Diffstat (limited to 'docs/configuration')
54 files changed, 1435 insertions, 233 deletions
| diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index 044e31b8..c23a6184 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -88,6 +88,10 @@ Configuration          set container name coredns volume 'corefile' source /config/coredns/Corefile          set container name coredns volume 'corefile' destination /etc/Corefile +         +.. cfgcmd:: set container name <name> volume <volumename> mode <ro | rw> + +    Volume is either mounted as rw (read-write - default) or ro (read-only)  .. cfgcmd:: set container name <name> restart [no | on-failure | always] @@ -216,4 +220,4 @@ Example Configuration          set container name zabbix-web-nginx-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd'          set container name zabbix-web-nginx-mysql port http source 80 -        set container name zabbix-web-nginx-mysql port http destination 8080
\ No newline at end of file +        set container name zabbix-web-nginx-mysql port http destination 8080 diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index f2e01e03..c217ba6c 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst @@ -297,9 +297,9 @@ the action of the rule will be executed.     Use this command to enable the logging of the default action.  .. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop | -   jump | reject | return] +   jump | queue | reject | return]  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept | -   drop | jump | reject | return] +   drop | jump | queue | reject | return]     This required setting defines the action of the current rule. If action     is set to ``jump``, then ``jump-target`` is also needed. @@ -310,6 +310,20 @@ the action of the rule will be executed.     To be used only when ``action`` is set to ``jump``. Use this     command to specify jump target. +.. cfgcmd:: set firewall name <name> rule <1-999999> queue <0-65535> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue <0-65535> + +   Use this command to set the target to use. Action queue must be defined +   to use this setting + +.. cfgcmd:: set firewall name <name> rule <1-999999> queue-options +   <bypass-fanout> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue-options +   <bypass-fanout> + +   Options used for queue target. Action queue must be defined to use this +   setting +  .. cfgcmd:: set firewall name <name> rule <1-999999> description <text>  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text> 
@@ -321,13 +335,36 @@ the action of the rule will be executed.     Enable or disable logging for the matched packet. -.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg | -   alert | crit | err | warn | notice | info | debug] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg | -   alert | crit | err | warn | notice | info | debug] +.. cfgcmd:: set firewall name <name> rule <1-999999> log-options level +   [emerg | alert | crit | err | warn | notice | info | debug] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options level +   [emerg | alert | crit | err | warn | notice | info | debug]     Define log-level. Only applicable if rule log is enable. +.. cfgcmd:: set firewall name <name> rule <1-999999> log-options group +   <0-65535> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options group +   <0-65535> + +   Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall name <name> rule <1-999999> log-options snaplen +   <0-9000> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options snaplen +   <0-9000> + +   Define length of packet payload to include in netlink message. Only +   applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall name <name> rule <1-999999> log-options +   queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options +   queue-threshold <0-65535> + +   Define number of packets to queue inside the kernel before sending them to +   userspace. Only applicable if rule log is enable and log group is defined. +  .. cfgcmd:: set firewall name <name> rule <1-999999> disable  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable 
@@ -612,6 +649,13 @@ geoip) to keep database and rules updated.     Match based on packet length criteria. Multiple values from 1 to 65535     and ranges are supported. +.. cfgcmd:: set firewall name <name> rule <1-999999> packet-type +   [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-type +   [broadcast | host | multicast | other] + +   Match based on packet type criteria. +  .. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |     <0-255> | all | tcp_udp]  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> | diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 6ed3e9f1..b27e02b9 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -55,7 +55,7 @@ To define a zone setup either one with interfaces or a local zone.     Define the zone as a local zone. A local zone has no interfaces and     will be applied to the router itself. -.. cfgcmd:: set firewall zone <name> default-action [drop |reject] +.. cfgcmd:: set firewall zone <name> default-action [drop | reject]     Change the default-action with this setting. diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 29bb97be..bc8aad99 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst 
@@ -220,6 +220,70 @@ Verification     inet 172.25.0.247/16 scope global eth0v10     valid_lft forever preferred_lft forever +Global options +-------------- + +On most scenarios, there's no need to change specific parameters, and using +default configuration is enough. But there are cases were extra configuration +is needed. + +.. cfgcmd:: set high-availability vrrp global-parameters startup_delay <1-600> + +This option specifies a delay in seconds before vrrp instances start up after +keepalived starts.  + +Gratuitous ARP +-------------- + +These configuration is not mandatory and in most cases there's no +need to configure it. But if necessary, Gratuitous ARP can be configured in +``global-parameters`` and/or in ``group`` section. + +.. cfgcmd:: set high-availability vrrp global-parameters garp interval +   <0.000-1000> + +.. cfgcmd:: set high-availability vrrp group <name> garp interval +   <0.000-1000> + +Set delay between gratuitous ARP messages sent on an interface. 0 if not +defined. + +.. cfgcmd:: set high-availability vrrp global-parameters garp master-delay +   <1-255> + +.. cfgcmd:: set high-availability vrrp group <name> garp master-delay +   <1-255> + +Set delay for second set of gratuitous ARPs after transition to MASTER. 5 if +not defined. + +.. cfgcmd:: set high-availability vrrp global-parameters garp master-refresh +   <1-600> + +.. cfgcmd:: set high-availability vrrp group <name> garp master-refresh +   <1-600> + +Set minimum time interval for refreshing gratuitous ARPs while MASTER. 0 if +not defined, which means no refreshing. + +.. cfgcmd:: set high-availability vrrp global-parameters garp +   master-refresh-repeat <1-600> + +.. cfgcmd:: set high-availability vrrp group <name> garp +   master-refresh-repeat <1-600> + +Set number of gratuitous ARP messages to send at a time while MASTER. 1 if not +defined. + +.. cfgcmd:: set high-availability vrrp global-parameters garp master-repeat +   <1-600> + +.. 
cfgcmd:: set high-availability vrrp group <name> garp master-repeat +   <1-600> + +Set number of gratuitous ARP messages to send at a time after transition to +MASTER. 5 if not defined. +  Scripting  --------- @@ -293,6 +357,21 @@ Forward method    set high-availability virtual-server 203.0.113.1 forward-method 'nat' +Health-check +^^^^^^^^^^^^ +Custom health-check script allows checking real-server availability + +.. code-block:: none + +  set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script <path-to-script> + +Fwmark +^^^^^^ +Firewall mark. It possible to loadbalancing traffic based on ``fwmark`` value + +.. code-block:: none + +  set high-availability virtual-server 203.0.113.1 fwmark '111'  Real server  ^^^^^^^^^^^ 
@@ -331,3 +410,47 @@ Real server is auto-excluded if port check with this server fail.    set high-availability virtual-server 203.0.113.1 protocol 'tcp'    set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '80'    set high-availability virtual-server 203.0.113.1 real-server 192.0.2.12 port '80' + + +A firewall mark ``fwmark`` allows using multiple ports for high-availability +virtual-server. +It uses fwmark value. + +In this example all traffic destined to ports "80, 2222, 8888" protocol TCP +marks to fwmark "111" and balanced between 2 real servers. +Port "0" is required if multiple ports are used. + +.. code-block:: none + +  set interfaces ethernet eth0 address 'dhcp' +  set interfaces ethernet eth0 description 'WAN' +  set interfaces ethernet eth1 address '192.0.2.1/24' +  set interfaces ethernet eth1 description 'LAN' + +  set policy route PR interface 'eth0' +  set policy route PR rule 10 destination port '80,2222,8888' +  set policy route PR rule 10 protocol 'tcp' +  set policy route PR rule 10 set mark '111' + +  set high-availability virtual-server vyos fwmark '111' +  set high-availability virtual-server vyos protocol 'tcp' +  set high-availability virtual-server vyos real-server 192.0.2.11 health-check script '/config/scripts/check-real-server-first.sh' +  set high-availability virtual-server vyos real-server 192.0.2.11 port '0' +  set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh' +  set high-availability virtual-server vyos real-server 192.0.2.12 port '0' + +  set nat source rule 100 outbound-interface 'eth0' +  set nat source rule 100 source address '192.0.2.0/24' +  set nat source rule 100 translation address 'masquerade' + +Op-mode check virtual-server status + +.. 
code-block:: none + +  vyos@r14:~$ run show virtual-server +  IP Virtual Server version 1.2.1 (size=4096) +  Prot LocalAddress:Port Scheduler Flags +    -> RemoteAddress:Port           Forward Weight ActiveConn InActConn +  FWM  111 lc persistent 300 +    -> 192.0.2.11:0                 Masq    1      0          0 +    -> 192.0.2.12:0                 Masq    1      1          0 diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst index ba09d9a7..945361c2 100644 --- a/docs/configuration/interfaces/dummy.rst +++ b/docs/configuration/interfaces/dummy.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-06-30 +:lastproofread: 2023-01-20  .. _dummy-interface: diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index 96ccb25f..76f02d6d 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-06-30 +:lastproofread: 2023-01-20  .. _ethernet-interface: @@ -107,10 +107,8 @@ Offloading    - it does not increase hardware device interrupt rate (although it does      introduce inter-processor interrupts (IPIs)). - -.. cmdinclude:: /_include/interface-xdp.txt -   :var0: ethernet -   :var1: eth0 +  .. note:: In order to use TSO/LRO with VMXNET3 adaters one must also enable +     the SG offloading option.  Authentication (EAPoL)  ---------------------- diff --git a/docs/configuration/interfaces/geneve.rst b/docs/configuration/interfaces/geneve.rst index b13e2ece..bf8b0920 100644 --- a/docs/configuration/interfaces/geneve.rst +++ b/docs/configuration/interfaces/geneve.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-06-30 +:lastproofread: 2023-01-20  .. _geneve-interface: diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index 191158b7..897e38dc 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst 
@@ -1,4 +1,4 @@ -:lastproofread: 2021-06-30 +:lastproofread: 2023-01-20  .. include:: /_include/need_improvement.txt 
@@ -141,29 +141,26 @@ IPSec:  .. code-block:: none +  set vpn ipsec authentication psk <pre-shared-name> id '%any' +  set vpn ipsec authentication psk <pre-shared-name> secret <pre-shared-key>    set vpn ipsec interface <VPN-interface> -  set vpn ipsec esp-group test-ESP-1 compression 'disable'    set vpn ipsec esp-group test-ESP-1 lifetime '3600'    set vpn ipsec esp-group test-ESP-1 mode 'transport'    set vpn ipsec esp-group test-ESP-1 pfs 'enable'    set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'    set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1' -  set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'    set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'    set vpn ipsec ike-group test-IKE-1 lifetime '3600'    set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'    set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'    set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1' -  set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key> -  set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate' -  set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1' -  set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit' -  set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip> -  set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable' -  set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable' -  set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1' -  set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp' +  set vpn ipsec site-to-site peer <connection-name> authentication mode 'pre-shared-secret' +  set vpn ipsec site-to-site peer <connection-name> connection-type 'initiate' +  set vpn ipsec site-to-site peer <connection-name> ike-group 'test-IKE-1' +  set vpn ipsec site-to-site 
peer <connection-name> ikev2-reauth 'inherit' +  set vpn ipsec site-to-site peer <connection-name> local-address <local-ip> +  set vpn ipsec site-to-site peer <connection-name> tunnel 1 esp-group 'test-ESP-1' +  set vpn ipsec site-to-site peer <connection-name> tunnel 1 protocol 'l2tp'  Bridge: diff --git a/docs/configuration/interfaces/loopback.rst b/docs/configuration/interfaces/loopback.rst index b97aa69c..8e983abb 100644 --- a/docs/configuration/interfaces/loopback.rst +++ b/docs/configuration/interfaces/loopback.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-06-30 +:lastproofread: 2023-01-20  .. _loopback-interface: diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 338ad3ae..60877d73 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-07-05 +:lastproofread: 2023-01-20  .. _macsec-interface: diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 0953e948..74a43bb5 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -91,7 +91,7 @@ PPPoE options     This command allows you to select a specific access concentrator when you     know the access concentrators `<name>`. -.. cfgcmd:: set interfaces pppoe <interface> authentication user <username> +.. cfgcmd:: set interfaces pppoe <interface> authentication username <username>     Use this command to set the username for authenticating with a remote PPPoE     endpoint. Authentication is optional from the system's point of view but 
@@ -154,6 +154,14 @@ PPPoE options     when it is idle and after the initial establishment of the connection. It     will stay up forever. +.. cfgcmd:: set interfaces pppoe <interface> holdoff <time> + +   Use this command to set re-dial delay time to be used with persist PPPoE +   sessions. When the PPPoE session is terminated by peer, and on-demand +   option is not set, the router will attempt to re-establish the PPPoE link. + +   If this parameter is not set, the default holdoff time is 30 seconds. +  .. cfgcmd:: set interfaces pppoe <interface> local-address <address>     Use this command to set the IP address of the local endpoint of a PPPoE @@ -324,7 +332,7 @@ Requirements:  .. code-block:: none -  set interfaces pppoe pppoe0 authentication user 'userid' +  set interfaces pppoe pppoe0 authentication username 'userid'    set interfaces pppoe pppoe0 authentication password 'secret'    set interfaces pppoe pppoe0 source-interface 'eth0' @@ -349,7 +357,7 @@ which is the default VLAN for Deutsche Telekom:  .. code-block:: none -  set interfaces pppoe pppoe0 authentication user 'userid' +  set interfaces pppoe pppoe0 authentication username 'userid'    set interfaces pppoe pppoe0 authentication password 'secret'    set interfaces pppoe pppoe0 source-interface 'eth0.7' @@ -367,7 +375,7 @@ If you do not know the prefix size delegated to you, start with sla-len 0.  .. code-block:: none -  set interfaces pppoe pppoe0 authentication user vyos +  set interfaces pppoe pppoe0 authentication username vyos    set interfaces pppoe pppoe0 authentication password vyos    set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 address '1'    set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 sla-id '0' diff --git a/docs/configuration/interfaces/pseudo-ethernet.rst b/docs/configuration/interfaces/pseudo-ethernet.rst index b2849772..59b3581c 100644 --- a/docs/configuration/interfaces/pseudo-ethernet.rst +++ b/docs/configuration/interfaces/pseudo-ethernet.rst 
@@ -1,4 +1,4 @@ -:lastproofread: 2021-07-09 +:lastproofread: 2023-01-26  .. _pseudo-ethernet-interface: diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst index eac74d91..31539d9f 100644 --- a/docs/configuration/interfaces/tunnel.rst +++ b/docs/configuration/interfaces/tunnel.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-07-09 +:lastproofread: 2023-01-26  .. _tunnel-interface: @@ -18,7 +18,11 @@ a closer look at the protocols and options currently supported by VyOS.  Common interface configuration  ------------------------------ -.. cmdinclude:: /_include/interface-common-without-dhcp1.txt +.. cmdinclude:: /_include/interface-address.txt +   :var0: tunnel +   :var1: tun0 + +.. cmdinclude:: /_include/interface-common-without-mac.txt     :var0: tunnel     :var1: tun0 @@ -207,7 +211,7 @@ GRETAP  ^^^^^^^  While normal GRE is for layer 3, GRETAP is for layer 2. GRETAP can encapsulate -Ethernet frames, thus it can be bridged with other interfaces to create  +Ethernet frames, thus it can be bridged with other interfaces to create  datalink layer segments that span multiple remote sites.  .. code-block:: none diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index 7edeafb5..86568686 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-07-09 +:lastproofread: 2023-01-26  .. _vxlan-interface: diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 93093b5d..18a888df 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-10-01 +:lastproofread: 2023-01-26  .. _wireguard: 
@@ -173,6 +173,7 @@ traffic.    Associates the previously generated private key to a specific WireGuard    interface. The private key can be generate via the command +    :opcmd:`generate pki wireguard key-pair`.    .. code-block:: none @@ -243,8 +244,8 @@ asymmetric crypto. This is optional.  .. code-block:: none -  vyos@vyos:~$ generate pki wireguard preshared-key install -  rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc= +  vyos@vyos:~$ generate pki wireguard preshared-key +  Pre-shared key: rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=  Copy the key, as it is not stored on the local filesystem. Because it  is a symmetric key, only you and your peer should have knowledge of diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index 8be7cec9..f45101b5 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-07-13 +:lastproofread: 2023-01-26  .. _wireless-interface: diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst index 0c820471..98890158 100644 --- a/docs/configuration/interfaces/wwan.rst +++ b/docs/configuration/interfaces/wwan.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-07-13 +:lastproofread: 2023-01-27  .. _wwan-interface: @@ -22,7 +22,6 @@ Common interface configuration     :var0: wwan     :var1: wwan0 -  .. cmdinclude:: /_include/interface-description.txt     :var0: wwan     :var1: wwan0 diff --git a/docs/configuration/loadbalancing/index.rst b/docs/configuration/loadbalancing/index.rst index 5034547b..18f01347 100644 --- a/docs/configuration/loadbalancing/index.rst +++ b/docs/configuration/loadbalancing/index.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-07-28 +:lastproofread: 2023-01-27  .. _load-balancing: diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index 62964fea..b2ba61af 100644 --- a/docs/configuration/nat/nat44.rst 
+++ b/docs/configuration/nat/nat44.rst 
@@ -697,17 +697,22 @@ too.  .. code-block:: none -  set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE' -  set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate' -  set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'my-esp' -  set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'my-ike' -  set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit' -  set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46' -  set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32' -  set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24' -  set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32' -  set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16' +  set vpn ipsec authentication psk vyos id '203.0.113.46' +  set vpn ipsec authentication psk vyos id '198.51.100.243' +  set vpn ipsec authentication psk vyos secret 'MYSECRETPASSWORD' +  set vpn ipsec site-to-site peer branch authentication local-id '203.0.113.46' +  set vpn ipsec site-to-site peer branch authentication mode 'pre-shared-secret' +  set vpn ipsec site-to-site peer branch authentication remote-id '198.51.100.243' +  set vpn ipsec site-to-site peer branch connection-type 'initiate' +  set vpn ipsec site-to-site peer branch default-esp-group 'my-esp' +  set vpn ipsec site-to-site peer branch ike-group 'my-ike' +  set vpn ipsec site-to-site peer branch ikev2-reauth 'inherit' +  set vpn ipsec site-to-site peer branch local-address '203.0.113.46' +  set vpn ipsec site-to-site peer branch remote-address '198.51.100.243' +  set vpn ipsec site-to-site peer branch tunnel 0 local prefix '172.29.41.89/32' +  set vpn ipsec site-to-site peer branch tunnel 0 remote prefix '172.27.1.0/24' +  set vpn ipsec 
site-to-site peer branch tunnel 1 local prefix '172.29.41.89/32' +  set vpn ipsec site-to-site peer branch tunnel 1 remote prefix '10.125.0.0/16'  Testing and Validation  """""""""""""""""""""" diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index c5a8dec0..93dd3353 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -5,8 +5,8 @@ NAT66(NPTv6)  ############  :abbr:`NPTv6 (IPv6-to-IPv6 Network Prefix Translation)` is an address  -translation technology basedon IPv6 networks, used to convert an IPv6  -address prefix in an IPv6 message into another IPv6address prefix.  +translation technology based on IPv6 networks, used to convert an IPv6  +address prefix in an IPv6 message into another IPv6 address prefix.   We call this address translation method NAT66. Devices that support the NAT66  function are called NAT66 devices, which can provide NAT66 source  and destination address translation functions. diff --git a/docs/configuration/policy/large-community-list.rst b/docs/configuration/policy/large-community-list.rst index 39da0815..0c57fd4a 100644 --- a/docs/configuration/policy/large-community-list.rst +++ b/docs/configuration/policy/large-community-list.rst @@ -14,7 +14,7 @@ policy large-community-list  .. cfgcmd:: set policy large-community-list <text> -   Creat large-community-list policy identified by name <text>. +   Create large-community-list policy identified by name <text>.  .. cfgcmd:: set policy large-community-list <text> description <text> diff --git a/docs/configuration/policy/route.rst b/docs/configuration/policy/route.rst index a6330c57..1a85ffc6 100644 --- a/docs/configuration/policy/route.rst +++ b/docs/configuration/policy/route.rst 
@@ -168,6 +168,21 @@ And for ipv6:     ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected     protocol. +.. cfgcmd:: set policy route <name> rule <n> packet-length <text> +.. cfgcmd:: set policy route6 <name> rule <n> packet-length <text> +.. cfgcmd:: set policy route <name> rule <n> packet-length-exclude <text> +.. cfgcmd:: set policy route6 <name> rule <n> packet-length-exclude <text> + +   Match based on packet length criteria. Multiple values from 1 to 65535 +   and ranges are supported. + +.. cfgcmd:: set policy route <name> rule <n> packet-type [broadcast | host +   | multicast | other] +.. cfgcmd:: set policy route6 <name> rule <n> packet-type [broadcast | host +   | multicast | other] + +   Match based on packet type criteria. +  .. cfgcmd:: set policy route <name> rule <n> recent count <1-255>  .. cfgcmd:: set policy route6 <name> rule <n> recent count <1-255>  .. cfgcmd:: set policy route <name> rule <n> recent time <1-4294967295> diff --git a/docs/configuration/protocols/babel.rst b/docs/configuration/protocols/babel.rst new file mode 100644 index 00000000..58436178 --- /dev/null +++ b/docs/configuration/protocols/babel.rst 
@@ -0,0 +1,210 @@ +.. _babel: + +#### +Babel +#### + +Babel is a modern routing protocol designed to be robust and efficient +both in ordinary wired networks and in wireless mesh networks. +By default, it uses hop-count on wired networks and a variant of ETX +on wireless links, It can be configured to take radio diversity into account +and to automatically compute a link's latency and include it in the metric. +It is defined in :rfc:`8966`. + +Babel a dual stack protocol. +A single Babel instance is able to perform routing for both IPv4 and IPv6. + +General Configuration +--------------------- + +VyOS does not have a special command to start the Babel process. +The Babel process starts when the first Babel enabled interface is configured. + +.. cfgcmd:: set protocols babel interface <interface> + +  This command specifies a Babel enabled interface by interface name. Both +  the sending and receiving of Babel packets will be enabled on the interface +  specified in this command. + +Optional Configuration +---------------------- + +.. cfgcmd:: set protocols babel parameters diversity + +  This command enables routing using radio frequency diversity. +  This is highly recommended in networks with many wireless nodes. + +   .. note:: If you enable this, you will probably want to +      set diversity-factor and channel below. + +.. cfgcmd:: set protocols babel parameters diversity-factor <1-256> + +  This command sets the multiplicative factor used for diversity routing, +  in units of 1/256; lower values cause diversity to play a more important role +  in route selection. +  The default it 256, which means that diversity plays no role in route +  selection; you will probably want to set that to 128 or less on nodes +  with multiple independent radios. + +.. cfgcmd:: set protocols babel parameters resend-delay <milliseconds> + +  This command specifies the time in milliseconds after which an 'important' +  request or update will be resent. The default is 2000 ms. + +.. 
cfgcmd:: set protocols babel parameters smoothing-half-life <seconds> + +  This command specifies the time constant, in seconds, of the smoothing +  algorithm used for implementing hysteresis. +  Larger values reduce route oscillation at the cost of very slightly increasing +  convergence time. The value 0 disables hysteresis, and is suitable for wired +  networks. The default is 4 s. + +Interfaces Configuration +------------------------ + +.. cfgcmd:: set protocols babel interface <interface> type <auto|wired|wireless> + +  This command sets the interface type: + +  **auto** – automatically determines the interface type. +  **wired** – enables optimisations for wired interfaces. +  **wireless** – disables a number of optimisations that are only correct +  on wired interfaces. Specifying wireless is always correct, +  but may cause slower convergence and extra routing traffic. + +.. cfgcmd:: set protocols babel interface <interface> split-horizon <default|disable|enable> + +  This command specifies whether to perform split-horizon on the interface. +  Specifying no babel split-horizon is always correct, while babel split-horizon +  is an optimisation that should only be used on symmetric +  and transitive (wired) networks. + +  **default** – enable split-horizon on wired interfaces, and disable +  split-horizon on wireless interfaces. +  **enable** – enable split-horizon on this interfaces. +  **disable** – disable split-horizon on this interfaces. + +.. cfgcmd:: set protocols babel interface <interface> hello-interval <milliseconds> + +  This command specifies the time in milliseconds between two scheduled hellos. +  On wired links, Babel notices a link failure within two hello intervals; +  on wireless links, the link quality value is reestimated at every hello +  interval. +  The default is 4000 ms. + +.. 
cfgcmd:: set protocols babel interface <interface> update-interval <milliseconds> + +  This command specifies the time in milliseconds between two scheduled updates. +  Since Babel makes extensive use of triggered updates, +  this can be set to fairly high values on links with little packet loss. +  The default is 20000 ms. + +.. cfgcmd:: set protocols babel interface <interface> rxcost <1-65534> + +  This command specifies the base receive cost for this interface. +  For wireless interfaces, it specifies the multiplier used for computing +  the ETX reception cost (default 256); +  for wired interfaces, it specifies the cost that will be advertised to +  neighbours. + +.. cfgcmd:: set protocols babel interface <interface> rtt-decay <1-256> + +  This command specifies the decay factor for the exponential moving average +  of RTT samples, in units of 1/256. +  Higher values discard old samples faster. The default is 42. + +.. cfgcmd:: set protocols babel interface <interface> rtt-min <milliseconds> + +  This command specifies the minimum RTT, in milliseconds, +  starting from which we increase the cost to a neighbour. +  The additional cost is linear in (rtt - rtt-min). The default is 10 ms. + +.. cfgcmd:: set protocols babel interface <interface> rtt-max <milliseconds> + +  This command specifies the maximum RTT, in milliseconds, above which +  we don't increase the cost to a neighbour. The default is 120 ms. + + +.. cfgcmd:: set protocols babel interface <interface> max-rtt-penalty <milliseconds> + +  This command specifies the maximum cost added to a neighbour because of RTT, +  i.e. when the RTT is higher or equal than rtt-max. +  The default is 150. +  Setting it to 0 effectively disables the use of a RTT-based cost. + +.. cfgcmd:: set protocols babel interface <interface> enable-timestamps + +  This command enables sending timestamps with each Hello and IHU message +  in order to compute RTT values. 
+  It is recommended to enable timestamps on tunnel interfaces. + +.. cfgcmd:: set protocols babel interface <interface> channel <1-254|interfering|noninterfering> + +  This command set the channel number that diversity routing uses for this +  interface (see diversity option above). + +  **1-254** – interfaces with a channel number interfere with +  interfering interfaces and interfaces with the same channel number. +  **interfering** – interfering interfaces are assumed to interfere with all other channels except +  noninterfering channels. +  **noninterfering** – noninterfering interfaces are assumed to only interfere +  with themselves. + +Redistribution Configuration +---------------------------- + +.. cfgcmd:: set protocols babel redistribute <ipv4|ipv6> <route source> + +   This command redistributes routing information from the given route source +   to the Babel process. + +   IPv4 route source: bgp, connected, eigrp, isis, kernel, nhrp, ospf, rip, static. + +   IPv6 route source: bgp, connected, eigrp, isis, kernel, nhrp, ospfv3, ripng, static. + +.. cfgcmd:: set protocols babel distribute-list <ipv4|ipv6> access-list <in|out> <number> + +  This command can be used to filter the Babel routes using access lists. +  :cfgcmd:`in` and :cfgcmd:`out` this is the direction in which the access +  lists are applied. + +.. cfgcmd:: set protocols babel distribute-list <ipv4|ipv6> interface <interface> access-list <in|out> <number> + +  This command allows you apply access lists to a chosen interface to +  filter the Babel routes. + +.. cfgcmd:: set protocols babel distribute-list <ipv4|ipv6> prefix-list <in|out> <name> + +  This command can be used to filter the Babel routes using prefix lists. +  :cfgcmd:`in` and :cfgcmd:`out` this is the direction in which the prefix +  lists are applied. + +.. 
cfgcmd:: set protocols babel distribute-list <ipv4|ipv6> interface <interface> prefix-list <in|out> <name> + +  This command allows you apply prefix lists to a chosen interface to +  filter the Babel routes. + +Configuration Example +--------------------- + +Simple Babel configuration using 2 nodes and redistributing connected interfaces. + +**Node 1:** + +.. code-block:: none + +  set interfaces loopback lo address 10.1.1.1/32 +  set interfaces loopback lo address fd12:3456:dead:beef::1/128 +  set protocols babel interface eth0 type wired +  set protocols babel redistribute ipv4 connected +  set protocols babel redistribute ipv6 connected + +**Node 2:** + +.. code-block:: none + +  set interfaces loopback lo address 10.2.2.2/32 +  set interfaces loopback lo address fd12:3456:beef:dead::2/128 +  set protocols babel interface eth0 type wired +  set protocols babel redistribute ipv4 connected +  set protocols babel redistribute ipv6 connected diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst index dac1bf0f..faec71bc 100644 --- a/docs/configuration/protocols/bfd.rst +++ b/docs/configuration/protocols/bfd.rst @@ -1,4 +1,4 @@ -:lastproofread: 2022-02-05 +:lastproofread: 2023-01-27  .. include:: /_include/need_improvement.txt diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 6593730f..737e98fa 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst 
@@ -206,6 +206,41 @@ Defining Peers     peers ASN is the same as mine as specified under the :cfgcmd:`protocols     bgp <asn>` command the connection will be denied. +.. cfgcmd:: set protocols bgp neighbor <address|interface> local-role +   <role> [strict] + +   BGP roles are defined in RFC :rfc:`9234` and provide an easy way to  +   add route leak prevention, detection and mitigation. The local Role  +   value is negotiated with the new BGP Role capability which has a  +   built-in check of the corresponding value. In case of a mismatch the  +   new OPEN Roles Mismatch Notification <2, 11> would be sent. +   The correct Role pairs are: +    +   Provider - Customer + +   Peer - Peer + +   RS-Server - RS-Client + +   If :cfgcmd:`strict` is set the BGP session won’t become established  +   until the BGP neighbor sets local Role on its side. This  +   configuration parameter is defined in RFC :rfc:`9234` and is used to +   enforce the corresponding configuration at your counter-parts side. +    +   Routes that are sent from provider, rs-server, or the peer local-role  +   (or if received by customer, rs-client, or the peer local-role) will  +   be marked with a new Only to Customer (OTC) attribute. +    +   Routes with this attribute can only be sent to your neighbor if your +   local-role is provider or rs-server. Routes with this attribute can +   be received only if your local-role is customer or rs-client.  +    +   In case of peer-peer relationship routes can be received only if OTC +   value is equal to your neighbor AS number. +    +   All these rules with OTC will help to detect and mitigate route leaks +   and happen automatically if local-role is set. +  .. cfgcmd:: set protocols bgp neighbor <address|interface> shutdown     This command disable the peer or peer group. To reenable the peer use 
@@ -904,8 +939,7 @@ IBGP (called confederation BGP). Confederation mechanism is described in     of the autonomous system that internally includes multiple sub-autonomous     systems (a confederation). -.. cfgcmd:: set protocols bgp parameters confederation confederation -   peers <nsubasn> +.. cfgcmd:: set protocols bgp parameters confederation peers <nsubasn>     This command sets other confederations <nsubasn> as members of autonomous     system specified by :cfgcmd:`confederation identifier <asn>`. diff --git a/docs/configuration/protocols/failover.rst b/docs/configuration/protocols/failover.rst new file mode 100644 index 00000000..72201ade --- /dev/null +++ b/docs/configuration/protocols/failover.rst 
@@ -0,0 +1,103 @@ +.. _routing-static: + +######## +Failover +######## + +Failover routes are manually configured routes, but they install +to the routing table if the health-check target is alive. +If the target is not alive the route is removed from the routing table +until the target will be available. + +*************** +Failover Routes +*************** + +.. cfgcmd:: set protocols failover route <subnet> next-hop <address> check  +   target <target-address> + +   Configure next-hop `<address>` and `<target-address>` for an IPv4 static  +   route. Specify the target +   IPv4 address for health checking. + +.. cfgcmd:: set protocols failover route <subnet> next-hop <address> check  +   timeout <timeout> + +   Timeout in seconds between health target checks. + +   Range is 1 to 300, default is 10. + +.. cfgcmd:: set protocols failover route <subnet> next-hop <address> check  +   type <protocol> + +   Defines protocols for checking ARP, ICMP, TCP + +   Default is ``icmp``. + +.. cfgcmd:: set protocols failover route <subnet> next-hop <address>  +   interface <interface> + +   Next-hop interface for the route + +.. cfgcmd:: set protocols failover route <subnet> next-hop <address>  +   metric <metric> + +   Route metric + +   Default 1. + + +******* +Example +******* + +**One gateway:** + +.. code-block:: none + +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check target '192.0.2.1' +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check timeout '5' +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check type 'icmp' +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 interface 'eth0' +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 metric '10' + +Show the route + +.. 
code-block:: none + +  vyos@vyos:~$ show ip route 203.0.113.1 +    Routing entry for 203.0.113.1/32 +    Known via "kernel", distance 0, metric 10, best +    Last update 00:00:39 ago +    * 192.0.2.1, via eth0 + +**Two gateways and different metrics:** + +.. code-block:: none + +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check target '192.0.2.1' +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check timeout '5' +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 check type 'icmp' +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 interface 'eth0' +  set protocols failover route 203.0.113.1/32 next-hop 192.0.2.1 metric '10' + +  set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 check target '198.51.100.99' +  set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 check timeout '5' +  set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 check type 'icmp' +  set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 interface 'eth2' +  set protocols failover route 203.0.113.1/32 next-hop 198.51.100.1 metric '20' + +Show the route + +.. code-block:: none + +  vyos@vyos:~$ show ip route 203.0.113.1 +  Routing entry for 203.0.113.1/32 +    Known via "kernel", distance 0, metric 10, best +    Last update 00:08:06 ago +    * 192.0.2.1, via eth0 + +  Routing entry for 203.0.113.1/32 +    Known via "kernel", distance 0, metric 20 +    Last update 00:08:14 ago +    * 198.51.100.1, via eth2 diff --git a/docs/configuration/protocols/igmp.rst b/docs/configuration/protocols/igmp.rst index 0c7a470b..d3492632 100644 --- a/docs/configuration/protocols/igmp.rst +++ b/docs/configuration/protocols/igmp.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-09-30 +:lastproofread: 2023-01-27  .. _multicast: diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst index c302d6a9..29dc230f 100644 --- a/docs/configuration/protocols/index.rst 
+++ b/docs/configuration/protocols/index.rst @@ -7,11 +7,14 @@ Protocols     :maxdepth: 1     :includehidden: +   babel     bfd     bgp +   failover     igmp     isis     mpls +   segment-routing     ospf     rip     rpki diff --git a/docs/configuration/protocols/segment-routing.rst b/docs/configuration/protocols/segment-routing.rst new file mode 100644 index 00000000..5ee710e9 --- /dev/null +++ b/docs/configuration/protocols/segment-routing.rst 
@@ -0,0 +1,357 @@ +.. _segment-routing: + +############### +Segment Routing +############### + +Segment Routing (SR) is a network architecture that is similar to source-routing +. In this architecture, the ingress router adds a list of segments, known as  +SIDs, to the packet as it enters the network. These segments represent different  +portions of the network path that the packet will take. + +The SR segments are portions of the network path taken by the packet, and are  +called SIDs. At each node, the first SID of the list is read, executed as a  +forwarding function, and may be popped to let the next node read the next SID of  +the list. The SID list completely determines the path where the packet is  +forwarded. + +Segment Routing can be applied to an existing MPLS-based data plane and defines +a control plane network architecture. In MPLS networks, segments are encoded as +MPLS labels and are added at the ingress router. These MPLS labels are then  +exchanged and populated by Interior Gateway Protocols (IGPs) like IS-IS or OSPF  +which are running on most ISPs. + + +.. note:: Segment routing defines a control plane network architecture and +  can be applied to an existing MPLS based dataplane. In the MPLS networks, +  segments are encoded as MPLS labels and are imposed at the ingress router. +  MPLS labels are exchanged and populated by IGPs like IS-IS.Segment Routing +  as per RFC8667 for MPLS dataplane. It supports IPv4, IPv6 and ECMP and has +  been tested against Cisco & Juniper routers.however,this deployment is still +  EXPERIMENTAL for FRR. +  + +IS-IS SR Configuration +---------------------- + +Segment routing (SR) is used by the IGP protocols to interconnect network +devices, below configuration shows how to enable SR on IS-IS: + + +.. 
note:: ``Known limitations:``  + +  No support for level redistribution (L1 to L2 or L2 to L1) + +  No support for binding SID + +  No support for SRLB + +  Only one SRGB and default SPF Algorithm is supported + + + +.. cfgcmd::  set protocols isis segment-routing global-block high-label-value  +  <label-value> + +  Set the Segment Routing Global Block i.e. the label range used by MPLS to  +  store label in the MPLS FIB for Prefix SID. Note that the block size may  +  not exceed 65535. + +.. cfgcmd:: set protocols isis segment-routing global-block low-label-value  +  <label-value> + +  Set the Segment Routing Global Block i.e. the low label range used by MPLS to  +  store label in the MPLS FIB for Prefix SID. Note that the block size may  +  not exceed 65535. +  +.. cfgcmd:: set protocols isis segment-routing local-block high-label-value  +  <label-value> + +  Set the Segment Routing Local Block i.e. the label range used by MPLS to  +  store label in the MPLS FIB for Prefix SID. Note that the block size may  +  not exceed 65535.Segment Routing Local Block, The negative command always  +  unsets both. + +.. cfgcmd:: set protocols isis segment-routing local-block <low-label-value  +  <label-value> + +  Set the Segment Routing Local Block i.e. the low label range used by MPLS to  +  store label in the MPLS FIB for Prefix SID. Note that the block size may  +  not exceed 65535.Segment Routing Local Block, The negative command always  +  unsets both. + +.. cfgcmd:: set protocols isis segment-routing maximum-label-depth <1-16> + +  Set the Maximum Stack Depth supported by the router. The value depend of +  the MPLS dataplane. + +.. cfgcmd:: set protocols isis segment-routing prefix <address> index value  +  <0-65535> +    +  A segment ID that contains an IP address prefix calculated by an IGP in the +  service provider core network. Prefix SIDs are globally unique, this value +  indentify it  + +.. 
cfgcmd:: set protocols isis segment-routing prefix <address> index +   <no-php-flag | explicit-null| n-flag-clear> + +   this option allows to configure prefix-sid on SR. The ‘no-php-flag’ means NO  +   Penultimate Hop Popping that allows SR node to request to its neighbor to  +   not pop the label. The ‘explicit-null’ flag allows SR node to request to its  +   neighbor to send IP packet with the EXPLICIT-NULL label. The ‘n-flag-clear’  +   option can be used to explicitly clear the Node flag that is set by default  +   for Prefix-SIDs associated to loopback addresses. This option is necessary  +   to configure Anycast-SIDs. + + +.. opcmd:: show isis segment-routing node +  +   Show detailed information about all learned Segment Routing Nodes + +.. opcmd:: show isis route prefix-sid + +   Show detailed information about prefix-sid and label learned + +.. note:: more information related IGP  - :ref:`routing-isis` + +    + +OSPF SR  Configuration +---------------------- + +Segment routing (SR) is used by the IGP protocols to interconnect network +devices, below configuration shows how to enable SR on OSPF: + +.. cfgcmd:: set protocols ospf parameters opaque-lsa + +  Enable the Opaque-LSA capability (rfc2370), necessary to transport label  +  on IGP + + +.. cfgcmd:: set protocols ospf segment-routing global-block high-label-value  +  <label-value> + +  Set the Segment Routing Global Block i.e. the label range used by MPLS to  +  store label in the MPLS FIB for Prefix SID. Note that the block size may  +  not exceed 65535. + +.. cfgcmd:: set protocols ospf segment-routing global-block low-label-value  +  <label-value> + +  Set the Segment Routing Global Block i.e. the low label range used by MPLS to  +  store label in the MPLS FIB for Prefix SID. Note that the block size may  +  not exceed 65535. + +.. cfgcmd:: set protocols ospf segment-routing local-block high-label-value  +  <label-value> + +  Set the Segment Routing Local Block i.e. 
the label range used by MPLS to  +  store label in the MPLS FIB for Prefix SID. Note that the block size may  +  not exceed 65535.Segment Routing Local Block, The negative command always  +  unsets both. + +.. cfgcmd:: set protocols ospf segment-routing local-block <low-label-value  +  <label-value> + +  Set the Segment Routing Local Block i.e. the low label range used by MPLS to  +  store label in the MPLS FIB for Prefix SID. Note that the block size may  +  not exceed 65535.Segment Routing Local Block, The negative command always  +  unsets both. + +.. cfgcmd:: set protocols ospf segment-routing maximum-label-depth <1-16> + +  Set the Maximum Stack Depth supported by the router. The value depend of +  the MPLS dataplane. + +.. cfgcmd:: set protocols ospf segment-routing prefix <address> index value  +  <0-65535> +    +  A segment ID that contains an IP address prefix calculated by an IGP in the +  service provider core network. Prefix SIDs are globally unique, this value +  indentify it  + +.. cfgcmd:: set protocols ospf segment-routing prefix <address> index +   <no-php-flag | explicit-null| n-flag-clear> + +   this option allows to configure prefix-sid on SR. The ‘no-php-flag’ means NO  +   Penultimate Hop Popping that allows SR node to request to its neighbor to  +   not pop the label. The ‘explicit-null’ flag allows SR node to request to its  +   neighbor to send IP packet with the EXPLICIT-NULL label. The ‘n-flag-clear’  +   option can be used to explicitly clear the Node flag that is set by default  +   for Prefix-SIDs associated to loopback addresses. This option is necessary  +   to configure Anycast-SIDs. + +.. note:: more information related IGP  - :ref:`routing-ospf` + +Configuration Example +--------------------- + +we described the configuration SR ISIS / SR OSPF using 2 connected with them to +share label information. + +Enable IS-IS with Segment Routing (Experimental) +================================================ + +**Node 1:** + +.. 
code-block:: none + +  set interfaces loopback lo address '192.168.255.255/32' +  set interfaces ethernet eth1 address '192.0.2.1/24' + +  set protocols isis interface eth1 +  set protocols isis interface lo +  set protocols isis net '49.0001.1921.6825.5255.00' +  set protocols isis segment-routing global-block high-label-value '599' +  set protocols isis segment-routing global-block low-label-value '550' +  set protocols isis segment-routing prefix 192.168.255.255/32 index value '1' +  set protocols isis segment-routing prefix 192.168.255.255/32 index explicit-null +  set protocols mpls interface 'eth1' +   +**Node 2:** + +.. code-block:: none + +  set interfaces loopback lo address '192.168.255.254/32' +  set interfaces ethernet eth1 address '192.0.2.2/24' + +  set protocols isis interface eth1 +  set protocols isis interface lo +  set protocols isis net '49.0001.1921.6825.5254.00' +  set protocols isis segment-routing global-block high-label-value '599' +  set protocols isis segment-routing global-block low-label-value '550' +  set protocols isis segment-routing prefix 192.168.255.254/32 index value '2' +  set protocols isis segment-routing prefix 192.168.255.254/32 index explicit-null +  set protocols mpls interface 'eth1' +   +   +   +This gives us MPLS segment routing enabled and labels for far end loopbacks: + +.. 
code-block:: none + +  Node-1@vyos:~$ show mpls table +   Inbound Label  Type        Nexthop                Outbound Label +   ---------------------------------------------------------------------- +   552            SR (IS-IS)  192.0.2.2              IPv4 Explicit Null <-- Node-2 loopback learned on Node-1 +   15000          SR (IS-IS)  192.0.2.2              implicit-null +   15001          SR (IS-IS)  fe80::e87:6cff:fe09:1  implicit-null +   15002          SR (IS-IS)  192.0.2.2              implicit-null +   15003          SR (IS-IS)  fe80::e87:6cff:fe09:1  implicit-null + +  Node-2@vyos:~$ show mpls table +   Inbound Label  Type        Nexthop               Outbound Label +   --------------------------------------------------------------------- +   551            SR (IS-IS)  192.0.2.1             IPv4 Explicit Null <-- Node-1 loopback learned on Node-2 +   15000          SR (IS-IS)  192.0.2.1             implicit-null +   15001          SR (IS-IS)  fe80::e33:2ff:fe80:1  implicit-null +   15002          SR (IS-IS)  192.0.2.1             implicit-null +   15003          SR (IS-IS)  fe80::e33:2ff:fe80:1  implicit-null + +Here is the routing tables showing the MPLS segment routing label operations: + +.. 
code-block:: none + +  Node-1@vyos:~$ show ip route isis +  Codes: K - kernel route, C - connected, S - static, R - RIP, +         O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, +         T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, +         f - OpenFabric, +         > - selected route, * - FIB route, q - queued, r - rejected, b - backup +         t - trapped, o - offload failure + +  I   192.0.2.0/24 [115/20] via 192.0.2.2, eth1 inactive, weight 1, 00:07:48 +  I>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1, label IPv4 Explicit Null, weight 1, 00:03:39 + +  Node-2@vyos:~$ show ip route isis +  Codes: K - kernel route, C - connected, S - static, R - RIP, +         O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, +         T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, +         f - OpenFabric, +         > - selected route, * - FIB route, q - queued, r - rejected, b - backup +         t - trapped, o - offload failure + +  I   192.0.2.0/24 [115/20] via 192.0.2.1, eth1 inactive, weight 1, 00:07:46 +  I>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1, label IPv4 Explicit Null, weight 1, 00:03:43 + + +Enable OSPF with Segment Routing (Experimental): +================================================ + +**Node 1** + +.. code-block:: none + +  set interfaces loopback lo address 10.1.1.1/32 +  set interfaces ethernet eth0 address 192.168.0.1/24 +  set protocols ospf area 0 network '192.168.0.0/24' +  set protocols ospf area 0 network '10.1.1.1/32' +  set protocols ospf parameters opaque-lsa +  set protocols ospf parameters router-id '10.1.1.1' +  set protocols ospf segment-routing global-block high-label-value '1100' +  set protocols ospf segment-routing global-block low-label-value '1000' +  set protocols ospf segment-routing prefix 10.1.1.1/32 index explicit-null +  set protocols ospf segment-routing prefix 10.1.1.1/32 index value '1' + +**Node 2** + +.. 
code-block:: none + +  set interfaces loopback lo address 10.1.1.2/32 +  set interfaces ethernet eth0 address 192.168.0.2/24 +  set protocols ospf area 0 network '192.168.0.0/24' +  set protocols ospf area 0 network '10.1.1.2/32' +  set protocols ospf parameters opaque-lsa +  set protocols ospf parameters router-id '10.1.1.2' +  set protocols ospf segment-routing global-block high-label-value '1100' +  set protocols ospf segment-routing global-block low-label-value '1000' +  set protocols ospf segment-routing prefix 10.1.1.2/32 index explicit-null +  set protocols ospf segment-routing prefix 10.1.1.2/32 index value '2' + + +This gives us MPLS segment routing enabled and labels for far end loopbacks: + +.. code-block:: none + +  Node-1@vyos:~$ show mpls table +   Inbound Label  Type       Nexthop      Outbound Label +   ----------------------------------------------------------- +   1002           SR (OSPF)  192.168.0.2  IPv4 Explicit Null  <-- Node-2 loopback learned on Node-1 +   15000          SR (OSPF)  192.168.0.2  implicit-null +   15001          SR (OSPF)  192.168.0.2  implicit-null + +  Node-2@vyos:~$ show mpls table +   Inbound Label  Type       Nexthop      Outbound Label +   ----------------------------------------------------------- +   1001           SR (OSPF)  192.168.0.1  IPv4 Explicit Null  <-- Node-1 loopback learned on Node-2 +   15000          SR (OSPF)  192.168.0.1  implicit-null +   15001          SR (OSPF)  192.168.0.1  implicit-null + +Here is the routing tables showing the MPLS segment routing label operations: + +.. 
code-block:: none + +  Node-1@vyos:~$ show ip route ospf +  Codes: K - kernel route, C - connected, S - static, R - RIP, +         O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, +         T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, +         f - OpenFabric, +         > - selected route, * - FIB route, q - queued, r - rejected, b - backup +         t - trapped, o - offload failure + +  O   10.1.1.1/32 [110/0] is directly connected, lo, weight 1, 00:03:43 +  O>* 10.1.1.2/32 [110/1] via 192.168.0.2, eth0, label IPv4 Explicit Null, weight 1, 00:03:32 +  O   192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:43 + +  Node-2@vyos:~$ show ip route ospf +  Codes: K - kernel route, C - connected, S - static, R - RIP, +         O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, +         T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, +         f - OpenFabric, +         > - selected route, * - FIB route, q - queued, r - rejected, b - backup +         t - trapped, o - offload failure + +  O>* 10.1.1.1/32 [110/1] via 192.168.0.1, eth0, label IPv4 Explicit Null, weight 1, 00:03:36 +  O   10.1.1.2/32 [110/0] is directly connected, lo, weight 1, 00:03:51 +  O   192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:51 + diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index 1b72f8eb..468b39d9 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst 
@@ -37,14 +37,14 @@ Most examples below show Multicast, but unicast can be specified by using the  Configuration  ************* -  .. cfgcmd:: set service conntrack-sync accept-protocol +.. cfgcmd:: set service conntrack-sync accept-protocol      Accept only certain protocols: You may want to replicate the state of flows      depending on their layer 4 protocol.      Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp. -  .. cfgcmd:: set service conntrack-sync event-listen-queue-size <size> +.. cfgcmd:: set service conntrack-sync event-listen-queue-size <size>      The daemon doubles the size of the netlink event socket buffer size if it      detects netlink event message dropping. This clause sets the maximum buffer 
@@ -52,39 +52,52 @@ Configuration      Queue size for listening to local conntrack events in MB. -  .. cfgcmd:: set service conntrack-sync expect-sync <all|ftp|h323|nfs|sip|sqlnet> +.. cfgcmd:: set service conntrack-sync expect-sync <all|ftp|h323|nfs|sip|sqlnet>      Protocol for which expect entries need to be synchronized. -  .. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group> +.. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group>      Failover mechanism to use for conntrack-sync.      Only VRRP is supported. Required option. -  .. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x> +.. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x>      IP addresses or networks for which local conntrack entries will not be synced -  .. cfgcmd:: set service conntrack-sync interface <name> +.. cfgcmd:: set service conntrack-sync interface <name>      Interface to use for syncing conntrack entries. -  .. cfgcmd:: set service conntrack-sync mcast-group <x.x.x.x> +.. cfgcmd:: set service conntrack-sync interface <name> port <port> + +   Port number used by connection. + +.. cfgcmd:: set service conntrack-sync listen-address <ipv4address> + +   Local IPv4 addresses for service to listen on. + +.. cfgcmd:: set service conntrack-sync mcast-group <x.x.x.x>      Multicast group to use for syncing conntrack entries.      Defaults to 225.0.0.50. -  .. cfgcmd:: set service conntrack-sync interface <name> peer <address> +.. cfgcmd:: set service conntrack-sync interface <name> peer <address>      Peer to send unicast UDP conntrack sync entires to, if not using Multicast      configuration from above above. -  .. cfgcmd:: set service conntrack-sync sync-queue-size <size> +.. cfgcmd:: set service conntrack-sync sync-queue-size <size>      Queue size for syncing conntrack entries in MB. +.. 
cfgcmd:: set service conntrack-sync disable-external-cache + +   This diable the external cache and directly injects the flow-states into the +   in-kernel Connection Tracking System of the backup firewall. +  *********  Operation  ********* diff --git a/docs/configuration/service/console-server.rst b/docs/configuration/service/console-server.rst index 435c972c..c9ea7f77 100644 --- a/docs/configuration/service/console-server.rst +++ b/docs/configuration/service/console-server.rst 
@@ -26,30 +26,30 @@ times are used to send a single character, and so dividing the signalling  bit-rate by ten results in the overall transmission speed in characters per  second. This is also the default setting if none of those options are defined. -.. cfgcmd:: set service console-server <device> data-bits [7 | 8] +.. cfgcmd:: set service console-server device <device> data-bits [7 | 8]    Configure either seven or eight data bits. This defaults to eight data    bits if left unconfigured. -.. cfgcmd:: set service console-server <device> description <string> +.. cfgcmd:: set service console-server device <device> description <string>    A user friendly description identifying the connected peripheral. -.. cfgcmd:: set service console-server <device> alias <string> +.. cfgcmd:: set service console-server device <device> alias <string>    A user friendly alias for this connection. Can be used instead of the    device name when connecting. -.. cfgcmd:: set service console-server <device> parity [even | odd | none] +.. cfgcmd:: set service console-server device <device> parity [even | odd | none]    Set the parity option for the console. If unset this will default to none. -.. cfgcmd:: set service console-server <device> stop-bits [1 | 2] +.. cfgcmd:: set service console-server device <device> stop-bits [1 | 2]    Configure either one or two stop bits. This defaults to one stop bits if    left unconfigured. -.. cfgcmd:: set service console-server <device> speed  +.. cfgcmd:: set service console-server device <device> speed      [ 300 | 1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200 ]    .. note:: USB to serial converters will handle most of their work in software 
@@ -63,7 +63,7 @@ Each individual configured console-server device can be directly exposed to  the outside world. A user can directly connect via SSH to the configured  port. -.. cfgcmd:: set service console-server <device> ssh port <port> +.. cfgcmd:: set service console-server device <device> ssh port <port>    Accept SSH connections for the given `<device>` on TCP port `<port>`.    After successfull authentication the user will be directly dropped to @@ -114,3 +114,7 @@ Operation    .. hint:: If ``alias`` is set, it can be used instead of the device when       connecting. + +.. opcmd:: show log console-server + +  Show the console server log.
\ No newline at end of file diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index 5ce22edb..43abf254 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst @@ -20,8 +20,20 @@ Configuration  .. cfgcmd:: set service dhcp-relay interface <interface> -   Interfaces that participate in the DHCP relay process, including the uplink -   to the DHCP server. +   Interfaces that participate in the DHCP relay process. If this command is +   used, at least two entries of it are required: one for the interface that +   captures the dhcp-requests, and one for the interface to forward such +   requests. A warning message will be shown if this command is used, since +   new implementations should use ``listen-interface`` and +   ``upstream-interface``. + +.. cfgcmd:: set service dhcp-relay listen-interface <interface> + +   Interface for DHCP Relay Agent to listen for requests. + +.. cfgcmd:: set service dhcp-relay upstream-interface <interface> + +   Interface for DHCP Relay Agent to forward requests out.  .. cfgcmd:: set service dhcp-relay server <server> @@ -47,7 +59,7 @@ Options     DHCP packet size surpasses this value it will be forwarded without appending     relay agent information. Range 64...1400, default 576. -.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packet +.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packets     <append | discard | forward | replace>     Four policies for reforwarding DHCP packets exist: @@ -70,8 +82,8 @@ Example  * Listen for DHCP requests on interface ``eth1``.  * DHCP server is located at IPv4 address 10.0.1.4 on ``eth2``. -* Router receives DHCP client requests on ``eth1`` and relays them to the server -  at 10.0.1.4 on ``eth2``. +* Router receives DHCP client requests on ``eth1`` and relays them to the +  server at 10.0.1.4 on ``eth2``.  .. figure:: /_static/images/service_dhcp-relay01.png     :scale: 80 % 
@@ -84,6 +96,19 @@ The generated configuration will look like:  .. code-block:: none    show service dhcp-relay +      listen-interface eth1 +      upstrem-interface eth2 +      server 10.0.1.4 +      relay-options { +         relay-agents-packets discard +      } + +Also, for backwards compatibility this configuration, which uses generic +interface definition, is still valid: + +.. code-block:: none + +  show service dhcp-relay        interface eth1        interface eth2        server 10.0.1.4 @@ -124,7 +149,7 @@ Configuration  Options  ------- -.. cfgcmd:: set service dhcpv6-relay max-hop-count 'count' +.. cfgcmd:: set service dhcpv6-relay max-hop-count <count>     Set maximum hop count before packets are discarded, default: 10 diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 3f4b7b89..b5b12a5b 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -234,7 +234,7 @@ inside the subnet definition but can be outside of the range statement.  **Example:** -* IP address ``192.168.1.100`` shall be statically mapped to client named ``client100`` +* IP address ``192.168.1.100`` shall be statically mapped to client named ``client1``  .. code-block:: none @@ -747,10 +747,6 @@ Operation Mode     To restart the DHCPv6 server -.. opcmd:: show dhcpv6 server status - -   To show the current status of the DHCPv6 server. -  .. opcmd:: show dhcpv6 server leases     Shows status of all assigned leases: diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index aee207a6..5fe408f1 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst 
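Review bot: the generated-configuration example in dhcp-relay.rst (hunk @@ -84,6 +96,19 @@) misspells the new node as `upstrem-interface eth2`; because this block is presented as `show service dhcp-relay` output, it should read `upstream-interface eth2` to match the `set service dhcp-relay upstream-interface <interface>` command documented earlier in the same file, otherwise readers will copy a node that does not exist. The introductory sentence also reads awkwardly; suggest "For backwards compatibility, the older form using the generic ``interface`` node is still valid:".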
@@ -21,10 +21,15 @@ avoid being tracked by the provider of your upstream DNS server.     Forward incoming DNS queries to the DNS servers configured under the ``system     name-server`` nodes. -.. cfgcmd:: set service dns forwarding name-server <address> +.. cfgcmd:: set service dns forwarding dhcp <interface> -   Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>`. -   You can configure multiple nameservers here. +   Interfaces whose DHCP client nameservers to forward requests to. + +.. cfgcmd:: set service dns forwarding name-server <address> port <port> + +   Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>` +   on optional port specified under `<port>`. The port defaults to 53. You can +   configure multiple nameservers here.  .. cfgcmd:: set service dns forwarding domain <domain-name> server <address> @@ -35,6 +40,15 @@ avoid being tracked by the provider of your upstream DNS server.     .. note:: This also works for reverse-lookup zones (``18.172.in-addr.arpa``). +.. cfgcmd:: set service dns forwarding domain <domain-name> addnta + +   Add NTA (negative trust anchor) for this domain. This must be set if the +   domain does not support DNSSEC. + +.. cfgcmd:: set service dns forwarding domain <domain-name> recursion-desired + +   Set the "recursion desired" bit in requests to the upstream nameserver. +  .. cfgcmd:: set service dns forwarding allow-from <network>     Given the fact that open DNS recursors could be used on DDoS amplification 
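Review bot: the `addnta` description in dns.rst (hunk @@ -35,6 +40,15 @@) should state the consequence of the setting, not only when to use it: a negative trust anchor tells the resolver to skip DNSSEC validation for that domain, so answers for it from the forwarded server are accepted unverified. "This must be set if the domain does not support DNSSEC" is also broader than needed; it is required where validation would otherwise fail for that domain, and it should be kept to exactly the domain in question. Suggest: "Add a negative trust anchor (NTA) for this domain, which disables DNSSEC validation for it. Use this only for a domain whose forwarded server cannot return validatable answers, since responses for it will no longer be verified."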
@@ -154,8 +168,10 @@ In this scenario:    set service dns forwarding domain example.com server 2001:db8:cafe::1    set service dns forwarding name-server 192.0.2.1    set service dns forwarding name-server 192.0.2.2 +  set service dns forwarding name-server 192.0.2.3 port 853    set service dns forwarding name-server 2001:db8::1:ffff    set service dns forwarding name-server 2001:db8::2:ffff +  set service dns forwarding name-server 2001:db8::3:ffff port 8053    set service dns forwarding listen-address 192.168.1.254    set service dns forwarding listen-address 2001:db8::ffff    set service dns forwarding allow-from 192.168.1.0/24 diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst index 8607490d..1195348f 100644 --- a/docs/configuration/service/index.rst +++ b/docs/configuration/service/index.rst @@ -18,6 +18,7 @@ Service     lldp     mdns     monitoring +   ntp     pppoe-server     router-advert     salt-minion diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index d8b9e6b7..c219a063 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst @@ -39,7 +39,7 @@ the configuration.  .. code-block:: none -  set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 +  set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06    set service ipoe-server authentication mode 'local'    set service ipoe-server name-server '10.10.1.1'    set service ipoe-server name-server '10.10.1.2' 
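Review bot: the example in dns.rst (hunk @@ -154,8 +168,10 @@) adds `set service dns forwarding name-server 192.0.2.3 port 853`; 853 is the IANA-assigned port for DNS over TLS (RFC 7858), and nothing in this change says the forwarder speaks TLS, so a reader may conclude that the `port` option gives them encrypted upstream DNS when it only changes the destination port of plain DNS queries. Use a neutral port in the example (the IPv6 line already uses 8053) or add one sentence to the `name-server <address> port <port>` description stating that `port` does not enable DNS over TLS.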
@@ -70,7 +70,7 @@ IPv6 DNS addresses are optional.  .. code-block:: none -  set service ipoe-server authentication interface eth3 mac-address 08:00:27:2F:D8:06 +  set service ipoe-server authentication interface eth3 mac 08:00:27:2F:D8:06    set service ipoe-server authentication mode 'local'    set service ipoe-server client-ipv6-pool delegate '2001:db8:1::/48' delegation-prefix '56'    set service ipoe-server client-ipv6-pool prefix '2001:db8::/48' mask '64' @@ -131,8 +131,8 @@ The rate-limit is set in kbit/sec.  .. code-block:: none -  set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit download '500' -  set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit upload '500' +  set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit download '500' +  set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit upload '500'    set service ipoe-server authentication mode 'local'    set service ipoe-server name-server '10.10.1.1'    set service ipoe-server name-server '10.10.1.2' 
@@ -146,4 +146,49 @@ The rate-limit is set in kbit/sec.    -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------    ipoe0  | eth2       | 08:00:27:2f:d8:06 | 192.168.0.2 |     |        | 500/500    | active | 00:00:05 | dccc870fd31349fb +Example +======= + +* IPoE server will listen on interfaces eth1.50 and eth1.51 +* There are rate-limited and non rate-limited users (MACs) + +Server configuration +-------------------- + +.. code-block:: none + +    set interfaces dummy dum1000 address 100.64.0.1/32 +    set interfaces dummy dum1000 address 2001:db8::1/128 + +    set interfaces ethernet eth1 description 'IPoE' +    set interfaces ethernet eth1 vif 50 +    set interfaces ethernet eth1 vif 51 + +    set service ipoe-server authentication interface eth1.50 mac 00:0c:29:b7:49:a7 +    set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit download '5000' +    set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit upload '5000' +    set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit download '50000' +    set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000' +    set service ipoe-server authentication mode 'local' +     +    set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56' +    set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64' +    set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24' +    set service ipoe-server interface eth1.50 mode 'l2' +    set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24' +    set service ipoe-server interface eth1.51 mode 'l2' +    set service ipoe-server name-server '100.64.0.1' +    set service ipoe-server name-server '2001:db8::1' + +Client configuration +-------------------- + +.. 
code-block:: none + +    set interfaces ethernet eth0 mac '00:0c:29:b7:49:a7' + +    set interfaces ethernet eth0 vif 50 address 'dhcp' +    set interfaces ethernet eth0 vif 50 address 'dhcpv6' +    set interfaces ethernet eth0 vif 50 dhcpv6-options pd 0 interface eth1 sla-id '1' +  .. include:: /_include/common-references.txt diff --git a/docs/configuration/system/ntp.rst b/docs/configuration/service/ntp.rst index 223447f5..08be047c 100644 --- a/docs/configuration/system/ntp.rst +++ b/docs/configuration/service/ntp.rst @@ -30,10 +30,16 @@ The current protocol is version 4 (NTPv4), which is a proposed standard as  documented in :rfc:`5905`. It is backward compatible with version 3, specified  in :rfc:`1305`. +.. note:: VyOS 1.4 uses chrony instead of ntpd (see :vytask:`T3008`) which will +   no longer accept anonymous NTP requests as in VyOS 1.3. All configurations +   will be migrated to keep the anonymous functionality. For new setups if you +   have clients using your VyOS installation as NTP server, you must specify +   the `allow-client` directive. +  Configuration  ============= -.. cfgcmd:: set system ntp server <address> +.. cfgcmd:: set service ntp server <address>     Configure one or more servers for synchronisation. Server name can be either     an IP address or :abbr:`FQDN (Fully Qualified Domain Name)`. 
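Review bot: the new Example in ipoe-server.rst (hunk @@ -146,4 +146,49 @@) shows the client side simply setting `set interfaces ethernet eth0 mac '00:0c:29:b7:49:a7'` to match the server's `authentication interface eth1.50 mac ...` entry, so the intro bullets should say plainly that `authentication mode 'local'` with MAC entries identifies subscribers for address assignment and rate limits and is not a credential check; otherwise readers may treat the MAC list as access control. Smaller points: "rate-limited and non rate-limited" should be hyphenated consistently, and the 100.64.x.x addresses are RFC 6598 shared address space, which is worth labelling since the IPv6 lines use documentation prefixes.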
@@ -44,34 +50,35 @@ Configuration     * ``1.pool.ntp.org``     * ``2.pool.ntp.org`` -.. cfgcmd:: set system ntp server <address> <noselect | pool | preempt | prefer> +.. cfgcmd:: set service ntp server <address> <noselect | nts | pool | prefer>     Configure one or more attributes to the given NTP server.     * ``noselect`` marks the server as unused, except for display purposes. The       server is discarded by the selection algorithm. +   * ``nts`` enables Network Time Security (NTS) for the server as specified  +     in :rfc:`8915` +     * ``pool`` mobilizes persistent client mode association with a number of       remote servers. -   * ``preempt`` a preemptable association is expendable. -     * ``prefer`` marks the server as preferred. All other things being equal,       this host will be chosen for synchronization among a set of correctly       operating hosts. -.. cfgcmd:: set system ntp listen-address <address> +.. cfgcmd:: set service ntp listen-address <address>     NTP process will only listen on the specified IP address. You must specify     the `<address>` and optionally the permitted clients. Multiple listen     addresses can be configured. -.. cfgcmd:: set system ntp allow-clients address <address> +.. cfgcmd:: set service ntp allow-client address <address>     List of networks or client addresses permitted to contact this NTP server. -   Multiple networks can be configured. +   Multiple networks/client IP addresses can be configured. -.. cfgcmd:: set system ntp vrf <name> +.. cfgcmd:: set service ntp vrf <name>    Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index 0de72941..eb1a6844 100644 --- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst 
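Review bot: in ntp.rst (hunk @@ -44,34 +50,35 @@) the new `nts` bullet ends with trailing whitespace and no full stop ("as specified  in :rfc:`8915`"), and the `listen-address` description still says "optionally the permitted clients" although permitted clients are now a separate command; reference `set service ntp allow-client address <address>` there explicitly. Dropping `preempt` from the option list is fine, but it deserves a sentence in the chrony note above so readers with an existing `preempt` option know what to expect after migration.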
@@ -8,7 +8,6 @@ Router Advertisements  They are part of what is known as :abbr:`SLAAC (Stateless Address  Autoconfiguration)`. -  Supported interface types:      * bonding @@ -21,7 +20,7 @@ Supported interface types:      * vxlan      * wireguard      * wireless -    * wirelessmodem +    * wwan  Enabling Advertisments @@ -31,7 +30,7 @@ Enabling Advertisments  .. stop_vyoslinter -.. csv-table::  +.. csv-table::     :header: "Field", "VyOS Option", "Description"     :widths: 10, 10, 20 diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index ab77c138..15c2390c 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst @@ -139,6 +139,8 @@ offending IP is blocked. Offenders are unblocked after a set interval.    Block source IP when their cumulative attack score exceeds threshold. The    default is 30. +.. _ssh_operation: +  Operation  ========= @@ -193,13 +195,13 @@ Operation     :ref:`ssh_key_based_authentication`.     ``<location>`` can be a local path or a URL pointing at a remote file. -   Supported remote protocols are FTP, HTTP, HTTPS, SCP/SFTP and TFTP. +   Supported remote protocols are FTP, FTPS, HTTP, HTTPS, SCP/SFTP and TFTP.    Example:    .. code-block:: none -    alyssa@vyos:~$ generate public-key-command name alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub +    alyssa@vyos:~$ generate public-key-command user alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub      # To add this key as an embedded key, run the following commands:      configure      set system login user alyssa authentication public-keys alyssa@example.net key AAA... diff --git a/docs/configuration/service/tftp-server.rst b/docs/configuration/service/tftp-server.rst index 0ca75efe..84acf3d4 100644 --- a/docs/configuration/service/tftp-server.rst +++ b/docs/configuration/service/tftp-server.rst 
@@ -15,8 +15,8 @@ Configuration  .. cfgcmd:: set service tftp-server directory <directory> -Enable TFTP service by specifying the `<directory>` which will be used to serve -files. +   Enable TFTP service by specifying the `<directory>` which will be used to serve +   files.  .. hint:: Choose your ``directory`` location carefully or you will loose the     content on image upgrades. Any directory under ``/config`` is save at this @@ -24,9 +24,9 @@ files.  .. cfgcmd:: set service tftp-server listen-address <address> -Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and -IPv6 addresses can be given. There will be one TFTP server instances listening -on each IP address. +   Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and +   IPv6 addresses can be given. There will be one TFTP server instances listening +   on each IP address.  .. cfgcmd:: set service tftp-server listen-address <address> vrf <name> @@ -40,8 +40,8 @@ Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forw  .. cfgcmd:: set service tftp-server allow-upload -Optional, if you want to enable uploads, else TFTP server will act as a  -read-only server. +   Optional, if you want to enable uploads, else TFTP server will act as a  +   read-only server.  Example  ------- diff --git a/docs/configuration/system/acceleration.disable b/docs/configuration/system/acceleration.disable deleted file mode 100644 index b09da38b..00000000 --- a/docs/configuration/system/acceleration.disable +++ /dev/null @@ -1,7 +0,0 @@ -.. _acceleration: - -############ -Acceleration -############ - - diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst index 62b85c71..63506d6d 100644 --- a/docs/configuration/system/acceleration.rst +++ b/docs/configuration/system/acceleration.rst 
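Review bot: in tftp-server.rst (hunk @@ -15,8 +15,8 @@) the hint directly below the re-indented description still reads "you will loose the content" and "is save at this" in the visible context; since the block is being touched anyway, change them to "lose" and "safe".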
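Review bot: in tftp-server.rst (hunk @@ -24,9 +24,9 @@) "There will be one TFTP server instances listening on each IP address" should be "one TFTP server instance listening on each IP address"; the re-indentation kept the grammar error.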
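Review bot: in tftp-server.rst (hunk @@ -40,8 +40,8 @@) the `allow-upload` description keeps a trailing space after "act as a" and should say that enabling uploads makes the served `directory` writable by any host that can reach the listen address, since TFTP carries no authentication; that is the fact a reader needs before enabling it.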
@@ -63,39 +63,50 @@ Side A:  .. code-block:: +      set interfaces vti vti1 address '192.168.1.2/24' +    set vpn ipsec authentication psk right id '10.10.10.2' +    set vpn ipsec authentication psk right id '10.10.10.1' +    set vpn ipsec authentication psk right secret 'Qwerty123'      set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'      set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'      set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'      set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'      set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'      set vpn ipsec interface 'eth0' -    set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret' -    set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123' -    set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate' -    set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup' -    set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup' -    set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2' -    set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1' +    set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2' +    set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret' +    set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1' +    set vpn ipsec site-to-site peer right connection-type 'initiate' +    set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup' +    set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup' +    set vpn ipsec site-to-site peer right local-address '10.10.10.2' +    set vpn ipsec site-to-site peer right remote-address '10.10.10.1' +    set vpn ipsec site-to-site peer right vti bind 'vti1'  Side B:  .. 
code-block::      set interfaces vti vti1 address '192.168.1.1/24' +    set vpn ipsec authentication psk left id '10.10.10.2' +    set vpn ipsec authentication psk left id '10.10.10.1' +    set vpn ipsec authentication psk left secret 'Qwerty123'      set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'      set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'      set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'      set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'      set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'      set vpn ipsec interface 'eth0' -    set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret' -    set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123' -    set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate' -    set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup' -    set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup' -    set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1' -    set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1' +    set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1' +    set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret' +    set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2' +    set vpn ipsec site-to-site peer left connection-type 'initiate' +    set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup' +    set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup' +    set vpn ipsec site-to-site peer left local-address '10.10.10.1' +    set vpn ipsec site-to-site peer left remote-address '10.10.10.2' +    set vpn ipsec site-to-site peer left vti bind 'vti1'  a bandwidth test over the VPN got these results: diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst index 0fe0d575..68a4f2b8 100644 
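Review bot: in acceleration.rst (hunk @@ -63,39 +63,50 @@) the first added line of Side A, `set interfaces vti vti1 address '192.168.1.2/24'`, is indented by six spaces while every other line in the block uses four, so the rendered code block shows it offset; align it with the rest. The pre-shared key carried into `set vpn ipsec authentication psk right secret 'Qwerty123'` (and the `left` counterpart on Side B) is a weak, guessable value in a copy-paste-ready example; use an obvious placeholder such as '<psk>' and state that the key should be generated randomly. Both `.. code-block::` directives also lack the `none` language argument used elsewhere in these docs.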
--- a/docs/configuration/system/conntrack.rst +++ b/docs/configuration/system/conntrack.rst @@ -1,13 +1,15 @@ -################### -Connection tracking -################### + +######### +Conntrack +#########  VyOS can be configured to track connections using the connection  tracking subsystem. Connection tracking becomes operational once either  stateful firewall or NAT is configured. -Conntrack Table ---------------- +********* +Configure +*********  .. cfgcmd:: set system conntrack table-size <1-50000000>      :defaultvalue: @@ -30,12 +32,6 @@ Conntrack Table      searching the connection tracking table faster. The hash table uses      “buckets” to record entries in the connection tracking table. - -Modules -------- - -Enables ``conntrack`` modules. All modules are enable by default. -  .. cfgcmd:: set system conntrack modules ftp  .. cfgcmd:: set system conntrack modules h323  .. cfgcmd:: set system conntrack modules nfs @@ -44,12 +40,15 @@ Enables ``conntrack`` modules. All modules are enable by default.  .. cfgcmd:: set system conntrack modules sqlnet  .. cfgcmd:: set system conntrack modules tftp -Use ``delete system conntrack modules`` to deactive all modules. -Or, for example ftp, ``delete system conntrack modules ftp``. +    Configure the connection tracking protocol helper modules. +    All modules are enable by default. +    | Use `delete system conntrack modules` to deactive all modules. +    | Or, for example ftp, `delete system conntrack modules ftp`. -Define Connection Timeouts --------------------------- + +Define Conection Timeouts +=========================  VyOS supports setting timeouts for connections according to the  connection type. You can set timeout values for generic connections, for ICMP 
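Review bot: in conntrack.rst (hunk @@ -44,12 +40,15 @@) the new modules description uses single backticks around `delete system conntrack modules`, which reStructuredText renders as interpreted text rather than a literal; use double backticks like the rest of the page. In the same lines "All modules are enable by default" should be "enabled", "deactive" should be "deactivate", and the line-block bars ("| Use ...") are unusual inside a cfgcmd description where plain sentences would do. The new heading "Define Conection Timeouts" misspells "Connection".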
@@ -88,43 +87,101 @@ You can also define custom timeout values to apply to a specific subset of  connections, based on a packet and flow selector. To do this, you need to  create a rule defining the packet and flow selector. -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> -   description <test> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> -   destination address <ip-address> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> -   destination port <value> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> -   inbound-interface <interface> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> -   source address <ip-address> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> -   source port <value> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> -   protocol <protocol> - -    Configure customized timeout rules for selective connection tracking. - -Conntrack Ignore ----------------- - -Customized ignore rules, based on a packet and flow selector, can be -configured in VyOS. To do this, you can configure as much rules as -needed using next commands: - -.. cfgcmd:: set system conntrack ignore rule <1-999999> -   description <text> -.. cfgcmd:: set system conntrack ignore rule <1-999999> -   destination address <ip-address> -.. cfgcmd:: set system conntrack ignore rule <1-999999> -   destination port <port> -.. cfgcmd:: set system conntrack ignore rule <1-999999> -   inbound-interface <interface> -.. cfgcmd:: set system conntrack ignore rule <1-999999> -   protocol <protocol> -.. cfgcmd:: set system conntrack ignore rule <1-999999> -   source address <ip-address> -.. cfgcmd:: set system conntrack ignore rule <1-999999> -   source port <port> - -    Configure customized ignore rules for selective connection tracking. +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description <test> + +    Set a rule description. + + +.. 
cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address <ip-address> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address <ip-address> + +    set a destination and/or source address. Accepted input: + +    .. code-block:: none + +        <x.x.x.x>    IP address to match +        <x.x.x.x/x>  Subnet to match +        <x.x.x.x>-<x.x.x.x> +                        IP range to match +        !<x.x.x.x>   Match everything except the specified address +        !<x.x.x.x/x> Match everything except the specified subnet +        !<x.x.x.x>-<x.x.x.x> +                        Match everything except the specified range + +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port <value> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port <value> + +    Set a destination and/or source port. Accepted input: + +    .. code-block:: none + +        <port name>    Named port (any name in /etc/services, e.g., http) +        <1-65535>      Numbered port +        <start>-<end>  Numbered port range (e.g., 1001-1005) +     +    Multiple destination ports can be specified as a comma-separated list. +    The whole list can also be "negated" using '!'. For example: +    `!22,telnet,http,123,1001-1005`` + +             + +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836> +.. 
cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836> + +    Set the timeout in secounds for a protocol or state in a custom rule. + + +.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> +    :defaultvalue: + +    Set the maximum number of TCP half-open connections. + +.. cfgcmd:: set system conntrack tcp loose <enable | disable> +    :defaultvalue: + +    Policy to track previously established connections. + +.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> +    :defaultvalue: + +    Set the number of TCP maximum retransmit attempts. + +.. cfgcmd:: set system conntrack ignore rule <1-9999> description <text> +.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address <ip-address> +.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port <port> +.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface <interface> +.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol <protocol> +.. cfgcmd:: set system conntrack ignore rule <1-9999> source address <ip-address> +.. cfgcmd:: set system conntrack ignore rule <1-9999> source port <port> + +    Customized ignore rules, based on a packet and flow selector. + +.. cfgcmd:: set system conntrack log icmp destroy +.. cfgcmd:: set system conntrack log icmp new +.. cfgcmd:: set system conntrack log icmp update +.. cfgcmd:: set system conntrack log other destroy +.. cfgcmd:: set system conntrack log other new +.. cfgcmd:: set system conntrack log other update +.. cfgcmd:: set system conntrack log tcp destroy +.. 
cfgcmd:: set system conntrack log tcp new +.. cfgcmd:: set system conntrack log tcp update close-wait +.. cfgcmd:: set system conntrack log tcp update established +.. cfgcmd:: set system conntrack log tcp update fin-wait +.. cfgcmd:: set system conntrack log tcp update last-ack +.. cfgcmd:: set system conntrack log tcp update syn-received +.. cfgcmd:: set system conntrack log tcp update time-wait +.. cfgcmd:: set system conntrack log udp destroy +.. cfgcmd:: set system conntrack log udp new +.. cfgcmd:: set system conntrack log udp update + +    Log the connection tracking events per protocol.
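Review bot: in conntrack.rst (hunk @@ -88,43 +87,101 @@) several added lines need cleanup: the port example opens with one backtick and closes with two (`!22,telnet,http,123,1001-1005``) so it will not render as a literal; "Set the timeout in secounds" should be "seconds"; "set a destination and/or source address" should start with a capital; the description placeholder `<test>` should be `<text>` as in the ignore rules; and there are whitespace-only added lines ("+     ", "+             ") that lint will flag. The rule range changes from <1-999999> to <1-9999> in every command, so please confirm it matches the CLI. The ignore rules description shrank to "Customized ignore rules, based on a packet and flow selector." and no longer says what the rule does; state that matching packets are excluded from connection tracking, which matters because stateful firewall and NAT rules depend on tracked state. The file also ends without a trailing newline.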
\ No newline at end of file diff --git a/docs/configuration/system/host-name.rst b/docs/configuration/system/host-name.rst index 79fae851..d062fc62 100644 --- a/docs/configuration/system/host-name.rst +++ b/docs/configuration/system/host-name.rst @@ -46,7 +46,12 @@ Static Hostname Mapping  How an IP address is assigned to an interface in :ref:`ethernet-interface`.  This section shows how to statically map an IP address to a hostname for local -(meaning on this VyOS instance) name resolution. +(meaning on this VyOS instance) name resolution. This is the VyOS equivalent to +`/etc/hosts` file entries. + +.. note:: Do *not* manually edit `/etc/hosts`. This file will automatically be +   regenerated on boot based on the settings in this section, which means you'll +   lose all your manual edits. Instead, configure static host mappings as follows.  .. cfgcmd:: set system static-host-mapping host-name <hostname> inet <address> diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index 5bf781af..23edaa3f 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst @@ -17,10 +17,11 @@ System     lcd     login     name-server -   ntp     option     proxy +   sflow     syslog +   sysctl     task-scheduler     time-zone diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index c4cc232d..a5c1b558 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -54,6 +54,8 @@ and paste it. Some terminal emulators may accidentally split this over several  lines. Be attentive when you paste it that it only pastes as a single line.  The third part is simply an identifier, and is for your own reference. +.. seealso:: SSH :ref:`ssh_operation` +  .. cfgcmd:: set system login user <username> authentication public-keys     <identifier> key <key> 
@@ -85,24 +87,6 @@ The third part is simply an identifier, and is for your own reference.     ``from="10.0.0.0/24"`` to restrict where the user     may connect from when using this key. -.. cfgcmd:: loadkey <username> <location> - -   **Deprecation notice:** ``loadkey`` has been deprecated in favour of -   :opcmd:`generate public-key-commands` and will be removed in a future -   version. See :ref:`ssh`. - -   SSH keys can not only be specified on the command-line but also loaded for -   a given user with `<username>` from a file pointed to by `<location>.` Keys -   can be either loaded from local filesystem or any given remote location -   using one of the following :abbr:`URIs (Uniform Resource Identifier)`: - -   * ``<file>`` - Load from file on local filesystem path -   * ``scp://<user>@<host>:/<file>`` - Load via SCP from remote machine -   * ``sftp://<user>@<host>/<file>`` - Load via SFTP from remote machine -   * ``ftp://<user>@<host>/<file>`` - Load via FTP from remote machine -   * ``http://<host>/<file>`` - Load via HTTP from remote machine -   * ``tftp://<host>/<file>`` - Load via TFTP from remote machine -  MFA/2FA authentication using OTP (one time passwords)  ----------------------------------------------------- diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index a4e08245..c9c9bfb1 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst 
@@ -39,6 +39,20 @@ HTTP client  .. note:: `source-address` and `source-interface` can not be used at the same     time. +********** +SSH client +********** + +.. cfgcmd:: set system option ssh-client source-address <address> + +   Use the specified address on the local machine as the source address of the +   connection. Only useful on systems with more than one address. + +.. cfgcmd:: set system option ssh-client source-interface <interface> + +   Use the address of the specified interface on the local machine as the +   source address of the connection. +  ***************  Keyboard Layout  *************** diff --git a/docs/configuration/system/sflow.rst b/docs/configuration/system/sflow.rst new file mode 100644 index 00000000..b131d8a9 --- /dev/null +++ b/docs/configuration/system/sflow.rst 
@@ -0,0 +1,63 @@ +.. _ntp: + +##### +sFlow +##### + +VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector. + +sFlow is a technology that enables monitoring of network traffic by sending sampled packets to a collector device. + +The sFlow accounting based on hsflowd https://sflow.net/ + +Configuration +============= + +.. cfgcmd:: set system sflow agent-address <address> + +   Configure sFlow agent IPv4 or IPv6 address + + +.. cfgcmd:: set system sflow agent-interface <interface> + +   Configure agent IP address associated with this interface. + + +.. cfgcmd:: set system sflow drop-monitor-limit <limit> + +   Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets + +.. cfgcmd:: set system sflow interface <interface> + +   Configure and enable collection of flow information for the interface identified by <interface>. + +   You can configure multiple interfaces which whould participate in sflow accounting. + + +.. cfgcmd:: set system sflow polling <sec> + +   Configure schedule counter-polling in seconds (default: 30) + +.. cfgcmd:: set system sflow sampling-rate <rate> + +   Use this command to configure the sampling rate for sFlow accounting (default: 1000) + +.. cfgcmd:: set system sflow server <address> port <port> + +   Configure address of sFlow collector. sFlow server at <address> can be both listening on an IPv4 or IPv6 address. + + +Example +======= + +.. code-block:: none + +  set system sflow agent-address '192.0.2.14' +  set system sflow agent-interface 'eth0' +  set system sflow drop-monitor-limit '50' +  set system sflow interface 'eth0' +  set system sflow interface 'eth1' +  set system sflow polling '30' +  set system sflow sampling-rate '1000' +  set system sflow server 192.0.2.1 port '6343' +  set system sflow server 203.0.113.23 port '6343' 
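Review bot: the new sflow.rst opens with the label `.. _ntp:`, which is a copy-paste left-over from the NTP page; if that page keeps its own `_ntp` label Sphinx reports a duplicate label and `:ref:` links to ntp may land on the sFlow page, so change it to `.. _sflow:`. Wording: "The sFlow accounting based on hsflowd https://sflow.net/" lacks a verb ("sFlow accounting is based on hsflowd, see https://sflow.net/"), "whould" should be "would", and "sFlow server at <address> can be both listening on an IPv4 or IPv6 address" should read "<address> can be an IPv4 or IPv6 address". Since the exporter sends sampled packet headers to the collector as plain UDP datagrams (port 6343 in the example), the `server` description should advise reaching the collector only over a trusted or management network.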
diff --git a/docs/configuration/system/sysctl.disable b/docs/configuration/system/sysctl.disable deleted file mode 100644 index 82ffd159..00000000 --- a/docs/configuration/system/sysctl.disable +++ /dev/null @@ -1,2 +0,0 @@ -sysctl -######
\ No newline at end of file diff --git a/docs/configuration/system/sysctl.rst b/docs/configuration/system/sysctl.rst new file mode 100644 index 00000000..06e15031 --- /dev/null +++ b/docs/configuration/system/sysctl.rst @@ -0,0 +1,12 @@ +.. _sysctl: + +###### +Sysctl +###### + +This chapeter describes how to configure kernel parameters at runtime. + +``sysctl`` is used to modify kernel parameters at runtime.  The parameters +available are those listed under /proc/sys/.  + +.. cfgcmd:: set system sysctl parameter <parameter> value <value> diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index 66fc79da..6680d46a 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -191,7 +191,7 @@ Hub    set interfaces tunnel tun100 address '172.16.253.134/29'    set interfaces tunnel tun100 encapsulation 'gre'    set interfaces tunnel tun100 local-ip '192.0.2.1' -  set interfaces tunnel tun100 multicast 'enable' +  set interfaces tunnel tun100 enable-multicast    set interfaces tunnel tun100 parameters ip key '1'    set protocols nhrp tunnel tun100 cisco-authentication 'secret' @@ -298,7 +298,7 @@ VyOS can also run in DMVPN spoke mode.    set interfaces tunnel tun100 address '172.16.253.133/29'    set interfaces tunnel tun100 local-ip 0.0.0.0    set interfaces tunnel tun100 encapsulation 'gre' -  set interfaces tunnel tun100 multicast 'enable' +  set interfaces tunnel tun100 enable-multicast    set interfaces tunnel tun100 parameters ip key '1'    set protocols nhrp tunnel tun100 cisco-authentication 'secret' diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 4721cbcd..327f3abb 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst 
@@ -111,6 +111,8 @@ VyOS IKE group has the next options:   * ``hash`` hash algorithm. + * ``prf`` pseudo-random function. +  ***********************************************  ESP (Encapsulating Security Payload) Attributes  *********************************************** @@ -200,6 +202,11 @@ On the LEFT:    ## IPsec    set vpn ipsec interface eth0 +  # Pre-shared-secret +  set vpn ipsec authentication psk vyos id 192.0.2.10 +  set vpn ipsec authentication psk vyos id 203.0.113.45 +  set vpn ipsec authentication psk vyos secret MYSECRETKEY +    # IKE group    set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'    set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' @@ -211,7 +218,6 @@ On the LEFT:    # IPsec tunnel    set vpn ipsec site-to-site peer right authentication mode pre-shared-secret -  set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY    set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45    set vpn ipsec site-to-site peer right ike-group MyIKEGroup diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 1b48571d..1b4d4b4c 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -56,7 +56,7 @@ Server Configuration    set vpn openconnect ssl passphrase <pki-password>  2FA OTP support  -==================== +===============  Instead of password only authentication, 2FA password   authentication + OTP key can be used. Alternatively, OTP authentication only, 
@@ -221,3 +221,34 @@ To display the configured OTP user settings, use the command:  .. code-block:: none    show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri> + +Configuring RADIUS accounting +============================= + +OpenConnect can be configured to send accounting information to a +RADIUS server to capture user session data such as time of +connect/disconnect, data transferred, and so on. + +Configure an accounting server and enable accounting with: + +.. code-block:: none + +  set vpn openconnect accounting mode radius +  set vpn openconnect accounting radius server 172.20.20.10 +  set vpn openconnect accounting radius server 172.20.20.10 port 1813 +  set vpn openconnect accounting radius server 172.20.20.10 key your_radius_secret + +.. warning:: The RADIUS accounting feature must be used with the OpenConnect +  authentication mode RADIUS. It cannot be used with local authentication. +  You must configure the OpenConnect authentication mode to "radius". + +An example of the data captured by a FREERADIUS server with sql accounting: + +.. 
code-block:: none + +  mysql> SELECT username, nasipaddress, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets, callingstationid, framedipaddress, connectinfo_start FROM radacct; +  +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ +  | username | nasipaddress  | acctstarttime       | acctstoptime        | acctinputoctets | acctoutputoctets | callingstationid  | framedipaddress | connectinfo_start                 | +  +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ +  | test     | 198.51.100.15 | 2023-01-13 00:59:15 | 2023-01-13 00:59:21 |           10606 |              152 | 192.168.6.1       | 172.20.20.198   | Open AnyConnect VPN Agent v8.05-1 | +  +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index bc30a711..e89d25c6 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst 
@@ -18,23 +18,29 @@ Each site-to-site peer has the next options:  * ``authentication`` - configure authentication between VyOS and a remote peer.    Suboptions: + * ``psk`` - Preshared secret key name: + +  * ``dhcp-interface`` - ID for authentication generated from DHCP address  +    dynamically; +  * ``id`` - static ID's for authentication. In general local and remote  +    address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; +  * ``secret`` - predefined shared secret. Used if configured mode  +    ``pre-shared-secret``; + +   * ``local-id`` - ID for the local VyOS router. If defined, during the     authentication     it will be send to remote peer;   * ``mode`` - mode for authentication between VyOS and remote peer: -  * ``pre-shared-secret`` - use predefined shared secret phrase, must be the -    same for local and remote side; +  * ``pre-shared-secret`` - use predefined shared secret phrase;    * ``rsa`` - use simple shared RSA key. The key must be defined in the      ``set vpn rsa-keys`` section;    * ``x509`` - use certificates infrastructure for authentication. - * ``pre-shared-secret`` - predefined shared secret. Used if configured -   ``mode pre-shared-secret``; -   * ``remote-id`` - define an ID for remote peer, instead of using peer name or     address. Useful in case if the remote peer is behind NAT or if ``mode x509``     is used; @@ -161,6 +167,9 @@ Example:  .. code-block:: none    # server config +  set vpn ipsec authentication psk OFFICE-B id '198.51.100.3' +  set vpn ipsec authentication psk OFFICE-B id '203.0.113.2' +  set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'    set vpn ipsec esp-group office-srv-esp lifetime '1800'    set vpn ipsec esp-group office-srv-esp mode 'tunnel'    set vpn ipsec esp-group office-srv-esp pfs 'enable' 
@@ -171,8 +180,8 @@ Example:    set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'    set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'    set vpn ipsec interface 'eth1' +  set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3'    set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey'    set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'    set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'    set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' @@ -182,6 +191,9 @@ Example:    set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'    # remote office config +  set vpn ipsec authentication psk OFFICE-A id '198.51.100.3' +  set vpn ipsec authentication psk OFFICE-A id '203.0.113.2' +  set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'    set vpn ipsec esp-group office-srv-esp lifetime '1800'    set vpn ipsec esp-group office-srv-esp mode 'tunnel'    set vpn ipsec esp-group office-srv-esp pfs 'enable' @@ -192,8 +204,8 @@ Example:    set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'    set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'    set vpn ipsec interface 'eth1' +  set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2'    set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey'    set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'    set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'    set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' 
@@ -279,6 +291,9 @@ Imagine the following topology    set interfaces vti vti10 address '10.0.0.2/31' +  set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' +  set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' +  set vpn ipsec authentication psk OFFICE-B secret 'secretkey'    set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'    set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'    set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' @@ -293,7 +308,6 @@ Imagine the following topology    set vpn ipsec interface 'eth0.201'    set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10'    set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey'    set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'    set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'    set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' @@ -308,6 +322,9 @@ Imagine the following topology    set interfaces vti vti10 address '10.0.0.3/31' +  set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' +  set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' +  set vpn ipsec authentication psk OFFICE-A secret 'secretkey'    set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'    set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'    set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' 
@@ -325,7 +342,6 @@ Imagine the following topology    set vpn ipsec interface 'eth0.202'    set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10'    set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey'    set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10'    set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate'    set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' @@ -375,9 +391,7 @@ Key Parameters:    Below flow-chart could be a quick reference for the close-action     combination depending on how the peer is configured.    -    -.. image:: /_static/images/IPSec_close_action_settings.jpg -   :width: 50% -   :align: center + +.. figure:: /_static/images/IPSec_close_action_settings.jpg    Similar combinations are applicable for the dead-peer-detection. | 
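Review bot: the new SSH client hunk (``@@ -39,6 +39,20 @@ HTTP client``) documents ``ssh-client source-address`` and ``ssh-client source-interface`` without saying whether the two can be combined, while the HTTP client section directly above carries ``.. note:: `source-address` and `source-interface` can not be used at the same time.`` If the same restriction applies to the SSH client, add the same note under the new section; if both can be set together, say so and state which one wins, since a reader configuring a management host will otherwise assume the HTTP client rule applies.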
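Review bot: in the new ``docs/configuration/system/sflow.rst`` the reference label on the first line is ``.. _ntp:`` instead of ``.. _sflow:``; this is a copy-paste leftover that duplicates the NTP page's label, so Sphinx will warn and ``:ref:`` links can resolve to the wrong page. Within the same file: "whould" should be "would", "The sFlow accounting based on hsflowd" is missing "is", and "Configure schedule counter-polling in seconds" reads better as "Configure the counter-polling interval in seconds". The ``drop-monitor-limit <limit>`` entry never says what ``<limit>`` counts, and ``sampling-rate <rate>`` does not say what the number means, so both need one sentence each. In the example block, ``set system sflow server 192.0.2.1 port '6343'`` and the ``203.0.113.23`` line quote the port but not the address, unlike every other value in the block.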
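Review bot: the new ``docs/configuration/system/sysctl.rst`` ends on ``.. cfgcmd:: set system sysctl parameter <parameter> value <value>`` with no description and no example; the page should at least state the expected form of ``<parameter>`` (the text only points at ``/proc/sys/``) and give one ``set system sysctl parameter ... value ...`` line, since a reader cannot tell from the current page whether a dotted name or a path is accepted. Also "chapeter" should be "chapter", and the second paragraph has doubled spaces after the periods and trailing whitespace after ``/proc/sys/.``.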
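Review bot: in ``docs/configuration/vpn/ipsec.rst`` hunk ``@@ -111,6 +111,8 @@`` the new bullet `` * ``prf`` pseudo-random function.`` gives neither the accepted values nor whether the setting is optional, and nothing else on the page introduces ``prf``; either list the values like the surrounding IKE group options do or point at the ``cfgcmd`` that documents them. In hunk ``@@ -200,6 +202,11 @@`` the psk example is fine as far as it goes, but a sentence noting that the peer's ``authentication pre-shared-secret`` line (removed in hunk ``@@ -211,7 +218,6 @@``) is replaced by the ``set vpn ipsec authentication psk <name> ...`` block would help readers upgrading existing configurations.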
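Review bot: in the OpenConnect RADIUS accounting hunk (``@@ -221,3 +221,34 @@``) the ``.. warning::`` states the same constraint three times; one sentence suffices, e.g. "RADIUS accounting requires the OpenConnect authentication mode to be ``radius``; it cannot be combined with local authentication." In the same hunk, "FREERADIUS server with sql accounting" should read "FreeRADIUS server with SQL accounting", and the example key ``your_radius_secret`` should be flagged as a placeholder so it is not copied as-is.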
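Review bot: in ``docs/configuration/vpn/site2site_ipsec.rst`` hunk ``@@ -18,23 +18,29 @@`` there is a stray ``+ `` line (whitespace only) between the ``secret`` sub-bullet and ``local-id``, leaving a double blank line and trailing whitespace; the ``dhcp-interface`` and ``id`` lines also end with trailing spaces. Wording: "static ID's" should be "static IDs", and "Used if configured mode ``pre-shared-secret``" is clearer as "Used when ``mode pre-shared-secret`` is configured", mirroring the line it replaces. The ``dhcp-interface`` description "ID for authentication generated from DHCP address dynamically" needs rephrasing to say that the interface's DHCP-assigned address is used as the ID. Finally, the deleted phrase "must be the same for local and remote side" is worth keeping under the ``psk`` bullet: the examples in hunks ``@@ -161,6 +167,9 @@`` and ``@@ -182,6 +191,9 @@`` show both sides configuring the identical ``secret``, and the text no longer says this is required.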
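Review bot: the last hunk (``@@ -375,9 +391,7 @@ Key Parameters:``) replaces ``.. image::`` with ``.. figure::`` and drops ``:width: 50%`` and ``:align: center``; ``figure`` accepts both options, so re-add them unless the full-width rendering is intended, and note that the replacement adds a ``+ `` line with trailing whitespace above the directive.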
