-rw-r--r--  CONTRIBUTING.md                  | 18
-rw-r--r--  docs/configuration-overview.rst  |  6
-rw-r--r--  docs/firewall.rst                |  7
-rw-r--r--  docs/interfaces/tunnel.rst       | 24
-rw-r--r--  docs/nat.rst                     |  6
-rw-r--r--  docs/routing/bgp.rst             |  6
-rw-r--r--  docs/services/webproxy.rst       |  4
-rw-r--r--  docs/vpn/dmvpn.rst               |  8
-rw-r--r--  docs/vpn/site2site_ipsec.rst     | 44
9 files changed, 64 insertions, 59 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9dcaeb1b..496659bb 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -10,12 +10,18 @@ Please check the documation, if you don't familiar with [sphinx-doc](http://http://www.sphinx-doc.org) or [reStructuredText](http://www.sphinx-doc.org/en/master/usage/restructuredtext/index.html) - Note the following RFCs, which describe the reserved public IP addresses and autonomous system numbers for the documentation. Please don't use other public address space. - - * [RFC5737](https://tools.ietf.org/html/rfc5737) - * [RFC3849](https://tools.ietf.org/html/rfc3849) - * [RFC5389](https://tools.ietf.org/html/rfc5398) - + Note the following RFCs, which describe the reserved public IP addresses and autonomous system numbers for the documentation. [RFC5737](https://tools.ietf.org/html/rfc5737), [RFC3849](https://tools.ietf.org/html/rfc3849), [RFC5389](https://tools.ietf.org/html/rfc5398), [RFC7042](https://tools.ietf.org/html/rfc7042) + + * 192.0.2.0/24 + * 198.51.100.0/24 + * 203.0.113.0/24 + * 2001:db8::/32 + * 16bit ASN: 64496 - 64511 + * 32bit ASN: 65536 - 65551 + * Unicast MAC Addresses: 00-53-00 to 00-53-FF + * Multicast MAC-Addresses: 90-10-00 to 90-10-FF + + Please don't use other public address space. 5. add the modified files diff --git a/docs/configuration-overview.rst b/docs/configuration-overview.rst index ada7ab64..1ed0938f 100644 --- a/docs/configuration-overview.rst +++ b/docs/configuration-overview.rst @@ -214,10 +214,10 @@ These commands are also relative to the level where they are executed and all re .. code-block:: sh [edit] - vyos@vyos# set interface ethernet eth0 address 1.2.3.4/24 + vyos@vyos# set interface ethernet eth0 address 203.0.113.6/24 [edit interfaces ethernet eth0] - vyos@vyos# set address 1.2.3.4/24 + vyos@vyos# set address 203.0.113.6/24 These two commands above are essentially the same, just executed from different levels in the hierarchy. 
@@ -227,7 +227,7 @@ Deleting an entry could also mean to reset it back to its default value if the e .. code-block:: sh [edit interfaces ethernet eth0] - vyos@vyos# delete address 1.2.3.4/24 + vyos@vyos# delete address 203.0.113.6/24 Any change you do on the configuration, will not take effect until committed using the `commit` command in configuration mode. diff --git a/docs/firewall.rst b/docs/firewall.rst index 023898db..f41bbcbb 100644 --- a/docs/firewall.rst +++ b/docs/firewall.rst @@ -113,12 +113,11 @@ Example Partial Config config-trap disable group { network-group BAD-NETWORKS { - network 1.2.3.0/24 - network 1.2.4.0/24 + network 198.51.100.0/24 + network 203.0.113.0/24 } network-group GOOD-NETWORKS { - network 4.5.6.0/24 - network 4.5.7.0/24 + network 192.0.2.0/24 } port-group BAD-PORTS { port 65535 diff --git a/docs/interfaces/tunnel.rst b/docs/interfaces/tunnel.rst index 14f02b1c..f466a714 100644 --- a/docs/interfaces/tunnel.rst +++ b/docs/interfaces/tunnel.rst @@ -98,8 +98,8 @@ The Cisco router defaults to 'gre ip' otherwise it would have to be configured a set interfaces tunnel tun100 address '10.0.0.1/30' set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '198.18.0.2' - set interfaces tunnel tun100 remote-ip '198.18.2.2' + set interfaces tunnel tun100 local-ip '198.51.100.2' + set interfaces tunnel tun100 remote-ip '203.0.113.10' **Cisco IOS Router:** @@ -107,8 +107,8 @@ The Cisco router defaults to 'gre ip' otherwise it would have to be configured a interface Tunnel100 ip address 10.0.0.2 255.255.255.252 - tunnel source 198.18.2.2 - tunnel destination 198.18.0.2 + tunnel source 203.0.113.10 + tunnel destination 198.51.100.2 Troubleshooting ^^^^^^^^^^^^^^^ 
@@ -122,14 +122,14 @@ configurations that are discarding IP protocol 47 or blocking your source/desint .. code-block:: sh - vyos@vyos:~$ ping 198.18.2.2 interface 198.18.0.2 count 4 - PING 198.18.2.2 (198.18.2.2) from 198.18.0.2 : 56(84) bytes of data. - 64 bytes from 198.18.2.2: icmp_seq=1 ttl=254 time=0.807 ms - 64 bytes from 198.18.2.2: icmp_seq=2 ttl=254 time=1.50 ms - 64 bytes from 198.18.2.2: icmp_seq=3 ttl=254 time=0.624 ms - 64 bytes from 198.18.2.2: icmp_seq=4 ttl=254 time=1.41 ms + vyos@vyos:~$ ping 203.0.113.10 interface 198.51.100.2 count 4 + PING 203.0.113.10 (203.0.113.10) from 198.51.100.2 : 56(84) bytes of data. + 64 bytes from 203.0.113.10: icmp_seq=1 ttl=254 time=0.807 ms + 64 bytes from 203.0.113.10: icmp_seq=2 ttl=254 time=1.50 ms + 64 bytes from 203.0.113.10: icmp_seq=3 ttl=254 time=0.624 ms + 64 bytes from 203.0.113.10: icmp_seq=4 ttl=254 time=1.41 ms - --- 198.18.2.2 ping statistics --- + --- 203.0.113.10 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3007ms rtt min/avg/max/mdev = 0.624/1.087/1.509/0.381 ms @@ -139,7 +139,7 @@ configurations that are discarding IP protocol 47 or blocking your source/desint vyos@vyos:~$ show interfaces tunnel tun100 tun100@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000 - link/gre 198.18.0.2 peer 198.18.2.2 + link/gre 198.51.100.2 peer 203.0.113.10 inet 10.0.0.1/30 brd 10.0.0.3 scope global tun100 valid_lft forever preferred_lft forever inet6 fe80::5efe:c612:2/64 scope link diff --git a/docs/nat.rst b/docs/nat.rst index 66fb783e..5c3dadc4 100644 --- a/docs/nat.rst +++ b/docs/nat.rst 
@@ -249,16 +249,16 @@ one external interface: set interfaces ethernet eth0 address '192.168.1.1/24' set interfaces ethernet eth0 description 'Inside interface' - set interfaces ethernet eth1 address '1.2.3.4/24' + set interfaces ethernet eth1 address '192.0.2.30/24' set interfaces ethernet eth1 description 'Outside interface' set nat destination rule 2000 description '1-to-1 NAT example' - set nat destination rule 2000 destination address '1.2.3.4' + set nat destination rule 2000 destination address '192.0.2.30' set nat destination rule 2000 inbound-interface 'eth1' set nat destination rule 2000 translation address '192.168.1.10' set nat source rule 2000 description '1-to-1 NAT example' set nat source rule 2000 outbound-interface 'eth1' set nat source rule 2000 source address '192.168.1.10' - set nat source rule 2000 translation address '1.2.3.4' + set nat source rule 2000 translation address '192.0.2.30' Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination of inbound rules. diff --git a/docs/routing/bgp.rst b/docs/routing/bgp.rst index ecd706ba..d2c60853 100644 --- a/docs/routing/bgp.rst +++ b/docs/routing/bgp.rst @@ -37,13 +37,13 @@ creating a static route:** .. code-block:: sh - set protocols static route 1.0.0.0/16 blackhole distance '254' + set protocols static route 172.16.0.0/16 blackhole distance '254' **Node 2:** .. code-block:: sh - set protocols static route 2.0.0.0/16 blackhole distance '254' + set protocols static route 172.17.0.0/16 blackhole distance '254' IPv6 @@ -81,7 +81,7 @@ creating a static route:** .. code-block:: sh - set protocols static route6 2a001:100:1::/48 blackhole distance '254' + set protocols static route6 2001:db8:1::/48 blackhole distance '254' **Node 2:** diff --git a/docs/services/webproxy.rst b/docs/services/webproxy.rst index 75f9993a..36571f75 100644 --- a/docs/services/webproxy.rst +++ b/docs/services/webproxy.rst 
@@ -135,9 +135,9 @@ So sometimes it is useful to bypass a transparent proxy: * To bypass the proxy for every request that is directed to a specific destination: - :code:`set service webproxy whitelist destination-address 1.2.3.4` + :code:`set service webproxy whitelist destination-address 198.51.100.33` - :code:`set service webproxy whitelist destination-address 4.5.6.0/24` + :code:`set service webproxy whitelist destination-address 192.0.2.0/24` * To bypass the proxy for every request that is coming from a specific source: diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst index e5135727..5b206c57 100644 --- a/docs/vpn/dmvpn.rst +++ b/docs/vpn/dmvpn.rst @@ -121,13 +121,13 @@ HUB Example Configuration: .. code-block:: sh - set interfaces ethernet eth0 address '1.1.1.1/30' + set interfaces ethernet eth0 address '198.51.100.41/30' set interfaces ethernet eth1 address '192.168.1.1/24' set system host-name 'HUB' set interfaces tunnel tun0 address 10.0.0.1/24 set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 1.1.1.1 + set interfaces tunnel tun0 local-ip 198.51.100.41 set interfaces tunnel tun0 multicast enable set interfaces tunnel tun0 parameters ip key 1 @@ -256,7 +256,7 @@ SPOKE1 Example Configuration set interfaces tunnel tun0 parameters ip key 1 set protocols nhrp tunnel tun0 cisco-authentication 'SECRET' - set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1 + set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41 set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register' set protocols nhrp tunnel tun0 multicast 'nhs' set protocols nhrp tunnel tun0 'redirect' 
@@ -379,7 +379,7 @@ SPOKE2 Example Configuration set interfaces tunnel tun0 parameters ip key 1 set protocols nhrp tunnel tun0 cisco-authentication SECRET - set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1 + set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41 set protocols nhrp tunnel tun0 map 10.0.0.1/24 register set protocols nhrp tunnel tun0 multicast nhs set protocols nhrp tunnel tun0 redirect diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst index 9279c112..ff398dab 100644 --- a/docs/vpn/site2site_ipsec.rst +++ b/docs/vpn/site2site_ipsec.rst @@ -11,9 +11,9 @@ Example: * WAN interface on `eth1` * left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually there is no client or server roles) -* left local_ip: `1.1.1.1` # server side WAN IP +* left local_ip: `198.51.100.3` # server side WAN IP * right subnet: `10.0.0.0/24` site2,remote office side -* right local_ip: `2.2.2.2` # remote office side WAN IP +* right local_ip: `203.0.113.2` # remote office side WAN IP .. code-block:: sh 
@@ -30,15 +30,15 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'eth1' - set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'SomePreSharedKey' - set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-public-networks 'disable' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.0.0/24' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '10.0.0.0/21' + set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'SomePreSharedKey' + set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'office-srv-ike' + set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.3' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'office-srv-esp' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.0.0/24' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21' # remote office config set vpn ipsec esp-group office-srv-esp compression 'disable' 
@@ -53,15 +53,15 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'eth1' - set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'SomePreSharedKey' - set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-public-networks 'disable' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 local prefix '10.0.0.0/21' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 remote prefix '192.168.0.0/24' + set vpn ipsec site-to-site peer 198.51.100.3 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 198.51.100.3 authentication pre-shared-secret 'SomePreSharedKey' + set vpn ipsec site-to-site peer 198.51.100.3 ike-group 'office-srv-ike' + set vpn ipsec site-to-site peer 198.51.100.3 local-address '203.0.113.2' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-nat-networks 'disable' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-public-networks 'disable' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 esp-group 'office-srv-esp' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 remote prefix '192.168.0.0/24' Show status of new setup: 
@@ -70,7 +70,7 @@ Show status of new setup: vyos@srv-gw0:~$ show vpn ike sa Peer ID / IP Local ID / IP ------------ ------------- - 2.2.2.2 1.1.1.1 + 203.0.113.2 198.51.100.3 State Encrypt Hash D-H Grp NAT-T A-Time L-Time ----- ------- ---- ------- ----- ------ ------ up aes256 sha1 5 no 734 3600 @@ -78,7 +78,7 @@ Show status of new setup: vyos@srv-gw0:~$ show vpn ipsec sa Peer ID / IP Local ID / IP ------------ ------------- - 2.2.2.2 1.1.1.1 + 203.0.113.2 198.51.100.3 Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto ------ ----- ------------- ------- ---- ----- ------ ------ ----- 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all |
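Review bot: In the CONTRIBUTING.md hunk (@@ -10,12), the third RFC link is mislabelled: the text reads `[RFC5389]` but the URL points at `rfc5398`. RFC 5398 is the one that reserves AS numbers for documentation (it matches the 64496-64511 and 65536-65551 ranges listed right below), whereas RFC 5389 is STUN, so the label should be changed to `[RFC5398]`. The old bullet list had the same mismatch; since this change rewrites the sentence, it is the natural place to fix it. In the same hunk, the MAC address bullets quote only the low three octets of the RFC 7042 documentation ranges; the full addresses are `00-00-5E-00-53-00` to `00-00-5E-00-53-FF` (unicast) and `01-00-5E-90-10-00` to `01-00-5E-90-10-FF` (multicast), and giving the complete 48-bit form avoids contributors inventing their own OUI prefix.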
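Review bot: In the docs/firewall.rst hunk (@@ -113,12), `GOOD-NETWORKS` goes from two members to one (`network 192.0.2.0/24`), so the partial config no longer shows that a network-group can hold several entries, which is the thing the example is illustrating. If the concern was running out of RFC 5737 prefixes, splitting the remaining one keeps the shape of the example, e.g. `network 192.0.2.0/25` and `network 192.0.2.128/25`.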
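Review bot: In the docs/interfaces/tunnel.rst hunk (@@ -139,7), the `show interfaces tunnel tun100` output is now internally inconsistent: `link/gre` is updated to `198.51.100.2 peer 203.0.113.10`, but the unchanged context line `inet6 fe80::5efe:c612:2/64 scope link` still carries the old local address (the `5efe:` link-local embeds the tunnel's IPv4 endpoint, and `c612:2` is 198.18.0.2). With the new local-ip the kernel would show `fe80::5efe:c633:6402/64`, so that line should be updated in the same change, otherwise readers comparing their own output with the docs will see a mismatch.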
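Review bot: In the docs/routing/bgp.rst hunk (@@ -37,13), the replacement prefixes `172.16.0.0/16` and `172.17.0.0/16` are RFC 1918 private space rather than the RFC 5737 documentation prefixes that this same commit tells contributors to use in CONTRIBUTING.md. That is understandable, since the example needs a /16 and the documentation prefixes are all /24s, but the guideline and the example now read as contradicting each other; a short remark in CONTRIBUTING.md that private space is acceptable where the documentation ranges are too small would resolve it. The IPv6 hunk (@@ -81,7) is a genuine correction, not just a renumbering: `2a001:100:1::/48` was not a valid address (a hextet cannot have five digits), and `2001:db8:1::/48` is well-formed and inside the RFC 3849 range. Worth calling that out in the commit message.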
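Review bot: In the docs/vpn/site2site_ipsec.rst hunks (@@ -11,9 and @@ -30,15), the bullet list still states `right subnet: 10.0.0.0/24`, while the rewritten config lines use `tunnel 0 remote prefix '10.0.0.0/21'` on site1 and `tunnel 0 local prefix '10.0.0.0/21'` on site2 (@@ -53,15). Since every peer line is being rewritten anyway, this is the moment to make the two agree, either by changing the bullet to `/21` or the prefixes to `/24`; a traffic selector that does not match the subnet in the description is exactly the kind of detail people copy verbatim and then spend time debugging.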