8 files changed, 256 insertions, 112 deletions

diff --git a/docs/configuration/interfaces/bridge.rst b/docs/configuration/interfaces/bridge.rst
index e69a6e26..5e79107b 100644
--- a/docs/configuration/interfaces/bridge.rst
+++ b/docs/configuration/interfaces/bridge.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2021-06-30
+:lastproofread: 2024-07-04
 
 .. _bridge-interface:
 
@@ -155,9 +155,8 @@ VLAN Options
    native-vlan <vlan-id>
 
    Set the native VLAN ID flag of the interface. When a data packet without a
-   VLAN tag enters the port, the data packet will be forced to add a tag of a
-   specific vlan id. When the vlan id flag flows out, the tag of the vlan id
-   will be stripped
+   VLAN tag enters the port, the data packet will have a specific vlan id added
+   to it. When the packet flows out, the native vlan tag will be stripped.
 
    Example: Set `eth0` member port to be native VLAN 2
 
diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst
index dd524035..30a13b5b 100644
--- a/docs/configuration/interfaces/ethernet.rst
+++ b/docs/configuration/interfaces/ethernet.rst
@@ -52,6 +52,14 @@ Ethernet options
 
    VyOS default will be `auto`.
 
+.. cfgcmd:: set interface ethernet <interface> ring-buffer rx <value>
+.. cfgcmd:: set interface ethernet <interface> ring-buffer tx <value>
+
+  Configures the ring buffer size of the interface.
+
+  The supported values for a specific interface can be obtained
+  with: `ethtool -g <interface>`
+
 
 Offloading
 ----------
@@ -295,5 +303,3 @@ Operation
         BR margin, min          : 0%
         Vendor SN               : FNS092xxxxx
         Date code               : 0506xx
-
-.. stop_vyoslinter
diff --git a/docs/configuration/interfaces/geneve.rst b/docs/configuration/interfaces/geneve.rst
index bf8b0920..a0a46a95 100644
--- a/docs/configuration/interfaces/geneve.rst
+++ b/docs/configuration/interfaces/geneve.rst
@@ -16,7 +16,7 @@ entirely.
 GENEVE is designed to support network virtualization use cases, where tunnels
 are typically established to act as a backplane between the virtual switches
 residing in hypervisors, physical switches, or middleboxes or other appliances.
-An arbitrary IP network can be used as an underlay although Clos networks - A
+An arbitrary IP network can be used as an underlay through Clos networks - A
 technique for composing network fabrics larger than a single switch while
 maintaining non-blocking bandwidth across connection points. ECMP is used to
 divide traffic across the multiple links and switches that constitute the
@@ -41,9 +41,33 @@ Configuration
 Common interface configuration
 ==============================
 
-.. cmdinclude:: /_include/interface-common-without-dhcp.txt
-   :var0: geneve
-   :var1: gnv0
+.. cmdinclude:: /_include/interface-address.txt
+  :var0: geneve
+  :var1: gnv0
+
+.. cmdinclude:: /_include/interface-description.txt
+  :var0: geneve
+  :var1: gnv0
+
+.. cmdinclude:: /_include/interface-disable.txt
+  :var0: geneve
+  :var1: gnv0
+
+.. cmdinclude:: /_include/interface-mac.txt
+  :var0: geneve
+  :var1: gnv0
+
+.. cmdinclude:: /_include/interface-mtu.txt
+  :var0: geneve
+  :var1: gnv0
+
+.. cmdinclude:: /_include/interface-ip.txt
+  :var0: geneve
+  :var1: gnv0
+
+.. cmdinclude:: /_include/interface-ipv6.txt
+  :var0: geneve
+  :var1: gnv0
 
 GENEVE options
 ==============
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index f51dfa94..1dfe1fc5 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2021-07-05
+:lastproofread: 2024-07-04
 
 .. _openvpn:
 
@@ -9,8 +9,8 @@ OpenVPN
 Traditionally hardware routers implement IPsec exclusively due to relative
 ease of implementing it in hardware and insufficient CPU power for doing
 encryption in software. Since VyOS is a software router, this is less of a
-concern. OpenVPN has been widely used on UNIX platform for a long time and is
-a popular option for remote access VPN, though it's also capable of
+concern. OpenVPN has been widely used on the UNIX platform for a long time and
+is a popular option for remote access VPN, though it's also capable of
 site-to-site connections.
 
 Advantages of OpenVPN are:
@@ -45,14 +45,15 @@ remains a relatively obscure feature, and many router appliances
 still don't support it. However, it's very useful for quickly setting up
 tunnels between routers.
 
-As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates.
+As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or
+x.509 certificates.
 
-The pre-shared key mode is deprecated and will be removed from future OpenVPN versions,
-so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys
-is significantly less secure than using TLS.
+The pre-shared key mode is deprecated and will be removed from future OpenVPN
+versions, so VyOS will have to remove support for that option as well. The
+reason is that using pre-shared keys is significantly less secure than using TLS.
 
-We'll configure OpenVPN using self-signed certificates, and then discuss the legacy
-pre-shared key mode.
+We'll configure OpenVPN using self-signed certificates, and then discuss the
+legacy pre-shared key mode.
 
 In both cases, we will use the following settings:
 
@@ -168,10 +169,11 @@ Remote Configuration:
 Pre-shared keys
 ===============
 
-Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys.
-That option is still available but it is deprecated and will be removed in the future.
-However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN,
-you need to still need to know how to use it.
+Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use
+pre-shared keys. That option is still available but it is deprecated and will
+be removed in the future. However, if you need to set up a tunnel to an older
+VyOS version or a system with older OpenVPN, you need to still need to know how
+to use it.
 
 First, you need to generate a key by running ``run generate pki openvpn shared-secret install <name>`` from configuration mode.
 You can use any name, we will use ``s2s``.
@@ -311,11 +313,11 @@ not come up.
 Firewall policy can also be applied to the tunnel interface for `local`, `in`,
 and `out` directions and functions identically to ethernet interfaces.
 
-If making use of multiple tunnels, OpenVPN must have a way to distinguish
-between different tunnels aside from the pre-shared-key. This is either by
-referencing IP address or port number. One option is to dedicate a public IP
-to each tunnel. Another option is to dedicate a port number to each tunnel
-(e.g. 1195,1196,1197...).
+If you're making use of multiple tunnels, OpenVPN must have a way to 
+distinguish between different tunnels aside from the pre-shared-key. This is 
+done either by referencing IP addresses or port numbers. One option is to
+dedicate a public IP to each tunnel. Another option is to dedicate a port 
+number to each tunnel (e.g. 1195,1196,1197...).
 
 OpenVPN status can be verified using the `show openvpn` operational commands.
 See the built-in help for a complete list of options.
@@ -327,7 +329,7 @@ Server
 Multi-client server is the most popular OpenVPN mode on routers. It always uses
 x.509 authentication and therefore requires a PKI setup. Refer this topic
 :ref:`configuration/pki/index:pki` to generate a CA certificate,
-a server certificate and key, a certificate revocation list, a Diffie-Hellman
+a server certificate and key, a certificate revocation list, and a Diffie-Hellman
 key exchange parameters file. You do not need client certificates and keys for
 the server setup.
 
@@ -340,14 +342,14 @@ all client subnets belong to 10.23.0.0/20. All clients need access to the
 192.168.0.0/16 network.
 
 First we need to specify the basic settings. 1194/UDP is the default. The
-``persistent-tunnel`` option is recommended, it prevents the TUN/TAP device from
-closing on connection resets or daemon reloads.
+``persistent-tunnel`` option is recommended, as it prevents the TUN/TAP device
+from closing on connection resets or daemon reloads.
 
 .. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is
-   used to renegotiate data channel after n seconds. When used at both server
-   and client, the lower value will trigger the renegotiation. If you set it to
-   0 on one side of the connection (to disable it), the chosen value on the
-   other side will determine when the renegotiation will occur.
+   used to renegotiate data channel after n seconds. When used on both the 
+   server and client, the lower value will trigger the renegotiation. If you
+   set it to 0 on one side of the connection (to disable it), the chosen value
+   on the other side will determine when the renegotiation will occur.
 
 .. code-block:: none
 
@@ -357,7 +359,7 @@ closing on connection resets or daemon reloads.
   set interfaces openvpn vtun10 protocol udp
 
 Then we need to generate, add and specify the names of the cryptographic materials.
-Each of the install command should be applied to the configuration and commited
+Each of the install commands should be applied to the configuration and commited
 before using under the openvpn interface configuration.
 
 .. code-block:: none
@@ -392,7 +394,7 @@ installing that route on clients.
   set interfaces openvpn vtun10 server push-route 192.168.0.0/16
   set interfaces openvpn vtun10 server subnet 10.23.1.0/24
 
-Since it's a HQ and branch offices setup, we will want all clients to have
+Since it's a HQ with branch offices setup, we will want all clients to have
 fixed addresses and we will route traffic to specific subnets through them. We
 need configuration for each client to achieve this.
 
@@ -413,9 +415,9 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
   set protocols static route 10.23.0.0/20 interface vtun10
 
 Additionally, each client needs a copy of ca cert and its own client key and
-cert files. The files are plaintext so they may be copied either manually from the CLI.
-Client key and cert files should be signed with the proper ca cert and generated on the
-server side.
+cert files. The files are plaintext so they may be copied manually from the CLI.
+Client key and cert files should be signed with the proper ca cert and generated
+on the server side.
 
 HQ's router requires the following steps to generate crypto materials for the Branch 1:
 
@@ -570,12 +572,12 @@ example:
 Client
 ******
 
-VyOS can not only act as an OpenVPN site-to-site or server for multiple clients.
-You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client
-connecting to a VyOS OpenVPN server or any other OpenVPN server.
+VyOS can not only act as an OpenVPN site-to-site or server for multiple clients
+but you can also configure any VyOS OpenVPN interface as an OpenVPN client that
+connects to a VyOS OpenVPN server or any other OpenVPN server.
 
-Given the following example we have one VyOS router acting as OpenVPN server
-and another VyOS router acting as OpenVPN client. The server also pushes a
+Given the following example we have one VyOS router acting as an OpenVPN server
+and another VyOS router acting as an OpenVPN client. The server also pushes a
 static client IP address to the OpenVPN client. Remember, clients are identified
 using their CN attribute in the SSL certificate.
 
@@ -637,17 +639,23 @@ benefit from it (see :ref:`issues_features`).
 If you are a hacker or want to try on your own we support passing raw OpenVPN
 options to OpenVPN.
 
-.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option 'persistent-key'
+.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option 'persist-key'
 
-Will add ``persistent-key`` at the end of the generated OpenVPN configuration.
+Will add ``persist-key`` to the generated OpenVPN configuration.
 Please use this only as last resort - things might break and OpenVPN won't start
 if you pass invalid options/syntax.
 
 .. cfgcmd:: set interfaces openvpn vtun10 openvpn-option
-   'push &quot;keepalive 1 10&quot;'
+   'push keepalive 10 60'
 
 Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file.
 
+.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option
+   'route-up &quot;/config/auth/tun_up.sh arg1&quot;'
+
+Will add ``route-up "/config/auth/tun_up.sh arg1"`` to the generated OpenVPN 
+config file. The path and arguments need to be single- or double-quoted.
+
 .. note:: Sometimes option lines in the generated OpenVPN configuration require
    quotes. This is done through a hack on our config generator. You can pass
    quotes using the ``&quot;`` statement.
@@ -748,7 +756,7 @@ between kernel and user space for encryption and packet handling.
 As a result, the processing of each packet becomes more efficient, potentially
 leveraging hardware encryption offloading support available in the kernel.
 
-.. note:: OpenVPN DCO is not full OpenVPN features supported , is currently
+.. note:: OpenVPN DCO is not a fully supported OpenVPN feature, and is currently
    considered experimental. Furthermore, there are certain OpenVPN features and
    use cases that remain incompatible with DCO. To get a comprehensive
    understanding of the limitations associated with DCO, refer to the list of
@@ -764,9 +772,9 @@ DCO support is a per-tunnel option and it is not automatically enabled by
 default for new or upgraded tunnels. Existing tunnels will continue to function 
 as they have in the past.
 
-DCO can be enabled for both new and existing tunnels,VyOS adds an option in each 
-tunnel configuration where we can enable this function  .The current best 
-practice is to create a new tunnel with DCO to minimize the chance of problems 
+DCO can be enabled for both new and existing tunnels. VyOS adds an option in
+each tunnel configuration where we can enable this function. The current best
+practice is to create a new tunnel with DCO to minimize the chance of problems
 with existing clients.
 
 .. cfgcmd:: set interfaces openvpn <name> offload dco
diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst
index af00fdec..39901f53 100644
--- a/docs/configuration/interfaces/vxlan.rst
+++ b/docs/configuration/interfaces/vxlan.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-01-26
+:lastproofread: 2024-07-04
 
 .. _vxlan-interface:
 
@@ -103,8 +103,8 @@ Unicast
 
 .. cfgcmd:: set interfaces vxlan <interface> remote <address>
 
-  IPv4/IPv6 remote address of the VXLAN tunnel. Alternative to multicast, the
-  remote IPv4/IPv6 address can set directly.
+  IPv4/IPv6 remote address of the VXLAN tunnel. An alternative to multicast,
+  the remote IPv4/IPv6 address can be set directly.
 
 Multicast
 ^^^^^^^^^
@@ -117,7 +117,7 @@ Multicast
 
 .. cfgcmd:: set interfaces vxlan <interface> group <address>
 
-  Multicast group address for VXLAN interface. VXLAN tunnels can be built
+  Multicast group address for the VXLAN interface. VXLAN tunnels can be built
   either via Multicast or via Unicast.
 
   Both IPv4 and IPv6 multicast is possible.
@@ -132,7 +132,7 @@ the same broadcast domain.
 
 Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3
 as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and
-sends it to its designated multicast-address via Spine1. When Spine1 receives
+sends it to its' designated multicast-address via Spine1. When Spine1 receives
 this packet it forwards it to all other leaves who has joined the same
 multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards
 it, while at the same time learning that PC4 is reachable behind Leaf2, because
@@ -188,8 +188,8 @@ Example
 
 The setup is this: Leaf2 - Spine1 - Leaf3
 
-Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 is each a
-VyOS router running 1.2.
+Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 are each
+VyOS routers running 1.2.
 
 This topology was built using GNS3.
 
@@ -282,8 +282,8 @@ traffic from.
   set interfaces vxlan vxlan242 source-interface 'eth0'
   set interfaces vxlan vxlan242 vni '242'
 
-As you can see, Leaf2 and Leaf3 configuration is almost identical. There are
-lots of commands above, I'll try to into more detail below, command
+As you can see, the Leaf2 and Leaf3 configurations are almost identical. There
+are lots of commands above, I'll try to go into more detail below. Command
 descriptions are placed under the command boxes:
 
 .. code-block:: none
@@ -339,7 +339,7 @@ that behavior is available using the above command.
 Unicast VXLAN
 =============
 
-Alternative to multicast, the remote IPv4 address of the VXLAN tunnel can be
+Alternatively to multicast, the remote IPv4 address of the VXLAN tunnel can be
 set directly. Let's change the Multicast example from above:
 
 .. code-block:: none
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index 885720e1..db2ff2c7 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-01-26
+:lastproofread: 2024-07-04
 
 .. _wireguard:
 
@@ -30,7 +30,7 @@ Generate Keypair
 
 .. opcmd:: generate pki wireguard key-pair
 
-   It generates the keypair, which includes the public and private parts.
+   Generates the keypair, which includes the public and private parts.
    The key is not stored on the system - only a keypair is generated.
 
    .. code-block:: none
@@ -41,7 +41,7 @@ Generate Keypair
 
 .. opcmd:: generate pki wireguard key-pair install interface <interface>
 
-   Generates a keypair, which includes the public and private parts, and build
+   Generates a keypair, which includes the public and private parts, and builds
    a configuration command to install this key to ``interface``.
 
    .. code-block:: none
@@ -101,8 +101,8 @@ Optional
 .. opcmd:: generate pki wireguard preshared-key install interface <interface> peer <peer>
 
    An additional layer of symmetric-key crypto can be used on top of the
-   asymmetric crypto. This command automatically creates for you the required
-   CLI command to install this PSK for a given peer.
+   asymmetric crypto. This command automatically creates the required CLI
+   command to install this PSK for a given peer.
 
    This is optional.
 
@@ -409,7 +409,7 @@ the VyOS CLI.
   connect to ``interface`` on this router. The public key from the specified
   interface is automatically extracted and embedded into the configuration.
 
-  The command also generates a configuration snipped which can be copy/pasted
+  The command also generates a configuration snippet which can be copy/pasted
   into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become
   the peer name in the snippet.
 
diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst
index df153763..695866a0 100644
--- a/docs/configuration/interfaces/wireless.rst
+++ b/docs/configuration/interfaces/wireless.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-01-26
+:lastproofread: 2024-07-04
 
 .. _wireless-interface:
 
@@ -6,20 +6,20 @@
 WLAN/WIFI - Wireless LAN
 ########################
 
-:abbr:`WLAN (Wireless LAN)` interface provide 802.11 (a/b/g/n/ac) wireless
-support (commonly referred to as Wi-Fi) by means of compatible hardware. If your
-hardware supports it, VyOS supports multiple logical wireless interfaces per
-physical device.
+The :abbr:`WLAN (Wireless LAN)` interface provides 802.11 (a/b/g/n/ac) wireless
+support (commonly referred to as Wi-Fi) by means of compatible hardware. If
+your hardware supports it, VyOS supports multiple logical wireless interfaces
+per physical device.
 
 There are three modes of operation for a wireless interface:
 
-* :abbr:`WAP (Wireless Access-Point)` provides network access to connecting
+* :abbr:`WAP (Wireless Access-Point)` mode provides network access to connecting
   stations if the physical hardware supports acting as a WAP
 
-* A station acts as a Wi-Fi client accessing the network through an available
+* Station mode acts as a Wi-Fi client accessing the network through an available
   WAP
 
-* Monitor, the system passively monitors any kind of wireless traffic
+* Monitor mode lets the system passively monitor wireless traffic
 
 If the system detects an unconfigured wireless device, it will be automatically
 added the configuration tree, specifying any detected settings (for example,
@@ -36,26 +36,38 @@ Common interface configuration
    :var0: wireless
    :var1: wlan0
 
-Wireless options
-================
+System Wide configuration
+=========================
 
-.. cfgcmd:: set interfaces wireless <interface> channel <number>
+.. cfgcmd:: set system wireless country-code <cc>
 
-  Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from
-  1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173
+  Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed
+  to indicate country in which device is operating. This can limit available
+  channels and transmit power.
 
-.. cfgcmd:: set interfaces wireless <interface> country-code <cc>
+  .. note:: This option is mandatory in Access-Point mode.
+
+Wireless options
+================
+
+.. cfgcmd:: set system wireless country-code <cc>
 
   Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed
-  to indicate country in which device is operating. This can limit available
+  to indicate country in which the box is operating. This can limit available
   channels and transmit power.
 
   .. note:: This option is mandatory in Access-Point mode.
 
+.. cfgcmd:: set interfaces wireless <interface> channel <number>
+
+  Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from
+  1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173. 
+  On 6GHz (802.11 ax) channels range from 1 to 233.
+
 .. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid
 
   Send empty SSID in beacons and ignore probe request frames that do not specify
-  full SSID, i.e., require stations to know SSID.
+  full SSID, i.e., require stations to know the SSID.
 
 .. cfgcmd:: set interfaces wireless <interface> expunge-failing-stations
 
@@ -84,7 +96,16 @@ Wireless options
 
   Management Frame Protection (MFP) according to IEEE 802.11w
 
-.. cfgcmd:: set interfaces wireless <interface> mode <a | b | g | n | ac>
+  .. note:: :abbr:`MFP (Management Frame Protection)` is required for WPA3.
+
+.. cfgcmd:: set interfaces wireless <interface> enable-bf-protection
+
+  Beacon Protection: management frame protection for Beacon frames.
+
+  .. note:: This option requires :abbr:`MFP (Management Frame Protection)` 
+    to be enabled.
+
+.. cfgcmd:: set interfaces wireless <interface> mode <a | b | g | n | ac | ax>
 
   Operation mode of wireless radio.
 
@@ -93,6 +114,9 @@ Wireless options
   * ``g`` - 802.11g - 54 Mbits/sec (default)
   * ``n`` - 802.11n - 600 Mbits/sec
   * ``ac`` - 802.11ac - 1300 Mbits/sec
+  * ``ax`` - 802.11ax - exceeds 1GBit/sec
+
+  .. note:: In VyOS, 802.11ax is only implemented for 6GHz as of yet.
 
 .. cfgcmd:: set interfaces wireless <interface> physical-device <device>
 
@@ -102,10 +126,12 @@ Wireless options
 
 .. cfgcmd:: set interfaces wireless <interface> reduce-transmit-power <number>
 
-  Add Power Constraint element to Beacon and Probe Response frames.
+  Adds the Power Constraint information element to Beacon and Probe Response
+  frames.
 
-  This option adds Power Constraint element when applicable and Country element
-  is added. Power Constraint element is required by Transmit Power Control.
+  This option adds the Power Constraint information element when applicable
+  and the Country information element is configured. The Power Constraint 
+  element is required by Transmit Power Control.
 
   Valid values are 0..255.
 
@@ -131,7 +157,9 @@ PPDU
 
 .. cfgcmd:: set interfaces wireless <interface> capabilities require-ht
 
-.. cfgcmd:: set interfaces wireless <interface> capabilities require-hvt
+.. cfgcmd:: set interfaces wireless <interface> capabilities require-vht
+
+.. cfgcmd:: set interfaces wireless <interface> capabilities require-he
 
 HT (High Throughput) capabilities (802.11n)
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -149,6 +177,7 @@ HT (High Throughput) capabilities (802.11n)
 
   Supported channel width set.
 
+  * ``ht20`` - 20 MHz channel width
   * ``ht40-`` - Both 20 MHz and 40 MHz with secondary channel below the primary
     channel
   * ``ht40+`` - Both 20 MHz and 40 MHz with secondary channel above the primary
@@ -234,10 +263,14 @@ VHT (Very High Throughput) capabilities (802.11ac)
 
   Beamforming capabilities:
 
-  * ``single-user-beamformer`` - Support for operation as single user beamformer
-  * ``single-user-beamformee`` - Support for operation as single user beamformee
-  * ``multi-user-beamformer`` - Support for operation as single user beamformer
-  * ``multi-user-beamformee`` - Support for operation as single user beamformer
+  * ``single-user-beamformer`` - Support for operation as 
+    single user beamformer
+  * ``single-user-beamformee`` - Support for operation as 
+    single user beamformee
+  * ``multi-user-beamformer`` - Support for operation as 
+    multi user beamformer
+  * ``multi-user-beamformee`` - Support for operation as 
+    multi user beamformee
 
 .. cfgcmd:: set interfaces wireless <interface> capabilities vht
    center-channel-freq <freq-1 | freq-2> <number>
@@ -262,7 +295,8 @@ VHT (Very High Throughput) capabilities (802.11ac)
 
   Enable LDPC (Low Density Parity Check) coding capability
 
-.. cfgcmd:: set interfaces wireless <interface> capabilities vht link-adaptation
+.. cfgcmd:: set interfaces wireless <interface> 
+  capabilities vht link-adaptation
 
   VHT link adaptation capabilities
 
@@ -274,7 +308,8 @@ VHT (Very High Throughput) capabilities (802.11ac)
 .. cfgcmd:: set interfaces wireless <interface> capabilities vht
    max-mpdu-exp <value>
 
-  Set the maximum length of A-MPDU pre-EOF padding that the station can receive
+  Set the maximum length of A-MPDU pre-EOF padding that the station can 
+  receive
 
 .. cfgcmd:: set interfaces wireless <interface> capabilities vht
    short-gi <80 | 160>
@@ -297,6 +332,58 @@ VHT (Very High Throughput) capabilities (802.11ac)
 
   Station supports receiving VHT variant HT Control field
 
+HE (High Efficiency) capabilities (802.11ax)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. cfgcmd:: set interfaces wireless <interface> 
+  capabilities he antenna-pattern-fixed
+
+  Tell the AP that antenna positions are fixed and will not change
+  during the lifetime of an association.
+
+.. cfgcmd:: set interfaces wireless <interface> capabilities he beamform 
+  <single-user-beamformer | single-user-beamformee | multi-user-beamformer>
+
+  Beamforming capabilities:
+
+  * ``single-user-beamformer`` - Support for operation as 
+    single user beamformer
+  * ``single-user-beamformee`` - Support for operation as 
+    single user beamformee
+  * ``multi-user-beamformer`` - Support for operation as single 
+    user beamformer
+
+.. cfgcmd:: set interfaces wireless <interface> 
+  capabilities he bss-color <number>
+
+  BSS coloring helps to prevent channel jamming when multiple APs use 
+  the same channels.
+
+  Valid values are 1..63
+
+.. cfgcmd:: set interfaces wireless <interface> capabilities he 
+  center-channel-freq <freq-1 | freq-2> <number>
+
+  HE operating channel center frequency - center freq 1
+  (for use with 80, 80+80 and 160 modes)
+
+  HE operating channel center frequency - center freq 2
+  (for use with the 80+80 mode)
+
+  <number> must be within 1..233. For 80 MHz channels it should be 
+  channel + 6 and for 160 MHz channels, it should be channel + 14.
+
+.. cfgcmd:: set interfaces wireless <interface> 
+  capabilities he channel-set-width <number>
+
+  <number> must be one of:
+
+  * ``131`` - 20 MHz channel width
+  * ``132`` - 40 MHz channel width
+  * ``133`` - 80 MHz channel width
+  * ``134`` - 160 MHz channel width
+  * ``135`` - 80+80 MHz channel width
+
 Wireless options (Station/Client)
 =================================
 
@@ -306,9 +393,9 @@ default physical device (``phy0``) is used.
 
 .. code-block:: none
 
+  set system wireless country-code de
   set interfaces wireless wlan0 type station
   set interfaces wireless wlan0 address dhcp
-  set interfaces wireless wlan0 country-code de
   set interfaces wireless wlan0 ssid Test
   set interfaces wireless wlan0 security wpa passphrase '12345678'
 
@@ -316,11 +403,14 @@ Resulting in
 
 .. code-block:: none
 
+  system {
+    wireless {
+      country-code de
+    }
+  }
   interfaces {
-    [...]
     wireless wlan0 {
       address dhcp
-      country-code de
       security {
         wpa {
           passphrase "12345678"
@@ -333,13 +423,13 @@ Resulting in
 Security
 ========
 
-:abbr:`WPA (Wi-Fi Protected Access)` and WPA2 Enterprise in combination with
-802.1x based authentication can be used to authenticate users or computers
-in a domain.
+:abbr:`WPA (Wi-Fi Protected Access)`, WPA2 Enterprise and WPA3 Enterprise in 
+combination with 802.1x based authentication can be used to authenticate 
+users or computers in a domain.
 
 The wireless client (supplicant) authenticates against the RADIUS server
 (authentication server) using an :abbr:`EAP (Extensible Authentication
-Protocol)`  method configured on the RADIUS server. The WAP (also referred
+Protocol)` method configured on the RADIUS server. The WAP (also referred
 to as authenticator) role is to send all authentication messages between the
 supplicant and the configured authentication server, thus the RADIUS server
 is responsible for authenticating the users.
@@ -353,10 +443,11 @@ The WAP in this example has the following characteristics:
 * Wireless channel ``1``
 * RADIUS server at ``192.168.3.10`` with shared-secret ``VyOSPassword``
 
+.. stop_vyoslinter
 .. code-block:: none
 
+  set system wireless country-code de
   set interfaces wireless wlan0 address '192.168.2.1/24'
-  set interfaces wireless wlan0 country-code de
   set interfaces wireless wlan0 type access-point
   set interfaces wireless wlan0 channel 1
   set interfaces wireless wlan0 mode n
@@ -366,15 +457,21 @@ The WAP in this example has the following characteristics:
   set interfaces wireless wlan0 security wpa radius server 192.168.3.10 key 'VyOSPassword'
   set interfaces wireless wlan0 security wpa radius server 192.168.3.10 port 1812
 
+.. start_vyoslinter
+
 Resulting in
 
 .. code-block:: none
 
+  system {
+    wireless {
+      country-code de
+    }
+  }
   interfaces {
     [...]
     wireless wlan0 {
           address 192.168.2.1/24
-          country-code de
           channel 1
           mode n
           security {
@@ -431,6 +528,7 @@ about all wireless interfaces.
 Use this command to view operational status and details wireless-specific
 information about all wireless interfaces.
 
+.. stop_vyoslinter
 .. code-block:: none
 
   vyos@vyos:~$ show interfaces wireless detail
@@ -458,11 +556,14 @@ information about all wireless interfaces.
       TX:  bytes    packets     errors    dropped    carrier collisions
            183413      5430          0          0          0          0
 
+.. start_vyoslinter
+
 .. opcmd:: show interfaces wireless <wlanX>
 
 This command shows both status and statistics on the specified wireless
 interface. The wireless interface identifier can range from wlan0 to wlan999.
 
+.. stop_vyoslinter
 .. code-block:: none
 
   vyos@vyos:~$ show interfaces wireless wlan0
@@ -478,6 +579,8 @@ interface. The wireless interface identifier can range from wlan0 to wlan999.
       TX:  bytes    packets     errors    dropped    carrier collisions
            83413        430          0          0          0          0
 
+.. start_vyoslinter
+
 
 .. opcmd:: show interfaces wireless <wlanX> brief
 
@@ -554,6 +657,7 @@ The WAP in this example has the following characteristics:
 
 .. code-block:: none
 
+  set system wireless country-code de
   set interfaces wireless wlan0 address '192.168.2.1/24'
   set interfaces wireless wlan0 type access-point
   set interfaces wireless wlan0 channel 1
@@ -562,18 +666,21 @@ The WAP in this example has the following characteristics:
   set interfaces wireless wlan0 security wpa mode wpa2
   set interfaces wireless wlan0 security wpa cipher CCMP
   set interfaces wireless wlan0 security wpa passphrase '12345678'
-  set interfaces wireless wlan0 country-code de
 
 Resulting in
 
 .. code-block:: none
 
+  system {
+    wireless {
+      country-code de
+    }
+  }
   interfaces {
     [...]
     wireless wlan0 {
           address 192.168.2.1/24
           channel 1
-          country-code de
           mode n
           security {
               wpa {
@@ -608,8 +715,8 @@ still put this card into AP mode using the following configuration:
 .. stop_vyoslinter
 .. code-block:: none
 
+  set system wireless country-code 'us'
   set interfaces wireless wlan0 channel '1'
-  set interfaces wireless wlan0 country-code 'us'
   set interfaces wireless wlan0 mode 'n'
   set interfaces wireless wlan0 physical-device 'phy0'
   set interfaces wireless wlan0 ssid 'VyOS'
diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst
index 98890158..00f927bb 100644
--- a/docs/configuration/interfaces/wwan.rst
+++ b/docs/configuration/interfaces/wwan.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-01-27
+:lastproofread: 2024-07-04
 
 .. _wwan-interface:
 
@@ -320,11 +320,11 @@ The following hardware modules have been tested successfully in an
 Firmware Update
 ***************
 
-All available WWAN cards have a build in, reprogrammable firmware. Most of the
-vendors provide a regular update to the firmware used in the baseband chip.
+All available WWAN cards have a built-in, reprogrammable firmware. Most vendors
+provide regular updates to firmware used in the baseband chip.
 
-As VyOS makes use of the QMI interface to connect to the WWAN modem cards, also
-the firmware can be reprogrammed.
+As VyOS makes use of the QMI interface to connect to the WWAN modem cards, the
+firmware can be reprogrammed.
 
 To update the firmware, VyOS also ships the `qmi-firmware-update` binary. To
 upgrade the firmware of an e.g. Sierra Wireless MC7710 module to the firmware