83 files changed, 647 insertions, 647 deletions
| diff --git a/docs/appendix/commandtree/configmode.rst b/docs/appendix/commandtree/configmode.rst index e286e85f..29dc43d0 100644 --- a/docs/appendix/commandtree/configmode.rst +++ b/docs/appendix/commandtree/configmode.rst @@ -3,7 +3,7 @@  Configuration mode  ------------------ -.. code-block:: console +.. code-block:: none    confirm           Confirm prior commit-confirm    comment           Add comment to this configuration element @@ -39,21 +39,21 @@ The command cannot be used at the top of the configuration hierarchy, only on su  To add a comment to a section, while being already at the proper section level: -.. code-block:: console +.. code-block:: none    [edit <section>]    vyos@vyos# comment "Type Comment Here"  To add a comment directly to a section, from the top or a higher section: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# comment <section> "Type Comment Here"  To remove a comment, add a blank comment to overwrite: -.. code-block:: console +.. code-block:: none    [edit <section>]    vyos@vyos# comment "" @@ -63,7 +63,7 @@ Examples  To add a comment to the "interfaces" section: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# edit interfaces @@ -74,7 +74,7 @@ To add a comment to the "interfaces" section:  The comment would then appear like this: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# show @@ -86,7 +86,7 @@ The comment would then appear like this:  An important thing to note is that since the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the ``show interfaces`` command would return starting after the "interfaces {" line, hiding the comment: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# show interfaces 
@@ -96,7 +96,7 @@ An important thing to note is that since the comment is added on top of the sect  To add a comment to the interfaces section from the top: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# comment interfaces "test" @@ -104,7 +104,7 @@ To add a comment to the interfaces section from the top:  The comment can be added to any node that already exists, even if it's multiple levels lower: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# comment interfaces ethernet eth0 vif 222 address "Far down comment" @@ -119,7 +119,7 @@ To discard the changes without committing, use the ``discard`` command. The ``co  The confirm keyword can be added, see ``commit-confirm``. A comment can be entered, it will appear in the commit log. -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# commit @@ -134,7 +134,7 @@ The ``commit-confirm`` command commits the proposed changes to the configuration  If the ``confirm`` command is not entered before the timer expiration, the configuration will be rolled back and VyOS will reboot.  The default timer value is 10 minutes, but a custom value can be entered. -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# commit-confirm @@ -149,7 +149,7 @@ Compare  VyOS maintains backups of previous configurations. To compare configuration revisions in configuration mode, use the compare command: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# compare @@ -178,7 +178,7 @@ The ``copy`` command allows you to copy a configuration object.  Copy the configuration entrys from a firewall name WAN rule 1 to rule 2. -.. code-block:: console +.. code-block:: none    [edit firewall name WAN]    vyos@vyos# show @@ -212,7 +212,7 @@ The ``delte`` command is to delete a configuration entry.  This Example delete the hole ``service tftp-server`` section. -.. code-block:: console +.. code-block:: none    delete service tftp-server 
@@ -221,7 +221,7 @@ Discard  The ``discard`` command removes all pending configuration changes. -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# discard @@ -235,7 +235,7 @@ The ``edit`` command allows you to navigate down into the configuration tree.  To get back to an upper level, use the ``up`` command or use the ``top`` command to get back to the upper most level.  The ``[edit]`` text displays where the user is located in the configuration tree. -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# edit interfaces @@ -255,14 +255,14 @@ The ``exit`` command doesn't save the configuration, only the ``save`` command d  Exiting from a configuration level: -.. code-block:: console +.. code-block:: none    [edit interfaces ethernet eth0]    vyos@vyos# exit  Exiting from configuration mode: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# exit @@ -271,14 +271,14 @@ Exiting from configuration mode:  Exiting from operational mode: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ exit    logout  Error message when trying to exit with uncommitted changes: -.. code-block:: console +.. code-block:: none    vyos@vyos# exit    Cannot exit: configuration modified. @@ -287,7 +287,7 @@ Error message when trying to exit with uncommitted changes:  Warning message when exiting with unsaved changes: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# exit @@ -298,7 +298,7 @@ Load  The ``load`` command load a configuration from a local or remote file. You have to be use ``commit`` to make the change active -.. code-block:: console +.. code-block:: none    <Enter>				Load from system config file    <file>				Load from file on local machine @@ -310,7 +310,7 @@ The ``load`` command load a configuration from a local or remote file. You have    tftp://<host>/<file>			Load from file on remote machine -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# load 
@@ -324,7 +324,7 @@ Loadkey  Copies the content of a public key to the ~/.ssh/authorized_keys file. -.. code-block:: console +.. code-block:: none    loadkey <username> [tab] @@ -342,7 +342,7 @@ The ``merge`` command merge the config from a local or remote file with the runn  In the example below exist a ``default-firewall.config`` file with some common firewall rules you saved earlier. -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# show firewall @@ -384,7 +384,7 @@ The ``rename`` command allows you to rename or move a configuration object.  See here how to move the configuration entrys from vlanid 3 to 2 -.. code-block:: console +.. code-block:: none    [edit interfaces ethernet eth1]    vyos@vyos# show @@ -418,7 +418,7 @@ Rollback  You can ``rollback`` configuration using the rollback command, however this command will currently trigger a system reboot.  Use the compare command to verify the configuration you want to rollback to. -.. code-block:: console +.. code-block:: none    vyos@vyos# compare 1    [edit system] @@ -436,7 +436,7 @@ Run  The ``run`` command allows you to execute any operational mode commands without exiting the configuration session. -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# run show interfaces @@ -451,7 +451,7 @@ Save  The ``save`` command saves the current configuration to non-volatile storage. VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP. -.. code-block:: console +.. code-block:: none    <Enter>				Save to system config file    <file>				Save to file on local machine @@ -465,7 +465,7 @@ Set  The ``set`` command create all configuration entrys -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 
@@ -477,7 +477,7 @@ The ``show`` command in the configuration mode displays the configuration and sh  Show the hole config, the address and description of eth1 is moving to vlan 2 if you commit the changes. -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# show diff --git a/docs/appendix/commandtree/operationmode.rst b/docs/appendix/commandtree/operationmode.rst index 96c7a631..8092f248 100644 --- a/docs/appendix/commandtree/operationmode.rst +++ b/docs/appendix/commandtree/operationmode.rst @@ -8,7 +8,7 @@ After this is the first view after the login.  Please see :ref:`cli` for navigation in the CLI -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ [tab] @@ -44,7 +44,7 @@ Please see :ref:`cli` for navigation in the CLI  Add  ^^^ -.. code-block:: console +.. code-block:: none   raid         Add a RAID set element   system       Add an item to a system facility @@ -52,7 +52,7 @@ Add  Clear  ^^^^^ -.. code-block:: console +.. code-block:: none    console            Clear screen    firewall           Clear firewall statistics @@ -69,13 +69,13 @@ Clone  The ``clone`` command allows you to clone a configuration from a system image to another one, or from the running config to another system image.  To clone the running config to a system image: -.. code-block:: console +.. code-block:: none    clone system config <system-image> from running  To clone from system image A to system image B: -.. code-block:: console +.. code-block:: none    clone system config <system-image-B> from <system-image-A> @@ -85,7 +85,7 @@ Configure  The ``configure`` command allows you to enter configuration mode. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ configure    [edit] @@ -97,7 +97,7 @@ Connect  The ``connect`` command allows you to bring up a connection oriented interface, like a pppoe interface. -.. code-block:: console +.. code-block:: none    connect interface <interface> 
@@ -108,7 +108,7 @@ The ``copy`` command allows you to copy a file to your running config or over im  It can look like this example: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$  copy file [tab]    Possible completions: @@ -127,7 +127,7 @@ It can look like this example:  To copy from file A to file B: -.. code-block:: console +.. code-block:: none    copy <file A> to <file B> @@ -135,7 +135,7 @@ To copy from file A to file B:  Delete  ^^^^^^ -.. code-block:: console +.. code-block:: none    conntrack     Delete Conntrack entries    file          Delete files in a particular image @@ -149,14 +149,14 @@ Disconnect  The ``disconnect`` command allows you to take down a connection oriented interface, like a pppoe interface. -.. code-block:: console +.. code-block:: none    disconnect interface <interface>  Force  ^^^^^ -.. code-block:: console +.. code-block:: none    arp           Send gratuitous ARP request or reply    cluster       Force a cluster state transition @@ -167,14 +167,14 @@ Format  The ``format`` command allows you to format a disk the same way as another one. -.. code-block:: console +.. code-block:: none    format disk <target> like <source>  Generate  ^^^^^^^^ -.. code-block:: console +.. code-block:: none    openvpn       OpenVPN key generation tool    ssh-server-key @@ -188,7 +188,7 @@ Install  The ``install`` command allows you to install the system image on the disk. -.. code-block:: console +.. code-block:: none    install image @@ -198,7 +198,7 @@ Monitor  ``monitor`` can be used to continually view what is happening on the router. -.. code-block:: console +.. code-block:: none    bandwidth     Monitor interface bandwidth in real time    bandwidth-test @@ -232,7 +232,7 @@ Ping  The ``ping`` command allows you to send an ICMP-EchoRequest packet and display the ICMP-EchoReply received. -.. code-block:: console +.. code-block:: none    <hostname>    Send Internet Control Message Protocol (ICMP) echo request    <x.x.x.x> 
@@ -244,7 +244,7 @@ Poweroff  The ``poweroff`` command allows you to properly shut down the VyOS instance. Without any modifier, the command is executed immediately. -.. code-block:: console +.. code-block:: none    <Enter>       Execute the current command    at            Poweroff at a specific time @@ -256,7 +256,7 @@ Reboot  ^^^^^^  The ``reboot`` command allows you to properly restart the VyOS instance. Without any modifier, the command is executed immediately. -.. code-block:: console +.. code-block:: none    <Enter>       Execute the current command    at            Poweroff at a specific time @@ -269,7 +269,7 @@ Release  The ``release`` command allows you to release a DHCP or DHCPv6 lease. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ release dhcp interface <int>    vyos@vyos:~$ release dhcpv6 interface <int> @@ -280,7 +280,7 @@ Rename  The ``rename`` command allows you to rename a system image. -.. code-block:: console +.. code-block:: none   rename system image <currentname> <newname> @@ -290,7 +290,7 @@ Renew  The ``renew`` command allows you to renew a DHCP or DHCPv6 lease. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ renew dhcp interface <int>    vyos@vyos:~$ renew dhcpv6 interface <int> @@ -298,7 +298,7 @@ The ``renew`` command allows you to renew a DHCP or DHCPv6 lease.  Reset  ^^^^^ -.. code-block:: console +.. code-block:: none    conntrack     Reset all currently tracked connections    conntrack-sync @@ -315,7 +315,7 @@ Reset  Restart  ^^^^^^^ -.. code-block:: console +.. code-block:: none    cluster       Restart cluster node    conntrack-sync @@ -335,7 +335,7 @@ Restart  Set  ^^^ -.. code-block:: console +.. code-block:: none    <OPTION>      Bash builtin set command    console       Control console behaviors @@ -346,7 +346,7 @@ Set  Show  ^^^^ -.. code-block:: console +.. code-block:: none    arp           Show Address Resolution Protocol (ARP) information    bridge        Show bridging information 
@@ -410,7 +410,7 @@ In the past the ``telnet`` command allowed you to connect remotely to another de  Telnet is unencrypted and should not use anymore. But its nice to test if an TCP Port to a host is open. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ telnet 192.168.1.3 443    Trying 192.168.1.3... @@ -426,7 +426,7 @@ Traceroute  The ``traceroute`` command allows you to trace the path taken to a particular device. -.. code-block:: console +.. code-block:: none    <hostname>    Track network path to specified node    <x.x.x.x> @@ -438,7 +438,7 @@ The ``traceroute`` command allows you to trace the path taken to a particular de  Update  ^^^^^^ -.. code-block:: console +.. code-block:: none    dns           Update DNS information    webproxy      Update webproxy
\ No newline at end of file diff --git a/docs/appendix/examples/azure-vpn-bgp.rst b/docs/appendix/examples/azure-vpn-bgp.rst index 896f43d4..57f82396 100644 --- a/docs/appendix/examples/azure-vpn-bgp.rst +++ b/docs/appendix/examples/azure-vpn-bgp.rst @@ -52,7 +52,7 @@ Vyos configuration  - Configure the IKE and ESP settings to match a subset    of those supported by Azure: -.. code-block:: console +.. code-block:: none    set vpn ipsec esp-group AZURE compression 'disable'    set vpn ipsec esp-group AZURE lifetime '3600' @@ -73,26 +73,26 @@ Vyos configuration  - Enable IPsec on eth0 -.. code-block:: console +.. code-block:: none    set vpn ipsec ipsec-interfaces interface 'eth0'  - Configure a VTI with a dummy IP address -.. code-block:: console +.. code-block:: none    set interfaces vti vti1 address '10.10.1.5/32'    set interfaces vti vti1 description 'Azure Tunnel'  - Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. -.. code-block:: console +.. code-block:: none    set firewall options interface vti1 adjust-mss 1350  - Configure the VPN tunnel -.. code-block:: console +.. code-block:: none    set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'    set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' @@ -108,13 +108,13 @@ Vyos configuration  - **Important**: Add an interface route to reach Azure's BGP listener -.. code-block:: console +.. code-block:: none    set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1  - Configure your BGP settings -.. code-block:: console +.. code-block:: none    set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'    set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' @@ -123,6 +123,6 @@ Vyos configuration  - **Important**: Disable connected check \ -.. code-block:: console +.. code-block:: none    set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check 
diff --git a/docs/appendix/examples/azure-vpn-dual-bgp.rst b/docs/appendix/examples/azure-vpn-dual-bgp.rst index 27007709..cbe9a4d9 100644 --- a/docs/appendix/examples/azure-vpn-dual-bgp.rst +++ b/docs/appendix/examples/azure-vpn-dual-bgp.rst @@ -55,7 +55,7 @@ Vyos configuration  - Configure the IKE and ESP settings to match a subset    of those supported by Azure: -.. code-block:: console +.. code-block:: none    set vpn ipsec esp-group AZURE compression 'disable'    set vpn ipsec esp-group AZURE lifetime '3600' @@ -76,13 +76,13 @@ Vyos configuration  - Enable IPsec on eth0 -.. code-block:: console +.. code-block:: none    set vpn ipsec ipsec-interfaces interface 'eth0'  - Configure two VTIs with a dummy IP address each -.. code-block:: console +.. code-block:: none    set interfaces vti vti1 address '10.10.1.5/32'    set interfaces vti vti1 description 'Azure Primary Tunnel' @@ -92,14 +92,14 @@ Vyos configuration  - Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. -.. code-block:: console +.. code-block:: none    set firewall options interface vti1 adjust-mss 1350    set firewall options interface vti2 adjust-mss 1350  - Configure the VPN tunnels -.. code-block:: console +.. code-block:: none    set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'    set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' @@ -127,14 +127,14 @@ Vyos configuration  - **Important**: Add an interface route to reach both Azure's BGP listeners -.. code-block:: console +.. code-block:: none    set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1    set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2  - Configure your BGP settings -.. code-block:: console +.. code-block:: none    set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'    set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' 
@@ -149,7 +149,7 @@ Vyos configuration  - **Important**: Disable connected check, otherwise the routes learned    from Azure will not be imported into the routing table. -.. code-block:: console +.. code-block:: none    set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check    set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check diff --git a/docs/appendix/examples/bgp-ipv6-unnumbered.rst b/docs/appendix/examples/bgp-ipv6-unnumbered.rst index 0aceee01..0e5f48b4 100644 --- a/docs/appendix/examples/bgp-ipv6-unnumbered.rst +++ b/docs/appendix/examples/bgp-ipv6-unnumbered.rst @@ -10,7 +10,7 @@ Configuration  - Router A: -.. code-block:: console +.. code-block:: none    set protocols bgp 65020 address-family ipv4-unicast redistribute connected    set protocols bgp 65020 address-family ipv6-unicast redistribute connected @@ -29,7 +29,7 @@ Configuration  - Router B: -.. code-block:: console +.. code-block:: none    set protocols bgp 65021 address-family ipv4-unicast redistribute connected    set protocols bgp 65021 address-family ipv6-unicast redistribute connected @@ -51,7 +51,7 @@ Results  - Router A: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down @@ -64,7 +64,7 @@ Results                     192.168.0.1/32                     ::1/128 -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show ip route    Codes: K - kernel route, C - connected, S - static, R - RIP, @@ -79,7 +79,7 @@ Results    B>* 192.168.0.2/32 [20/0] via fe80::a00:27ff:fe3b:7ed2, eth2, 00:05:07      *                       via fe80::a00:27ff:fe7b:4000, eth1, 00:05:07 -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ ping 192.168.0.2    PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data. 
@@ -93,7 +93,7 @@ Results    5 packets transmitted, 5 received, 0% packet loss, time 4086ms    rtt min/avg/max/mdev = 0.575/0.612/0.682/0.047 ms -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show ip bgp summary @@ -112,7 +112,7 @@ Results  - Router B: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down @@ -125,7 +125,7 @@ Results                     192.168.0.2/32                     ::1/128 -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show ip route    Codes: K - kernel route, C - connected, S - static, R - RIP, @@ -140,7 +140,7 @@ Results      *                       via fe80::a00:27ff:fe93:e142, eth2, 00:06:18    C>* 192.168.0.2/32 is directly connected, lo, 00:44:11 -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ ping 192.168.0.1    PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. @@ -153,7 +153,7 @@ Results    4 packets transmitted, 4 received, 0% packet loss, time 3051ms    rtt min/avg/max/mdev = 0.427/0.598/0.782/0.155 ms -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show ip bgp summary    IPv4 Unicast Summary: diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst index 4ccce3d9..30ca8e86 100644 --- a/docs/appendix/examples/dmvpn.rst +++ b/docs/appendix/examples/dmvpn.rst @@ -9,7 +9,7 @@ General infomration can be found in the :ref:`vpn-dmvpn` chapter.  Configuration  ^^^^^^^^^^^^^ -.. code-block:: console +.. code-block:: none    set interfaces tunnel tun100 address '172.16.253.134/29'    set interfaces tunnel tun100 encapsulation 'gre' 
@@ -54,7 +54,7 @@ Cisco IOS Spoke  This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and  VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux). -.. code-block:: console +.. code-block:: none    Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3)    Technical Support: http://www.cisco.com/techsupport @@ -65,7 +65,7 @@ VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux).  Use this configuration on your Cisco device: -.. code-block:: console +.. code-block:: none    crypto pki token default removal timeout 0    crypto keyring DMVPN diff --git a/docs/appendix/examples/ha.rst b/docs/appendix/examples/ha.rst index 1c37463c..6dbc0334 100644 --- a/docs/appendix/examples/ha.rst +++ b/docs/appendix/examples/ha.rst @@ -94,7 +94,7 @@ Bonding on Hardware Router  Create a LACP bond on the hardware router. We are assuming that eth0 and eth1 are connected to port 8 on both switches, and that those ports are configured as a Port-Channel. -.. code-block:: console +.. code-block:: none     set interfaces bonding bond0 description 'Switch Port-Channel'     set interfaces bonding bond0 hash-policy 'layer2' @@ -111,14 +111,14 @@ VLAN 100 and 201 will have floating IP addresses, but VLAN50 does not, as this i  For the hardware router, replace ``eth0`` with ``bond0``. As (almost) every command is identical, this will not be specified unless different things need to be performed on different hosts. -.. code-block:: console +.. code-block:: none     set interfaces ethernet eth0 vif 50 address '192.0.2.21/24'  In this case, the hardware router has a different IP, so it would be -.. code-block:: console +.. code-block:: none     set interfaces ethernet bond0 vif 50 address '192.0.2.22/24' 
@@ -128,7 +128,7 @@ Add (temporary) default route, and enable SSH  It is assumed that the routers provided by upstream are capable of acting as a default router. Add that as a static route, and enable SSH so you can now SSH into the routers, rather than using the console. -.. code-block:: console +.. code-block:: none     set protocols static route 0.0.0.0/0 next-hop 192.0.2.11     set service ssh @@ -158,7 +158,7 @@ This has a floating IP address of 10.200.201.1, using virtual router ID 201. The  router1  ~~~~~~~ -.. code-block:: console +.. code-block:: none     set interfaces ethernet eth0 vif 201 address 10.200.201.2/24     set high-availability vrrp group int hello-source-address '10.200.201.2' @@ -173,7 +173,7 @@ router1  router2  ~~~~~~~ -.. code-block:: console +.. code-block:: none     set interfaces ethernet bond0 vif 201 address 10.200.201.3/24     set high-availability vrrp group int hello-source-address '10.200.201.3' @@ -194,7 +194,7 @@ The virtual router ID is just a random number between 1 and 254, and can be set  router1  ~~~~~~~ -.. code-block:: console +.. code-block:: none     set interfaces ethernet eth0 vif 100 address 203.0.113.2/24     set high-availability vrrp group public hello-source-address '203.0.113.2' @@ -209,7 +209,7 @@ router1  router2  ~~~~~~~ -.. code-block:: console +.. code-block:: none     set interfaces ethernet bond0 vif 100 address 203.0.113.3/24     set high-availability vrrp group public hello-source-address '203.0.113.3' @@ -226,7 +226,7 @@ Create vrrp sync-group  The sync group is used to replicate connection tracking. It needs to be assigned to a random VRRP group, and we are creating a sync group called ``sync`` using the vrrp group ``int``. -.. code-block:: console +.. code-block:: none     set high-availability vrrp sync-group sync member 'int' 
@@ -236,7 +236,7 @@ Testing  At this point, you should be able to see both IP addresses when you run ``show interfaces``\ , and ``show vrrp`` should show both interfaces in MASTER state (and SLAVE state on router2). -.. code-block:: console +.. code-block:: none     vyos@router1:~$ show vrrp     Name      Interface      VRID  State    Last Transition @@ -254,7 +254,7 @@ NAT and conntrack-sync  Masquerade Traffic originating from 10.200.201.0/24 that is heading out the public interface.  Note we explicitly exclude the primary upstream network so that BGP or OSPF traffic doesn't accidentally get NAT'ed. -.. code-block:: console +.. code-block:: none     set nat source rule 10 destination address '!192.0.2.0/24'     set nat source rule 10 outbound-interface 'eth0.50' @@ -267,7 +267,7 @@ Configure conntrack-sync and disable helpers  Most conntrack modules cause more problems than they're worth, especially in a complex network. Turn them off by default, and if you need to turn them on later, you can do so. -.. code-block:: console +.. code-block:: none     set system conntrack modules ftp disable     set system conntrack modules gre disable @@ -279,7 +279,7 @@ Most conntrack modules cause more problems than they're worth, especially in a c  Now enable replication between nodes. Replace eth0.201 with bond0.201 on the hardware router. -.. code-block:: console +.. code-block:: none     set service conntrack-sync accept-protocol 'tcp,udp,icmp'     set service conntrack-sync event-listen-queue-size '8' @@ -315,7 +315,7 @@ router1  Replace the 99.99.99.99 with whatever the other router's IP address is. -.. code-block:: console +.. code-block:: none     set interfaces wireguard wg01 address '10.254.60.1/30'     set interfaces wireguard wg01 description 'router1-to-offsite1' 
@@ -339,7 +339,7 @@ offsite1  This is connecting back to the STATIC IP of router1, not the floating. -.. code-block:: console +.. code-block:: none     set interfaces wireguard wg01 address '10.254.60.2/30'     set interfaces wireguard wg01 description 'offsite1-to-router1' @@ -373,7 +373,7 @@ This filter is applied to ``redistribute connected``.  If we WERE to advertise i  via their default route, establish the connection, and then OSPF would say '192.0.2.0/24 is available via this tunnel', at which point  the tunnel would break, OSPF would drop the routes, and then 192.0.2.0/24 would be reachable via default again. This is called 'flapping'. -.. code-block:: console +.. code-block:: none     set policy access-list 150 description 'Outbound OSPF Redistribution'     set policy access-list 150 rule 10 action 'permit' @@ -394,7 +394,7 @@ Create Import Filter  We only want to import networks we know about. Our OSPF peer should only be advertising networks in the 10.201.0.0/16 range. Note that this is an INVERSE MATCH. You deny in access-list 100 to accept the route. -.. code-block:: console +.. code-block:: none     set policy access-list 100 description 'Inbound OSPF Routes from Peers'     set policy access-list 100 rule 10 action 'deny' @@ -415,7 +415,7 @@ Enable OSPF  Every router **must** have a unique router-id.  The 'reference-bandwidth' is used because when OSPF was originally designed, the idea of a link faster than 1gbit was unheard of, and it does not scale correctly. -.. code-block:: console +.. code-block:: none     set protocols ospf area 0.0.0.0 authentication 'md5'     set protocols ospf area 0.0.0.0 network '10.254.60.0/24' 
@@ -440,7 +440,7 @@ As a reminder, only advertise routes that you are the default router for. This i  192.0.2.0/24 network, because if that was announced into OSPF, the other routers would try to connect to that  network over a tunnel that connects to that network! -.. code-block:: console +.. code-block:: none     set protocols ospf access-list 150 export 'connected'     set protocols ospf redistribute connected @@ -458,7 +458,7 @@ Priorities  Set the cost on the secondary links to be 200. This means that they will not be used unless the primary links are down. -.. code-block:: console +.. code-block:: none     set interfaces wireguard wg01 ip ospf cost '10'     set interfaces wireguard wg02 ip ospf cost '200' @@ -476,7 +476,7 @@ router1  The ``redistribute ospf`` command is there purely as an example of how this can be expanded. In this walkthrough, it will be filtered by BGPOUT rule 10000, as it is not 203.0.113.0/24. -.. code-block:: console +.. code-block:: none     set policy prefix-list BGPOUT description 'BGP Export List'     set policy prefix-list BGPOUT rule 10 action 'deny' diff --git a/docs/appendix/examples/ospf-unnumbered.rst b/docs/appendix/examples/ospf-unnumbered.rst index 923e0286..47f3011c 100644 --- a/docs/appendix/examples/ospf-unnumbered.rst +++ b/docs/appendix/examples/ospf-unnumbered.rst @@ -10,7 +10,7 @@ Configuration  - Router A: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address '10.0.0.1/24'    set interfaces ethernet eth1 address '192.168.0.1/32' @@ -27,7 +27,7 @@ Configuration  - Router B: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address '10.0.0.2/24'    set interfaces ethernet eth1 address '192.168.0.2/32' @@ -48,7 +48,7 @@ Results  - Router A: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down 
@@ -61,7 +61,7 @@ Results                     192.168.0.1/32                     ::1/128 -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show ip route    Codes: K - kernel route, C - connected, S - static, R - RIP, @@ -83,7 +83,7 @@ Results  - Router B: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down @@ -96,7 +96,7 @@ Results                     192.168.0.2/32                     ::1/128 -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show ip route    Codes: K - kernel route, C - connected, S - static, R - RIP, diff --git a/docs/appendix/examples/tunnelbroker-ipv6.rst b/docs/appendix/examples/tunnelbroker-ipv6.rst index e8fc9a8b..2977604d 100644 --- a/docs/appendix/examples/tunnelbroker-ipv6.rst +++ b/docs/appendix/examples/tunnelbroker-ipv6.rst @@ -17,7 +17,7 @@ Setting up the initial tunnel  - Set up the initial IPv6 tunnel. Replace the field below from the fields on the `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ tunnel information page. -.. code-block:: console +.. code-block:: none      conf      set interfaces tunnel tun0 address Client_IPv6_from_Tunnelbroker    # This will be your VyOS install's public IPv6 address @@ -34,7 +34,7 @@ Setting up the initial tunnel  - At this point you should be able to ping an IPv6 address. Try pinging Google: -.. code-block:: console +.. code-block:: none     ping6 -c2 2001:4860:4860::8888 @@ -47,7 +47,7 @@ Setting up the initial tunnel  - Assuming the pings are successful, you need to add some DNS servers. Some options: -.. code-block:: console +.. code-block:: none     set system name-server 2001:4860:4860::8888  # Google     set system name-server 2001:4860:4860::8844  # Google 
@@ -57,7 +57,7 @@ Setting up the initial tunnel  - You should now be able to ping something by IPv6 DNS name: -.. code-block:: console +.. code-block:: none     # ping6 -c2 one.one.one.one     PING one.one.one.one(one.one.one.one) 56 data bytes @@ -87,7 +87,7 @@ Single LAN Setup  Single LAN setup where eth1 is your LAN interface.  Use the /64 (all the xxxx should be replaced with the information from your `Routed /64` tunnel): -.. code-block:: console +.. code-block:: none     set interfaces ethernet eth1 address '2001:470:xxxx:xxxx::1/64'     set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888' @@ -118,7 +118,7 @@ In the above examples, 1,2,ffff are all chosen by you.  You can use 1-ffff (1-65  So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc: -.. code-block:: console +.. code-block:: none     set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64'     set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888' diff --git a/docs/appendix/examples/zone-policy.rst b/docs/appendix/examples/zone-policy.rst index 66cc3338..7a25d063 100644 --- a/docs/appendix/examples/zone-policy.rst +++ b/docs/appendix/examples/zone-policy.rst @@ -8,7 +8,7 @@ Native IPv4 and IPv6  We have three networks. -.. code-block:: console +.. code-block:: none    WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64    LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64 @@ -25,7 +25,7 @@ WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30.  It will look something like this: -.. code-block:: console +.. code-block:: none    interfaces {        ethernet eth0 { @@ -80,7 +80,7 @@ ruleset.  In rules, it is good to keep them named consistently. As the number of rules  you have grows, the more consistency you have, the easier your life will be. -.. code-block:: console +.. code-block:: none    Rule 1 - State Established, Related    Rule 2 - State Invalid 
@@ -105,7 +105,7 @@ significant headaches when trying to troubleshoot a connectivity issue.  To add logging to the default rule, do: -.. code-block:: console +.. code-block:: none    set firewall name <ruleSet> enable-default-log @@ -143,7 +143,7 @@ The following are the rules that were created for this example  (may not be complete), both in IPv4 and IPv6. If there is no IP specified,  then the source/destination address is not explicit. -.. code-block:: console +.. code-block:: none    WAN – DMZ:192.168.200.200 – tcp/80    WAN – DMZ:192.168.200.200 – tcp/443 @@ -195,7 +195,7 @@ then the source/destination address is not explicit.  Since we have 4 zones, we need to setup the following rulesets. -.. code-block:: console +.. code-block:: none    Lan-wan    Lan-local @@ -217,7 +217,7 @@ connection attempts.  This is an example of the three base rules. -.. code-block:: console +.. code-block:: none    name wan-lan {      default-action drop @@ -241,7 +241,7 @@ This is an example of the three base rules.  Here is an example of an IPv6 DMZ-WAN ruleset. -.. code-block:: console +.. code-block:: none    ipv6-name dmz-wan-6 {      default-action drop @@ -317,7 +317,7 @@ zone-policy.  Start by setting the interface and default action for each zone. -.. code-block:: console +.. code-block:: none    set zone-policy zone dmz default-action drop    set zone-policy zone dmz interface eth0.30 @@ -342,7 +342,7 @@ LAN, WAN, DMZ, local and TUN (tunnel)  v6 pairs would be: -.. code-block:: console +.. code-block:: none    lan-tun    lan-local @@ -363,7 +363,7 @@ You would have to add a couple of rules on your wan-local ruleset to allow proto  Something like: -.. code-block:: console +.. code-block:: none    rule 400 {      action accept diff --git a/docs/appendix/migrate-from-vyatta.rst b/docs/appendix/migrate-from-vyatta.rst index 7ca64c16..051d7cef 100644 --- a/docs/appendix/migrate-from-vyatta.rst +++ b/docs/appendix/migrate-from-vyatta.rst 
@@ -30,7 +30,7 @@ You just use ``add system image``, as if it was a new VC release (see  is to verify the new images digital signature. You will have to add the public  key manually once as it is not shipped the first time. -.. code-block:: console +.. code-block:: none    vyatta@vyatta:~$ wget http://wiki.vyos.net/so3group_maintainers.key    Connecting to vyos.net (x.x.x.x:80) @@ -41,7 +41,7 @@ key manually once as it is not shipped the first time.  For completion the key below corresponds to the key listed in the URL above. -.. code-block:: console +.. code-block:: none    -----BEGIN PGP PUBLIC KEY BLOCK-----    Version: GnuPG v1.4.12 (GNU/Linux) @@ -101,7 +101,7 @@ Next add the VyOS image.  This example uses VyOS 1.0.0, however, it's better to install the latest  release. -.. code-block:: console +.. code-block:: none    vyatta@vyatta:~$ show system image    The system currently has the following image(s) installed: diff --git a/docs/appendix/vyos-on-baremetal.rst b/docs/appendix/vyos-on-baremetal.rst index e6b7597e..2b155fd7 100644 --- a/docs/appendix/vyos-on-baremetal.rst +++ b/docs/appendix/vyos-on-baremetal.rst @@ -114,7 +114,7 @@ Create a bootable USB pendrive using e.g. Rufus_ on a Windows machine.  Connect serial port to a PC through null modem cable (RXD / TXD crossed over).  Set terminal emulator to 115200 8N1. -.. code-block:: console +.. code-block:: none    PC Engines apu4    coreboot build 20171130 @@ -135,7 +135,7 @@ Now boot from the ``USB MSC Drive Generic Flash Disk 8.07`` media by pressing  ``2``, the VyOS boot menu will appear, just wait 10 seconds or press ``Enter``  to continue. -.. code-block:: console +.. code-block:: none    lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk    x                      VyOS - Boot Menu                      x 
@@ -147,7 +147,7 @@ to continue.  The image will be loaded and the last lines you will get will be: -.. code-block:: console +.. code-block:: none    Loading /live/vmlinuz... ok    Loading /live/initrd.img... @@ -155,7 +155,7 @@ The image will be loaded and the last lines you will get will be:  The Kernel will now spin up using a different console setting. Set terminal  emulator to 9600 8N1 and after a while your console will show: -.. code-block:: console +.. code-block:: none    Loading /live/vmlinuz... ok    Loading /live/initrd.img... @@ -172,14 +172,14 @@ your first successful boot.  Use the following command to adjust the :ref:`serial-console` settings: -.. code-block:: console +.. code-block:: none    set system console device ttyS0 speed 115200  .. note:: Once you ``commit`` the above changes access to the serial interface     is lost until you set your terminal emulator to 115200 8N1 again. -.. code-block:: console +.. code-block:: none    vyos@vyos# show system console     device ttyS0 { diff --git a/docs/cli.rst b/docs/cli.rst index 2861a73c..fb7506c8 100644 --- a/docs/cli.rst +++ b/docs/cli.rst @@ -20,14 +20,14 @@ For example typing ``sh`` followed by the ``TAB`` key will complete to  ``show``. Pressing ``TAB`` a second time will display the possible  sub-commands of the ``show`` command. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ s[tab]    set   show  Example showing possible show commands: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show [tab]    Possible completions: @@ -71,7 +71,7 @@ When viewing in page mode the following commands are available:  To enter configuration mode use the ``configure`` command: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ configure    [edit] 
@@ -80,7 +80,7 @@ To enter configuration mode use the ``configure`` command:  .. note:: Prompt changes from ``$`` to ``#``. To exit configuration mode,     type ``exit``. -.. code-block:: console +.. code-block:: none    vyos@vyos:~# exit    exit diff --git a/docs/clustering.rst b/docs/clustering.rst index 3462ee73..97678445 100644 --- a/docs/clustering.rst +++ b/docs/clustering.rst @@ -17,7 +17,7 @@ General cluster configuration  In the general cluster configuration the network interfaces used for monitoring and negotiation of the cluster health is defined.  Additionally, the communication interval settings, multicast group (for sending/receiving heartbeat messages), and pre-shared secret used in this monitoring is defined. -.. code-block:: console +.. code-block:: none    vyos@vyos# set cluster    Possible completions: @@ -35,7 +35,7 @@ Cluster group configuration  For the cluster group configuration, the group name must be defined before the groups configuration can be set (See Example below).  After the group name is defined, the specific service to be clustered between primary and secondary nodes is configured. -.. code-block:: console +.. code-block:: none    vyos@vyos# set cluster group GROUPNAME    Possible completions: @@ -48,7 +48,7 @@ After the group name is defined, the specific service to be clustered between pr  Review cluster status  --------------------- -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show cluster status @@ -58,7 +58,7 @@ Example  In the example below SSH is clustered between two nodes. -.. code-block:: console +.. code-block:: none    cluster {        dead-interval 20000 diff --git a/docs/commandscripting.rst b/docs/commandscripting.rst index a86c2edb..5d14c6c5 100644 --- a/docs/commandscripting.rst +++ b/docs/commandscripting.rst 
@@ -9,7 +9,7 @@ from shell scripts.  To include VyOS specific functions and aliases you need to ``source  /opt/vyatta/etc/functions/script-template`` files at the top of your script. -.. code-block:: console +.. code-block:: none    #!/bin/vbash    source /opt/vyatta/etc/functions/script-template @@ -21,7 +21,7 @@ Run configuration commands  Configuration commands are executed just like from a normal config session. For  example, if you want to disable a BGP peer on VRRP transition to backup: -.. code-block:: console +.. code-block:: none    #!/bin/vbash    source /opt/vyatta/etc/functions/script-template @@ -36,7 +36,7 @@ Run operational commands  Unlike a normal configuration sessions, all operational commands must be  prepended with ``run``, even if you haven't created a session with configure. -.. code-block:: console +.. code-block:: none    #!/bin/vbash    source /opt/vyatta/etc/functions/script-template @@ -59,7 +59,7 @@ Here is a simple example:    print "set firewall group address-group somehosts address '1.1.1.2'" -.. code-block:: console +.. code-block:: none    #!/bin/vbash    source /opt/vyatta/etc/functions/script-template @@ -79,7 +79,7 @@ On VyOS this will cause the following problem: After modifying the configuration  via script like this once, it is not possible to manually modify the config  anymore: -.. code-block:: console +.. code-block:: none    sudo ./myscript.sh # Modifies config    configure 
@@ -91,14 +91,14 @@ a reboot is required to be able to edit the config manually again.  To avoid these problems, the proper way is to call a script with the  ``vyattacfg`` group, e.g., by using the ``sg`` (switch group) command: -.. code-block:: console +.. code-block:: none    sg vyattacfg -c ./myscript.sh  To make sure that a script is not accidentally called without the ``vyattacfg``  group, the script can be safeguarded like this: -.. code-block:: console +.. code-block:: none    if [ "$(id -g -n)" != 'vyattacfg' ] ; then        exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@" @@ -115,7 +115,7 @@ which are not complete in the VyOS system can be placed here.  The default file looks like this: -.. code-block:: console +.. code-block:: none    #!/bin/sh    # This script is executed at boot time after VyOS configuration is fully diff --git a/docs/configuration-overview.rst b/docs/configuration-overview.rst index 903dfba6..c4fc36e0 100644 --- a/docs/configuration-overview.rst +++ b/docs/configuration-overview.rst @@ -11,7 +11,7 @@ of system configuration.  The current active configuration -aka running configuration- can be viewed  using the show configuration command. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show configuration    interfaces { @@ -74,7 +74,7 @@ through a collection of ``set`` and ``delete`` commands.  Get a collection of all the set commands required which led to this  running configuration. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show configuration commands    set interfaces ethernet eth0 address 'dhcp' @@ -130,7 +130,7 @@ When entering the configuration mode you are navigating inside the tree  structure exported in the overview above, to enter configuration mode enter  the command ``configure`` when in operational mode. -.. code-block:: console +.. code-block:: none    vyos@vyos$ configure    [edit] 
@@ -145,7 +145,7 @@ lengthy when manually typing them.  To change the current hierarchy level use the command: ``edit`` -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# edit interfaces ethernet eth0 @@ -162,7 +162,7 @@ The ``show`` command within configuration mode will show the working  configuration indicating line changes with ``+`` for additions, ``>`` for  replacements and ``-`` for deletions. -.. code-block:: console +.. code-block:: none   vyos@vyos:~$ configure   [edit] @@ -194,7 +194,7 @@ replacements and ``-`` for deletions.  It is also possible to display all `set` commands within configuration mode  using ``show | commands`` -.. code-block:: console +.. code-block:: none    vyos@vyos# show interfaces ethernet eth0 | commands    set address dhcp @@ -203,7 +203,7 @@ using ``show | commands``  These commands are also relative to the level you are inside and only relevant  configuration blocks will be displayed when entering a sub-level. -.. code-block:: console +.. code-block:: none    [edit interfaces ethernet eth0]    vyos@vyos# show @@ -214,7 +214,7 @@ Exiting from the configuration mode is done via the ``exit`` command from the  top level, executing `exit` from within a sub-level takes you back to the top  level. -.. code-block:: console +.. code-block:: none    [edit interfaces ethernet eth0]    vyos@vyos# exit @@ -234,7 +234,7 @@ These commands are also relative to the level where they are executed and all  redundant information from the current level is removed from the command  entered. -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# set interface ethernet eth0 address 192.0.2.100/24 
@@ -250,7 +250,7 @@ all sub-levels under the current level you've specified in the ``delete``  command. Deleting an entry will also result in the element reverting back to  its default value if one exists. -.. code-block:: console +.. code-block:: none    [edit interfaces ethernet eth0]    vyos@vyos#  delete address 192.0.2.100/24 @@ -258,7 +258,7 @@ its default value if one exists.  Any change you do on the configuration, will not take effect until committed  using the ``commit`` command in configuration mode. -.. code-block:: console +.. code-block:: none    vyos@vyos# commit    [edit] @@ -270,7 +270,7 @@ In order to preserve configuration changes upon reboot, the configuration must  also be saved once applied. This is done using the ``save`` command in  configuration mode. -.. code-block:: console +.. code-block:: none    vyos@vyos# save    Saving configuration to '/config/config.boot'... @@ -280,7 +280,7 @@ Configuration mode can not be exited while uncommitted changes exist. To exit  configuration mode without applying changes, the exit discard command can be  used. -.. code-block:: console +.. code-block:: none    vyos@vyos# exit    Cannot exit: configuration modified. @@ -288,7 +288,7 @@ used.    [edit]    vyos@vyos# exit discard -.. code-block:: console +.. code-block:: none    vyos@vyos# save [tab]    Possible completions: @@ -314,7 +314,7 @@ operational mode.  Command completion and syntax help with ``?`` and ``[tab]`` will also work. -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# run show interfaces @@ -336,7 +336,7 @@ previous revisions if anything goes wrong.  To view existing revisions, use ``show system commit`` operational mode command. -.. code-block:: console +.. code-block:: none    vyos@vyos-test-2# run show system commit    0   2015-03-30 08:53:03 by vyos via cli 
@@ -351,7 +351,7 @@ To view existing revisions, use ``show system commit`` operational mode command.  To compare configuration revisions in configuration mode, use the compare  command: -.. code-block:: console +.. code-block:: none    vyos@vyos# compare [tab]    Possible completions: @@ -381,7 +381,7 @@ compared to Y, indicating with a plus sign (``+``) the additional parts X has  when compared to y, and indicating with a minus sign (``-``) the lacking parts  x misses when compared to y. -.. code-block:: console +.. code-block:: none    vyos@vyos-test-2# compare 0 6    [edit interfaces] @@ -402,7 +402,7 @@ Rolling Back Changes  You can rollback configuration using the rollback command. This command will  apply the selected revision and trigger a system reboot. -.. code-block:: console +.. code-block:: none    vyos@vyos# compare 1    [edit system] @@ -443,7 +443,7 @@ Restore Default  In the case you want to completely delete your configuration and restore the  default one, you can enter the following command in configuration mode: -.. code-block:: console +.. code-block:: none    load /opt/vyatta/etc/config.boot.default diff --git a/docs/contributing/build-vyos.rst b/docs/contributing/build-vyos.rst index 3dbd1310..51cfc7a4 100644 --- a/docs/contributing/build-vyos.rst +++ b/docs/contributing/build-vyos.rst @@ -18,7 +18,7 @@ Buster.  Installing Docker_ and prerequisites: -.. code-block:: console +.. code-block:: none    $ apt-get update    $ apt-get install -y apt-transport-https ca-certificates curl \ @@ -48,7 +48,7 @@ the vyos-build repository).  The container can always be built directly from source: -.. code-block:: console +.. code-block:: none    $ git clone -b current --single-branch https://github.com/vyos/vyos-build    $ docker build -t vyos/vyos-build docker 
@@ -68,7 +68,7 @@ Build ISO  After the container is generated either manually or fetched from DockerHub,  a fresh build of the VyOS ISO can begin. -.. code-block:: console +.. code-block:: none    $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build bash    vyos_bld@d4220bb519a0:/vyos# ./configure --architecture amd64 \ @@ -88,7 +88,7 @@ image:  This ISO can be customized with the following list of configure options.  The full and current list can be generated with ``./configure --help``: -.. code-block:: console +.. code-block:: none    -h, --help            show this help message and exit    --architecture ARCHITECTURE diff --git a/docs/contributing/development.rst b/docs/contributing/development.rst index 366621a5..12d706f3 100644 --- a/docs/contributing/development.rst +++ b/docs/contributing/development.rst @@ -115,7 +115,7 @@ which of the many VyOS packages ship this file. You can determine the VyOS  package name in question by using Debians ``dpkg -S`` command of your running  VyOS installation. -.. code-block:: console +.. code-block:: none    vyos@vyos:~ dpkg -S /opt/vyatta/sbin/vyatta-update-webproxy.pl    vyatta-webproxy: /opt/vyatta/sbin/vyatta-update-webproxy.pl @@ -144,7 +144,7 @@ In order to record you as the author of the fix please indentify yourself to Git  by setting up your name and email. This can be done local for this one and only  repository ``git config`` or globally using ``git config --global``. -.. code-block:: console +.. code-block:: none    git config --global user.name "J. Random Hacker"    git config --global user.email "jrhacker@example.net" diff --git a/docs/contributing/documentation.rst b/docs/contributing/documentation.rst index 661f4fe0..99e1fab7 100644 --- a/docs/contributing/documentation.rst +++ b/docs/contributing/documentation.rst 
@@ -59,7 +59,7 @@ This requires you already have a GitHub account.    Check your configured remote repositories: -  .. code-block:: console +  .. code-block:: none      $ git remote -v      origin    https://github.com/YOUR_USERNAME/vyos-documentation.git (fetch) @@ -70,7 +70,7 @@ This requires you already have a GitHub account.    Your remote repo on Github is called Origin, while the original repo you    have forked is called Upstream. Now you can locally update your forked repo. -  .. code-block:: console +  .. code-block:: none      $ git fetch upstream      $ git checkout master @@ -88,7 +88,7 @@ Sections  We use the following syntax for Headlines. -.. code-block:: console +.. code-block:: none    #####    Parts @@ -139,7 +139,7 @@ Under the command a short exlaination should be provide.  Example: -.. code-block:: console +.. code-block:: none    .. opcmd:: show protocols static arp diff --git a/docs/firewall.rst b/docs/firewall.rst index 9f573d90..59bbaa31 100644 --- a/docs/firewall.rst +++ b/docs/firewall.rst @@ -44,14 +44,14 @@ addresses and networks, the network group is recommended.  Here is an example of a network group for the IP networks that make up the  internal network: -.. code-block:: console +.. code-block:: none    set firewall group network-group NET-INSIDE network 192.168.0.0/24    set firewall group network-group NET-INSIDE network 192.168.1.0/24  Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they still need to have unique names, so you may want to append "-v4" or "-v6" to your group names. -.. code-block:: console +.. code-block:: none    set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24    set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 
@@ -64,7 +64,7 @@ Ranges of ports can be specified by using `-`.  Here is an example of a port group a server: -.. code-block:: console +.. code-block:: none    set firewall group port-group PORT-TCP-SERVER1 port 80    set firewall group port-group PORT-TCP-SERVER1 port 443 @@ -79,7 +79,7 @@ is matched, and the ability to specify the criteria to match.  Example of a rule-set to filter traffic to the internal network: -.. code-block:: console +.. code-block:: none    set firewall name INSIDE-OUT default-action drop    set firewall name INSIDE-OUT rule 1010 action accept @@ -96,7 +96,7 @@ Once a rule-set is created, it can be applied to an interface.  .. note:: Only one rule-set can be applied to each interface for `in`, `out`,     or `local` traffic for each protocol (IPv4 and IPv6). -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth1 firewall out name INSIDE-OUT @@ -106,7 +106,7 @@ Applying a Rule-Set to a Zone  A named rule-set can also be applied to a zone relationship (note, zones must  first be created): -.. code-block:: console +.. code-block:: none    set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT @@ -119,13 +119,13 @@ With the firewall you can set rules to accept, drop or reject ICMP in, out or lo  .. note:: **firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way -.. code-block:: console +.. code-block:: none    set firewall all-ping enable  When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied droping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests. -.. code-block:: console +.. code-block:: none    set firewall all-ping disable 
@@ -134,7 +134,7 @@ When the comand above is set, VyOS will answer no ICMP echo request addressed to  Example Partial Config  ---------------------- -.. code-block:: console +.. code-block:: none    firewall {       all-ping enable diff --git a/docs/high-availability.rst b/docs/high-availability.rst index de2f16b4..1ee59a7f 100644 --- a/docs/high-availability.rst +++ b/docs/high-availability.rst @@ -21,7 +21,7 @@ The required parameters are interface, vrid, and virtual-address.  minimal config -.. code-block:: console +.. code-block:: none    set high-availability vrrp group Foo vrid 10    set high-availability vrrp group Foo interface eth0 @@ -29,7 +29,7 @@ minimal config  You can verify your VRRP group status with the operational mode ``run show vrrp`` command: -.. code-block:: console +.. code-block:: none    vyos@vyos# run show vrrp    Name        Interface      VRID  State    Last Transition @@ -46,7 +46,7 @@ Disabling a VRRP group  You can disable a VRRP group with ``disable`` option: -.. code-block:: console +.. code-block:: none    set high-availability vrrp group Foo disable @@ -57,7 +57,7 @@ Setting VRRP group priority  VRRP priority can be set with ``priority`` option: -.. code-block:: console +.. code-block:: none    set high-availability vrrp group Foo priority 200 @@ -68,7 +68,7 @@ Sync groups  A sync group allows VRRP groups to transition together. -.. code-block:: console +.. code-block:: none      edit high-availability      set sync-group MAIN member VLAN9 @@ -76,7 +76,7 @@ A sync group allows VRRP groups to transition together.  In the following example, when VLAN9 transitions, VLAN20 will also transition: -.. code-block:: console +.. code-block:: none      vrrp {          group VLAN9 { 
@@ -108,13 +108,13 @@ VRRP can use two modes: preemptive and non-preemptive. In the preemptive mode, i  By default VRRP uses preemption. You can disable it with the "no-preempt" option: -.. code-block:: console +.. code-block:: none    set high-availability vrrp group Foo no-preempt  You can also configure the time interval for preemption with the "preempt-delay" option. For example, to set the higher priority router to take over in 180 seconds, use: -.. code-block:: console +.. code-block:: none    set high-availability vrrp group Foo preempt-delay 180 @@ -123,7 +123,7 @@ Unicast VRRP  By default VRRP uses multicast packets. If your network does not support multicast for whatever reason, you can make VRRP use unicast communication instead. -.. code-block:: console +.. code-block:: none    set high-availability vrrp group Foo peer-address 192.0.2.10    set high-availability vrrp group Foo hello-source-address 192.0.2.15 @@ -139,7 +139,7 @@ Health check scripts  This setup will make the VRRP process execute the ``/config/scripts/vrrp-check.sh script`` every 60 seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three times: -.. code-block:: console +.. code-block:: none    set high-availability vrrp group Foo health-check script /config/scripts/vrrp-check.sh    set high-availability vrrp group Foo health-check interval 60 
@@ -151,7 +151,7 @@ Transition scripts  Transition scripts can help you implement various fixups, such as starting and stopping services, or even modifying the VyOS config on VRRP transition.  This setup will make the VRRP process execute the ``/config/scripts/vrrp-fail.sh`` with argument ``Foo`` when VRRP fails, and the ``/config/scripts/vrrp-master.sh`` when the router becomes the master: -.. code-block:: console +.. code-block:: none    set high-availability vrrp group Foo transition-script backup "/config/scripts/vrrp-fail.sh Foo"    set high-availability vrrp group Foo transition-script fault "/config/scripts/vrrp-fail.sh Foo" diff --git a/docs/image-mgmt.rst b/docs/image-mgmt.rst index daf37664..8b4ff563 100644 --- a/docs/image-mgmt.rst +++ b/docs/image-mgmt.rst @@ -9,7 +9,7 @@ each image on the storage device selected during the install process.  The directory structure of the boot device: -.. code-block:: console +.. code-block:: none    /    /boot @@ -37,7 +37,7 @@ default-boot` command in operational mode.  A list of available images can be shown using the :code:`show system image`  command in operational mode. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show system image    The system currently has the following image(s) installed: @@ -62,7 +62,7 @@ install process will prompt you to use the current system configuration and SSH  security keys, allowing for the new image to boot using the current  configuration. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-1.2.0-rolling%2B201810030440-amd64.iso    Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-1.2.0-rolling%2B201810030440-amd64.iso 
@@ -100,7 +100,7 @@ If you need some files from a previous images - take a look inside a  After reboot you might want to verify the version you are running with :code:`show version` -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show version    Version:          VyOS 1.2.0-rolling+201810030440 diff --git a/docs/install.rst b/docs/install.rst index 95edb539..c42eda6b 100644 --- a/docs/install.rst +++ b/docs/install.rst @@ -71,7 +71,7 @@ https://pgp.mit.edu/pks/lookup?op=get&search=0xFD220285A0FE6D7E  Or from the following block: -.. code-block:: console +.. code-block:: none    -----BEGIN PGP PUBLIC KEY BLOCK-----    Version: GnuPG v1.4.12 (GNU/Linux) @@ -131,7 +131,7 @@ file_with_the_public_key``  The import can be verified with: -.. code-block:: console +.. code-block:: none    $ gpg --list-keys    ... @@ -154,7 +154,7 @@ downloaded.  Finally, verify the authencity of the downloaded image: -.. code-block:: console +.. code-block:: none    $ gpg2 --verify vyos-1.2.1-amd64.iso.asc  vyos-1.2.1-amd64.iso    gpg: Signature made So 14 Apr 12:58:07 2019 CEST @@ -171,7 +171,7 @@ VyOS ISO is a Live CD and will boot to a functional VyOS image.  To login to the system, use the default username and password will be: ``vyos`` -.. code-block:: console +.. code-block:: none    The programs included with the Debian GNU/Linux system are free software;    the exact distribution terms for each program are described in the @@ -200,7 +200,7 @@ keys, or custom scripts.  To install VyOS, run ``install image`` after logging into the live system with  the provided default credentials. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ install image    Welcome to the VyOS install program.  This script @@ -253,7 +253,7 @@ the provided default credentials.  After the installation is complete, remove the Live CD and reboot the system: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ reboot    Proceed with reboot? (Yes/No) [No] Yes 
@@ -288,7 +288,7 @@ Configure DHCP server to provide the client with:  In this example we configured an existent VyOS as the DHCP server: -.. code-block:: console +.. code-block:: none    vyos@vyos# show service dhcp-server     shared-network-name mydhcp { @@ -327,7 +327,7 @@ Configure a TFTP server so that it serves the following:  In the example we configured our existent VyOS as the TFTP server too: -.. code-block:: console +.. code-block:: none    vyos@vyos# show service tftp-server     directory /config/tftpboot @@ -335,7 +335,7 @@ In the example we configured our existent VyOS as the TFTP server too:  Example of the contents of the TFTP server: -.. code-block:: console +.. code-block:: none    vyos@vyos# ls -hal /config/tftpboot/    total 29M @@ -355,7 +355,7 @@ Example of the contents of the TFTP server:  Example of simple (no menu) configuration file: -.. code-block:: console +.. code-block:: none    vyos@vyos# cat /config/tftpboot/pxelinux.cfg/default    DEFAULT VyOS123 diff --git a/docs/interfaces/addresses.rst b/docs/interfaces/addresses.rst index 476de02d..19ba8225 100644 --- a/docs/interfaces/addresses.rst +++ b/docs/interfaces/addresses.rst @@ -27,7 +27,7 @@ PPP.  The command is ``set interfaces $type $name address $address``. Examples: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address 192.0.2.1/24    set interfaces tunnel tun0 address 10.0.0.1/30 @@ -43,7 +43,7 @@ Pseudo-ethernet, Wireless).  The command is ``set interfaces $type $name address dhcp``. Examples: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 vif 90 address dhcp    set interfaces bridge br0 address dhcp @@ -61,7 +61,7 @@ except :ref:`tunnel-interface`.  The command is ``set interfaces $type $name address $address``. Examples: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address 2001:db8:100::ffff/64    set interfaces tunnel tun0 address 2001:db8::1/64 
@@ -77,7 +77,7 @@ Pseudo-ethernet, Wireless).  The command is `set interfaces $type $name address dhcpv6`. Examples: -.. code-block:: console +.. code-block:: none    set interfaces bonding bond1 address dhcpv6    set interfaces bridge br0 vif 56 address dhcpv6 @@ -91,7 +91,7 @@ interfaces, and those that are directly connected to a physical interface  The command is ``set interfaces $type $name ipv6 address autoconf``. Examples: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 vif 90 ipv6 address autoconf    set interfaces bridge br0 ipv6 address autoconf @@ -109,7 +109,7 @@ MAC address, if you specify the prefix.  The command is `set interfaces $type $name ipv6 address eui64 $prefix`.  Examples: -.. code-block:: console +.. code-block:: none    set interfaces bridge br0 ipv6 address eui64 2001:db8:beef::/64    set interfaces pseudo-ethernet peth0 ipv6 address eui64 2001:db8:aa::/64 @@ -123,14 +123,14 @@ of what is known as SLAAC (Stateless Address Autoconfiguration).  To enable or disable, use: -.. code-block:: console +.. code-block:: none    set interfaces <interface> ipv6 router-advert send-advert <true|false>  To set the options described in "Router Advertisement Message Format": -.. code-block:: console +.. code-block:: none    vyos@vyos#  set interfaces <interface> ipv6 router-advert    Possible completions: @@ -154,7 +154,7 @@ Prefix Information  Prefix information is described in :rfc:`4861#section-4.6.2`. -.. code-block:: console +.. code-block:: none    vyos@vyos# set interfaces <interface> ipv6 router-advert prefix <h:h:h:h:h:h:h:h/x>    Possible completions: @@ -169,7 +169,7 @@ Receiving Router Advertisements  To receive and accept RAs on an interface, you need to enable it with the  following configuration command -.. code-block:: console +.. code-block:: none    vyos@vyos# set system sysctl custom net.ipv6.conf.<interface>.accept_ra value 2 
diff --git a/docs/interfaces/bond.rst b/docs/interfaces/bond.rst index 2de753d5..880c7580 100644 --- a/docs/interfaces/bond.rst +++ b/docs/interfaces/bond.rst @@ -8,13 +8,13 @@ logical one. It's called bonding, or LAG, or ether-channel, or port-channel.  Create interface bondX, where X is just a number: -.. code-block:: console +.. code-block:: none    set interfaces bonding bond0 description 'my-sw1 int 23 and 24'  You are able to choose a hash policy: -.. code-block:: console +.. code-block:: none    vyos@vyos# set interfaces bonding bond0 hash-policy    Possible completions: @@ -24,20 +24,20 @@ You are able to choose a hash policy:  For example: -.. code-block:: console +.. code-block:: none    set interfaces bonding bond0 hash-policy 'layer2'  You may want to set IEEE 802.3ad Dynamic link aggregation (802.3ad) AKA LACP  (don't forget to setup it on the other end of these links): -.. code-block:: console +.. code-block:: none   set interfaces bonding bond0 mode '802.3ad'  or some other modes: -.. code-block:: console +.. code-block:: none    vyos@vyos# set interfaces bonding bond0 mode    Possible completions: @@ -54,7 +54,7 @@ or some other modes:  Now bond some physical interfaces into bond0: -.. code-block:: console +.. code-block:: none    set interfaces bonding bond0 member interface eth0    set interfaces bonding bond0 member interface eth1 @@ -64,7 +64,7 @@ change its` duplex, for example) and assign IPs or VIFs on it.  You may check the result: -.. code-block:: console +.. code-block:: none    vyos@vyos# run sh interfaces bonding    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down diff --git a/docs/interfaces/bridge.rst b/docs/interfaces/bridge.rst index 77049597..2ae6a243 100644 --- a/docs/interfaces/bridge.rst +++ b/docs/interfaces/bridge.rst 
@@ -9,7 +9,7 @@ Layer-2 traffic.  A bridge is created when a bridge interface is defined. In the example below  we create a bridge named br100 with eth1 and eth2 as the bridge member ports. -.. code-block:: console +.. code-block:: none    set interfaces bridge 'br100'    set interfaces bridge br100 member interface eth1 @@ -18,7 +18,7 @@ we create a bridge named br100 with eth1 and eth2 as the bridge member ports.  Each bridge member can be assiged a port cost and priority using the following  commands: -.. code-block:: console +.. code-block:: none    set interfaces bridge br100 member interface eth1 cost 10    set interfaces bridge br100 member interface eth1 priority 1024 @@ -27,14 +27,14 @@ Interfaces assigned to a bridge do not have address configuration. An IP  address can be assigned to the bridge interface itself, however, like any  normal interface. -.. code-block:: console +.. code-block:: none    set interfaces bridge br100 address '192.168.100.1/24'    set interfaces bridge br100 address '2001:db8:100::1/64'  Example Result: -.. code-block:: console +.. code-block:: none    bridge br100 {        address 192.168.100.1/24 @@ -59,7 +59,7 @@ Spanning-Tree Protocol. STP is disabled by default.  To enable spanning-tree use the `set interfaces bridge <name> stp` command: -.. code-block:: console +.. code-block:: none    set interfaces bridge br100 stp @@ -70,7 +70,7 @@ using the `aging` directive.  The `show bridge` operational command can be used to display configured  bridges: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show bridge    bridge name     bridge id               STP enabled     interfaces @@ -79,7 +79,7 @@ bridges:  If spanning-tree is enabled, the `show bridge <name> spanning-tree` command  can be used to show STP configuration: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show bridge br100 spanning-tree    br100 
@@ -105,7 +105,7 @@ can be used to show STP configuration:  The MAC address-table for a bridge can be displayed using the  `show bridge <name> macs` command: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show bridge br100 macs    port no mac addr                is local?       ageing timer diff --git a/docs/interfaces/dummy.rst b/docs/interfaces/dummy.rst index c3d58ff1..9dbb9668 100644 --- a/docs/interfaces/dummy.rst +++ b/docs/interfaces/dummy.rst @@ -10,7 +10,7 @@ purposes.  Configuration commands: -.. code-block:: console +.. code-block:: none    vyos@vyos# set interfaces dummy dum0    Possible completions: diff --git a/docs/interfaces/ethernet.rst b/docs/interfaces/ethernet.rst index c55f1c1c..cbefbaf6 100644 --- a/docs/interfaces/ethernet.rst +++ b/docs/interfaces/ethernet.rst @@ -6,7 +6,7 @@ Ethernet  Ethernet interfaces allow for the configuration of speed, duplex, and hw-id  (MAC address). Below is an example configuration: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth1 address '192.168.0.1/24'    set interfaces ethernet eth1 address '2001:db8:1::ffff/64' @@ -16,7 +16,7 @@ Ethernet interfaces allow for the configuration of speed, duplex, and hw-id  Resulting in: -.. code-block:: console +.. code-block:: none    ethernet eth1 {        address 192.168.0.1/24 @@ -35,7 +35,7 @@ In addition, Ethernet interfaces provide the extended operational commands:  Statistics available are driver dependent. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces ethernet eth0 physical    Settings for eth0: diff --git a/docs/interfaces/geneve.rst b/docs/interfaces/geneve.rst index 4f41c4e6..f6303336 100644 --- a/docs/interfaces/geneve.rst +++ b/docs/interfaces/geneve.rst 
@@ -20,7 +20,7 @@ fabric. Sometimes termed "leaf and spine" or "fat tree" topologies.  Geneve Header: -.. code-block:: console +.. code-block:: none    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+    |Ver|  Opt Len  |O|C|    Rsvd.  |          Protocol Type        | diff --git a/docs/interfaces/index.rst b/docs/interfaces/index.rst index 7a97019d..adcc7c71 100644 --- a/docs/interfaces/index.rst +++ b/docs/interfaces/index.rst @@ -7,7 +7,7 @@ Network Interfaces  Configured interfaces on a VyOS system can be displayed using the  ``show interfaces`` command. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down @@ -21,7 +21,7 @@ Configured interfaces on a VyOS system can be displayed using the  A specific interface can be shown using the ``show interfaces <type> <name>``  command. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces ethernet eth0    eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 diff --git a/docs/interfaces/l2tpv3.rst b/docs/interfaces/l2tpv3.rst index f3cdd467..4574e731 100644 --- a/docs/interfaces/l2tpv3.rst +++ b/docs/interfaces/l2tpv3.rst @@ -12,7 +12,7 @@ to PPP.  Over IP  ^^^^^^^ -.. code-block:: console +.. code-block:: none    # show interfaces l2tpv3    l2tpv3 l2tpeth10 { @@ -36,7 +36,7 @@ UDP mode works better with NAT:  * Set local-ip to your local IP (LAN).  * Add a forwarding rule matching UDP port on your internet router. -.. code-block:: console +.. code-block:: none    # show interfaces l2tpv3    l2tpv3 l2tpeth10 { @@ -63,7 +63,7 @@ will be directly connected like if there was a switch between them.  IPSec: -.. code-block:: console +.. code-block:: none    set vpn ipsec ipsec-interfaces <VPN-interface>    set vpn ipsec esp-group test-ESP-1 compression 'disable' 
@@ -91,7 +91,7 @@ IPSec:  Bridge: -.. code-block:: console +.. code-block:: none    set interfaces bridge br0 description 'L2 VPN Bridge'    # remote side in this example: @@ -102,7 +102,7 @@ Bridge:  L2TPv3: -.. code-block:: console +.. code-block:: none    set interfaces bridge br0 member interface 'l2tpeth0'    set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel' diff --git a/docs/interfaces/pppoe.rst b/docs/interfaces/pppoe.rst index eee795ae..ef595b97 100644 --- a/docs/interfaces/pppoe.rst +++ b/docs/interfaces/pppoe.rst @@ -72,7 +72,7 @@ Requirements:    nameservers your ISP sens you and thus you can fully rely on the ones you    have configured statically. -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 description "DSL Modem"    set interfaces ethernet eth0 duplex auto @@ -88,7 +88,7 @@ Requirements:  You should add a firewall to your configuration above as well by  assigning it to the pppoe0 itself as shown here: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 pppoe 0 firewall in name NET-IN    set interfaces ethernet eth0 pppoe 0 firewall local name NET-LOCAL @@ -103,7 +103,7 @@ can easily create a PPPoE session through an encapsulated VLAN interface.  The following configuration will run your PPPoE connection through VLAN7  which is the default VLAN for Deutsche Telekom: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 description "DSL Modem"    set interfaces ethernet eth0 duplex auto diff --git a/docs/interfaces/qinq.rst b/docs/interfaces/qinq.rst index 5632d6f4..2038a21c 100644 --- a/docs/interfaces/qinq.rst +++ b/docs/interfaces/qinq.rst @@ -31,7 +31,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG  Configuration commands: -.. code-block:: console +.. code-block:: none    interfaces        ethernet <eth[0-999]> 
@@ -65,7 +65,7 @@ Configuration commands:  Example: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 vif-s 333    set interfaces ethernet eth0 vif-s 333 address 192.0.2.10/32 diff --git a/docs/interfaces/tunnel.rst b/docs/interfaces/tunnel.rst index 774a18aa..98d3766c 100644 --- a/docs/interfaces/tunnel.rst +++ b/docs/interfaces/tunnel.rst @@ -22,7 +22,7 @@ this reason, there are no other configuration options for this kind of tunnel.  An example: -.. code-block:: console +.. code-block:: none    set interfaces tunnel tun0 encapsulation ipip    set interfaces tunnel tun0 local-ip 192.0.2.10 @@ -40,7 +40,7 @@ It's not likely that anyone will need it any time soon, but it does exist.  An example: -.. code-block:: console +.. code-block:: none    set interfaces tunnel tun0 encapsulation ipip    set interfaces tunnel tun0 local-ip 2001:db8:aa::1/64 @@ -57,7 +57,7 @@ As the name implies, it's IPv4 encapsulated in IPv6, as simple as that.  An example: -.. code-block:: console +.. code-block:: none    set interfaces tunnel tun0 encapsulation ipip6    set interfaces tunnel tun0 local-ip 2001:db8:aa::1/64 @@ -79,7 +79,7 @@ Electric`_.  An example: -.. code-block:: console +.. code-block:: none    set interfaces tunnel tun0 encapsulation sit    set interfaces tunnel tun0 local-ip 192.0.2.10 @@ -108,7 +108,7 @@ ip otherwise it would have to be configured as well.  **VyOS Router:** -.. code-block:: console +.. code-block:: none    set interfaces tunnel tun100 address '10.0.0.1/30'    set interfaces tunnel tun100 encapsulation 'gre' @@ -117,7 +117,7 @@ ip otherwise it would have to be configured as well.  **Cisco IOS Router:** -.. code-block:: console +.. code-block:: none    interface Tunnel100    ip address 10.0.0.2 255.255.255.252 
@@ -135,7 +135,7 @@ that are discarding IP protocol 47 or blocking your source/desintation traffic.  **1. Confirm IP connectivity between tunnel local-ip and remote-ip:** -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ ping 203.0.113.10 interface 198.51.100.2 count 4    PING 203.0.113.10 (203.0.113.10) from 198.51.100.2 : 56(84) bytes of data. @@ -150,7 +150,7 @@ that are discarding IP protocol 47 or blocking your source/desintation traffic.  **2. Confirm the link type has been set to GRE:** -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces tunnel tun100    tun100@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000 @@ -167,7 +167,7 @@ that are discarding IP protocol 47 or blocking your source/desintation traffic.  **3. Confirm IP connectivity across the tunnel:** -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ ping 10.0.0.2 interface 10.0.0.1 count 4    PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data. @@ -185,14 +185,14 @@ Virtual Tunnel Interface (VTI)  Set Virtual Tunnel Interface -.. code-block:: console +.. code-block:: none    set interfaces vti vti0 address 192.168.2.249/30    set interfaces vti vti0 address 2001:db8:2::249/64  Results in: -.. code-block:: console +.. code-block:: none    vyos@vyos# show interfaces vti    vti vti0 { diff --git a/docs/interfaces/vlan.rst b/docs/interfaces/vlan.rst index 5f7013b6..82f73efe 100644 --- a/docs/interfaces/vlan.rst +++ b/docs/interfaces/vlan.rst @@ -30,7 +30,7 @@ accomplished using the configuration command:  To assign a vif 100 using the VLAN 100 tag to physical interface eth1 use: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth1 vif 100 description 'VLAN 100'    set interfaces ethernet eth1 vif 100 address '192.168.100.1/24' 
@@ -38,7 +38,7 @@ To assign a vif 100 using the VLAN 100 tag to physical interface eth1 use:  Resulting in: -.. code-block:: console +.. code-block:: none    ethernet eth1 {        address 192.168.100.1/24 @@ -56,7 +56,7 @@ Resulting in:  VLAN interfaces are shown as `<name>.<vlan-id>`, e.g. `eth1.100`: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down diff --git a/docs/interfaces/vxlan.rst b/docs/interfaces/vxlan.rst index 4b97c9e0..e597e167 100644 --- a/docs/interfaces/vxlan.rst +++ b/docs/interfaces/vxlan.rst @@ -68,7 +68,7 @@ support this.  Configuration commands  ^^^^^^^^^^^^^^^^^^^^^^ -.. code-block:: console +.. code-block:: none    interfaces      vxlan <vxlan[0-16777215]> @@ -97,7 +97,7 @@ This topology was built using GNS3.  Topology: -.. code-block:: console +.. code-block:: none    Spine1:    fa0/2 towards Leaf2, IP-address: 10.1.2.1/24 @@ -113,7 +113,7 @@ Topology:  Spine1 Configuration: -.. code-block:: console +.. code-block:: none    conf t    ip multicast-routing @@ -136,7 +136,7 @@ from.  Leaf2 configuration: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address '10.1.2.2/24'    set protocols ospf area 0 network '10.0.0.0/8' @@ -161,7 +161,7 @@ Leaf2 configuration:  Leaf3 configuration: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address '10.1.3.3/24'    set protocols ospf area 0 network '10.0.0.0/8' @@ -188,7 +188,7 @@ As you can see, Leaf2 and Leaf3 configuration is almost identical. There are  lots of commands above, I'll try to into more detail below, command  descriptions are placed under the command boxes: -.. code-block:: console +.. code-block:: none    set interfaces bridge br241 address '172.16.241.1/24' 
@@ -200,7 +200,7 @@ so that the Spine will learn how to reach it. To do this you need to change the  OSPF network from '10.0.0.0/8' to '0.0.0.0/0' to allow 172.16/12-networks to be  advertised. -.. code-block:: console +.. code-block:: none    set interfaces bridge br241 member interface 'eth1.241'    set interfaces bridge br241 member interface 'vxlan241' @@ -208,28 +208,28 @@ advertised.  Binds eth1.241 and vxlan241 to each other by making them both member interfaces of  the same bridge. -.. code-block:: console +.. code-block:: none    set interfaces vxlan vxlan241 group '239.0.0.241'  The multicast-group used by all Leafs for this vlan extension. Has to be the  same on all Leafs that has this interface. -.. code-block:: console +.. code-block:: none    set interfaces vxlan vxlan241 link 'eth0'  Sets the interface to listen for multicast packets on. Could be a loopback, not  yet tested. -.. code-block:: console +.. code-block:: none    set interfaces vxlan vxlan241 vni '241'  Sets the unique id for this vxlan-interface. Not sure how it correlates with  multicast-address. -.. code-block:: console +.. code-block:: none    set interfaces vxlan vxlan241 remote-port 12345 @@ -244,7 +244,7 @@ Older Examples  Example for bridging normal L2 segment and vxlan overlay network, and using a  vxlan interface as routing interface. -.. code-block:: console +.. code-block:: none    interfaces {         bridge br0 { @@ -276,7 +276,7 @@ router has a VLAN interface (26) facing the client devices and a VLAN interface  can flow between both routers' VLAN 26, but can't escape since there is no L3  gateway. You can add an IP to a bridge to create a gateway. -.. code-block:: console +.. code-block:: none    interfaces {         bridge br0 { 
@@ -310,7 +310,7 @@ Alternative to multicast, the remote IPv4 address of the VXLAN tunnel can set di  Let's change the Multicast example from above: -.. code-block:: console +.. code-block:: none    # leaf2 and leaf3    delete interfaces vxlan vxlan241 group '239.0.0.241' diff --git a/docs/interfaces/wireless.rst b/docs/interfaces/wireless.rst index f1f9ae80..8bd84364 100644 --- a/docs/interfaces/wireless.rst +++ b/docs/interfaces/wireless.rst @@ -45,7 +45,7 @@ The WAP in this example has the following characteristics:  * Use 802.11n protocol  * Wireless channel ``1`` -.. code-block:: console +.. code-block:: none    set interfaces wireless wlan0 address '192.0.2.1/24'    set interfaces wireless wlan0 type access-point @@ -58,7 +58,7 @@ The WAP in this example has the following characteristics:  Resulting in -.. code-block:: console +.. code-block:: none    interfaces {      [...] @@ -110,7 +110,7 @@ The WAP in this example has the following characteristics:  * Wireless channel ``1``  * RADIUS server at ``192.0.3.10`` with shared-secret ``VyOSPassword`` -.. code-block:: console +.. code-block:: none    set interfaces wireless wlan0 address '192.0.2.1/24'    set interfaces wireless wlan0 type access-point @@ -124,7 +124,7 @@ The WAP in this example has the following characteristics:  Resulting in -.. code-block:: console +.. code-block:: none    interfaces {      [...] @@ -161,7 +161,7 @@ The example creates a wireless station (commonly referred to as Wi-Fi client)  that accesses the network through the WAP defined in the above example. The  default physical device (``phy0``) is used. -.. code-block:: console +.. code-block:: none    set interfaces wireless wlan0 type station    set interfaces wireless wlan0 address dhcp @@ -170,7 +170,7 @@ default physical device (``phy0``) is used.  Resulting in -.. code-block:: console +.. code-block:: none    interfaces {      [...] 
@@ -193,7 +193,7 @@ Operational Commands  Use this command to view operational status and wireless-specific information  about all wireless interfaces. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces wireless info    Interface  Type          SSID                         Channel @@ -204,7 +204,7 @@ about all wireless interfaces.  Use this command to view operational status and detailes wireless-specific  information about all wireless interfaces. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces wireless detail    wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 @@ -236,7 +236,7 @@ information about all wireless interfaces.  This command shows both status and statistics on the specified wireless interface.  The wireless interface identifier can range from wlan0 to wlan999. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces wireless wlan0    wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 @@ -257,7 +257,7 @@ The wireless interface identifier can range from wlan0 to wlan999.  This command gives a brief status overview of a specified wireless interface.  The wireless interface identifier can range from wlan0 to wlan999. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces wireless wlan0 brief    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down @@ -271,7 +271,7 @@ The wireless interface identifier can range from wlan0 to wlan999.  Use this command to view wireless interface queue information.  The wireless interface identifier can range from wlan0 to wlan999. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces wireless wlan0 queue    qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 
@@ -289,7 +289,7 @@ in station mode.     hardware. Refer to your driver and wireless hardware documentation for     further details. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show interfaces wireless wlan0 scan    Address            SSID                          Channel  Signal (dbm) diff --git a/docs/load-balancing.rst b/docs/load-balancing.rst index 7aa8fd63..092161f4 100644 --- a/docs/load-balancing.rst +++ b/docs/load-balancing.rst @@ -15,7 +15,7 @@ In a minimal, configuration the following must be provided:  lets assume we have two dhcp WAN interfaces and one LAN (eth2) -.. code-block:: console +.. code-block:: none      set load-balancing wan interface-health eth0 nexthop 'dhcp'      set load-balancing wan interface-health eth1 nexthop 'dhcp' @@ -32,7 +32,7 @@ If a packet doesn't match any rule it is sent by using the system routing table.  Create a load balancing rule, rule can be a number between 1 and 9999: -.. code-block:: console +.. code-block:: none      vyos@vyos# set load-balancing wan rule 1      Possible completions: @@ -53,7 +53,7 @@ Interface weight  Let's expand the example from above and add a weight to the interfaces. The bandwidth from eth0 is larger than eth1.  Per default outbound traffic is distributed randomly across available interfaces. Weights can be assigned to interfaces to influence the balancing. -.. code-block:: console +.. code-block:: none      set load-balancing wan rule 1 interface eth0 weight 2      set load-balancing wan rule 1 interface eth1 weight 1 @@ -66,7 +66,7 @@ Rate limit  A packet rate limit can be set for a rule to apply the rule to traffic above or below a specified threshold.  To configure the rate limiting use: -.. code-block:: console +.. code-block:: none      set load-balancing wan rule <rule> limit <parameter> 
@@ -85,7 +85,7 @@ This has the advantage that packets always arrive in order if links with differe  Packet-based balancing can lead to a better balance across interfaces when out of order packets are no issue. Per-packet-based balancing can be set for a balancing rule with: -.. code-block:: console +.. code-block:: none      set load-balancing wan rule <rule> per-packet-balancing @@ -94,7 +94,7 @@ Exclude traffic  To exclude traffic from load balancing, traffic matching an exclude rule is not balanced but routed through the system routing table instead: -.. code-block:: console +.. code-block:: none      set load-balancing wan rule <rule> exclude @@ -105,7 +105,7 @@ Health checks  The health of interfaces and paths assigned to the load balancer is periodically checked by sending ICMP packets (ping) to remote destinations, a TTL test or the execution of a user defined script.  If an interface fails the health check it is removed from the load balancer's pool of interfaces. To enable health checking for an interface: -.. code-block:: console +.. code-block:: none      vyos@vyos# set load-balancing wan interface-health <interface>      Possible completions: @@ -116,14 +116,14 @@ If an interface fails the health check it is removed from the load balancer's po  Specify nexthop on the path to destination, ``ipv4-address`` can be set to ``dhcp`` -.. code-block:: console +.. code-block:: none      set load-balancing wan interface-health <interface> nexthop <ipv4-address>  Set the number of health check failures before an interface is marked as unavailable, range for number is 1 to 10, default 1.  Or set the number of successful health checks before an interface is added back to the interface pool, range for number is 1 to 10, default 1. -.. code-block:: console +.. code-block:: none      set load-balancing wan interface-health <interface> failure-count <number>      set load-balancing wan interface-health <interface> success-count <number> 
@@ -131,7 +131,7 @@ Or set the number of successful health checks before an interface is added back  Each health check is configured in its own test, tests are numbered and processed in numeric order.  For multi target health checking multiple tests can be defined: -.. code-block:: console +.. code-block:: none      vyos@vyos# set load-balancing wan interface-health eth1 test 0      Possible completions: @@ -153,7 +153,7 @@ Source NAT rules  Per default, interfaces used in a load balancing pool replace the source IP of each outgoing packet with its own address to ensure that replies arrive on the same interface.  This works through automatically generated source NAT (SNAT) rules, these rules are only applied to balanced traffic. In cases where this behaviour is not desired, the automatic generation of SNAT rules can be disabled: -.. code-block:: console +.. code-block:: none      set load-balancing wan disable-source-nat @@ -163,7 +163,7 @@ Sticky Connections  Upon reception of an incoming packet, when a response is sent, it might be desired to ensure that it leaves from the same interface as the inbound one.  This can be achieved by enabling sticky connections in the load balancing: -.. code-block:: console +.. code-block:: none      set load-balancing wan sticky-connections inbound 
@@ -176,13 +176,13 @@ The primary interface is selected based on its weight and health, others become  Secondary interfaces to take over a failed primary interface are chosen from the load balancer's interface pool, depending on their weight and health.  Interface roles can also be selected based on rule order by including interfaces in balancing rules and ordering those rules accordingly. To put the load balancer in failover mode, create a failover rule: -.. code-block:: console +.. code-block:: none      set load-balancing wan rule <number> failover  Because existing sessions do not automatically fail over to a new path, the session table can be flushed on each connection state change: -.. code-block:: console +.. code-block:: none      set load-balancing wan flush-connections @@ -195,7 +195,7 @@ Script execution  A script can be run when an interface state change occurs. Scripts are run from /config/scripts, for a different location specify the full path: -.. code-block:: console +.. code-block:: none      set load-balancing wan hook script-name @@ -219,7 +219,7 @@ A character at the start of each line depicts the state of the test  * ``-`` failed  * a blank indicates that no test has been carried out -.. code-block:: console +.. code-block:: none      vyos@vyos:~$ show wan-load-balance      Interface:  eth0 @@ -240,7 +240,7 @@ A character at the start of each line depicts the state of the test  Show connection data of load balanced traffic: -.. code-block:: console +.. code-block:: none      vyos@vyos:~$ show wan-load-balance connection      conntrack v1.4.2 (conntrack-tools): 3 flow entries have been shown. @@ -252,6 +252,6 @@ Show connection data of load balanced traffic:  Restart  ******* -.. code-block:: console +.. code-block:: none      restart wan-load-balance diff --git a/docs/nat.rst b/docs/nat.rst index 4e21ad3a..a8475978 100644 --- a/docs/nat.rst +++ b/docs/nat.rst 
@@ -21,7 +21,7 @@ To setup SNAT, we need to know:  In the example used for the Quick Start configuration above, we demonstrate  the following configuration: -.. code-block:: console +.. code-block:: none    set nat source rule 100 outbound-interface 'eth0'    set nat source rule 100 source address '192.168.0.0/24' @@ -29,7 +29,7 @@ the following configuration:  Which generates the following configuration: -.. code-block:: console +.. code-block:: none    rule 100 {        outbound-interface eth0 @@ -58,7 +58,7 @@ recommended.  A pool of addresses can be defined by using a **-** in the  `set nat source rule [n] translation address` statement. -.. code-block:: console +.. code-block:: none    set nat source rule 100 translation address '203.0.113.32-203.0.113.63' @@ -108,7 +108,7 @@ To setup a NAT reflection rule, we need to create a rule to NAT connections  from the internal network to the same internal network to use the source  address of the internal interface. -.. code-block:: console +.. code-block:: none    set nat source rule 110 description 'NAT Reflection: INSIDE'    set nat source rule 110 destination address '192.168.0.0/24' @@ -118,7 +118,7 @@ address of the internal interface.  Which results in a configuration of: -.. code-block:: console +.. code-block:: none    rule 110 {        description "NAT Reflection: INSIDE" @@ -156,7 +156,7 @@ For other common port numbers, see: http://en.wikipedia.org/wiki/List_of_TCP_and  Our configuration commands would be: -.. code-block:: console +.. code-block:: none    set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'    set nat destination rule 10 destination port '80' @@ -166,7 +166,7 @@ Our configuration commands would be:  Which would generate the following NAT destination configuration: -.. code-block:: console +.. code-block:: none    nat {        destination { 
@@ -198,7 +198,7 @@ the destination address has already been translated to 192.168.0.100.  So in our firewall policy, we want to allow traffic coming in on the outside  interface, destined for TCP port 80 and the IP address of 192.168.0.100. -.. code-block:: console +.. code-block:: none    set firewall name OUTSIDE-IN rule 20 action 'accept'    set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100' @@ -208,7 +208,7 @@ interface, destined for TCP port 80 and the IP address of 192.168.0.100.  This would generate the following configuration: -.. code-block:: console +.. code-block:: none    rule 20 {        action accept @@ -248,7 +248,7 @@ notion of ports, such as GRE.  Here's an extract of a simple 1-to-1 NAT configuration with one internal and  one external interface: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address '192.168.1.1/24'    set interfaces ethernet eth0 description 'Inside interface' @@ -305,7 +305,7 @@ VyOS Support  NPTv6 support has been added in VyOS 1.2 (Crux) and is available through  `nat nptv6` configuration nodes. -.. code-block:: console +.. code-block:: none    set rule 10 inside-prefix 'fc00:dead:beef::/48'    set rule 10 outside-interface 'eth1' @@ -316,7 +316,7 @@ NPTv6 support has been added in VyOS 1.2 (Crux) and is available through  Resulting in the following ip6tables rules: -.. code-block:: console +.. code-block:: none    Chain VYOS_DNPT_HOOK (1 references)     pkts bytes target   prot opt in   out   source              destination @@ -368,14 +368,14 @@ but which are not actually assigned to a real network.  We only need a single step for this interface: -.. code-block:: console +.. code-block:: none    set interfaces dummy dum0 address '172.29.41.89/32'  NAT Configuration  ***************** -.. code-block:: console +.. code-block:: none    set nat source rule 110 description 'Internal to ASP'    set nat source rule 110 destination address '172.27.1.0/24' 
@@ -408,7 +408,7 @@ The ASP has documented their IPSec requirements:  Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above) -.. code-block:: console +.. code-block:: none    set vpn ipsec ike-group my-ike ikev2-reauth 'no'    set vpn ipsec ike-group my-ike key-exchange 'ikev1' @@ -433,7 +433,7 @@ We'll use the IKE and ESP groups created above for this VPN.  Because we need access to 2 different subnets on the far side, we will need two different tunnels.  If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too. -.. code-block:: console +.. code-block:: none    set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret'    set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE' @@ -454,7 +454,7 @@ If you've completed all the above steps you no doubt want to see if it's all wor  Start by checking for IPSec SAs (Security Associations) with: -.. code-block:: console +.. code-block:: none    $ show vpn ipsec sa diff --git a/docs/qos.rst b/docs/qos.rst index 01375ce3..f3b3d36c 100644 --- a/docs/qos.rst +++ b/docs/qos.rst @@ -31,7 +31,7 @@ Such configuration takes place under the `traffic-policy` tree.  Available subtrees : -.. code-block:: console +.. code-block:: none    set traffic-policy drop-tail NAME    set traffic-policy fair-queue NAME @@ -49,7 +49,7 @@ Apply traffic policy to an interface  Once a traffic-policy is created, you can apply it to an interface : -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 traffic-policy in WAN-IN    set interfaces etherhet eth0 traffic-policy out WAN-OUT 
@@ -67,7 +67,7 @@ traffic that needs the bandwidth, the lower-priority traffic can use most of the  that the connection can be used fully by whatever wants it, without suffocating real-time traffic or  throttling background traffic too much. -.. code-block:: console +.. code-block:: none    set traffic-policy shaper download bandwidth '175mbit'    set traffic-policy shaper download class 10 bandwidth '10%' @@ -1203,13 +1203,13 @@ Matching traffic  A class can have multiple match filters: -.. code-block:: console +.. code-block:: none    set traffic-policy <POLICY> <POLICY-NAME> class N match MATCH-FILTER-NAME  Example: -.. code-block:: console +.. code-block:: none    set traffic-policy shaper SHAPER class 30 match HTTP    set traffic-policy shaper SHAPER class 30 match HTTPs @@ -1218,7 +1218,7 @@ A match filter contains multiple criteria and will match traffic if all those cr  For example: -.. code-block:: console +.. code-block:: none    set traffic-policy shaper SHAPER class 30 match HTTP ip protocol tcp    set traffic-policy shaper SHAPER class 30 match HTTP ip source port 80 @@ -1228,14 +1228,14 @@ This will match tcp traffic with source port 80.  description  *********** -.. code-block:: console +.. code-block:: none    set traffic-policy shaper SHAPER class 30 match MATCH description "match filter description"  ether  ***** -.. code-block:: console +.. code-block:: none    edit traffic-policy shaper SHAPER class 30 match MATCH ether @@ -1251,20 +1251,20 @@ source  interface  ********* -.. code-block:: console +.. code-block:: none    edit traffic-policy shaper SHAPER class 30 match MATCH interface <interface-name>  ip  ** -.. code-block:: console +.. code-block:: none    edit traffic-policy shaper SHAPER class 30 match MATCH ip  destination  ########### -.. code-block:: console +.. code-block:: none   set destination address IPv4-SUBNET   set destination port U32-PORT 
@@ -1272,14 +1272,14 @@ destination  dscp  #### -.. code-block:: console +.. code-block:: none    set dscp DSCPVALUE  max-length  ########## -.. code-block:: console +.. code-block:: none    set max-length U32-MAXLEN @@ -1288,14 +1288,14 @@ Will match ipv4 packets with a total length lesser than set value.  protocol  ######## -.. code-block:: console +.. code-block:: none    set protocol <IP PROTOCOL>  source  ###### -.. code-block:: console +.. code-block:: none    set source address IPv4-SUBNET    set source port U32-PORT @@ -1308,13 +1308,13 @@ tcp  .. note:: This filter will only match packets with an IPv4 header length of     20 bytes (which is the majority of IPv4 packets anyway). -.. code-block:: console +.. code-block:: none   set tcp ack  Will match tcp packets with ACK flag set. -.. code-block:: console +.. code-block:: none    set tcp syn @@ -1323,14 +1323,14 @@ Will match tcp packets with SYN flag set.  ipv6  **** -.. code-block:: console +.. code-block:: none    edit traffic-policy shaper SHAPER class 30 match MATCH ipv6  destination  ########### - .. code-block:: console + .. code-block:: none    set destination address IPv6-SUBNET    set destination port U32-PORT @@ -1338,14 +1338,14 @@ destination  dscp  #### -.. code-block:: console +.. code-block:: none    set dscp DSCPVALUE  max-length  ########## -.. code-block:: console +.. code-block:: none    set max-length U32-MAXLEN @@ -1354,14 +1354,14 @@ Will match ipv6 packets with a payload length lesser than set value.  protocol  ######## -.. code-block:: console +.. code-block:: none    set protocol IPPROTOCOL  source  ###### -.. code-block:: console +.. code-block:: none    set source address IPv6-SUBNET    set source port U32-PORT 
@@ -1375,13 +1375,13 @@ tcp     http://en.wikipedia.org/wiki/IPv6_packet#Extension_headers for no header     extension. -.. code-block:: console +.. code-block:: none    set tcp ack  Will match tcp packets with ACK flag set. -.. code-block:: console +.. code-block:: none    set tcp syn @@ -1390,18 +1390,18 @@ Will match tcp packets with SYN flag set.  mark  **** -.. code-block:: console +.. code-block:: none    set traffic-policy shaper SHAPER class 30 match MATCH mark **firewall-mark**  vif  *** -.. code-block:: console +.. code-block:: none    set traffic-policy shaper SHAPER class 30 match MATCH vif **vlan-tag** -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'    set interfaces ethernet eth1 traffic-policy out 'LAN-OUT' diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 04746017..bb651c29 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -9,14 +9,14 @@ for a device with two interfaces.  Enter configuration mode: -.. code-block:: console +.. code-block:: none    vyos@vyos$ configure    vyos@vyos#  Configure network interfaces: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address dhcp    set interfaces ethernet eth0 description 'OUTSIDE' @@ -25,14 +25,14 @@ Configure network interfaces:  Enable SSH for remote management: -.. code-block:: console +.. code-block:: none    set service ssh port '22'  Configure DHCP Server and DNS  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. code-block:: console +.. code-block:: none    set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'    set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1' @@ -43,7 +43,7 @@ Configure DHCP Server and DNS  And a DNS forwarder: -.. code-block:: console +.. code-block:: none    set service dns forwarding cache-size '0'    set service dns forwarding listen-address '192.168.0.1' 
@@ -55,7 +55,7 @@ NAT and Firewall  Configure Source NAT for our "Inside" network. -.. code-block:: console +.. code-block:: none    set nat source rule 100 outbound-interface 'eth0'    set nat source rule 100 source address '192.168.0.0/24' @@ -65,7 +65,7 @@ Add a set of firewall policies for our "Outside" interface.  This configuration creates a proper stateful firewall that blocks all traffic: -.. code-block:: console +.. code-block:: none    set firewall name OUTSIDE-IN default-action 'drop'    set firewall name OUTSIDE-IN rule 10 action 'accept' @@ -86,7 +86,7 @@ could create some additional rules to allow the traffic.  These rules allow SSH traffic and rate limit it to 4 requests per minute. This  blocks brute-forcing attempts: -.. code-block:: console +.. code-block:: none    set firewall name OUTSIDE-LOCAL rule 30 action 'drop'    set firewall name OUTSIDE-LOCAL rule 30 destination port '22' @@ -101,14 +101,14 @@ blocks brute-forcing attempts:  Apply the firewall policies: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'    set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'  Commit changes, save the configuration, and exit configuration mode: -.. code-block:: console +.. code-block:: none    vyos@vyos# commit    vyos@vyos# save @@ -127,7 +127,7 @@ One common use of traffic policy is to limit bandwidth for an interface. In  the example below we limit bandwidth for our LAN connection to 200 Mbit  download and out WAN connection to 50 Mbit upload: -.. code-block:: console +.. code-block:: none    set traffic-policy shaper WAN-OUT bandwidth '50Mbit'    set traffic-policy shaper WAN-OUT default bandwidth '50%' @@ -140,7 +140,7 @@ download and out WAN connection to 50 Mbit upload:  Resulting in the following configuration: -.. code-block:: console +.. code-block:: none    traffic-policy {        shaper WAN-OUT { 
@@ -164,7 +164,7 @@ Resulting in the following configuration:  Once defined, a traffic policy can be applied to each interface using the  interface-level traffic-policy directive: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'    set interfaces ethernet eth1 traffic-policy out 'LAN-OUT' @@ -184,7 +184,7 @@ additional configuration steps that should be taken.  Create a user to replace the default `vyos` user: -.. code-block:: console +.. code-block:: none    set system login user myvyosuser level admin    set system login user myvyosuser authentication plaintext-password mysecurepassword @@ -192,7 +192,7 @@ Create a user to replace the default `vyos` user:  Set up SSH key based authentication. For example, on Linux you'd want to run  ``ssh-keygen -t rsa``. Then the contents of ``id_rsa.pub`` would be used below: -.. code-block:: console +.. code-block:: none    set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa    set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub @@ -204,7 +204,7 @@ confirmed that your new user can access your server, without a password, delete  the original ``vyos`` user and probably disable password authentication for  SSH: -.. code-block:: console +.. code-block:: none    delete system login user vyos    set service ssh disable-password-authentication diff --git a/docs/routing/arp.rst b/docs/routing/arp.rst index bcc542d1..358476ac 100644 --- a/docs/routing/arp.rst +++ b/docs/routing/arp.rst @@ -31,7 +31,7 @@ Operation  Display all known ARP table entries spanning accross all interfaces -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show protocols static arp    Address                  HWtype  HWaddress           Flags Mask     Iface 
@@ -43,7 +43,7 @@ Display all known ARP table entries spanning accross all interfaces  Display all known ARP table entries on a given interface only (`eth1`): -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show protocols static arp interface eth1    Address                  HWtype  HWaddress           Flags Mask     Iface diff --git a/docs/routing/bgp.rst b/docs/routing/bgp.rst index 6a2ce581..4fac4889 100644 --- a/docs/routing/bgp.rst +++ b/docs/routing/bgp.rst @@ -15,7 +15,7 @@ A simple eBGP configuration:  **Node 1:** -.. code-block:: console +.. code-block:: none    set protocols bgp 65534 neighbor 192.168.0.2 ebgp-multihop '2'    set protocols bgp 65534 neighbor 192.168.0.2 remote-as '65535' @@ -25,7 +25,7 @@ A simple eBGP configuration:  **Node 2:** -.. code-block:: console +.. code-block:: none    set protocols bgp 65535 neighbor 192.168.0.1 ebgp-multihop '2'    set protocols bgp 65535 neighbor 192.168.0.1 remote-as '65534' @@ -40,13 +40,13 @@ creating a static route:**  **Node 1:** -.. code-block:: console +.. code-block:: none    set protocols static route 172.16.0.0/16 blackhole distance '254'  **Node 2:** -.. code-block:: console +.. code-block:: none    set protocols static route 172.17.0.0/16 blackhole distance '254' @@ -58,7 +58,7 @@ A simple BGP configuration via IPv6.  **Node 1:** -.. code-block:: console +.. code-block:: none    set protocols bgp 65534 neighbor 2001:db8::2 ebgp-multihop '2'    set protocols bgp 65534 neighbor 2001:db8::2 remote-as '65535' @@ -69,7 +69,7 @@ A simple BGP configuration via IPv6.  **Node 2:** -.. code-block:: console +.. code-block:: none    set protocols bgp 65535 neighbor 2001:db8::1 ebgp-multihop '2'    set protocols bgp 65535 neighbor 2001:db8::1 remote-as '65534' 
@@ -84,13 +84,13 @@ creating a static route:**  **Node 1:** -.. code-block:: console +.. code-block:: none    set protocols static route6 2001:db8:1::/48 blackhole distance '254'  **Node 2:** -.. code-block:: console +.. code-block:: none    set protocols static route6 2001:db8:2::/48 blackhole distance '254' @@ -101,7 +101,7 @@ Route filter can be applied using a route-map:  **Node1:** -.. code-block:: console +.. code-block:: none    set policy prefix-list AS65535-IN rule 10 action 'permit'    set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16' @@ -124,7 +124,7 @@ Route filter can be applied using a route-map:  **Node2:** -.. code-block:: console +.. code-block:: none    set policy prefix-list AS65534-IN rule 10 action 'permit'    set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16' diff --git a/docs/routing/igmp-proxy.rst b/docs/routing/igmp-proxy.rst index 6cf5187e..d08c42e2 100644 --- a/docs/routing/igmp-proxy.rst +++ b/docs/routing/igmp-proxy.rst @@ -14,7 +14,7 @@ simple example:  Interface eth1 LAN is behind NAT. In order to subscribe 10.0.0.0/23 subnet multicast which is in eth0 WAN we need igmp-proxy. -.. code-block:: console +.. code-block:: none    # show protocols igmp-proxy    interface eth0 { diff --git a/docs/routing/mss-clamp.rst b/docs/routing/mss-clamp.rst index 329910b0..986c5062 100644 --- a/docs/routing/mss-clamp.rst +++ b/docs/routing/mss-clamp.rst @@ -9,7 +9,7 @@ to clamp your TCP MSS value for IPv4 and IPv6.  Clamping can be disabled per interface using the `disable` keyword: -.. code-block:: console +.. code-block:: none    set firewall options interface pppoe0 disable @@ -19,7 +19,7 @@ IPv4  Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`  for your WireGuard `wg02` tunnel. -.. code-block:: console +.. code-block:: none    set firewall options interface pppoe0 adjust-mss '1452'    set firewall options interface wg02 adjust-mss '1372' 
@@ -32,7 +32,7 @@ Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and  To achieve the same for IPv6 please use: -.. code-block:: console +.. code-block:: none    set firewall options interface pppoe0 adjust-mss6 '1280'    set firewall options interface wg02 adjust-mss6 '1280' diff --git a/docs/routing/ospf.rst b/docs/routing/ospf.rst index eca0acd3..bee70895 100644 --- a/docs/routing/ospf.rst +++ b/docs/routing/ospf.rst @@ -19,13 +19,13 @@ OSPFv2 (IPv4)  In order to have a VyOS system exchanging routes with OSPF neighbors, you will  at least need to configure the area and a network, -.. code-block:: console +.. code-block:: none    set protocols ospf area 0 network 192.168.0.0/24  as well as the router ID. -.. code-block:: console +.. code-block:: none    set protocols ospf parameters router-id 10.1.1.1 @@ -36,7 +36,7 @@ address and the node 1 sending the default route:  **Node 1** -.. code-block:: console +.. code-block:: none    set interfaces loopback lo address 10.1.1.1/32    set protocols ospf area 0 network 192.168.0.0/24 @@ -53,7 +53,7 @@ address and the node 1 sending the default route:  **Node 2** -.. code-block:: console +.. code-block:: none    set interfaces loopback lo address 10.2.2.2/32    set protocols ospf area 0 network 192.168.0.0/24 @@ -72,7 +72,7 @@ A typical configuration using 2 nodes.  **Node 1:** -.. code-block:: console +.. code-block:: none    set protocols ospfv3 area 0.0.0.0 interface eth1    set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64 @@ -81,7 +81,7 @@ A typical configuration using 2 nodes.  **Node 2:** -.. code-block:: console +.. code-block:: none    set protocols ospfv3 area 0.0.0.0 interface eth1    set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64 
@@ -96,7 +96,7 @@ Example configuration for WireGuard interfaces:  **Node 1** -.. code-block:: console +.. code-block:: none    set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64'    set interfaces wireguard wg01 address '192.168.0.1/24' @@ -111,7 +111,7 @@ Example configuration for WireGuard interfaces:  **Node 2** -.. code-block:: console +.. code-block:: none    set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64'    set interfaces wireguard wg01 address '192.168.0.2/24' @@ -126,7 +126,7 @@ Example configuration for WireGuard interfaces:  **Status** -.. code-block:: console +.. code-block:: none    vyos@ospf01:~$ sh ipv6 ospfv3 neighbor    Neighbor ID     Pri    DeadTime    State/IfState         Duration I/F[State] diff --git a/docs/routing/pbr.rst b/docs/routing/pbr.rst index c2746fa3..24cc8498 100644 --- a/docs/routing/pbr.rst +++ b/docs/routing/pbr.rst @@ -13,7 +13,7 @@ Transparent Proxy  The following example will show how VyOS can be used to redirect web traffic to  an external transparent proxy: -.. code-block:: console +.. code-block:: none    set policy route FILTER-WEB rule 1000 destination port 80    set policy route FILTER-WEB rule 1000 protocol tcp @@ -26,7 +26,7 @@ default routing table.  To create routing table 100 and add a new default gateway to be used by  traffic matching our route policy: -.. code-block:: console +.. code-block:: none    set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2 @@ -35,7 +35,7 @@ This can be confirmed using the show ip route table 100 operational command.  Finally, to apply the policy route to ingress traffic on our LAN interface,  we use: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth1 policy route FILTER-WEB 
@@ -62,14 +62,14 @@ Routing tables that will be used in this example are:  Add default routes for routing ``table 10`` and ``table 11`` -.. code-block:: console +.. code-block:: none    set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.1.1    set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2  Add policy route matching VLAN source addresses -.. code-block:: console +.. code-block:: none    set policy route PBR rule 20 set table '10'    set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10' @@ -81,7 +81,7 @@ Add policy route matching VLAN source addresses  Apply routing policy to **inbound** direction of out VLAN interfaces -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 vif 10 policy route 'PBR'    set interfaces ethernet eth0 vif 11 policy route 'PBR' @@ -89,7 +89,7 @@ Apply routing policy to **inbound** direction of out VLAN interfaces  **OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) from PBR -.. code-block:: console +.. code-block:: none    set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut'    set policy route PBR rule 10 destination address '192.168.188.0/24' diff --git a/docs/routing/rip.rst b/docs/routing/rip.rst index 261a3c5e..69d9f4b3 100644 --- a/docs/routing/rip.rst +++ b/docs/routing/rip.rst @@ -19,7 +19,7 @@ Simple RIP configuration using 2 nodes and redistributing connected interfaces.  **Node 1:** -.. code-block:: console +.. code-block:: none    set interfaces loopback address 10.1.1.1/32    set protocols rip network 192.168.0.0/24 @@ -27,7 +27,7 @@ Simple RIP configuration using 2 nodes and redistributing connected interfaces.  **Node 2:** -.. code-block:: console +.. code-block:: none    set interfaces loopback address 10.2.2.2/32    set protocols rip network 192.168.0.0/24 diff --git a/docs/routing/routing-policy.rst b/docs/routing/routing-policy.rst index 408be955..a5714bf7 100644 --- a/docs/routing/routing-policy.rst 
+++ b/docs/routing/routing-policy.rst @@ -15,7 +15,7 @@ Routing Policy Example  **Policy definition:** -.. code-block:: console +.. code-block:: none    #Create policy    set policy route-map setmet rule 2 action 'permit' @@ -29,7 +29,7 @@ Routing Policy Example  **Routes learned before routing policy applied:** -.. code-block:: console +.. code-block:: none    vyos@vos1:~$ show ip bgp    BGP table version is 0, local router ID is 192.168.56.101 @@ -44,7 +44,7 @@ Routing Policy Example  **Routes learned after routing policy applied:** -.. code-block:: console +.. code-block:: none    vyos@vos1:~$ sho ip b    BGP table version is 0, local router ID is 192.168.56.101 diff --git a/docs/routing/static.rst b/docs/routing/static.rst index 003a8767..dc0e1ab4 100644 --- a/docs/routing/static.rst +++ b/docs/routing/static.rst @@ -9,7 +9,7 @@ Static routes are manually configured network routes.  A typical use for a static route is a static default route for systems that do  not make use of DHCP or dynamic routing protocols: -.. code-block:: console +.. code-block:: none    set protocols static route 0.0.0.0/0 next-hop 10.1.1.1 distance '1' @@ -19,7 +19,7 @@ example below, :rfc:`1918` networks are set as blackhole routes.  This prevents these networks leaking out public interfaces, but it does not prevent  them from being used as the most specific route has the highest priority. -.. code-block:: console +.. code-block:: none    set protocols static route 10.0.0.0/8 blackhole distance '254'    set protocols static route 172.16.0.0/12 blackhole distance '254' diff --git a/docs/services/conntrack.rst b/docs/services/conntrack.rst index e949e909..0ee6eb16 100644 --- a/docs/services/conntrack.rst +++ b/docs/services/conntrack.rst 
@@ -27,7 +27,7 @@ will be mandatorily defragmented.  Configuration  ^^^^^^^^^^^^^ -.. code-block:: console +.. code-block:: none    # Protocols only for which local conntrack entries will be synced (tcp, udp, icmp, sctp)    set service conntrack-sync accept-protocol @@ -69,20 +69,20 @@ The next exemple is a simple configuration of conntrack-sync.  First of all, make sure conntrack is enabled by running -.. code-block:: console +.. code-block:: none    show conntrack table ipv4  If the table is empty and you have a warning message, it means conntrack is not  enabled. To enable conntrack, just create a NAT or a firewall rule. -.. code-block:: console +.. code-block:: none    set firewall state-policy established action accept  You now should have a conntrack table -.. code-block:: console +.. code-block:: none    $ show conntrack table ipv4    TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, @@ -99,7 +99,7 @@ You now should have a conntrack table  Now configure conntrack-sync service on ``router1`` **and** ``router2`` -.. code-block:: console +.. code-block:: none    set service conntrack-sync accept-protocol 'tcp,udp,icmp'    set service conntrack-sync event-listen-queue-size '8' @@ -110,7 +110,7 @@ Now configure conntrack-sync service on ``router1`` **and** ``router2``  If you are using VRRP, you need to define a VRRP sync-group, and use ``vrrp sync-group`` instead of ``cluster group``. -.. code-block:: console +.. code-block:: none    set high-availablilty vrrp group internal virtual-address ... etc ...    set high-availability vrrp sync-group syncgrp member 'internal' @@ -123,7 +123,7 @@ the external-cache of the standby router  On active router run: -.. code-block:: console +.. code-block:: none    $ show conntrack-sync statistics diff --git a/docs/services/dhcp.rst b/docs/services/dhcp.rst index e2c8a05e..a2aa087b 100644 --- a/docs/services/dhcp.rst +++ b/docs/services/dhcp.rst 
@@ -28,7 +28,7 @@ Prerequisites:  Multiple DHCP ranges can be defined and may contain holes. -.. code-block:: console +.. code-block:: none    set service dhcp-server shared-network-name '<name>' authoritative    set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 default-router 192.0.2.1 @@ -39,7 +39,7 @@ Multiple DHCP ranges can be defined and may contain holes.  The generated config will look like: -.. code-block:: console +.. code-block:: none    vyos@vyos# show service dhcp-server shared-network-name '<name>'    authoritative @@ -97,7 +97,7 @@ Failover  VyOS provides support for DHCP failover: -.. code-block:: console +.. code-block:: none    set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' \        failover local-address '192.0.2.1' @@ -111,14 +111,14 @@ VyOS provides support for DHCP failover:  The primary and secondary statements determines whether the server is  primary or secondary -.. code-block:: console +.. code-block:: none    set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' \        failover status 'primary'  or -.. code-block:: console +.. code-block:: none    set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' \        failover status 'secondary' @@ -237,7 +237,7 @@ server. The following example describes a common scenario.  * Address pool shall be ``2001:db8::100`` through ``2001:db8::199``.  * Lease time will be left at the default value which is 24 hours -.. code-block:: console +.. code-block:: none    set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 \        address-range start 2001:db8::100 stop 2001:db8::199 @@ -246,7 +246,7 @@ server. The following example describes a common scenario.  The configuration will look as follows: -.. code-block:: console +.. code-block:: none    show service dhcpv6-server        shared-network-name NET1 { 
@@ -275,7 +275,7 @@ be created. The following example explains the process.  .. hint:: The MAC address identifier is defined by the last 4 byte of the     MAC address. -.. code-block:: console +.. code-block:: none    set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 \        static-mapping client1 ipv6-address 2001:db8::101 @@ -284,7 +284,7 @@ be created. The following example explains the process.  The configuration will look as follows: -.. code-block:: console +.. code-block:: none    show service dhcp-server shared-network-name NET1       shared-network-name NET1 { @@ -362,7 +362,7 @@ Example  The generated configuration will look like: -.. code-block:: console +.. code-block:: none    show service dhcp-relay        interface eth1 @@ -440,7 +440,7 @@ Example  The generated configuration will look like: -.. code-block:: console +.. code-block:: none    commit    show service dhcpv6-relay diff --git a/docs/services/dns-forwarding.rst b/docs/services/dns-forwarding.rst index f28c2d21..fbfac6c9 100644 --- a/docs/services/dns-forwarding.rst +++ b/docs/services/dns-forwarding.rst 
@@ -5,33 +5,33 @@ Use DNS forwarding if you want your router to function as a DNS server for the  local network. There are several options, the easiest being 'forward all  traffic to the system DNS server(s)' (defined with set system name-server): -.. code-block:: console +.. code-block:: none    set service dns forwarding system  Manually setting DNS servers for forwarding: -.. code-block:: console +.. code-block:: none    set service dns forwarding name-server 8.8.8.8    set service dns forwarding name-server 8.8.4.4  Manually setting DNS servers with IPv6 connectivity: -.. code-block:: console +.. code-block:: none    set service dns forwarding name-server 2001:4860:4860::8888    set service dns forwarding name-server 2001:4860:4860::8844  Setting a forwarding DNS server for a specific domain: -.. code-block:: console +.. code-block:: none    set service dns forwarding domain example.com server 192.0.2.1  Set which networks or clients are allowed to query the DNS Server. Allow from all: -.. code-block:: console +.. code-block:: none    set service dns forwarding allow-from 0.0.0.0/0 @@ -44,7 +44,7 @@ Router with two interfaces eth0 (WAN link) and eth1 (LAN). Split DNS for example  * Other DNS requests are forwarded to Google's DNS servers.  * The IP address for the LAN interface is 192.168.0.1. -.. code-block:: console +.. code-block:: none    set service dns forwarding domain example.com server 192.0.2.1    set service dns forwarding name-server 8.8.8.8 @@ -60,7 +60,7 @@ servers.  The IP addresses for the LAN interface are 192.168.0.1 and 2001:db8::1 -.. code-block:: console +.. code-block:: none    set service dns forwarding domain example.com server 192.0.2.1    set service dns forwarding name-server 8.8.8.8 diff --git a/docs/services/dynamic-dns.rst b/docs/services/dynamic-dns.rst index fdc8131d..f4968295 100644 --- a/docs/services/dynamic-dns.rst +++ b/docs/services/dynamic-dns.rst 
@@ -16,44 +16,44 @@ VyOS CLI and RFC2136  First, create an :rfc:`2136` config node : -.. code-block:: console +.. code-block:: none    edit service dns dynamic interface eth0 rfc2136 <confignodename>  Present your RNDC key to ddclient : -.. code-block:: console +.. code-block:: none    set key /config/dyndns/mydnsserver.rndc.key  Set the DNS server IP/FQDN : -.. code-block:: console +.. code-block:: none    set server dns.mydomain.com  Set the NS zone to be updated : -.. code-block:: console +.. code-block:: none    set zone mydomain.com  Set the records to be updated : -.. code-block:: console +.. code-block:: none    set record dyn    set record dyn2  You can optionally set a TTL (note : default value is 600 seconds) : -.. code-block:: console +.. code-block:: none    set ttl 600  This will generate the following ddclient config blocks: -.. code-block:: console +.. code-block:: none    server=dns.mydomain.com    protocol=nsupdate @@ -70,7 +70,7 @@ This will generate the following ddclient config blocks:  You can also keep a different dns zone updated. Just create a new config node: -.. code-block:: console +.. code-block:: none    edit service dns dynamic interface eth0 rfc2136 <confignode2> @@ -83,7 +83,7 @@ by ddclient.  To use such a service, you must define a login, a password, one or multiple  hostnames, a protocol and a server. -.. code-block:: console +.. code-block:: none    edit service dns dynamic interface eth0 service HeNet    set login my-login # set password my-password @@ -107,7 +107,7 @@ the services VyOS knows about:  To use DynDNS for example: -.. code-block:: console +.. code-block:: none    edit service dns dynamic interface eth0 service dyndns    set login my-login @@ -116,7 +116,7 @@ To use DynDNS for example:  It's possible to use multiple services : -.. code-block:: console +.. code-block:: none    edit service dns dynamic interface eth0 service dyndns    set login my-login 
@@ -139,7 +139,7 @@ record will be updated to point to your internal IP.  ddclient_ has another way to determine the WAN IP address. This is controlled  by these two options: -.. code-block:: console +.. code-block:: none    set service dns dynamic interface eth0 use-web url    set service dns dynamic interface eth0 use-web skip diff --git a/docs/services/ipoe-server.rst b/docs/services/ipoe-server.rst index 76a199b4..8e3a88eb 100644 --- a/docs/services/ipoe-server.rst +++ b/docs/services/ipoe-server.rst @@ -17,7 +17,7 @@ The clients mac address and the incoming interface is being used as control para  The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06.  Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration. -.. code-block:: console +.. code-block:: none    set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06    set service ipoe-server authentication mode 'local' @@ -29,7 +29,7 @@ Other DHCP discovery requests will be ignored, unless the client mac has been en  The first address of the parameter ``client-subnet``, will be used as the default gateway.  Connected sessions can be checked via the ``show ipoe-server sessions`` command. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show ipoe-server sessions @@ -46,7 +46,7 @@ for devices routed via the clients cpe.  IPv6 DNS addresses are optional. -.. code-block:: console +.. code-block:: none    set service ipoe-server authentication interface eth3 mac-address 08:00:27:2F:D8:06    set service ipoe-server authentication mode 'local' 
@@ -57,7 +57,7 @@ IPv6 DNS addresses are optional.    set service ipoe-server dnsv6-server server-3 '2001:db8:bbb::'    set service ipoe-server interface eth3 client-subnet '192.168.1.0/24' -.. code-block:: console +.. code-block:: none    vyos@ipoe-server# run sh ipoe-server sessions    ifname | called-sid |    calling-sid    |     ip      |               ip6               | ip6-dp          | rate-limit | state  |  uptime  |        sid @@ -74,7 +74,7 @@ Automatic VLAN creation  To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time. -.. code-block:: console +.. code-block:: none    set service ipoe-server interface eth2 network vlan    set service ipoe-server interface eth2 vlan-id 100 @@ -88,7 +88,7 @@ RADIUS Setup  To use a RADIUS server for authentication and bandwidth-shaping, the following example configuration can be used. -.. code-block:: console +.. code-block:: none    set service ipoe-server authentication mode 'radius'    set service ipoe-server authentication radius-server 10.100.100.1 secret 'password' @@ -105,7 +105,7 @@ Bandwidth Shaping for local users  The rate-limit is set in kbit/sec. -.. code-block:: console +.. code-block:: none    set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit download '500'    set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit upload '500' @@ -115,7 +115,7 @@ The rate-limit is set in kbit/sec.    set service ipoe-server interface eth2 client-subnet '192.168.0.0/24' -.. code-block:: console +.. code-block:: none    vyos@vyos# run show ipoe-server sessions diff --git a/docs/services/lldp.rst b/docs/services/lldp.rst index f3d95b5e..3149e4ca 100644 --- a/docs/services/lldp.rst +++ b/docs/services/lldp.rst 
@@ -74,7 +74,7 @@ Display neighbors  Exemple: -.. code-block:: console +.. code-block:: none    vyos@vyos:~# show lldp neighbors    Capability Codes: R - Router, B - Bridge, W - Wlan r - Repeater, S - Station diff --git a/docs/services/mdns-repeater.rst b/docs/services/mdns-repeater.rst index abd3f7ef..22e824ba 100644 --- a/docs/services/mdns-repeater.rst +++ b/docs/services/mdns-repeater.rst @@ -12,14 +12,14 @@ multiple VLANs.  To enable mDNS repeater you need to configure at least two interfaces. To re-  broadcast all mDNS packets from `eth0` to `eth1` and vice versa run: -.. code-block:: console +.. code-block:: none    set service mdns repeater interface eth0    set service mdns repeater interface eth1  mDNS repeater can be temporarily disabled without deleting the service using -.. code-block:: console +.. code-block:: none    set service mdns repeater disable diff --git a/docs/services/pppoe-server.rst b/docs/services/pppoe-server.rst index 0d2d4e80..fbfd09be 100644 --- a/docs/services/pppoe-server.rst +++ b/docs/services/pppoe-server.rst @@ -15,7 +15,7 @@ The example below uses ACN as access-concentrator name, assigns an address  from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and  serves requests only on eth1. -.. code-block:: console +.. code-block:: none    set service pppoe-server access-concentrator 'ACN'    set service pppoe-server authentication local-users username foo password 'bar' @@ -30,7 +30,7 @@ serves requests only on eth1.  Connections can be locally checked via the command -.. code-block:: console +.. code-block:: none    show pppoe-server sessions    ifname | username |     ip     |    calling-sid    | rate-limit  | state  |  uptime  | rx-bytes | tx-bytes 
@@ -48,7 +48,7 @@ If the CIDR notation is used, multiple subnets can be setup which are used seque  **Client IP address via IP range definition** -.. code-block:: console +.. code-block:: none    set service pppoe-server client-ip-pool start '10.1.1.100'    set service pppoe-server client-ip-pool stop '10.1.1.111' @@ -56,7 +56,7 @@ If the CIDR notation is used, multiple subnets can be setup which are used seque  **Client IP subnets via CIDR notation** -.. code-block:: console +.. code-block:: none    set service pppoe-server client-ip-pool subnet '10.1.1.0/24'    set service pppoe-server client-ip-pool subnet '10.1.2.0/24' @@ -70,7 +70,7 @@ To use a radius server, you need to switch to authentication mode radius and  of course need to specify an IP for the server. You can have multiple RADIUS  server configured, if you wish to achieve redundancy. -.. code-block:: console +.. code-block:: none    set service pppoe-server access-concentrator 'ACN'    set service pppoe-server authentication mode 'radius' @@ -84,7 +84,7 @@ RADIUS provides the IP addresses in the example above via Framed-IP-Address.  For remotely disconnect sessions and change some authentication parameters you can configure dae-server -.. code-block:: console +.. code-block:: none    set service pppoe-server authentication radius-settings dae-server ip-address '10.1.1.2'    set service pppoe-server authentication radius-settings dae-server port '3799' 
@@ -92,20 +92,20 @@ For remotely disconnect sessions and change some authentication parameters you c  Example, from radius-server send command for disconnect client with username test -.. code-block:: console +.. code-block:: none    root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799 disconnect secret123  You can also use another attributes for identify client for disconnect, like Framed-IP-Address, Acct-Session-Id, etc.  Result commands appears in log -.. code-block:: console +.. code-block:: none    show log | match Disconnect*  Example for changing rate-limit via RADIUS CoA -.. code-block:: console +.. code-block:: none    echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa secret123 @@ -119,7 +119,7 @@ Automatic VLAN creation  VLAN's can be created by accel-ppp on the fly if via the use of the kernel module vlan_mon, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed.  VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface. -.. code-block:: console +.. code-block:: none    set service pppoe-server interface eth3 vlan-id 100    set service pppoe-server interface eth3 vlan-id 200 @@ -141,7 +141,7 @@ Bandwidth Shaping for local users  The rate-limit is set in kbit/sec. -.. code-block:: console +.. code-block:: none    set service pppoe-server access-concentrator 'ACN'    set service pppoe-server authentication local-users username foo password 'bar' @@ -158,7 +158,7 @@ The rate-limit is set in kbit/sec.  Once the user is connected, the user session is using the set limits and can be displayed via 'show pppoe-server sessions'. -.. code-block:: console +.. code-block:: none    show pppoe-server sessions    ifname | username |     ip     |    calling-sid    | rate-limit  | state  |  uptime  | rx-bytes | tx-bytes 
@@ -175,7 +175,7 @@ Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate  The command below enables it, assuming the RADIUS connection has been setup and is working. -.. code-block:: console +.. code-block:: none    set service pppoe-server authentication radius-settings rate-limit enable @@ -191,7 +191,7 @@ Dual-stack provisioning with IPv6 PD via pppoe  The example below covers a dual-stack configuration via pppoe-server. -.. code-block:: console +.. code-block:: none    set service pppoe-server authentication local-users username test password 'test'    set service pppoe-server authentication mode 'local' @@ -207,7 +207,7 @@ The example below covers a dual-stack configuration via pppoe-server.  The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address, to terminate the pppoe endpoint on the client side and a /56 subnet for the clients internal use. -.. code-block:: console +.. code-block:: none    vyos@pppoe-server:~$ sh pppoe-server sessions     ifname | username |     ip      |            ip6           |       ip6-dp        |    calling-sid    | rate-limit | state  |  uptime  | rx-bytes | tx-bytes diff --git a/docs/services/snmp.rst b/docs/services/snmp.rst index 2c0d958f..c4b8fa32 100644 --- a/docs/services/snmp.rst +++ b/docs/services/snmp.rst @@ -90,7 +90,7 @@ plain text.  Example  ******* -.. code-block:: console +.. code-block:: none    # Define a community    set service snmp community routers authorization ro @@ -139,7 +139,7 @@ The securityapproach in v3 targets:  Example  ******* -.. code-block:: console +.. code-block:: none    set service snmp v3 engineid '0x0aa0d6c6f450'    set service snmp v3 group defaultgroup mode 'ro' 
@@ -160,7 +160,7 @@ After commit the resulting configuration will look like:  .. note:: SNMPv3 keys won't we stored in plaintext. On ``commit`` the keys     will be encrypted and the encrypted key is based on the engineid! -.. code-block:: console +.. code-block:: none    vyos@vyos# show service snmp     v3 { @@ -196,7 +196,7 @@ All SNMP MIBs are located in each image of VyOS here: ``/usr/share/snmp/mibs/``  you are be able to download the files with the a activate ssh service like this -.. code-block:: console +.. code-block:: none    scp -r vyos@your_router:/usr/share/snmp/mibs /your_folder/mibs @@ -212,7 +212,7 @@ script of course, then upload it to your VyOS instance via the command  Once the script is uploaded, it needs to be configured via the command below. -.. code-block:: console +.. code-block:: none    set service snmp script-extensions extension-name my-extension script your_script.sh    commit @@ -221,7 +221,7 @@ Once the script is uploaded, it needs to be configured via the command below.  The OID ``.1.3.6.1.4.1.8072.1.3.2.3.1.1.4.116.101.115.116``, once called, will  contain the output of the extension. -.. code-block:: console +.. code-block:: none    root@vyos:/home/vyos# snmpwalk -v2c  -c public 127.0.0.1 nsExtendOutput1    NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."my-extension" = STRING: hello @@ -238,7 +238,7 @@ Templates Management. A template for VyOS can be easily imported.  Create a file named ``VyOS-1.3.6.1.4.1.44641.ConfigMgmt-Commands`` using the  following content: -.. code-block:: console +.. code-block:: none    <Configuration-Management Device="VyOS" SystemOID="1.3.6.1.4.1.44641">        <Commands> diff --git a/docs/services/ssh.rst b/docs/services/ssh.rst index c770140b..3af71899 100644 --- a/docs/services/ssh.rst +++ b/docs/services/ssh.rst 
@@ -30,7 +30,7 @@ Configuration  Enabling SSH only requires you to add ``service ssh port NN``, where 'NN' is  the port you want SSH to listen on. By default, SSH runs on port 22. -.. code-block:: console +.. code-block:: none    set service ssh port 22 @@ -130,7 +130,7 @@ line. The third part is simply an identifier, and is for your own reference.  Under the user (in this example, ``vyos``), add the public key and the type.  The `identifier` is simply a string that is relevant to you. -.. code-block:: console +.. code-block:: none    set system login user vyos authentication public-keys 'identifier' key "AAAAB3Nz...."    set system login user vyos authentication public-keys 'identifier' type ssh-rsa" @@ -139,7 +139,7 @@ You can assign multiple keys to the same user by changing the identifier. In  the following example, both Unicron and xrobau will be able to SSH into VyOS  as the ``vyos`` user using their own keys. -.. code-block:: console +.. code-block:: none    set system login user vyos authentication public-keys 'Unicron' key "AAAAB3Nz...."    set system login user vyos authentication public-keys 'Unicron' type ssh-rsa diff --git a/docs/services/sstp-server.rst b/docs/services/sstp-server.rst index dd459a94..64a5206b 100644 --- a/docs/services/sstp-server.rst +++ b/docs/services/sstp-server.rst @@ -24,7 +24,7 @@ Self Signed CA and server certificates  To generate the CA, the server private key and certificates the following  commands can be used. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ conf    [edit] @@ -60,7 +60,7 @@ The example below will answer configuration request for the user ``foo``.  Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically  looks for all files and directories in ``/config/user-data/sstp``. -.. code-block:: console +.. code-block:: none    edit service sstp-server    set authentication local-users username foo password 'bar' 
diff --git a/docs/services/tftp.rst b/docs/services/tftp.rst index 185e594f..9ce46b02 100644 --- a/docs/services/tftp.rst +++ b/docs/services/tftp.rst @@ -10,7 +10,7 @@ simple to implement.  Example  ^^^^^^^ -.. code-block:: console +.. code-block:: none    # If you want to enable uploads, else TFTP server will act as read-only (optional)    set service tftp-server allow-upload @@ -30,7 +30,7 @@ Example  The resulting configuration will look like: -.. code-block:: console +.. code-block:: none    vyos@vyos# show service     tftp-server { diff --git a/docs/services/udp-broadcast-relay.rst b/docs/services/udp-broadcast-relay.rst index 995213fa..40f738e6 100644 --- a/docs/services/udp-broadcast-relay.rst +++ b/docs/services/udp-broadcast-relay.rst @@ -14,7 +14,7 @@ support 99 IDs!  Example #1: To forward all broadcast packets received on `UDP port 1900` on  `eth3`, `eth4` or `eth5` to all other interfaces in this configuration. -.. code-block:: console +.. code-block:: none    set service broadcast-relay id 1 description 'SONOS'    set service broadcast-relay id 1 interface 'eth3' @@ -25,7 +25,7 @@ Example #1: To forward all broadcast packets received on `UDP port 1900` on  Example #2: To Forward all broadcasts packets received on `UDP port 6969` on  `eth3` or `eth4` to the other interface in this configuration. -.. code-block:: console +.. code-block:: none    set service broadcast-relay id 2 description 'SONOS MGMT'    set service broadcast-relay id 2 interface 'eth3' @@ -38,14 +38,14 @@ Disable Instance(s)  Each broadcast relay instance can be individually disabled without deleting the  configured node by using the following command: -.. code-block:: console +.. code-block:: none    set service broadcast-relay id <n> disable  In addition you can also disable the whole service without removing the  configuration by: -.. code-block:: console +.. code-block:: none    set service broadcast-relay disable 
diff --git a/docs/services/webproxy.rst b/docs/services/webproxy.rst index eaccc4df..b4b20ef5 100644 --- a/docs/services/webproxy.rst +++ b/docs/services/webproxy.rst @@ -19,7 +19,7 @@ URL Filtering is provided by Squidguard_.  Configuration  ^^^^^^^^^^^^^^ -.. code-block:: console +.. code-block:: none    # Enable proxy service    set service webproxy listen-address 192.168.0.1 @@ -46,7 +46,7 @@ Filtering by category  If you wan't to use existing blacklists you have to create/download a database  first. Otherwise you will not be able to commit the config changes. -.. code-block:: console +.. code-block:: none    vyos@vyos# commit    [ service webproxy ] @@ -83,7 +83,7 @@ The embedded Squid proxy can use LDAP to authenticate users against a company  wide directory. The following configuration is an example of how to use Active  Directory as authentication backend. Queries are done via LDAP. -.. code-block:: console +.. code-block:: none    vyos@vyos# show service webproxy     authentication { @@ -117,7 +117,7 @@ Adjusting cache size  The size of the proxy cache can be adjusted by the user. -.. code-block:: console +.. code-block:: none    set service webproxy cache-size     Possible completions: diff --git a/docs/system/config-management.rst b/docs/system/config-management.rst index f21562fd..f087cb46 100644 --- a/docs/system/config-management.rst +++ b/docs/system/config-management.rst @@ -6,7 +6,7 @@ Config Management  The following changes the number of commit revisions. In the default settings, 20 revisions are stored locally. -.. code-block:: console +.. code-block:: none    set system config-management commit-revisions 50 
@@ -14,7 +14,7 @@ The following changes the number of commit revisions. In the default settings, 2  | If you want to save all config changes to a remote destination. Set the commit-archive location. Every time a commit is successfully the config.boot file will be copied to the defined destinations. -.. code-block:: console +.. code-block:: none    set system config-management commit-archive location 'tftp://10.0.0.2' @@ -22,7 +22,7 @@ The following changes the number of commit revisions. In the default settings, 2  A commit look now like this: -.. code-block:: console +.. code-block:: none      vyos@vyos-R1# commit      Archiving config... diff --git a/docs/system/eventhandler.rst b/docs/system/eventhandler.rst index 6496c556..a68b3924 100644 --- a/docs/system/eventhandler.rst +++ b/docs/system/eventhandler.rst @@ -7,7 +7,7 @@ Event handler allows you to execute scripts when a string that matches a regex a  It uses "feeds" (output of commands, or a named pipes) and "policies" that define what to execute if a regex is matched. -.. code-block:: console +.. code-block:: none    system    event-handler @@ -29,7 +29,7 @@ It uses "feeds" (output of commands, or a named pipes) and "policies" that defin  In this small example a script runs every time a login failed and an interface goes down -.. code-block:: console +.. code-block:: none    vyos@vyos# show system event-handler    feed Syslog { diff --git a/docs/system/flowaccounting.rst b/docs/system/flowaccounting.rst index 6caa0d3e..9c876001 100644 --- a/docs/system/flowaccounting.rst +++ b/docs/system/flowaccounting.rst @@ -30,7 +30,7 @@ In order for flow accounting information to be collected and displayed for an  interface, the interface must be configured for flow accounting. The following  example shows how to configure ``eth0`` and ``bond3`` for flow accounting. -.. code-block:: console +.. code-block:: none    set system flow-accounting interface eth0    set system flow-accounting interface bond3 
@@ -41,7 +41,7 @@ VyOS supports version 5, 9 and 10 (IPFIX - IP Flow Information Export)  NetFlow v5 example: -.. code-block:: console +.. code-block:: none    set system flow-accounting netflow engine-id 100    set system flow-accounting netflow version 5 @@ -55,7 +55,7 @@ display captured network traffic information for all configured interfaces.  The following op-mode command shows flow accounting for eth0. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show flow-accounting interface eth0    flow-accounting for [eth0] diff --git a/docs/system/host-information.rst b/docs/system/host-information.rst index b5b16ed0..71209412 100644 --- a/docs/system/host-information.rst +++ b/docs/system/host-information.rst @@ -21,7 +21,7 @@ or over the internet.  Set a system host name: -.. code-block:: console +.. code-block:: none    set system host-name <hostname> @@ -29,19 +29,19 @@ Set a system host name:  Show host name: -.. code-block:: console +.. code-block:: none    show system host-name  Delete host name: -.. code-block:: console +.. code-block:: none    delete system host-name <hostname>  Example: Set system hostname to 'RT01': -.. code-block:: console +.. code-block:: none    set system host-name RT01    commit @@ -56,7 +56,7 @@ unique.  Set the system's domain: -.. code-block:: console +.. code-block:: none    set system domain-name <domain> @@ -64,19 +64,19 @@ Set the system's domain:  Show domain: -.. code-block:: console +.. code-block:: none    show system domain-name  Remove domain name: -.. code-block:: console +.. code-block:: none    set system delete domain-name <domain>  Example: Set system domain to example.com: -.. code-block:: console +.. code-block:: none    set system domain-name example.com    commit 
@@ -90,20 +90,20 @@ How to assign IPs to interfaces is described in chapter  :ref:`interfaces-addresses`. This section shows how to statically map a system  IP to its host name for local (meaning on this VyOS instance) DNS resolution: -.. code-block:: console +.. code-block:: none    set system static-host-mapping host-name <hostname> inet <IP address>  Show static mapping: -.. code-block:: console +.. code-block:: none    show system static-host-mapping  Example: Create a static mapping between the system's hostname `RT01` and  IP address `10.20.30.41`: -.. code-block:: console +.. code-block:: none    set system static-host-mapping host-name RT01 inet 10.20.30.41    commit @@ -117,25 +117,25 @@ Aliases  One or more system aliases (static mappings) can be defined: -.. code-block:: console +.. code-block:: none    set system static-host-mapping host-name <hostname> alias <alias>  Show aliases: -.. code-block:: console +.. code-block:: none    show system static-mapping  Delete alias: -.. code-block:: console +.. code-block:: none    delete system static-host-mapping host-name <hostname> alias <alias>  Example: Set alias `router1` for system with hostname `RT01`: -.. code-block:: console +.. code-block:: none    set system static-host-mapping host-name RT01 alias router1    commit @@ -154,19 +154,19 @@ existing configurations are migrated to the new CLI commands.  It is replaced by inserting a static route into the routing table using: -.. code-block:: console +.. code-block:: none    set protocols static route 0.0.0.0/0 next-hop <gateway ip>  Delete the default route from the system -.. code-block:: console +.. code-block:: none    delete protocols static route 0.0.0.0/0  Show default route: -.. code-block:: console +.. code-block:: none    vyos@vyos$ show ip route 0.0.0.0    Routing entry for 0.0.0.0/0 diff --git a/docs/system/login-users.rst b/docs/system/login-users.rst index 9b7668da..424d1978 100644 --- a/docs/system/login-users.rst 
+++ b/docs/system/login-users.rst @@ -16,20 +16,20 @@ Local  Create user account `jsmith` and the password `mypassword`. -.. code-block:: console +.. code-block:: none    set system login user jsmith full-name "Johan Smith"    set system login user jsmith authentication plaintext-password mypassword  The command: -.. code-block:: console +.. code-block:: none    show system login  will show the contents of :code:`system login` configuration node: -.. code-block:: console +.. code-block:: none    user jsmith {        authentication { @@ -45,7 +45,7 @@ SSH with Public Keys  The following command will load the public key `dev.pub` for user `jsmith` -.. code-block:: console +.. code-block:: none    loadkey jsmith dev.pub @@ -53,7 +53,7 @@ The following command will load the public key `dev.pub` for user `jsmith`     first. As an alternative you can also load the SSH public key directly     from a remote system: -.. code-block:: console +.. code-block:: none    loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub @@ -61,7 +61,7 @@ In addition SSH public keys can be fully added using the CLI. Each key can be  given a unique identifier, `calypso` is used oin the example below to id an SSH  key. -.. code-block:: console +.. code-block:: none    set system login user jsmith authentication public-keys callisto key 'AAAABo..Q=='    set system login user jsmith authentication public-keys callisto type 'ssh-rsa' @@ -75,7 +75,7 @@ The following command sets up two servers for RADIUS authentication, one with a  discrete timeout of `5` seconds and a discrete port of `1812` and the other using  a default timeout and port. -.. code-block:: console +.. code-block:: none    set system login radius server 192.168.1.2 secret 's3cr3t0815'    set system login radius server 192.168.1.2 timeout '5' @@ -84,7 +84,7 @@ a default timeout and port.  This configuration results in: -.. code-block:: console +.. code-block:: none    show system login     radius { 
@@ -111,7 +111,7 @@ not set incoming connections to the RADIUS server will use the nearest interface  address pointing towards the RADIUS server - making it error prone on e.g. OSPF  networks when a link fails. -.. code-block:: console +.. code-block:: none    set system login radius source-address 192.168.1.254 @@ -120,7 +120,7 @@ Login Banner  You are able to set post-login or pre-login messages with the following lines: -.. code-block:: console +.. code-block:: none    set system login banner pre-login "UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED\n"    set system login banner post-login "Welcome to VyOS" diff --git a/docs/system/ntp.rst b/docs/system/ntp.rst index d9598a6f..95ff0692 100644 --- a/docs/system/ntp.rst +++ b/docs/system/ntp.rst @@ -5,7 +5,7 @@ NTP  there are 3 default NTP server set. You are able to change them. -.. code-block:: console +.. code-block:: none    set system ntp server 0.pool.ntp.org    set system ntp server 1.pool.ntp.org @@ -13,7 +13,7 @@ there are 3 default NTP server set. You are able to change them.  To set up VyOS as an NTP responder, you must specify the listen address and optionally the permitted clients. -.. code-block:: console +.. code-block:: none    set system ntp listen-address 192.168.199.1    set system ntp allow-clients address 192.168.199.0/24 diff --git a/docs/system/proxy.rst b/docs/system/proxy.rst index 421cd141..dc8ed555 100644 --- a/docs/system/proxy.rst +++ b/docs/system/proxy.rst @@ -8,7 +8,7 @@ The ``system proxy`` option sets the configuration for a proxy, and if necessary  This example sets a proxy for all connections initiated by VyOS, including HTTP, HTTPS, and FTP (anonymous ftp). -.. code-block:: console +.. code-block:: none    set system proxy url http://10.100.100.1    set system proxy port 8080 
@@ -19,7 +19,7 @@ This example sets a proxy for all connections initiated by VyOS, including HTTP,  That enables the update of a system image if the VyOS system operates behind a proxy. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso    Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso diff --git a/docs/system/serialconsole.rst b/docs/system/serialconsole.rst index dbb90b7a..730c9da1 100644 --- a/docs/system/serialconsole.rst +++ b/docs/system/serialconsole.rst @@ -8,7 +8,7 @@ Serial console  Configuring Console  ------------------- -.. code-block:: console +.. code-block:: none    vyos@vyos# set system console    Possible completions: diff --git a/docs/system/syslog.rst b/docs/system/syslog.rst index 29a9aec5..c9dc8a1c 100644 --- a/docs/system/syslog.rst +++ b/docs/system/syslog.rst @@ -16,14 +16,14 @@ Logging to serial console  The below would log all messages to :code:`/dev/console`. -.. code-block:: console +.. code-block:: none    set system syslog console facility all level all  Use the **[tab]** function to display all facilities and levels which can  be configured. -.. code-block:: console +.. code-block:: none    vyos@vyos# set system syslog console facility <TAB>    Possible completions: @@ -70,7 +70,7 @@ Logging to a custom file  Logging to a custom file, rotation size and the number of rotate files left  on the system can be configured. -.. code-block:: console +.. code-block:: none    set system syslog file <FILENAME> facility <FACILITY>  level <LEVEL>    set system syslog file <FILENAME> archive file <NUMBER OF FILES> @@ -88,7 +88,7 @@ using either TCP or UDP. The default is sending the messages via UDP.  **UDP** -.. code-block:: console +.. code-block:: none    set system syslog host 10.1.1.1 facility all level all    <optional> 
@@ -97,7 +97,7 @@ using either TCP or UDP. The default is sending the messages via UDP.  **TCP** -.. code-block:: console +.. code-block:: none    set system syslog host 10.1.1.2 facility all level all    set system syslog host 10.1.1.2 facility all protocol tcp @@ -109,7 +109,7 @@ If logging to a local useraccount is configured, all defined log messages are  display on the console if the local user is logged in, if the user is not  logged in, no messages are being displayed. -.. code-block:: console +.. code-block:: none    set system syslog user <LOCAL_USERNAME> facility <FACILITY> level <LEVEL> @@ -118,7 +118,7 @@ Show logs  Display log files on the console -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show log    Possible completions: @@ -149,7 +149,7 @@ Show contents of a log file in an image  Log messages from a specified image can be displayed on the console: -.. code-block:: console +.. code-block:: none    $ show log image <image name>    $ show log image <image name> [all | authorization | directory | file <file name> | tail <lines>] diff --git a/docs/system/task-scheduler.rst b/docs/system/task-scheduler.rst index 20a8640c..7fe49988 100644 --- a/docs/system/task-scheduler.rst +++ b/docs/system/task-scheduler.rst @@ -7,7 +7,7 @@ Task scheduler  | Task scheduler — allows scheduled task execution. Note that scripts excecuted this way are executed as root user - this may be dangerous.  | Together with :ref:`commandscripting` this can be used for automating configuration. -.. code-block:: console +.. code-block:: none    system        task-scheduler @@ -24,7 +24,7 @@ Interval  You are able to set the time as an time interval. -.. code-block:: console +.. code-block:: none    set system task-scheduler task <name> interval <value><suffix> 
@@ -38,14 +38,14 @@ If suffix is omitted, minutes are implied.  Or set the execution time in common cron time. -.. code-block:: console +.. code-block:: none    set system task-scheduler task TEST crontab-spec "* * * 1 *"  Example  ******* -.. code-block:: console +.. code-block:: none    system        task-scheduler diff --git a/docs/system/time-zone.rst b/docs/system/time-zone.rst index 182829db..9e1690e8 100644 --- a/docs/system/time-zone.rst +++ b/docs/system/time-zone.rst @@ -5,7 +5,7 @@ Time Zone  To set the system time zone type: -.. code-block:: console +.. code-block:: none    [edit]    vyos@vyos# set system time-zone [time-zone]
\ No newline at end of file diff --git a/docs/troubleshooting.rst b/docs/troubleshooting.rst index c8585f12..477d1a4c 100644 --- a/docs/troubleshooting.rst +++ b/docs/troubleshooting.rst @@ -15,7 +15,7 @@ commands. The options for each are shown (the options for each command were  displayed using the built-in help as described in the :ref:`cli`  section and are omitted from the output here): -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ ping    Possible completions: @@ -25,7 +25,7 @@ section and are omitted from the output here):  Several options are available when more extensive troubleshooting is needed: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ ping 8.8.8.8    Possible completions: @@ -51,7 +51,7 @@ Several options are available when more extensive troubleshooting is needed:      ttl      verbose -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ traceroute    Possible completions: @@ -64,7 +64,7 @@ Several options are available when more extensive troubleshooting is needed:  However, another tool, mtr_, is available which combines ping and traceroute  into a single tool. An example of its output is shown: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ mtr 10.62.212.12 @@ -95,7 +95,7 @@ It's possible to monitor network traffic, either at the flow level or protocol  level. This can be useful when troubleshooting a variety of protocols and  configurations. The following interface types can be monitored: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ monitor interfaces    Possible completions: 
@@ -117,7 +117,7 @@ To monitor traffic flows, issue the :code:`monitor interfaces <type> <name> flow  command, replacing `<type>` and `<name>` with your desired interface type and  name, respectively. Output looks like the following: -.. code-block:: console +.. code-block:: none                       12.5Kb              25.0Kb              37.5Kb              50.0Kb        62.5Kb    ???????????????????????????????????????????????????????????????????????????????????????????????????? @@ -145,7 +145,7 @@ traffic` command, replacing `<type>` and `<name>` with your desired interface  type and name, respectively. This command invokes the familiar tshark_ utility  and the following options are available: -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ monitor interfaces ethernet eth0 traffic    Possible completions: @@ -170,13 +170,13 @@ Interface Bandwith  to take a quick view on the used bandwith of an interface use the ``monitor  bandwith`` command -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ monitor bandwidth interface eth0  show the following: -.. code-block:: console +.. code-block:: none           B                      (RX Bytes/second)      198.00 .|....|..................................................... @@ -202,7 +202,7 @@ Interface performance  To take a look on the network bandwith between two nodes, the ``monitor  bandwidth-test`` command is used to run iperf. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ monitor bandwidth-test    Possible completions: @@ -212,7 +212,7 @@ bandwidth-test`` command is used to run iperf.  * The ``accept`` command open a listen iperf server on TCP Port 5001  * The ``initiate`` command conncet to this server. -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ monitor bandwidth-test initiate    Possible completions: 
@@ -229,14 +229,14 @@ a continuously refreshed output. The command is run and output every 2 seconds,  allowing you to monitor the output continuously without having to re-run the  command. This can be useful to follow routing adjacency formation. -.. code-block:: console +.. code-block:: none    vyos@router:~$ monitor command "show interfaces"  Will clear the screen and show you the output of ``show interfaces`` every  2 seconds. -.. code-block:: console +.. code-block:: none    Every 2.0s: /opt/vyatta/bin/vyatta-op-cmd-wrapper    Sun Mar 26 02:49:46 2019 @@ -259,13 +259,13 @@ To do this use the ``clear`` command in Operational mode.  to clear the console output -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ clear console  to clear interface counters -.. code-block:: console +.. code-block:: none    # clear all interfaces    vyos@vyos:~$ clear interface ethernet counters @@ -274,7 +274,7 @@ to clear interface counters  The command follow the same logic as the ``set`` command in configuration mode. -.. code-block:: console +.. code-block:: none    # clear all counters of a interface type    vyos@vyos:~$ clear interface <interface_type> counters @@ -284,7 +284,7 @@ The command follow the same logic as the ``set`` command in configuration mode.  to clear counters on firewall rulesets or single rules -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ clear firewall name <ipv4 ruleset name> counters    vyos@vyos:~$ clear firewall name <ipv4 ruleset name> rule <rule#> counters diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst index 5794100b..344d5c3f 100644 --- a/docs/vpn/dmvpn.rst +++ b/docs/vpn/dmvpn.rst @@ -47,7 +47,7 @@ can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, t  HUB Configuration  ^^^^^^^^^^^^^^^^^ -.. code-block:: console +.. code-block:: none    interfaces        tunnel <tunN> { 
@@ -119,7 +119,7 @@ HUB Configuration  HUB Example Configuration: -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address '198.51.100.41/30'    set interfaces ethernet eth1 address '192.168.1.1/24' @@ -171,7 +171,7 @@ SPOKE Configuration  SPOKE1 Configuration: -.. code-block:: console +.. code-block:: none    interfaces        tunnel <tunN> { @@ -248,7 +248,7 @@ SPOKE1 Configuration:  SPOKE1 Example Configuration -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address 'dhcp'    set interfaces ethernet eth1 address '192.168.2.1/24' @@ -294,7 +294,7 @@ SPOKE1 Example Configuration  SPOKE2 Configuration -.. code-block:: console +.. code-block:: none    interfaces        tunnel <tunN> { @@ -371,7 +371,7 @@ SPOKE2 Configuration  SPOKE2 Example Configuration -.. code-block:: console +.. code-block:: none    set interfaces ethernet eth0 address 'dhcp'    set interfaces ethernet eth1 address '192.168.3.1/24' diff --git a/docs/vpn/gre-ipsec.rst b/docs/vpn/gre-ipsec.rst index 3ca36b9f..38849f67 100644 --- a/docs/vpn/gre-ipsec.rst +++ b/docs/vpn/gre-ipsec.rst @@ -40,7 +40,7 @@ and the RIGHT router is 203.0.113.45  On the LEFT: -.. code-block:: console +.. code-block:: none    # GRE tunnel    set interfaces tunnel tun0 encapsulation gre @@ -90,7 +90,7 @@ RIGHT router has a dynamic address on eth0.  On the LEFT: -.. code-block:: console +.. code-block:: none    set interfaces loopback lo address 192.168.99.1/32 @@ -101,7 +101,7 @@ On the LEFT:  On the RIGHT: -.. code-block:: console +.. code-block:: none    set interfaces loopback lo address 192.168.99.2/32 @@ -119,7 +119,7 @@ address, so we'll have to use RSA keys.  First, on both routers run the operational command "generate vpn rsa-key bits  2048". You may choose different length than 2048 of course. -.. code-block:: console +.. code-block:: none    vyos@left# run generate vpn rsa-key bits 2048    Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key 
@@ -131,7 +131,7 @@ First, on both routers run the operational command "generate vpn rsa-key bits  Then on the opposite router, add the RSA key to your config. -.. code-block:: console +.. code-block:: none    set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE @@ -140,7 +140,7 @@ for the peer on the dynamic side.  On the LEFT (static address): -.. code-block:: console +.. code-block:: none    set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT> @@ -165,7 +165,7 @@ On the LEFT (static address):  On the RIGHT (dynamic address): -.. code-block:: console +.. code-block:: none    set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT> diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst index 2878babb..107a42d3 100644 --- a/docs/vpn/l2tp.rst +++ b/docs/vpn/l2tp.rst @@ -12,7 +12,7 @@ L2TP over IPsec  Example for configuring a simple L2TP over IPsec VPN for remote access (works  with native Windows and Mac VPN clients): -.. code-block:: console +.. code-block:: none    set vpn ipsec ipsec-interfaces interface eth0    set vpn ipsec nat-traversal enable @@ -43,7 +43,7 @@ As well as the below to allow NAT-traversal:  Example: -.. code-block:: console +.. code-block:: none    set firewall name OUTSIDE-LOCAL rule 40 action 'accept'    set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp' @@ -61,7 +61,7 @@ Example:  To allow VPN-clients access via your external address, a NAT rule is required: -.. code-block:: console +.. code-block:: none    set nat source rule 110 outbound-interface 'eth0'    set nat source rule 110 source address '192.168.255.0/24' @@ -71,7 +71,7 @@ To allow VPN-clients access via your external address, a NAT rule is required:  VPN-clients will request configuration parameters, optionally you can DNS  parameter to the client. -.. code-block:: console +.. code-block:: none    set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'    set vpn l2tp remote-access dns-servers server-2 '8.8.4.4' 
@@ -82,7 +82,7 @@ parameter to the client.  Established sessions can be viewed using the **show vpn remote-access**  operational command, or **show l2tp-server sessions** -.. code-block:: console +.. code-block:: none    vyos@vyos:~$ show vpn remote-access     ifname | username | calling-sid  |      ip       | rate-limit | type | comp | state  |  uptime @@ -97,7 +97,7 @@ LNS are often used to connect to a LAC (L2TP Access Concentrator).  Below is an example to configure a LNS: -.. code-block:: console +.. code-block:: none    set vpn l2tp remote-access outside-address 192.0.2.2    set vpn l2tp remote-access outside-nexthop 192.168.255.1 @@ -126,7 +126,7 @@ Bandwidth Shaping for local users  The rate-limit is set in kbit/sec. -.. code-block:: console +.. code-block:: none    set vpn l2tp remote-access outside-address 192.0.2.2    set vpn l2tp remote-access outside-nexthop 192.168.255.1 @@ -151,14 +151,14 @@ exists within the configuration, however they are not used if the mode has been  changed from local to radius. Once changed back to local, it will use all local  accounts again. -.. code-block:: console +.. code-block:: none    set vpn l2tp remote-access authentication mode <local|radius>  Since the RADIUS server would be a single point of failure, multiple RADIUS  servers can be setup and will be used subsequentially. -.. code-block:: console +.. code-block:: none    set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'    set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' @@ -173,7 +173,7 @@ If you are using OSPF as IGP always the closets interface connected to the RADIU  server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a  single source IP e.g. the loopback interface. -.. code-block:: console +.. code-block:: none    set vpn l2tp remote-access authentication radius source-address 10.0.0.3 
@@ -188,14 +188,14 @@ RADIUS bandwidth shaping attribute  To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled. -.. code-block:: console +.. code-block:: none    set vpn l2tp remote-access authentication radius rate-limit enable  The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also  redefine it. -.. code-block:: console +.. code-block:: none    set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index 2e4388ed..1c728ef6 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -68,7 +68,7 @@ in our configuration.  Local Configuration: -.. code-block:: console +.. code-block:: none    set interfaces openvpn vtun1 mode site-to-site    set interfaces openvpn vtun1 protocol udp @@ -82,7 +82,7 @@ Local Configuration:  Remote Configuration: -.. code-block:: console +.. code-block:: none    set interfaces openvpn vtun1 mode site-to-site    set interfaces openvpn vtun1 protocol udp @@ -104,7 +104,7 @@ For Encryption:  This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or  OpenVPN version < 2.4.0. -.. code-block:: console +.. code-block:: none    vyos@vyos# set interfaces openvpn vtun1 encryption cipher    Possible completions: @@ -123,7 +123,7 @@ This sets the accepted ciphers to use when version => 2.4.0 and NCP is  enabled (which is default). Default NCP cipher for versions >= 2.4.0 is  aes256gcm. The first cipher in this list is what server pushes to clients. -.. code-block:: console +.. code-block:: none    vyos@vyos# set int open vtun0 encryption ncp-ciphers    Possible completions: @@ -138,7 +138,7 @@ aes256gcm. The first cipher in this list is what server pushes to clients.  For Hashing: -.. code-block:: console +.. code-block:: none    vyos@vyos# set interfaces openvpn vtun1 hash    Possible completions: 
@@ -157,13 +157,13 @@ network of 10.1.0.0/16:  Local Configuration: -.. code-block:: console +.. code-block:: none    set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1  Remote Configuration: -.. code-block:: console +.. code-block:: none    set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1 @@ -206,7 +206,7 @@ closing on connection resets or daemon reloads.     0 on one side of the connection (to disable it), the chosen value on the     other side will determine when the renegotiation will occur. -.. code-block:: console +.. code-block:: none    set interfaces openvpn vtun10 mode server    set interfaces openvpn vtun10 local-port 1194 @@ -216,7 +216,7 @@ closing on connection resets or daemon reloads.  Then we need to specify the location of the cryptographic materials. Suppose  you keep the files in `/config/auth/openvpn` -.. code-block:: console +.. code-block:: none    set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt    set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt @@ -229,7 +229,7 @@ specify the subnet for client tunnel endpoints. Since we want clients to access  a specific network behind out router, we will use a push-route option for  installing that route on clients. -.. code-block:: console +.. code-block:: none    set interfaces openvpn vtun10 server push-route 192.168.0.0/16    set interfaces openvpn vtun10 server subnet 10.23.1.0/24 @@ -241,7 +241,7 @@ need configuration for each client to achieve this.  .. note:: Clients are identified by the CN field of their x.509 certificates,     in this example the CN is ``client0``: -.. code-block:: console +.. code-block:: none    set interfaces openvpn vtun10 server client client0 ip 10.23.1.10    set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25 
@@ -250,7 +250,7 @@ OpenVPN **will not** automatically create routes in the kernel for client  subnets when they connect and will only use client-subnet association  internally, so we need to create a route to the 10.23.0.0/20 network ourselves: -.. code-block:: console +.. code-block:: none    set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10 @@ -269,13 +269,13 @@ Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is  shipped with every VyOS installation. A dedicated configuration file is required.  It is best practise to store it in ``/config`` to survive image updates -.. code-block:: console +.. code-block:: none    set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"  The required config file may look like: -.. code-block:: console +.. code-block:: none    <LDAP>    # LDAP server URL @@ -302,7 +302,7 @@ Active Directory  Despite the fact that AD is a superset of LDAP -.. code-block:: console +.. code-block:: none    <LDAP>      # LDAP server URL @@ -336,7 +336,7 @@ Despite the fact that AD is a superset of LDAP  If you only want to check if the user account is enabled and can authenticate  (against the primary group) the following snipped is sufficient: -.. code-block:: console +.. code-block:: none    <LDAP>      URL ldap://dc01.example.com @@ -355,7 +355,7 @@ If you only want to check if the user account is enabled and can authenticate  A complete LDAP auth OpenVPN configuration could look like the following example: -.. code-block:: console +.. code-block:: none    vyos@vyos# show interfaces openvpn     openvpn vtun0 { @@ -398,7 +398,7 @@ using their CN attribute in the SSL certificate.  Server  ------ -.. code-block:: console +.. code-block:: none    set interfaces openvpn vtun10 encryption cipher 'aes256'    set interfaces openvpn vtun10 hash 'sha512' 
@@ -422,7 +422,7 @@ Server  Client  ------ -.. code-block:: console +.. code-block:: none    set interfaces openvpn vtun10 encryption cipher 'aes256'    set interfaces openvpn vtun10 hash 'sha512' diff --git a/docs/vpn/pptp.rst b/docs/vpn/pptp.rst index 68ded675..72b3feb0 100644 --- a/docs/vpn/pptp.rst +++ b/docs/vpn/pptp.rst @@ -12,7 +12,7 @@ If no gateway-address is set within the configuration, the lowest IP out of the  server example  ^^^^^^^^^^^^^^ -.. code-block:: console +.. code-block:: none    set vpn pptp remote-access authentication local-users username test password 'test'    set vpn pptp remote-access authentication mode 'local' @@ -28,7 +28,7 @@ client example (debian 9)  Install the client software via apt and execute pptpsetup to generate the configuration. -.. code-block:: console +.. code-block:: none    apt-get install pptp-linux    pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt @@ -39,7 +39,7 @@ The command pon TESTUNNEL establishes the PPTP tunnel to the remote system.  All tunnel sessions can be checked via: -.. code-block:: console +.. code-block:: none    run sh pptp-server sessions     ifname | username | calling-sid |      ip      | type | comp | state  |  uptime diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst index 8414e3bc..3f00d91a 100644 --- a/docs/vpn/site2site_ipsec.rst +++ b/docs/vpn/site2site_ipsec.rst @@ -116,7 +116,7 @@ Example:  * right subnet: `10.0.0.0/24` site2,remote office side  * right local_ip: `203.0.113.2` # remote office side WAN IP -.. code-block:: console +.. code-block:: none    # server config    set vpn ipsec esp-group office-srv-esp compression 'disable' @@ -166,7 +166,7 @@ Example:  Show status of new setup: -.. code-block:: console +.. code-block:: none    vyos@srv-gw0:~$ show vpn ike sa    Peer ID / IP                            Local ID / IP 
@@ -186,7 +186,7 @@ Show status of new setup:  If there is SNAT rules on eth1, need to add exclude rule -.. code-block:: console +.. code-block:: none    # server side    set nat source rule 10 destination address '10.0.0.0/24' @@ -203,7 +203,7 @@ If there is SNAT rules on eth1, need to add exclude rule  To allow traffic to pass through to clients, you need to add the following  rules. (if you used the default configuration at the top of this page) -.. code-block:: console +.. code-block:: none    # server side    set firewall name OUTSIDE-LOCAL rule 32 action 'accept' @@ -231,7 +231,7 @@ Imagine the following topology  **left** -.. code-block:: console +.. code-block:: none    set interfaces vti vti10 address '10.0.0.2/31' @@ -265,7 +265,7 @@ Imagine the following topology  **right** -.. code-block:: console +.. code-block:: none    set interfaces vti vti10 address '10.0.0.3/31' diff --git a/docs/vpn/wireguard.rst b/docs/vpn/wireguard.rst index 76f1f6ee..8e957a30 100644 --- a/docs/vpn/wireguard.rst +++ b/docs/vpn/wireguard.rst @@ -21,7 +21,7 @@ within VyOS.  It will be used per default on any configured wireguard interface, even if  multiple interfaces are being configured. -.. code-block:: console +.. code-block:: none    wg01:~$ configure    wg01# run generate wireguard keypair @@ -29,7 +29,7 @@ multiple interfaces are being configured.  The public key is being shared with your peer(s), your peer will encrypt all  traffic to your system using this public key. -.. code-block:: console +.. code-block:: none    wg01# run show wireguard pubkey    u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk= @@ -45,7 +45,7 @@ their own keypairs.  The commands below will generate 2 keypairs, which are not related  to each other. -.. code-block:: console +.. code-block:: none    wg01:~$ configure    wg01# run generate wireguard named-keypairs KP01 
@@ -69,7 +69,7 @@ below is always the public key from your peer, not your local one.  **local side** -.. code-block:: console +.. code-block:: none    set interfaces wireguard wg01 address '10.1.0.1/24'    set interfaces wireguard wg01 description 'VPN-to-wg02' @@ -89,7 +89,7 @@ traffic.  To use a named key on an interface, the option private-key needs to be set. -.. code-block:: console +.. code-block:: none    set interfaces wireguard wg01 private-key KP01    set interfaces wireguard wg02 private-key KP02 @@ -100,7 +100,7 @@ which needs to be shared with the peer.  **remote side** -.. code-block:: console +.. code-block:: none    set interfaces wireguard wg01 address '10.2.0.1/24'    set interfaces wireguard wg01 description 'VPN-to-wg01' @@ -113,7 +113,7 @@ which needs to be shared with the peer.  Assure that your firewall rules allow the traffic, in which case you have a  working VPN using wireguard. -.. code-block:: console +.. code-block:: none    wg01# ping 10.2.0.1    PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data. @@ -128,7 +128,7 @@ working VPN using wireguard.  An additional layer of symmetric-key crypto can be used on top of the  asymmetric crypto, which is optional. -.. code-block:: console +.. code-block:: none    wg01# run generate wireguard preshared-key    rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc= @@ -137,7 +137,7 @@ Copy the key, as it is not stored on the local file system. Make sure you  distribute that key in a safe manner, it's a symmetric key, so only you and  your peer should have knowledge of its content. -.. code-block:: console +.. code-block:: none    wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='    wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=' 
@@ -149,7 +149,7 @@ With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN.  It  In the following example, the IPs for the remote clients are defined in the peers.  This would allow the peers to interact with one another. -.. code-block:: console +.. code-block:: none      wireguard wg0 {          address 10.172.24.1/24 @@ -173,7 +173,7 @@ In the following example, the IPs for the remote clients are defined in the peer  The following is the config for the iPhone peer above.  It's important to note that the ``AllowedIPs`` setting  directs all IPv4 and IPv6 traffic through the connection. -.. code-block:: console +.. code-block:: none      [Interface]      PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf= @@ -189,7 +189,7 @@ directs all IPv4 and IPv6 traffic through the connection.  This MacBook peer is doing split-tunneling, where only the subnets local to the server go over the connection. -.. code-block:: console +.. code-block:: none      [Interface]      PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go= @@ -207,7 +207,7 @@ Operational commands  **Show interface status** -.. code-block:: console +.. code-block:: none    vyos@wg01# run show interfaces wireguard wg01    interface: wg1 @@ -233,14 +233,14 @@ Operational commands  **Show public key of the default key** -.. code-block:: console +.. code-block:: none    vyos@wg01# run show wireguard keypair pubkey default    FAXCPb6EbTlSH5200J5zTopt9AYXneBthAySPBLbZwM=  **Show public key of a named key** -.. code-block:: console +.. code-block:: none    vyos@wg01# run show wireguard keypair pubkey KP01    HUtsu198toEnm1poGoRTyqkUKfKUdyh54f45dtcahDM= @@ -248,7 +248,7 @@ Operational commands  **Delete wireguard keypairs** -.. code-block:: console +.. code-block:: none    vyos@wg01# wireguard keypair default | 
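Review bot: the blanket `console` to `none` swap in the docs/troubleshooting.rst hunks (and the matching `show`/`ping`/`run generate` blocks in gre-ipsec.rst, l2tp.rst, pptp.rst, site2site_ipsec.rst and wireguard.rst) removes prompt and output highlighting from blocks that are genuine terminal transcripts, for example `vyos@vyos:~$ ping 8.8.8.8`, the `mtr 10.62.212.12` output and `vyos@srv-gw0:~$ show vpn ike sa`, while `none` is the right choice for bare command lists such as `set interfaces tunnel tun0 encapsulation gre`. Suggest splitting the change by block kind: keep `console` where a prompt and its output are shown and use `none` only for `set ...` listings and config fragments, so the reader can still tell what was typed from what came back. While these hunks are open, the surrounding context lines still carry "bandwith", "conncet" and "The command follow the same logic", which could be fixed in the same commit.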
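Review bot: in the docs/vpn/openvpn.rst hunks around `-276`, `-302` and `-336`, and the docs/vpn/wireguard.rst hunks around `-173` and `-189`, the blocks are file contents rather than sessions: the `<LDAP>` sections are the openvpn-auth-ldap plugin's configuration file (referenced on the `--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config` line) and the `[Interface]`/`[Peer]` blocks are WireGuard client configs. `none` is an improvement over `console` there, but since the point of the change is to pick a lexer that matches the content, consider `apacheconf` for the `<LDAP>` blocks and `ini` for the WireGuard `[Interface]` files; both lexers exist in Pygments and give correct highlighting instead of none.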
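Review bot: the docs/vpn/wireguard.rst hunks around `-128`, `-137`, `-173` and `-189` still carry literal key material in the context lines (`rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=` as the preshared key, `PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf=` and `PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go=` in the client configs), directly below the sentence saying the preshared key must only be known to you and your peer. Since these hunks are being touched anyway, suggest replacing the example keys with placeholders in the style the gre-ipsec.rst hunks already use (`<PUBLIC KEY FROM THE RIGHT>`, `KEYGOESHERE`), e.g. `preshared-key '<PRESHARED-KEY>'` and `PrivateKey = <CLIENT PRIVATE KEY>`, so a reader copying the block cannot end up with a key that is published in the documentation.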
