Diffstat (limited to 'docs')
43 files changed, 443 insertions, 404 deletions
| diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index d9a3ebe3..2615774f 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst 
@@ -766,3 +766,68 @@ Example Partial Config           }       }    } + + +.. _routing-mss-clamp: + +################ +TCP-MSS Clamping +################ + +As Internet wide PMTU discovery rarely works, we sometimes need to clamp +our TCP MSS value to a specific value. This is a field in the TCP +Options part of a SYN packet. By setting the MSS value, you are telling +the remote side unequivocally 'do not try to send me packets bigger than +this value'. + +Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS +value for IPv4 and IPv6. + + +.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting +   in 1452 bytes on a 1492 byte MTU. + + +IPv4 +==== + +.. cfgcmd:: set firewall options interface <interface> adjust-mss <number-of-bytes> + +   Use this command to set the maximum segment size for IPv4 transit +   packets on a specific interface (500-1460 bytes). + +Example +------- + +Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and +`1372` +for your WireGuard `wg02` tunnel. + +.. code-block:: none + +  set firewall options interface pppoe0 adjust-mss '1452' +  set firewall options interface wg02 adjust-mss '1372' + +IPv6 +==== + +.. cfgcmd:: set firewall options interface <interface> adjust-mss6 <number-of-bytes> + +   Use this command to set the maximum segment size for IPv6 transit +   packets on a specific interface (1280-1492 bytes). + +Example +------- + +Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and +`wg02` interface. + +.. code-block:: none + +  set firewall options interface pppoe0 adjust-mss6 '1280' +  set firewall options interface wg02 adjust-mss6 '1280' + + + +.. hint:: When doing your byte calculations, you might find useful this +   `Visual packet size calculator <https://baturin.org/tools/encapcalc/>`_. diff --git a/docs/routing/bfd.rst b/docs/configuration/protocols/bfd.rst index b8fdf489..b8fdf489 100644 --- a/docs/routing/bfd.rst 
+++ b/docs/configuration/protocols/bfd.rst diff --git a/docs/routing/bgp.rst b/docs/configuration/protocols/bgp.rst index c576d836..c576d836 100644 --- a/docs/routing/bgp.rst +++ b/docs/configuration/protocols/bgp.rst diff --git a/docs/configuration/protocols/igmp-proxy.rst b/docs/configuration/protocols/igmp-proxy.rst new file mode 100644 index 00000000..cce5f948 --- /dev/null +++ b/docs/configuration/protocols/igmp-proxy.rst @@ -0,0 +1,2 @@ +igmp-proxy +##########
\ No newline at end of file diff --git a/docs/routing/multicast.rst b/docs/configuration/protocols/igmp.rst index 9104b0c9..9104b0c9 100644 --- a/docs/routing/multicast.rst +++ b/docs/configuration/protocols/igmp.rst diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst new file mode 100644 index 00000000..271b6056 --- /dev/null +++ b/docs/configuration/protocols/index.rst @@ -0,0 +1,22 @@ +######### +Protocols +######### + + +.. toctree:: +   :maxdepth: 1 +   :includehidden: + +   bfd +   bgp +   igmp +   igmp-proxy +   mpls +   ospf +   ospfv3 +   pim +   rip +   ripng +   rpki +   static +   vrf diff --git a/docs/routing/mpls.rst b/docs/configuration/protocols/mpls.rst index 82e99a17..82e99a17 100644 --- a/docs/routing/mpls.rst +++ b/docs/configuration/protocols/mpls.rst diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst new file mode 100644 index 00000000..ff7c5e64 --- /dev/null +++ b/docs/configuration/protocols/ospf.rst 
@@ -0,0 +1,70 @@ +.. include:: /_include/need_improvement.txt + +.. _routing-ospf: + +#### +OSPF +#### + +:abbr:`OSPF (Open Shortest Path First)` is a routing protocol for Internet +Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls +into the group of interior gateway protocols (IGPs), operating within a single +autonomous system (AS). It is defined as OSPF Version 2 in :rfc:`2328` (1998) +for IPv4. Updates for IPv6 are specified as OSPF Version 3 in :rfc:`5340` +(2008). OSPF supports the :abbr:`CIDR (Classless Inter-Domain Routing)` +addressing model. + +OSPF is a widely used IGP in large enterprise networks. + +OSPFv2 (IPv4) +############# + +In order to have a VyOS system exchanging routes with OSPF neighbors, you will +at least need to configure an OSPF area and some network. + +.. code-block:: none + +  set protocols ospf area 0 network 192.168.0.0/24 + +That is the minimum configuration you will need. +It is a good practice to define the router ID too. + +.. code-block:: none + +  set protocols ospf parameters router-id 10.1.1.1 + + +Below you can see a typical configuration using 2 nodes, redistribute loopback +address and the node 1 sending the default route: + +**Node 1** + +.. code-block:: none + +  set interfaces loopback lo address 10.1.1.1/32 +  set protocols ospf area 0 network 192.168.0.0/24 +  set protocols ospf default-information originate always +  set protocols ospf default-information originate metric 10 +  set protocols ospf default-information originate metric-type 2 +  set protocols ospf log-adjacency-changes +  set protocols ospf parameters router-id 10.1.1.1 +  set protocols ospf redistribute connected metric-type 2 +  set protocols ospf redistribute connected route-map CONNECT + +  set policy route-map CONNECT rule 10 action permit +  set policy route-map CONNECT rule 10 match interface lo + +**Node 2** + +.. 
code-block:: none + +  set interfaces loopback lo address 10.2.2.2/32 +  set protocols ospf area 0 network 192.168.0.0/24 +  set protocols ospf log-adjacency-changes +  set protocols ospf parameters router-id 10.2.2.2 +  set protocols ospf redistribute connected metric-type 2 +  set protocols ospf redistribute connected route-map CONNECT + +  set policy route-map CONNECT rule 10 action permit +  set policy route-map CONNECT rule 10 match interface lo + diff --git a/docs/routing/ospf.rst b/docs/configuration/protocols/ospfv3.rst index 19787b11..f0e28983 100644 --- a/docs/routing/ospf.rst +++ b/docs/configuration/protocols/ospfv3.rst 
@@ -1,73 +1,3 @@ -.. include:: /_include/need_improvement.txt - -.. _routing-ospf: - -#### -OSPF -#### - -:abbr:`OSPF (Open Shortest Path First)` is a routing protocol for Internet -Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls -into the group of interior gateway protocols (IGPs), operating within a single -autonomous system (AS). It is defined as OSPF Version 2 in :rfc:`2328` (1998) -for IPv4. Updates for IPv6 are specified as OSPF Version 3 in :rfc:`5340` -(2008). OSPF supports the :abbr:`CIDR (Classless Inter-Domain Routing)` -addressing model. - -OSPF is a widely used IGP in large enterprise networks. - -OSPFv2 (IPv4) -############# - -In order to have a VyOS system exchanging routes with OSPF neighbors, you will -at least need to configure an OSPF area and some network. - -.. code-block:: none - -  set protocols ospf area 0 network 192.168.0.0/24 - -That is the minimum configuration you will need. -It is a good practice to define the router ID too. - -.. code-block:: none - -  set protocols ospf parameters router-id 10.1.1.1 - - -Below you can see a typical configuration using 2 nodes, redistribute loopback -address and the node 1 sending the default route: - -**Node 1** - -.. code-block:: none - -  set interfaces loopback lo address 10.1.1.1/32 -  set protocols ospf area 0 network 192.168.0.0/24 -  set protocols ospf default-information originate always -  set protocols ospf default-information originate metric 10 -  set protocols ospf default-information originate metric-type 2 -  set protocols ospf log-adjacency-changes -  set protocols ospf parameters router-id 10.1.1.1 -  set protocols ospf redistribute connected metric-type 2 -  set protocols ospf redistribute connected route-map CONNECT - -  set policy route-map CONNECT rule 10 action permit -  set policy route-map CONNECT rule 10 match interface lo - -**Node 2** - -.. 
code-block:: none - -  set interfaces loopback lo address 10.2.2.2/32 -  set protocols ospf area 0 network 192.168.0.0/24 -  set protocols ospf log-adjacency-changes -  set protocols ospf parameters router-id 10.2.2.2 -  set protocols ospf redistribute connected metric-type 2 -  set protocols ospf redistribute connected route-map CONNECT - -  set policy route-map CONNECT rule 10 action permit -  set policy route-map CONNECT rule 10 match interface lo -  OSPFv3 (IPv6)  ############# diff --git a/docs/configuration/protocols/pim.rst b/docs/configuration/protocols/pim.rst new file mode 100644 index 00000000..1dd373d8 --- /dev/null +++ b/docs/configuration/protocols/pim.rst @@ -0,0 +1,2 @@ +PIM +###
\ No newline at end of file diff --git a/docs/routing/rip.rst b/docs/configuration/protocols/rip.rst index 0d73ad34..0d73ad34 100644 --- a/docs/routing/rip.rst +++ b/docs/configuration/protocols/rip.rst diff --git a/docs/configuration/protocols/ripng.rst b/docs/configuration/protocols/ripng.rst new file mode 100644 index 00000000..dec6bddf --- /dev/null +++ b/docs/configuration/protocols/ripng.rst @@ -0,0 +1,3 @@ +##### +RIPng +#####
\ No newline at end of file diff --git a/docs/routing/rpki.rst b/docs/configuration/protocols/rpki.rst index 9813b1b6..9813b1b6 100644 --- a/docs/routing/rpki.rst +++ b/docs/configuration/protocols/rpki.rst diff --git a/docs/routing/static.rst b/docs/configuration/protocols/static.rst index 523627fa..fbde8228 100644 --- a/docs/routing/static.rst +++ b/docs/configuration/protocols/static.rst 
@@ -132,3 +132,64 @@ TBD  Alternate routing tables are used with policy based routing of by utilizing  :ref:`vrf`. + + +.. _routing-arp: + +### +ARP +### + +:abbr:`ARP (Address Resolution Protocol)` is a communication protocol used for +discovering the link layer address, such as a MAC address, associated with a +given internet layer address, typically an IPv4 address. This mapping is a +critical function in the Internet protocol suite. ARP was defined in 1982 by +:rfc:`826` which is Internet Standard STD 37. + +In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is +provided by the Neighbor Discovery Protocol (NDP). + +To manipulate or display ARP_ table entries, the following commands are +implemented. + +Configure +========= + +.. cfgcmd:: set protocols static arp <address> hwaddr <mac> + +   This will configure a static ARP entry always resolving `<address>` to +   `<mac>`. + +   Example: + +   .. code-block:: none + +     set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa + +Operation +========= + +.. opcmd:: show protocols static arp + +   Display all known ARP table entries spanning across all interfaces + +.. code-block:: none + +  vyos@vyos:~$ show protocols static arp +  Address                  HWtype  HWaddress           Flags Mask     Iface +  10.1.1.1                 ether   00:53:00:de:23:2e   C              eth1 +  10.1.1.100               ether   00:53:00:de:23:aa   CM             eth1 + + +.. opcmd:: show protocols static arp interface eth1 + +   Display all known ARP table entries on a given interface only (`eth1`): + +.. code-block:: none + +  vyos@vyos:~$ show protocols static arp interface eth1 +  Address                  HWtype  HWaddress           Flags Mask     Iface +  10.1.1.1                 ether   00:53:00:de:23:2e   C              eth1 +  10.1.1.100               ether   00:53:00:de:23:aa   CM             eth1 + +.. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol 
diff --git a/docs/configuration/protocols/vrf.rst b/docs/configuration/protocols/vrf.rst new file mode 100644 index 00000000..e7609a77 --- /dev/null +++ b/docs/configuration/protocols/vrf.rst @@ -0,0 +1,3 @@ +############# +Protocols VRF +############# diff --git a/docs/services/udp-broadcast-relay.rst b/docs/configuration/service/broadcast-relay.rst index df48bfd6..df48bfd6 100644 --- a/docs/services/udp-broadcast-relay.rst +++ b/docs/configuration/service/broadcast-relay.rst diff --git a/docs/services/conntrack.rst b/docs/configuration/service/conntrack-sync.rst index 55cd088e..55cd088e 100644 --- a/docs/services/conntrack.rst +++ b/docs/configuration/service/conntrack-sync.rst diff --git a/docs/services/console-server.rst b/docs/configuration/service/console-server.rst index cf222544..cf222544 100644 --- a/docs/services/console-server.rst +++ b/docs/configuration/service/console-server.rst diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst new file mode 100644 index 00000000..445519b3 --- /dev/null +++ b/docs/configuration/service/dhcp-relay.rst @@ -0,0 +1,2 @@ +dhcp-relay +##########
\ No newline at end of file diff --git a/docs/services/dhcp.rst b/docs/configuration/service/dhcp-server.rst index 56316793..56316793 100644 --- a/docs/services/dhcp.rst +++ b/docs/configuration/service/dhcp-server.rst diff --git a/docs/configuration/service/dhcpv6-relay.rst b/docs/configuration/service/dhcpv6-relay.rst new file mode 100644 index 00000000..2d105fdf --- /dev/null +++ b/docs/configuration/service/dhcpv6-relay.rst @@ -0,0 +1,2 @@ +dhcpv6-relay +############
\ No newline at end of file diff --git a/docs/configuration/service/dhcpv6-server.rst b/docs/configuration/service/dhcpv6-server.rst new file mode 100644 index 00000000..64e523a0 --- /dev/null +++ b/docs/configuration/service/dhcpv6-server.rst @@ -0,0 +1,2 @@ +dhcpv6-server +#############
\ No newline at end of file diff --git a/docs/services/dns-forwarding.rst b/docs/configuration/service/dns.rst index 5c154fdf..f332c55c 100644 --- a/docs/services/dns-forwarding.rst +++ b/docs/configuration/service/dns.rst 
@@ -145,3 +145,169 @@ Operation  .. opcmd:: restart dns forwarding     Restarts the DNS recursor process. This also invalidates the local DNS forwarding cache. + + +.. _dynamic-dns: + +########### +Dynamic DNS +########### + +VyOS is able to update a remote DNS record when an interface gets a new IP +address. In order to do so, VyOS includes ddclient_, a Perl script written for +this only one purpose. + +ddclient_ uses two methods to update a DNS record. The first one will send +updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second +one involves a third party service, like DynDNS.com or any other similar +website. This method uses HTTP requests to transmit the new IP address. You +can configure both in VyOS. + +Configuration +============= + +:rfc:`2136` Based +----------------- + +.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> + +   Create new :rfc:`2136` DNS update configuration which will update the IP +   address assigned to `<interface>` on the service you configured under +   `<service-name>`. + +.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> key <keyfile> + +   File identified by `<keyfile>` containing the secret RNDC key shared with +   remote DNS server. + +.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> server <server> + +   Configure the DNS `<server>` IP/FQDN used when updating this dynamic +   assignment. + +.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> zone <zone> + +   Configure DNS `<zone>` to be updated. + +.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> record <record> + +   Configure DNS `<record>` which should be updated. This can be set multiple +   times. + +.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> ttl <ttl> + +   Configure optional TTL value on the given resource record. This defualts to +   600 seconds. 
+ +Example +^^^^^^^ + +* Register DNS record ``example.vyos.io`` on DNS server ``ns1.vyos.io`` +* Use auth key file at ``/config/auth/my.key`` +* Set TTL to 300 seconds + +.. code-block:: none + +  vyos@vyos# show service dns dynamic +   interface eth0.7 { +       rfc2136 VyOS-DNS { +           key /config/auth/my.key +           record example.vyos.io +           server ns1.vyos.io +           ttl 300 +           zone vyos.io +       } +   } + +This will render the following ddclient_ configuration entry: + +.. code-block:: none + +  # +  # ddclient configuration for interface "eth0.7": +  # +  use=if, if=eth0.7 + +  # RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io +  server=ns1.vyos.io +  protocol=nsupdate +  password=/config/auth/my.key +  ttl=300 +  zone=vyos.io +  example.vyos.io + +.. note:: You can also keep different DNS zone updated. Just create a new +   config node: ``set service dns dynamic interface <interface> rfc2136 +   <other-service-name>`` + +HTTP based services +------------------- + +VyOS is also able to use any service relying on protocols supported by ddclient. + +To use such a service, one must define a login, password, one or multiple +hostnames, protocol and server. + +.. cfgcmd:: set service dns dynamic interface <interface> service <service> host-name <hostname> + +   Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS +   provider identified by `<service>` when the IP address on interface +   `<interface>` changes. + +.. cfgcmd:: set service dns dynamic interface <interface> service <service> login <username> + +   Configure `<username>` used when authenticating the update request for +   DynDNS service identified by `<service>`. +   For Namecheap, set the <domain> you wish to update. + +.. cfgcmd:: set service dns dynamic interface <interface> service <service> password <password> + +   Configure `<password>` used when authenticating the update request for +   DynDNS service identified by `<service>`. 
+ +.. cfgcmd:: set service dns dynamic interface <interface> service <service> protocol <protocol> + +   When a ``custom`` DynDNS provider is used the protocol used for communicating +   to the provider must be specified under `<protocol>`. See the embedded +   completion helper for available protocols. + +.. cfgcmd:: set service dns dynamic interface <interface> service <service> server <server> + +   When a ``custom`` DynDNS provider is used the `<server>` where update +   requests are being sent to must be specified. + +Example: +^^^^^^^^ + +Use DynDNS as your preferred provider: + +.. code-block:: none + +  set service dns dynamic interface eth0 service dyndns +  set service dns dynamic interface eth0 service dyndns login my-login +  set service dns dynamic interface eth0 service dyndns password my-password +  set service dns dynamic interface eth0 service dyndns host-name my-dyndns-hostname + +.. note:: Multiple services can be used per interface. Just specify as many +   serives per interface as you like! + +Running Behind NAT +------------------ + +By default, ddclient_ will update a dynamic dns record using the IP address +directly attached to the interface. If your VyOS instance is behind NAT, your +record will be updated to point to your internal IP. + +ddclient_ has another way to determine the WAN IP address. This is controlled +by: + +.. cfgcmd:: set service dns dynamic interface <interface> use-web url <url> + +   Use configured `<url>` to determine your IP address. ddclient_ will load +   `<url>` and tries to extract your IP address from the response. + +.. cfgcmd:: set service dns dynamic interface <interface> use-web skip <pattern> + +   ddclient_ will skip any address located before the string set in `<pattern>`. + +.. _ddclient: https://github.com/ddclient/ddclient diff --git a/docs/automation/http-api.rst b/docs/configuration/service/https.rst index 49f2dbd9..49f2dbd9 100644 --- a/docs/automation/http-api.rst 
+++ b/docs/configuration/service/https.rst diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst new file mode 100644 index 00000000..0ef2bbd3 --- /dev/null +++ b/docs/configuration/service/index.rst @@ -0,0 +1,29 @@ +####### +Service +####### + + +.. toctree:: +   :maxdepth: 1 +   :includehidden: + +   broadcast-relay +   conntrack-sync +   console-server +   dhcp-relay +   dhcp-server +   dhcpv6-relay +   dhcpv6-server +   dns +   https +   ipoe-server +   lldp +   mdns +   pppoe-advert +   pppoe-server +   router-advert +   salt-minion +   snmp +   ssh +   tftp-server +   webproxy diff --git a/docs/services/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index 279f0c6d..279f0c6d 100644 --- a/docs/services/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst diff --git a/docs/services/lldp.rst b/docs/configuration/service/lldp.rst index 4b1743e6..4b1743e6 100644 --- a/docs/services/lldp.rst +++ b/docs/configuration/service/lldp.rst diff --git a/docs/services/mdns-repeater.rst b/docs/configuration/service/mdns.rst index 9d6a292a..9d6a292a 100644 --- a/docs/services/mdns-repeater.rst +++ b/docs/configuration/service/mdns.rst diff --git a/docs/configuration/service/pppoe-advert.rst b/docs/configuration/service/pppoe-advert.rst new file mode 100644 index 00000000..bbb82202 --- /dev/null +++ b/docs/configuration/service/pppoe-advert.rst @@ -0,0 +1,2 @@ +pppoe-advert +############
\ No newline at end of file diff --git a/docs/services/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index 4deb6c7e..4deb6c7e 100644 --- a/docs/services/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst diff --git a/docs/services/router-advert.rst b/docs/configuration/service/router-advert.rst index bc92f315..bc92f315 100644 --- a/docs/services/router-advert.rst +++ b/docs/configuration/service/router-advert.rst diff --git a/docs/configuration/service/salt-minion.rst b/docs/configuration/service/salt-minion.rst new file mode 100644 index 00000000..63df57a4 --- /dev/null +++ b/docs/configuration/service/salt-minion.rst @@ -0,0 +1,2 @@ +salt-minion +###########
\ No newline at end of file diff --git a/docs/services/snmp.rst b/docs/configuration/service/snmp.rst index 3f445ea8..3f445ea8 100644 --- a/docs/services/snmp.rst +++ b/docs/configuration/service/snmp.rst diff --git a/docs/services/ssh.rst b/docs/configuration/service/ssh.rst index 6da8560f..6da8560f 100644 --- a/docs/services/ssh.rst +++ b/docs/configuration/service/ssh.rst diff --git a/docs/services/tftp.rst b/docs/configuration/service/tftp-server.rst index 276ce5fb..276ce5fb 100644 --- a/docs/services/tftp.rst +++ b/docs/configuration/service/tftp-server.rst diff --git a/docs/services/webproxy.rst b/docs/configuration/service/webproxy.rst index 654e73f2..654e73f2 100644 --- a/docs/services/webproxy.rst +++ b/docs/configuration/service/webproxy.rst diff --git a/docs/operation/index.rst b/docs/operation/index.rst new file mode 100644 index 00000000..b40f769d --- /dev/null +++ b/docs/operation/index.rst @@ -0,0 +1,10 @@ +############## +Operation Mode +############## + +.. toctree:: +   :maxdepth: 1 +   :includehidden: + +   information +   ip-command
\ No newline at end of file diff --git a/docs/routing/ip-commands.rst b/docs/operation/ip-commands.rst index eba4fd90..eba4fd90 100644 --- a/docs/routing/ip-commands.rst +++ b/docs/operation/ip-commands.rst diff --git a/docs/routing/arp.rst b/docs/routing/arp.rst deleted file mode 100644 index 5f3115ab..00000000 --- a/docs/routing/arp.rst +++ /dev/null 
@@ -1,59 +0,0 @@ -.. _routing-arp: - -### -ARP -### - -:abbr:`ARP (Address Resolution Protocol)` is a communication protocol used for -discovering the link layer address, such as a MAC address, associated with a -given internet layer address, typically an IPv4 address. This mapping is a -critical function in the Internet protocol suite. ARP was defined in 1982 by -:rfc:`826` which is Internet Standard STD 37. - -In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is -provided by the Neighbor Discovery Protocol (NDP). - -To manipulate or display ARP_ table entries, the following commands are -implemented. - -Configure -========= - -.. cfgcmd:: set protocols static arp <address> hwaddr <mac> - -   This will configure a static ARP entry always resolving `<address>` to -   `<mac>`. - -   Example: - -   .. code-block:: none - -     set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa - -Operation -========= - -.. opcmd:: show protocols static arp - -   Display all known ARP table entries spanning across all interfaces - -.. code-block:: none - -  vyos@vyos:~$ show protocols static arp -  Address                  HWtype  HWaddress           Flags Mask     Iface -  10.1.1.1                 ether   00:53:00:de:23:2e   C              eth1 -  10.1.1.100               ether   00:53:00:de:23:aa   CM             eth1 - - -.. opcmd:: show protocols static arp interface eth1 - -   Display all known ARP table entries on a given interface only (`eth1`): - -.. code-block:: none - -  vyos@vyos:~$ show protocols static arp interface eth1 -  Address                  HWtype  HWaddress           Flags Mask     Iface -  10.1.1.1                 ether   00:53:00:de:23:2e   C              eth1 -  10.1.1.100               ether   00:53:00:de:23:aa   CM             eth1 - -.. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol diff --git a/docs/routing/index.rst b/docs/routing/index.rst deleted file mode 100644 index 63d7c7d8..00000000 
--- a/docs/routing/index.rst +++ /dev/null @@ -1,22 +0,0 @@ -.. _routing: - -####### -Routing -####### - -.. toctree:: -   :maxdepth: 1 - -   arp -   bfd -   bgp -   mpls -   mss-clamp -   multicast -   ip-commands -   ospf -   pbr -   rip -   policy -   rpki -   static diff --git a/docs/routing/mss-clamp.rst b/docs/routing/mss-clamp.rst deleted file mode 100644 index 3fdd1153..00000000 --- a/docs/routing/mss-clamp.rst +++ /dev/null 
@@ -1,63 +0,0 @@ -.. _routing-mss-clamp: - -################ -TCP-MSS Clamping -################ - -As Internet wide PMTU discovery rarely works, we sometimes need to clamp -our TCP MSS value to a specific value. This is a field in the TCP -Options part of a SYN packet. By setting the MSS value, you are telling -the remote side unequivocally 'do not try to send me packets bigger than -this value'. - -Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS -value for IPv4 and IPv6. - - -.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting -   in 1452 bytes on a 1492 byte MTU. - - -IPv4 -==== - -.. cfgcmd:: set firewall options interface <interface> adjust-mss <number-of-bytes> - -   Use this command to set the maximum segment size for IPv4 transit -   packets on a specific interface (500-1460 bytes). - -Example -------- - -Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and -`1372` -for your WireGuard `wg02` tunnel. - -.. code-block:: none - -  set firewall options interface pppoe0 adjust-mss '1452' -  set firewall options interface wg02 adjust-mss '1372' - -IPv6 -==== - -.. cfgcmd:: set firewall options interface <interface> adjust-mss6 <number-of-bytes> - -   Use this command to set the maximum segment size for IPv6 transit -   packets on a specific interface (1280-1492 bytes). - -Example -------- - -Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and -`wg02` interface. - -.. code-block:: none - -  set firewall options interface pppoe0 adjust-mss6 '1280' -  set firewall options interface wg02 adjust-mss6 '1280' - - - -.. hint:: When doing your byte calculations, you might find useful this -   `Visual packet size calculator <https://baturin.org/tools/encapcalc/>`_. diff --git a/docs/services/dynamic-dns.rst b/docs/services/dynamic-dns.rst deleted file mode 100644 index 3d802d29..00000000 --- a/docs/services/dynamic-dns.rst +++ /dev/null 
@@ -1,164 +0,0 @@ -.. _dynamic-dns: - -########### -Dynamic DNS -########### - -VyOS is able to update a remote DNS record when an interface gets a new IP -address. In order to do so, VyOS includes ddclient_, a Perl script written for -this only one purpose. - -ddclient_ uses two methods to update a DNS record. The first one will send -updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second -one involves a third party service, like DynDNS.com or any other similar -website. This method uses HTTP requests to transmit the new IP address. You -can configure both in VyOS. - -Configuration -============= - -:rfc:`2136` Based ------------------ - -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> - -   Create new :rfc:`2136` DNS update configuration which will update the IP -   address assigned to `<interface>` on the service you configured under -   `<service-name>`. - -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> key <keyfile> - -   File identified by `<keyfile>` containing the secret RNDC key shared with -   remote DNS server. - -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> server <server> - -   Configure the DNS `<server>` IP/FQDN used when updating this dynamic -   assignment. - -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> zone <zone> - -   Configure DNS `<zone>` to be updated. - -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> record <record> - -   Configure DNS `<record>` which should be updated. This can be set multiple -   times. - -.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> ttl <ttl> - -   Configure optional TTL value on the given resource record. This defualts to -   600 seconds. 
- -Example -^^^^^^^ - -* Register DNS record ``example.vyos.io`` on DNS server ``ns1.vyos.io`` -* Use auth key file at ``/config/auth/my.key`` -* Set TTL to 300 seconds - -.. code-block:: none - -  vyos@vyos# show service dns dynamic -   interface eth0.7 { -       rfc2136 VyOS-DNS { -           key /config/auth/my.key -           record example.vyos.io -           server ns1.vyos.io -           ttl 300 -           zone vyos.io -       } -   } - -This will render the following ddclient_ configuration entry: - -.. code-block:: none - -  # -  # ddclient configuration for interface "eth0.7": -  # -  use=if, if=eth0.7 - -  # RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io -  server=ns1.vyos.io -  protocol=nsupdate -  password=/config/auth/my.key -  ttl=300 -  zone=vyos.io -  example.vyos.io - -.. note:: You can also keep different DNS zone updated. Just create a new -   config node: ``set service dns dynamic interface <interface> rfc2136 -   <other-service-name>`` - -HTTP based services -------------------- - -VyOS is also able to use any service relying on protocols supported by ddclient. - -To use such a service, one must define a login, password, one or multiple -hostnames, protocol and server. - -.. cfgcmd:: set service dns dynamic interface <interface> service <service> host-name <hostname> - -   Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS -   provider identified by `<service>` when the IP address on interface -   `<interface>` changes. - -.. cfgcmd:: set service dns dynamic interface <interface> service <service> login <username> - -   Configure `<username>` used when authenticating the update request for -   DynDNS service identified by `<service>`. -   For Namecheap, set the <domain> you wish to update. - -.. cfgcmd:: set service dns dynamic interface <interface> service <service> password <password> - -   Configure `<password>` used when authenticating the update request for -   DynDNS service identified by `<service>`. 
- -.. cfgcmd:: set service dns dynamic interface <interface> service <service> protocol <protocol> - -   When a ``custom`` DynDNS provider is used the protocol used for communicating -   to the provider must be specified under `<protocol>`. See the embedded -   completion helper for available protocols. - -.. cfgcmd:: set service dns dynamic interface <interface> service <service> server <server> - -   When a ``custom`` DynDNS provider is used the `<server>` where update -   requests are being sent to must be specified. - -Example: -^^^^^^^^ - -Use DynDNS as your preferred provider: - -.. code-block:: none - -  set service dns dynamic interface eth0 service dyndns -  set service dns dynamic interface eth0 service dyndns login my-login -  set service dns dynamic interface eth0 service dyndns password my-password -  set service dns dynamic interface eth0 service dyndns host-name my-dyndns-hostname - -.. note:: Multiple services can be used per interface. Just specify as many -   serives per interface as you like! - -Running Behind NAT ------------------- - -By default, ddclient_ will update a dynamic dns record using the IP address -directly attached to the interface. If your VyOS instance is behind NAT, your -record will be updated to point to your internal IP. - -ddclient_ has another way to determine the WAN IP address. This is controlled -by: - -.. cfgcmd:: set service dns dynamic interface <interface> use-web url <url> - -   Use configured `<url>` to determine your IP address. ddclient_ will load -   `<url>` and tries to extract your IP address from the response. - -.. cfgcmd:: set service dns dynamic interface <interface> use-web skip <pattern> - -   ddclient_ will skip any address located before the string set in `<pattern>`. - -.. _ddclient: https://github.com/ddclient/ddclient diff --git a/docs/services/index.rst b/docs/services/index.rst deleted file mode 100644 index 76520b52..00000000 --- a/docs/services/index.rst +++ /dev/null 
@@ -1,26 +0,0 @@ -.. _services: - -######## -Services -######## - -This chapter describes the available system/network services provided by VyOS. - -.. toctree:: -   :maxdepth: 1 - -   conntrack -   console-server -   dhcp -   dns-forwarding -   dynamic-dns -   lldp -   mdns-repeater -   ipoe-server -   pppoe-server -   udp-broadcast-relay -   router-advert -   snmp -   ssh -   tftp -   webproxy | 
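Review bot: the formula in the `.. note::` of the new TCP-MSS Clamping section in docs/configuration/firewall/index.rst (`MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU`) only holds for IPv4, yet the same section documents `adjust-mss6`; an IPv6 header is 40 bytes, so the IPv6 derivation is MTU - 40 - 20, i.e. 1432 bytes on a 1492-byte MTU. Suggest giving both formulas (or moving the note under the IPv4 heading and adding an IPv6 counterpart) so that nobody carries the 1452 figure over to `adjust-mss6`. Minor: `Clamp outgoing MSS value in a TCP SYN packet to \`1452\` for \`pppoe0\` and` / `\`1372\`` / `for your WireGuard \`wg02\` tunnel.` is broken across three lines mid-sentence; reflow it while the text is being moved.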
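Review bot: docs/configuration/protocols/igmp-proxy.rst is added as a two-line stub (title only, `\ No newline at end of file`) and is at the same time listed in the new protocols toctree, so it renders as an empty page; the same holds for the pim.rst, ripng.rst, vrf.rst, dhcp-relay.rst, dhcpv6-relay.rst, dhcpv6-server.rst, pppoe-advert.rst and salt-minion.rst stubs in this commit. Suggest either adding `.. include:: /_include/need_improvement.txt` (as the new ospf.rst does) plus a trailing newline to each stub, or leaving the entries out of the toctrees until there is content. The stub titles are also inconsistent: `igmp-proxy` and `PIM` have an underline only, while `RIPng` and `Protocols VRF` have overline and underline.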
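Review bot: the toctree in the new docs/operation/index.rst lists `ip-command`, but the file moved in this commit is docs/operation/ip-commands.rst (`diff --git a/docs/routing/ip-commands.rst b/docs/operation/ip-commands.rst`, identical blob ids, so a pure rename); Sphinx will warn about a nonexisting document and the page will be missing from the Operation Mode chapter. Change the entry to `ip-commands`. The `information` entry has no corresponding file anywhere in this diff; please confirm it exists. The file is also missing its trailing newline.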
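Review bot: the deleted docs/routing/index.rst toctree carried `pbr` and `policy` entries that do not reappear in the new docs/configuration/protocols/index.rst toctree (which adds `igmp-proxy`, `ospfv3`, `pim`, `ripng` and `vrf` instead); unless those two documents are re-homed outside the `docs` part of the diffstat, they become orphans and Sphinx reports them as not included in any toctree. The `.. _routing:` label that lived in the deleted file is likewise dropped without a replacement in protocols/index.rst, so any `:ref:` to it elsewhere in the tree breaks; suggest adding a label to the new index.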
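Review bot: after the OSPFv2 half is stripped out, docs/configuration/protocols/ospfv3.rst keeps neither the `.. include:: /_include/need_improvement.txt` line nor any `.. _...:` label (both were in the `-` lines of this hunk and only the new ospf.rst gets them back, as `.. _routing-ospf:`), so nothing can `:ref:` the OSPFv3 page. Suggest adding a label above the `OSPFv3 (IPv6)` heading (`.. _routing-ospfv3:` is a suggested name, not an existing one) and re-adding the include if the page is still considered incomplete.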
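Review bot: the two-node example in the new docs/configuration/protocols/ospf.rst exchanges routes and originates a default route (`default-information originate always`) without any OSPF authentication configured, and the text does not say so; a short remark that the example is unauthenticated, or a pointer to where authentication is documented, would stop readers from copying it verbatim onto a segment they do not control. Style: `Below you can see a typical configuration using 2 nodes, redistribute loopback address and the node 1 sending the default route:` reads better as `Below is a typical configuration using two nodes, redistributing the loopback address, with node 1 sending the default route:`.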
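Review bot: the ARP section appended to docs/configuration/protocols/static.rst keeps the `###` overline/underline title it had as the standalone docs/routing/arp.rst; if static.rst's own title uses the same `#` style (not visible in this hunk), ARP becomes a second top-level section in the file and appears as a separate entry in the toctree. Suggest demoting it to the `=====` level and its `Configure`/`Operation` subsections one level further. Minor: `Display all known ARP table entries spanning across all interfaces` has no terminating punctuation while the sibling opcmd description ends with a colon.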
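Review bot: typos carried over in the Dynamic DNS section moved into docs/configuration/service/dns.rst: `This defualts to 600 seconds` (defaults), `as many serives per interface` (services), `keep different DNS zone updated` (zones), and the `Example:` heading has a trailing colon unlike the other `Example` headings. More substantive: the rendered ddclient entry in the example reads `# RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io`, i.e. `record example.vyos.io` and `zone vyos.io` appear concatenated; either the example should use the relative name `record example` or the comment the renderer emits is misleading, and the doc should say which, since a reader copying the example may end up updating the wrong name. The `key <keyfile>` description calls the file a `secret RNDC key`; with `protocol=nsupdate` that file is handed to nsupdate, which expects a TSIG key (rndc key files merely share the format), so `TSIG key` is the accurate term. It is also worth stating next to `password <password>` that, as the example `set service dns dynamic interface eth0 service dyndns password my-password` shows, the provider credential is stored as a plain configuration value.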
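Review bot: the deleted docs/services/index.rst carried the `.. _services:` label and the intro sentence `This chapter describes the available system/network services provided by VyOS.`; the replacement docs/configuration/service/index.rst has neither, so any `:ref:` to `services` breaks and the chapter loses its one-line description. Suggest adding a label and the intro to the new index.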
