaper VyOS-HTB class 20 queue-type 'fair-queue' -set qos policy shaper VyOS-HTB default bandwidth '20%' -set qos policy shaper VyOS-HTB default queue-type 'fq-codel' -``` - -In this example, we can observe that different DSCP criteria are defined based -on our QoS configuration within the same policy group. - -#### Default - -Often you will also have to configure your *default* traffic in the same -way you do with a class. *Default* can be considered a class as it -behaves like that. It contains any traffic that did not match any -of the defined classes, so it is like an open class, a class without -matching filters. - -#### Class treatment - -Once a class has a filter configured, you will also have to define what -you want to do with the traffic of that class, what specific -Traffic-Control treatment you want to give it. You will have different -possibilities depending on the Traffic Policy you are configuring. - - -```none -vyos@vyos# set qos policy shaper MY-SHAPER class 30 -Possible completions: - bandwidth Available bandwidth for this policy (default: auto) - burst Burst size for this class (default: 15k) - ceiling Bandwidth limit for this class - codel-quantum - Deficit in the fair queuing algorithm (default 1514) - description Description - flows Number of flows into which the incoming packets are classified(default 1024) - interval Interval used to measure the delay (default 100) -+> match Class matching rule name - priority Priority for rule evaluation - queue-limit Maximum queue size - queue-type Queue type for default traffic (default: fq-codel) - set-dscp Change the Differentiated Services (DiffServ) field in the IP header - target Acceptable minimum standing/persistent queue delay (default: 5) -``` - - -For instance, with {code}`set qos policy shaper MY-SHAPER -class 30 set-dscp EF` you would be modifying the DSCP field value of packets in -that class to Expedite Forwarding. - -> DSCP values as per {rfc}`2474` and {rfc}`4595`: -> -> | Binary value | Configured value | Drop rate | Description | -> | ------------ | ---------------- | --------- | ---------------------------- | -> | 101110 | 46 | - | Expedited forwarding (EF) | -> | 000000 | 0 | - | Best effort traffic, default | -> | 001010 | 10 | Low | Assured Forwarding(AF) 11 | -> | 001100 | 12 | Medium | Assured Forwarding(AF) 12 | -> | 001110 | 14 | High | Assured Forwarding(AF) 13 | -> | 010010 | 18 | Low | Assured Forwarding(AF) 21 | -> | 010100 | 20 | Medium | Assured Forwarding(AF) 22 | -> | 010110 | 22 | High | Assured Forwarding(AF) 23 | -> | 011010 | 26 | Low | Assured Forwarding(AF) 31 | -> | 011100 | 28 | Medium | Assured Forwarding(AF) 32 | -> | 011110 | 30 | High | Assured Forwarding(AF) 33 | -> | 100010 | 34 | Low | Assured Forwarding(AF) 41 | -> | 100100 | 36 | Medium | Assured Forwarding(AF) 42 | -> | 100110 | 38 | High | Assured Forwarding(AF) 43 | - -(embed)= - -#### Embedding one policy into another one - -Often we need to embed one policy into another one. It is possible to do -so on classful policies, by attaching a new policy into a class. For -instance, you might want to apply different policies to the different -classes of a Round-Robin policy you have configured. - -A common example is the case of some policies which, in order to be -effective, they need to be applied to an interface that is directly -connected where the bottleneck is. If your router is not -directly connected to the bottleneck, but some hop before it, you can -emulate the bottleneck by embedding your non-shaping policy into a -classful shaping one so that it takes effect. - -You can configure a policy into a class through the `queue-type` -setting. - -```none -set qos policy shaper FQ-SHAPER bandwidth 4gbit -set qos policy shaper FQ-SHAPER default bandwidth 100% -set qos policy shaper FQ-SHAPER default queue-type fq-codel -``` - -As shown in the last command of the example above, the `queue-type` -setting allows these combinations. You will be able to use it -in many policies. - -:::{note} -Some policies already include other embedded policies inside. -That is the case of [Shaper]: each of its classes use fair-queue -unless you change it. -::: - -(creating_a_traffic_policy)= - -### Creating a traffic policy - -VyOS lets you control traffic in many different ways, here we will cover -every possibility. You can configure as many policies as you want, but -you will only be able to apply one policy per interface and direction -(inbound or outbound). - -Some policies can be combined, you will be able to [embed] a different -policy that will be applied to a class of the main policy. - -:::{hint} -**If you are looking for a policy for your outbound traffic** -but you don't know which one you need and you don't want to go -through every possible policy shown here, **our bet is that highly -likely you are looking for a** [Shaper] **policy and you want to** -{ref}`set its queues <embed>` **as FQ-CoDel**. -::: - -#### Drop Tail - -**Queueing discipline:** - - PFIFO (Packet First In First Out). - -**Applies to:** - - Outbound traffic. - -This the simplest queue possible you can apply to your traffic. Traffic -must go through a finite queue before it is actually sent. You must -define how many packets that queue can contain. - -When a packet is to be sent, it will have to go through that queue, so -the packet will be placed at the tail of it. When the packet completely -goes through it, it will be dequeued emptying its place in the queue and -being eventually handed to the NIC to be actually sent out. - -Despite the Drop-Tail policy does not slow down packets, if many packets -are to be sent, they could get dropped when trying to get enqueued at -the tail. This can happen if the queue has still not been able to -release enough packets from its head. - -This is the policy that requires the lowest resources for the same -amount of traffic. But **very likely you do not need it as you cannot -get much from it. Sometimes it is used just to enable logging.** - -```{eval-rst} -.. cfgcmd:: set qos policy drop-tail <policy-name> queue-limit - <number-of-packets> - - Use this command to configure a drop-tail policy (PFIFO). Choose a - unique name for this policy and the size of the queue by setting the - number of packets it can contain (maximum 4294967295). - -``` - -#### Fair Queue - -**Queueing discipline:** - - SFQ (Stochastic Fairness Queuing). - -**Applies to:** - - Outbound traffic. - -Fair Queue is a work-conserving scheduler which schedules the -transmission of packets based on flows, that is, it balances traffic -distributing it through different sub-queues in order to ensure -fairness so that each flow is able to send data in turn, preventing any -single one from drowning out the rest. - -```{eval-rst} -.. cfgcmd:: set qos policy fair-queue <policy-name> - - Use this command to create a Fair-Queue policy and give it a name. - It is based on the Stochastic Fairness Queueing and can be applied to - outbound traffic. -``` - -In order to separate traffic, Fair Queue uses a classifier based on -source address, destination address and source port. The algorithm -enqueues packets to hash buckets based on those tree parameters. -Each of these buckets should represent a unique flow. Because multiple -flows may get hashed to the same bucket, the hashing algorithm is -perturbed at configurable intervals so that the unfairness lasts only -for a short while. Perturbation may however cause some inadvertent -packet reordering to occur. An advisable value could be 10 seconds. - -One of the uses of Fair Queue might be the mitigation of Denial of -Service attacks. - -```{eval-rst} -.. cfgcmd:: set qos policy fair-queue <policy-name> hash-interval <seconds> - - Use this command to define a Fair-Queue policy, based on the - Stochastic Fairness Queueing, and set the number of seconds at which - a new queue algorithm perturbation will occur (maximum 4294967295). -``` - -When dequeuing, each hash-bucket with data is queried in a round robin -fashion. You can configure the length of the queue. - -```{eval-rst} -.. cfgcmd:: set qos policy fair-queue <policy-name> queue-limit <limit> - - Use this command to define a Fair-Queue policy, based on the - Stochastic Fairness Queueing, and set the number of maximum packets - allowed to wait in the queue. Any other packet will be dropped. -``` - -:::{note} -Fair Queue is a non-shaping (work-conserving) policy, so it -will only be useful if your outgoing interface is really full. If it -is not, VyOS will not own the queue and Fair Queue will have no -effect. If there is bandwidth available on the physical link, you can -[embed] Fair-Queue into a classful shaping policy to make sure it owns -the queue. -::: - -(fq-codel)= - -#### FQ-CoDel - -**Queueing discipline** - - Fair/Flow Queue CoDel. - -**Applies to:** - - Outbound Traffic. - -The FQ-CoDel policy distributes the traffic into 1024 FIFO queues and -tries to provide good service between all of them. It also tries to keep -the length of all the queues short. - -FQ-CoDel fights bufferbloat and reduces latency without the need of -complex configurations. It has become the new default Queueing -Discipline for the interfaces of some GNU/Linux distributions. - -It uses a stochastic model to classify incoming packets into -different flows and is used to provide a fair share of the bandwidth to -all the flows using the queue. Each flow is managed by the CoDel -queuing discipline. Reordering within a flow is avoided since Codel -internally uses a FIFO queue. - -FQ-CoDel is based on a modified Deficit Round Robin ([DRR]) queue -scheduler with the CoDel Active Queue Management (AQM) algorithm -operating on each queue. - -:::{note} -FQ-Codel is a non-shaping (work-conserving) policy, so it -will only be useful if your outgoing interface is really full. If it -is not, VyOS will not own the queue and FQ-Codel will have no -effect. If there is bandwidth available on the physical link, you can -[embed] FQ-Codel into a classful shaping policy to make sure it owns -the queue. If you are not sure if you need to embed your FQ-CoDel -policy into a Shaper, do it. -::: - -FQ-CoDel is tuned to run ok with its default parameters at 10Gbit -speeds. It might work ok too at other speeds without configuring -anything, but here we will explain some cases when you might want to -tune its parameters. - -When running it at 1Gbit and lower, you may want to reduce the -`queue-limit` to 1000 packets or less. In rates like 10Mbit, you may -want to set it to 600 packets. - -If you are using FQ-CoDel embedded into [Shaper] and you have large rates -(100Mbit and above), you may consider increasing `quantum` to 8000 or -higher so that the scheduler saves CPU. - -On low rates (below 40Mbit) you may want to tune `quantum` down to -something like 300 bytes. - -At very low rates (below 3Mbit), besides tuning `quantum` (300 keeps -being ok) you may also want to increase `target` to something like 15ms -and increase `interval` to something around 150 ms. - -```{eval-rst} -.. cfgcmd:: set qos policy fq-codel <policy name> codel-quantum <bytes> - - Use this command to configure an fq-codel policy, set its name and - the maximum number of bytes (default: 1514) to be dequeued from a - queue at once. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy fq-codel <policy name> flows <number-of-flows> - - Use this command to configure an fq-codel policy, set its name and - the number of sub-queues (default: 1024) into which packets are - classified. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy fq-codel <policy name> interval <milliseconds> - - Use this command to configure an fq-codel policy, set its name and - the time period used by the control loop of CoDel to detect when a - persistent queue is developing, ensuring that the measured minimum - delay does not become too stale (default: 100ms). -``` - -```{eval-rst} -.. cfgcmd:: set qos policy fq-codel <policy-name> queue-limit - <number-of-packets> - - Use this command to configure an fq-codel policy, set its name, and - define a hard limit on the real queue size. When this limit is - reached, new packets are dropped (default: 10240 packets). -``` - -```{eval-rst} -.. cfgcmd:: set qos policy fq-codel <policy-name> target <milliseconds> - - Use this command to configure an fq-codel policy, set its name, and - define the acceptable minimum standing/persistent queue delay. This - minimum delay is identified by tracking the local minimum queue delay - that packets experience (default: 5ms). - -``` - -##### Example - -A simple example of an FQ-CoDel policy working inside a Shaper one. - -```none -set qos policy shaper FQ-CODEL-SHAPER bandwidth 2gbit -set qos policy shaper FQ-CODEL-SHAPER default bandwidth 100% -set qos policy shaper FQ-CODEL-SHAPER default queue-type fq-codel -``` - -#### Limiter - -**Queueing discipline:** - - Ingress policer. - -**Applies to:** - - Inbound traffic. - -Limiter is one of those policies that uses [classes] (Ingress qdisc is -actually a classless policy but filters do work in it). - -The limiter performs basic ingress policing of traffic flows. Multiple -classes of traffic can be defined and traffic limits can be applied to -each class. Although the policer uses a token bucket mechanism -internally, it does not have the capability to delay a packet as a -shaping mechanism does. Traffic exceeding the defined bandwidth limits -is directly dropped. A maximum allowed burst can be configured too. - -You can configure classes (up to 4090) with different settings and a -default policy which will be applied to any traffic not matching any of -the configured classes. - -:::{note} -In the case you want to apply some kind of **shaping** to your -**inbound** traffic, check the [ingress-shaping] section. -::: - -```{eval-rst} -.. cfgcmd:: set qos policy limiter <policy-name> class <class ID> match - <match-name> description <description> - - Use this command to configure an Ingress Policer, defining its name, - a class identifier (1-4090), a class matching rule name and its - description. - -``` - -Once the matching rules are set for a class, you can start configuring -how you want matching traffic to behave. - -```{eval-rst} -.. cfgcmd:: set qos policy limiter <policy-name> class <class-ID> bandwidth - <rate> - - Use this command to configure an Ingress Policer, defining its name, - a class identifier (1-4090) and the maximum allowed bandwidth for - this class. - -``` - -```{eval-rst} -.. cfgcmd:: set qos policy limiter <policy-name> class <class-ID> burst - <burst-size> - - Use this command to configure an Ingress Policer, defining its name, - a class identifier (1-4090) and the burst size in bytes for this - class (default: 15). - -``` - -```{eval-rst} -.. cfgcmd:: set qos policy limiter <policy-name> default bandwidth <rate> - - Use this command to configure an Ingress Policer, defining its name - and the maximum allowed bandwidth for its default policy. - -``` - -```{eval-rst} -.. cfgcmd:: set qos policy limiter <policy-name> default burst <burst-size> - - Use this command to configure an Ingress Policer, defining its name - and the burst size in bytes (default: 15) for its default policy. - -``` - -```{eval-rst} -.. cfgcmd:: set qos policy limiter <policy-name> class <class ID> priority - <value> - - Use this command to configure an Ingress Policer, defining its name, - a class identifier (1-4090), and the priority (0-20, default 20) in - which the rule is evaluated (the lower the number, the higher the - priority). - - -``` - -#### Network Emulator - -**Queueing discipline:** - - netem (Network Emulator) + TBF (Token Bucket Filter). - -**Applies to:** - - Outbound traffic. - -VyOS Network Emulator policy emulates the conditions you can suffer in a -real network. You will be able to configure things like rate, burst, -delay, packet loss, packet corruption or packet reordering. - -This could be helpful if you want to test how an application behaves -under certain network conditions. - -```{eval-rst} -.. cfgcmd:: set qos policy network-emulator <policy-name> bandwidth <rate> - - Use this command to configure the maximum rate at which traffic will - be shaped in a Network Emulator policy. Define the name of the policy - and the rate. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy network-emulator <policy-name> burst <burst-size> - - Use this command to configure the burst size of the traffic in a - Network Emulator policy. Define the name of the Network Emulator - policy and its traffic burst size (it will be configured through the - Token Bucket Filter qdisc). Default:15kb. It will only take effect if - you have configured its bandwidth too. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy network-emulator <policy-name> delay - <delay> - - Use this command to configure a Network Emulator policy defining its - name and the fixed amount of time you want to add to all packet going - out of the interface. The latency will be added through the - Token Bucket Filter qdisc. It will only take effect if you have - configured its bandwidth too. You can use secs, ms and us. Default: - 50ms. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy network-emulator <policy-name> corruption - <percent> - - Use this command to emulate noise in a Network Emulator policy. Set - the policy name and the percentage of corrupted packets you want. A - random error will be introduced in a random position for the chosen - percent of packets. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy network-emulator <policy-name> loss - <percent> - - Use this command to emulate packet-loss conditions in a Network - Emulator policy. Set the policy name and the percentage of loss - packets your traffic will suffer. -``` - -```{eval-rst} -.. cfgcmd:: set traffic-policy network-emulator <policy-name> reordering - <percent> - - Use this command to emulate packet-reordering conditions in a Network - Emulator policy. Set the policy name and the percentage of reordered - packets your traffic will suffer. -``` - -```{eval-rst} -.. cfgcmd:: set traffic-policy network-emulator <policy-name> queue-limit - <limit> - - Use this command to define the length of the queue of your Network - Emulator policy. Set the policy name and the maximum number of - packets (1-4294967295) the queue may hold queued at a time. - - -``` - -#### Priority Queue - -**Queueing discipline:** - - PRIO. - -**Applies to:** - - Outbound traffic. - -The Priority Queue is a classful scheduling policy. It does not delay -packets (Priority Queue is not a shaping policy), it simply dequeues -packets according to their priority. - -:::{note} -Priority Queue, as other non-shaping policies, is only useful -if your outgoing interface is really full. If it is not, VyOS will -not own the queue and Priority Queue will have no effect. If there is -bandwidth available on the physical link, you can [embed] Priority -Queue into a classful shaping policy to make sure it owns the queue. -In that case packets can be prioritized based on DSCP. -::: - -Up to seven queues -defined as [classes] with different priorities- can -be configured. Packets are placed into queues based on associated match -criteria. Packets are transmitted from the queues in priority order. If -classes with a higher priority are being filled with packets -continuously, packets from lower priority classes will only be -transmitted after traffic volume from higher priority classes decreases. - -:::{note} -In Priority Queue we do not define classes with a meaningless -class ID number but with a class priority number (1-7). The lower the -number, the higher the priority. -::: - -As with other policies, you can define different type of matching rules -for your classes: - -```none -vyos@vyos# set qos policy priority-queue MY-PRIO class 3 match MY-MATCH-RULE -Possible completions: - description Description - > ether Ethernet header match - interface Interface to use - > ip Match IP protocol header - > ipv6 Match IPV6 protocol header - mark Match on mark applied by firewall - vif Virtual Local Area Network (VLAN) ID for this match -``` - -As with other policies, you can [embed] other policies into the classes -(and default) of your Priority Queue policy through the `queue-type` -setting: - -```none -vyos@vyos# set qos policy priority-queue MY-PRIO class 3 queue-type -Possible completions: - drop-tail First-In-First-Out (FIFO) (default) - fq-codel Fair Queue Codel - fair-queue Stochastic Fair Queue (SFQ) - priority Priority queueing - random-detect - Random Early Detection (RED) -``` - -```{eval-rst} -.. cfgcmd:: set qos policy priority-queue <policy-name> class <class-ID> - queue-limit <limit> - - Use this command to configure a Priority Queue policy, set its name, - set a class with a priority from 1 to 7 and define a hard limit on - the real queue size. When this limit is reached, new packets are - dropped. - - -``` - -(random-detect)= - -#### Random-Detect - -**Queueing discipline:** - - Generalized Random Early Drop. - -**Applies to:** - - Outbound traffic. - -A simple Random Early Detection (RED) policy would start randomly -dropping packets from a queue before it reaches its queue limit thus -avoiding congestion. That is good for TCP connections as the gradual -dropping of packets acts as a signal for the sender to decrease its -transmission rate. - -In contrast to simple RED, VyOS' Random-Detect uses a Generalized Random -Early Detect policy that provides different virtual queues based on the -IP Precedence value so that some virtual queues can drop more packets -than others. - -This is achieved by using the first three bits of the ToS (Type of -Service) field to categorize data streams and, in accordance with the -defined precedence parameters, a decision is made. - -IP precedence as defined in {rfc}`791`: - -> | Precedence | Priority | -> | ---------- | -------------------- | -> | 7 | Network Control | -> | 6 | Internetwork Control | -> | 5 | CRITIC/ECP | -> | 4 | Flash Override | -> | 3 | Flash | -> | 2 | Immediate | -> | 1 | Priority | -> | 0 | Routine | - -Random-Detect could be useful for heavy traffic. One use of this -algorithm might be to prevent a backbone overload. But only for TCP -(because dropped packets could be retransmitted), not for UDP. - -```{eval-rst} -.. cfgcmd:: set qos policy random-detect <policy-name> bandwidth <bandwidth> - - Use this command to configure a Random-Detect policy, set its name - and set the available bandwidth for this policy. It is used for - calculating the average queue size after some idle time. It should be - set to the bandwidth of your interface. Random Detect is not a - shaping policy, this command will not shape. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy random-detect <policy-name> precedence - <IP-precedence-value> average-packet <bytes> - - Use this command to configure a Random-Detect policy and set its - name, then state the IP Precedence for the virtual queue you are - configuring and what the size of its average-packet should be - (in bytes, default: 1024). -``` - -:::{note} -When configuring a Random-Detect policy: **the higher the -precedence number, the higher the priority**. -::: - -```{eval-rst} -.. cfgcmd:: set qos policy random-detect <policy-name> precedence - <IP-precedence-value> mark-probability <value> - - Use this command to configure a Random-Detect policy and set its - name, then state the IP Precedence for the virtual queue you are - configuring and what its mark (drop) probability will be. Set the - probability by giving the N value of the fraction 1/N (default: 10). - -``` - -```{eval-rst} -.. cfgcmd:: set qos policy random-detect <policy-name> precedence - <IP-precedence-value> maximum-threshold <packets> - - Use this command to configure a Random-Detect policy and set its - name, then state the IP Precedence for the virtual queue you are - configuring and what its maximum threshold for random detection will - be (from 0 to 4096 packets, default: 18). At this size, the marking - (drop) probability is maximal. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy random-detect <policy-name> precedence - <IP-precedence-value> minimum-threshold <packets> - - Use this command to configure a Random-Detect policy and set its - name, then state the IP Precedence for the virtual queue you are - configuring and what its minimum threshold for random detection will - be (from 0 to 4096 packets). If this value is exceeded, packets - start being eligible for being dropped. - -``` - -The default values for the minimum-threshold depend on IP precedence: - -> | Precedence | default min-threshold | -> | ---------- | --------------------- | -> | 7 | 16 | -> | 6 | 15 | -> | 5 | 14 | -> | 4 | 13 | -> | 3 | 12 | -> | 2 | 11 | -> | 1 | 10 | -> | 0 | 9 | - -```{eval-rst} -.. cfgcmd:: set qos policy random-detect <policy-name> precedence - <IP-precedence-value> queue-limit <packets> - - Use this command to configure a Random-Detect policy and set its - name, then name the IP Precedence for the virtual queue you are - configuring and what the maximum size of its queue will be (from 1 to - 1-4294967295 packets). Packets are dropped when the current queue - length reaches this value. - -``` - -If the average queue size is lower than the **min-threshold**, an -arriving packet will be placed in the queue. - -In the case the average queue size is between **min-threshold** and -**max-threshold**, then an arriving packet would be either dropped or -placed in the queue, it will depend on the defined **mark-probability**. - -If the current queue size is larger than **queue-limit**, -then packets will be dropped. The average queue size depends on its -former average size and its current one. - -If **max-threshold** is set but **min-threshold is not, then -\*\*min-threshold** is scaled to 50% of **max-threshold**. - -In principle, values must be -{code}`min-threshold` < {code}`max-threshold` < {code}`queue-limit`. - -#### Rate Control - -**Queueing discipline:** - - Token Bucket Filter. - -**Applies to:** - - Outbound traffic. - -Rate-Control is a classless policy that limits the packet flow to a set -rate. It is a pure shaper, it does not schedule traffic. Traffic is -filtered based on the expenditure of tokens. Tokens roughly correspond -to bytes. - -Short bursts can be allowed to exceed the limit. On creation, the -Rate-Control traffic is stocked with tokens which correspond to the -amount of traffic that can be burst in one go. Tokens arrive at a steady -rate, until the bucket is full. - -```{eval-rst} -.. cfgcmd:: set qos policy rate-control <policy-name> bandwidth <rate> - - Use this command to configure a Rate-Control policy, set its name - and the rate limit you want to have. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy rate-control <policy-name> burst <burst-size> - - Use this command to configure a Rate-Control policy, set its name - and the size of the bucket in bytes which will be available for - burst. - -``` - -As a reference: for 10mbit/s on Intel, you might need at least 10kbyte -buffer if you want to reach your configured rate. - -A very small buffer will soon start dropping packets. - -```{eval-rst} -.. cfgcmd:: set qos policy rate-control <policy-name> latency - - Use this command to configure a Rate-Control policy, set its name - and the maximum amount of time a packet can be queued (default: 50 - ms). - -``` - -Rate-Control is a CPU-friendly policy. You might consider using it when -you just simply want to slow traffic down. - -(drr)= - -#### Round Robin - -**Queueing discipline:** - - Deficit Round Robin. - -**Applies to:** - - Outbound traffic. - -The round-robin policy is a classful scheduler that divides traffic in -different [classes] you can configure (up to 4096). You can [embed] a -new policy into each of those classes (default included). - -Each class is assigned a deficit counter (the number of bytes that a -flow is allowed to transmit when it is its turn) initialized to quantum. -Quantum is a parameter you configure which acts like a credit of fix -bytes the counter receives on each round. Then the Round-Robin policy -starts moving its Round Robin pointer through the queues. If the deficit -counter is greater than the packet's size at the head of the queue, this -packet will be sent and the value of the counter will be decremented by -the packet size. Then, the size of the next packet will be compared to -the counter value again, repeating the process. Once the queue is empty -or the value of the counter is insufficient, the Round-Robin pointer -will move to the next queue. If the queue is empty, the value of the -deficit counter is reset to 0. - -At every round, the deficit counter adds the quantum so that even large -packets will have their opportunity to be dequeued. - -```{eval-rst} -.. cfgcmd:: set qos policy round-robin <policy name> class - <class-ID> quantum <packets> - - Use this command to configure a Round-Robin policy, set its name, set - a class ID, and the quantum for that class. The deficit counter will - add that value each round. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy round-robin <policy name> class - <class ID> queue-limit <packets> - - Use this command to configure a Round-Robin policy, set its name, set - a class ID, and the queue size in packets. -``` - -As with other policies, Round-Robin can [embed] another policy into a -class through the `queue-type` setting. - -```none -vyos@vyos# set qos policy round-robin DRR class 10 queue-type -Possible completions: - drop-tail First-In-First-Out (FIFO) (default) - fq-codel Fair Queue Codel - fair-queue Stochastic Fair Queue (SFQ) - priority Priority queueing based - random-detect - Random Early Detection (RED) -``` - -(shaper)= - -#### Shaper - -**Queueing discipline:** - - Hierarchical Token Bucket. - -**Applies to:** - - Outbound traffic. - -The Shaper policy does not guarantee a low delay, but it does guarantee -bandwidth to different traffic classes and also lets you decide how to -allocate more traffic once the guarantees are met. - -Each class can have a guaranteed part of the total bandwidth defined for -the whole policy, so all those shares together should not be higher -than the policy's whole bandwidth. - -If guaranteed traffic for a class is met and there is room for more -traffic, the ceiling parameter can be used to set how much more -bandwidth could be used. If guaranteed traffic is met and there are -several classes willing to use their ceilings, the priority parameter -will establish the order in which that additional traffic will be -allocated. Priority can be any number from 0 to 7. The lower the number, -the higher the priority. - -```{eval-rst} -.. cfgcmd:: set qos policy shaper <policy-name> bandwidth <rate> - - Use this command to configure a Shaper policy, set its name - and the maximum bandwidth for all combined traffic. - -``` - -```{eval-rst} -.. cfgcmd:: set qos policy shaper <policy-name> class <class-ID> bandwidth - <rate> - - Use this command to configure a Shaper policy, set its name, define - a class and set the guaranteed traffic you want to allocate to that - class. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy shaper <policy-name> class <class-ID> burst - <bytes> - - Use this command to configure a Shaper policy, set its name, define - a class and set the size of the `tocken bucket`_ in bytes, which will - be available to be sent at ceiling speed (default: 15Kb). -``` - -```{eval-rst} -.. cfgcmd:: set qos policy shaper <policy-name> class <class-ID> ceiling - <bandwidth> - - Use this command to configure a Shaper policy, set its name, define - a class and set the maximum speed possible for this class. The - default ceiling value is the bandwidth value. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy shaper <policy-name> class <class-ID> priority - <0-7> - - Use this command to configure a Shaper policy, set its name, define - a class and set the priority for usage of available bandwidth once - guarantees have been met. The lower the priority number, the higher - the priority. The default priority value is 0, the highest priority. - -``` - -As with other policies, Shaper can [embed] other policies into its -classes through the `queue-type` setting and then configure their -parameters. - -```none -vyos@vyos# set qos policy shaper HTB class 10 queue-type -Possible completions: - fq-codel Fair Queue Codel (default) - fair-queue Stochastic Fair Queue (SFQ) - drop-tail First-In-First-Out (FIFO) - priority Priority queueing - random-detect - Random Early Detection (RED) -``` - - -```none -vyos@vyos# set qos policy shaper HTB class 10 -Possible completions: - bandwidth Available bandwidth for this policy (default: auto) - burst Burst size for this class (default: 15k) - ceiling Bandwidth limit for this class - codel-quantum - Deficit in the fair queuing algorithm (default 1514) - description Description - flows Number of flows into which the incoming packets are classified (default 1024) - interval Interval used to measure the delay (default 100) -+> match Class matching rule name - priority Priority for rule evaluation - queue-limit Maximum queue size (packets) - queue-type Queue type for default traffic (default: fq-codel) - set-dscp Change the Differentiated Services (DiffServ) field in the IP header - target Acceptable minimum standing/persistent queue delay (default: 5) -``` - - -:::{note} -If you configure a class for **VoIP traffic**, don't give it any -*ceiling*, otherwise new VoIP calls could start when the link is -available and get suddenly dropped when other classes start using -their assigned *bandwidth* share. -::: - -(traffic-policy-shaper-example)= - -##### Example - -A simple example of Shaper using priorities. - - -```none -set qos policy shaper MY-HTB bandwidth '50mbit' -set qos policy shaper MY-HTB class 10 bandwidth '20%' -set qos policy shaper MY-HTB class 10 match DSCP ip dscp 'EF' -set qos policy shaper MY-HTB class 10 queue-type 'fq-codel' -set qos policy shaper MY-HTB class 20 bandwidth '10%' -set qos policy shaper MY-HTB class 20 ceiling '50%' -set qos policy shaper MY-HTB class 20 match PORT666 ip destination port '666' -set qos policy shaper MY-HTB class 20 priority '3' -set qos policy shaper MY-HTB class 20 queue-type 'fair-queue' -set qos policy shaper MY-HTB class 30 bandwidth '10%' -set qos policy shaper MY-HTB class 30 ceiling '50%' -set qos policy shaper MY-HTB class 30 match ADDRESS30 ip source address '192.168.30.0/24' -set qos policy shaper MY-HTB class 30 priority '5' -set qos policy shaper MY-HTB class 30 queue-type 'fair-queue' -set qos policy shaper MY-HTB default bandwidth '10%' -set qos policy shaper MY-HTB default ceiling '100%' -set qos policy shaper MY-HTB default priority '7' -set qos policy shaper MY-HTB default queue-type 'fair-queue' -``` - - -(cake)= - -#### CAKE - -**Queueing discipline:** - - Deficit mode. - -**Applies to:** - - Outbound traffic. - -[Common Applications Kept Enhanced] (CAKE) is a comprehensive queue management -system, implemented as a queue discipline (qdisc) for the Linux kernel. It is -designed to replace and improve upon the complex hierarchy of simple qdiscs -presently required to effectively tackle the bufferbloat problem at the network -edge. - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> bandwidth <value> - - Set the shaper bandwidth, either as an explicit bitrate or a percentage - of the interface bandwidth. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> description - - Set a description for the shaper. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> flow-isolation blind - - Disables flow isolation, all traffic passes through a single queue. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> flow-isolation dst-host - - Flows are defined only by destination address. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> flow-isolation dual-dst-host - - Flows are defined by the 5-tuple. Fairness is applied first over destination - addresses, then over individual flows. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> flow-isolation dual-src-host - - Flows are defined by the 5-tuple. Fairness is applied first over source - addresses, then over individual flows. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> flow-isolation flow - - Flows are defined by the entire 5-tuple (source IP address, source port, - destination IP address, destination port, transport protocol). -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> flow-isolation host - - Flows are defined by source-destination host pairs. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> flow-isolation nat - - Perform NAT lookup before applying flow-isolation rules. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> flow-isolation src-host - - Flows are defined only by source address. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> flow-isolation triple-isolate - - **(Default)** Flows are defined by the 5-tuple, fairness is applied - over source and destination addresses and also over individual flows. -``` - -```{eval-rst} -.. cfgcmd:: set qos policy cake <text> rtt - - Defines the round-trip time used for active queue management (AQM) in - milliseconds. The default value is 100. - -``` - -### Applying a traffic policy - -Once a traffic-policy is created, you can apply it to an interface: - -```none -set qos interface eth0 egress WAN-OUT -``` - -You can only apply one policy per interface and direction, but you could -reuse a policy on different interfaces and directions: - -```none -set qos interface eth0 ingress WAN-IN -set qos interface eth0 egress WAN-OUT -set qos interface eth1 ingress LAN-IN -set qos interface eth1 egress LAN-OUT -set qos interface eth2 ingress LAN-IN -set qos interface eth2 egress LAN-OUT -set qos interface eth3 ingress TWO-WAY-POLICY -set qos interface eth3 egress TWO-WAY-POLICY -set qos interface eth4 ingress TWO-WAY-POLICY -set qos interface eth4 egress TWO-WAY-POLICY -``` - -(ingress-shaping)= - -### The case of ingress shaping - -**Applies to:** - - Inbound traffic. - -For the ingress traffic of an interface, there is only one policy you -can directly apply, a **Limiter** policy. You cannot apply a shaping -policy directly to the ingress traffic of any interface because shaping -only works for outbound traffic. - -This workaround lets you apply a shaping policy to the ingress traffic -by first redirecting it to an in-between virtual interface -([Intermediate Functional Block]). There, in that virtual interface, -you will be able to apply any of the policies that work for outbound -traffic, for instance, a shaping one. - -That is how it is possible to do the so-called "ingress shaping". - -```none -set qos policy shaper MY-INGRESS-SHAPING bandwidth 1000kbit -set qos policy shaper MY-INGRESS-SHAPING default bandwidth 1000kbit -set qos policy shaper MY-INGRESS-SHAPING default queue-type fair-queue - -set qos interface ifb0 egress MY-INGRESS-SHAPING -set interfaces ethernet eth0 redirect ifb0 - -set interfaces input ifb0 -``` - -:::{warning} -Do not configure IFB as the first step. First create everything else -of your traffic-policy, and then you can configure IFB. -Otherwise you might get the `RTNETLINK answer: File exists` error, -which can be solved with `sudo ip link delete ifb0`. -::: - - - -[common applications kept enhanced]: https://www.bufferbloat.net/projects/codel/wiki/Cake/ -[hfsc]: https://en.wikipedia.org/wiki/Hierarchical_fair-service_curve -[intermediate functional block]: https://www.linuxfoundation.org/collaborate/workgroups/networking/ifb -[tc]: https://en.wikipedia.org/wiki/Tc_(Linux) -[that can give you a great deal of flexibility]: https://blog.vyos.io/using-the-policy-route-and-packet-marking-for-custom-qos-matches -[tocken bucket]: https://en.wikipedia.org/wiki/Token_bucket diff --git a/docs/configuration/vpn/ipsec/md-index.md b/docs/configuration/vpn/ipsec/md-index.md deleted file mode 100644 index db9656e5..00000000 --- a/docs/configuration/vpn/ipsec/md-index.md +++ /dev/null @@ -1,10 +0,0 @@ -# IPsec - -<div class="toctree" maxdepth="1" includehidden=""> - -ipsec_general -site2site_ipsec -remoteaccess_ipsec -troubleshooting_ipsec - -</div> diff --git a/docs/configuration/vpn/ipsec/md-ipsec_general.md b/docs/configuration/vpn/ipsec/md-ipsec_general.md deleted file mode 100644 index ca04eefe..00000000 --- a/docs/configuration/vpn/ipsec/md-ipsec_general.md +++ /dev/null @@ -1,442 +0,0 @@ -(ipsec_general)= - -# IPsec General Information - -## Information about IPsec - -IPsec is the framework used to secure data. -IPsec accomplishes these goals by providing authentication, -encryption of IP network packets, key exchange, and key management. -VyOS uses Strongswan package to implement IPsec. - -**Authentication Header (AH)** is defined in {rfc}`4302`. It creates -a hash using the IP header and data payload, and prepends it to the -packet. This hash is used to validate that the data has not been -changed during transfer over the network. - -**Encapsulating Security Payload (ESP)** is defined in {rfc}`4303`. -It provides encryption and authentication of the data. - -There are two IPsec modes: -: **IPsec Transport Mode**: - - : In transport mode, an IPSec header (AH or ESP) is inserted - between the IP header and the upper layer protocol header. - - **IPsec Tunnel Mode:** - - : In tunnel mode, the original IP packet is encapsulated in - another IP datagram, and an IPsec header (AH or ESP) is - inserted between the outer and inner headers. - -:::{figure} /_static/images/ESP_AH.webp -:alt: AH and ESP in Transport Mode and Tunnel Mode -:scale: 80 % -::: - -## IKE (Internet Key Exchange) - -The default IPsec method for secure key negotiation is the Internet Key -Exchange (IKE) protocol. IKE is designed to provide mutual authentication -of systems, as well as to establish a shared secret key to create IPsec -security associations. A security association (SA) includes all relevant -attributes of the connection, including the cryptographic algorithm used, -the IPsec mode, the encryption key, and other parameters related to the -transmission of data over the VPN connection. - -### IKEv1 - -IKEv1 is the older version and is still used today. Nowadays, most -manufacturers recommend using IKEv2 protocol. - -IKEv1 is described in the next RFCs: {rfc}`2409` (IKE), {rfc}`3407` -(IPsec DOI), {rfc}`3947` (NAT-T), {rfc}`3948` (UDP Encapsulation -of ESP Packets), {rfc}`3706` (DPD) - -IKEv1 operates in two phases to establish these IKE and IPsec SAs: -: - **Phase 1** provides mutual authentication of the IKE peers and - establishment of the session key. This phase creates an IKE SA (a - security association for IKE) using a DH exchange, cookies, and an - ID exchange. Once an IKE SA is established, all IKE communication - between the initiator and responder is protected with encryption - and an integrity check that is authenticated. The purpose of IKE - phase 1 is to facilitate a secure channel between the peers so that - phase 2 negotiations can occur securely. IKE phase 1 offers two modes: - Main and Aggressive. - - > - **Main Mode** is used for site-to-site VPN connections. - > - **Aggressive Mode** is used for remote access VPN connections. - - - **Phase 2** provides for the negotiation and establishment of the - IPsec SAs using ESP or AH to protect IP data traffic. - -### IKEv2 - -IKEv2 is described in {rfc}`7296`. The biggest difference between IKEv1 and -IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because -fewer messages are exchanged during the establishment of the VPN and -additional security capabilities are available. - -### IKE Authentication - -VyOS supports 3 authentication methods. -: - **Pre-shared keys**: In this method, both peers of the IPsec - tunnel must have the same preshared keys. - - **Digital certificates**: PKI is used in this method. - - **RSA-keys**: If the RSA-keys method is used in your IKE policy, - you need to make sure each peer has the other peer’s public keys. - -## DPD (Dead Peer Detection) - -This is a mechanism used to detect when a VPN peer is no longer active. -This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS. -DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses -are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages -every configured interval. The remote peer is considered unreachable -if no response to these packets is received within the DPD timeout. -In IKEv2, DPD sends messages every configured interval. If one request -is not responded, Strongswan execute its retransmission algorithm with -its timers. [IKEv2 Retransmission] - -## Post-Quantum Preshared Keys (PPK) - -Post-Quantum Preshared Keys help provide some quantum resistance to IPSec -tunnels when a post-quantum key exchange algorithm such as ML-KEM is not -available. The use of PPKs in IKEv2 is described in {rfc}`8784`. - -```{eval-rst} -.. cfgmod:: edit vpn authentication ppk <name> -``` - -PPKs can be configued within VyOS under the `vpn ipsec authentication ppk` -config. - -```{eval-rst} -.. cfgmod:: set vpn authentication ppk <name> secret-type <plaintext|hex|base64> -``` - -PPKs need an id and a secret value. The ID and the secret must match if PPKs are -required for a successful IPsec connection. The secret can be plain text, a -hex value, or a Base64 value. The default is plain text. If using another -type of value, you must define the secret type. - -```{eval-rst} -.. cfgmod:: set vpn ipsec site-to-site <name> ppk id <id> -``` - -To use a PPK within a site-to-site or remote access connection, define the PPK -id under the connection. - -```{eval-rst} -.. cfgmod:: set vpn ipsec site-to-site <name> ppk required -``` - -Optionally, you can require the use of PPK to have a successful connection. - -```{eval-rst} -.. cfgmod:: show vpn ipsec connections -``` - -You can view the PPK column for information on if PPK is configured, and -if it is in use. The output is in the format of `<configured> / <in use>`. -The options for configured are none if not conifugred, opt if configured -but optional, and req is configured and required. The in use will show yes -Possible values of the `configured` field are `none` if not conifgured, `opt` if configured -but optional, and `req` is configured and required. The in use will show yes - -## Configuration IKE - -### IKE (Internet Key Exchange) Attributes - -VyOS IKE group has the next options: - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> close-action <action> - - Defines the action to take if the remote peer unexpectedly - closes a CHILD_SA: - - * **none** - Set action to none (default), - * **trap** - Installs a trap policy (IPsec policy without Security - Association) for the CHILD_SA and traffic matching these policies - will trigger acquire events that cause the daemon to establish the - required IKE/IPsec SAs. - * **start** - Tries to immediately re-create the CHILD_SA. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> ikev2-reauth - - Whether rekeying of an IKE_SA should also reauthenticate - the peer. In IKEv1, reauthentication is always done. - Setting this parameter enables remote host re-authentication - during an IKE rekey. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> key-exchange - - Which protocol should be used to initialize the connection - If not set both protocols are handled and connections will - use IKEv2 when initiating, but accept any protocol version - when responding: - - * **ikev1** - Use IKEv1 for Key Exchange. - * **ikev2** - Use IKEv2 for Key Exchange. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> lifetime - - IKE lifetime in seconds <0-86400> (default 28800). -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> mode - - IKEv1 Phase 1 Mode Selection: - - * **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol - (Recommended Default). - * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1 - protocol aggressive mode is much more insecure compared to Main mode. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number> - - Dh-group. Default value is **2**. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> encryption <encryption> - - Encryption algorithm. Default value is **aes128**. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash> - - Hash algorithm. Default value is **sha1**. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> prf <prf> - - Pseudo-random function. - -``` - -### DPD (Dead Peer Detection) Configuration - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection action <action> - - Action to perform for this CHILD_SA on DPD timeout. - - * **trap** - Installs a trap policy (IPsec policy without Security - Association), which will catch matching traffic and tries to - re-negotiate the tunnel on-demand. - * **clear** - Closes the CHILD_SA and does not take further action - (default). - * **restart** - Immediately tries to re-negotiate the CHILD_SA - under a fresh IKE_SA. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval> - - Keep-alive interval in seconds <2-86400> (default 30). -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout> - - Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only** -``` - -### ESP (Encapsulating Security Payload) Attributes - -In VyOS, ESP attributes are specified through ESP groups. -Multiple proposals can be specified in a single group. - -VyOS ESP group has the next options: - -```{eval-rst} -.. cfgcmd:: set vpn ipsec esp-group <name> compression - - Enables the IPComp(IP Payload Compression) protocol which allows - compressing the content of IP packets. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec esp-group <name> disable-rekey - - Do not locally initiate a re-key of the SA, remote peer must - re-key before expiration. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec esp-group <name> life-bytes <bytes> - - ESP life in bytes <1024-26843545600000>. Number of bytes - transmitted over an IPsec SA before it expires. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec esp-group <name> life-packets <packets> - - ESP life in packets <1000-26843545600000>. - Number of packets transmitted over an IPsec SA before it expires. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec esp-group <name> lifetime <timeout> - - ESP lifetime in seconds <30-86400> (default 3600). - How long a particular instance of a connection (a set of - encryption/authentication keys for user packets) should last, - from successful negotiation to expiry. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec esp-group <name> mode <mode> - - The type of the connection: - - * **tunnel** - Tunnel mode (default). - * **transport** - Transport mode. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec esp-group <name> pfs < dh-group> - - Whether Perfect Forward Secrecy of keys is desired on the - connection's keying channel and defines a Diffie-Hellman group for - PFS: - - * **enable** - Inherit Diffie-Hellman group from IKE group (default). - * **disable** - Disable PFS. - * **<dh-group>** - Defines a Diffie-Hellman group for PFS. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption> - - Encryption algorithm. Default value is **aes128**. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash> - - Hash algorithm. Default value is **sha1**. -``` - -### Global IPsec Settings - -```{eval-rst} -.. cfgcmd:: set vpn ipsec interface <name> - - Interface name to restrict outbound IPsec policies. There is a possibility - to specify multiple interfaces. If an interfaces are not specified, IPsec - policies apply to all interfaces. - -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec log level <number> - - Level of logging. Default value is **0**. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec log subsystem <name> - - Subsystem of the daemon. -``` - -### Options - -```{eval-rst} -.. cfgcmd:: set vpn ipsec options disable-route-autoinstall - - Do not automatically install routes to remote - networks. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec options flexvpn - - Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco - FlexVPN vendor ID payload (IKEv2 only), which is required in order to make - Cisco brand devices allow negotiating a local traffic selector (from - strongSwan's point of view) that is not the assigned virtual IP address if - such an address is requested by strongSwan. Sending the Cisco FlexVPN - vendor ID prevents the peer from narrowing the initiator's local traffic - selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 - instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco - template but should also work for GRE encapsulation. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec options interface <name> - - Interface Name to use. The name of the interface on which - virtual IP addresses should be installed. If not specified the addresses - will be installed on the outbound interface. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec options virtual-ip - - Allows the installation of virtual-ip addresses. -``` - -### IKEv2 Retransmission - -If the peer does not respond on DPD packet, the router starts retransmission procedure. - -The following formula is used to calculate the timeout: - -```none -relative timeout = timeout * base ^ (attempts-1) -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec options retransmission attempts - - Number of attempts before the peer is considered to be in the down state. - Default value is **5**. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec options retransmission base - - Base number of exponential backoff. Default value is **1.8**. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec options retransmission timeout - - Timeout in seconds before the first retransmission. Default value is **4**. -``` - -Using the default values, packets are retransmitted as follows: - -```{eval-rst} -+-----------+-------------+------------------+------------------+ -| Attempts | Formula | Relative timeout | Absolute timeout | -+-----------+-------------+------------------+------------------+ -| 1 | 4 * 1.8 ^ 0 | 4s | 4s | -+-----------+-------------+------------------+------------------+ -| 2 | 4 * 1.8 ^ 1 | 7s | 11s | -+-----------+-------------+------------------+------------------+ -| 3 | 4 * 1.8 ^ 2 | 13s | 24s | -+-----------+-------------+------------------+------------------+ -| 4 | 4 * 1.8 ^ 3 | 23s | 47s | -+-----------+-------------+------------------+------------------+ -| 5 | 4 * 1.8 ^ 4 | 42s | 89s | -+-----------+-------------+------------------+------------------+ -| peer down | 4 * 1.8 ^ 5 | 76s | 165s | -+-----------+-------------+------------------+------------------+ -``` diff --git a/docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md b/docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md deleted file mode 100644 index 5051860e..00000000 --- a/docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md +++ /dev/null @@ -1,184 +0,0 @@ -(remoteaccess-ipsec)= - -# IPSec IKEv2 Remote Access VPN - -```{eval-rst} -.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd - directives for command coverage tracking. -``` - -Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, -that establishes a secure VPN communication between VPN devices, and defines -negotiation and authentication processes for IPsec security associations (SAs). -It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors -as others call it. - -Key exchange and payload encryption is done using IKE and ESP proposals as known -from IKEv1 but the connections are faster to establish, more reliable, and also -support roaming from IP to IP (called MOBIKE which makes sure your connection -does not drop when changing networks from e.g. WIFI to LTE and back). -Authentication can be achieved with X.509 certificates. - -## Setting up certificates: - -First of all, we need to create a CA root certificate and server certificate -on the server side. - -```none -vyos@vpn.vyos.net# run generate pki ca install ca_root -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Enter country code: (Default: GB) -Enter state: (Default: Some-State) -Enter locality: (Default: Some-City) -Enter organization name: (Default: VyOS) -Enter common name: (Default: vyos.io) -Enter how many days certificate will be valid: (Default: 1825) -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] N -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -[edit] - - -vyos@vpn.vyos.net# comp -[pki ca] -+ ca_root { -+ certificate "MIIDnTCCAoWgAwI…." -+ private { -+ key "MIIEvAIBADANBgkqhkiG9….” - -vyos@vpn.vyos.net# run generate pki certificate sign ca_root install server_cert -Do you already have a certificate request? [y/N] N -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Enter country code: (Default: GB) -Enter state: (Default: Some-State) -Enter locality: (Default: Some-City) -Enter organization name: (Default: VyOS) -Enter common name: (Default: vyos.io) vpn.vyos.net -Do you want to configure Subject Alternative Names? [y/N] N -Enter how many days certificate will be valid: (Default: 365) -Enter certificate type: (client, server) (Default: server) -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] N -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - -vyos@vpn.vyos.net# comp -[pki certificate] -+ server_cert { -+ certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………" -+ private { -+ key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….." -+ } -+ } -``` - -Once the command is completed, it will add the certificate to the configuration -session, to the pki subtree. You can then review the proposed changes and -commit them. - -## Setting up IPSec: - -After the PKI certs are all set up we can start configuring our IPSec/IKE -proposals used for key-exchange end data encryption. The used encryption ciphers -and integrity algorithms vary from operating system to operating system. The -ones used in this example are validated to work on Windows 10. - -```none -set vpn ipsec esp-group ESP-RW lifetime '3600' -set vpn ipsec esp-group ESP-RW pfs 'disable' -set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' -set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' - -set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' -set vpn ipsec ike-group IKE-RW lifetime '7200' -set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' -set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' -set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' -``` - -Every connection/remote-access pool we configure also needs a pool where we -can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. -Authorized clients will receive an IPv4 address from the configured IPv4 prefix -and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers -down to our clients used on their connection. - -```none -set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' -set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' - -set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' -set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' -``` - -## Setting up tunnel: - -```none -set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1' -set vpn ipsec remote-access connection rw authentication server-mode 'x509' -set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root' -set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert' -set vpn ipsec remote-access connection rw esp-group 'ESP-RW' -set vpn ipsec remote-access connection rw ike-group 'IKE-RW' -set vpn ipsec remote-access connection rw local-address '192.0.2.1' -set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' -set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' -``` - -VyOS also supports two different modes of authentication, local and RADIUS. -To create a new local user named "vyos" with a password of "vyos" use the -following commands. - -```none -set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' -set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' -``` - -Some client operating systems like to see the servers certificate. The following -option causes the server to voluntarily send its certificate, even if it wasn't -requested. - -```none -set vpn ipsec remote-access connection rw authentication always-send-cert -``` - -## Client Configuration - -Most operating systems include native client support for IPsec IKEv2 VPN -connections, and others typically have an app or add-on package which adds the -capability. -This section covers IPsec IKEv2 client configuration for Windows 10. - -VyOS provides a command to generate a connection profile used by Windows clients -that will connect to the "rw" connection on our VyOS server. - -:::{note} -Windows expects the server name to be also used in the server's -certificate common name, so it's best to use this DNS name for your VPN -connection. -::: - -```none -vyos@vpn.vyos.net:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net - - -==== <snip> ==== -Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" - -Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants -GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force -==== </snip> ==== -``` - -Add the commands from Snippet in the Windows side via PowerShell. -Also import the root CA cert to the Windows “Trusted Root Certification -Authorities” and establish the connection. - -## Verification: - -```none -vyos@vpn.vyos.net:~$ show vpn ipsec remote-access summary - Connection ID Username Protocol State Uptime Tunnel IP Remote Host Remote ID IKE Proposal IPSec Proposal ---------------- ---------- ---------- ------- -------- ----------- ------------- ----------- ------------------------------------------ ------------------ - 5 vyos IKEv2 UP 37s 192.0.2.129 10.0.0.2 10.0.0.2 AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048 ESP:AES_GCM_16-128 -``` diff --git a/docs/configuration/vpn/ipsec/md-site2site_ipsec.md b/docs/configuration/vpn/ipsec/md-site2site_ipsec.md deleted file mode 100644 index a1a7d124..00000000 --- a/docs/configuration/vpn/ipsec/md-site2site_ipsec.md +++ /dev/null @@ -1,829 +0,0 @@ -(size2site-ipsec)= - -# IPsec Site-to-Site VPN - -## IPsec Site-to-Site VPN Types - -VyOS supports two types of IPsec VPN: Policy-based IPsec VPN and Route-based -IPsec VPN. - -### Policy-based VPN - -Policy-based VPN is based on static configured policies. Each policy creates -individual IPSec SA. Traffic matches these SAs encrypted and directed to the -remote peer. - -### Route-Based VPN - -Route-based VPN is based on secure traffic passing over Virtual Tunnel -Interfaces (VTIs). This type of IPsec VPNs allows using routing protocols. - -## Configuration Site-to-Site VPN - -### Requirements and Prerequisites for Site-to-Site VPN - -**Negotiated parameters that need to match** - -Phase 1 -: - IKE version - - Authentication - - Encryption - - Hashing - - PRF - - Lifetime - - :::{note} - Strongswan recommends to use the same lifetime value on both peers - ::: - -Phase 2 -: - Encryption - - Hashing - - PFS - - Mode (tunnel or transport) - - Lifetime - - :::{note} - Strongswan recommends to use the same lifetime value on both peers - ::: - - - Remote and Local networks in SA must be compatible on both peers - -### Configuration Steps for Site-to-Site VPN - -The next example shows the configuration one of the router participating in -IPsec VPN. - -Tunnel information: -: - Phase 1: - : - encryption: AES256 - - hash: SHA256 - - PRF: SHA256 - - DH: 14 - - lifetime: 28800 - - Phase 2: - : - IPsec mode: tunnel - - encryption: AES256 - - hash: SHA256 - - PFS: inherited from DH Phase 1 - - lifetime: 3600 - - If Policy based VPN is used - : - Remote network is 192.168.50.0/24. Local network is 192.168.10.0/24 - - If Route based VPN is used - : - IP of the VTI interface is 10.0.0.1/30 - -:::{note} -We do not recommend using policy-based vpn and route-based vpn configurations to the same peer. -::: - -**1. Configure ike-group (IKE Phase 1)** - -```none -set vpn ipsec ike-group IKE close-action 'start' -set vpn ipsec ike-group IKE key-exchange 'ikev1' -set vpn ipsec ike-group IKE lifetime '28800' -set vpn ipsec ike-group IKE proposal 10 dh-group '14' -set vpn ipsec ike-group IKE proposal 10 encryption 'aes256' -set vpn ipsec ike-group IKE proposal 10 hash 'sha256' -set vpn ipsec ike-group IKE proposal 10 prf 'prfsha256' -``` - -**2. Configure ESP-group (IKE Phase 2)** - -```none -set vpn ipsec esp-group ESP lifetime '3600' -set vpn ipsec esp-group ESP mode 'tunnel' -set vpn ipsec esp-group ESP pfs 'enable' -set vpn ipsec esp-group ESP proposal 10 encryption 'aes256' -set vpn ipsec esp-group ESP proposal 10 hash 'sha256' -``` - -**3. Specify interface facing to the protected destination.** - -```none -set vpn ipsec interface eth0 -``` - -**4. Configure PSK keys and authentication ids for this key if authentication type is PSK** - -```none -set vpn ipsec authentication psk PSK-KEY id '192.168.0.2' -set vpn ipsec authentication psk PSK-KEY id '192.168.5.2' -set vpn ipsec authentication psk PSK-KEY secret 'vyos' -``` - -To set base64 secret encode plaintext password to base64 and set secret-type - -```none -echo -n "vyos" | base64 -dnlvcw== -``` - -```none -set vpn ipsec authentication psk PSK-KEY secret 'dnlvcw==' -set vpn ipsec authentication psk PSK-KEY secret-type base64 -``` - -**5. Configure peer and apply IKE-group and esp-group to peer.** - -```none -set vpn ipsec site-to-site peer PEER1 authentication local-id '192.168.0.2' -set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' -set vpn ipsec site-to-site peer PEER1 authentication remote-id '192.168.5.2' -set vpn ipsec site-to-site peer PEER1 connection-type 'initiate' -set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP' -set vpn ipsec site-to-site peer PEER1 ike-group 'IKE' -set vpn ipsec site-to-site peer PEER1 local-address '192.168.0.2' -set vpn ipsec site-to-site peer PEER1 remote-address '192.168.5.2' - -Peer selects the key from step 4 according to local-id/remote-id pair. -``` - -**6. Depends to vpn type (route-based vpn or policy-based vpn).** - -> **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.** -> -> > ```none -> > set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24' -> > set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24' -> > ``` -> -> **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.** -> -> > ```none -> > set interfaces vti vti1 address 10.0.0.1/30 -> > set vpn ipsec site-to-site peer PEER1 vti bind vti1 -> > set vpn ipsec options disable-route-autoinstall -> > ``` -> > -> > Create routing between local networks via VTI interface using dynamic or -> > static routing. -> > -> > ```none -> > set protocol static route 192.168.50.0/24 next-hop 10.0.0.2 -> > ``` - -### Initiator and Responder Connection Types - -In Site-to-Site IPsec VPN it is recommended that one peer should be an -initiator and the other - the responder. The initiator actively establishes -the VPN tunnel. The responder passively waits for the remote peer to -establish the VPN tunnel. Depends on selected role it is recommended -select proper values for close-action and DPD action. - -The result of wrong value selection can be unstable work of the VPN. -: - Duplicate CHILD SA creation. - - None of the VPN sides initiates the tunnel establishment. - -Below flow-chart could be a quick reference for the close-action -combination depending on how the peer is configured. - -:::{figure} /_static/images/IPSec_close_action_settings.webp -::: - -Similar combinations are applicable for the dead-peer-detection. - -### Detailed Configuration Commands - -#### PSK Key Authentication - -```{eval-rst} -.. cfgcmd:: set vpn ipsec authentication psk <name> dhcp-interface - - ID for authentication generated from DHCP address - dynamically. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec authentication psk id <id> - - static ID's for authentication. In general local and remote - address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec authentication psk secret <secret> - - A predefined shared secret used in configured mode - ``pre-shared-secret``. Base64-encoded secrets are allowed if - `secret-type base64` is configured. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec authentication psk secret-type <type> - - Specifies the secret type: - - * **plaintext** - Plain text type (default value). - * **base64** - Base64 type. -``` - -#### Peer Configuration - -##### Peer Authentication Commands - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication mode <mode> - - Mode for authentication between VyOS and remote peer: - - * **pre-shared-secret** - Use predefined shared secret phrase. - * **rsa** - Use simple shared RSA key. - * **x509** - Use certificates infrastructure for authentication. - -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication local-id <id> - - ID for the local VyOS router. If defined, during the authentication - it will be send to remote peer. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication remote-id <id> - - ID for remote peer, instead of using peer name or - address. Useful in case if the remote peer is behind NAT - or if ``mode x509`` is used. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key> - - Name of PKI key-pair with local private key. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa remote-key <key> - - Name of PKI key-pair with remote public key. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa passphrase <passphrase> - - Local private key passphrase. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication use-x509-id <id> - - Use local ID from x509 certificate. Cannot be used when - ``id`` is defined. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 ca-certificate <name> - - Name of CA certificate in PKI configuration. Using for authenticating - remote peer in x509 mode. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 certificate <name> - - Name of certificate in PKI configuration, which will be used - for authenticating local router on remote peer. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec authentication x509 passphrase <passphrase> - - Private key passphrase, if needed. -``` - -##### Global Peer Configuration Commands - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> connection-type <type> - - Operational mode defines how to handle this connection process. - - * **initiate** - does initial connection to remote peer immediately - after configuring and after boot. In this mode the connection will - not be restarted in case of disconnection, therefore should be used - only together with DPD or another session tracking methods. - - * **trap** - does not try to initiate a connection to a remote - peer immediately. Instead, it installs a trap policy that will - trigger IKE negotiation and establish the IPsec session when - matching traffic is sent from the local side. This can be useful - when there is no direct connectivity to the peer due to firewall - or NAT in the middle of the local and remote side. - - .. warning:: The ``trap`` mode is not needed in most environments - and can lead to connection confusion or unintended tunnel uptime - behavior if used incorrectly. Using this mode requires careful - coordination with parameters such as ``close-action`` and DPD. - For most deployments, use ``initiate`` and ``none`` as described below. - - * **none** - loads the connection only, which then can be manually - initiated or used as a responder configuration. - - .. note:: For most site-to-site VPNs, configure one peer - with ``connection-type initiate`` (active side) and the other peer - with ``connection-type none`` (passive side) to - ensure stable and predictable tunnel behavior. - When using ``connection-type initiate``, you must also configure - DPD or another session tracking method (such as ``close-action``) - to automatically re-establish the tunnel after a disconnection. - Otherwise, the tunnel will not reconnect automatically if it goes down. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> default-esp-group <name> - - Name of ESP group to use by default for traffic encryption. - Might be overwritten by individual settings for tunnel or VTI - interface binding. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> description <description> - - Description for this peer. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> dhcp-interface <interface> - - Specify the interface which IP address, received from DHCP for IPSec - connection with this peer, will be used as ``local-address``. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> force-udp-encapsulation - - Force encapsulation of ESP into UDP datagrams. Useful in case if - between local and remote side is firewall or NAT, which not - allows passing plain ESP packets between them. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> ike-group <name> - - Name of IKE group to use for key exchanges. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> local-address <address> - - Local IP address for IPsec connection with this peer. - If defined ``any``, then an IP address which configured on interface with - default route will be used. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> remote-address <address> - - Remote IP address or hostname for IPsec connection. IPv4 or IPv6 - address is used when a peer has a public static IP address. Hostname - is a DNS name which could be used when a peer has a public IP - address and DNS name, but an IP address could be changed from time - to time. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> replay-window <size> - - IPsec replay window to configure for CHILD_SAs - (default: 32), a value of 0 disables IPsec replay protection. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> virtual-address <address> - - Defines a virtual IP address which is requested by the initiator and - one or several IPv4 and/or IPv6 addresses are assigned from multiple - pools by the responder. The wildcard addresses 0.0.0.0 and :: - request an arbitrary address, specific addresses may be defined. -``` - -##### CHILD SAs Configuration Commands - -###### Policy-Based CHILD SAs Configuration Commands - -Every configured tunnel under peer configuration is a new CHILD SA. - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> disable - - Disable this tunnel. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> esp-group <name> - - Specify ESP group for this CHILD SA. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> priority <number> - - Priority for policy-based IPsec VPN tunnels (lowest value more - preferable). -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> protocol <name> - - Define the protocol for match traffic, which should be encrypted and - send to this peer. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local prefix <network> - - IP network at the local side. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local port <number> - - Local port number. Have effect only when used together with - ``prefix``. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote prefix <network> - - IP network at the remote side. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote port <number> - - Remote port number. Have effect only when used together with - ``prefix``. -``` - -###### Route-Based CHILD SAs Configuration Commands - -To configure route-based VPN it is enough to create vti interface and -bind it to the peer. Any traffic, which will be send to VTI interface -will be encrypted and send to this peer. Using VTI makes IPsec -configuration much flexible and easier in complex situation, and -allows to dynamically add/delete remote networks, reachable via a -peer, as in this mode router don't need to create additional SA/policy -for each remote network. - -:::{warning} -When using site-to-site IPsec with VTI interfaces, -be sure to disable route autoinstall. -::: - -```none -set vpn ipsec options disable-route-autoinstall -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti bind <interface> - - VTI interface to bind to this peer. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti esp-group <name> - - ESP group for encrypt traffic, passed this VTI interface. -``` - -Traffic-selectors parameters for traffic that should pass via vti -interface. - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector local prefix <network> - - Local prefix for interesting traffic. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector remote prefix <network> - - Remote prefix for interesting traffic. -``` - -### IPsec Op-mode Commands - -```{eval-rst} -.. opcmd:: show vpn ike sa - - Shows active IKE SAs information. -``` - -```{eval-rst} -.. opcmd:: show vpn ike secrets - - Shows configured authentication keys. -``` - -```{eval-rst} -.. opcmd:: show vpn ike status - - Shows Strongswan daemon status. -``` - -```{eval-rst} -.. opcmd:: show vpn ipsec connections - - Shows summary status of all configured IKE and IPsec SAs. -``` - -```{eval-rst} -.. opcmd:: show vpn ipsec sa [detail] - - Shows active IPsec SAs information. -``` - -```{eval-rst} -.. opcmd:: show vpn ipsec status - - Shows status of IPsec process. -``` - -```{eval-rst} -.. opcmd:: show vpn ipsec policy - - Shows the in-kernel crypto policies. -``` - -```{eval-rst} -.. opcmd:: show vpn ipsec state - - Shows the in-kernel crypto state. -``` - -```{eval-rst} -.. opcmd:: show log ipsec - - Shows IPsec logs. -``` - -```{eval-rst} -.. opcmd:: reset vpn ipsec site-to-site all - - Clear all ipsec connection and reinitiate them if VyOS is configured - as initiator. -``` - -```{eval-rst} -.. opcmd:: reset vpn ipsec site-to-site peer <name> - - Clear all peer IKE SAs with IPsec SAs and reinitiate them if VyOS is - configured as initiator. -``` - -```{eval-rst} -.. opcmd:: reset vpn ipsec site-to-site peer <name> tunnel <number> - - Clear scpecific IPsec SA and reinitiate it if VyOS is configured as - initiator. -``` - -```{eval-rst} -.. opcmd:: reset vpn ipsec site-to-site peer <name> vti <number> - - Clear IPsec SA which is map to vti interface of this peer and - reinitiate it if VyOS is configured as initiator. -``` - -```{eval-rst} -.. opcmd:: restart ipsec - - Restart Strongswan daemon. -``` - -## Examples: - -### Policy-Based VPN Example - -**PEER1:** - -- WAN interface on `eth0` -- `eth0` interface IP: `10.0.1.2/30` -- `dum0` interface IP: `192.168.0.1/24` (for testing purposes) -- Initiator - -**PEER2:** - -- WAN interface on `eth0` -- `eth0` interface IP: `10.0.2.2/30` -- `dum0` interface IP: `192.168.1.0/24` (for testing purposes) -- Responder - -```none -# PEER1 -set interfaces dummy dum0 address '192.168.0.1/32' -set interfaces ethernet eth0 address '10.0.1.2/30' -set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 -set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' -set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' -set vpn ipsec authentication psk AUTH-PSK secret 'test' -set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' -set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' -set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' -set vpn ipsec ike-group IKE-GROUP close-action 'start' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' -set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' -set vpn ipsec ike-group IKE-GROUP lifetime '28800' -set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' -set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' -set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' -set vpn ipsec interface 'eth0' -set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2' -set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' -set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' -set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' -set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' -set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' -set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' -set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' -set vpn ipsec site-to-site peer PEER2 tunnel 0 local prefix '192.168.0.0/24' -set vpn ipsec site-to-site peer PEER2 tunnel 0 remote prefix '192.168.1.0/24' - - -# PEER2 -set interfaces dummy dum0 address '192.168.1.1/32' -set interfaces ethernet eth0 address '10.0.2.2/30' -set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 -set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' -set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' -set vpn ipsec authentication psk AUTH-PSK secret 'test' -set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' -set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' -set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' -set vpn ipsec ike-group IKE-GROUP close-action 'none' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' -set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' -set vpn ipsec ike-group IKE-GROUP lifetime '28800' -set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' -set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' -set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' -set vpn ipsec interface 'eth0' -set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2' -set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' -set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2' -set vpn ipsec site-to-site peer PEER1 connection-type 'none' -set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' -set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' -set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' -set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' -set vpn ipsec site-to-site peer PEER1 tunnel 0 local prefix '192.168.1.0/24' -set vpn ipsec site-to-site peer PEER1 tunnel 0 remote prefix '192.168.0.0/24' -``` - -Show status of policy-based IPsec VPN setup: - -```none -vyos@PEER2:~$ show vpn ike sa -Peer ID / IP Local ID / IP ------------- ------------- -10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 - - State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time - ----- ------ ------- ---- --------- ----- ------ ------ - up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 1254 25633 - - -vyos@srv-gw0:~$ show vpn ipsec sa -Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal --------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- -PEER1-tunnel-0 up 20m42s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 - -vyos@PEER2:~$ show vpn ipsec connections -Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal --------------- ------- ------ ---------------- -------------- -------------- ---------- ----------- ---------------------------------- -PEER1 up IKEv1 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 -PEER1-tunnel-0 up IPsec 10.0.1.2 192.168.1.0/24 192.168.0.0/24 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 -``` - -If there is SNAT rules on eth0, need to add exclude rule - -```none -# PEER1 side -set nat source rule 10 destination address '192.168.1.0/24' -set nat source rule 10 'exclude' -set nat source rule 10 outbound-interface name 'eth0' -set nat source rule 10 source address '192.168.0.0/24' - -# PEER2 side -set nat source rule 10 destination address '192.168.0.0/24' -set nat source rule 10 'exclude' -set nat source rule 10 outbound-interface name 'eth0' -set nat source rule 10 source address '192.168.1.0/24' -``` - -### Route-Based VPN Example - -**PEER1:** - -- WAN interface on `eth0` -- `eth0` interface IP: `10.0.1.2/30` -- 'vti0' interface IP: `10.100.100.1/30` -- `dum0` interface IP: `192.168.0.1/24` (for testing purposes) -- Role: Initiator - -**PEER2:** - -- WAN interface on `eth0` -- `eth0` interface IP: `10.0.2.2/30` -- 'vti0' interface IP: `10.100.100.2/30` -- `dum0` interface IP: `192.168.1.0/24` (for testing purposes) -- Role: Responder - -```none -# PEER1 -set interfaces dummy dum0 address '192.168.0.1/32' -set interfaces ethernet eth0 address '10.0.1.2/30' -set interfaces vti vti0 address '10.100.100.1/30' -set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 -set protocols static route 192.168.1.0/24 next-hop 10.100.100.2 -set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' -set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' -set vpn ipsec authentication psk AUTH-PSK secret 'test' -set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' -set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' -set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' -set vpn ipsec ike-group IKE-GROUP close-action 'start' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' -set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' -set vpn ipsec ike-group IKE-GROUP lifetime '28800' -set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' -set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' -set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' -set vpn ipsec interface 'eth0' -set vpn ipsec options disable-route-autoinstall -set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2' -set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' -set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' -set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' -set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' -set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' -set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' -set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' -set vpn ipsec site-to-site peer PEER2 vti bind 'vti0' - - -# PEER2 -set interfaces dummy dum0 address '192.168.1.1/32' -set interfaces ethernet eth0 address '10.0.2.2/30' -set interfaces vti vti0 address '10.100.100.2/30' -set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 -set protocols static route 192.168.0.0/24 next-hop 10.100.100.1 -set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' -set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' -set vpn ipsec authentication psk AUTH-PSK secret 'test' -set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' -set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' -set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' -set vpn ipsec ike-group IKE-GROUP close-action 'none' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' -set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' -set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' -set vpn ipsec ike-group IKE-GROUP lifetime '28800' -set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' -set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' -set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' -set vpn ipsec interface 'eth0' -set vpn ipsec options disable-route-autoinstall -set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2' -set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' -set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2' -set vpn ipsec site-to-site peer PEER1 connection-type 'none' -set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' -set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' -set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' -set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' -set vpn ipsec site-to-site peer PEER1 vti bind 'vti0' -``` - -Show status of route-based IPsec VPN setup: - -```none -vyos@PEER2:~$ show vpn ike sa -Peer ID / IP Local ID / IP ------------- ------------- -10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 - - State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time - ----- ------ ------- ---- --------- ----- ------ ------ - up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 404 27650 - -vyos@PEER2:~$ show vpn ipsec sa -Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal ------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- -PEER1-vti up 3m28s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 - -vyos@PEER2:~$ show vpn ipsec connections -Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal ------------- ------- ------ ---------------- ---------- ----------- ---------- ----------- ---------------------------------- -PEER1 up IKEv2 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 -PEER1-vti up IPsec 10.0.1.2 0.0.0.0/0 0.0.0.0/0 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 - ::/0 ::/0 -``` diff --git a/docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md b/docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md deleted file mode 100644 index 80c92378..00000000 --- a/docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md +++ /dev/null @@ -1,310 +0,0 @@ -# Troubleshooting Site-to-Site VPN IPsec - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -## Introduction - -This document describes the methodology to monitor and troubleshoot -Site-to-Site VPN IPsec. - -Steps for troubleshooting problems with Site-to-Site VPN IPsec: -1. Ping the remote site through the tunnel using the source and - destination IPs included in the policy. -2. Check connectivity between the routers using the ping command - (if ICMP traffic is allowed). -3. Check the IKE SAs' statuses. -4. Check the IPsec SAs' statuses. -5. Check logs to view debug messages. - -## Checking IKE SA Status - -The next command shows IKE SAs' statuses. - -``` none -vyos@vyos:~$ show vpn ike sa - -Peer ID / IP Local ID / IP ------------- ------------- -192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 - - State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time - ----- ------ ------- ---- --------- ----- ------ ------ - up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023 -``` - -This command shows the next information: -- IKE SA status. -- Selected IKE version. -- Selected Encryption, Hash and Diffie-Hellman Group. -- NAT-T. -- ID and IP of both peers. -- A-Time: established time, L-Time: time for next rekeying. - -## IPsec SA (CHILD SA) Status - -The next commands show IPsec SAs' statuses. - -``` none -vyos@vyos:~$ show vpn ipsec sa -Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal -------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- -PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048 -``` - -``` none -vyos@vyos:~$ show vpn ipsec sa detail -PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r - local '192.168.0.1' @ 192.168.0.1[4500] - remote '192.168.1.2' @ 192.168.1.2[4500] - AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 - established 4054s ago, rekeying in 23131s - PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048 - installed 1065s ago, rekeying in 1998s, expires in 2535s - in c5821882, 168 bytes, 2 packets, 81s ago - out c433406a, 168 bytes, 2 packets, 81s ago - local 10.0.0.0/24 - remote 10.0.1.0/24 -``` - -These commands show the next information: -- IPsec SA status. -- Uptime and time for the next rekeing. -- Amount of transferred data. -- Remote and local ID and IP. -- Selected Encryption, Hash and Diffie-Hellman Group. -- Mode (tunnel or transport). -- Remote and local prefixes which are use for policy. - -There is a possibility to view the summarized information of SAs' status - -``` none -vyos@vyos:~$ show vpn ipsec connections -Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal -------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ---------------------------------- -PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 -PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 -``` - -## Viewing Logs for Debugging - -If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity -using logs `show log ipsec` - -The next example of the successful IPsec connection initialization. - -``` none -vyos@vyos:~$ show log ipsec -Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) -Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] -Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) -Jun 20 14:29:47 charon[2428]: 02[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] -Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key -Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key -Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1} -Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1} -Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] -Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] -Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) -Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) -Jun 20 14:29:47 charon[2428]: 13[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) -Jun 20 14:29:47 charon[2428]: 13[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] -Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful -Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> peer supports MOBIKE -Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] -Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> scheduling rekeying in 27703s -Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> maximum IKE_SA lifetime 30583s -Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s -Jun 20 14:29:47 charon[2428]: 13[CFG] <PEER|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ -Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s -Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 -Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 -``` - -## Troubleshooting Examples - -### IKE PROPOSAL are Different - -In this situation, IKE SAs can be down or not active. - -``` none -vyos@vyos:~$ show vpn ike sa -``` - -The problem is in IKE phase (Phase 1). The next step is checking debug logs. - -Responder Side: - -``` none -Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable -Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable -Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] -``` - -Initiator side: - -``` none -Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] -Jun 23 07:36:32 charon[2444]: 14[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify error -Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error -``` - -The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch. -On the Responder side there is concrete information where is mismatch. -Encryption **AES_CBC_128** is configured in IKE policy on the responder -but **AES_CBC_256** is configured on the initiator side. - -### PSK Secret Mismatch - -In this situation, IKE SAs can be down or not active. - -``` none -vyos@vyos:~$ show vpn ike sa -``` - -The problem is in IKE phase (Phase 1). The next step is checking debug logs. - -Responder: - -``` none -Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched -Jun 23 08:07:26 charon[2440]: 13[ENC] <PEER|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] -``` - -Initiator side: - -``` none -Jun 23 08:07:24 charon[2436]: 12[ENC] <PEER|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] -Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] -Jun 23 08:07:24 charon[2436]: 12[IKE] <PEER|1> received AUTHENTICATION_FAILED notify error -Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error -``` - -The notification **AUTHENTICATION_FAILED** means that the authentication -is failed. There is a reason to check PSK on both side. - -### ESP Proposal Mismatch - -The output of **show** commands shows us that IKE SA is established but -IPSec SA is not. - -``` none -vyos@vyos:~$ show vpn ike sa -Peer ID / IP Local ID / IP ------------- ------------- -192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 - - State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time - ----- ------ ------- ---- --------- ----- ------ ------ - up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817 -``` - -``` none -vyos@vyos:~$ show vpn ipsec sa -Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal ------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------- -``` - -The next step is checking debug logs. - -Initiator side: - -``` none -Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) -Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] -Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) -Jun 23 08:16:10 charon[3789]: 13[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] -Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key -Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key -Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1} -Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1} -Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] -Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] -Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) -Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) -Jun 23 08:16:10 charon[3789]: 09[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) -Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) -Jun 23 08:16:10 charon[3789]: 09[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] -Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful -Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> peer supports MOBIKE -Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] -Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> scheduling rekeying in 26975s -Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> maximum IKE_SA lifetime 29855s -Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built -Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA -Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA -``` - -There are messages: **NO_PROPOSAL_CHOSEN** and -**failed to establish CHILD_SA** which refers that the problem is in -the IPsec(ESP) proposal mismatch. - -The reason of this problem is showed on the responder side. - -``` none -Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ -Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ -Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ -Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ -Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> no acceptable proposal found -Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found -Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> failed to establish CHILD_SA, keeping IKE_SA -``` - -Encryption **AES_CBC_128** is configured in IKE policy on the -responder but **AES_CBC_256** is configured on the initiator side. - -### Prefixes in Policies Mismatch - -As in previous situation, IKE SA is in up state but IPsec SA is not up. -According to logs we can see **TS_UNACCEPTABLE** notification. It means -that prefixes (traffic selectors) mismatch on both sides - -Initiator: - -``` none -Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> received TS_UNACCEPTABLE notify, no CHILD_SA built -Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s -Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA -Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built -Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA -``` - -The reason of this problem is showed on the responder side. - -``` none -Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable -Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable -Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> failed to establish CHILD_SA, keeping IKE_SA -Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA -Jun 23 14:13:19 charon[2440]: 01[ENC] <PEER|7> generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] -Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] -``` - -Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the -responder side. diff --git a/docs/configuration/vpn/md-dmvpn.md b/docs/configuration/vpn/md-dmvpn.md deleted file mode 100644 index 16c9d40c..00000000 --- a/docs/configuration/vpn/md-dmvpn.md +++ /dev/null @@ -1,446 +0,0 @@ -(vpn-dmvpn)= - -# DMVPN - -{abbr}`DMVPN (Dynamic Multipoint Virtual Private Network)` is a dynamic -{abbr}`VPN (Virtual Private Network)` technology originally developed by Cisco. -While their implementation was somewhat proprietary, the underlying -technologies are actually standards based. The three technologies are: - -- {abbr}`NHRP (Next Hop Resolution Protocol)` {rfc}`2332` -- {abbr}`mGRE (Multipoint Generic Routing Encapsulation)` {rfc}`1702` -- {abbr}`IPSec (IP Security)` - too many RFCs to list, but start with - {rfc}`4301` - -NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint -registration, and endpoint discovery/lookup), mGRE provides the tunnel -encapsulation itself, and the IPSec protocols handle the key exchange, and -crypto mechanism. - -In short, DMVPN provides the capability for creating a dynamic-mesh VPN -network without having to pre-configure (static) all possible tunnel end-point -peers. - -:::{note} -DMVPN only automates the tunnel endpoint discovery and setup. A -complete solution also incorporates the use of a routing protocol. BGP is -particularly well suited for use with DMVPN. -::: - -:::{figure} /_static/images/vpn_dmvpn_topology01.webp -:alt: Baseline DMVPN topology -:scale: 40 % - -Baseline DMVPN topology -::: - -## Configuration - -### Tunnel interface configuration - -NHRP never handles routing of prefixes itself. You need to run some real routing -protocol (e.g. BGP) to advertise routes over the tunnels. What nhrpd does it -establishes ‘shortcut routes’ that optimizes the routing protocol to avoid going -through extra nodes in NBMA GRE mesh. - -NHRP does route NHRP domain addresses individually using per-host prefixes. -This is similar to Cisco FlexVPN, but in contrast to opennhrp which uses -a generic subnet route. - -To create NBMA GRE tunnel you might use the following: - -```none -set interfaces tunnel tun100 address '10.0.0.1/32' -set interfaces tunnel tun100 enable-multicast -set interfaces tunnel tun100 encapsulation 'gre' -set interfaces tunnel tun100 ip adjust-mss '1360' -set interfaces tunnel tun100 mtu '1400' -set interfaces tunnel tun100 parameters ip key '42' -set interfaces tunnel tun100 source-interface 'eth0' -``` - -- Please refer to the {ref}`tunnel-interface` documentation for the individual - tunnel related options. - - :::{note} - The IP-address is assigned as host prefix to tunnel interface. - NHRP will automatically create additional host routes pointing to tunnel interface - when a connection with these hosts is established. - ::: - -The tunnel interface subnet prefix should be announced by routing protocol -from the hub nodes (e.g. BGP ‘network’ announce). This allows the routing -protocol to decide which is the closest hub and determine the relay hub on -prefix basis when direct tunnel is not established. - -### NHRP protocol configuration - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> authentication <secret> - - Enables Cisco style authentication on NHRP packets. This embeds the - plaintext password to the outgoing NHRP packets. Maximum length of - the password is 8 characters. -``` - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> holdtime <timeout> - - Holdtime is the number of seconds that have to pass before stopping to - advertise an NHRP NBMA address as valid. It also controls how often NHRP - registration requests are sent. By default registrations are sent every - one third of the holdtime -``` - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> map tunnel-ip <tunnel-ip> - nbma <nbma-ip> - - * **tunnel-ip** - Tunnel ip address in format **x.x.x.x**. - * **nbma-ip** - NBMA ip address in format **x.x.x.x** or **local** - - Map an IP address of a station to the station’s NBMA address. -``` - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> mtu <mtu> - - Configure NHRP advertised MTU. -``` - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> multicast <nbma-ip> - - * **nbma-ip** - NBMA ip address in format **x.x.x.x** or **dynamic** - - Sends multicast packets to the specified NBMA address. If dynamic is specified - then destination NBMA address (or addresses) are learnt dynamically. -``` - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> network-id <network-id> - - * **network-id** - NHRP network id <1-4294967295> - - Enable NHRP on this interface and set the interface’s network ID. The network ID - is used to allow creating multiple nhrp domains on a router when multiple interfaces - are configured on the router. Interfaces configured with the same ID are part of the - same logical NBMA network. The ID is a local only parameter and is not sent to other - NHRP nodes and so IDs on different nodes do not need to match. When NHRP packets are - received on an interface they are assigned to the local NHRP domain for that interface. -``` - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> nhs tunnel-ip <tunnel-ip> nbma <nbma-ip> - - * **tunnel-ip** - Tunnel ip address in format **x.x.x.x** or **dynamic** - * **nbma-ip** - NBMA ip address in format **x.x.x.x** - - Configure the Next Hop Server address and its NBMA address. If dynamic is specified - then Next Hop Server can have dynamic address which maps to its NBMA address. -``` - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> redirect - - This enable redirect replies on the NHS similar to ICMP redirects except this is - managed by the nhrp protocol. This setting allows spokes to communicate with each - others directly. -``` - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> registration-no-unique - - Allow the client to not set the unique flag in the NHRP packets. This is useful when - a station has a dynamic IP address that could change over time. -``` - -```{eval-rst} -.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut - - Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others directly - after establishing a connection without going through the hub. -``` - -### IPSEC configuration - -- Please refer to the {ref}`ipsec_general` documentation for the individual IPSec - related options. - -:::{note} -NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action' -parameter in IKE configuration always is set to 'close' and 'dead-peer-detection action' -always is set to 'clear'. -::: - -```{eval-rst} -.. cfgcmd:: set vpn ipsec profile <profile-name> authentication mode pre-shared-secret - - Set preshared secret mode authentication -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec profile <profile-name> authentication pre-shared-secret <secret> - - Set preshared secret -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec profile <profile-name> bind tunnel <tunnel name> - - Bind IPSEC profile to the specific tunnel interface. -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec profile <profile-name> esp-group 'ESP-HUB' - - Map ESP group to IPSEC profile -``` - -```{eval-rst} -.. cfgcmd:: set vpn ipsec profile <profile-name> ike-group 'IKE-HUB' - - Map IKE group to IPSEC profile -``` - -## Monitoring - -```{eval-rst} -.. opcmd:: show ip nhrp cache - - Forwarding cache information. -``` - -```{eval-rst} -.. opcmd:: show ip nhrp nhs - - Next hop server information. -``` - -```{eval-rst} -.. opcmd:: show ip nhrp shortcut - - Shortcut information. -``` - -## Example - -This blueprint uses VyOS as the DMVPN Hub and Cisco IOSv 15.5(3)M and VyOS as -multiple spoke sites. - -:::{figure} /_static/images/blueprint-dmvpn.webp -:align: center -:alt: DMVPN Network Topology Diagram -:width: 70% - -DMVPN Network Topology Diagram -::: - -Each node (Hub and Spoke) uses an IP address from the network 10.0.0.0/24. - -The below referenced IP address `192.168.0.2` is used as example address -representing a global unicast address under which the HUB can be contacted by -each and every individual spoke. - -(dmvpn-example-configuration)= - -### Configuration - -#### Hub - -##### VyOS-HUB-1 - -```none -set interfaces ethernet eth0 address '192.168.0.2/30' - -set interfaces tunnel tun100 address '10.0.0.100/32' -set interfaces tunnel tun100 enable-multicast -set interfaces tunnel tun100 encapsulation 'gre' -set interfaces tunnel tun100 parameters ip key '42' -set interfaces tunnel tun100 source-interface 'eth0' - -set protocols nhrp tunnel tun100 authentication 'test123' -set protocols nhrp tunnel tun100 holdtime '300' -set protocols nhrp tunnel tun100 multicast 'dynamic' -set protocols nhrp tunnel tun100 network-id '1' -set protocols nhrp tunnel tun100 redirect -set protocols nhrp tunnel tun100 registration-no-unique - -set protocols static route 0.0.0.0/0 next-hop 192.168.0.1 - -set vpn ipsec esp-group ESP-HUB lifetime '1800' -set vpn ipsec esp-group ESP-HUB mode 'transport' -set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' -set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' -set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' -set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' -set vpn ipsec ike-group IKE-HUB lifetime '3600' -set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' -set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' -set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' -set vpn ipsec interface 'eth0' -set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' -set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' -set vpn ipsec profile NHRPVPN bind tunnel 'tun100' -set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' -set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' -``` - -:::{note} -Setting this up on AWS will require a "Custom Protocol Rule" for -protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC -Network ACL, and secondly on the security group network ACL attached to the -EC2 instance. This has been tested as working for the official AMI image on -the AWS Marketplace. (Locate the correct VPC and security group by navigating -through the details pane below your EC2 instance in the AWS console). -::: - -#### Spokes - -> The individual spoke configurations only differ in interface IP addresses. - -##### VyOS-Spoke-1 and VyOS-Spoke-2 - -```none -set interfaces ethernet eth0 address '192.168.1.2/30' - -set interfaces tunnel tun100 address '10.0.0.1/32' -set interfaces tunnel tun100 enable-multicast -set interfaces tunnel tun100 encapsulation 'gre' -set interfaces tunnel tun100 parameters ip key '42' -set interfaces tunnel tun100 source-interface 'eth0' - -set protocols nhrp tunnel tun100 authentication 'test123' -set protocols nhrp tunnel tun100 holdtime '300' -set protocols nhrp tunnel tun100 multicast 'dynamic' -set protocols nhrp tunnel tun100 network-id '1' -set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '192.168.0.2' -set protocols nhrp tunnel tun100 registration-no-unique -set protocols nhrp tunnel tun100 shortcut - -set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 -set protocols static route 10.0.0.0/24 next-hop 10.0.0.100 - -set vpn ipsec esp-group ESP-HUB lifetime '1800' -set vpn ipsec esp-group ESP-HUB mode 'transport' -set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' -set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' -set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' -set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' -set vpn ipsec ike-group IKE-HUB lifetime '3600' -set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' -set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' -set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' -set vpn ipsec interface 'eth0' -set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' -set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' -set vpn ipsec profile NHRPVPN bind tunnel 'tun100' -set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' -set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' -``` - -##### Cisco-Spoke-3 - -```none -crypto isakmp policy 10 - encr aes 256 - authentication pre-share - group 2 - lifetime 3600 -crypto isakmp key secret address 0.0.0.0 -! -! -crypto ipsec transform-set DMVPNESP esp-aes 256 esp-sha-hmac - mode transport -! -crypto ipsec profile DMVPNPROFILE - set security-association lifetime seconds 1800 - set transform-set DMVPNESP - set pfs group2 -! -! -! -! -! -! -! -interface Tunnel100 - ip address 10.0.0.3 255.255.255.0 - no ip redirects - ip nhrp authentication test123 - ip nhrp map multicast dynamic - ip nhrp network-id 1 - ip nhrp holdtime 300 - ip nhrp nhs 10.0.0.100 nbma 192.168.0.2 - ip nhrp registration no-unique - ip nhrp redirect -tunnel source GigabitEthernet0/0 - tunnel mode gre multipoint - tunnel key 42 - tunnel protection ipsec profile DMVPNPROFILE -! -interface GigabitEthernet0/0 - ip address 192.168.3.2 255.255.255.252 - duplex auto - speed auto - media-type rj45 -! -ip route 0.0.0.0 0.0.0.0 192.168.3.1 -``` - -##### Monitoring DMVPN Network - -Let send ICMP packets from VyOS-SPOKE-1 to Cisco-SPOKE-3 - -```none -vyos@vyos:~$ ping 10.0.0.3 -PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. -64 bytes from 10.0.0.3: icmp_seq=1 ttl=255 time=3.44 ms -64 bytes from 10.0.0.3: icmp_seq=2 ttl=255 time=3.07 ms -^C ---- 10.0.0.3 ping statistics --- -2 packets transmitted, 2 received, 0% packet loss, time 1002ms -rtt min/avg/max/mdev = 3.072/3.257/3.442/0.185 ms -``` - -##### Monitoring on HUB - -```none -vyos@vyos:~$ show ip nhrp cache -Iface Type Protocol NBMA Claimed NBMA Flags Identity -tun100 dynamic 10.0.0.1 192.168.1.2 192.168.1.2 T 192.168.1.2 -tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2 -tun100 dynamic 10.0.0.2 192.168.2.2 192.168.2.2 T 192.168.2.2 -tun100 local 10.0.0.100 192.168.0.2 192.168.0.2 - - -vyos@vyos:~$ show vpn ipsec sa -Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal --------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- -dmvpn-NHRPVPN-tun100-child up 3m46s 230B/270B 2/2 192.168.1.2 192.168.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 -dmvpn-NHRPVPN-tun100-child up 5m48s 460B/540B 4/4 192.168.2.2 192.168.2.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 -dmvpn-NHRPVPN-tun100-child up 16m26s 1K/1K 13/12 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 -``` - -##### Monitoring on Spokes - -```none -vyos@vyos:~$ show ip nhrp cache -Iface Type Protocol NBMA Claimed NBMA Flags Identity -tun100 local 10.0.0.1 192.168.1.2 192.168.1.2 - -tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2 -tun100 nhs 10.0.0.100 192.168.0.2 192.168.0.2 T 192.168.0.2 - -vyos@vyos:~$ show ip nhrp nhs -Iface FQDN NBMA Protocol -tun100 192.168.0.2 192.168.0.2 10.0.0.100 - -vyos@vyos:~$ show ip nhrp shortcut -Type Prefix Via Identity -dynamic 10.0.0.3/32 10.0.0.3 192.168.3.2 - -vyos@vyos:~$ show vpn ipsec sa -Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal --------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- -dmvpn-NHRPVPN-tun100-child up 6m43s 898B/695B 7/6 192.168.0.2 192.168.0.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 -dmvpn-NHRPVPN-tun100-child up 49s 215B/187B 2/2 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 -``` diff --git a/docs/configuration/vpn/md-index.md b/docs/configuration/vpn/md-index.md deleted file mode 100644 index 0d4fb293..00000000 --- a/docs/configuration/vpn/md-index.md +++ /dev/null @@ -1,13 +0,0 @@ -# VPN - -<div class="toctree" maxdepth="1" includehidden=""> - -dmvpn -ipsec/index -l2tp -openconnect -pptp -rsa-keys -sstp - -</div> diff --git a/docs/configuration/vpn/md-l2tp.md b/docs/configuration/vpn/md-l2tp.md deleted file mode 100644 index d932d095..00000000 --- a/docs/configuration/vpn/md-l2tp.md +++ /dev/null @@ -1,624 +0,0 @@ -(l2tp)= - -# L2TP - -VyOS utilizes [accel-ppp] to provide L2TP server functionality. It can be used -with local authentication or a connected RADIUS server. - -## Configuring L2TP Server - -```none -set vpn l2tp remote-access authentication mode local -set vpn l2tp remote-access authentication local-users username test password 'test' -set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 -set vpn l2tp remote-access default-pool 'L2TP-POOL' -set vpn l2tp remote-access outside-address 192.0.2.2 -set vpn l2tp remote-access gateway-address 192.168.255.1 -``` - -```{cfgcmd} set vpn l2tp remote-access authentication mode \<local | radius\> - -Set authentication backend. The configured authentication backend is used -for all queries. - -* **radius**: All authentication queries are handled by a configured RADIUS - server. -* **local**: All authentication queries are handled locally. -``` - - -```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> password \<pass\> - -Create `<user>` for local authentication on this system. The users password -will be set to `<pass>`. -``` - - -```{cfgcmd} set vpn l2tp remote-access client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\> - -Use this command to define the first IP address of a pool of -addresses to be given to l2tp clients. If notation ``x.x.x.x-x.x.x.x``, -it must be within a /24 subnet. If notation ``x.x.x.x/x`` is -used there is possibility to set host/netmask. -``` - - -```{cfgcmd} set vpn l2tp remote-access default-pool \<POOL-NAME\> - -Use this command to define default address pool name. -``` - - -```{cfgcmd} set vpn l2tp remote-access gateway-address \<gateway\> - -Specifies single `<gateway>` IP address to be used as local address of PPP -interfaces. -``` - - -## Configuring IPsec - -```none -set vpn ipsec interface eth0 -set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret -set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret secret -``` - - -```{cfgcmd} set vpn ipsec interface \<INTERFACE\> - -Use this command to define IPsec interface. -``` - - -```{cfgcmd} set vpn l2tp remote-access ipsec-settings authentication mode \<pre-shared-secret | x509\> - -Set mode for IPsec authentication between VyOS and L2TP clients. -``` - - -```{cfgcmd} set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret \<secret\> - -Set predefined shared secret phrase. -``` - -If a local firewall policy is in place on your external interface you will need -to allow the ports below: -- UDP port 500 (IKE) -- IP protocol number 50 (ESP) -- UDP port 1701 for IPsec - -As well as the below to allow NAT-traversal (when NAT is detected by the -VPN client, ESP is encapsulated in UDP for NAT-traversal): - -- UDP port 4500 (NAT-T) - -Example: - -```none -set firewall ipv4 name OUTSIDE-LOCAL rule 40 action 'accept' -set firewall ipv4 name OUTSIDE-LOCAL rule 40 protocol 'esp' -set firewall ipv4 name OUTSIDE-LOCAL rule 41 action 'accept' -set firewall ipv4 name OUTSIDE-LOCAL rule 41 destination port '500' -set firewall ipv4 name OUTSIDE-LOCAL rule 41 protocol 'udp' -set firewall ipv4 name OUTSIDE-LOCAL rule 42 action 'accept' -set firewall ipv4 name OUTSIDE-LOCAL rule 42 destination port '4500' -set firewall ipv4 name OUTSIDE-LOCAL rule 42 protocol 'udp' -set firewall ipv4 name OUTSIDE-LOCAL rule 43 action 'accept' -set firewall ipv4 name OUTSIDE-LOCAL rule 43 destination port '1701' -set firewall ipv4 name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec' -set firewall ipv4 name OUTSIDE-LOCAL rule 43 protocol 'udp' -``` - -To allow VPN-clients access via your external address, a NAT rule is required: - -```none -set nat source rule 110 outbound-interface name 'eth0' -set nat source rule 110 source address '192.168.255.0/24' -set nat source rule 110 translation address masquerade -``` - - -## Configuring RADIUS authentication - -To enable RADIUS based authentication, the authentication mode needs to be -changed within the configuration. Previous settings like the local users, still -exists within the configuration, however they are not used if the mode has been -changed from local to radius. Once changed back to local, it will use all local -accounts again. - -```none -set vpn l2tp remote-access authentication mode radius -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> key \<secret\> - -Configure RADIUS `<server>` and its required shared `<secret>` for -communicating with the RADIUS server. -``` - -Since the RADIUS server would be a single point of failure, multiple RADIUS -servers can be setup and will be used subsequentially. -For example: - -```none -set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo' -set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' -``` - -:::{note} -Some RADIUS severs use an access control list which allows or denies -queries, make sure to add your VyOS router to the allowed client list. -::: - -### RADIUS source address - -If you are using OSPF as your IGP, use the interface connected closest to the -RADIUS server. You can bind all outgoing RADIUS requests to a single source IP -e.g. the loopback interface. - -```{cfgcmd} set vpn l2tp remote-access authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - -:::{note} -The `source-address` must be configured to that of an interface. -Best practice would be a loopback or dummy interface. -::: - -### RADIUS advanced options - -```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> port \<port\> - -Configure RADIUS `<server>` and its required port for authentication requests. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> fail-time \<time\> - -Mark RADIUS server as offline for this given `<time>` in seconds. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> disable - -Temporary disable this RADIUS server. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius acct-timeout \<timeout\> - -Timeout to wait reply for Interim-Update packets. (default 3 seconds) -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius dynamic-author server \<address\> - -Specifies IP address for Dynamic Authorization Extension server (DM/CoA). -This IP must exist on any VyOS interface or it can be ``0.0.0.0``. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius dynamic-author port \<port\> - -UDP port for Dynamic Authorization Extension server (DM/CoA) -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius dynamic-author key \<secret\> - -Secret for Dynamic Authorization Extension server (DM/CoA) -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius max-try \<number\> - -Maximum number of tries to send Access-Request/Accounting-Request queries -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius timeout \<timeout\> - -Timeout to wait response from server (seconds) -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius nas-identifier \<identifier\> - -Value to send to RADIUS server in NAS-Identifier attribute and to be matched -in DM/CoA requests. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius nas-ip-address \<address\> - -Value to send to RADIUS server in NAS-IP-Address attribute and to be matched -in DM/CoA requests. Also DM/CoA server will bind to that address. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius rate-limit attribute \<attribute\> - -Specifies which RADIUS server attribute contains the rate limit information. -The default attribute is `Filter-Id`. -``` - -:::{note} -If you set a custom RADIUS attribute you must define it on both -dictionaries on the RADIUS server and client. -::: - -```{cfgcmd} set vpn l2tp remote-access authentication radius rate-limit enable - -Enables bandwidth shaping via RADIUS. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication radius rate-limit vendor - -Specifies the vendor dictionary. This dictionary needs to be present in -/usr/share/accel-ppp/radius. -``` - -Received RADIUS attributes have a higher priority than parameters defined within -the CLI configuration, refer to the explanation below. - -### Allocation clients ip addresses by RADIUS - -If the RADIUS server sends the attribute `Framed-IP-Address` then this IP -address will be allocated to the client and the option `default-pool` within -the CLI config will be ignored. - -If the RADIUS server sends the attribute `Framed-Pool`, then the IP address -will be allocated from a predefined IP pool whose name equals the attribute -value. - -If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, the -IPv6 address will be allocated from a predefined IPv6 pool `prefix` whose -name equals the attribute value. - -If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, an -IPv6 delegation prefix will be allocated from a predefined IPv6 pool -`delegate` whose name equals the attribute value. - -:::{note} -`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` are defined in -RFC6911. If they are not defined in your RADIUS server, add new [dictionary]. -::: - -The client's interface can be put into a VRF context via a RADIUS Access-Accept -packet, or changed via RADIUS CoA. `Accel-VRF-Name` is used for these -purposes. This is a custom [ACCEL-PPP attribute]. Define it in your RADIUS -server. - -### Renaming clients interfaces by RADIUS - -If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be -renamed. - -:::{note} -The value of the attribute `NAS-Port-Id` must be less than 16 -characters, otherwise the interface won't be renamed. -::: - -## Configuring LNS (L2TP Network Server) - -LNS are often used to connect to a LAC (L2TP Access Concentrator). - -```{cfgcmd} set vpn l2tp remote-access lns host-name \<hostname\> - -Sent to the client (LAC) in the Host-Name attribute -``` - -```{cfgcmd} set vpn l2tp remote-access lns shared-secret \<secret\> - -Tunnel password used to authenticate the client (LAC) -``` - -To explain the usage of LNS follow our blueprint {ref}`examples-lac-lns`. - -## IPv6 - -```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6 \<require | prefer | allow | deny\> - -Specifies IPv6 negotiation preference. -* **require** - Require IPv6 negotiation -* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects -* **allow** - Negotiate IPv6 only if client requests -* **deny** - Do not negotiate IPv6 (default value) -``` - -```{cfgcmd} set vpn l2tp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\> - -Use this comand to set the IPv6 address pool from which an l2tp client will -get an IPv6 prefix of your defined length (mask) to terminate the l2tp -endpoint at their side. The mask length can be set between 48 and 128 bits -long, the default value is 64. -``` - -```{cfgcmd} set vpn l2tp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\> - -Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp. -You will have to set your IPv6 pool and the length of the delegation -prefix. From the defined IPv6 pool you will be handing out networks of the -defined length (delegation-prefix). The length of the delegation prefix can -be between 32 and 64 bits long. -``` - -```{cfgcmd} set vpn l2tp remote-access default-ipv6-pool \<IPv6-POOL-NAME\> - -Use this command to define default IPv6 address pool name. -``` - -```none -set vpn l2tp remote-access ppp-options ipv6 allow -set vpn l2tp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' -set vpn l2tp remote-access client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64' -set vpn l2tp remote-access default-ipv6-pool IPv6-POOL -``` - - -### IPv6 Advanced Options - -```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6-accept-peer-interface-id - -Accept peer interface identifier. By default this is not defined. -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\> - -Specifies if a fixed or random interface identifier is used for IPv6. The -default is fixed. -* **random** - Random interface identifier for IPv6 -* **x:x:x:x** - Specify interface identifier for IPv6 -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\> - -Specifies the peer interface identifier for IPv6. The default is fixed. -* **random** - Random interface identifier for IPv6 -* **x:x:x:x** - Specify interface identifier for IPv6 -* **ipv4-addr** - Calculate interface identifier from IPv4 address. -* **calling-sid** - Calculate interface identifier from calling-station-id. -``` - - -## Scripting - -```{cfgcmd} set vpn l2tp remote-access extended-scripts on-change \<path_to_script\> - -Script to run when the session interface is changed by RADIUS CoA handling -``` - -```{cfgcmd} set vpn l2tp remote-access extended-scripts on-down \<path_to_script\> - -Script to run when the session interface is about to terminate -``` - -```{cfgcmd} set vpn l2tp remote-access extended-scripts on-pre-up \<path_to_script\> - -Script to run before the session interface comes up -``` - -```{cfgcmd} set vpn l2tp remote-access extended-scripts on-up \<path_to_script\> - -Script to run when the session interface is completely configured and started -``` - - -## Advanced Options - -### Authentication Advanced Options - -```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> disable - -Disable `<user>` account. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> static-ip \<address\> - -Assign a static IP address to `<user>` account. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> rate-limit download \<bandwidth\> - -Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s. -``` - -```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> rate-limit upload \<bandwidth\> - -Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s -``` - -```{cfgcmd} set vpn l2tp remote-access authentication protocols \<pap | chap | mschap | mschap-v2\> - -Require the peer to authenticate itself using one of the following protocols: -pap, chap, mschap, mschap-v2. -``` - - -### Client IP Pool Advanced Options - -```{cfgcmd} set vpn l2tp remote-access client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\> - -Use this command to define the next address pool name. -``` - - -### PPP Advanced Options - -```{cfgcmd} set vpn l2tp remote-access ppp-options disable-ccp - -Disable Compression Control Protocol (CCP). -CCP is enabled by default. -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options interface-cache \<number\> - -Specifies number of interfaces to cache. This prevents interfaces from being -removed once the corresponding session is destroyed. Instead, interfaces are -cached for later use in new sessions. This should reduce the kernel-level -interface creation/deletion rate. -Default value is **0**. -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options ipv4 \<require | prefer | allow | deny\> - -Specifies IPv4 negotiation preference. -* **require** - Require IPv4 negotiation -* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects -* **allow** - Negotiate IPv4 only if client requests (Default value) -* **deny** - Do not negotiate IPv4 -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options lcp-echo-failure \<number\> - -Defines the maximum `<number>` of unanswered echo requests. Upon reaching the -value `<number>`, the session will be reset. Default value is **3**. -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options lcp-echo-interval \<interval\> - -If this option is specified and is greater than 0, then the PPP module will -send LCP echo requests every `<interval>` seconds. -Default value is **30**. -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options lcp-echo-timeout - -Specifies timeout in seconds to wait for any peer activity. If this option is -specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" -is not used. Default value is **0**. -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options min-mtu \<number\> - -Defines the minimum acceptable MTU. If a client tries to negotiate an MTU -lower than this it will be NAKed, and disconnected if it rejects a greater -MTU. -Default value is **100**. -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options mppe \<require | prefer | deny\> - -Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation -preference. -* **require** - ask client for mppe, if it rejects drop connection -* **prefer** - ask client for mppe, if it rejects don't fail. (Default value) -* **deny** - deny mppe - -Default behavior - don't ask the client for mppe, but allow it if the client -wants. Please note that RADIUS may override this option with the -MS-MPPE-Encryption-Policy attribute. -``` - -```{cfgcmd} set vpn l2tp remote-access ppp-options mru \<number\> - -Defines preferred MRU. By default is not defined. -``` - - -### Global Advanced options - -```{cfgcmd} set vpn l2tp remote-access description \<description\> - -Set description. -``` - -```{cfgcmd} set vpn l2tp remote-access limits burst \<value\> - -Burst count -``` - -```{cfgcmd} set vpn l2tp remote-access limits connection-limit \<value\> - -Maximum accepted connection rate (e.g. 1/min, 60/sec) -``` - -```{cfgcmd} set vpn l2tp remote-access limits timeout \<value\> - -Timeout in seconds -``` - -```{cfgcmd} set vpn l2tp remote-access mtu - -Maximum Transmission Unit (MTU) (default: **1436**) -``` - -```{cfgcmd} set vpn l2tp remote-access max-concurrent-sessions - -Maximum number of concurrent session start attempts -``` - -```{cfgcmd} set vpn l2tp remote-access name-server \<address\> - -Connected clients should use `<address>` as their DNS server. This command -accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured -for IPv4, up to three for IPv6. -``` - -```{cfgcmd} set vpn l2tp remote-access shaper fwmark \<1-2147483647\> - -Match firewall mark value -``` - -```{cfgcmd} set vpn l2tp remote-access snmp master-agent - -Enable SNMP -``` - -```{cfgcmd} set vpn l2tp remote-access wins-server \<address\> - -Windows Internet Name Service (WINS) servers propagated to client -``` - - -## Monitoring - -```none -vyos@vyos:~$ show l2tp-server sessions - ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes ---------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+---------- - l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB -``` - -```none -vyos@vyos:~$ show l2tp-server statistics - uptime: 0.02:49:49 -cpu: 0% -mem(rss/virt): 5920/100892 kB -core: - mempool_allocated: 133202 - mempool_available: 131770 - thread_count: 1 - thread_active: 1 - context_count: 5 - context_sleeping: 0 - context_pending: 0 - md_handler_count: 3 - md_handler_pending: 0 - timer_count: 0 - timer_pending: 0 -sessions: - starting: 0 - active: 0 - finishing: 0 -l2tp: - tunnels: - starting: 0 - active: 0 - finishing: 0 - sessions (control channels): - starting: 0 - active: 0 - finishing: 0 - sessions (data channels): - starting: 0 - active: 0 - finishing: 0 -``` - -[accel-ppp]: https://accel-ppp.org/ -[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel -[cloudflare]: https://blog.cloudflare.com/announcing-1111 -[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 -[freeradius]: https://freeradius.org -[google public dns]: https://developers.google.com/speed/public-dns -[network policy server]: <https://en.wikipedia.org/wiki/Network_Policy_Server> -[opennic]: https://www.opennic.org/ -[quad9]: https://quad9.net -[radius]: https://en.wikipedia.org/wiki/RADIUS diff --git a/docs/configuration/vpn/md-openconnect.md b/docs/configuration/vpn/md-openconnect.md deleted file mode 100644 index 80749eab..00000000 --- a/docs/configuration/vpn/md-openconnect.md +++ /dev/null @@ -1,363 +0,0 @@ -# OpenConnect - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -OpenConnect-compatible server feature has been available since Equuleus (1.3). -Openconnect VPN supports SSL connection and offers full network access. SSL VPN -network extension connects the end-user system to the corporate network with -access controls based only on network layer information, such as destination IP -address and port number. So, it provides safe communication for all types of -device traffic across public networks and private networks, also encrypts the -traffic with SSL protocol. - -The remote user will use the openconnect client to connect to the router and -will receive an IP address from a VPN pool, allowing full access to the -network. - -## Configuration - -### SSL Certificates - -We need to generate the certificate which authenticates users who attempt to -access the network resource through the SSL VPN tunnels. The following commands -will create a self signed certificates and will be stored in configuration: - -``` none -run generate pki ca install <CA name> -run generate pki certificate sign <CA name> install <Server name> -``` - -We can also create the certificates using Certbot which is an easy-to-use -client that fetches a certificate from Let's Encrypt an open certificate -authority launched by the EFF, Mozilla, and others and deploys it to a web -server. - -``` none -sudo certbot certonly --standalone --preferred-challenges http -d <domain name> -``` - -### Server Configuration - -``` none -set vpn openconnect authentication local-users username <user> password <pass> -set vpn openconnect authentication mode <local password|radius|certificate> -set vpn openconnect network-settings client-ip-settings subnet <subnet> -set vpn openconnect network-settings name-server <address> -set vpn openconnect network-settings name-server <address> -set vpn openconnect ssl ca-certificate <pki-ca-name> -set vpn openconnect ssl certificate <pki-cert-name> -set vpn openconnect ssl passphrase <pki-password> -``` - -### 2FA OTP support - -Instead of password only authentication, 2FA password -authentication + OTP key can be used. Alternatively, OTP authentication only, -without a password, can be used. -To do this, an OTP configuration must be added to the configuration above: - -``` none -set vpn openconnect authentication mode local <password-otp|otp> -set vpn openconnect authentication local-users username <user> otp <key> -set vpn openconnect authentication local-users username <user> interval <interval (optional)> -set vpn openconnect authentication local-users username <user> otp-length <otp-length (optional)> -set vpn openconnect authentication local-users username <user> token-type <token-type (optional)> -``` - -For generating an OTP key in VyOS, you can use the CLI command -(operational mode): - -``` none -generate openconnect username <user> otp-key hotp-time -``` - -### User Certificate Authentication - -You can configure users to be authenticated by certificate by setting -the authentication mode to certificate, and defining what field (by OID) -in the certificate will be used to identify the username. Two pre-defined - -shortcuts for Common Name (OID 2.5.4.3) and User ID -(OID 0.9.2342.19200300.100.1.1) have been provided as cn or uid. - -Otherwise a specific OID value must be provided. - -The user's certificate must be signed by the certificate authority -defined in the configuration for it to be validated for -authentication. - -``` none -set vpn openconnect authentication mode certificate -set vpn openconnect authentication mode certificate user-identifier-field cn -set vpn openconnect ssl ca-certificate <cert> -``` - -## Verification - -``` none -vyos@vyos:~$ sh openconnect-server sessions -interface username ip remote IP RX TX state uptime ------------ ---------- ------------- ----------- ------- --------- --------- -------- -sslvpn0 tst 172.20.20.198 192.168.6.1 0 bytes 152 bytes connected 3s -``` - -<div class="note"> - -<div class="title"> - -Note - -</div> - -It is compatible with Cisco (R) AnyConnect (R) clients. - -</div> - -## Example - -### SSL Certificates generation - -Follow the instructions to generate CA cert (in configuration mode): - -``` none -vyos@vyos# run generate pki ca install ca-ocserv -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Enter country code: (Default: GB) US -Enter state: (Default: Some-State) Delaware -Enter locality: (Default: Some-City) Mycity -Enter organization name: (Default: VyOS) MyORG -Enter common name: (Default: vyos.io) oc-ca -Enter how many days certificate will be valid: (Default: 1825) 3650 -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] N -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -[edit] -``` - -Follow the instructions to generate server cert (in configuration mode): - -``` none -vyos@vyos# run generate pki certificate sign ca-ocserv install srv-ocserv -Do you already have a certificate request? [y/N] N -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Enter country code: (Default: GB) US -Enter state: (Default: Some-State) Delaware -Enter locality: (Default: Some-City) Mycity -Enter organization name: (Default: VyOS) MyORG -Enter common name: (Default: vyos.io) oc-srv -Do you want to configure Subject Alternative Names? [y/N] N -Enter how many days certificate will be valid: (Default: 365) 1830 -Enter certificate type: (client, server) (Default: server) -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] N -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -[edit] -``` - -Each of the install command should be applied to the configuration and commited -before using under the openconnect configuration: - -``` none -vyos@vyos# commit -[edit] -vyos@vyos# save -Saving configuration to '/config/config.boot'... -Done -[edit] -``` - -### Openconnect Configuration - -Simple setup with one user added and password authentication: - -``` none -set vpn openconnect authentication local-users username tst password 'OC_bad_Secret' -set vpn openconnect authentication mode local password -set vpn openconnect network-settings client-ip-settings subnet '172.20.20.0/24' -set vpn openconnect network-settings name-server '10.1.1.1' -set vpn openconnect network-settings name-server '10.1.1.2' -set vpn openconnect ssl ca-certificate 'ca-ocserv' -set vpn openconnect ssl certificate 'srv-ocserv' -``` - -To enable the HTTP security headers in the configuration file, use the command: - -``` none -set vpn openconnect http-security-headers -``` - -### Adding a 2FA with an OTP-key - -First the OTP keys must be generated and sent to the user and to the -configuration: - -``` none -vyos@vyos:~$ generate openconnect username tst otp-key hotp-time -# You can share it with the user, he just needs to scan the QR in his OTP app -# username: tst -# OTP KEY: 5PA4SGYTQSGOBO3H3EQSSNCUNZAYAPH2 -# OTP URL: otpauth://totp/tst@vyos?secret=5PA4SGYTQSGOBO3H3EQSSNCUNZAYAPH2&digits=6&period=30 -█████████████████████████████████████████ -█████████████████████████████████████████ -████ ▄▄▄▄▄ █▀ ██▄▀ ▄█▄▀▀▄▄▄▄██ ▄▄▄▄▄ ████ -████ █ █ █▀ █▄▄▀▀▀▄█ ▄▄▀▄ █ █ █ ████ -████ █▄▄▄█ █▀█▀▄▄▀ ▄▀ █▀ ▀▄██ █▄▄▄█ ████ -████▄▄▄▄▄▄▄█▄█▄▀ ▀▄█ ▀ ▀ ▀ █▄█▄▄▄▄▄▄▄████ -████ ▄▄▄▀▄▄ ▄███▀▄▀█▄██▀ ▀▄ ▀▄█ ▀ ▀████ -████ ▀▀ ▀ ▄█▄ ▀ ▀▄ ▄█▀ ▄█ ▄▀▀▄██ █████ -████▄ █▄▀▀▄█▀ ▀█▄█▄▄▄▄ ▄▀█▀▀█ ▀ ▄ ▀█▀████ -█████ ▀█▀▄▄ █ ▀▄▄ ▄█▄ ▀█▀▀ █▀ ▄█████ -████▀██▀█▄▄ ▀▀▀▀█▄▀ ▀█▄▄▀▀▀ ▀ ▀█▄██▀▀████ -████▄ ▄ ▄▀▄██▀█ ▄ ▀▄██ ▄▄ ▀▀▄█▄██ ▄█████ -████▀▀ ▄▀ ▄ ▀█▀█▀█ █▀█▄▄▀█▀█▄██▄▄█ ▀████ -████ █ ▀█▄▄█▄ ▀ ▄▄▀▀ ▀ █▄█▀████ █▀ ▀████ -████▄██▄██▄█▀ ▄▀ ▄▄▀▄ ▄▀█ ▄ ▄▄▄ ▀█▄ ████ -████ ▄▄▄▄▄ █▄ ▀█▄█ ▄ ▀ ▄ ▄ █▄█ ▄▀▄█████ -████ █ █ █ ▀▄██▄▄▀█▄▀▄██▄▀ ▄ ▀██▀████ -████ █▄▄▄█ █ ██▀▄▄ ▀▄▄▀█▀ ▀█ ▄▀█ ▀██████ -████▄▄▄▄▄▄▄█▄███▄███▄█▄▄▄▄█▄▄█▄██▄█▄█████ -█████████████████████████████████████████ -█████████████████████████████████████████ -# To add this OTP key to configuration, run the following commands: -set vpn openconnect authentication local-users username tst otp key 'ebc1c91b13848ce0bb67d9212934546e41803cfa' -``` - -Next it is necessary to configure 2FA for OpenConnect: - -``` none -set vpn openconnect authentication mode local password-otp -set vpn openconnect authentication local-users username tst otp key 'ebc1c91b13848ce0bb67d9212934546e41803cfa' -``` - -Now when connecting the user will first be asked for the password -and then the OTP key. - -<div class="warning"> - -<div class="title"> - -Warning - -</div> - -When using Time-based one-time password (TOTP) (OTP HOTP-time), -be sure that the time on the server and the -OTP token generator are synchronized by NTP - -</div> - -To display the configured OTP user settings, use the command: - -``` none -show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri> -``` - -### Identity Based Configuration - -OpenConnect supports a subset of it's configuration options to be applied on a -per user/group basis, for configuration purposes we refer to this functionality -as "Identity based config". The following [OpenConnect Server Manual](https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that%20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group) -outlines the set of configuration options that are allowed. This can be -leveraged to apply different sets of configs to different users or groups of -users. - -``` none -sudo mkdir -p /config/auth/ocserv/config-per-user -sudo touch /config/auth/ocserv/default-user.conf - -set vpn openconnect authentication identity-based-config mode user -set vpn openconnect authentication identity-based-config directory /config/auth/ocserv/config-per-user -set vpn openconnect authentication identity-based-config default-config /config/auth/ocserv/default-user.conf -``` - -<div class="warning"> - -<div class="title"> - -Warning - -</div> - -The above directory and default-config must be a child directory -of /config/auth, since files outside this directory are not persisted after an -image upgrade. - -</div> - -Once you commit the above changes you can create a config file in the -/config/auth/ocserv/config-per-user directory that matches a username of a -user you have created e.g. "tst". Now when logging in with the "tst" user the -config options you set in this file will be loaded. - -Be sure to set a sane default config in the default config file, this will be -loaded in the case that a user is authenticated and no file is found in the -configured directory matching the users username/group. - -``` none -sudo nano /config/auth/ocserv/config-per-user/tst -``` - -The same configuration options apply when Identity based config is configured -in group mode except that group mode can only be used with RADIUS -authentication. - -<div class="warning"> - -<div class="title"> - -Warning - -</div> - -OpenConnect server matches the filename in a case sensitive -manner, make sure the username/group name you configure matches the -filename exactly. - -</div> - -### Configuring RADIUS accounting - -OpenConnect can be configured to send accounting information to a -RADIUS server to capture user session data such as time of -connect/disconnect, data transferred, and so on. - -Configure an accounting server and enable accounting with: - -``` none -set vpn openconnect accounting mode radius -set vpn openconnect accounting radius server 172.20.20.10 -set vpn openconnect accounting radius server 172.20.20.10 port 1813 -set vpn openconnect accounting radius server 172.20.20.10 key your_radius_secret -``` - -<div class="warning"> - -<div class="title"> - -Warning - -</div> - -The RADIUS accounting feature must be used with the OpenConnect -authentication mode RADIUS. It cannot be used with local authentication. -You must configure the OpenConnect authentication mode to "radius". - -</div> - -An example of the data captured by a FREERADIUS server with sql accounting: - -``` none -mysql> SELECT username, nasipaddress, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets, callingstationid, framedipaddress, connectinfo_start FROM radacct; -+----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ -| username | nasipaddress | acctstarttime | acctstoptime | acctinputoctets | acctoutputoctets | callingstationid | framedipaddress | connectinfo_start | -+----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ -| test | 198.51.100.15 | 2023-01-13 00:59:15 | 2023-01-13 00:59:21 | 10606 | 152 | 192.168.6.1 | 172.20.20.198 | Open AnyConnect VPN Agent v8.05-1 | -+----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ -``` diff --git a/docs/configuration/vpn/md-pptp.md b/docs/configuration/vpn/md-pptp.md deleted file mode 100644 index 5df63755..00000000 --- a/docs/configuration/vpn/md-pptp.md +++ /dev/null @@ -1,594 +0,0 @@ -(pptp)= - -# PPTP-Server - -The Point-to-Point Tunneling Protocol (PPTP) has been implemented in VyOS only -for backwards compatibility. PPTP has many well known security issues and you -should use one of the many other new VPN implementations. - -## Configuring PPTP Server - -```none -set vpn pptp remote-access authentication mode local -set vpn pptp remote-access authentication local-users username test password 'test' -set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.255.2-192.168.255.254 -set vpn pptp remote-access default-pool 'PPTP-POOL' -set vpn pptp remote-access outside-address 192.0.2.2 -set vpn pptp remote-access gateway-address 192.168.255.1 -``` - -```{cfgcmd} set vpn pptp remote-access authentication mode \<local | radius\> - -Set authentication backend. The configured authentication backend is used -for all queries. -* **radius**: All authentication queries are handled by a configured RADIUS -server. -* **local**: All authentication queries are handled locally. -* **noauth**: Authentication disabled. -``` - -```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> password \<pass\> - -Create `<user>` for local authentication on this system. The users password -will be set to `<pass>`. -``` - -```{cfgcmd} set vpn pptp remote-access client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\> - -Use this command to define the first IP address of a pool of -addresses to be given to PPTP clients. If notation ``x.x.x.x-x.x.x.x``, -it must be within a /24 subnet. If notation ``x.x.x.x/x`` is -used there is possibility to set host/netmask. -``` - -```{cfgcmd} set vpn pptp remote-access default-pool \<POOL-NAME\> - -Use this command to define default address pool name. -``` - -```{cfgcmd} set vpn pptp remote-access gateway-address \<gateway\> - -Specifies single `<gateway>` IP address to be used as local address of PPP -interfaces. -``` - - -## Configuring RADIUS authentication - -To enable RADIUS based authentication, the authentication mode needs to be -changed within the configuration. Previous settings like the local users, still -exists within the configuration, however they are not used if the mode has been -changed from local to radius. Once changed back to local, it will use all local -accounts again. - -```none -set vpn pptp remote-access authentication mode radius -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> key \<secret\> - -Configure RADIUS `<server>` and its required shared `<secret>` for -communicating with the RADIUS server. -``` - -Since the RADIUS server would be a single point of failure, multiple RADIUS -servers can be setup and will be used subsequentially. -For example: - -```none -set vpn pptp remote-access authentication radius server 10.0.0.1 key 'foo' -set vpn pptp remote-access authentication radius server 10.0.0.2 key 'foo' -``` - -:::{note} -Some RADIUS severs use an access control list which allows or denies -queries, make sure to add your VyOS router to the allowed client list. -::: - -### RADIUS source address - -If you are using OSPF as IGP, always the closest interface connected to the -RADIUS server is used. You can bind all outgoing RADIUS requests -to a single source IP e.g. the loopback interface. - -```{cfgcmd} set vpn pptp remote-access authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - -:::{note} -Some RADIUS severs use an access control list which allows or denies -queries, make sure to add your VyOS router to the allowed client list. -::: - -### RADIUS advanced options - -```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> port \<port\> - -Configure RADIUS `<server>` and its required port for authentication requests. -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> fail-time \<time\> - -Mark RADIUS server as offline for this given `<time>` in seconds. -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> disable - -Temporary disable this RADIUS server. -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius acct-timeout \<timeout\> - -Timeout to wait reply for Interim-Update packets. (default 3 seconds) -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius dynamic-author server \<address\> - -Specifies IP address for Dynamic Authorization Extension server (DM/CoA). -This IP must exist on any VyOS interface or it can be ``0.0.0.0``. -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius dynamic-author port \<port\> - -UDP port for Dynamic Authorization Extension server (DM/CoA) -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius dynamic-author key \<secret\> - -Secret for Dynamic Authorization Extension server (DM/CoA) -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius max-try \<number\> - -Maximum number of tries to send Access-Request/Accounting-Request queries -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius timeout \<timeout\> - -Timeout to wait response from server (seconds) -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius nas-identifier \<identifier\> - -Value to send to RADIUS server in NAS-Identifier attribute and to be matched -in DM/CoA requests. -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius nas-ip-address \<address\> - -Value to send to RADIUS server in NAS-IP-Address attribute and to be matched -in DM/CoA requests. Also DM/CoA server will bind to that address. -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius rate-limit attribute \<attribute\> - -Specifies which RADIUS server attribute contains the rate limit information. -The default attribute is `Filter-Id`. -``` - -:::{note} -If you set a custom RADIUS attribute you must define it on both -dictionaries at RADIUS server and client. -::: - -```{cfgcmd} set vpn pptp remote-access authentication radius rate-limit enable - -Enables bandwidth shaping via RADIUS. -``` - -```{cfgcmd} set vpn pptp remote-access authentication radius rate-limit vendor - -Specifies the vendor dictionary, dictionary needs to be in -/usr/share/accel-ppp/radius. -``` - -Received RADIUS attributes have a higher priority than parameters defined within -the CLI configuration, refer to the explanation below. - -### Allocation clients ip addresses by RADIUS - -If the RADIUS server sends the attribute `Framed-IP-Address` then this IP -address will be allocated to the client and the option `default-pool` within the CLI -config is being ignored. - -If the RADIUS server sends the attribute `Framed-Pool`, IP address will be allocated -from a predefined IP pool whose name equals the attribute value. - -If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, IPv6 address -will be allocated from a predefined IPv6 pool `prefix` whose name equals the attribute value. - -If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, IPv6 -delegation pefix will be allocated from a predefined IPv6 pool `delegate` -whose name equals the attribute value. - -:::{note} -`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` are defined in -RFC6911. If they are not defined in your RADIUS server, add new [dictionary]. -::: - -User interface can be put to VRF context via RADIUS Access-Accept packet, or change -it via RADIUS CoA. `Accel-VRF-Name` is used from these purposes. It is custom [ACCEL-PPP attribute]. -Define it in your RADIUS server. - -### Renaming clients interfaces by RADIUS - -If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be -renamed. - -:::{note} -The value of the attribute `NAS-Port-Id` must be less than 16 -characters, otherwise the interface won't be renamed. -::: - -## IPv6 - -```{cfgcmd} set vpn pptp remote-access ppp-options ipv6 \<require | prefer | allow | deny\> - -Specifies IPv6 negotiation preference. -* **require** - Require IPv6 negotiation -* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects -* **allow** - Negotiate IPv6 only if client requests -* **deny** - Do not negotiate IPv6 (default value) -``` - -```{cfgcmd} set vpn pptp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\> - -Use this comand to set the IPv6 address pool from which an PPTP client -will get an IPv6 prefix of your defined length (mask) to terminate the -PPTP endpoint at their side. The mask length can be set from 48 to 128 -bit long, the default value is 64. -``` - -```{cfgcmd} set vpn pptp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\> - -Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on -PPTP. You will have to set your IPv6 pool and the length of the -delegation prefix. From the defined IPv6 pool you will be handing out -networks of the defined length (delegation-prefix). The length of the -delegation prefix can be set from 32 to 64 bit long. -``` - -```{cfgcmd} set vpn pptp remote-access default-ipv6-pool \<IPv6-POOL-NAME\> - -Use this command to define default IPv6 address pool name. -``` - -```none -set vpn pptp remote-access ppp-options ipv6 allow -set vpn pptp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' -set vpn pptp remote-access client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64' -set vpn pptp remote-access default-ipv6-pool IPv6-POOL -``` - - -### IPv6 Advanced Options - -```{cfgcmd} set vpn pptp remote-access ppp-options ipv6-accept-peer-interface-id - -Accept peer interface identifier. By default is not defined. -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\> - -Specifies fixed or random interface identifier for IPv6. -By default is fixed. -* **random** - Random interface identifier for IPv6 -* **x:x:x:x** - Specify interface identifier for IPv6 -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\> - -Specifies peer interface identifier for IPv6. By default is fixed. -* **random** - Random interface identifier for IPv6 -* **x:x:x:x** - Specify interface identifier for IPv6 -* **ipv4-addr** - Calculate interface identifier from IPv4 address. -* **calling-sid** - Calculate interface identifier from calling-station-id. -``` - - -## Scripting - -```{cfgcmd} set vpn pptp remote-access extended-scripts on-change \<path_to_script\> - -Script to run when session interface changed by RADIUS CoA handling -``` - -```{cfgcmd} set vpn pptp remote-access extended-scripts on-down \<path_to_script\> - -Script to run when session interface going to terminate -``` - -```{cfgcmd} set vpn pptp remote-access extended-scripts on-pre-up \<path_to_script\> - -Script to run before session interface comes up -``` - -```{cfgcmd} set vpn pptp remote-access extended-scripts on-up \<path_to_script\> - -Script to run when session interface is completely configured and started -``` - - -## Advanced Options - -### Authentication Advanced Options - -```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> disable - -Disable `<user>` account. -``` - -```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> static-ip \<address\> - -Assign static IP address to `<user>` account. -``` - -```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> rate-limit download \<bandwidth\> - -Download bandwidth limit in kbit/s for `<user>`. -``` - -```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> rate-limit upload \<bandwidth\> - -Upload bandwidth limit in kbit/s for `<user>`. -``` - -```{cfgcmd} set vpn pptp remote-access authentication protocols \<pap | chap | mschap | mschap-v2\> - -Require the peer to authenticate itself using one of the following protocols: -pap, chap, mschap, mschap-v2. -``` - - -### Client IP Pool Advanced Options - -```{cfgcmd} set vpn pptp remote-access client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\> - -Use this command to define the next address pool name. -``` - - -### PPP Advanced Options - -```{cfgcmd} set vpn pptp remote-access ppp-options disable-ccp - -Disable Compression Control Protocol (CCP). -CCP is enabled by default. -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options interface-cache \<number\> - -Specifies number of interfaces to keep in cache. It means that don’t -destroy interface after corresponding session is destroyed, instead -place it to cache and use it later for new sessions repeatedly. -This should reduce kernel-level interface creation/deletion rate lack. -Default value is **0**. -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options ipv4 \<require | prefer | allow | deny\> - -Specifies IPv4 negotiation preference. -* **require** - Require IPv4 negotiation -* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects -* **allow** - Negotiate IPv4 only if client requests (Default value) -* **deny** - Do not negotiate IPv4 -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options lcp-echo-failure \<number\> - -Defines the maximum `<number>` of unanswered echo requests. Upon reaching the -value `<number>`, the session will be reset. Default value is **3**. -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options lcp-echo-interval \<interval\> - -If this option is specified and is greater than 0, then the PPP module will -send LCP pings of the echo request every `<interval>` seconds. -Default value is **30**. -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options lcp-echo-timeout - -Specifies timeout in seconds to wait for any peer activity. If this option -specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" -is not used. Default value is **0**. -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options min-mtu \<number\> - -Defines minimum acceptable MTU. If client will try to negotiate less then -specified MTU then it will be NAKed or disconnected if rejects greater MTU. -Default value is **100**. -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options mppe \<require | prefer | deny\> - -Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation -preference. -* **require** - ask client for mppe, if it rejects drop connection -* **prefer** - ask client for mppe, if it rejects don't fail. (Default value) -* **deny** - deny mppe - -Default behavior - don't ask client for mppe, but allow it if client wants. -Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy -attribute. -``` - -```{cfgcmd} set vpn pptp remote-access ppp-options mru \<number\> - -Defines preferred MRU. By default is not defined. -``` - - -### Global Advanced options - -```{cfgcmd} set vpn pptp remote-access description \<description\> - -Set description. -``` - -```{cfgcmd} set vpn pptp remote-access limits burst \<value\> - -Burst count -``` - -```{cfgcmd} set vpn pptp remote-access limits connection-limit \<value\> - -Acceptable rate of connections (e.g. 1/min, 60/sec) -``` - -```{cfgcmd} set vpn pptp remote-access limits timeout \<value\> - -Timeout in seconds -``` - -```{cfgcmd} set vpn pptp remote-access mtu - -Maximum Transmission Unit (MTU) (default: **1436**) -``` - -```{cfgcmd} set vpn pptp remote-access max-concurrent-sessions - -Maximum number of concurrent session start attempts -``` - -```{cfgcmd} set vpn pptp remote-access name-server \<address\> - -Connected client should use `<address>` as their DNS server. This -command accepts both IPv4 and IPv6 addresses. Up to two nameservers -can be configured for IPv4, up to three for IPv6. -``` - -```{cfgcmd} set vpn pptp remote-access shaper fwmark \<1-2147483647\> - -Match firewall mark value -``` - -```{cfgcmd} set vpn pptp remote-access snmp master-agent - -Enable SNMP -``` - -```{cfgcmd} set vpn pptp remote-access wins-server \<address\> - -Windows Internet Name Service (WINS) servers propagated to client -``` - - -## Monitoring - -```{opcmd} show pptp-server sessions - -Use this command to locally check the active sessions in the PPTP -server. -``` - -```none -vyos@vyos:~$ show pptp-server sessions - ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes ---------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- - pptp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:01:26 | 6.9 KiB | 220 B -``` - -```none -vyos@vyos:~$ show pptp-server statistics - uptime: 0.00:04:52 -cpu: 0% -mem(rss/virt): 5504/100176 kB -core: - mempool_allocated: 152007 - mempool_available: 149007 - thread_count: 1 - thread_active: 1 - context_count: 6 - context_sleeping: 0 - context_pending: 0 - md_handler_count: 6 - md_handler_pending: 0 - timer_count: 2 - timer_pending: 0 -sessions: - starting: 0 - active: 1 - finishing: 0 -pptp: - starting: 0 - active: 1 -``` - - -## Troubleshooting - -```none -vyos@vyos:~$sudo journalctl -u accel-ppp@pptp -b 0 - -Feb 29 14:58:57 vyos accel-pptp[4629]: pptp: new connection from 192.168.10.100 -Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 1> <Bearer 1> <Max-Chan 0>] -Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>] -Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Outgoing-Call-Request <Call-ID 2961> <Call-Serial 2> <Min-BPS 300> <Max-BPS 100000000> <Bearer 3> <Framing 3> <Window-Size 64> <Delay 0>] -Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Outgoing-Call-Reply <Call-ID 2> <Peer-Call-ID 2961> <Result 1> <Error 0> <Cause 0> <Speed 100000000> <Window-Size 64> <Delay 0> <Channel 0>] -Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_init -Feb 29 14:58:57 vyos accel-pptp[4629]: :: auth_layer_init -Feb 29 14:58:57 vyos accel-pptp[4629]: :: ccp_layer_init -Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipcp_layer_init -Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipv6cp_layer_init -Feb 29 14:58:57 vyos accel-pptp[4629]: :: ppp establishing -Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_start -Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] -Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] -Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 0142785a> <pcomp> <accomp> < d 3 6 >] -Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] -Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 0142785a>] -Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfAck id=1] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: fsm timeout 9 -Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=75 <auth MSCHAP-v2>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=76 <auth CHAP-md5> <mru 1436> <magic 483920bd>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=76 <auth MSCHAP-v2>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=77 <auth MSCHAP-v1> <mru 1436> <magic 483920bd>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=77 <auth MSCHAP-v2>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfAck id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: lcp_layer_started -Feb 29 14:59:00 vyos accel-pptp[4629]: :: auth_layer_start -Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [MSCHAP-v2 Challenge id=1 <8aa758781676e6a8e85c11963ee010>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=2 <MSRASV5.20>] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=3 <MSRAS-0-MSEDGEWIN10>] -Feb 29 14:59:00 vyos accel-pptp[4629]: [43B blob data] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] -Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [MSCHAP-v2 Response id=1 <90c21af1091f745e8bf22388b058>, <e695ae5aae274c88a3fa1ee3dc9057aece4d53c87b9fea>, F=0, name="test"] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: connect: ppp0 <--> pptp(192.168.10.100) -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ppp connected -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [MSCHAP-v2 Success id=1 "S=347F417CF04BEBBC7F75CFA7F43474C36FB218F9 M=Authentication succeeded"] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: test: authentication succeeded -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: auth_layer_started -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_start -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [CCP ConfReq id=b9 <mppe +H -M +S -L -D -C>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_start -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipv6cp_layer_start -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: IPV6CP: discarding packet -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [LCP ProtoRej id=122 <8057>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfReq id=3b <addr 10.0.0.1>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfRej id=6 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [LCP ProtoRej id=7 <80fd>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_finished -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfAck id=3b <addr 10.0.0.1>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.2>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.2>] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfAck id=9] -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_started -Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: rename interface to 'pptp0' -Feb 29 14:59:00 vyos accel-pptp[4629]: pptp0:test: pptp: ppp started -``` - -[accel-ppp]: https://accel-ppp.org/ -[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel -[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 diff --git a/docs/configuration/vpn/md-rsa-keys.md b/docs/configuration/vpn/md-rsa-keys.md deleted file mode 100644 index 91a5c24e..00000000 --- a/docs/configuration/vpn/md-rsa-keys.md +++ /dev/null @@ -1,116 +0,0 @@ -# RSA-Keys - -<div class="todo"> - -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. - -</div> - -RSA can be used for services such as key exchanges and for encryption purposes. -To make IPSec work with dynamic address on one/both sides, we will have to use -RSA keys for authentication. They are very fast and easy to setup. - -First, on both routers run the operational command "generate pki key-pair -install \<key-pair name\>". You may choose different length than 2048 of course. - -``` none -vyos@left# run generate pki key-pair install ipsec-LEFT -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] N -Configure mode commands to install key pair: -Do you want to install the public key? [Y/n] Y -set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' -Do you want to install the private key? [Y/n] Y -set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' -[edit] -``` - -Configuration commands will display. -Note the command with the public key -(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). -Then do the same on the opposite router: - -``` none -vyos@left# run generate pki key-pair install ipsec-RIGHT -``` - -Note the command with the public key -(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). - -The noted public keys should be entered on the opposite routers. - -On the LEFT: - -``` none -set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...' -``` - -On the RIGHT: - -``` none -set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' -``` - -Now you are ready to setup IPsec. The key points: - -1. Since both routers do not know their effective public addresses, - we set the local-address of the peer to "any". -2. On the initiator, we set the peer address to its public address, - but on the responder we only set the id. -3. On the initiator, we need to set the remote-id option so that it - can identify IKE traffic from the responder correctly. -4. On the responder, we need to set the local id so that initiator - can know who's talking to it for the point \#3 to work. - -On the LEFT (static address): - -``` none -set vpn ipsec interface eth0 - -set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 -set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - -set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 -set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 -set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - -set vpn ipsec site-to-site peer @RIGHT authentication id LEFT -set vpn ipsec site-to-site peer @RIGHT authentication mode rsa -set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT -set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT -set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT -set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup -set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup -set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 -set vpn ipsec site-to-site peer @RIGHT connection-type none -set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local -set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote -``` - -On the RIGHT (dynamic address): - -``` none -set vpn ipsec interface eth0 - -set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 -set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - -set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 -set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 -set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - -set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT -set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa -set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT -set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT -set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT -set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate -set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup -set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup -set vpn ipsec site-to-site peer 192.0.2.10 local-address any -set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local -set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote -``` diff --git a/docs/configuration/vpn/md-sstp.md b/docs/configuration/vpn/md-sstp.md deleted file mode 100644 index 54383cc6..00000000 --- a/docs/configuration/vpn/md-sstp.md +++ /dev/null @@ -1,698 +0,0 @@ -(sstp)= - -# SSTP Server - -{abbr}`SSTP (Secure Socket Tunneling Protocol)` is a form of {abbr}`VPN -(Virtual Private Network)` tunnel that provides a mechanism to transport PPP -traffic through an SSL/TLS channel. SSL/TLS provides transport-level security -with key negotiation, encryption and traffic integrity checking. The use of -SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls -and proxy servers except for authenticated web proxies. - -SSTP is available for Linux, BSD, and Windows. - -VyOS utilizes [accel-ppp](https://accel-ppp.org/) to provide SSTP server functionality. We support both -local and RADIUS authentication. - -As SSTP provides PPP via a SSL/TLS channel the use of either publicly signed -certificates or private PKI is required. - -## Configuring SSTP Server - -### Certificates - -Using our documentation chapter - {ref}`pki` generate and install CA and Server certificate - -```none -vyos@vyos:~$ generate pki ca install CA -``` - -```none -vyos@vyos:~$ generate pki certificate sign CA install Server -``` - - -### Configuration - -```none -set vpn sstp authentication local-users username test password 'test' -set vpn sstp authentication mode 'local' -set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100' -set vpn sstp default-pool 'SSTP-POOL' -set vpn sstp gateway-address '10.0.0.1' -set vpn sstp ssl ca-certificate 'CA1' -set vpn sstp ssl certificate 'Server' -``` - -```{cfgcmd} set vpn sstp authentication mode \<local | radius\> - -Set authentication backend. The configured authentication backend is used -for all queries. -* **radius**: All authentication queries are handled by a configured RADIUS -server. -* **local**: All authentication queries are handled locally. -``` - -```{cfgcmd} set vpn sstp authentication local-users username \<user\> password \<pass\> - -Create `<user>` for local authentication on this system. The users password -will be set to `<pass>`. -``` - -```{cfgcmd} set vpn sstp client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\> - -Use this command to define the first IP address of a pool of -addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, -it must be within a /24 subnet. If notation ``x.x.x.x/x`` is -used there is possibility to set host/netmask. -``` - -```{cfgcmd} set vpn sstp default-pool \<POOL-NAME\> - -Use this command to define default address pool name. -``` - -```{cfgcmd} set vpn sstp gateway-address \<gateway\> - -Specifies single `<gateway>` IP address to be used as local address of PPP -interfaces. -``` - -```{cfgcmd} set vpn sstp ssl ca-certificate \<file\> - -Name of installed certificate authority certificate. -``` - -```{cfgcmd} set vpn sstp ssl certificate \<file\> - -Name of installed server certificate. -``` - - -## Configuring RADIUS authentication - -To enable RADIUS based authentication, the authentication mode needs to be -changed within the configuration. Previous settings like the local users still -exist within the configuration, however they are not used if the mode has been -changed from local to radius. Once changed back to local, it will use all local -accounts again. - -```none -set vpn sstp authentication mode radius -``` - -```{cfgcmd} set vpn sstp authentication radius server \<server\> key \<secret\> - -Configure RADIUS `<server>` and its required shared `<secret>` for -communicating with the RADIUS server. -``` - -Since the RADIUS server would be a single point of failure, multiple RADIUS -servers can be setup and will be used subsequentially. -For example: - -```none -set vpn sstp authentication radius server 10.0.0.1 key 'foo' -set vpn sstp authentication radius server 10.0.0.2 key 'foo' -``` - -:::{note} -Some RADIUS severs use an access control list which allows or denies -queries, make sure to add your VyOS router to the allowed client list. -::: - -### RADIUS source address - -If you are using OSPF as your IGP, use the interface connected closest to the -RADIUS server. You can bind all outgoing RADIUS requests to a single source IP -e.g. the loopback interface. - -```{cfgcmd} set vpn sstp authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - -:::{note} -The `source-address` must be configured to that of an interface. -Best practice would be a loopback or dummy interface. -::: - -### RADIUS advanced options - -```{cfgcmd} set vpn sstp authentication radius server \<server\> port \<port\> - -Configure RADIUS `<server>` and its required port for authentication requests. -``` - -```{cfgcmd} set vpn sstp authentication radius server \<server\> fail-time \<time\> - -Mark RADIUS server as offline for this given `<time>` in seconds. -``` - -```{cfgcmd} set vpn sstp authentication radius server \<server\> disable - -Temporary disable this RADIUS server. -``` - -```{cfgcmd} set vpn sstp authentication radius acct-timeout \<timeout\> - -Timeout to wait reply for Interim-Update packets. (default 3 seconds) -``` - -```{cfgcmd} set vpn sstp authentication radius dynamic-author server \<address\> - -Specifies IP address for Dynamic Authorization Extension server (DM/CoA). -This IP must exist on any VyOS interface or it can be ``0.0.0.0``. -``` - -```{cfgcmd} set vpn sstp authentication radius dynamic-author port \<port\> - -UDP port for Dynamic Authorization Extension server (DM/CoA) -``` - -```{cfgcmd} set vpn sstp authentication radius dynamic-author key \<secret\> - -Secret for Dynamic Authorization Extension server (DM/CoA) -``` - -```{cfgcmd} set vpn sstp authentication radius max-try \<number\> - -Maximum number of tries to send Access-Request/Accounting-Request queries -``` - -```{cfgcmd} set vpn sstp authentication radius timeout \<timeout\> - -Timeout to wait response from server (seconds) -``` - -```{cfgcmd} set vpn sstp authentication radius nas-identifier \<identifier\> - -Value to send to RADIUS server in NAS-Identifier attribute and to be matched -in DM/CoA requests. -``` - -```{cfgcmd} set vpn sstp authentication radius nas-ip-address \<address\> - -Value to send to RADIUS server in NAS-IP-Address attribute and to be matched -in DM/CoA requests. Also DM/CoA server will bind to that address. -``` - -```{cfgcmd} set vpn sstp authentication radius source-address \<address\> - -Source IPv4 address used in all RADIUS server queires. -``` - -```{cfgcmd} set vpn sstp authentication radius rate-limit attribute \<attribute\> - -Specifies which RADIUS server attribute contains the rate limit information. -The default attribute is `Filter-Id`. -``` - -:::{note} -If you set a custom RADIUS attribute you must define it on both -dictionaries on the RADIUS server and client. -::: - -```{cfgcmd} set vpn sstp authentication radius rate-limit enable - -Enables bandwidth shaping via RADIUS. -``` - -```{cfgcmd} set vpn sstp authentication radius rate-limit vendor - -Specifies the vendor dictionary, This dictionary needs to be present in -/usr/share/accel-ppp/radius. -``` - -Received RADIUS attributes have a higher priority than parameters defined within -the CLI configuration, refer to the explanation below. - -### Allocation clients ip addresses by RADIUS - -If the RADIUS server sends the attribute `Framed-IP-Address` then this IP -address will be allocated to the client and the option `default-pool` within -the CLI config will being ignored. - -If the RADIUS server sends the attribute `Framed-Pool`, then the IP address -will be allocated from a predefined IP pool whose name equals the attribute -value. - -If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, the -IPv6 address will be allocated from a predefined IPv6 pool `prefix` whose -name equals the attribute value. - -If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, an -IPv6 delegation prefix will be allocated from a predefined IPv6 pool `delegate` -whose name equals the attribute value. - -:::{note} -`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` are defined in -RFC6911. If they are not defined in your RADIUS server, add new [dictionary]. -::: - -The client's interface can be put into a VRF context via a RADIUS Access-Accept -packet, or changed via RADIUS CoA. `Accel-VRF-Name` is used for these -purposes. This is a custom [ACCEL-PPP attribute]. Define it in your RADIUS -server. - -### Renaming clients interfaces by RADIUS - -If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be -renamed. - -:::{note} -The value of the attribute `NAS-Port-Id` must be less than 16 -characters, otherwise the interface won't be renamed. -::: - -## IPv6 - -```{cfgcmd} set vpn sstp ppp-options ipv6 \<require | prefer | allow | deny\> - -Specifies IPv6 negotiation preference. -* **require** - Require IPv6 negotiation -* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects -* **allow** - Negotiate IPv6 only if client requests -* **deny** - Do not negotiate IPv6 (default value) -``` - -```{cfgcmd} set vpn sstp client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\> - -Use this comand to set the IPv6 address pool from which an SSTP client will -get an IPv6 prefix of your defined length (mask) to terminate the SSTP -endpoint at their side. The mask length can be set between 48 and 128 bits -long, the default value is 64. -``` - -```{cfgcmd} set vpn sstp client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\> - -Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You -will have to set your IPv6 pool and the length of the delegation prefix. From -the defined IPv6 pool you will be handing out networks of the defined length -(delegation-prefix). The length of the delegation prefix can be set between -32 and 64 bits long. -``` - -```{cfgcmd} set vpn sstp default-ipv6-pool \<IPv6-POOL-NAME\> - -Use this command to define default IPv6 address pool name. -``` - -```none -set vpn sstp ppp-options ipv6 allow -set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' -set vpn sstp client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64' -set vpn sstp default-ipv6-pool IPv6-POOL -``` - - -### IPv6 Advanced Options - -```{cfgcmd} set vpn sstp ppp-options ipv6-accept-peer-interface-id - -Accept peer interface identifier. By default this is not defined. -``` - -```{cfgcmd} set vpn sstp ppp-options ipv6-interface-id \<random | x:x:x:x\> - -Specifies if a fixed or random interface identifier is used for IPv6. The -default is fixed. -* **random** - Random interface identifier for IPv6 -* **x:x:x:x** - Specify interface identifier for IPv6 -``` - -```{cfgcmd} set vpn sstp ppp-options ipv6-interface-id \<random | x:x:x:x\> - -Specifies the peer interface identifier for IPv6. The default is fixed. -* **random** - Random interface identifier for IPv6 -* **x:x:x:x** - Specify interface identifier for IPv6 -* **ipv4-addr** - Calculate interface identifier from IPv4 address. -* **calling-sid** - Calculate interface identifier from calling-station-id. -``` - - -## Scripting - -```{cfgcmd} set vpn sstp extended-scripts on-change \<path_to_script\> - -Script to run when the session interface is changed by RADIUS CoA handling -``` - -```{cfgcmd} set vpn sstp extended-scripts on-down \<path_to_script\> - -Script to run when the session interface about to terminate -``` - -```{cfgcmd} set vpn sstp extended-scripts on-pre-up \<path_to_script\> - -Script to run before the session interface comes up -``` - -```{cfgcmd} set vpn sstp extended-scripts on-up \<path_to_script\> - -Script to run when the session interface is completely configured and started -``` - - -## Advanced Options - -### Authentication Advanced Options - -```{cfgcmd} set vpn sstp authentication local-users username \<user\> disable - -Disable `<user>` account. -``` - -```{cfgcmd} set vpn sstp authentication local-users username \<user\> static-ip \<address\> - -Assign a static IP address to `<user>` account. -``` - -```{cfgcmd} set vpn sstp authentication local-users username \<user\> rate-limit download \<bandwidth\> - -Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s. -``` - -```{cfgcmd} set vpn sstp authentication local-users username \<user\> rate-limit upload \<bandwidth\> - -Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s. -``` - -```{cfgcmd} set vpn sstp authentication protocols \<pap | chap | mschap | mschap-v2\> - -Require the peer to authenticate itself using one of the following protocols: -pap, chap, mschap, mschap-v2. -``` - - -### Client IP Pool Advanced Options - -```{cfgcmd} set vpn sstp client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\> - -Use this command to define the next address pool name. -``` - - -### PPP Advanced Options - -```{cfgcmd} set vpn sstp ppp-options disable-ccp - -Disable Compression Control Protocol (CCP). -CCP is enabled by default. -``` - -```{cfgcmd} set vpn sstp ppp-options interface-cache \<number\> - -Specifies number of interfaces to cache. This prevents interfaces from being -removed once the corresponding session is destroyed. Instead, interfaces are -cached for later use in new sessions. This should reduce the kernel-level -interface creation/deletion rate. -Default value is **0**. -``` - -```{cfgcmd} set vpn sstp ppp-options ipv4 \<require | prefer | allow | deny\> - -Specifies IPv4 negotiation preference. -* **require** - Require IPv4 negotiation -* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects -* **allow** - Negotiate IPv4 only if client requests (Default value) -* **deny** - Do not negotiate IPv4 -``` - -```{cfgcmd} set vpn sstp ppp-options lcp-echo-failure \<number\> - -Defines the maximum `<number>` of unanswered echo requests. Upon reaching the -value `<number>`, the session will be reset. Default value is **3**. -``` - -```{cfgcmd} set vpn sstp ppp-options lcp-echo-interval \<interval\> - -If this option is specified and is greater than 0, then the PPP module will -send LCP echo requests every `<interval>` seconds. -Default value is **30**. -``` - -```{cfgcmd} set vpn sstp ppp-options lcp-echo-timeout - -Specifies timeout in seconds to wait for any peer activity. If this option is -specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" -is not used. Default value is **0**. -``` - -```{cfgcmd} set vpn sstp ppp-options min-mtu \<number\> - -Defines the minimum acceptable MTU. If a client tries to negotiate an MTU -lower than this it will be NAKed, and disconnected if it rejects a greater -MTU. -Default value is **100**. -``` - -```{cfgcmd} set vpn sstp ppp-options mppe \<require | prefer | deny\> - -Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation -preference. -* **require** - ask client for mppe, if it rejects drop connection -* **prefer** - ask client for mppe, if it rejects don't fail. (Default value) -* **deny** - deny mppe - -Default behavior - don't ask the client for mppe, but allow it if the client -wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy -attribute. -``` - -```{cfgcmd} set vpn sstp ppp-options mru \<number\> - -Defines preferred MRU. By default is not defined. -``` - - -### Global Advanced options - -```{cfgcmd} set vpn sstp description \<description\> - -Set description. -``` - -```{cfgcmd} set vpn sstp limits burst \<value\> - -Burst count -``` - -```{cfgcmd} set vpn sstp limits connection-limit \<value\> - -Maximum accepted connection rate (e.g. 1/min, 60/sec) -``` - -```{cfgcmd} set vpn sstp limits timeout \<value\> - -Timeout in seconds -``` - -```{cfgcmd} set vpn sstp mtu - -Maximum Transmission Unit (MTU) (default: **1500**) -``` - -```{cfgcmd} set vpn sstp max-concurrent-sessions - -Maximum number of concurrent session start attempts -``` - -```{cfgcmd} set vpn sstp name-server \<address\> - -Connected clients should use `<address>` as their DNS server. This command -accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured -for IPv4, up to three for IPv6. -``` - -```{cfgcmd} set vpn sstp shaper fwmark \<1-2147483647\> - -Match firewall mark value -``` - -```{cfgcmd} set vpn sstp snmp master-agent - -Enable SNMP -``` - -```{cfgcmd} set vpn sstp wins-server \<address\> - -Windows Internet Name Service (WINS) servers propagated to client -``` - -```{cfgcmd} set vpn sstp host-name \<hostname\> - -If this option is given, only SSTP connections to the specified host -and with the same TLS SNI will be allowed. -``` - - -## Configuring SSTP client - -Once you have setup your SSTP server there comes the time to do some basic -testing. The Linux client used for testing is called [sstpc]. [sstpc] requires a -PPP configuration/peer file. - -If you use a self-signed certificate, do not forget to install CA on the client side. - -The following PPP configuration tests MSCHAP-v2: - -```none -$ cat /etc/ppp/peers/vyos -usepeerdns -#require-mppe -#require-pap -require-mschap-v2 -noauth -lock -refuse-pap -refuse-eap -refuse-chap -refuse-mschap -#refuse-mschap-v2 -nobsdcomp -nodeflate -debug -``` - -You can now "dial" the peer with the follwoing command: `sstpc --log-level 4 ---log-stderr --user vyos --password vyos vpn.example.com -- call vyos`. - -A connection attempt will be shown as: - -```none -$ sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos - -Mar 22 13:29:12 sstpc[12344]: Resolved vpn.example.com to 192.0.2.1 -Mar 22 13:29:12 sstpc[12344]: Connected to vpn.example.com -Mar 22 13:29:12 sstpc[12344]: Sending Connect-Request Message -Mar 22 13:29:12 sstpc[12344]: SEND SSTP CRTL PKT(14) -Mar 22 13:29:12 sstpc[12344]: TYPE(1): CONNECT REQUEST, ATTR(1): -Mar 22 13:29:12 sstpc[12344]: ENCAP PROTO(1): 6 -Mar 22 13:29:12 sstpc[12344]: RECV SSTP CRTL PKT(48) -Mar 22 13:29:12 sstpc[12344]: TYPE(2): CONNECT ACK, ATTR(1): -Mar 22 13:29:12 sstpc[12344]: CRYPTO BIND REQ(4): 40 -Mar 22 13:29:12 sstpc[12344]: Started PPP Link Negotiation -Mar 22 13:29:15 sstpc[12344]: Sending Connected Message -Mar 22 13:29:15 sstpc[12344]: SEND SSTP CRTL PKT(112) -Mar 22 13:29:15 sstpc[12344]: TYPE(4): CONNECTED, ATTR(1): -Mar 22 13:29:15 sstpc[12344]: CRYPTO BIND(3): 104 -Mar 22 13:29:15 sstpc[12344]: Connection Established - -$ ip addr show ppp0 -164: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UNKNOWN group default qlen 3 - link/ppp promiscuity 0 - inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0 - valid_lft forever preferred_lft forever -``` - - -## Monitoring - -```{opcmd} show sstp-server sessions - -Use this command to locally check the active sessions in the SSTP -server. -``` - -```none -vyos@vyos:~$ show sstp-server sessions - ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes ---------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- - sstp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:15:46 | 16.3 KiB | 210 B -``` - -```none -vyos@vyos:~$ show sstp-server statistics - uptime: 0.01:21:54 -cpu: 0% -mem(rss/virt): 6688/100464 kB -core: - mempool_allocated: 149420 - mempool_available: 146092 - thread_count: 1 - thread_active: 1 - context_count: 6 - context_sleeping: 0 - context_pending: 0 - md_handler_count: 7 - md_handler_pending: 0 - timer_count: 2 - timer_pending: 0 -sessions: - starting: 0 - active: 1 - finishing: 0 -sstp: - starting: 0 - active: 1 -``` - - -## Troubleshooting - -```none -vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0 - -Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852 -Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting -Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started -Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init -Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init -Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init -Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init -Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init -Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing -Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start -Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>] -Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2] -Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9 -Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] -Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] -Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started -Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start -Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>] -Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>] -Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data] -Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852) -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9] -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started -Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0' -Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started -``` - -[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel -[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 -[sstpc]: https://github.com/reliablehosting/sstp-client diff --git a/docs/configuration/vrf/md-index.md b/docs/configuration/vrf/md-index.md deleted file mode 100644 index 5b94ad8f..00000000 --- a/docs/configuration/vrf/md-index.md +++ /dev/null @@ -1,621 +0,0 @@ ---- -lastproofread: '2021-07-07' ---- - -(vrf)= - -# VRF - -{abbr}`VRF (Virtual Routing and Forwarding)` devices combined with ip rules -provides the ability to create virtual routing and forwarding domains (aka -VRFs, VRF-lite to be specific) in the Linux network stack. One use case is the -multi-tenancy problem where each tenant has their own unique routing tables and -in the very least need different default gateways. - -## Configuration - -A VRF device is created with an associated route table. Network interfaces are -then enslaved to a VRF device. - -```{eval-rst} -.. cfgcmd:: set vrf name <name> table <id> - - Create a new VRF instance with `<name>` and `<id>`. The name is used when placing - individual interfaces into the VRF. - - .. note:: A routing table ID can not be modified once it is assigned. It can - only be changed by deleting and re-adding the VRF instance. -``` - -```{eval-rst} -.. cfgcmd:: set vrf bind-to-all - - By default the scope of the port bindings for unbound sockets is limited to - the default VRF. That is, it will not be matched by packets arriving on - interfaces enslaved to a VRF and processes may bind to the same port if - they bind to a VRF. - - TCP & UDP services running in the default VRF context (ie., not bound to any - VRF device) can work across all VRF domains by enabling this option. -``` - -### Zebra/Kernel route filtering - -Zebra supports prefix-lists and Route Maps to match routes received from -other FRR components. The permit/deny facilities provided by these commands -can be used to filter which routes zebra will install in the kernel. - -```{eval-rst} -.. cfgcmd:: set vrf <name> ip protocol <protocol> route-map <route-map> - - Apply a route-map filter to routes for the specified protocol. - - The following protocols can be used: any, babel, bgp, eigrp, - isis, ospf, rip, static - - .. note:: If you choose any as the option that will cause all protocols that - are sending routes to zebra. -``` - -```{eval-rst} -.. cfgcmd:: set vrf <name> ipv6 protocol <protocol> route-map <route-map> - - Apply a route-map filter to routes for the specified protocol. - - The following protocols can be used: any, babel, bgp, isis, - ospfv3, ripng, static - - .. note:: If you choose any as the option that will cause all protocols that - are sending routes to zebra. -``` - -### Nexthop Tracking - -Nexthop tracking resolve nexthops via the default route by default. This is enabled -by default for a traditional profile of FRR which we use. It and can be disabled if -you do not want to e.g. allow BGP to peer across the default route. - -```{eval-rst} -.. cfgcmd:: set vrf name <name> ip nht no-resolve-via-default - - Do not allow IPv4 nexthop tracking to resolve via the default route. This - parameter is configured per-VRF, so the command is also available in the VRF - subnode. -``` - -```{eval-rst} -.. cfgcmd:: set vrf name <name> ipv6 nht no-resolve-via-default - - Do not allow IPv6 nexthop tracking to resolve via the default route. This - parameter is configured per-VRF, so the command is also available in the VRF - subnode. -``` - -### Interfaces - -When VRFs are used it is not only mandatory to create a VRF but also the VRF -itself needs to be assigned to an interface. - -```{eval-rst} -.. cfgcmd:: set interfaces <dummy | ethernet | bonding | bridge | pppoe> - <interface> vrf <name> - - Assign interface identified by `<interface>` to VRF named `<name>`. -``` - -### Routing - -:::{note} -VyOS 1.4 (sagitta) introduced dynamic routing support for VRFs. -::: - -Currently dynamic routing is supported for the following protocols: - -- {ref}`routing-bgp` -- {ref}`routing-isis` -- {ref}`routing-ospf` -- {ref}`routing-ospfv3` -- {ref}`routing-static` - -The CLI configuration is same as mentioned in above articles. The only -difference is, that each routing protocol used, must be prefixed with the `vrf -name <name>` command. - -#### Example - -The following commands would be required to set options for a given dynamic -routing protocol inside a given vrf: - -- {ref}`routing-bgp`: `set vrf name <name> protocols bgp ...` -- {ref}`routing-isis`: `set vrf name <name> protocols isis ...` -- {ref}`routing-ospf`: `set vrf name <name> protocols ospf ...` -- {ref}`routing-ospfv3`: `set vrf name <name> protocols ospfv3 ...` -- {ref}`routing-static`: `set vrf name <name> protocols static ...` - -### Services - -Currently the following services can be created isolated in VRFs - -- {ref}`dhcp-server` - -The CLI configuration is same as mentioned in above articles. The only -difference is, that each service used, must be prefixed with the `vrf -name <name>` command. - -#### Example - -The following commands would be required to set options for a given service -inside a given vrf: - -- {ref}`dhcp-server`: `set vrf name <name> service dhcp-server ...` -- {ref}`dhcp-server`: `set vrf name <name> service dhcpv6-server ...` - -## Operation - -It is not sufficient to only configure a VRF but VRFs must be maintained, too. -For VRF maintenance the following operational commands are in place. - -```{eval-rst} -.. opcmd:: show vrf - - Lists VRFs that have been created - - .. code-block:: none - - vyos@vyos:~$ show vrf - VRF name state mac address flags interfaces - -------- ----- ----------- ----- ---------- - blue up 00:53:12:d8:74:24 noarp,master,up,lower_up dum200,eth0.302 - red up 00:53:de:02:df:aa noarp,master,up,lower_up dum100,eth0.300,bond0.100,peth0 - - .. note:: Command should probably be extended to list also the real - interfaces assigned to this one VRF to get a better overview. -``` - -```{eval-rst} -.. opcmd:: show vrf <name> - - .. code-block:: none - - vyos@vyos:~$ show vrf name blue - VRF name state mac address flags interfaces - -------- ----- ----------- ----- ---------- - blue up 00:53:12:d8:74:24 noarp,master,up,lower_up dum200,eth0.302 -``` - -```{eval-rst} -.. opcmd:: show ip route vrf <name> - - Display IPv4 routing table for VRF identified by `<name>`. - - .. code-block:: none - - vyos@vyos:~$ show ip route vrf blue - Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route, q - queued route, r - rejected route - - VRF blue: - K 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 00:00:50 - S>* 172.16.0.0/16 [1/0] via 192.0.2.1, dum1, 00:00:02 - C>* 192.0.2.0/24 is directly connected, dum1, 00:00:06 - -``` - -```{eval-rst} -.. opcmd:: show ipv6 route vrf <name> - - Display IPv6 routing table for VRF identified by `<name>`. - - .. code-block:: none - - vyos@vyos:~$ show ipv6 route vrf red - Codes: K - kernel route, C - connected, S - static, R - RIPng, - O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table, - v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR, - f - OpenFabric, - > - selected route, * - FIB route, q - queued route, r - rejected route - - VRF red: - K ::/0 [255/8192] unreachable (ICMP unreachable), 00:43:20 - C>* 2001:db8::/64 is directly connected, dum1, 00:02:19 - C>* fe80::/64 is directly connected, dum1, 00:43:19 - K>* ff00::/8 [0/256] is directly connected, dum1, 00:43:19 - -``` - -```{eval-rst} -.. opcmd:: ping <host> vrf <name> - - The ping command is used to test whether a network host is reachable or not. - - Ping uses ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an - ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams (pings) - will have an IP and ICMP header, followed by "struct timeval" and an - arbitrary number of pad bytes used to fill out the packet. - - When doing fault isolation with ping, you should first run it on the local - host, to verify that the local network interface is up and running. Then, - continue with hosts and gateways further down the road towards your - destination. Round-trip time and packet loss statistics are computed. - - Duplicate packets are not included in the packet loss calculation, although - the round-trip time of these packets is used in calculating the minimum/ - average/maximum round-trip time numbers. - - .. note:: Ping command can be interrupted at any given time using ``<Ctrl>+c``. - A brief statistic is shown afterwards. - - .. code-block:: none - - vyos@vyos:~$ ping 192.0.2.1 vrf red - PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data. - 64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=0.070 ms - 64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=0.078 ms - ^C - --- 192.0.2.1 ping statistics --- - 2 packets transmitted, 2 received, 0% packet loss, time 4ms - rtt min/avg/max/mdev = 0.070/0.074/0.078/0.004 ms -``` - -```{eval-rst} -.. opcmd:: traceroute vrf <name> [ipv4 | ipv6] <host> - - Displays the route packets taken to a network host utilizing VRF instance - identified by `<name>`. When using the IPv4 or IPv6 option, displays the - route packets taken to the given hosts IP address family. This option is - useful when the host is specified as a hostname rather than an IP address. -``` - -```{eval-rst} -.. opcmd:: force vrf <name> - - Join a given VRF. This will open a new subshell within the specified VRF. - - The prompt is adjusted to reflect this change in both config and op-mode. - - .. code-block:: none - - vyos@vyos:~$ force vrf blue - vyos@vyos(vrf:blue):~$ -``` - -(vrf-example)= - -## Example - -### VRF route leaking - -The following example topology was built using EVE-NG. - -:::{figure} /_static/images/vrf-example-topology-01.webp -:alt: VRF topology example - -VRF route leaking -::: - -- PC1 is in the `default` VRF and acting as e.g. a "fileserver" -- PC2 is in VRF `blue` which is the development department -- PC3 and PC4 are connected to a bridge device on router `R1` which is in VRF - `red`. Say this is the HR department. -- R1 is managed through an out-of-band network that resides in VRF `mgmt` - -(vrf-example-configuration)= - -#### Configuration - -```none -set interfaces bridge br10 address '10.30.0.254/24' -set interfaces bridge br10 member interface eth3 -set interfaces bridge br10 member interface eth4 -set interfaces bridge br10 vrf 'red' - -set interfaces ethernet eth0 address 'dhcp' -set interfaces ethernet eth0 vrf 'mgmt' -set interfaces ethernet eth1 address '10.0.0.254/24' -set interfaces ethernet eth2 address '10.20.0.254/24' -set interfaces ethernet eth2 vrf 'blue' - -set protocols static route 10.20.0.0/24 interface eth2 vrf 'blue' -set protocols static route 10.30.0.0/24 interface br10 vrf 'red' - -set service ssh disable-host-validation -set service ssh vrf 'mgmt' - -set system name-server 'eth0' - -set vrf name blue protocols static route 10.0.0.0/24 interface eth1 vrf 'default' -set vrf name blue table '3000' -set vrf name mgmt table '1000' -set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default' -set vrf name red table '2000' -``` - -### VRF and NAT - -(vrf-nat-configuration)= - -#### Configuration - -```none -set interfaces ethernet eth0 address '172.16.50.12/24' -set interfaces ethernet eth0 vrf 'red' - -set interfaces ethernet eth1 address '192.168.130.100/24' -set interfaces ethernet eth1 vrf 'blue' - -set nat destination rule 110 description 'NAT ssh- INSIDE' -set nat destination rule 110 destination port '2022' -set nat destination rule 110 inbound-interface name 'eth0' -set nat destination rule 110 protocol 'tcp' -set nat destination rule 110 translation address '192.168.130.40' - -set nat source rule 100 outbound-interface name 'eth0' -set nat source rule 100 protocol 'all' -set nat source rule 100 source address '192.168.130.0/24' -set nat source rule 100 translation address 'masquerade' - -set service ssh vrf 'red' - -set vrf bind-to-all -set vrf name blue protocols static route 0.0.0.0/0 next-hop 172.16.50.1 vrf 'red' -set vrf name blue protocols static route 172.16.50.0/24 interface eth0 vrf 'red' -set vrf name blue table '1010' - -set vrf name red protocols static route 0.0.0.0/0 next-hop 172.16.50.1 -set vrf name red protocols static route 192.168.130.0/24 interface eth1 vrf 'blue' -set vrf name red table '2020' -``` - -(vrf-example-operation)= - -#### Operation - -After committing the configuration we can verify all leaked routes are -installed, and try to ICMP ping PC1 from PC3. - -```none -PCS> ping 10.0.0.1 - -84 bytes from 10.0.0.1 icmp_seq=1 ttl=63 time=1.943 ms -84 bytes from 10.0.0.1 icmp_seq=2 ttl=63 time=1.618 ms -84 bytes from 10.0.0.1 icmp_seq=3 ttl=63 time=1.745 ms -``` - -> - -```none -VPCS> show ip - -NAME : VPCS[1] -IP/MASK : 10.30.0.1/24 -GATEWAY : 10.30.0.254 -DNS : -MAC : 00:50:79:66:68:0f -``` - -##### VRF default routing table - -```none -vyos@R1:~$ show ip route -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - -C>* 10.0.0.0/24 is directly connected, eth1, 00:07:44 -S>* 10.20.0.0/24 [1/0] is directly connected, eth2 (vrf blue), weight 1, 00:07:38 -S>* 10.30.0.0/24 [1/0] is directly connected, br10 (vrf red), weight 1, 00:07:38 -``` - -##### VRF red routing table - -```none -vyos@R1:~$ show ip route vrf red -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - -VRF red: -K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 00:07:57 -S>* 10.0.0.0/24 [1/0] is directly connected, eth1 (vrf default), weight 1, 00:07:40 -C>* 10.30.0.0/24 is directly connected, br10, 00:07:54 -``` - -##### VRF blue routing table - -```none -vyos@R1:~$ show ip route vrf blue -Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route, q - queued, r - rejected, b - backup - -VRF blue: -K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 00:08:00 -S>* 10.0.0.0/24 [1/0] is directly connected, eth1 (vrf default), weight 1, 00:07:44 -C>* 10.20.0.0/24 is directly connected, eth2, 00:07:53 -``` - -# L3VPN VRFs - -{abbr}`L3VPN VRFs ( Layer 3 Virtual Private Networks )` bgpd supports for -IPv4 RFC 4364 and IPv6 RFC 4659. L3VPN routes, and their associated VRF -MPLS labels, can be distributed to VPN SAFI neighbors in the default, i.e., -non VRF, BGP instance. VRF MPLS labels are reached using core MPLS labels -which are distributed using LDP or BGP labeled unicast. -bgpd also supports inter-VRF route leaking. - -(l3vpn-vrf-route-leaking)= - -## VRF Route Leaking - -BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN -SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may -also be leaked between any VRFs (including the unicast RIB of the default BGP -instance). A shortcut syntax is also available for specifying leaking from -one VRF to another VRF using the default instance’s VPN RIB as the intemediary -. A common application of the VRF-VRF feature is to connect a customer’s -private routing domain to a provider’s VPN service. Leaking is configured from -the point of view of an individual VRF: import refers to routes leaked from VPN -to a unicast VRF, whereas export refers to routes leaked from a unicast VRF to -VPN. - -:::{note} -Routes exported from a unicast VRF to the VPN RIB must be augmented -by two parameters: - -> an RD / RTLIST - -Configuration for these exported routes must, at a minimum, specify -these two parameters. -::: - -(l3vpn-vrf-example-configuration)= - -## Configuration - -Configuration of route leaking between a unicast VRF RIB and the VPN SAFI RIB -of the default VRF is accomplished via commands in the context of a VRF -address-family. - -```{eval-rst} -.. cfgcmd:: set vrf name <name> protocols bgp address-family - <ipv4-unicast|ipv6-unicast> rd vpn export <asn:nn|address:nn> - - Specifies the route distinguisher to be added to a route exported from the - current unicast VRF to VPN. -``` - -```{eval-rst} -.. cfgcmd:: set vrf name <name> protocols bgp address-family - <ipv4-unicast|ipv6-unicast> route-target vpn <import|export|both> - [RTLIST] - - Specifies the route-target list to be attached to a route (export) or the - route-target list to match against (import) when exporting/importing - between the current unicast VRF and VPN.The RTLIST is a space-separated - list of route-targets, which are BGP extended community values as - described in Extended Communities Attribute. -``` - -```{eval-rst} -.. cfgcmd:: set vrf name <name> protocols bgp address-family - <ipv4-unicast|ipv6-unicast> label vpn export <0-1048575|auto> - - Enables an MPLS label to be attached to a route exported from the current - unicast VRF to VPN. If the value specified is auto, the label value is - automatically assigned from a pool maintained. -``` - -```{eval-rst} -.. cfgcmd:: set vrf name <name> protocols bgp address-family - <ipv4-unicast|ipv6-unicast> label vpn allocation-mode per-nexthop - - Select how labels are allocated in the given VRF. By default, the per-vrf - mode is selected, and one label is used for all prefixes from the VRF. The - per-nexthop will use a unique label for all prefixes that are reachable via - the same nexthop. -``` - -```{eval-rst} -.. cfgcmd:: set vrf name <name> protocols bgp address-family - <ipv4-unicast|ipv6-unicast> route-map vpn <import|export> - [route-map <name>] - - Specifies an optional route-map to be applied to routes imported or - exported between the current unicast VRF and VPN. -``` - -```{eval-rst} -.. cfgcmd:: set vrf name <name> protocols bgp address-family - <ipv4-unicast|ipv6-unicast> <import|export> vpn - - Enables import or export of routes between the current unicast VRF and VPN. -``` - -```{eval-rst} -.. cfgcmd:: set vrf name <name> protocols bgp address-family - <ipv4-unicast|ipv6-unicast> import vrf <name> - - Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the - current VRF using the VPN RIB as intermediary. The RD and RT are auto - derived and should not be specified explicitly for either the source or - destination VRF’s. -``` - -```{eval-rst} -.. cfgcmd:: set vrf name <name> protocols bgp address-family - <ipv4-unicast|ipv6-unicast> route-map vrf import - [route-map <name>] - - Specifies an optional route-map to be applied to routes imported from VRFs. -``` - -```{eval-rst} -.. cfgcmd:: set vrf name <name> protocols bgp interface <interface> mpls - forwarding - - It is possible to permit BGP install VPN prefixes without transport labels. - This configuration will install VPN prefixes originated from an e-bgp session, - and with the next-hop directly connected. -``` - -(l3vpn-vrf-example-operation)= - -## Operation - -It is not sufficient to only configure a L3VPN VRFs but L3VPN VRFs must be -maintained, too.For L3VPN VRF maintenance the following operational commands -are in place. - -```{eval-rst} -.. opcmd:: show bgp <ipv4|ipv6> vpn - - Print active IPV4 or IPV6 routes advertised via the VPN SAFI. - - .. code-block:: none - - BGP table version is 2, local router ID is 10.0.1.1, vrf id 0 - Default local pref 100, local AS 65001 - Status codes: s suppressed, d damped, h history, * valid, > best, = multipath, - i internal, r RIB-failure, S Stale, R Removed - Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self - Origin codes: i - IGP, e - EGP, ? - incomplete - - Network Next Hop Metric LocPrf Weight Path - Route Distinguisher: 10.50.50.1:1011 - *>i10.50.50.0/24 10.0.0.7 0 100 0 i - UN=10.0.0.7 EC{65035:1011} label=80 type=bgp, subtype=0 - Route Distinguisher: 10.60.60.1:1011 - *>i10.60.60.0/24 10.0.0.10 0 100 0 i - UN=10.0.0.10 EC{65035:1011} label=80 type=bgp, subtype=0 -``` - -```{eval-rst} -.. opcmd:: show bgp <ipv4|ipv6> vpn summary - - Print a summary of neighbor connections for the specified AFI/SAFI - combination. - - .. code-block:: none - - BGP router identifier 10.0.1.1, local AS number 65001 vrf-id 0 - BGP table version 0 - RIB entries 9, using 1728 bytes of memory - Peers 4, using 85 KiB of memory - Peer groups 1, using 64 bytes of memory - - Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt - 10.0.0.7 4 65001 2860 2870 0 0 0 1d23h34m 2 10 - -``` - -```{include} /_include/common-references.txt -``` |
