diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-02 17:54:19 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-06 16:18:03 +0300 |
| commit | f7bab3007a9e0d0fef3ec551a677380a00b12d6a (patch) | |
| tree | f46b904bd00ad186308fbd3c9bedcdadf3b2aa05 /docs/configuration | |
| parent | fa54a080fac977157454beb0853daf0ac0e6af66 (diff) | |
| download | vyos-documentation-f7bab3007a9e0d0fef3ec551a677380a00b12d6a.tar.gz vyos-documentation-f7bab3007a9e0d0fef3ec551a677380a00b12d6a.zip | |
chore(swap): remove canary md-*.md files and docs/superpowers
- Remove 115 canary md-*.md files (incremental swap helpers no longer needed)
- Remove 8 files under docs/superpowers (project planning/design docs that
shouldn't ship in the documentation tree)
🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'docs/configuration')
30 files changed, 0 insertions, 5653 deletions
diff --git a/docs/configuration/firewall/md-bridge.md b/docs/configuration/firewall/md-bridge.md deleted file mode 100644 index 42442ee7..00000000 --- a/docs/configuration/firewall/md-bridge.md +++ /dev/null @@ -1,673 +0,0 @@ ---- -lastproofread: '2026-03-28' ---- - -(firewall-configuration)= - -# Bridge Firewall Configuration - -## Overview - -Learn more about bridge firewall configuration -and related op-mode commands. - -The following commands are covered in this section: - -```{cfgcmd} set firewall bridge \<options\> -``` -From the main structure defined in -{doc}`Firewall Overview</configuration/firewall/index>` -in this section you can find detailed information only for the next part -of the general structure: -```none -- set firewall - * bridge - - forward - + filter - - input - + filter - - output - + filter - - prerouting - + filter - - name - + custom_name -``` -Traffic that is received by the router on an interface that is a member of a -bridge is processed on the **Bridge Layer**. Before the bridge decision is -made, all packets are analyzed at **Prerouting**. First filters can be applied -here, and also rules for ignoring connection tracking system can be configured. -The relevant configuration that acts in **prerouting** is: - - -- `set firewall bridge prerouting filter ...`. - - -For traffic that needs to be switched internally by the bridge, the base -chain is **forward**, and its base command for filtering is `set firewall -bridge forward filter ...`, which happens in stage 4, highlighted with red -color. - - -:::{figure} /_static/images/firewall-bridge-forward.png -::: - - -For traffic destined to the router itself or that needs to be routed -(assuming a layer3 bridge is configured), the base chain is **input**, and the -base command is `set firewall bridge input filter ...` and the path is: - - -:::{figure} /_static/images/firewall-bridge-input.png -::: - - -If it's not dropped, then the packet is sent to **IP Layer**, and will be -processed by the **IP Layer** firewall: IPv4 or IPv6 ruleset. Check once again -the {doc}`general packet flow diagram</configuration/firewall/index>` if -needed. - - -For traffic that originates from the bridge itself, the base chain is -**output**, and the base command is `set firewall bridge output filter -...`, and the path is: - - -:::{figure} /_static/images/firewall-bridge-output.png -::: - - -Custom bridge firewall chains can be created with the command `set firewall -bridge name <name> ...`. To use such a custom chain, a rule with action jump -and the appropriate target must be defined in a base chain. - - -## Bridge Rules - - -For firewall filtering, firewall rules need to be created. Each rule is -numbered, has an action to apply if the rule is matched, and the ability -to specify multiple matching criteria. Data packets go through the rules -from 1 - 999999, so order is crucial. At the first match the action of the -rule will be executed. - - -### Actions - - -If a rule is defined, an action must also be defined for it. This tells the -firewall what to do if all matching criteria in the rule are met. - - -In firewall bridge rules, the action can be: - - -- `accept`: accept the packet. -- `continue`: continue parsing next rule. -- `drop`: drop the packet. -- `jump`: jump to another custom chain. -- `return`: Return from the current chain and continue at the next rule - of the last chain. -- `queue`: Enqueue packet to userspace. -- `notrack`: ignore connection tracking system. This action is only - available in prerouting chain. -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> action [accept | continue | drop | jump | queue | return] -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> action [accept | continue | drop | jump | queue | return] -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> action [accept | continue | drop | jump | queue | return] -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> action [accept | continue | drop | jump | notrack | queue | return] -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> action [accept | continue | drop | jump | queue | return] - - -This required setting defines the action of the current rule. If action is -set to jump, then jump-target is also needed. -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> jump-target \<text\> -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> jump-target \<text\> -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> jump-target \<text\> -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> jump-target \<text\> -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> jump-target \<text\> - - -If action is set to ``queue``, use next command to specify the queue -target. Range is also supported: -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> queue \<0-65535\> -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> queue \<0-65535\> -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> queue \<0-65535\> -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> queue \<0-65535\> -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> queue \<0-65535\> - - -Also, if action is set to ``queue``, use next command to specify the queue -options. Possible options are ``bypass`` and ``fanout``: -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> queue-options bypass -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> queue-options bypass -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> queue-options bypass -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> queue-options bypass -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> queue-options bypass -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> queue-options fanout -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> queue-options fanout -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> queue-options fanout -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> queue-options fanout -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> queue-options fanout -``` -Also, **default-action** is an action that takes place whenever a packet does -not match any rule in its chain. For base chains, possible options for -**default-action** are **accept** or **drop**. -```{cfgcmd} set firewall bridge forward filter default-action [accept | drop] -``` - -```{cfgcmd} set firewall bridge input filter default-action [accept | drop] -``` - -```{cfgcmd} set firewall bridge output filter default-action [accept | drop] -``` - -```{cfgcmd} set firewall bridge prerouting filter default-action [accept | drop] -``` - -```{cfgcmd} set firewall bridge name \<name\> default-action [accept | continue | drop | jump | reject | return] - - -This sets the default action of the rule-set if a packet does not match -any of the rules in that chain. If default-action is set to ``jump``, then -``default-jump-target`` is also needed. Note that for base chains, default -action can only be set to ``accept`` or ``drop``, while on custom chains -more actions are available. -``` - -```{cfgcmd} set firewall bridge name \<name\> default-jump-target \<text\> - -To be used only when ``default-action`` is set to ``jump``. Use this -command to specify jump target for default rule. -``` -:::{note} -**Important note about default-actions:** -If the default action for any base chain is not defined, then the default -action is set to **accept** for that chain. For custom chains, if the -default action is not defined, then the default-action is set to **drop**. -::: - - -### Firewall Logs - - -You can enable logging for every firewall rule. If enabled, other log options -can be configured. -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> log -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> log -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> log -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> log -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> log - -Enable logging for the matched packet. If this configuration command is not -present, then the log is not enabled. -``` - -```{cfgcmd} set firewall bridge forward filter default-log -``` - -```{cfgcmd} set firewall bridge input filter default-log -``` - -```{cfgcmd} set firewall bridge output filter default-log -``` - -```{cfgcmd} set firewall bridge prerouting filter default-log -``` - -```{cfgcmd} set firewall bridge name \<name\> default-log - -Use this command to enable the logging of the default action on -the specified chain. -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> log-options level [emerg | alert | crit | err | warn | notice | info | debug] -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> log-options level [emerg | alert | crit | err | warn | notice | info | debug] -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> log-options level [emerg | alert | crit | err | warn | notice | info | debug] -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> log-options level [emerg | alert | crit | err | warn | notice | info | debug] -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> log-options level [emerg | alert | crit | err | warn | notice | info | debug] - - -Define log-level. Only applicable if rule log is enabled. -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> log-options group \<0-65535\> -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> log-options group \<0-65535\> -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> log-options group \<0-65535\> -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> log-options group \<0-65535\> -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> log-options group \<0-65535\> - - -Define the log group to send messages to. Only applicable if rule log is -enabled. -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> log-options snapshot-length \<0-9000\> -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> log-options snapshot-length \<0-9000\> -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> log-options snapshot-length \<0-9000\> -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> log-options snapshot-length \<0-9000\> -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> log-options snapshot-length \<0-9000\> - - -Define length of packet payload to include in netlink message. Only -applicable if rule log is enabled and the log group is defined. -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> log-options queue-threshold \<0-65535\> -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> log-options queue-threshold \<0-65535\> -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> log-options queue-threshold \<0-65535\> -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> log-options queue-threshold \<0-65535\> -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> log-options queue-threshold \<0-65535\> - - -Define the number of packets to queue inside the kernel before sending them -to userspace. Only applicable if rule log is enabled and the log group is -defined. -``` -### Firewall Description - - -You can define a description for reference for every custom chain. -```{cfgcmd} set firewall bridge name \<name\> description \<text\> - -Provide a rule-set description to a custom firewall chain. -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> description \<text\> -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> description \<text\> -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> description \<text\> -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> description \<text\> -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> description \<text\> - - -Provide a description for each rule. -``` -### Rule Status - - -By default, when you define a rule, it is enabled. In some cases, it is -useful to disable the rule instead of removing it. -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> disable -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> disable -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> disable -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> disable -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> disable - -Command for disabling a rule but keep it in the configuration. -``` -### Matching criteria - - -There are many matching criteria against which a packet can be tested. Refer -to {doc}`IPv4</configuration/firewall/ipv4>` and -{doc}`IPv6</configuration/firewall/ipv6>` matching criteria for more details. - - -Since bridges operate at layer 2, both matchers for IPv4 and IPv6 are -supported in bridge firewall configuration. Same applies to firewall groups. - - -Same specific matching criteria that can be used in bridge firewall are -described in this section: -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] - - -Match based on the Ethernet type of the packet. -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> vlan ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> vlan ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> vlan ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> vlan ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> vlan ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6] - - -Match based on the Ethernet type of the packet when it is VLAN tagged. -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> vlan id \<0-4096\> -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> vlan id \<0-4096\> -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> vlan id \<0-4096\> -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> vlan id \<0-4096\> -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> vlan id \<0-4096\> - - -Match based on VLAN identifier. Range is also supported. -``` - -```{cfgcmd} set firewall bridge forward filter rule \<1-999999\> vlan priority \<0-7\> -``` - -```{cfgcmd} set firewall bridge input filter rule \<1-999999\> vlan priority \<0-7\> -``` - -```{cfgcmd} set firewall bridge output filter rule \<1-999999\> vlan priority \<0-7\> -``` - -```{cfgcmd} set firewall bridge prerouting filter rule \<1-999999\> vlan priority \<0-7\> -``` - -```{cfgcmd} set firewall bridge name \<name\> rule \<1-999999\> vlan priority \<0-7\> - - -Match based on VLAN priority (Priority Code Point - PCP). Range is also -supported. -``` -### Packet Modifications - - -Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify -packets before they are sent out. This feaure provides more flexibility in -packet handling. -```{cfgcmd} set firewall bridge [prerouting | forward | output] filter rule \<1-999999\> set dscp \<0-63\> - - -Set a specific value of Differentiated Services Codepoint (DSCP). -``` - -```{cfgcmd} set firewall bridge [prerouting | forward | output] filter rule \<1-999999\> set mark \<1-2147483647\> - - -Set a specific packet mark value. -``` - -```{cfgcmd} set firewall bridge [prerouting | forward | output] filter rule \<1-999999\> set tcp-mss \<500-1460\> - - -Set the TCP-MSS (TCP maximum segment size) for the connection. -``` - -```{cfgcmd} set firewall bridge [prerouting | forward | output] filter rule \<1-999999\> set ttl \<0-255\> - - -Set the TTL (Time to Live) value. -``` - -```{cfgcmd} set firewall bridge [prerouting | forward | output] filter rule \<1-999999\> set hop-limit \<0-255\> - - -Set hop limit value. -``` - -```{cfgcmd} set firewall bridge [forward | output] filter rule \<1-999999\> set connection-mark \<0-2147483647\> - - -Set connection mark value. -``` -### Use IP firewall - -By default, for switched traffic, only the rules defined under `set firewall -bridge` are applied. There are two global-options that can be configured in -order to force deeper analysis of the packet on the IP layer. These options -are: -```{cfgcmd} set firewall global-options apply-to-bridged-traffic ipv4 - -This command enables the IPv4 firewall for bridged traffic. If this option -is used, packets are also parsed by rules defined in ``set firewall ipv4 -...`` -``` - -```{cfgcmd} set firewall global-options apply-to-bridged-traffic ipv6 - -This command enables the IPv6 firewall for bridged traffic. If this option -is used, packets are also parsed by rules defined in ``set firewall ipv6 -...`` -``` -## Operation-mode Firewall -### Rule-set overview -In this section you can find all useful firewall op-mode commands. -General commands for firewall configuration, counter and statistics: -```{opcmd} show firewall -``` - -```{opcmd} show firewall summary -``` - -```{opcmd} show firewall statistics -``` -And, to print only bridge firewall information: -```{opcmd} show firewall bridge -``` - -```{opcmd} show firewall bridge forward filter -``` - -```{opcmd} show firewall bridge forward filter rule \<rule\> -``` - -```{opcmd} show firewall bridge name \<name\> -``` - -```{opcmd} show firewall bridge name \<name\> rule \<rule\> -``` -### Show Firewall log -```{opcmd} show log firewall -``` - -```{opcmd} show log firewall bridge -``` - -```{opcmd} show log firewall bridge forward -``` - -```{opcmd} show log firewall bridge forward filter -``` - -```{opcmd} show log firewall bridge name \<name\> -``` - -```{opcmd} show log firewall bridge forward filter rule \<rule\> -``` - -```{opcmd} show log firewall bridge name \<name\> rule \<rule\> - -Show the logs of all firewall; show all bridge firewall logs; show all logs -for forward hook; show all logs for forward hook and priority filter; show -all logs for particular custom chain; show logs for specific Rule-Set. -``` -### Example -Configuration example: -```none -set firewall bridge forward filter default-action 'drop' -set firewall bridge forward filter default-log -set firewall bridge forward filter rule 10 action 'continue' -set firewall bridge forward filter rule 10 inbound-interface name 'eth2' -set firewall bridge forward filter rule 10 vlan id '22' -set firewall bridge forward filter rule 20 action 'drop' -set firewall bridge forward filter rule 20 inbound-interface group 'TRUNK-RIGHT' -set firewall bridge forward filter rule 20 vlan id '60' -set firewall bridge forward filter rule 30 action 'jump' -set firewall bridge forward filter rule 30 jump-target 'TEST' -set firewall bridge forward filter rule 30 outbound-interface name '!eth1' -set firewall bridge forward filter rule 35 action 'accept' -set firewall bridge forward filter rule 35 vlan id '11' -set firewall bridge forward filter rule 40 action 'continue' -set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11' -set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66' -set firewall bridge name TEST default-action 'accept' -set firewall bridge name TEST default-log -set firewall bridge name TEST rule 10 action 'continue' -set firewall bridge name TEST rule 10 log -set firewall bridge name TEST rule 10 vlan priority '0' -``` -And op-mode commands: -```none -vyos@BRI:~$ show firewall bridge -Rulesets bridge Information - ---------------------------------- -bridge Firewall "forward filter" - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- --------------------------------------------------------------------- -10 continue all 0 0 iifname "eth2" vlan id 22 continue -20 drop all 0 0 iifname @I_TRUNK-RIGHT vlan id 60 -30 jump all 2130 170688 oifname != "eth1" jump NAME_TEST -35 accept all 2080 168616 vlan id 11 accept -40 continue all 0 0 ether daddr 66:55:44:33:22:11 ether saddr 11:22:33:44:55:66 continue -default drop all 0 0 - ---------------------------------- -bridge Firewall "name TEST" - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- -------------------------------------------------- -10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue -default accept all 2130 170688 - -vyos@BRI:~$ -vyos@BRI:~$ show firewall bridge name TEST -Ruleset Information - ---------------------------------- -bridge Firewall "name TEST" - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- -------------------------------------------------- -10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue -default accept all 2130 170688 - -vyos@BRI:~$ -``` -Inspect logs: -```none -vyos@BRI:~$ show log firewall bridge -Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 -Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 -Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 -... -vyos@BRI:~$ show log firewall bridge forward filter -Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 -Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 -``` diff --git a/docs/configuration/firewall/md-global-options.md b/docs/configuration/firewall/md-global-options.md deleted file mode 100644 index 3a480472..00000000 --- a/docs/configuration/firewall/md-global-options.md +++ /dev/null @@ -1,214 +0,0 @@ ---- -lastproofread: '2026-03-30' ---- - -(firewall-global-options-configuration)= - -# Global Options Firewall Configuration - -## Overview - -Some firewall settings are global and affect the entire system. This section -provides information about these global options that you can configure using -the VyOS CLI. - -Configuration commands covered in this section: - -```{cfgcmd} set firewall global-options ... -``` -## Configuration -```{cfgcmd} set firewall global-options all-ping [enable | disable] - -By default, when VyOS receives an ICMP echo request packet destined for -itself, it answers with an ICMP echo reply, unless your firewall prevents -it. - -You can set firewall rules to accept, drop, or reject ICMP in, out, or -local traffic. You can also use the **firewall global-options all-ping** -command. This command affects only LOCAL traffic (packets destined for your -VyOS system), not IN or OUT traffic. - -:::{note} -**firewall global-options all-ping** affects only LOCAL traffic -and always behaves in the most restrictive way -::: -:::{code-block} none -set firewall global-options all-ping enable -::: -When you set this command, VyOS answers every ICMP echo request addressed -to itself, but that response occurs only if no other rule drops or rejects -local echo requests. In case of conflict, VyOS does not answer ICMP echo -requests. - -:::{code-block} none -set firewall global-options all-ping disable -::: -When you set this command, VyOS answers no ICMP echo requests addressed to -itself, regardless of where they come from or what specific rules accept -them. -``` - -```{cfgcmd} set firewall global-options apply-to-bridged-traffic [ipv4 | ipv6] - -Apply IPv4 or IPv6 firewall rules to bridged traffic. -``` - -```{cfgcmd} set firewall global-options broadcast-ping [enable | disable] - -Enable or disable the response to ICMP broadcast messages. The system -alters the following parameter: -* ``net.ipv4.icmp_echo_ignore_broadcasts`` -``` - -```{cfgcmd} set firewall global-options ip-src-route [enable | disable] -``` - -```{cfgcmd} set firewall global-options ipv6-src-route [enable | disable] - -Set whether VyOS accepts packets with a source route option. -The following sysctl parameters will be changed: -* ``net.ipv4.conf.all.accept_source_route`` -* ``net.ipv6.conf.all.accept_source_route`` -``` - -```{cfgcmd} set firewall global-options receive-redirects [enable | disable] -``` - -```{cfgcmd} set firewall global-options ipv6-receive-redirects [enable | disable] - -Allow VyOS to accept ICMPv4 and ICMPv6 redirect messages. -The following sysctl parameters will be changed: -* ``net.ipv4.conf.all.accept_redirects`` -* ``net.ipv6.conf.all.accept_redirects`` -``` - -```{cfgcmd} set firewall global-options send-redirects [enable | disable] - -Allow VyOS to send ICMPv4 redirect messages. -The following sysctl parameter will be changed: -* ``net.ipv4.conf.all.send_redirects`` -``` - -```{cfgcmd} set firewall global-options log-martians [enable | disable] - -Allow VyOS to log martian IPv4 packets. -The following sysctl parameter will be changed: -* ``net.ipv4.conf.all.log_martians`` -``` - -```{cfgcmd} set firewall global-options source-validation [strict | loose | disable] - -Set the IPv4 source validation mode. -The following sysctl parameter will be changed: -* ``net.ipv4.conf.all.rp_filter`` -``` - -```{cfgcmd} set firewall global-options syn-cookies [enable | disable] - -Allow VyOS to use IPv4 TCP SYN Cookies. -The following sysctl parameter will be changed: -* ``net.ipv4.tcp_syncookies`` -``` - -```{cfgcmd} set firewall global-options twa-hazards-protection [enable | disable] - -Enable or disable VyOS {rfc}`1337` conformance. -The following sysctl parameter will be changed: -* ``net.ipv4.tcp_rfc1337`` -``` - -```{cfgcmd} set firewall global-options state-policy established action [accept | drop | reject] -``` - -```{cfgcmd} set firewall global-options state-policy established log -``` - -```{cfgcmd} set firewall global-options state-policy established log-level [emerg | alert | crit | err | warn | notice | info | debug] - -Set the global setting for an established connection. -``` - -```{cfgcmd} set firewall global-options state-policy invalid action [accept | drop | reject] -``` - -```{cfgcmd} set firewall global-options state-policy invalid log -``` - -```{cfgcmd} set firewall global-options state-policy invalid log-level [emerg | alert | crit | err | warn | notice | info | debug] - -Set the global setting for invalid packets. -``` - -```{cfgcmd} set firewall global-options state-policy related action [accept | drop | reject] -``` - -```{cfgcmd} set firewall global-options state-policy related log -``` - -```{cfgcmd} set firewall global-options state-policy related log-level [emerg | alert | crit | err | warn | notice | info | debug] - -Set the global setting for related connections. -``` -VyOS supports setting timeouts for connections by connection type. You can -set timeout values for generic connections, ICMP connections, UDP -connections, or TCP connections in various states. -```{cfgcmd} set firewall global-options timeout icmp \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout other \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout tcp close \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout tcp close-wait \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout tcp established \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout tcp fin-wait \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout tcp last-ack \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout tcp syn-recv \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout tcp syn-sent \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout tcp time-wait \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout udp other \<1-21474836\> - -:defaultvalue: -``` - -```{cfgcmd} set firewall global-options timeout udp stream \<1-21474836\> -:defaultvalue: - -Set the timeout in seconds for a protocol or state. -```
\ No newline at end of file diff --git a/docs/configuration/firewall/md-groups.md b/docs/configuration/firewall/md-groups.md deleted file mode 100644 index 2e4bdec1..00000000 --- a/docs/configuration/firewall/md-groups.md +++ /dev/null @@ -1,419 +0,0 @@ ---- -lastproofread: '2026-03-30' ---- - -(firewall-groups-configuration)= - -# Firewall groups - -## Configuration - -Firewall groups represent collections of IP addresses, networks, ports, -MAC addresses, domains, or interfaces. You can reference a group in firewall, -NAT, and policy route rules as either a source or destination matcher, and/or -as inbound or outbound in the case of interface groups. - -### Address Groups - -An **address group** contains a single IP address or IP address range. - -```{cfgcmd} set firewall group address-group \<name\> address [address | address range] - -``` -```{cfgcmd} set firewall group ipv6-address-group \<name\> address \<address\> - -Define an IPv4 or IPv6 address group. - -:::{code-block} none -set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 -set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 -set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 -::: -``` - -```{cfgcmd} set firewall group address-group \<name\> description \<text\> -``` - -```{cfgcmd} set firewall group ipv6-address-group \<name\> description \<text\> - -Provide an IPv4 or IPv6 address group description. -``` -### Remote Groups -A **remote-group** uses a URL that hosts a newline-delimited list of IPv4 -and/or IPv6 addresses, CIDRs, and ranges. VyOS pulls this list periodically -according to the frequency you define in the firewall **resolver-interval** -and loads matching entries into the group for use in rules. The list is cached -in persistent storage, so rules continue to function if updates fail. -```{cfgcmd} set firewall group remote-group \<name\> url \<http(s) url\> - -Specify a remote list of IPv4 and/or IPv6 addresses, ranges, and CIDRs -to fetch. -``` - -```{cfgcmd} set firewall group remote-group \<name\> description \<text\> - -Set a description for a remote group. -``` -The remote list format is flexible. VyOS attempts to parse the first word of -each line as an entry and skips lines it cannot match. Lines that begin with -an alphanumeric character but do not match valid IPv4 or IPv6 addresses, -ranges, or CIDRs are logged to the system log. The following examples show -acceptable formats that VyOS parses correctly: -```none -127.0.0.1 -127.0.0.0/24 -127.0.0.1-127.0.0.254 -2001:db8::1 -2001:db8:cafe::/48 -2001:db8:cafe::1-2001:db8:cafe::ffff -``` -### Network Groups -**Network groups** accept IP networks in CIDR notation. You can add specific -IP addresses as a 32-bit prefix. If you need to add a mix of addresses and -networks, use a network group. -```{cfgcmd} set firewall group network-group \<name\> network \<CIDR\> -``` - -```{cfgcmd} set firewall group ipv6-network-group \<name\> network \<CIDR\> - -Define an IPv4 or IPv6 network group. - -:::{code-block} none -set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 -set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 -set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 -::: -``` - -```{cfgcmd} set firewall group network-group \<name\> description \<text\> -``` - -```{cfgcmd} set firewall group ipv6-network-group \<name\> description \<text\> - -Provide an IPv4 or IPv6 network group description. -``` -### Interface Groups -An **interface group** represents a collection of interfaces. -```{cfgcmd} set firewall group interface-group \<name\> interface \<text\> - -Define an interface group. -Wildcard ``*`` is supported. For example: ``eth3*``. -Prepend the character ``!`` to invert the criteria. For example: ``!eth2``. -``` - -```none -set firewall group interface-group LAN interface bond1001 -set firewall group interface-group LAN interface eth3* -``` - -```{cfgcmd} set firewall group interface-group \<name\> description \<text\> - -Provide an interface group description. -``` -### Port Groups -A **port group** represents only port numbers, not the protocol. You can -reference port groups for either TCP or UDP. Create TCP and UDP groups -separately to avoid accidentally filtering unnecessary ports. Specify port -ranges by using `-`. -```{cfgcmd} set firewall group port-group \<name\> port [portname | portnumber | startport-endport] - -Define a port group. A port name can be any name defined in -/etc/services. For example, ``http``. - -:::{code-block} none -set firewall group port-group PORT-TCP-SERVER1 port http -set firewall group port-group PORT-TCP-SERVER1 port 443 -set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 -::: -``` - -```{cfgcmd} set firewall group port-group \<name\> description \<text\> - -Provide a port group description. -``` -### MAC Groups -A **mac group** represents a collection of mac addresses. -```{cfgcmd} set firewall group mac-group \<name\> mac-address \<mac-address\> - -Define a mac group. -``` - -```none -set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f -set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 -``` - -```{cfgcmd} set firewall group mac-group \<name\> description \<text\> - -Provide a MAC group description. -``` -### Domain Groups -A **domain group** represents a collection of domains. -```{cfgcmd} set firewall group domain-group \<name\> address \<domain\> - -Define a domain group. -``` - -```none -set firewall group domain-group DOM address example.com -``` - -```{cfgcmd} set firewall group domain-group \<name\> description \<text\> - -Provide a domain group description. -``` -### Dynamic Groups -Firewall dynamic groups differ from other groups because you can use them as -source/destination in firewall rules, and members are not defined statically -in VyOS configuration. Instead, firewall rules dynamically add members to -these groups. - -#### Defining Dynamic Address Groups -Dynamic address groups support both IPv4 and IPv6 families. Use these -commands to define dynamic IPv4 and IPv6 address groups: -```{cfgcmd} set firewall group dynamic-group address-group \<name\> -``` - -```{cfgcmd} set firewall group dynamic-group ipv6-address-group \<name\> -``` -Add description to firewall groups: -```{cfgcmd} set firewall group dynamic-group address-group \<name\> description <text> -``` - -```{cfgcmd} set firewall group dynamic-group ipv6-address-group \<name\> description <text> -``` -#### Adding elements to Dynamic Firewall Groups -After you define dynamic firewall groups, use them in firewall rules to -dynamically add elements to them. - -Commands used for this task are: -- Add destination IP address of the connection to a dynamic address group: -```{cfgcmd} set firewall ipv4 [forward | input | output] filter rule \<1-999999\> add-address-to-group destination-address address-group \<name\> -``` - -```{cfgcmd} set firewall ipv4 name \<name\> rule \<1-999999\> add-address-to-group destination-address address-group <name> -``` - -```{cfgcmd} set firewall ipv6 [forward | input | output] filter rule \<1-999999\> add-address-to-group destination-address address-group \<name\> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> add-address-to-group destination-address address-group <name> -``` -- Add source IP address of the connection to a dynamic address group: -```{cfgcmd} set firewall ipv4 [forward | input | output] filter rule \<1-999999\> add-address-to-group source-address address-group \<name\> -``` - -```{cfgcmd} set firewall ipv4 name \<name\> rule \<1-999999\> add-address-to-group source-address address-group <name> -``` - -```{cfgcmd} set firewall ipv6 [forward | input | output] filter rule \<1-999999\> add-address-to-group source-address address-group \<name\> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> add-address-to-group source-address address-group <name> -``` -You can define specific timeouts per rule. When a rule matches, the source or -destination address is added to the group, and the element remains in the group -until the timeout expires. If you do not define a timeout, the element remains -in the group until the next reboot or until you commit firewall configuration -changes. -```{cfgcmd} set firewall ipv4 [forward | input | output] filter rule \<1-999999\> add-address-to-group [destination-address | source-address] timeout <timeout> -``` - -```{cfgcmd} set firewall ipv4 name \<name\> rule \<1-999999\> add-address-to-group [destination-address | source-address] timeout \<timeout\> -``` - -```{cfgcmd} set firewall ipv6 [forward | input | output] filter rule \<1-999999\> add-address-to-group [destination-address | source-address] timeout <timeout> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> add-address-to-group [destination-address | source-address] timeout \<timeout\> -``` -Timeout can be defined using seconds, minutes, hours or days: -```none -set firewall ipv6 name FOO rule 10 add-address-to-group source-address timeout -Possible completions: -<number>s Timeout value in seconds -<number>m Timeout value in minutes -<number>h Timeout value in hours -<number>d Timeout value in days -``` -#### Using Dynamic Firewall Groups -Like other firewall groups, you can use dynamic firewall groups in firewall -rules as matching options. For example: -```none -set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO -set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR -``` -## Examples - -### General example -After you create firewall groups, you can reference them in firewall, NAT, -NAT66, and/or policy-route rules. The following example creates multiple -groups: -```none -set firewall group address-group SERVERS address 198.51.100.101 -set firewall group address-group SERVERS address 198.51.100.102 -set firewall group network-group TRUSTEDv4 network 192.0.2.0/30 -set firewall group network-group TRUSTEDv4 network 203.0.113.128/25 -set firewall group ipv6-network-group TRUSTEDv6 network 2001:db8::/64 -set firewall group interface-group LAN interface eth2.2001 -set firewall group interface-group LAN interface bon0 -set firewall group port-group PORT-SERVERS port http -set firewall group port-group PORT-SERVERS port 443 -set firewall group port-group PORT-SERVERS port 5000-5010 -``` -And next, some configuration example where groups are used: -```none -set firewall ipv4 output filter rule 10 action accept -set firewall ipv4 output filter rule 10 outbound-interface group !LAN -set firewall ipv4 forward filter rule 20 action accept -set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4 -set firewall ipv6 input filter rule 10 action accept -set firewall ipv6 input filter rule 10 source group network-group TRUSTEDv6 -set nat destination rule 101 inbound-interface group LAN -set nat destination rule 101 destination group address-group SERVERS -set nat destination rule 101 protocol tcp -set nat destination rule 101 destination group port-group PORT-SERVERS -set nat destination rule 101 translation address 203.0.113.250 -set policy route PBR rule 201 destination group port-group PORT-SERVERS -set policy route PBR rule 201 protocol tcp -set policy route PBR rule 201 set table 15 -``` -### Port knocking example -You can use dynamic firewall groups with port knocking to secure access to -the router or any other device. The following example shows a 4-step port -knocking configuration: -```none -set firewall global-options state-policy established action 'accept' -set firewall global-options state-policy invalid action 'drop' -set firewall global-options state-policy related action 'accept' -set firewall group dynamic-group address-group ALLOWED -set firewall group dynamic-group address-group PN_01 -set firewall group dynamic-group address-group PN_02 -set firewall ipv4 input filter default-action 'drop' -set firewall ipv4 input filter rule 5 action 'accept' -set firewall ipv4 input filter rule 5 protocol 'icmp' -set firewall ipv4 input filter rule 10 action 'drop' -set firewall ipv4 input filter rule 10 add-address-to-group source-address address-group 'PN_01' -set firewall ipv4 input filter rule 10 add-address-to-group source-address timeout '2m' -set firewall ipv4 input filter rule 10 description 'Port_nock 01' -set firewall ipv4 input filter rule 10 destination port '9990' -set firewall ipv4 input filter rule 10 protocol 'tcp' -set firewall ipv4 input filter rule 20 action 'drop' -set firewall ipv4 input filter rule 20 add-address-to-group source-address address-group 'PN_02' -set firewall ipv4 input filter rule 20 add-address-to-group source-address timeout '3m' -set firewall ipv4 input filter rule 20 description 'Port_nock 02' -set firewall ipv4 input filter rule 20 destination port '9991' -set firewall ipv4 input filter rule 20 protocol 'tcp' -set firewall ipv4 input filter rule 20 source group dynamic-address-group 'PN_01' -set firewall ipv4 input filter rule 30 action 'drop' -set firewall ipv4 input filter rule 30 add-address-to-group source-address address-group 'ALLOWED' -set firewall ipv4 input filter rule 30 add-address-to-group source-address timeout '2h' -set firewall ipv4 input filter rule 30 description 'Port_nock 03' -set firewall ipv4 input filter rule 30 destination port '9992' -set firewall ipv4 input filter rule 30 protocol 'tcp' -set firewall ipv4 input filter rule 30 source group dynamic-address-group 'PN_02' -set firewall ipv4 input filter rule 99 action 'accept' -set firewall ipv4 input filter rule 99 description 'Port_nock 04 - Allow ssh' -set firewall ipv4 input filter rule 99 destination port '22' -set firewall ipv4 input filter rule 99 protocol 'tcp' -set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED' -``` -Before testing, we can check the members of firewall groups: -```none -vyos@vyos# run show firewall group -Firewall Groups - -Name Type References Members Timeout Expires -------- ---------------------- -------------------- ------------- --------- --------- -ALLOWED address_group(dynamic) ipv4-input-filter-30 N/D N/D N/D -PN_01 address_group(dynamic) ipv4-input-filter-10 N/D N/D N/D -PN_02 address_group(dynamic) ipv4-input-filter-20 N/D N/D N/D -[edit] -vyos@vyos# -``` -With this configuration, to gain SSH access to the router, the user must: - -1. Create a new TCP connection to destination port 9990. A new entry is added - to dynamic firewall group `PN_01`. - - ```none - vyos@vyos# run show firewall group - Firewall Groups - - Name Type References Members Timeout Expires - ------- ---------------------- -------------------- ------------- --------- --------- - ALLOWED address_group(dynamic) ipv4-input-filter-30 N/D N/D N/D - PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.89.31 120 119 - PN_02 address_group(dynamic) ipv4-input-filter-20 N/D N/D N/D - [edit] - vyos@vyos# - ``` - -2. Create a new TCP connection to destination port 9991. A new entry is added - to dynamic firewall group `PN_02`. - - ```none - vyos@vyos# run show firewall group - Firewall Groups - - Name Type References Members Timeout Expires - ------- ---------------------- -------------------- ------------- --------- --------- - ALLOWED address_group(dynamic) ipv4-input-filter-30 N/D N/D N/D - PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.89.31 120 106 - PN_02 address_group(dynamic) ipv4-input-filter-20 192.168.89.31 180 179 - [edit] - vyos@vyos# - ``` - -3. Create a new TCP connection to destination port 9992. A new entry is added - to dynamic firewall group `ALLOWED`. - - ```none - vyos@vyos# run show firewall group - Firewall Groups - - Name Type References Members Timeout Expires - ------- ---------------------- -------------------- ------------- --------- --------- - ALLOWED address_group(dynamic) ipv4-input-filter-30 192.168.89.31 7200 7199 - PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.89.31 120 89 - PN_02 address_group(dynamic) ipv4-input-filter-20 192.168.89.31 180 170 - [edit] - vyos@vyos# - ``` - -4. Now you can connect via SSH to the router (assuming SSH is - configured). - -## Operation-mode -```{opcmd} show firewall group -``` - -```{opcmd} show firewall group \<name\> - -Display an overview of defined groups, including the firewall group name, -type, references (where the group is used), members, timeout, and -expiration (the last two only apply to dynamic firewall groups). -``` -Here is an example of such command: -```none -vyos@vyos:~$ show firewall group -Firewall Groups - -Name Type References Members Timeout Expires ------------- ---------------------- ---------------------- ---------------- --------- --------- -SERVERS address_group nat-destination-101 198.51.100.101 - 198.51.100.102 -ALLOWED address_group(dynamic) ipv4-input-filter-30 192.168.77.39 7200 7174 -PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.0.245 120 112 - 192.168.77.39 120 85 -PN_02 address_group(dynamic) ipv4-input-filter-20 192.168.77.39 180 151 -LAN interface_group ipv4-output-filter-10 bon0 - nat-destination-101 eth2.2001 -TRUSTEDv6 ipv6_network_group ipv6-input-filter-10 2001:db8::/64 -TRUSTEDv4 network_group ipv4-forward-filter-20 192.0.2.0/30 - 203.0.113.128/25 -PORT-SERVERS port_group route-PBR-201 443 - route-PBR-201 5000-5010 - nat-destination-101 http -vyos@vyos:~$ -``` diff --git a/docs/configuration/firewall/md-ipv6.md b/docs/configuration/firewall/md-ipv6.md deleted file mode 100644 index bbbaec16..00000000 --- a/docs/configuration/firewall/md-ipv6.md +++ /dev/null @@ -1,1624 +0,0 @@ ---- -lastproofread: '2026-04-01' ---- - -(firewall-ipv6-configuration)= - -# IPv6 Firewall Configuration - -## Overview - -This section covers useful information about IPv6 firewall configuration and -appropriate operation-mode commands. - -This section describes the following configuration commands: - -```{cfgcmd} set firewall ipv6 ... -``` -To learn about the general traffic flow in VyOS firewalls, see {doc}`Firewall </configuration/firewall/index>`. -```none -- set firewall - * ipv6 - - forward - + filter - - input - + filter - - output - + filter - + raw - - prerouting - + raw - - name - + custom_name -``` -The router first receives all traffic and processes it in the **prerouting** -section. - - -This stage includes: - - -- **Firewall Prerouting**: commands found under `set firewall ipv6 - prerouting raw ...` -- {doc}`Conntrack Ignore</configuration/system/conntrack>`: `set system - conntrack ignore ipv6...` -- {doc}`Policy Route</configuration/policy/route>`: commands found under - `set policy route6 ...` -- {doc}`Destination NAT</configuration/nat/nat44>`: commands found under - `set nat66 destination ...` - - -For transit traffic that the router receives and forwards, the base chain is -**forward**. The following diagram shows a simplified packet flow for transit -traffic: - - -:::{figure} /_static/images/firewall-fwd-packet-flow.png -::: - - -Use `set firewall ipv6 forward filter ...` to configure filtering rules for -transit traffic. This command corresponds to stage 5 and is highlighted in red -in the diagram. - - -For traffic destined to the router, use the **input** chain. For traffic the -router generates, use the **output** chain. The following diagram shows the -packet flow for traffic destined to the router and traffic generated by the -router (starting from circle number 6): - - -:::{figure} /_static/images/firewall-input-packet-flow.png -::: - - -Use `set firewall ipv6 input filter ...` to configure traffic destined to -the router. - - -Use `set firewall ipv6 output ...` to configure traffic the router generates. -Two sub-chains are available: **filter** and **raw**: - - -- **Output Prerouting**: `set firewall ipv6 output raw ...`. - As described in **Prerouting**, the firewall processes rules in this - section before the connection tracking subsystem. -- **Output Filter**: `set firewall ipv6 output filter ...`. The firewall - processes rules in this section after the connection tracking subsystem. - - -:::{note} -**Important note about default-actions:** -If you do not define a default action for a base chain, the system sets -the default action to **accept** for that chain. For custom chains, if you -do not define a default action, the system sets the default-action to -**drop** -::: - - -Create custom firewall chains using the commands -`set firewall ipv6 name <name> ...`. To use the custom chain, define a -rule with **action jump** and the appropriate **target** in a base chain. - - -## Firewall - IPv6 Rules - - -Create firewall rules for firewall filtering. Each rule is numbered and has -an action to apply when the rule is matched. You can specify multiple matching -criteria. Packets go through rules from 1 - 999999, so order is crucial. The -firewall executes the action of the first matching rule. - - -### Actions - - -If you define a rule, you must define an action for it. The action tells the -firewall what to do when all criteria for that rule are met. - - -The action can be : - - -- `accept`: accept the packet. -- `continue`: continue parsing next rule. -- `drop`: drop the packet. -- `reject`: reject the packet. -- `jump`: jump to another custom chain. -- `return`: Return from the current chain and continue at the next rule - of the last chain. -- `queue`: Enqueue packet to userspace. -- `synproxy`: synproxy the packet. -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> action [accept | continue | drop | jump | queue | reject | return | synproxy] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> action [accept | continue | drop | jump | queue | reject | return | synproxy] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> action [accept | continue | drop | jump | queue | reject | return] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> action [accept | continue | drop | jump | queue | reject | return] - - -This required setting defines the action of the current rule. If you set -the action to jump, you must also define a jump-target. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> jump-target <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> jump-target <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> jump-target <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> jump-target <text> - - -Use this command only when action is set to ``jump``. Specify the jump -target. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> queue <0-65535> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> queue <0-65535> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> queue <0-65535> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> queue <0-65535> - - -Use this command only when action is set to ``queue``. Specify the queue -target. Queue ranges are also supported. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> queue-options bypass -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> queue-options bypass -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> queue-options bypass -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> queue-options bypass - - -Use this command only when action is set to ``queue``. This command allows -the packet to go through the firewall when no userspace software is connected -to the queue. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> queue-options fanout -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> queue-options fanout -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> queue-options fanout -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> queue-options fanout - - -Use this command only when action is set to ``queue``. This command -distributes packets among multiple queues. -``` -Also, **default-action** is an action that takes place whenever a packet does -not match any rule in its chain. For base chains, possible options for -**default-action** are **accept** or **drop**. -```{cfgcmd} set firewall ipv6 forward filter default-action [accept | drop] -``` - -```{cfgcmd} set firewall ipv6 input filter default-action [accept | drop] -``` - -```{cfgcmd} set firewall ipv6 output filter default-action [accept | drop] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> default-action [accept | drop | jump | queue | reject | return] - - -Set the default action of the rule-set if a packet does not match any rule -criteria. If you set default-action to ``jump``, you must also define -``default-jump-target``. For base chains, you can only set the default -action to ``accept`` or ``drop``. For custom chains, more actions are -available. -``` - -```{cfgcmd} set firewall ipv6 name \<name\> default-jump-target \<text\> - -To be used only when ``default-action`` is set to ``jump``. Use this -command to specify the jump target for the default rule. -``` -:::{note} -**Important note about default-actions:** -If you do not define the default action for a base chain, the system sets -the default action to **accept** for that chain. For custom chains, if you -do not define a default action, the system sets the default-action to -**drop**. -::: - - -### Firewall Logs - - -You can enable logging for each firewall rule. When enabled, you can also -define other log options. -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> log -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> log -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> log -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> log - -Enable logging for matched packets. If this configuration command is not -present, logging is disabled. -``` - -```{cfgcmd} set firewall ipv6 forward filter default-log -``` - -```{cfgcmd} set firewall ipv6 input filter default-log -``` - -```{cfgcmd} set firewall ipv6 output filter default-log -``` - -```{cfgcmd} set firewall ipv6 name \<name\> default-log - -Use this command to enable the logging of the default action on -the specified chain. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> log-options level [emerg | alert | crit | err | warn | notice | info | debug] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> log-options level [emerg | alert | crit | err | warn | notice | info | debug] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> log-options level [emerg | alert | crit | err | warn | notice | info | debug] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> log-options level [emerg | alert | crit | err | warn | notice | info | debug] - - -Define log-level. Only applicable if rule log is enabled. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> log-options group <0-65535> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> log-options group <0-65535> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> log-options group <0-65535> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> log-options group <0-65535> - - -Define the log group to send messages to. Only applicable if rule log is -enabled. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> log-options snapshot-length <0-9000> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> log-options snapshot-length <0-9000> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> log-options snapshot-length <0-9000> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> log-options snapshot-length <0-9000> - - -Define the length of packet payload to include in a netlink message. Only -applicable when rule logging is enabled and log group is defined. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> log-options queue-threshold <0-65535> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> log-options queue-threshold <0-65535> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> log-options queue-threshold <0-65535> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> log-options queue-threshold <0-65535> - - -Define the number of packets to queue inside the kernel before sending them -to userspace. Only applicable when rule logging is enabled and log group is -defined. -``` -### Firewall Description - - -For reference, you can define descriptions on every rule and custom chain. -```{cfgcmd} set firewall ipv6 name \<name\> description \<text\> - -Provide a rule-set description to a custom firewall chain. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> description <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> description <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> description <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> description \<text\> - -Provide a description for each rule. -``` -### Rule Status - - -New rules are enabled by default. In some cases, you may want to disable a -rule rather than remove it. -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> disable -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> disable -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> disable -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> disable - -Command for disabling a rule but keep it in the configuration. -``` -### Matching criteria - - -There are a lot of matching criteria against which the packet can be tested. -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> connection-status nat [destination | source] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> connection-status nat [destination | source] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> connection-status nat [destination | source] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> connection-status nat [destination | source] - - -Match packets based on NAT connection status. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> connection-mark <1-2147483647> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> connection-mark <1-2147483647> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> connection-mark <1-2147483647> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> connection-mark <1-2147483647> - - -Match packets based on connection mark. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source address [address | addressrange | CIDR] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source address [address | addressrange | CIDR] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source address [address | addressrange | CIDR] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source address [address | addressrange | CIDR] -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination address [address | addressrange | CIDR] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination address [address | addressrange | CIDR] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination address [address | addressrange | CIDR] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination address [address | addressrange | CIDR] - - -Match based on source or destination address. This is similar to network -groups, but you can negate the matching addresses here. - - -:::{code-block} none -set firewall ipv6 name FOO rule 100 source address 2001:db8::202 -::: -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source address-mask [address] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source address-mask [address] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source address-mask [address] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source address-mask [address] -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination address-mask [address] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination address-mask [address] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination address-mask [address] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination address-mask [address] - - -Apply an arbitrary netmask to mask addresses and match only a specific -portion. This is useful for IPv6 because rules remain valid when the IPv6 -prefix changes if the host portion of the system's IPv6 address is static. -Examples include SLAAC and [tokenised IPv6 addresses](https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt) - - -This function works for both individual addresses and address groups. - - -% stop_vyoslinter - -:::{code-block} none -# Match any IPv6 address with the suffix ::0000:0000:0000:beef -set firewall ipv6 forward filter rule 100 destination address ::beef -set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff -# Address groups -set firewall group ipv6-address-group WEBSERVERS address ::1000 -set firewall group ipv6-address-group WEBSERVERS address ::2000 -set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS -set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff -::: -% start_vyoslinter -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source fqdn <fqdn> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source fqdn <fqdn> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source fqdn <fqdn> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source fqdn <fqdn> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination fqdn <fqdn> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination fqdn <fqdn> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination fqdn <fqdn> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination fqdn <fqdn> - - -Specify a Fully Qualified Domain Name as source or destination to match. -Ensure that the router can resolve the DNS query. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source geoip country-code <country> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source geoip country-code <country> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source geoip country-code <country> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source geoip country-code <country> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination geoip country-code <country> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination geoip country-code <country> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination geoip country-code <country> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination geoip country-code <country> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source geoip inverse-match -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source geoip inverse-match -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source geoip inverse-match -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source geoip inverse-match -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination geoip inverse-match -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination geoip inverse-match -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination geoip inverse-match -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination geoip inverse-match - - -Match IP addresses based on their geolocation. For more information, see -[GeoIP matching](https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching). -Use inverse-match to match anything except the specified country codes. -``` -DB-IP.com provides data under CC-BY-4.0 license. Attribution is required and -redistribution is permitted, allowing VyOS to include a database in images -(approximately 3 MB compressed). The package includes a cron script that you -can manually call through op-mode update geoip to keep the database and rules -updated. -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source mac-address <mac-address> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source mac-address <mac-address> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source mac-address <mac-address> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source mac-address <mac-address> - - -You can specify only a source MAC address to match. - - -:::{code-block} none -set firewall ipv6 input filter rule 100 source mac-address 00:53:00:11:22:33 -set firewall ipv6 input filter rule 101 source mac-address !00:53:00:aa:12:34 -::: -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source port [1-65535 | portname | start-end] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source port [1-65535 | portname | start-end] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source port [1-65535 | portname | start-end] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source port [1-65535 | portname | start-end] -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination port [1-65535 | portname | start-end] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination port [1-65535 | portname | start-end] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination port [1-65535 | portname | start-end] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination port [1-65535 | portname | start-end] - - -Specify a port by number or by name as defined in ``/etc/services``. - - -:::{code-block} none -set firewall ipv6 forward filter rule 10 source port '22' -set firewall ipv6 forward filter rule 11 source port '!http' -set firewall ipv6 forward filter rule 12 source port 'https' -::: -Multiple source ports can be specified as a comma-separated list. -The whole list can also be "negated" using ``!``. For example: - - -:::{code-block} none -set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338' -::: -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source group address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source group address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source group address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source group address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination group address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination group address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination group address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination group address-group <name | !name> - - -Specify an address group. You can prepend the character ``!`` to invert the -matching criteria. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source group dynamic-address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source group dynamic-address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source group dynamic-address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source group dynamic-address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination group dynamic-address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination group dynamic-address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination group dynamic-address-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination group dynamic-address-group <name | !name> - - -Specify a dynamic address group. You can prepend the character ``!`` to -invert the matching criteria. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source group network-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source group network-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source group network-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source group network-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination group network-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination group network-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination group network-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination group network-group <name | !name> - - -Specify a network group. You can prepend the character ``!`` to invert the -matching criteria. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source group port-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source group port-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source group port-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source group port-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination group port-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination group port-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination group port-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination group port-group <name | !name> - - -Specify a port group. You can prepend the character ``!`` to invert the -matching criteria. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source group domain-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source group domain-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source group domain-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source group domain-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination group domain-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination group domain-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination group domain-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination group domain-group <name | !name> - - -Specify a domain group. You can prepend the character ``!`` to invert the -matching criteria. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> source group mac-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> source group mac-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> source group mac-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> source group mac-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> destination group mac-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> destination group mac-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> destination group mac-group <name | !name> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> destination group mac-group <name | !name> - - -Specify a MAC group. You can prepend the character ``!`` to invert the -matching criteria. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> dscp [0-63 | start-end] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> dscp [0-63 | start-end] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> dscp [0-63 | start-end] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> dscp [0-63 | start-end] -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> dscp-exclude [0-63 | start-end] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> dscp-exclude [0-63 | start-end] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> dscp-exclude [0-63 | start-end] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> dscp-exclude [0-63 | start-end] - - -Match based on dscp value. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> fragment [match-frag | match-non-frag] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> fragment [match-frag | match-non-frag] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> fragment [match-frag | match-non-frag] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> fragment [match-frag | match-non-frag] - - -Match packets based on fragmentation. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> icmpv6 [code | type] <0-255> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> icmpv6 [code | type] <0-255> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> icmpv6 [code | type] <0-255> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> icmpv6 [code | type] <0-255> - - -Match packets based on ICMP or ICMPv6 code and type. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> icmpv6 type-name <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> icmpv6 type-name <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> icmpv6 type-name <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> icmpv6 type-name <text> - - -Match based on ICMPv6 type-name. Press **Tab** for information about -supported **type-name** criteria. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> inbound-interface name <iface> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> inbound-interface name <iface> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> inbound-interface name <iface> - - -Match based on inbound interface. You can use the wildcard ``*``. For -example: ``eth2*``. You can prepend the character ``!`` to invert the -matching criteria. For example ``!eth2`` -``` -:::{note} -If an interface is attached to a non-default VRF, when using -**inbound-interface**, use the VRF name. For example: -`set firewall ipv6 forward filter rule 10 inbound-interface name MGMT` -::: -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> inbound-interface group <iface_group> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> inbound-interface group <iface_group> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> inbound-interface group <iface_group> - - -Match based on the inbound interface group. You can prepend the character -``!`` to invert the matching criteria. For example ``!IFACE_GROUP`` -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> outbound-interface name <iface> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> outbound-interface name <iface> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> outbound-interface name <iface> - - -Match based on outbound interface. You can use the wildcard ``*``. For -example: ``eth2*``. You can prepend the character ``!`` to invert the -matching criteria. For example ``!eth2`` -``` -:::{note} -If an interface is attached to a non-default VRF, when using -**outbound-interface**, use the physical interface name. For example: -`set firewall ipv6 forward filter rule 10 outbound-interface name eth0` -::: -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> outbound-interface group <iface_group> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> outbound-interface group <iface_group> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> outbound-interface group <iface_group> - - -Match based on outbound interface group. You can prepend the character ``!`` -to invert the matching criteria. For example ``!IFACE_GROUP`` -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> ipsec [match-ipsec-in | match-none-in] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> ipsec [match-ipsec-out | match-none-out] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] - - -Match packets based on IPsec. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> limit burst <0-4294967295> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> limit burst <0-4294967295> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> limit burst <0-4294967295> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> limit burst <0-4294967295> - - -Match based on the maximum number of packets allowed to exceed the rate -limit. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> limit rate <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> limit rate <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> limit rate <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> limit rate <text> - - -Match based on the maximum average rate, specified as ``integer/unit``. -For example, specify ``5/minutes``. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> packet-length <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> packet-length <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> packet-length <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> packet-length <text> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> packet-length-exclude <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> packet-length-exclude <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> packet-length-exclude <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> packet-length-exclude <text> - - -Match based on packet length. You can specify multiple values from 1 to -65535 and ranges. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> packet-type [broadcast | host | multicast | other] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> packet-type [broadcast | host | multicast | other] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> packet-type [broadcast | host | multicast | other] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> packet-type [broadcast | host | multicast | other] - - -Match based on packet type. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> protocol [<text> | <0-255> | all | tcp_udp] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> protocol [<text> | <0-255> | all | tcp_udp] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> protocol [<text> | <0-255> | all | tcp_udp] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> protocol [<text> | <0-255> | all | tcp_udp] - - -Match based on protocol number or name as defined in ``/etc/protocols``. -Specify ``all`` for all protocols and ``tcp_udp`` for TCP and UDP packets. -Prepend ``!`` to negate the protocol selection. - - -:::{code-block} none -set firewall ipv6 input filter rule 10 protocol tcp -::: -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> recent count <1-255> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> recent count <1-255> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> recent count <1-255> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> recent count <1-255> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> recent time [second | minute | hour] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> recent time [second | minute | hour] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> recent time [second | minute | hour] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> recent time [second | minute | hour] - - -Match packets based on recently seen sources. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> tcp flags [not] <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> tcp flags [not] <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> tcp flags [not] <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> tcp flags [not] <text> - - -Allowed values for TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, -``rst``, ``syn``, and ``urg``. You can specify multiple values. To invert -the selection, use ``not``, as shown in the following example. - - -:::{code-block} none -set firewall ipv6 input filter rule 10 tcp flags 'ack' -set firewall ipv6 input filter rule 12 tcp flags 'syn' -set firewall ipv6 input filter rule 13 tcp flags not 'fin' -::: -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> state [established | invalid | new | related] -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> state [established | invalid | new | related] -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> state [established | invalid | new | related] -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> state [established | invalid | new | related] - - -Match based on packet state. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> time startdate <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> time startdate <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> time startdate <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> time startdate <text> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> time starttime <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> time starttime <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> time starttime <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> time starttime <text> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> time stopdate <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> time stopdate <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> time stopdate <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> time stopdate <text> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> time stoptime <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> time stoptime <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> time stoptime <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> time stoptime <text> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> time weekdays <text> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> time weekdays <text> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> time weekdays <text> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> time weekdays <text> - - -Match packets based on time criteria. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> hop-limit <eq | gt | lt> <0-255> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> hop-limit <eq | gt | lt> <0-255> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> hop-limit <eq | gt | lt> <0-255> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> hop-limit <eq | gt | lt> <0-255> - - -Match the hop-limit parameter. Use ``eq`` for equal, ``gt`` for greater than, -and ``lt`` for less than. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> recent count <1-255> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> recent count <1-255> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> recent count <1-255> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> recent count <1-255> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> recent time <second | minute | hour> -``` - -```{cfgcmd} set firewall ipv6 input filter rule \<1-999999\> recent time <second | minute | hour> -``` - -```{cfgcmd} set firewall ipv6 output filter rule \<1-999999\> recent time <second | minute | hour> -``` - -```{cfgcmd} set firewall ipv6 name \<name\> rule \<1-999999\> recent time <second | minute | hour> - - -Match when the specified number of connections occur within the specified -time period. Use these criteria to block brute-force attempts. -``` -### Packet Modifications - - -The firewall can modify packets before sending them. -This feature provides more flexibility for packet handling. -```{cfgcmd} set firewall ipv6 prerouting raw rule \<1-999999\> set dscp <0-63> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> set dscp <0-63> -``` - -```{cfgcmd} set firewall ipv6 output [filter | raw] rule \<1-999999\> set dscp <0-63> - - -Set a specific value of Differentiated Services Codepoint (DSCP). -``` - -```{cfgcmd} set firewall ipv6 prerouting raw rule \<1-999999\> set mark <1-2147483647> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> set mark <1-2147483647> -``` - -```{cfgcmd} set firewall ipv6 output [filter | raw] rule \<1-999999\> set mark <1-2147483647> - - -Set a specific packet mark value. -``` - -```{cfgcmd} set firewall ipv6 prerouting raw rule \<1-999999\> set tcp-mss <500-1460> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> set tcp-mss <500-1460> -``` - -```{cfgcmd} set firewall ipv6 output [filter | raw] rule \<1-999999\> set tcp-mss <500-1460> - - -Set the TCP-MSS (TCP maximum segment size) for the connection. -``` - -```{cfgcmd} set firewall ipv6 prerouting raw rule \<1-999999\> set hop-limit <0-255> -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> set hop-limit <0-255> -``` - -```{cfgcmd} set firewall ipv6 output [filter | raw] rule \<1-999999\> set hop-limit <0-255> - - -Set hop limit value. -``` - -```{cfgcmd} set firewall ipv6 forward filter rule \<1-999999\> set connection-mark <0-2147483647> -``` - -```{cfgcmd} set firewall ipv4 output [filter | raw] rule \<1-999999\> set connection-mark <0-2147483647> - - -Set connection mark value. -``` -## Synproxy - - -Synproxy connections -```{cfgcmd} set firewall ipv6 [input | forward] filter rule \<1-999999\> action synproxy -``` - -```{cfgcmd} set firewall ipv6 [input | forward] filter rule \<1-999999\> protocol tcp -``` - -```{cfgcmd} set firewall ipv6 [input | forward] filter rule \<1-999999\> synproxy tcp mss <501-65535> - - - Set the TCP MSS (maximum segment size) for the connection. -``` - -```{cfgcmd} set firewall ipv6 [input | forward] filter rule \<1-999999\> synproxy tcp window-scale <1-14> - - - Set the window scale factor for TCP window scaling. -``` -### Example synproxy - - -Requirements to enable synproxy: - - -- Traffic must be symmetric -- Synproxy relies on syncookies and TCP timestamps, ensure these are enabled -- Disable conntrack loose track option -```none - -set system sysctl parameter net.ipv4.tcp_timestamps value '1' - - -set system conntrack tcp loose disable - -set system conntrack ignore ipv6 rule 10 destination port '8080' - -set system conntrack ignore ipv6 rule 10 protocol 'tcp' - -set system conntrack ignore ipv6 rule 10 tcp flags syn - - -set firewall global-options syn-cookies 'enable' - -set firewall ipv6 input filter rule 10 action 'synproxy' - -set firewall ipv6 input filter rule 10 destination port '8080' - -set firewall ipv6 input filter rule 10 inbound-interface name 'eth1' - -set firewall ipv6 input filter rule 10 protocol 'tcp' - -set firewall ipv6 input filter rule 10 synproxy tcp mss '1460' - -set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7' - -set firewall ipv6 input filter rule 1000 action 'drop' - -set firewall ipv6 input filter rule 1000 state invalid - -``` -## Operation-mode Firewall - - -### Rule-set overview -```{opcmd} show firewall - -Show a basic firewall overview for all rule-sets, not only for IPv6: - - -:::{code-block} none -vyos@vyos:~$ show firewall -Rulesets Information - - ---------------------------------- -IPv4 Firewall "forward filter" - - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- ----------------------------------------- -5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT -10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN -15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN -default accept all - - ---------------------------------- -IPv4 Firewall "name VyOS_MANAGEMENT" - - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- -------------------------------- -5 accept all 0 0 ct state established accept -10 drop all 0 0 ct state invalid -20 accept all 0 0 ip saddr @A_GOOD_GUYS accept -30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept -40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept -50 accept icmp 0 0 meta l4proto icmp accept -default drop all 0 0 - - ---------------------------------- -IPv6 Firewall "forward filter" - - -Rule Action Protocol -------- -------- ---------- -5 jump all -10 jump all -15 jump all -default accept all - - ---------------------------------- -IPv6 Firewall "input filter" - - -Rule Action Protocol -------- -------- ---------- -5 jump all -default accept all - - ---------------------------------- -IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT" - - -Rule Action Protocol -------- -------- ---------- -5 accept all -10 drop all -20 accept all -30 accept all -40 accept all -50 accept ipv6-icmp -default drop all -::: -``` - -```{opcmd} show firewall summary - -This will show you a summary of rule-sets and groups - - -:::{code-block} none -vyos@vyos:~$ show firewall summary -Ruleset Summary - - -IPv6 Ruleset: - - -Ruleset Hook Ruleset Priority Description --------------- -------------------- ------------------------- -forward filter -input filter -ipv6_name IPV6-VyOS_MANAGEMENT -ipv6_name IPV6-WAN_IN PUBLIC_INTERNET - - -IPv4 Ruleset: - - -Ruleset Hook Ruleset Priority Description --------------- ------------------ ------------------------- -forward filter -input filter -name VyOS_MANAGEMENT -name WAN_IN PUBLIC_INTERNET - - -Firewall Groups - - -Name Type References Members ------------------------ ------------------ ----------------------- ---------------- -PBX address_group WAN_IN-100 198.51.100.77 -SERVERS address_group WAN_IN-110 192.0.2.10 -WAN_IN-111 192.0.2.11 -WAN_IN-112 192.0.2.12 -WAN_IN-120 -WAN_IN-121 -WAN_IN-122 -SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 -WAN_IN-20 -PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 -PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 -WAN_IN-171 -PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 -SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 -IPV6-WAN_IN-111 2001:db8::3 -IPV6-WAN_IN-112 2001:db8::4 -IPV6-WAN_IN-120 -IPV6-WAN_IN-121 -IPV6-WAN_IN-122 -SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 -IPV6-WAN_IN-20 -::: -``` - -```{opcmd} show firewall ipv6 [forward | input | output] filter -``` - -```{opcmd} show firewall ipv6 ipv6-name \<name\> - -This command will give an overview of a single rule-set. - - -:::{code-block} none -vyos@vyos:~$ show firewall ipv6 input filter -Ruleset Information - - ---------------------------------- -ipv6 Firewall "input filter" - - -Rule Action Protocol Packets Bytes Conditions -------- -------- ---------- --------- ------- ------------------------------------------------------------------------------ -10 jump all 13 1456 iifname "eth1" jump NAME6_INP-ETH1 -20 accept ipv6-icmp 10 1112 meta l4proto ipv6-icmp iifname "eth0" prefix "[ipv6-INP-filter-20-A]" accept -default accept all 14 1584 - - -vyos@vyos:~$ -::: -``` - -```{opcmd} show firewall ipv6 [forward | input | output] filter rule <1-999999> -``` - -```{opcmd} show firewall ipv6 name \<name\> rule \<1-999999\> -``` - -```{opcmd} show firewall ipv6 ipv6-name \<name\> rule \<1-999999\> - -This command will give an overview of a rule in a single rule-set -``` - -```{opcmd} show firewall group \<name\> - -Show an overview of defined groups, including the type, members, and where -the group is used. - - -:::{code-block} none -vyos@vyos:~$ show firewall group LAN -Firewall Groups - - -Name Type References Members ------------- ------------------ ----------------------- ---------------- -LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64 -IPV6-WAN_IN-30 -LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24 -WAN_IN-30 -::: -``` - -```{opcmd} show firewall statistics - -Show statistics of all rule-sets since the last boot. -``` -### Show Firewall log -```{opcmd} show log firewall -``` - -```{opcmd} show log firewall ipv6 -``` - -```{opcmd} show log firewall ipv6 [forward | input | output | name] -``` - -```{opcmd} show log firewall ipv6 [forward | input | output] filter -``` - -```{opcmd} show log firewall ipv6 name \<name\> -``` - -```{opcmd} show log firewall ipv6 [forward | input | output] filter rule \<rule\> -``` - -```{opcmd} show log firewall ipv6 name \<name\> rule \<rule\> - -Show firewall logs for all firewalls, all IPv6 firewalls, specific hooks, -specific priorities, specific custom chains, or specific rule-sets. -``` -### Example Partial Config -```none -firewall { - ipv6 { - input { - filter { - rule 10 { - action jump - inbound-interface { - name eth1 - } - jump-target INP-ETH1 - } - rule 20 { - action accept - inbound-interface { - name eth0 - } - log - protocol ipv6-icmp - } - } - } - name INP-ETH1 { - default-action drop - default-log - rule 10 { - action accept - protocol tcp_udp - } - } - } -} -``` -### Update geoip database -```{opcmd} update geoip - -Command used to update GeoIP database and firewall sets. -```
\ No newline at end of file diff --git a/docs/configuration/interfaces/md-index.md b/docs/configuration/interfaces/md-index.md deleted file mode 100644 index 9082cd80..00000000 --- a/docs/configuration/interfaces/md-index.md +++ /dev/null @@ -1,26 +0,0 @@ -# Interfaces - -```{toctree} -:includehidden: true -:maxdepth: 1 - -bonding -bridge -dummy -ethernet -geneve -l2tpv3 -loopback -macsec -openvpn -wireguard -pppoe -pseudo-ethernet -sstp-client -tunnel -virtual-ethernet -vti -vxlan -wireless -wwan -``` diff --git a/docs/configuration/loadbalancing/md-index.md b/docs/configuration/loadbalancing/md-index.md deleted file mode 100644 index 3241edb7..00000000 --- a/docs/configuration/loadbalancing/md-index.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -lastproofread: '2026-04-06' ---- - -(load-balancing)= - -# Load-balancing - -```{toctree} -:includehidden: true -:maxdepth: 1 - -wan -haproxy -``` diff --git a/docs/configuration/md-index.md b/docs/configuration/md-index.md deleted file mode 100644 index 3e215502..00000000 --- a/docs/configuration/md-index.md +++ /dev/null @@ -1,23 +0,0 @@ -# Configuration Guide - -The following structure represents the CLI structure. - -```{toctree} -:includehidden: true -:maxdepth: 1 - -container/index -firewall/index -highavailability/index -interfaces/index -loadbalancing/index -nat/index -policy/index -pki/index -protocols/index -service/index -system/index -trafficpolicy/index -vpn/index -vrf/index -``` diff --git a/docs/configuration/nat/md-index.md b/docs/configuration/nat/md-index.md deleted file mode 100644 index 35e5d32b..00000000 --- a/docs/configuration/nat/md-index.md +++ /dev/null @@ -1,13 +0,0 @@ -(nat)= - -# NAT - -```{toctree} -:includehidden: true -:maxdepth: 1 - -nat44 -nat64 -nat66 -cgnat -``` diff --git a/docs/configuration/pki/md-index.md b/docs/configuration/pki/md-index.md deleted file mode 100644 index be59e30f..00000000 --- a/docs/configuration/pki/md-index.md +++ /dev/null @@ -1,551 +0,0 @@ ---- -lastproofread: '2024-01-05' ---- - -```{include} /_include/need_improvement.txt -``` - -(pki)= - -# PKI -VyOS 1.4 changed the way in how encryption keys or certificates are stored on the -system. In the pre VyOS 1.4 era, certificates got stored under /config and every -service referenced a file. That made copying a running configuration from system -A to system B a bit harder, as you had to copy the files and their permissions -by hand. - -{vytask}`T3642` describes a new CLI subsystem that serves as a "certstore" to -all services requiring any kind of encryption key(s). In short, public and -private certificates are now stored in PKCS#8 format in the regular VyOS CLI. -Keys can now be added, edited, and deleted using the regular set/edit/delete -CLI commands. - -VyOS not only can now manage certificates issued by 3rd party Certificate -Authorities, it can also act as a CA on its own. You can create your own root -CA and sign keys with it by making use of some simple op-mode commands. - -Don't be afraid that you need to re-do your configuration. Key transformation is -handled, as always, by our migration scripts, so this will be a smooth transition -for you! - -## Key Generation - -### Certificate Authority (CA) -VyOS now also has the ability to create CAs, keys, Diffie-Hellman and other -keypairs from an easy to access operational level command. -```{opcmd} generate pki ca - -Create a new {abbr}`CA (Certificate Authority)` and output the CAs public and -private key on the console. -``` - -```{opcmd} generate pki ca install \<name\> - -Create a new {abbr}`CA (Certificate Authority)` and output the CAs public and -private key on the console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -```{opcmd} generate pki ca sign \<ca-name\> - -Create a new subordinate {abbr}`CA (Certificate Authority)` and sign it using -the private key referenced by ca-name. -``` - -```{opcmd} generate pki ca sign \<ca-name\> install \<name\> - -Create a new subordinate {abbr}`CA (Certificate Authority)` and sign it using -the private key referenced by `name`. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` -### Certificates -```{opcmd} generate pki certificate - -Create a new public/private keypair and output the certificate on the console. -``` - -```{opcmd} generate pki certificate install \<name\> - -Create a new public/private keypair and output the certificate on the console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -```{opcmd} generate pki certificate self-signed - -Create a new self-signed certificate. The public/private is then shown on the -console. -``` - -```{opcmd} generate pki certificate self-signed install \<name\> - -Create a new self-signed certificate. The public/private is then shown on the -console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` - -```{opcmd} generate pki certificate sign \<ca-name\> - -Create a new public/private keypair which is signed by the CA referenced by -ca-name. The signed certificate is then output to the console. -``` - -```{opcmd} generate pki certificate sign \<ca-name\> install \<name\> - -Create a new public/private keypair which is signed by the CA referenced by -ca-name. The signed certificate is then output to the console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` -### Diffie-Hellman parameters -```{opcmd} generate pki dh - -Generate a new set of {abbr}`DH (Diffie-Hellman)` parameters. The key size -is requested by the CLI and defaults to 2048 bit. - -The generated parameters are then output to the console. -``` - -```{opcmd} generate pki dh install \<name\> - -Generate a new set of {abbr}`DH (Diffie-Hellman)` parameters. The key size -is requested by the CLI and defaults to 2048 bit. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` -### OpenVPN -```{opcmd} generate pki openvpn shared-secret - -Generate a new OpenVPN shared secret. The generated secret is the output to -the console. -``` - -```{opcmd} generate pki openvpn shared-secret install \<name\> - -Generate a new OpenVPN shared secret. The generated secret is the output to -the console. - -:::{note} -In addition to the command above, the output is in a format which can be used -to directly import the key into the VyOS CLI by simply copy-pasting the output -from op-mode into configuration mode. - -``name`` is used for the VyOS CLI command to identify this key. This -key ``name`` is then used in the CLI configuration to reference the key -instance. -::: -``` -### WireGuard -```{opcmd} generate pki wireguard key-pair - -Generate a new WireGuard public/private key portion and output the result to -the console. -``` - -```{opcmd} generate pki wireguard key-pair install \<interface\> - -Generate a new WireGuard public/private key portion and output the result to -the console. - -:::{note} -In addition to the command above, the output is in a format which can -be used to directly import the key into the VyOS CLI by simply copy-pasting -the output from op-mode into configuration mode. - -``interface`` is used for the VyOS CLI command to identify the WireGuard -interface where this private key is to be used. -::: -``` - -```{opcmd} generate pki wireguard preshared-key - -Generate a WireGuard pre-shared secret used for peers to communicate. -``` - -```{opcmd} generate pki wireguard preshared-key install \<peer\> - -Generate a WireGuard pre-shared secret used for peers to communicate. - -:::{note} -In addition to the command above, the output is in a format which can -be used to directly import the key into the VyOS CLI by simply copy-pasting -the output from op-mode into configuration mode. - -``peer`` is used for the VyOS CLI command to identify the WireGuard peer where -this secret is to be used. -::: -``` -## Key usage (CLI) -### CA (Certificate Authority) -```{cfgcmd} set pki ca \<name\> certificate - -Add the public CA certificate for the CA named `name` to the VyOS CLI. - -:::{note} -When loading the certificate you need to manually strip the -``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` tags. -Also, the certificate/key needs to be presented in a single line without -line breaks (``\n``), this can be done using the following shell command: - -``$ tail -n +2 ca.pem | head -n -1 | tr -d '\n'`` -::: -``` - -```{cfgcmd} set pki ca \<name\> crl - -Certificate revocation list in PEM format. -``` - -```{cfgcmd} set pki ca \<name\> description - -A human readable description what this CA is about. -``` - -```{cfgcmd} set pki ca \<name\> private key - -Add the CAs private key to the VyOS CLI. This should never leave the system, -and is only required if you use VyOS as your certificate generator as -mentioned above. - -:::{note} -When loading the certificate you need to manually strip the -``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the -certificate/key needs to be presented in a single line without line -breaks (``\n``), this can be done using the following shell command: - -``$ tail -n +2 ca.key | head -n -1 | tr -d '\n'`` -::: -``` - -```{cfgcmd} set pki ca \<name\> private password-protected - -Mark the CAs private key as password protected. User is asked for the password -when the key is referenced. -``` -### Server Certificate -After we have imported the CA certificate(s) we can now import and add -certificates used by services on this router. -```{cfgcmd} set pki certificate \<name\> certificate - -Add public key portion for the certificate named `name` to the VyOS CLI. - -:::{note} -When loading the certificate you need to manually strip the -``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` tags. -Also, the certificate/key needs to be presented in a single line without -line breaks (``\n``), this can be done using the following shell command: - -``$ tail -n +2 cert.pem | head -n -1 | tr -d '\n'`` -::: -``` - -```{cfgcmd} set pki certificate \<name\> description - -A human readable description what this certificate is about. -``` - -```{cfgcmd} set pki certificate \<name\> private key - -Add the private key portion of this certificate to the CLI. This should never -leave the system as it is used to decrypt the data. - -:::{note} -When loading the certificate you need to manually strip the -``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the -certificate/key needs to be presented in a single line without line -breaks (``\n``), this can be done using the following shell command: - -``$ tail -n +2 cert.key | head -n -1 | tr -d '\n'`` -::: -``` - -```{cfgcmd} set pki certificate \<name\> private password-protected - -Mark the private key as password protected. User is asked for the password -when the key is referenced. -``` - -```{cfgcmd} set pki certificate \<name\> revoke - -If CA is present, this certificate will be included in generated CRLs -``` -### Import files to PKI format -VyOS provides this utility to import existing certificates/key files directly -into PKI from op-mode. Previous to VyOS 1.4, certificates were stored under the -/config folder permanently and will be retained post upgrade. -```{opcmd} import pki ca \<name\> file \<Path to CA certificate file\> - -Import the public CA certificate from the defined file to VyOS CLI. -``` - -```{opcmd} import pki ca \<name\> key-file \<Path to private key file\> - -Import the CAs private key portion to the CLI. This should never leave the -system as it is used to decrypt the data. The key is required if you use -VyOS as your certificate generator. -``` - -```{opcmd} import pki certificate \<name\> file \<path to certificate\> - -Import the certificate from the file to VyOS CLI. -``` - -```{opcmd} import pki certificate \<name\> key-file \<path to private key\> - -Import the private key of the certificate to the VyOS CLI. This should never -leave the system as it is used to decrypt the data. -``` - -```{opcmd} import pki openvpn shared-secret \<name\> file \<path to OpenVPN secret key\> - -Import the OpenVPN shared secret stored in file to the VyOS CLI. -``` -#### ACME -The VyOS PKI subsystem can also be used to automatically retrieve Certificates -using the {abbr}`ACME (Automatic Certificate Management Environment)` protocol. -```{cfgcmd} set pki certificate \<name\> acme domain-name \<name\> - -Domain names to apply, multiple domain-names can be specified. - -This is a mandatory option -``` - -```{cfgcmd} set pki certificate \<name\> acme email \<address\> - -Email used for registration and recovery contact. - -This is a mandatory option -``` - -```{cfgcmd} set pki certificate \<name\> acme listen-address \<address\> - -The address the server listens to during http-01 challenge -``` - -```{cfgcmd} set pki certificate \<name\> acme rsa-key-size \<2048 | 3072 | 4096\> - -Size of the RSA key. - -This options defaults to 2048 -``` - -```{cfgcmd} set pki certificate \<name\> acme url \<url\> - -ACME Directory Resource URI. - -This defaults to https://acme-v02.api.letsencrypt.org/directory - -:::{note} -During initial deployment we recommend using the staging API -of LetsEncrypt to prevent and blacklisting of your system. The API -endpoint is https://acme-staging-v02.api.letsencrypt.org/directory -::: -``` -## Operation -VyOS operational mode commands are not only available for generating keys but -also to display them. -```{opcmd} show pki ca - -Show a list of installed {abbr}`CA (Certificate Authority)` certificates. - -:::{code-block} none -vyos@vyos:~$ show pki ca -Certificate Authorities: -Name Subject Issuer CN Issued Expiry Private Key Parent --------------- ------------------------------------------------------- ----------------- ------------------- ------------------- ------------- -------------- -DST_Root_CA_X3 CN=ISRG Root X1,O=Internet Security Research Group,C=US CN=DST Root CA X3 2021-01-20 19:14:03 2024-09-30 18:14:03 No N/A -R3 CN=R3,O=Let's Encrypt,C=US CN=ISRG Root X1 2020-09-04 00:00:00 2025-09-15 16:00:00 No DST_Root_CA_X3 -vyos_rw CN=VyOS RW CA,O=VyOS,L=Some-City,ST=Some-State,C=GB CN=VyOS RW CA 2021-07-05 13:46:03 2026-07-04 13:46:03 Yes N/A -::: -``` - -```{opcmd} show pki ca \<name\> - -Show only information for specified Certificate Authority. -``` - -```{opcmd} show pki certificate - -Show a list of installed certificates - -:::{code-block} none -vyos@vyos:~$ show pki certificate -Certificates: -Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present ---------- ------ --------------------- ------------- ------------------- ------------------- --------- ------------- ------------- -ac2 Server CN=ac2.vyos.net CN=R3 2021-07-05 07:29:59 2021-10-03 07:29:58 No Yes Yes (R3) -rw_server Server CN=VyOS RW CN=VyOS RW CA 2021-07-05 13:48:02 2022-07-05 13:48:02 No Yes Yes (vyos_rw) -::: -``` - -```{opcmd} show pki certificate \<name\> - -Show only information for specified certificate. -``` - -```{opcmd} show pki crl - -Show a list of installed {abbr}`CRLs (Certificate Revocation List)`. -``` - -```{opcmd} renew certbot - -Manually trigger certificate renewal. This will be done twice a day. -``` -## Examples - -### Create a CA chain and leaf certificates -This configuration generates & installs into the VyOS PKI system a root -certificate authority, alongside two intermediary certificate authorities for -client & server certificates. These CAs are then used to generate a server -certificate for the router, and a client certificate for a user. -- `vyos_root_ca` is the root certificate authority. -- `vyos_client_ca` and `vyos_server_ca` are intermediary certificate authorities, - which are signed by the root CA. -- `vyos_cert` is a leaf server certificate used to identify the VyOS router, - signed by the server intermediary CA. -- `vyos_example_user` is a leaf client certificate used to identify a user, - signed by client intermediary CA. - -First, we create the root certificate authority. -```none -[edit] -vyos@vyos# run generate pki ca install vyos_root_ca -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) VyOS Root CA -Enter how many days certificate will be valid: (Default: 1825) 1825 -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -``` -Secondly, we create the intermediary certificate authorities, which are used to -sign the leaf certificates. -```none -[edit] -vyos@vyos# run generate pki ca sign vyos_root_ca install vyos_server_ca -Do you already have a certificate request? [y/N] n -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) VyOS Intermediary Server CA -Enter how many days certificate will be valid: (Default: 1825) 1095 -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - - -[edit] -vyos@vyos# run generate pki ca sign vyos_root_ca install vyos_client_ca -Do you already have a certificate request? [y/N] n -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) VyOS Intermediary Client CA -Enter how many days certificate will be valid: (Default: 1825) 1095 -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -``` -Lastly, we can create the leaf certificates that devices and users will utilise. -```none -[edit] -vyos@vyos# run generate pki certificate sign vyos_server_ca install vyos_cert -Do you already have a certificate request? [y/N] n -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) vyos.net -Do you want to configure Subject Alternative Names? [y/N] y -Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net -Enter Subject Alternative Names: dns:vyos.net,dns:www.vyos.net -Enter how many days certificate will be valid: (Default: 365) 365 -Enter certificate type: (client, server) (Default: server) server -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - - -[edit] -vyos@vyos# run generate pki certificate sign vyos_client_ca install vyos_example_user -Do you already have a certificate request? [y/N] n -Enter private key type: [rsa, dsa, ec] (Default: rsa) rsa -Enter private key bits: (Default: 2048) 2048 -Enter country code: (Default: GB) GB -Enter state: (Default: Some-State) Some-State -Enter locality: (Default: Some-City) Some-City -Enter organization name: (Default: VyOS) VyOS -Enter common name: (Default: vyos.io) Example User -Do you want to configure Subject Alternative Names? [y/N] y -Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net,rfc822:user@vyos.net -Enter Subject Alternative Names: rfc822:example.user@vyos.net -Enter how many days certificate will be valid: (Default: 365) 365 -Enter certificate type: (client, server) (Default: server) client -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] n -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -``` diff --git a/docs/configuration/policy/md-as-path-list.md b/docs/configuration/policy/md-as-path-list.md deleted file mode 100644 index 1fcece91..00000000 --- a/docs/configuration/policy/md-as-path-list.md +++ /dev/null @@ -1,29 +0,0 @@ -# BGP - AS Path Policy - -VyOS provides policies commands exclusively for BGP traffic filtering and -manipulation: **as-path-list** is one of them. - -## Configuration - -### policy as-path-list - -```{cfgcmd} set policy as-path-list \<text\> - -Create as-path-policy identified by name `<text>`. -``` -```{cfgcmd} set policy as-path-list \<text\> description \<text\> - -Set description for as-path-list policy. -``` -```{cfgcmd} set policy as-path-list \<text\> rule \<1-65535\> action \<permit|deny\> - -Set action to take on entries matching this rule. -``` -```{cfgcmd} set policy as-path-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule. -``` -```{cfgcmd} set policy as-path-list \<text\> rule \<1-65535\> regex \<text\> - -Regular expression to match against an AS path. For example "64501 64502". -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-community-list.md b/docs/configuration/policy/md-community-list.md deleted file mode 100644 index bdcf4140..00000000 --- a/docs/configuration/policy/md-community-list.md +++ /dev/null @@ -1,29 +0,0 @@ -# BGP - Community List - -VyOS provides policies commands exclusively for BGP traffic filtering and -manipulation: **community-list** is one of them. - -## Configuration - -### policy community-list - -```{cfgcmd} set policy community-list \<text\> - -Creat community-list policy identified by name `<text>`. -``` -```{cfgcmd} set policy community-list \<text\> description \<text\> - -Set description for community-list policy. -``` -```{cfgcmd} set policy community-list \<text\> rule \<1-65535\> action \<permit|deny\> - -Set action to take on entries matching this rule. -``` -```{cfgcmd} set policy community-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule. -``` -```{cfgcmd} set policy community-list \<text\> rule \<1-65535\> regex \<aa:nn|local-AS|no-advertise|no-export|additive\> - -Regular expression to match against a community-list. -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-examples.md b/docs/configuration/policy/md-examples.md deleted file mode 100644 index 992aa82c..00000000 --- a/docs/configuration/policy/md-examples.md +++ /dev/null @@ -1,203 +0,0 @@ -# BGP Example - -**Policy definition:** - -```none -# Create policy -set policy route-map setmet rule 2 action 'permit' -set policy route-map setmet rule 2 set as-path prepend '2 2 2' - -# Apply policy to BGP -set protocols bgp system-as 1 -set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast route-map import 'setmet' -set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast soft-reconfiguration 'inbound' -``` - -Using 'soft-reconfiguration' we get the policy update without bouncing the -neighbor. - -**Routes learned before routing policy applied:** - -```none -vyos@vos1:~$ show ip bgp -BGP table version is 0, local router ID is 192.168.56.101 -Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, - r RIB-failure, S Stale, R Removed -Origin codes: i - IGP, e - EGP, ? - incomplete - - Network Next Hop Metric LocPrf Weight Path -*> 198.51.100.3/32 203.0.113.2 1 0 2 i < Path - -Total number of prefixes 1 -``` - -**Routes learned after routing policy applied:** - -```none -vyos@vos1:~$ show ip bgp -BGP table version is 0, local router ID is 192.168.56.101 -Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, - r RIB-failure, S Stale, R Removed -Origin codes: i - IGP, e - EGP, ? - incomplete - - Network Next Hop Metric LocPrf Weight Path -*> 198.51.100.3/32 203.0.113.2 1 0 2 2 2 2 i - -Total number of prefixes 1 -vyos@vos1:~$ -``` - -You now see the longer AS path. - -# Transparent Proxy - -The following example will show how VyOS can be used to redirect web -traffic to an external transparent proxy: - -```none -set policy route FILTER-WEB rule 1000 destination port 80 -set policy route FILTER-WEB rule 1000 protocol tcp -set policy route FILTER-WEB rule 1000 set table 100 -``` - -This creates a route policy called FILTER-WEB with one rule to set the -routing table for matching traffic (TCP port 80) to table ID 100 -instead of the default routing table. - -To create routing table 100 and add a new default gateway to be used by -traffic matching our route policy: - -```none -set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2 -``` - -This can be confirmed using the `show ip route table 100` operational -command. - -Finally, to apply the policy route to ingress traffic on our LAN -interface, we use: - -```none -set policy route FILTER-WEB interface eth1 -``` - -# Multiple Uplinks - -VyOS Policy-Based Routing (PBR) works by matching source IP address -ranges and forwarding the traffic using different routing tables. - -Routing tables that will be used in this example are: - -- `table 10` Routing table used for VLAN 10 (192.168.188.0/24) -- `table 11` Routing table used for VLAN 11 (192.168.189.0/24) -- `main` Routing table used by VyOS and other interfaces not - participating in PBR - -:::{figure} /_static/images/pbr_example_1.png -:alt: PBR multiple uplinks -:scale: 80 % - -Policy-Based Routing with multiple ISP uplinks -(source ./draw.io/pbr_example_1.drawio) -::: - -Add default routes for routing `table 10` and `table 11` - -```none -set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.1.1 -set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2 -``` - -Add policy route matching VLAN source addresses - -```none -set policy route PBR rule 20 set table '10' -set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10' -set policy route PBR rule 20 source address '192.168.188.0/24' - -set policy route PBR rule 30 set table '11' -set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11' -set policy route PBR rule 30 source address '192.168.189.0/24' -``` - -Apply routing policy to **inbound** direction of out VLAN interfaces - -```none -set policy route 'PBR' interface eth0.10 -set policy route 'PBR' interface eth0.11 -``` - -**OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) -from PBR - -```none -set firewall group network-group VLANS-GR description 'VLANs networks' -set firewall group network-group VLANS-GR network '192.168.188.0/24' -set firewall group network-group VLANS-GR network '192.168.189.0/24' - -set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut' -set policy route PBR rule 10 destination group network-group 'VLANS-GR' -set policy route PBR rule 10 set table 'main' -``` - -These commands allow the VLAN10 and VLAN11 hosts to communicate with -each other using the main routing table. - -## Local route - -The following example allows VyOS to use {abbr}`PBR (Policy-Based Routing)` -for traffic, which originated from the router itself. That solution for multiple -ISP's and VyOS router will respond from the same interface that the packet was -received. Also, it used, if we want that one VPN tunnel to be through one -provider, and the second through another. - -- `203.0.113.254` IP addreess on VyOS eth1 from ISP1 -- `192.168.2.254` IP addreess on VyOS eth2 from ISP2 -- `table 10` Routing table used for ISP1 -- `table 11` Routing table used for ISP2 - -```none -set policy local-route rule 101 set table '10' -set policy local-route rule 101 source address '203.0.113.254' -set policy local-route rule 102 set table '11' -set policy local-route rule 102 source address '192.0.2.254' -set protocols static table 10 route 0.0.0.0/0 next-hop '203.0.113.1' -set protocols static table 11 route 0.0.0.0/0 next-hop '192.0.2.2' -``` - -Add multiple source IP in one rule with same priority - -```none -set policy local-route rule 101 set table '10' -set policy local-route rule 101 source address '203.0.113.254' -set policy local-route rule 101 source address '203.0.113.253' -set policy local-route rule 101 source address '198.51.100.0/24' -``` - -# Clamp MSS for a specific IP - -This example shows how to target an MSS clamp (in our example to 1360 bytes) -to a specific destination IP. - -```none -set policy route IP-MSS-CLAMP rule 10 description 'Clamp TCP session MSS to 1360 for 198.51.100.30' -set policy route IP-MSS-CLAMP rule 10 destination address '198.51.100.30/32' -set policy route IP-MSS-CLAMP rule 10 protocol 'tcp' -set policy route IP-MSS-CLAMP rule 10 set tcp-mss '1360' -set policy route IP-MSS-CLAMP rule 10 tcp flags 'SYN' -``` - -To apply this policy to the correct interface, configure it on the -interface the inbound local host will send through to reach our -destined target host (in our example eth1). - -```none -set policy route IP-MSS-CLAMP interface eth1 -``` - -You can view that the policy is being correctly (or incorrectly) utilised -with the following command: - -```none -show policy route statistics -``` diff --git a/docs/configuration/policy/md-extcommunity-list.md b/docs/configuration/policy/md-extcommunity-list.md deleted file mode 100644 index fdfe6210..00000000 --- a/docs/configuration/policy/md-extcommunity-list.md +++ /dev/null @@ -1,32 +0,0 @@ -# BGP - Extended Community List - -VyOS provides policies commands exclusively for BGP traffic filtering and -manipulation: **extcommunity-list** is one of them. - -## Configuration - -### policy extcommunity-list - -```{cfgcmd} set policy extcommunity-list \<text\> - -Creat extcommunity-list policy identified by name \<text\>. -``` -```{cfgcmd} set policy extcommunity-list \<text\> description \<text\> - -Set description for extcommunity-list policy. -``` -```{cfgcmd} set policy extcommunity-list \<text\> rule \<1-65535\> action \<permit|deny\> - -Set action to take on entries matching this rule. -``` -```{cfgcmd} set policy extcommunity-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule. -``` -```{cfgcmd} set policy extcommunity-list \<text\> rule \<1-65535\> regex \<text\> -Regular expression to match against an extended community list, where text -could be: -* \<aa:nn:nn\>: Extended community list regular expression. -* \<rt aa:nn:nn\>: Route Target regular expression. -* \<soo aa:nn:nn\>: Site of Origin regular expression. -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-index.md b/docs/configuration/policy/md-index.md deleted file mode 100644 index 29c9ca87..00000000 --- a/docs/configuration/policy/md-index.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -lastproofread: '2021-07-12' ---- - -```{include} /_include/need_improvement.txt -``` - -# Policy -Policies are used for filtering and traffic management. With policies, network -administrators could filter and treat traffic -according to their needs. - -There could be a wide range of routing policies. Some examples are listed -below: -- Filter traffic based on source/destination address. -- Set some metric to routes learned from a particular neighbor. -- Set some attributes (like AS PATH or Community value) to advertised routes - to neighbors. -- Prefer a specific routing protocol routes over another routing protocol - running on the same router. - -Policies, in VyOS, are implemented using FRR filtering and route maps. Detailed -information of FRR could be found in <http://docs.frrouting.org/> - -## Policy Sections -```{toctree} -:includehidden: true -:maxdepth: 1 - -access-list -prefix-list -route -route-map -local-route -as-path-list -community-list -extcommunity-list -large-community-list -``` -## Examples -Examples of policies usage: -```{toctree} -:includehidden: true -:maxdepth: 1 - -examples -``` diff --git a/docs/configuration/policy/md-large-community-list.md b/docs/configuration/policy/md-large-community-list.md deleted file mode 100644 index 23b9a85a..00000000 --- a/docs/configuration/policy/md-large-community-list.md +++ /dev/null @@ -1,29 +0,0 @@ -# BGP - Large Community List - -VyOS provides policies commands exclusively for BGP traffic filtering and -manipulation: **large-community-list** is one of them. - -## Configuration - -### policy large-community-list - -```{cfgcmd} set policy large-community-list \<text\> - -Create large-community-list policy identified by name `<text>`. -``` -```{cfgcmd} set policy large-community-list \<text\> description \<text\> - -Set description for large-community-list policy. -``` -```{cfgcmd} set policy large-community-list \<text\> rule \<1-65535\> action \<permit|deny\> - -Set action to take on entries matching this rule. -``` -```{cfgcmd} set policy large-community-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule. -``` -```{cfgcmd} set policy large-community-list \<text\> rule \<1-65535\> regex \<aa:nn:nn\> - -Regular expression to match against a large community list. -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-local-route.md b/docs/configuration/policy/md-local-route.md deleted file mode 100644 index 5b2297f7..00000000 --- a/docs/configuration/policy/md-local-route.md +++ /dev/null @@ -1,99 +0,0 @@ -# Local Route Policy - -Policies for local traffic are defined in this section. - -## Configuration - -### Local Route IPv4 - -```{cfgcmd} set policy local-route rule \<1-32765\> set table \<1-200|main\> - -Set the routing table to use for forwarding matching packets. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> set vrf \<vrf|default\> - -Set the VRF to use for forwarding matching packets. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> protocol \<protocol\> - -Match specified protocol (name or number). -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> fwmark \<1-2147483647\> - -Match specified firewall mark (fwmark). -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> source address \<x.x.x.x|x.x.x.x/x\> - -Match specified source address or prefix. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> source port \<1-65535\> - -Match specified source port. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> destination address \<x.x.x.x|x.x.x.x/x\> - -Match specified destination address or prefix. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> destination port \<1-65535\> - -Match specified destination port. -``` - -```{cfgcmd} set policy local-route rule \<1-32765\> inbound-interface \<interface\> - -Match specified inbound interface. -``` - -### Local Route IPv6 - -```{cfgcmd} set policy local-route6 rule \<1-32765\> set table \<1-200|main\> - -Set the routing table to use for forwarding matching packets. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> set vrf \<vrf|default\> - -Set the VRF to use for forwarding matching packets. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> protocol \<protocol\> - -Match specified protocol (name or number). -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> fwmark \<1-2147483647\> - -Match specified firewall mark (fwmark). -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> source address \<h:h:h:h:h:h:h:h|h:h:h:h:h:h:h:h/x\> - -Match specified source address or prefix. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> source port \<1-65535\> - -Match specified source port. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> destination address \<h:h:h:h:h:h:h:h|h:h:h:h:h:h:h:h/x\> - -Match specified destination address or prefix. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> destination port \<1-65535\> - -Match specified destination port. -``` - -```{cfgcmd} set policy local-route6 rule \<1-32765\> inbound-interface \<interface\> - -Match specified inbound interface. -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-prefix-list.md b/docs/configuration/policy/md-prefix-list.md deleted file mode 100644 index 6a3e66e6..00000000 --- a/docs/configuration/policy/md-prefix-list.md +++ /dev/null @@ -1,145 +0,0 @@ -# Prefix List Policy - -Prefix lists provides the most powerful prefix based filtering mechanism. In -addition to access-list functionality, ip prefix-list has prefix length range -specification. - -If no ip prefix list is specified, it acts as permit. If ip prefix list is -defined, and no match is found, default deny is applied. - -Prefix filtering can be done using prefix-list and prefix-list6. - -## Configuration - -### IPv4 Prefix Lists (prefix-list) - -```{cfgcmd} set policy prefix-list \<text\> - -This command creates the new prefix-list policy, identified by `<text>`. -``` - -```{cfgcmd} set policy prefix-list \<text\> description \<text\> - -Set description for the prefix-list policy. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> action \<permit|deny\> - -This command creates a new rule in the prefix-list and defines an action. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> description \<text\> - -Set description for rule in the prefix-list. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> prefix \<x.x.x.x/x\> - -Prefix to match against. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> ge \<0-32\> - -Netmask greater than length. -``` - -```{cfgcmd} set policy prefix-list \<text\> rule \<1-65535\> le \<0-32\> - -Netmask less than length -``` - -### Example: IPv4 Prefix Lists (prefix-list) -This example creates an IPv4 prefix-list named PL4-EXAMPLE-NAME, defines 3 -rules each with 1 prefix, and matches le (less than/equal to) /32. - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 10 action 'permit' - -``` -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 10 le '32' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 10 prefix '192.0.2.0/24' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 20 action 'permit' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 20 le '32' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 20 prefix '198.51.100.0/24' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 30 action 'permit' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 30 le '32' -``` - -```{cfgcmd} set policy prefix-list PL4-EXAMPLE-NAME rule 30 prefix '203.0.113.0/24' -``` -### IPv6 Prefix Lists (prefix-list6) -```{cfgcmd} set policy prefix-list6 \<text\> - -This command creates the new IPv6 prefix-list policy, identified by `<text>`. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> description \<text\> - -Set description for the IPv6 prefix-list policy. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> action \<permit|deny\> - -This command creates a new rule in the IPv6 prefix-list and defines an -action. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> description \<text\> - -Set description for rule in IPv6 prefix-list. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> prefix \<h:h:h:h:h:h:h:h/x\> - -IPv6 prefix. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> ge \<0-128\> - -Netmask greater than length. -``` - -```{cfgcmd} set policy prefix-list6 \<text\> rule \<1-65535\> le \<0-128\> - -Netmask less than length -``` -### Example: IPv6 Prefix Lists (prefix-list6) -This example creates an IPv6 prefix-list6 named PL6-EXAMPLE-NAME, defines 3 -rules each with 1 prefix, and matches le (less than/equal to) /128. -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 10 action 'permit' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 10 le '128' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 10 prefix '2001:db8:0:0::/64' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 20 action 'permit' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 20 le '128' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 20 prefix '2001:db8:0:1::/64' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 30 action 'permit' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 30 le '128' -``` - -```{cfgcmd} set policy prefix-list6 PL6-EXAMPLE-NAME rule 30 prefix '2001:db8:0:2::/64' -```
\ No newline at end of file diff --git a/docs/configuration/policy/md-route.md b/docs/configuration/policy/md-route.md deleted file mode 100644 index 6db28683..00000000 --- a/docs/configuration/policy/md-route.md +++ /dev/null @@ -1,416 +0,0 @@ -# Route and Route6 Policy - -IPv4 route and IPv6 route policies are defined in this section. These route -policies can then be associated to interfaces. - -## Rule-Sets - -A rule-set is a named collection of rules that can be applied to an interface. -Each rule is numbered, has an action to apply if the rule is matched, and the -ability to specify the criteria to match. Data packets go through the rules -from 1 - 999999, at the first match the action of the rule will be executed. - -```{cfgcmd} set policy route \<name\> description \<text\> - -``` -```{cfgcmd} set policy route6 \<name\> description \<text\> - -Provide a rule-set description. -``` - -```{cfgcmd} set policy route \<name\> default-log -``` - -```{cfgcmd} set policy route6 \<name\> default-log - -Option to log packets hitting default-action. -``` - -```{cfgcmd} set policy route \<name\> interface \<interface\> -``` - -```{cfgcmd} set policy route6 \<name\> interface \<interface\> - -Apply routing policy to interface -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> description \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> description \<text\> - -Provide a description for each rule. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> log \<enable|disable\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> log \<enable|disable\> - -Option to enable or disable log matching rule. -``` -### Matching criteria -There are a lot of matching criteria options available, both for -`policy route` and `policy route6`. These options are listed -in this section. -```{cfgcmd} set policy route \<name\> rule \<n\> connection-mark \<1-2147483647\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> connection-mark \<1-2147483647\> - -Set match criteria based on connection mark. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> mark \<match_criteria\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> mark \<match_criteria\> - -Match based on the firewall mark (fwmark), where \<match_criteria\> can be: - * \<0-2147483647\> a single fwmark - * !\<0-2147483647\> everything except a single fwmark - * <start-end> a range of marks - * !<start-end> everything except the range of marks - -:::{note} -When using the ``set table`` or ``set vrf`` commands the mark -settings are ignored and overwritten with a table-specific mark that -is set to 0x7FFFFFFF - the id of the table/VRF. -::: -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> source address \<match_criteria\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> destination address \<match_criteria\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> source address \<match_criteria\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> destination address \<match_criteria\> - -Set match criteria based on source or destination ipv4|ipv6 address, where -<match_criteria> could be: -``` -For ipv4: -: - \<x.x.x.x>: IP address to match. - - \<x.x.x.x/x>: Subnet to match. - - \<x.x.x.x>-\<x.x.x.x>: IP range to match. - - !\<x.x.x.x>: Match everything except the specified address. - - !\<x.x.x.x/x>: Match everything except the specified subnet. - - !\<x.x.x.x>-\<x.x.x.x>: Match everything except the specified range. - -And for ipv6: -: - \<h:h:h:h:h:h:h:h>: IPv6 address to match. - - \<h:h:h:h:h:h:h:h/x>: IPv6 prefix to match. - - \<h:h:h:h:h:h:h:h>-\<h:h:h:h:h:h:h:h>: IPv6 range to match. - - !\<h:h:h:h:h:h:h:h>: Match everything except the specified address. - - !\<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix. - - !\<h:h:h:h:h:h:h:h>-\<h:h:h:h:h:h:h:h>: Match everything except the - specified range. -```{cfgcmd} set policy route \<name\> rule \<n\> source group \<address-group|domain-group|mac-group|network-group|port-group\> \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> destination group \<address-group|domain-group|mac-group|network-group|port-group\> \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> source group \<address-group|domain-group|mac-group|network-group|port-group\> \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> destination group \<address-group|domain-group|mac-group|network-group|port-group\> \<text\> - -Set match criteria based on source or destination groups, where <text> -would be the group name/identifier. Prepend character '!' for inverted -matching criteria. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> destination port \<match_criteria\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> destination port \<match_criteria\> - -Set match criteria based on destination port, where \<match_criteria\> could -be: -* <port name>: Named port (any name in /etc/services, e.g., http). -* \<1-65535\>: Numbered port. -* <start>-<end>: Numbered port range (e.g., 1001-1005). - -Multiple destination ports can be specified as a comma-separated list. The -whole list can also be "negated" using '!'. For example: -'!22,telnet,http,123,1001-1005' -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> disable -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> disable - -Option to disable rule. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> dscp \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> dscp \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> dscp-exclude \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> dscp-exclude \<text\> - -Match based on dscp value criteria. Multiple values from 0 to 63 -and ranges are supported. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> fragment \<match-grag|match-non-frag\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> fragment \<match-grag|match-non-frag\> - -Set IP fragment match, where: -* match-frag: Second and further fragments of fragmented packets. -* match-non-frag: Head fragments or unfragmented packets. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> icmp \<code | type\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> icmpv6 \<code | type\> - -Match based on icmp|icmpv6 code and type. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> icmp type-name \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> icmpv6 type-name \<text\> - -Match based on icmp|icmpv6 type-name criteria. Use tab for information -about what type-name criteria are supported. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> ipsec \<match-ipsec|match-none\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> ipsec \<match-ipsec|match-none\> - -Set IPSec inbound match criterias, where: -* match-ipsec: match inbound IPsec packets. -* match-none: match inbound non-IPsec packets. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> limit burst \<0-4294967295\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> limit burst \<0-4294967295\> - -Set maximum number of packets to alow in excess of rate. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> limit rate \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> limit rate \<text\> - -Set maximum average matching rate. Format for rate: integer/time_unit, where -time_unit could be any one of second, minute, hour or day.For example -1/second implies rule to be matched at an average of once per second. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> protocol \<text | 0-255 | tcp_udp | all \> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> protocol \<text | 0-255 | tcp_udp | all \> - -Match a protocol criteria. A protocol number or a name which is defined in: -``/etc/protocols``. Special names are ``all`` for all protocols and -``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected -protocol. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> packet-length \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> packet-length \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> packet-length-exclude \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> packet-length-exclude \<text\> - -Match based on packet length criteria. Multiple values from 1 to 65535 -and ranges are supported. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> packet-type \[broadcast | host | multicast | other\] -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> packet-type \[broadcast | host | multicast | other\] - -Match based on packet type criteria. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> recent count \<1-255\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> recent count \<1-255\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> recent time \<1-4294967295\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> recent time \<1-4294967295\> - -Set parameters for matching recently seen sources. This match could be used -by seeting count (source address seen more than <1-255> times) and/or time -(source address seen in the last <0-4294967295> seconds). -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> state \<established | invalid | new | related\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> state \<established | invalid | new | related\> - -Set match criteria based on session state. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> tcp flags \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> tcp flags \<text\> - -Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK -FIN RST URG PSH ALL. When specifying more than one flag, flags should be -comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match -packets with the SYN flag set, and the ACK, FIN and RST flags unset. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time monthdays \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time monthdays \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time startdate \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time startdate \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time starttime \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time starttime \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time stopdate \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time stopdate \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time stoptime \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time stoptime \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time weekdays \<text\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time weekdays \<text\> -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> time utc -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> time utc - -Time to match the defined rule. -``` - -```{cfgcmd} set policy route rule \<n\> ttl \<eq | gt | lt\> \<0-255\> - -Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for -'greater than', and 'lt' stands for 'less than'. -``` - -```{cfgcmd} set policy route6 rule \<n\> hop-limit \<eq | gt | lt\> \<0-255\> - -Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for -'greater than', and 'lt' stands for 'less than'. -``` -### Actions -When mathcing all patterns defined in a rule, then different actions can -be made. This includes droping the packet, modifying certain data, or -setting a different routing table. -```{cfgcmd} set policy route \<name\> rule \<n\> action drop -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> action drop - -Set rule action to drop. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set connection-mark \<1-2147483647\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set connection-mark \<1-2147483647\> - -Set a specific connection mark. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set dscp \<0-63\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set dscp \<0-63\> - -Set packet modifications: Packet Differentiated Services Codepoint (DSCP) -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set mark \<1-2147483647\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set mark \<1-2147483647\> - -Set a specific packet mark. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set table \<main | 1-200\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set table \<main | 1-200\> - -Set the routing table to forward packet with. - -:::{note} -When using the ``set table`` or ``set vrf`` commands matching -against the mark is not possible, because it gets overwritten with a -table-specific mark that is 0x7FFFFFFF - the id of the table/VRF. -::: -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set tcp-mss \<500-1460\> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set tcp-mss \<500-1460\> - -Set packet modifications: Explicitly set TCP Maximum segment size value. -``` - -```{cfgcmd} set policy route \<name\> rule \<n\> set vrf \<default | text \> -``` - -```{cfgcmd} set policy route6 \<name\> rule \<n\> set vrf \<default | text \> - -Set the VRF to forward packet with. - -:::{note} -When using the ``set table`` or ``set vrf`` commands matching -against the mark is not possible, because it gets overwritten with a -table-specific mark that is 0x7FFFFFFF - the id of the table/VRF. -::: -```
\ No newline at end of file diff --git a/docs/configuration/protocols/md-index.md b/docs/configuration/protocols/md-index.md deleted file mode 100644 index 5f190ce1..00000000 --- a/docs/configuration/protocols/md-index.md +++ /dev/null @@ -1,25 +0,0 @@ -# Protocols - -```{toctree} -:includehidden: true -:maxdepth: 1 - -arp -babel -bfd -bgp -failover -igmp-proxy -isis -mpls -multicast -segment-routing -traffic-engineering -openfabric -ospf -pim -pim6 -rip -rpki -static -``` diff --git a/docs/configuration/service/md-index.md b/docs/configuration/service/md-index.md deleted file mode 100644 index 4018c5be..00000000 --- a/docs/configuration/service/md-index.md +++ /dev/null @@ -1,29 +0,0 @@ -# Service - -```{toctree} -:includehidden: true -:maxdepth: 1 - -broadcast-relay -config-sync -conntrack-sync -console-server -dhcp-relay -dhcp-server -dns -eventhandler -https -ipoe-server -lldp -mdns -monitoring -ntp -pppoe-server -router-advert -salt-minion -snmp -ssh -tftp-server -webproxy -suricata -``` diff --git a/docs/configuration/service/md-salt-minion.md b/docs/configuration/service/md-salt-minion.md deleted file mode 100644 index d7aa7664..00000000 --- a/docs/configuration/service/md-salt-minion.md +++ /dev/null @@ -1,50 +0,0 @@ -(saltminion)= - -# Salt-Minion - -[SaltStack] is Python-based, open-source -software for event-driven IT automation, remote task execution, and -configuration management. Supporting the "infrastructure as code" -approach to data center system and network deployment and management, -configuration automation, SecOps orchestration, vulnerability remediation, -and hybrid cloud control. - -## Requirements - -To use the Salt-Minion, a running Salt-Master is required. You can find more -in the [Salt Project Documentation](https://docs.saltproject.io/en/latest/contents.html) - -## Configuration - -```{cfgcmd} set service salt-minion hash \<type\> - - The hash type used when discovering file on master server (default: sha256) -``` - - -```{cfgcmd} set service salt-minion id \<id\> - -Explicitly declare ID for this minion to use (default: hostname) -``` - - -```{cfgcmd} set service salt-minion interval \<1-1440\> - -Interval in minutes between updates (default: 60) -``` - - -```{cfgcmd} set service salt-minion master \<hostname | IP\> - -The hostname or IP address of the master -``` - - -```{cfgcmd} set service salt-minion master-key \<key\> - -URL with signature of master for auth reply verification -``` -Please take a look in the Automation section to find some usefull -Examples. - -[saltstack]: https://saltproject.io/ diff --git a/docs/configuration/service/md-snmp.md b/docs/configuration/service/md-snmp.md deleted file mode 100644 index 6a5a66e5..00000000 --- a/docs/configuration/service/md-snmp.md +++ /dev/null @@ -1,255 +0,0 @@ -(snmp)= - -# SNMP - -{abbr}`SNMP (Simple Network Management Protocol)` is an Internet Standard -protocol for collecting and organizing information about managed devices on -IP networks and for modifying that information to change device behavior. -Devices that typically support SNMP include cable modems, routers, switches, -servers, workstations, printers, and more. - -SNMP is widely used in network management for network monitoring. SNMP exposes -management data in the form of variables on the managed systems organized in -a management information base ([MIB]) which describe the system status and -configuration. These variables can then be remotely queried (and, in some -circumstances, manipulated) by managing applications. - -Three significant versions of SNMP have been developed and deployed. SNMPv1 is -the original version of the protocol. More recent versions, SNMPv2c and SNMPv3, -feature improvements in performance, flexibility and security. - -SNMP is a component of the Internet Protocol Suite as defined by the Internet -Engineering Task Force (IETF). It consists of a set of standards for network -management, including an application layer protocol, a database schema, and a -set of data objects. - -## Overview and basic concepts - -In typical uses of SNMP, one or more administrative computers called managers -have the task of monitoring or managing a group of hosts or devices on a -computer network. Each managed system executes a software component called an -agent which reports information via SNMP to the manager. - -An SNMP-managed network consists of three key components: - -- Managed devices -- Agent - software which runs on managed devices -- Network management station (NMS) - software which runs on the manager - -A managed device is a network node that implements an SNMP interface that -allows unidirectional (read-only) or bidirectional (read and write) access to -node-specific information. Managed devices exchange node-specific information -with the NMSs. Sometimes called network elements, the managed devices can be -any type of device, including, but not limited to, routers, access servers, -switches, cable modems, bridges, hubs, IP telephones, IP video cameras, -computer hosts, and printers. - -An agent is a network-management software module that resides on a managed -device. An agent has local knowledge of management information and translates -that information to or from an SNMP-specific form. - -A network management station executes applications that monitor and control -managed devices. NMSs provide the bulk of the processing and memory resources -required for network management. One or more NMSs may exist on any managed -network. - -:::{figure} /_static/images/service_snmp_communication_principles_diagram.png -:alt: Principle of SNMP Communication -:scale: 20 % - -Image thankfully borrowed from -<https://en.wikipedia.org/wiki/File:SNMP_communication_principles_diagram.PNG> -which is under the GNU Free Documentation License -::: - -:::{note} -VyOS SNMP supports both IPv4 and IPv6. -::: - -## SNMP Protocol Versions - -VyOS itself supports [SNMPv2] (version 2) and [SNMPv3] (version 3) where the -later is recommended because of improved security (optional authentication and -encryption). - -### SNMPv2 - -SNMPv2 is the original and most commonly used version. For authorizing clients, -SNMP uses the concept of communities. Communities may have authorization set -to read only (this is most common) or to read and write (this option is not -actively used in VyOS). - -SNMP can work synchronously or asynchronously. In synchronous communication, -the monitoring system queries the router periodically. In asynchronous, the -router sends notification to the "trap" (the monitoring host). - -SNMPv2 does not support any authentication mechanisms, other than client source -address, so you should specify addresses of clients allowed to monitor the -router. Note that SNMPv2 also supports no encryption and always sends data in -plain text. - -#### Example - -```none -# Define a community -set service snmp community routers authorization ro - -# Allow monitoring access from the entire network -set service snmp community routers network 192.0.2.0/24 -set service snmp community routers network 2001::db8:ffff:eeee::/64 - -# Allow monitoring access from specific addresses -set service snmp community routers client 203.0.113.10 -set service snmp community routers client 203.0.113.20 - -# Define optional router information -set service snmp location "UK, London" -set service snmp contact "admin@example.com" - -# Trap target if you want asynchronous communication -set service snmp trap-target 203.0.113.10 - -# Listen only on specific IP addresses (port defaults to 161) -set service snmp listen-address 172.16.254.36 port 161 -set service snmp listen-address 2001:db8::f00::1 -``` - -### SNMPv3 - -SNMPv3 (version 3 of the SNMP protocol) introduced a whole slew of new security -related features that have been missing from the previous versions. Security -was one of the biggest weakness of SNMP until v3. Authentication in SNMP -Versions 1 and 2 amounts to nothing more than a password (community string) -sent in clear text between a manager and agent. Each SNMPv3 message contains -security parameters which are encoded as an octet string. The meaning of these -security parameters depends on the security model being used. - -The security approach in SNMPv3 targets: - -- Confidentiality – Encryption of packets to prevent snooping by an - unauthorized source. -- Integrity – Message integrity to ensure that a packet has not been tampered - while in transit including an optional packet replay protection mechanism. -- Authentication – to verify that the message is from a valid source. - -(snmp-v3-example)= - -#### Example - -- Let SNMP daemon listen only on IP address 192.0.2.1 -- Configure new SNMP user named "vyos" with password "vyos12345678" -- New user will use SHA/AES for authentication and privacy - -```none -set service snmp listen-address 192.0.2.1 -set service snmp location 'VyOS Datacenter' -set service snmp v3 engineid '000000000000000000000002' -set service snmp v3 group default mode 'ro' -set service snmp v3 group default view 'default' -set service snmp v3 user vyos auth plaintext-password 'vyos12345678' -set service snmp v3 user vyos auth type 'sha' -set service snmp v3 user vyos group 'default' -set service snmp v3 user vyos privacy plaintext-password 'vyos12345678' -set service snmp v3 user vyos privacy type 'aes' -set service snmp v3 view default oid 1 -``` - -After commit the plaintext passwords will be hashed and stored in your -configuration. The resulting CLI config will look like: - -```none -vyos@vyos# show service snmp - listen-address 192.0.2.1 { - } - location "VyOS Datacenter" - v3 { - engineid 000000000000000000000002 - group default { - mode ro - view default - } - user vyos { - auth { - encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe - type sha - } - group default - privacy { - encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe - type aes - } - } - view default { - oid 1 { - } - } - } -``` - -You can test the SNMPv3 functionality from any linux based system, just run the -following command: `snmpwalk -v 3 -u vyos -a SHA -A vyos12345678 -x AES --X vyos12345678 -l authPriv 192.0.2.1 .1` - -## VyOS MIBs - -All SNMP MIBs are located in each image of VyOS here: `/usr/share/snmp/mibs/` - -You are be able to download the files using SCP, once the SSH service -has been activated like so - -```none -scp -r vyos@your_router:/usr/share/snmp/mibs /your_folder/mibs -``` - -## SNMP Extensions - -To extend SNMP agent functionality, custom scripts can be executed every time -the agent is being called. This can be achieved by using -`arbitrary extensioncommands`. The first step is to create a functional -script of course, then upload it to your VyOS instance via the command -`scp your_script.sh vyos@your_router:/config/user-data`. -Once the script is uploaded, it needs to be configured via the command below. - -```none -set service snmp script-extensions extension-name my-extension script your_script.sh -commit -``` - -The OID `.1.3.6.1.4.1.8072.1.3.2.3.1.1.4.116.101.115.116`, once called, will -contain the output of the extension. - -```none -root@vyos:/home/vyos# snmpwalk -v2c -c public 127.0.0.1 nsExtendOutput1 -NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."my-extension" = STRING: hello -NET-SNMP-EXTEND-MIB::nsExtendOutputFull."my-extension" = STRING: hello -NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."my-extension" = INTEGER: 1 -NET-SNMP-EXTEND-MIB::nsExtendResult."my-extension" = INTEGER: 0 -``` - -## SolarWinds - -If you happen to use SolarWinds Orion as NMS you can also use the Device -Templates Management. A template for VyOS can be easily imported. - -Create a file named `VyOS-1.3.6.1.4.1.44641.ConfigMgmt-Commands` using the -following content: - -```none -<Configuration-Management Device="VyOS" SystemOID="1.3.6.1.4.1.44641"> - <Commands> - <Command Name="Reset" Value="set terminal width 0${CRLF}set terminal length 0"/> - <Command Name="Reboot" Value="reboot${CRLF}Yes"/> - <Command Name="EnterConfigMode" Value="configure"/> - <Command Name="ExitConfigMode" Value="commit${CRLF}exit"/> - <Command Name="DownloadConfig" Value="show configuration commands"/> - <Command Name="SaveConfig" Value="commit${CRLF}save"/> - <Command Name="Version" Value="show version"/> - <Command Name="MenuBased" Value="False"/> - <Command Name="VirtualPrompt" Value=":~"/> - </Commands> -</Configuration-Management> -``` - -[mib]: https://en.wikipedia.org/wiki/Management_information_base -[snmpv2]: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_2 -[snmpv3]: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_3 diff --git a/docs/configuration/system/md-index.md b/docs/configuration/system/md-index.md deleted file mode 100644 index e0b8a5a1..00000000 --- a/docs/configuration/system/md-index.md +++ /dev/null @@ -1,34 +0,0 @@ -# System - -```{toctree} -:includehidden: true -:maxdepth: 1 - -acceleration -conntrack -console -flow-accounting -frr -host-name -ip -ipv6 -lcd -login -name-server -option -proxy -sflow -syslog -sysctl -task-scheduler -time-zone -updates -watchdog -``` - -```{toctree} -:includehidden: true -:maxdepth: 1 - -default-route -``` diff --git a/docs/configuration/system/md-sysctl.md b/docs/configuration/system/md-sysctl.md deleted file mode 100644 index 90434fb2..00000000 --- a/docs/configuration/system/md-sysctl.md +++ /dev/null @@ -1,16 +0,0 @@ -(sysctl)= - -# Sysctl - -:::{note} -This page is a stub and needs expansion. Contributions -welcome via the [VyOS documentation repository](https://github.com/vyos/vyos-documentation). -::: - -This chapter describes how to configure kernel parameters at runtime. - -`sysctl` is used to modify kernel parameters at runtime. The parameters -available are those listed under /proc/sys/. - -```{cfgcmd} set system sysctl parameter \<parameter\> value \<value\> -```
\ No newline at end of file diff --git a/docs/configuration/system/md-updates.md b/docs/configuration/system/md-updates.md deleted file mode 100644 index 8734788f..00000000 --- a/docs/configuration/system/md-updates.md +++ /dev/null @@ -1,35 +0,0 @@ -# Updates - -VyOS supports online checking for updates - -## Configuration - -```{cfgcmd} set system update-check auto-check - -Configure auto-checking for new images -``` - -```{cfgcmd} set system update-check url \<url\> - -Configure a URL that contains information about images. -``` - -## Example - -```none -set system update-check auto-check -set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json' -``` - -Check: - -```none -vyos@r4:~$ show system updates -Current version: 1.5-rolling-202312220023 - -Update available: 1.5-rolling-202312250024 -Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso -vyos@r4:~$ - -vyos@r4:~$ add system image latest -``` diff --git a/docs/configuration/vpn/ipsec/md-index.md b/docs/configuration/vpn/ipsec/md-index.md deleted file mode 100644 index cc40b6f8..00000000 --- a/docs/configuration/vpn/ipsec/md-index.md +++ /dev/null @@ -1,11 +0,0 @@ -# IPsec - -```{toctree} -:includehidden: true -:maxdepth: 1 - -ipsec_general -site2site_ipsec -remoteaccess_ipsec -troubleshooting_ipsec -``` diff --git a/docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md b/docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md deleted file mode 100644 index de553aec..00000000 --- a/docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md +++ /dev/null @@ -1,181 +0,0 @@ -(remoteaccess-ipsec)= - -# IPSec IKEv2 Remote Access VPN - -```{todo} -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. -``` - -Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, -that establishes a secure VPN communication between VPN devices, and defines -negotiation and authentication processes for IPsec security associations (SAs). -It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors -as others call it. - -Key exchange and payload encryption is done using IKE and ESP proposals as known -from IKEv1 but the connections are faster to establish, more reliable, and also -support roaming from IP to IP (called MOBIKE which makes sure your connection -does not drop when changing networks from e.g. WIFI to LTE and back). -Authentication can be achieved with X.509 certificates. - -## Setting up certificates: -First of all, we need to create a CA root certificate and server certificate -on the server side. - -```none -vyos@vpn.vyos.net# run generate pki ca install ca_root -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Enter country code: (Default: GB) -Enter state: (Default: Some-State) -Enter locality: (Default: Some-City) -Enter organization name: (Default: VyOS) -Enter common name: (Default: vyos.io) -Enter how many days certificate will be valid: (Default: 1825) -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] N -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. -[edit] - - -vyos@vpn.vyos.net# comp -[pki ca] -+ ca_root { -+ certificate "MIIDnTCCAoWgAwI…." -+ private { -+ key "MIIEvAIBADANBgkqhkiG9….” - -vyos@vpn.vyos.net# run generate pki certificate sign ca_root install server_cert -Do you already have a certificate request? [y/N] N -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Enter country code: (Default: GB) -Enter state: (Default: Some-State) -Enter locality: (Default: Some-City) -Enter organization name: (Default: VyOS) -Enter common name: (Default: vyos.io) vpn.vyos.net -Do you want to configure Subject Alternative Names? [y/N] N -Enter how many days certificate will be valid: (Default: 365) -Enter certificate type: (client, server) (Default: server) -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] N -2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. - -vyos@vpn.vyos.net# comp -[pki certificate] -+ server_cert { -+ certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………" -+ private { -+ key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….." -+ } -+ } -``` - -Once the command is completed, it will add the certificate to the configuration -session, to the pki subtree. You can then review the proposed changes and -commit them. - -## Setting up IPSec: -After the PKI certs are all set up we can start configuring our IPSec/IKE -proposals used for key-exchange end data encryption. The used encryption ciphers -and integrity algorithms vary from operating system to operating system. The -ones used in this example are validated to work on Windows 10. - -```none -set vpn ipsec esp-group ESP-RW lifetime '3600' -set vpn ipsec esp-group ESP-RW pfs 'disable' -set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' -set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' - -set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' -set vpn ipsec ike-group IKE-RW lifetime '7200' -set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' -set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' -set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' -``` - -Every connection/remote-access pool we configure also needs a pool where we -can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. -Authorized clients will receive an IPv4 address from the configured IPv4 prefix -and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers -down to our clients used on their connection. - -```none -set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' -set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' - -set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' -set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' -``` - -## Setting up tunnel: - -```none -set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1' -set vpn ipsec remote-access connection rw authentication server-mode 'x509' -set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root' -set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert' -set vpn ipsec remote-access connection rw esp-group 'ESP-RW' -set vpn ipsec remote-access connection rw ike-group 'IKE-RW' -set vpn ipsec remote-access connection rw local-address '192.0.2.1' -set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' -set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' -``` - -VyOS also supports two different modes of authentication, local and RADIUS. -To create a new local user named "vyos" with a password of "vyos" use the -following commands. - -```none -set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' -set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' -``` - -Some client operating systems like to see the servers certificate. The following -option causes the server to voluntarily send its certificate, even if it wasn't -requested. - -```none -set vpn ipsec remote-access connection rw authentication always-send-cert -``` - -## Client Configuration -Most operating systems include native client support for IPsec IKEv2 VPN -connections, and others typically have an app or add-on package which adds the -capability. -This section covers IPsec IKEv2 client configuration for Windows 10. - -VyOS provides a command to generate a connection profile used by Windows clients -that will connect to the "rw" connection on our VyOS server. - -:::{note} -Windows expects the server name to be also used in the server's -certificate common name, so it's best to use this DNS name for your VPN -connection. -::: - -```none -vyos@vpn.vyos.net:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net - - -==== <snip> ==== -Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" - -Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants -GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force -==== </snip> ==== -``` - -Add the commands from Snippet in the Windows side via PowerShell. -Also import the root CA cert to the Windows “Trusted Root Certification -Authorities” and establish the connection. - -## Verification: - -```none -vyos@vpn.vyos.net:~$ show vpn ipsec remote-access summary - Connection ID Username Protocol State Uptime Tunnel IP Remote Host Remote ID IKE Proposal IPSec Proposal ---------------- ---------- ---------- ------- -------- ----------- ------------- ----------- ------------------------------------------ ------------------ - 5 vyos IKEv2 UP 37s 192.0.2.129 10.0.0.2 10.0.0.2 AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048 ESP:AES_GCM_16-128 -``` diff --git a/docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md b/docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md deleted file mode 100644 index 2dfd3fec..00000000 --- a/docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md +++ /dev/null @@ -1,302 +0,0 @@ -(troubleshooting-ipsec)= - -# Troubleshooting Site-to-Site VPN IPsec - -```{todo} -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. -``` - -## Introduction -This document describes the methodology to monitor and troubleshoot -Site-to-Site VPN IPsec. - -Steps for troubleshooting problems with Site-to-Site VPN IPsec: -: 1. Ping the remote site through the tunnel using the source and - destination IPs included in the policy. - 2. Check connectivity between the routers using the ping command - (if ICMP traffic is allowed). - 3. Check the IKE SAs' statuses. - 4. Check the IPsec SAs' statuses. - 5. Check logs to view debug messages. - -## Checking IKE SA Status -The next command shows IKE SAs' statuses. - -```none -vyos@vyos:~$ show vpn ike sa - -Peer ID / IP Local ID / IP ------------- ------------- -192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 - - State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time - ----- ------ ------- ---- --------- ----- ------ ------ - up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023 -``` - -This command shows the next information: -: - IKE SA status. - - Selected IKE version. - - Selected Encryption, Hash and Diffie-Hellman Group. - - NAT-T. - - ID and IP of both peers. - - A-Time: established time, L-Time: time for next rekeying. - -## IPsec SA (CHILD SA) Status -The next commands show IPsec SAs' statuses. - -```none -vyos@vyos:~$ show vpn ipsec sa -Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal -------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- -PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048 -``` - -```none -vyos@vyos:~$ show vpn ipsec sa detail -PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r - local '192.168.0.1' @ 192.168.0.1[4500] - remote '192.168.1.2' @ 192.168.1.2[4500] - AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 - established 4054s ago, rekeying in 23131s - PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048 - installed 1065s ago, rekeying in 1998s, expires in 2535s - in c5821882, 168 bytes, 2 packets, 81s ago - out c433406a, 168 bytes, 2 packets, 81s ago - local 10.0.0.0/24 - remote 10.0.1.0/24 -``` - -These commands show the next information: -: - IPsec SA status. - - Uptime and time for the next rekeing. - - Amount of transferred data. - - Remote and local ID and IP. - - Selected Encryption, Hash and Diffie-Hellman Group. - - Mode (tunnel or transport). - - Remote and local prefixes which are use for policy. - -There is a possibility to view the summarized information of SAs' status - -```none -vyos@vyos:~$ show vpn ipsec connections -Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal -------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ---------------------------------- -PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 -PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 -``` - -## Viewing Logs for Debugging -If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity -using logs `show log ipsec` - -The next example of the successful IPsec connection initialization. - -```none -vyos@vyos:~$ show log ipsec -Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) -Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] -Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) -Jun 20 14:29:47 charon[2428]: 02[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] -Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key -Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key -Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1} -Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1} -Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] -Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] -Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) -Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) -Jun 20 14:29:47 charon[2428]: 13[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) -Jun 20 14:29:47 charon[2428]: 13[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] -Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful -Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> peer supports MOBIKE -Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] -Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> scheduling rekeying in 27703s -Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> maximum IKE_SA lifetime 30583s -Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s -Jun 20 14:29:47 charon[2428]: 13[CFG] <PEER|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ -Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s -Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ -Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 -Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 -``` - -## Troubleshooting Examples - -### IKE PROPOSAL are Different -In this situation, IKE SAs can be down or not active. - -```none -vyos@vyos:~$ show vpn ike sa -``` - -The problem is in IKE phase (Phase 1). The next step is checking debug logs. - -Responder Side: - -```none -Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable -Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable -Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] -``` - -Initiator side: - -```none -Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] -Jun 23 07:36:32 charon[2444]: 14[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify error -Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error -``` - -The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch. -On the Responder side there is concrete information where is mismatch. -Encryption **AES_CBC_128** is configured in IKE policy on the responder -but **AES_CBC_256** is configured on the initiator side. - -### PSK Secret Mismatch -In this situation, IKE SAs can be down or not active. - -```none -vyos@vyos:~$ show vpn ike sa -``` - -The problem is in IKE phase (Phase 1). The next step is checking debug logs. - -Responder: - -```none -Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched -Jun 23 08:07:26 charon[2440]: 13[ENC] <PEER|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] -``` - -Initiator side: - -```none -Jun 23 08:07:24 charon[2436]: 12[ENC] <PEER|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] -Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] -Jun 23 08:07:24 charon[2436]: 12[IKE] <PEER|1> received AUTHENTICATION_FAILED notify error -Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error -``` - -The notification **AUTHENTICATION_FAILED** means that the authentication -is failed. There is a reason to check PSK on both side. - -### ESP Proposal Mismatch -The output of **show** commands shows us that IKE SA is established but -IPSec SA is not. - -```none -vyos@vyos:~$ show vpn ike sa -Peer ID / IP Local ID / IP ------------- ------------- -192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 - - State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time - ----- ------ ------- ---- --------- ----- ------ ------ - up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817 -``` - -```none -vyos@vyos:~$ show vpn ipsec sa -Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal ------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------- -``` - -The next step is checking debug logs. - -Initiator side: - -```none -Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) -Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] -Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) -Jun 23 08:16:10 charon[3789]: 13[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] -Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 -Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key -Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key -Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1} -Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1} -Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] -Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] -Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) -Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) -Jun 23 08:16:10 charon[3789]: 09[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) -Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) -Jun 23 08:16:10 charon[3789]: 09[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] -Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful -Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> peer supports MOBIKE -Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] -Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> scheduling rekeying in 26975s -Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> maximum IKE_SA lifetime 29855s -Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built -Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built -Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA -Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA -``` - -There are messages: **NO_PROPOSAL_CHOSEN** and -**failed to establish CHILD_SA** which refers that the problem is in -the IPsec(ESP) proposal mismatch. - -The reason of this problem is showed on the responder side. - -```none -Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ -Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ -Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ -Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ -Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> no acceptable proposal found -Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found -Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> failed to establish CHILD_SA, keeping IKE_SA -``` - -Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256** -is configured on the initiator side. - -### Prefixes in Policies Mismatch -As in previous situation, IKE SA is in up state but IPsec SA is not up. -According to logs we can see **TS_UNACCEPTABLE** notification. It means -that prefixes (traffic selectors) mismatch on both sides - -Initiator: - -```none -Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> received TS_UNACCEPTABLE notify, no CHILD_SA built -Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s -Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA -Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built -Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA -``` - -The reason of this problem is showed on the responder side. - -```none -Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable -Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable -Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> failed to establish CHILD_SA, keeping IKE_SA -Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA -Jun 23 14:13:19 charon[2440]: 01[ENC] <PEER|7> generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] -Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] -``` - -Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the -responder side. diff --git a/docs/configuration/vpn/md-index.md b/docs/configuration/vpn/md-index.md deleted file mode 100644 index 9b06e5df..00000000 --- a/docs/configuration/vpn/md-index.md +++ /dev/null @@ -1,14 +0,0 @@ -# VPN - -```{toctree} -:includehidden: true -:maxdepth: 1 - -ipsec/index -l2tp -openconnect -pptp -rsa-keys -sstp -dmvpn -``` diff --git a/docs/configuration/vpn/md-rsa-keys.md b/docs/configuration/vpn/md-rsa-keys.md deleted file mode 100644 index b224b514..00000000 --- a/docs/configuration/vpn/md-rsa-keys.md +++ /dev/null @@ -1,114 +0,0 @@ -# RSA-Keys - -```{todo} -Convert raw command blocks in this file to cfgcmd/opcmd -directives for command coverage tracking. -``` - -RSA can be used for services such as key exchanges and for encryption purposes. -To make IPSec work with dynamic address on one/both sides, we will have to use -RSA keys for authentication. They are very fast and easy to setup. - -First, on both routers run the operational command "generate pki key-pair -install \<key-pair nam>>". You may choose different length than 2048 of course. - -```none -vyos@left# run generate pki key-pair install ipsec-LEFT -Enter private key type: [rsa, dsa, ec] (Default: rsa) -Enter private key bits: (Default: 2048) -Note: If you plan to use the generated key on this router, do not encrypt the private key. -Do you want to encrypt the private key with a passphrase? [y/N] N -Configure mode commands to install key pair: -Do you want to install the public key? [Y/n] Y -set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' -Do you want to install the private key? [Y/n] Y -set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' -[edit] -``` - -Configuration commands will display. -Note the command with the public key -(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). -Then do the same on the opposite router: - -```none -vyos@left# run generate pki key-pair install ipsec-RIGHT -``` - -Note the command with the public key -(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). - -The noted public keys should be entered on the opposite routers. - -On the LEFT: - -```none -set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...' -``` - -On the RIGHT: - -```none -set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' -``` - -Now you are ready to setup IPsec. The key points: -1. Since both routers do not know their effective public addresses, - we set the local-address of the peer to "any". -2. On the initiator, we set the peer address to its public address, - but on the responder we only set the id. -3. On the initiator, we need to set the remote-id option so that it - can identify IKE traffic from the responder correctly. -4. On the responder, we need to set the local id so that initiator - can know who's talking to it for the point #3 to work. - -On the LEFT (static address): - -```none -set vpn ipsec interface eth0 - -set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 -set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - -set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 -set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 -set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - -set vpn ipsec site-to-site peer @RIGHT authentication id LEFT -set vpn ipsec site-to-site peer @RIGHT authentication mode rsa -set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT -set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT -set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT -set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup -set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup -set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 -set vpn ipsec site-to-site peer @RIGHT connection-type none -set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local -set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote -``` - -On the RIGHT (dynamic address): - -```none -set vpn ipsec interface eth0 - -set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 -set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - -set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 -set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 -set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - -set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT -set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa -set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT -set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT -set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT -set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate -set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup -set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup -set vpn ipsec site-to-site peer 192.0.2.10 local-address any -set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local -set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote -``` - |
