Diffstat (limited to 'docs/configuration/service')

-rw-r--r--  docs/configuration/service/conntrack-sync.rst  |   4
-rw-r--r--  docs/configuration/service/dns.rst             | 198
-rw-r--r--  docs/configuration/service/ipoe-server.rst     |  24
-rw-r--r--  docs/configuration/service/pppoe-server.rst    |  10
-rw-r--r--  docs/configuration/service/router-advert.rst   |   8

5 files changed, 118 insertions, 126 deletions
diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index 468b39d9..d43f2385 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -98,6 +98,10 @@ Configuration This diable the external cache and directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall. +.. cfgcmd:: set service conntrack-sync disable-syslog + + Disable connection logging via Syslog. + ********* Operation ********* diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index e430dc73..c6deb179 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst 
@@ -143,33 +143,6 @@ avoid being tracked by the provider of your upstream DNS server. 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream DNS server(s) to be used for reverse lookups of these zones. -.. cfgcmd:: set service dns forwarding serve-stale-extension <0-65535> - - Maximum number of times an expired record’s TTL is extended by 30s when - serving stale. Extension only occurs if a record cannot be refreshed. A - value of 0 means the Serve Stale mechanism is not used. To allow records - becoming stale to be served for an hour, use a value of 120. - -.. cfgcmd:: set service dns forwarding exclude-throttle-address <ip|prefix> - - When an authoritative server does not answer a query or sends a reply the - recursor does not like, it is throttled. Any servers matching the supplied - netmasks will never be throttled. - -.. cfgcmd:: set service dns forwarding options ecs-add-for <address> - - The requestor netmask for which the requestor IP Address should be used as the - EDNS Client Subnet for outgoing queries. - -.. cfgcmd:: set service dns forwarding options ecs-ipv4-bits <number> - - Number of bits of client IPv4 address to pass when sending EDNS Client Subnet - address information. - -.. cfgcmd:: set service dns forwarding options edns-subnet-allow-list <address|domain> - - The netmask or domain that EDNS Client Subnet should be enabled for in outgoing queries. - Example ======= @@ -231,8 +204,8 @@ this only one purpose. ddclient_ uses two methods to update a DNS record. The first one will send updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second -one involves a third party service, like DynDNS.com or any other similar -website. This method uses HTTP requests to transmit the new IP address. You +one involves a third party service, like DynDNS.com or any other such +service provider. This method uses HTTP requests to transmit the new IP address. You can configure both in VyOS. .. _dns:dynmaic_config: 
@@ -243,46 +216,43 @@ Configuration :rfc:`2136` Based ----------------- -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> - Create new :rfc:`2136` DNS update configuration which will update the IP + Create new dynamic DNS update configuration which will update the IP address assigned to `<interface>` on the service you configured under `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - key <keyfile> +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> key <filename> - File identified by `<keyfile>` containing the secret RNDC key shared with - remote DNS server. + File identified by `<filename>` containing the TSIG authentication key for RFC2136 + nsupdate on remote DNS server. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server> Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - zone <zone> +.. cfgcmd:: set service dns dynamic name <service-name> zone <zone> Configure DNS `<zone>` to be updated. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - record <record> +.. cfgcmd:: set service dns dynamic name <service-name> host-name <record> - Configure DNS `<record>` which should be updated. This can be set multiple - times. + Configure DNS `<record>` which should be updated. This can be set multiple times. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - ttl <ttl> +.. 
cfgcmd:: set service dns dynamic name <service-name> ttl <ttl> Configure optional TTL value on the given resource record. This defaults to 600 seconds. -.. cfgcmd:: set service dns dynamic timeout <60-3600> +.. cfgcmd:: set service dns dynamic interval <60-3600> - Specify timeout / update interval to check if IP address changed. - - This defaults to 300 seconds. + Specify interval in seconds to wait between Dynamic DNS updates. + The default is 300 seconds. .. _dns:dynmaic_example: 
@@ -295,32 +265,48 @@ Example .. code-block:: none + # Configuration commands entered: + # + set service dns dynamic name 'VyOS-DNS' address interface 'eth0' + set service dns dynamic name 'VyOS-DNS' description 'RFC 2136 dynamic dns service' + set service dns dynamic name 'VyOS-DNS' key '/config/auth/my.key' + set service dns dynamic name 'VyOS-DNS' server 'ns1.vyos.io' + set service dns dynamic name 'VyOS-DNS' zone 'vyos.io' + set service dns dynamic name 'VyOS-DNS' host-name 'example.vyos.io' + set service dns dynamic name 'VyOS-DNS' protocol 'nsupdate' + set service dns dynamic name 'VyOS-DNS' ttl '300' + + # Resulting config: + # vyos@vyos# show service dns dynamic - interface eth0.7 { - rfc2136 VyOS-DNS { - key /config/auth/my.key - record example.vyos.io - server ns1.vyos.io - ttl 300 - zone vyos.io + name VyOS-DNS { + address { + interface eth0 } + description "RFC 2136 dynamic dns service" + host-name example.vyos.io + key /config/auth/my.key + protocol nsupdate + server ns1.vyos.io + ttl 300 + zone vyos.io } This will render the following ddclient_ configuration entry: .. code-block:: none + # ddclient configuration for interface "eth0": # - # ddclient configuration for interface "eth0.7": - # - use=if, if=eth0.7 - - # RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io - server=ns1.vyos.io - protocol=nsupdate - password=/config/auth/my.key - ttl=300 - zone=vyos.io + + # Web service dynamic DNS configuration for VyOS-DNS: [nsupdate, example.vyos.io] + use=if, \ + if=eth0, \ + protocol=nsupdate, \ + server=ns1.vyos.io, \ + zone=vyos.io, \ + password='/config/auth/my.key', \ + ttl=300 \ example.vyos.io .. note:: You can also keep different DNS zone updated. Just create a new 
@@ -335,40 +321,43 @@ VyOS is also able to use any service relying on protocols supported by ddclient. To use such a service, one must define a login, password, one or multiple hostnames, protocol and server. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - host-name <hostname> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> + + Create new dynamic DNS update configuration which will update the IP + address assigned to `<interface>` on the service you configured under + `<service-name>`. + +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> host-name <hostname> Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS - provider identified by `<service>` when the IP address on address - `<interface>` changes. + provider identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - username <username> +.. cfgcmd:: set service dns dynamic name <service-name> username <username> Configure `<username>` used when authenticating the update request for - DynDNS service identified by `<service>`. - For Namecheap, set the <domain> you wish to update. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - password <password> +.. cfgcmd:: set service dns dynamic name <service-name> password <password> Configure `<password>` used when authenticating the update request for - DynDNS service identified by `<service>`. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - protocol <protocol> +.. 
cfgcmd:: set service dns dynamic name <service-name> protocol <protocol> - When a ``custom`` DynDNS provider is used the protocol used for communicating + When a ``custom`` DynDNS provider is used, the protocol used for communicating to the provider must be specified under `<protocol>`. See the embedded - completion helper for available protocols. + completion helper when entering above command for available protocols. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server> When a ``custom`` DynDNS provider is used the `<server>` where update requests are being sent to must be specified. -.. cfgcmd:: set service dns dynamic address <interface> ipv6-enable +.. cfgcmd:: set service dns dynamic name <service-name> ip-version 'ipv6' Allow explicit IPv6 address for the interface. @@ -376,14 +365,17 @@ hostnames, protocol and server. Example: ^^^^^^^^ -Use DynDNS as your preferred provider: +Use deSEC (dedyn.io) as your preferred provider: .. code-block:: none - set service dns dynamic address eth0 service dyndns - set service dns dynamic address eth0 service dyndns username my-login - set service dns dynamic address eth0 service dyndns password my-password - set service dns dynamic address eth0 service dyndns host-name my-dyndns-hostname + set service dns dynamic name dedyn description 'deSEC dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn server 'update.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' .. note:: Multiple services can be used per interface. Just specify as many services per interface as you like! 
@@ -393,12 +385,14 @@ Example IPv6 only: .. code-block:: none - set service dns dynamic address eth0 ipv6-enable - set service dns dynamic address eth0 service dyndns6 username my-login - set service dns dynamic address eth0 service dyndns6 password my-password - set service dns dynamic address eth0 service dyndns6 host-name my-dyndns-hostname - set service dns dynamic address eth0 service dyndns6 protocol dyndns2 - set service dns dynamic address eth0 service dyndns6 server dyndns-v6-server + set service dns dynamic name dedyn description 'deSEC ipv6 dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn ip-version 'ipv6' + set service dns dynamic name dedyn server 'update6.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' Running Behind NAT 
@@ -408,21 +402,15 @@ By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP. -Above, command syntax isn noted to configure dynamic dns on a specific interface. -It is possible to overlook the additional address option, web, when completeing -those commands. ddclient_ has another way to determine the WAN IP address, using -a web-based url to determine the external IP. Each of the commands above will -need to be modified to use 'web' as the 'interface' specified if this functionality -is to be utilized. - -This functionality is controlled by adding the following configuration: +ddclient_ has another way to determine the WAN IP address. This is controlled +by: -.. cfgcmd:: set service dns dynamic address web web-options url <url> +.. cfgcmd:: set service dns dynamic name <service-name> address web <url> Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` and tries to extract your IP address from the response. -.. cfgcmd:: set service dns dynamic address web web-options skip <pattern> +.. cfgcmd:: set service dns dynamic name <service-name> address web skip <pattern> ddclient_ will skip any address located before the string set in `<pattern>`. diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index 5608c27c..64048552 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst @@ -52,7 +52,7 @@ the configuration. .. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC> - Creates local pppoe user with username=**<interface>** and + Creates local IPoE user with username=**<interface>** and password=**<MAC>** (mac-address) .. cfgcmd:: set service ipoe-server authentication mode <local | radius> 
@@ -68,7 +68,7 @@ the configuration. .. cfgcmd:: set service ipoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> Use this command to define the first IP address of a pool of - addresses to be given to l2tp clients. If notation ``x.x.x.x-x.x.x.x``, + addresses to be given to IPoE clients. If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet. If notation ``x.x.x.x/x`` is used there is possibility to set host/netmask. @@ -251,15 +251,6 @@ User interface can be put to VRF context via RADIUS Access-Accept packet, or cha it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. Define it in your RADIUS server. -Renaming clients interfaces by RADIUS -===================================== - -If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be -renamed. - -.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 - characters, otherwise the interface won't be renamed. - **** IPv6 **** 
@@ -267,16 +258,16 @@ IPv6 .. cfgcmd:: set service ipoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address> mask <number-of-bits> - Use this comand to set the IPv6 address pool from which an l2tp client + Use this comand to set the IPv6 address pool from which an IPoE client will get an IPv6 prefix of your defined length (mask) to terminate the - l2tp endpoint at their side. The mask length can be set from 48 to 128 + IPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64. .. cfgcmd:: set service ipoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address> delegation-prefix <number-of-bits> Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on - l2tp. You will have to set your IPv6 pool and the length of the + IPoE. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long. @@ -398,6 +389,11 @@ Global Advanced options Monitoring ********** +.. opcmd:: show ipoe-server sessions + + Use this command to locally check the active sessions in the IPoE + server. + .. code-block:: none vyos@vyos:~$ show ipoe-server sessions diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index 04113666..99b3fbb5 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst 
@@ -352,16 +352,16 @@ IPv6 .. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address> mask <number-of-bits> - Use this comand to set the IPv6 address pool from which an l2tp client + Use this comand to set the IPv6 address pool from which an PPPoE client will get an IPv6 prefix of your defined length (mask) to terminate the - l2tp endpoint at their side. The mask length can be set from 48 to 128 + PPPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64. .. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address> delegation-prefix <number-of-bits> Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on - l2tp. You will have to set your IPv6 pool and the length of the + PPPoE. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long. @@ -624,7 +624,7 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation ======================================================== -The example below covers a dual-stack configuration via pppoe-server. +The example below covers a dual-stack configuration. .. code-block:: none @@ -642,7 +642,7 @@ The example below covers a dual-stack configuration via pppoe-server. set service pppoe-server gateway-address '10.100.100.1' The client, once successfully authenticated, will receive an IPv4 and an -IPv6 /64 address to terminate the pppoe endpoint on the client side and +IPv6 /64 address to terminate the PPPoE endpoint on the client side and a /56 subnet for the clients internal use. .. code-block:: none diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index eb1a6844..f179153a 100644 
--- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst @@ -26,7 +26,7 @@ Supported interface types: Enabling Advertisments ~~~~~~~~~~~~~~~~~~~~~~~ -.. cfgcmd:: set service router-advert interface <interface> .... +.. cfgcmd:: set service router-advert interface <interface> ... .. stop_vyoslinter @@ -52,7 +52,11 @@ Enabling Advertisments Advertising a Prefix '''''''''''''''''''' -.. cfgcmd:: set service router-advert interface <interface> prefix 2001:DB8::/32 +.. cfgcmd:: set service router-advert interface <interface> prefix <prefix/mask> + + .. note:: You can also opt for using `::/64` as prefix for your :abbr:`RAs (Router + Advertisements)`. This will take the IPv6 GUA prefix assigned to the interface, + which comes in handy when using DHCPv6-PD. .. stop_vyoslinter |
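Review bot: the new `disable-syslog` entry in the conntrack-sync hunk says only "Disable connection logging via Syslog."; state what is logged while it stays enabled and why an operator would turn it off (log volume on a busy sync pair), so readers understand they are giving up the audit trail of synced flows when they set it. While this region is being touched, the context line "This diable the external cache" has a typo and should read "This disables the external cache".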
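Review bot: the first dns.rst hunk deletes five documented forwarding options (`serve-stale-extension`, `exclude-throttle-address`, `options ecs-add-for`, `options ecs-ipv4-bits`, `options edns-subnet-allow-list`) with no replacement text and no cross-reference. If these commands moved to another page, add a `:ref:` to it; if they were dropped from VyOS, say so in the commit message, otherwise the serve-stale and EDNS Client Subnet knobs silently become undocumented. The context sentence "which enabling upstream DNS server(s) to be used for reverse lookups" also reads awkwardly; "which enables the upstream DNS server(s) to be used" would be clearer.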
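Review bot: the `key <filename>` entry in the RFC 2136 section names a TSIG key file but says nothing about the expected file format or how the file gets onto the router (the example later points at `/config/auth/my.key`); add a sentence on the format and a reminder that the file holds a shared secret and should be readable only by root. The section also documents no `protocol` node, yet the example that follows sets `protocol 'nsupdate'`; add a `.. cfgcmd:: set service dns dynamic name <service-name> protocol nsupdate` entry here or cross-reference the `protocol` entry in the web-service section. Finally, the same `host-name` node is documented as `host-name <record>` here and `host-name <hostname>` in the web-service section; pick one placeholder.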
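Review bot: in the rendered ddclient snippet of the example hunk, the comment reads "# Web service dynamic DNS configuration for VyOS-DNS: [nsupdate, example.vyos.io]", but this entry is an RFC 2136 `nsupdate` update, not a web-service one; if that is the literal template output the template comment is misleading and deserves its own fix, otherwise correct the docs. The `# Configuration commands entered:` / `# Resulting config:` split inside the `code-block:: none` is a good addition; the two web-service examples below would benefit from the same layout so readers can compare entered commands with the resulting tree.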
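Review bot: `ip-version 'ipv6'` in the web-service hunk keeps the old description "Allow explicit IPv6 address for the interface.", which described the removed `ipv6-enable` flag; describe the new `ip-version` node instead (which values it accepts and what the default is). The hunk also drops "For Namecheap, set the <domain> you wish to update." from the `username` entry; if that provider quirk still applies, keep the sentence. The `address interface` and `description` entries are copied verbatim from the RFC 2136 section; a shared "Common options" subsection with a `:ref:` from both places would keep the two copies from drifting apart.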
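Review bot: the deSEC example stores the provider credential in the running configuration as `password 'mypassword'`; one sentence after the block on where that value ends up (the saved config and `show configuration` output) would tell operators to protect configuration backups accordingly. The trailing note "Multiple services can be used per interface. Just specify as many services per interface as you like!" still speaks in terms of the removed per-interface tree; under the new `name <service-name>` syntax it would be clearer as "several service names may reference the same interface".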
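Review bot: the IPv4 and IPv6 examples both use the service name `dedyn`; a reader who enters both blocks in sequence overwrites the first service with the second instead of getting two. Either use distinct names (for instance `dedyn4` and `dedyn6`) or state that the "IPv6 only" block is an alternative to, not an addition to, the block above it.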
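Review bot: the `address web <url>` entry should say that whatever address the remote page returns is what gets published in DNS, so the URL should be an HTTPS endpoint run by a party the operator trusts; a plain-HTTP lookup can be altered on the path and the altered address would then land in the zone. Grammar in the same entry: "ddclient_ will load `<url>` and tries to extract your IP address" should be "ddclient_ loads `<url>` and tries to extract your IP address". The removed paragraph also told readers that `web` replaces the interface as the address source; keep that in one sentence, e.g. "use `address web` in place of `address interface`", so the relationship between the two nodes is not lost.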
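Review bot: the ipoe-server hunk at line 251 removes the whole "Renaming clients interfaces by RADIUS" section, including the note that `NAS-Port-Id` must be shorter than 16 characters, with no replacement. If interface renaming via `NAS-Port-Id` no longer applies to IPoE, say so in the commit message; otherwise that length limit is exactly the detail operators trip over and it should stay, perhaps folded into the RADIUS section directly above it.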
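Review bot: in the IPv6 hunk of ipoe-server.rst the context line "Use this comand to set the IPv6 address pool" carries the typo "comand"; since the adjacent line is already being edited (`l2tp` to `IPoE`), fix it in the same hunk rather than leaving it for a later pass.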
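Review bot: in the pppoe-server.rst IPv6 hunk the new line reads "from which an PPPoE client"; it should be "from which a PPPoE client". The same entry has the "comand" typo in its first context line ("Use this comand to set"), which can be fixed alongside.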
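Review bot: in the new `.. note::` under `prefix <prefix/mask>` in router-advert.rst, `::/64` is wrapped in single backticks, which reStructuredText renders as interpreted text (italic by default) rather than a literal; use double backticks to match the ``x.x.x.x-x.x.x.x`` style used elsewhere in these pages. The note would also be more useful if it said what the router advertises while the interface has no GUA yet (is the prefix option simply left out of the RA until delegation completes?), since that transitional state is exactly the DHCPv6-PD case the note targets.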