Diffstat (limited to 'docs/configuration/service')
-rw-r--r--docs/configuration/service/dhcp-relay.rst10
-rw-r--r--docs/configuration/service/dns.rst74
-rw-r--r--docs/configuration/service/https.rst17
-rw-r--r--docs/configuration/service/lldp.rst2
-rw-r--r--docs/configuration/service/mdns.rst67
-rw-r--r--docs/configuration/service/monitoring.rst4
-rw-r--r--docs/configuration/service/pppoe-server.rst59
-rw-r--r--docs/configuration/service/ssh.rst28
8 files changed, 168 insertions, 93 deletions
diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst
index 43abf254..dc45d071 100644
--- a/docs/configuration/service/dhcp-relay.rst
+++ b/docs/configuration/service/dhcp-relay.rst
@@ -45,6 +45,10 @@ Configuration
The router should discard DHCP packages already containing relay agent
information to ensure that only requests from DHCP clients are forwarded.
+.. cfgcmd:: set service dhcp-relay disable
+
+ Disable dhcp-relay service.
+
Options
-------
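Review bot: the new `set service dhcp-relay disable` entry only says "Disable dhcp-relay service." and does not tell the reader that the rest of the relay configuration is kept; the mdns page in this same change phrases it as "can be temporarily disabled without deleting the service", and the same wording here would make the two pages consistent and make the intent clear.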
@@ -146,6 +150,12 @@ Configuration
.. _dhcp-relay:ipv6_options:
+.. cfgcmd:: set service dhcpv6-relay disable
+
+ Disable dhcpv6-relay service.
+
+.. _dhcp_relay:v6_options:
+
Options
-------
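Review bot: the added label `.. _dhcp_relay:v6_options:` sits directly under the existing `.. _dhcp-relay:ipv6_options:` label, so the "Options" heading now carries two reference targets with inconsistent naming (hyphen vs. underscore, `ipv6` vs. `v6`). Drop the new label and point any new cross reference at the existing `dhcp-relay:ipv6_options`, or, if a second name is really needed, use the same `dhcp-relay:` prefix as the rest of the file.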
diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst
index 5fe408f1..2caeb22d 100644
--- a/docs/configuration/service/dns.rst
+++ b/docs/configuration/service/dns.rst
@@ -31,7 +31,7 @@ avoid being tracked by the provider of your upstream DNS server.
on optional port specified under `<port>`. The port defaults to 53. You can
configure multiple nameservers here.
-.. cfgcmd:: set service dns forwarding domain <domain-name> server <address>
+.. cfgcmd:: set service dns forwarding domain <domain-name> name-server <address>
Forward received queries for a particular domain
(specified via `domain-name`) to a given nameserver. Multiple nameservers
@@ -164,8 +164,8 @@ In this scenario:
.. code-block:: none
- set service dns forwarding domain example.com server 192.0.2.254
- set service dns forwarding domain example.com server 2001:db8:cafe::1
+ set service dns forwarding domain example.com name-server 192.0.2.254
+ set service dns forwarding domain example.com name-server 2001:db8:cafe::1
set service dns forwarding name-server 192.0.2.1
set service dns forwarding name-server 192.0.2.2
set service dns forwarding name-server 192.0.2.3 port 853
@@ -216,41 +216,47 @@ Configuration
:rfc:`2136` Based
-----------------
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name>
Create new :rfc:`2136` DNS update configuration which will update the IP
address assigned to `<interface>` on the service you configured under
`<service-name>`.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name>
key <keyfile>
File identified by `<keyfile>` containing the secret RNDC key shared with
remote DNS server.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name>
server <server>
Configure the DNS `<server>` IP/FQDN used when updating this dynamic
assignment.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name>
zone <zone>
Configure DNS `<zone>` to be updated.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name>
record <record>
Configure DNS `<record>` which should be updated. This can be set multiple
times.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name>
ttl <ttl>
Configure optional TTL value on the given resource record. This defaults to
600 seconds.
+.. cfgcmd:: set service dns dynamic timeout <60-3600>
+
+ Specify timeout / update interval to check if IP address changed.
+
+ This defaults to 300 seconds.
+
.. _dns:dynmaic_example:
Example
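Review bot: the node was renamed from `interface` to `address`, but the placeholder in every command is still `<interface>` and the descriptions still talk about "the IP address assigned to `<interface>`", so the reader cannot tell what value `address` expects. Either rename the placeholder to match the node or add one sentence stating that the value is the interface whose address is tracked (and, per the "Running Behind NAT" section of this change, the literal `web`). The `timeout <60-3600>` entry is fine; consider saying whether it applies per address or globally, since it is not nested under `address`.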
@@ -302,40 +308,40 @@ VyOS is also able to use any service relying on protocols supported by ddclient.
To use such a service, one must define a login, password, one or multiple
hostnames, protocol and server.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+.. cfgcmd:: set service dns dynamic address <interface> service <service>
host-name <hostname>
Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS
- provider identified by `<service>` when the IP address on interface
+ provider identified by `<service>` when the IP address on address
`<interface>` changes.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service>
- login <username>
+.. cfgcmd:: set service dns dynamic address <interface> service <service>
+ username <username>
Configure `<username>` used when authenticating the update request for
DynDNS service identified by `<service>`.
For Namecheap, set the <domain> you wish to update.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+.. cfgcmd:: set service dns dynamic address <interface> service <service>
password <password>
Configure `<password>` used when authenticating the update request for
DynDNS service identified by `<service>`.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+.. cfgcmd:: set service dns dynamic address <interface> service <service>
protocol <protocol>
When a ``custom`` DynDNS provider is used the protocol used for communicating
to the provider must be specified under `<protocol>`. See the embedded
completion helper for available protocols.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+.. cfgcmd:: set service dns dynamic address <interface> service <service>
server <server>
When a ``custom`` DynDNS provider is used the `<server>` where update
requests are being sent to must be specified.
-.. cfgcmd:: set service dns dynamic interface <interface> ipv6-enable
+.. cfgcmd:: set service dns dynamic address <interface> ipv6-enable
Allow explicit IPv6 address for the interface.
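Review bot: the search-and-replace produced "when the IP address on address `<interface>` changes" in the `host-name` description; it should read "when the IP address of `<interface>` changes". The `login` to `username` rename is applied consistently in the examples below, but a one-line note that `login` was the previous keyword would help anyone updating an existing configuration from the old syntax.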
@@ -347,10 +353,10 @@ Use DynDNS as your preferred provider:
.. code-block:: none
- set service dns dynamic interface eth0 service dyndns
- set service dns dynamic interface eth0 service dyndns login my-login
- set service dns dynamic interface eth0 service dyndns password my-password
- set service dns dynamic interface eth0 service dyndns host-name my-dyndns-hostname
+ set service dns dynamic address eth0 service dyndns
+ set service dns dynamic address eth0 service dyndns username my-login
+ set service dns dynamic address eth0 service dyndns password my-password
+ set service dns dynamic address eth0 service dyndns host-name my-dyndns-hostname
.. note:: Multiple services can be used per interface. Just specify as many
services per interface as you like!
@@ -360,12 +366,12 @@ Example IPv6 only:
.. code-block:: none
- set service dns dynamic interface eth0 ipv6-enable
- set service dns dynamic interface eth0 service dyndns6 login my-login
- set service dns dynamic interface eth0 service dyndns6 password my-password
- set service dns dynamic interface eth0 service dyndns6 host-name my-dyndns-hostname
- set service dns dynamic interface eth0 service dyndns6 protocol dyndns2
- set service dns dynamic interface eth0 service dyndns6 server dyndns-v6-server
+ set service dns dynamic address eth0 ipv6-enable
+ set service dns dynamic address eth0 service dyndns6 username my-login
+ set service dns dynamic address eth0 service dyndns6 password my-password
+ set service dns dynamic address eth0 service dyndns6 host-name my-dyndns-hostname
+ set service dns dynamic address eth0 service dyndns6 protocol dyndns2
+ set service dns dynamic address eth0 service dyndns6 server dyndns-v6-server
Running Behind NAT
@@ -375,15 +381,21 @@ By default, ddclient_ will update a dynamic dns record using the IP address
directly attached to the interface. If your VyOS instance is behind NAT, your
record will be updated to point to your internal IP.
-ddclient_ has another way to determine the WAN IP address. This is controlled
-by:
+Above, command syntax isn noted to configure dynamic dns on a specific interface.
+It is possible to overlook the additional address option, web, when completeing
+those commands. ddclient_ has another way to determine the WAN IP address, using
+a web-based url to determine the external IP. Each of the commands above will
+need to be modified to use 'web' as the 'interface' specified if this functionality
+is to be utilized.
+
+This functionality is controlled by adding the following configuration:
-.. cfgcmd:: set service dns dynamic interface <interface> use-web url <url>
+.. cfgcmd:: set service dns dynamic address web web-options url <url>
Use configured `<url>` to determine your IP address. ddclient_ will load
`<url>` and tries to extract your IP address from the response.
-.. cfgcmd:: set service dns dynamic interface <interface> use-web skip <pattern>
+.. cfgcmd:: set service dns dynamic address web web-options skip <pattern>
ddclient_ will skip any address located before the string set in `<pattern>`.
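Review bot: the new paragraph has typos ("isn noted", "completeing") and is hard to follow; it can be reduced to: "The commands above track the address of an interface. When VyOS sits behind NAT, set the `address` to the literal `web` instead of an interface name and configure `web-options`, and ddclient_ will fetch `<url>` and extract the public IP from the response." Since the value extracted from that response is written straight into your DNS record, the text should also recommend an HTTPS `<url>` and a `skip <pattern>` that matches the page layout, so that a tampered or unexpected response cannot point the record at an address you did not intend.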
diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst
index 08b16575..eb2e30eb 100644
--- a/docs/configuration/service/https.rst
+++ b/docs/configuration/service/https.rst
@@ -20,28 +20,19 @@ Configuration
.. cfgcmd:: set service https api debug
- To enable debug messages. Available via :opcmd:`show log` or
+ To enable debug messages. Available via :opcmd:`show log` or
:opcmd:`monitor log`
-.. cfgcmd:: set service https api port
-
- Set the listen port of the local API, this has no effect on the
- webserver. The default is port 8080
-
-.. cfgcmd:: set service https api socket
-
- Use local socket for API
-
.. cfgcmd:: set service https api strict
Enforce strict path checking
-.. cfgcmd:: set service https virtual-host <vhost> listen-address
+.. cfgcmd:: set service https virtual-host <vhost> listen-address
<ipv4 or ipv6 address>
Address to listen for HTTPS requests
-.. cfgcmd:: set service https virtual-host <vhost> listen-port <1-65535>
+.. cfgcmd:: set service https virtual-host <vhost> port <1-65535>
Port to listen for HTTPS requests; default 443
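Review bot: removing the `api port` and `api socket` entries leaves the API section with no statement of where the API is reached; if those commands were removed from the CLI, say so (and what replaces them, e.g. that the API is now served on the virtual-host `port`), otherwise the documentation now silently omits a setting that still exists. The `listen-port` to `port` rename is reflected in the example further down, which is good; a short migration note next to `port` would help users with existing configurations.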
@@ -91,6 +82,6 @@ To use this full configuration we asume a public accessible hostname.
set service https certificates certbot domain-name rtr01.example.com
set service https certificates certbot email mail@example.com
set service https virtual-host rtr01 listen-address 198.51.100.2
- set service https virtual-host rtr01 listen-port 11443
+ set service https virtual-host rtr01 port 11443
set service https virtual-host rtr01 server-name rtr01.example.com
set service https api-restrict virtual-host rtr01
diff --git a/docs/configuration/service/lldp.rst b/docs/configuration/service/lldp.rst
index aa357211..12a9e0b6 100644
--- a/docs/configuration/service/lldp.rst
+++ b/docs/configuration/service/lldp.rst
@@ -54,7 +54,7 @@ Configuration
Disable transmit of LLDP frames on given `<interface>`. Useful to exclude
certain interfaces from LLDP when ``all`` have been enabled.
-.. cfgcmd:: set service lldp snmp enable
+.. cfgcmd:: set service lldp snmp
Enable SNMP queries of the LLDP database
diff --git a/docs/configuration/service/mdns.rst b/docs/configuration/service/mdns.rst
index 9d6a292a..51fbf1a1 100644
--- a/docs/configuration/service/mdns.rst
+++ b/docs/configuration/service/mdns.rst
@@ -5,28 +5,44 @@ Starting with VyOS 1.2 a :abbr:`mDNS (Multicast DNS)` repeater functionality is
provided. Additional information can be obtained from
https://en.wikipedia.org/wiki/Multicast_DNS.
-Multicast DNS uses the 224.0.0.251 address, which is "administratively scoped"
-and does not leave the subnet. It retransmits mDNS packets from one interface
-to other interfaces. This enables support for e.g. Apple Airplay devices across
-multiple VLANs.
+Multicast DNS uses the reserved address ``224.0.0.251``, which is
+`"administratively scoped"` and does not leave the subnet. mDNS repeater
+retransmits mDNS packets from one interface to other interfaces. This enables
+support for devices using mDNS discovery (like network printers, Apple Airplay,
+Chromecast, various IP based home-automation devices etc) across multiple VLANs.
-Since the mDNS protocol sends the AA records in the packet itself, the repeater
-does not need to forge the source address. Instead, the source address is of
-the interface that repeats the packet.
+Since the mDNS protocol sends the :abbr:`AA(Authoritative Answer)` records in
+the packet itself, the repeater does not need to forge the source address.
+Instead, the source address is of the interface that repeats the packet.
Configuration
=============
.. cfgcmd:: set service mdns repeater interface <interface>
- To enable mDNS repeater you need to configure at least two interfaces. To
- re-broadcast all incoming mDNS packets from any interface configured here to
- any other interface configured under this section.
+ To enable mDNS repeater you need to configure at least two interfaces so that
+ all incoming mDNS packets from one interface configured here can be
+ re-broadcasted to any other interface(s) configured under this section.
.. cfgcmd:: set service mdns repeater disable
mDNS repeater can be temporarily disabled without deleting the service using
+.. cfgcmd:: set service mdns repeater ip-version <ipv4 | ipv6 | both>
+
+ mDNS repeater can be enabled either on IPv4 socket or on IPv6 socket or both
+ to re-broadcast. By default, mDNS repeater will listen on both IPv4 and IPv6.
+
+.. cfgcmd:: set service mdns repeater allow-service <service>
+
+ mDNS repeater can be configured to re-broadcast only specific services. By
+ default, all services are re-broadcasted.
+
+.. cfgcmd:: set service mdns repeater browse-domain <domain>
+
+ Allow listing additional custom domains to be browsed (in addition to the
+ default ``local``) so that they can be reflected.
+
.. note:: You can not run this in a VRRP setup, if multiple mDNS repeaters
are launched in a subnet you will experience the mDNS packet storm death!
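Review bot: "administratively scoped" is the wrong term for 224.0.0.251 and the change adds quotes around it, which makes it look deliberate. 224.0.0.251 is in the 224.0.0.0/24 local network control block (link-local scope); the administratively scoped range is 239.0.0.0/8. Suggest: "uses the link-local multicast address ``224.0.0.251``, which routers do not forward beyond the subnet." Also, "re-broadcasted" (used three times in this hunk) should be "re-broadcast", and `:abbr:`AA(Authoritative Answer)`` should carry a space before the parenthesis to match `:abbr:`mDNS (Multicast DNS)`` at the top of the file.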
@@ -41,4 +57,35 @@ received on `eth0` to `eth1` (and vice-versa) use the following commands:
set service mdns repeater interface 'eth0'
set service mdns repeater interface 'eth1'
+To allow only specific services, for example ``_airplay._tcp`` or ``_ipp._tcp``,
+(instead of all services) to be re-broadcasted, use the following command:
+
+.. code-block:: none
+
+ set service mdns repeater allow-service '_airplay._tcp'
+ set service mdns repeater allow-service '_ipp._tcp'
+
+To allow listing additional custom domain, for example
+``openthread.thread.home.arpa``, so that it can reflected in addition to the
+default ``local``, use the following command:
+
+.. code-block:: none
+
+ set service mdns repeater browse-domain 'openthread.thread.home.arpa'
+
.. _`Multicast DNS`: https://en.wikipedia.org/wiki/Multicast_DNS
+
+Operation
+=========
+
+.. opcmd:: restart mdns repeater
+
+ Restart mDNS repeater service.
+
+.. opcmd:: show log mdns repeater
+
+ Show logs for mDNS repeater service.
+
+.. opcmd:: monitor log mdns repeater
+
+ Follow the logs for mDNS repeater service.
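Review bot: "To allow listing additional custom domain ... so that it can reflected" is missing a word and a plural; it should read "To browse additional custom domains, for example ``openthread.thread.home.arpa``, so that they can be reflected in addition to the default ``local``, use the following command:". In the `allow-service` paragraph the comma is misplaced ("``_ipp._tcp``, (instead of all services)"); move it after the closing parenthesis. The Operation section is a useful addition; it would read better placed before the `.. _`Multicast DNS`:` link target rather than after it, matching the layout of the other service pages.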
diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst
index 755669e1..0aa93e71 100644
--- a/docs/configuration/service/monitoring.rst
+++ b/docs/configuration/service/monitoring.rst
@@ -19,7 +19,7 @@ Telegraf output plugin azure-data-explorer_
.. cfgcmd:: set service monitoring telegraf azure-data-explorer database <name>
- Remote databe name.
+ Remote database name.
.. cfgcmd:: set service monitoring telegraf azure-data-explorer group-metrics <single-table | table-per-metric>
@@ -147,4 +147,4 @@ An example of a configuration that sends ``telegraf`` metrics to remote
.. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer
.. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client
-.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html \ No newline at end of file
+.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html
diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst
index 69e357f3..a230d9fe 100644
--- a/docs/configuration/service/pppoe-server.rst
+++ b/docs/configuration/service/pppoe-server.rst
@@ -57,48 +57,35 @@ Client Address Pools
--------------------
To automatically assign the client an IP address as tunnel endpoint, a
-client IP pool is needed. The source can be either RADIUS or a local
-subnet or IP range definition.
-
-Once the local tunnel endpoint ``set service pppoe-server gateway-address
-'10.1.1.2'`` has been defined, the client IP pool can be either defined
-as a range or as subnet using CIDR notation. If the CIDR notation is
-used, multiple subnets can be setup which are used sequentially.
+client IP pool is needed. The source can be either RADIUS or a
+named pool. There is possibility to create multiple named pools.
+Each named pool can include only one address range. To use multiple
+address ranges configure ``next-pool`` option.
**Client IP address via IP range definition**
-.. cfgcmd:: set service pppoe-server client-ip-pool start <address>
-
- Use this command to define the first IP address of a pool of
- addresses to be given to PPPoE clients. It must be within a /24
- subnet.
-
-.. cfgcmd:: set service pppoe-server client-ip-pool stop <address>
-
- Use this command to define the last IP address of a pool of
- addresses to be given to PPPoE clients. It must be within a /24
- subnet.
-
-.. code-block:: none
+.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
- set service pppoe-server client-ip-pool start '10.1.1.100'
- set service pppoe-server client-ip-pool stop '10.1.1.111'
+ Use this command to define the IP address range to be given
+ to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``,
+ it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
+ used there is possibility to set host/netmask.
+.. cfgcmd:: set service pppoe-server client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
-**Client IP subnets via CIDR notation**
+ Use this command to define the next address pool name.
-.. cfgcmd:: set service pppoe-server client-ip-pool subnet <address>
+.. cfgcmd:: set service pppoe-server default-pool <POOL-NAME>
- Use this command for every pool of client IP addresses you want to
- define. The addresses of this pool will be given to PPPoE clients.
- You must use CIDR notation and it must be within a /24 subnet.
+ Use this command to define default address pool name.
.. code-block:: none
- set service pppoe-server client-ip-pool subnet '10.1.1.0/24'
- set service pppoe-server client-ip-pool subnet '10.1.2.0/24'
- set service pppoe-server client-ip-pool subnet '10.1.3.0/24'
+ set service pppoe-server client-ip-pool IP-POOL next-pool 'IP-POOL2'
+ set service pppoe-server client-ip-pool IP-POOL range '10.0.10.5/24'
+ set service pppoe-server client-ip-pool IP-POOL2 range '10.0.0.10-10.0.0.12'
+ set service pppoe-server default-pool 'IP-POOL'
**RADIUS based IP pools (Framed-IP-Address)**
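Review bot: the `x.x.x.x/x` form of `range` is documented only as "there is possibility to set host/netmask", which does not tell the reader which addresses the example `10.0.10.5/24` actually hands out (the whole /24, or addresses starting at .5?); spell that out, since the pool examples later in this change rely on it. Grammar in the same hunk: "There is possibility to create multiple named pools" should be "Multiple named pools can be created", and "If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet" should be "If the ``x.x.x.x-x.x.x.x`` notation is used, the range must lie within a /24 subnet". The example also sets `next-pool 'IP-POOL2'` before any `range` on IP-POOL; ordering the `range` line first reads more naturally.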
@@ -213,8 +200,8 @@ For Local Users
set service pppoe-server authentication local-users username foo rate-limit download '20480'
set service pppoe-server authentication local-users username foo rate-limit upload '10240'
set service pppoe-server authentication mode 'local'
- set service pppoe-server client-ip-pool start '10.1.1.100'
- set service pppoe-server client-ip-pool stop '10.1.1.111'
+ set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100/24'
+ set service pppoe-server default-pool 'IP-POOL'
set service pppoe-server name-server '10.100.100.1'
set service pppoe-server name-server '10.100.200.1'
set service pppoe-server interface 'eth1'
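Review bot: replacing `start '10.1.1.100'` / `stop '10.1.1.111'` with `range '10.1.1.100/24'` changes the example's pool unless the host/netmask form is defined to mean the same twelve addresses, which this change does not state. The later example in this file uses `range '10.1.1.100-10.1.1.111'` for the same case; use that form here as well so that the local-users example keeps the pool it had.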
@@ -367,8 +354,8 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint
set service pppoe-server access-concentrator 'ACN'
set service pppoe-server authentication local-users username foo password 'bar'
set service pppoe-server authentication mode 'local'
- set service pppoe-server client-ip-pool start '10.1.1.100'
- set service pppoe-server client-ip-pool stop '10.1.1.111'
+ set service pppoe-server client-ip-pool IP-POOL range '10.1.1.100-10.1.1.111'
+ set service pppoe-server default-pool 'IP-POOL'
set service pppoe-server interface eth1
set service pppoe-server gateway-address '10.1.1.2'
set service pppoe-server name-server '10.100.100.1'
@@ -385,8 +372,8 @@ The example below covers a dual-stack configuration via pppoe-server.
set service pppoe-server authentication local-users username test password 'test'
set service pppoe-server authentication mode 'local'
- set service pppoe-server client-ip-pool start '192.168.0.1'
- set service pppoe-server client-ip-pool stop '192.168.0.10'
+ set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24'
+ set service pppoe-server default-pool 'IP-POOL'
set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56'
set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64'
set service pppoe-server ppp-options ipv6 allow
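Review bot: the dual-stack example previously handed out ten addresses (`start '192.168.0.1'` / `stop '192.168.0.10'`) and now uses `range '192.168.0.1/24'`, which, read as host/netmask, covers a different set of addresses; if the intent was to keep the example unchanged, write `range '192.168.0.1-192.168.0.10'`, otherwise say in the surrounding text what the /24 form assigns.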
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index 15c2390c..efdbc651 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -218,3 +218,31 @@ Operation
commit
save
exit
+
+.. opcmd:: show log ssh
+
+ Show SSH server log.
+
+.. opcmd:: monitor log ssh
+
+ Follow the SSH server log.
+
+.. opcmd:: show log ssh dynamic-protection
+
+ Show SSH dynamic-protection log.
+
+.. opcmd:: monitor log ssh dynamic-protection
+
+ Follow the SSH dynamic-protection log.
+
+.. opcmd:: show ssh dynamic-protection
+
+ Show list of IPs currently blocked by SSH dynamic-protection.
+
+.. opcmd:: show ssh fingerprints
+
+ Show SSH server public key fingerprints.
+
+.. opcmd:: show ssh fingerprints ascii
+
+ Show SSH server public key fingerprints, including a visual ASCII art representation.
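Review bot: the last description line exceeds the 80-column wrapping used everywhere else in this file; wrap it as "Show SSH server public key fingerprints, including a visual ASCII art" / "representation." The `show ssh fingerprints` entries would also benefit from one sentence saying what they are for: the operator reads the fingerprint on the console and compares it with what the SSH client presents on first connection, which is how a substituted host key is detected.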