diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/_locale/de/configuration.pot | 4 | ||||
| -rw-r--r-- | docs/_locale/es/configuration.pot | 2 | ||||
| -rw-r--r-- | docs/_locale/ja/configuration.pot | 4 | ||||
| -rw-r--r-- | docs/_locale/pt/configuration.pot | 4 | ||||
| -rw-r--r-- | docs/_locale/uk/configuration.pot | 4 | ||||
| -rw-r--r-- | docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png | bin | 0 -> 349078 bytes | |||
| -rw-r--r-- | docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf | 5 | ||||
| -rw-r--r-- | docs/configuration/loadbalancing/reverse-proxy.rst | 2 | ||||
| -rw-r--r-- | docs/configuration/nat/nat66.rst | 97 | ||||
| -rw-r--r-- | docs/configuration/pki/index.rst | 44 | ||||
| -rw-r--r-- | docs/configuration/service/dhcp-server.rst | 148 | ||||
| -rw-r--r-- | docs/configuration/service/https.rst | 78 | ||||
| -rw-r--r-- | docs/installation/install.rst | 9 | ||||
| -rw-r--r-- | docs/quick-start.rst | 7 |
14 files changed, 228 insertions, 180 deletions
diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot index 6641dd72..df607936 100644 --- a/docs/_locale/de/configuration.pot +++ b/docs/_locale/de/configuration.pot @@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" -msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" +msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" #: ../../configuration/vpn/ipsec.rst:125 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" diff --git a/docs/_locale/es/configuration.pot b/docs/_locale/es/configuration.pot index 88324a87..0f90f6ac 100644 --- a/docs/_locale/es/configuration.pot +++ b/docs/_locale/es/configuration.pot @@ -19468,7 +19468,7 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: un perfil de servidor centrado en reducir la latencia de la red. Este perfil favorece el rendimiento sobre el ahorro de energía configurando ``intel_pstate`` y ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" msgstr "``least-connection`` Distribuye las solicitudes al servidor con la menor cantidad de conexiones activas" #: ../../configuration/vpn/ipsec.rst:125 diff --git a/docs/_locale/ja/configuration.pot b/docs/_locale/ja/configuration.pot index b76eeeb0..7a5f67f1 100644 --- a/docs/_locale/ja/configuration.pot +++ b/docs/_locale/ja/configuration.pot @@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" -msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" +msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" #: ../../configuration/vpn/ipsec.rst:125 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" diff --git a/docs/_locale/pt/configuration.pot b/docs/_locale/pt/configuration.pot index dbe8970c..8b7aff49 100644 --- a/docs/_locale/pt/configuration.pot +++ b/docs/_locale/pt/configuration.pot @@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" -msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" +msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" #: ../../configuration/vpn/ipsec.rst:125 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" diff --git a/docs/_locale/uk/configuration.pot b/docs/_locale/uk/configuration.pot index a3a1a512..1a912c61 100644 --- a/docs/_locale/uk/configuration.pot +++ b/docs/_locale/uk/configuration.pot @@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" -msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" +msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" #: ../../configuration/vpn/ipsec.rst:125 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" diff --git a/docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png b/docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png Binary files differnew file mode 100644 index 00000000..297fdd11 --- /dev/null +++ b/docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png diff --git a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf index 9c4b612a..20c8dd10 100644 --- a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf +++ b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf @@ -8,6 +8,7 @@ set protocols static route 10.0.10.0/24 next-hop 10.0.20.254 set protocols static route 192.168.0.0/24 next-hop 127.16.0.2 set service dhcp-server listen-address '172.16.0.1' set service dhcp-server shared-network-name DHCPTun100 authoritative -set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 default-router '192.168.0.254' +set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 option default-router '192.168.0.254' set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 start '192.168.0.30' -set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30'
\ No newline at end of file +set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30' +set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 subnet-id '1'
\ No newline at end of file diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst index 04b612f5..19ef3773 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -105,7 +105,7 @@ Backend of the client * ``round-robin`` Distributes requests in a circular manner, sequentially sending each request to the next server in line - * ``least-connection`` Distributes requests tp tje server wotj the fewest + * ``least-connection`` Distributes requests to the server with the fewest active connections .. cfgcmd:: set load-balancing reverse-proxy backend <name> mode diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 66cceb0a..9345e708 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -137,3 +137,100 @@ R2: set interfaces bridge br1 member interface eth1 set protocols static route6 ::/0 next-hop fc01::1 set service router-advert interface br1 prefix ::/0 + + +Use the following topology to translate internal user local addresses (``fc::/7``) +to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair. + +.. figure:: /_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png + :alt: VyOS NAT66 DHCPv6 using a dummy interface + +Configure both routers (a and b) for DHCPv6-PD via dummy interface: + +.. code-block:: none + + set interfaces dummy dum1 description 'DHCPv6-PD NPT dummy' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 0 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 1 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 2 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 3 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options rapid-commit + commit + +Get the DHCPv6-PD prefixes from both routers: + +.. code-block:: none + + trae@cr01a-vyos# run show interfaces dummy dum1 br + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + dum1 2001:db8:123:b008::/64 u/u DHCPv6-PD NPT dummy + 2001:db8:123:b00a::/64 + 2001:db8:123:b00b::/64 + 2001:db8:123:b009::/64 + + trae@cr01b-vyos# run show int dummy dum1 brief + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + dum1 2001:db8:123:b00d::/64 u/u DHCPv6-PD NPT dummy + 2001:db8:123:b00c::/64 + 2001:db8:123:b00e::/64 + 2001:db8:123:b00f::/64 + +Configure the A-side router for NPTv6 using the prefixes above: + +.. code-block:: none + + set nat66 source rule 10 description 'NPT to VLAN 10' + set nat66 source rule 10 outbound-interface name 'bond0.20' + set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' + set nat66 source rule 10 translation address '2001:db8:123:b008::/64' + set nat66 source rule 20 description 'NPT to VLAN 70' + set nat66 source rule 20 outbound-interface name 'bond0.20' + set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' + set nat66 source rule 20 translation address '2001:db8:123:b009::/64' + set nat66 source rule 30 description 'NPT to VLAN 200' + set nat66 source rule 30 outbound-interface name 'bond0.20' + set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' + set nat66 source rule 30 translation address '2001:db8:123:b00a::/64' + set nat66 source rule 40 description 'NPT to VLAN 240' + set nat66 source rule 40 outbound-interface name 'bond0.20' + set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' + set nat66 source rule 40 translation address '2001:db8:123:b00b::/64' + commit + +Configure the B-side router for NPTv6 using the prefixes above: + +.. code-block:: none + + set nat66 source rule 10 description 'NPT to VLAN 10' + set nat66 source rule 10 outbound-interface name 'bond0.20' + set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' + set nat66 source rule 10 translation address '2001:db8:123:b00c::/64' + set nat66 source rule 20 description 'NPT to VLAN 70' + set nat66 source rule 20 outbound-interface name 'bond0.20' + set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' + set nat66 source rule 20 translation address '2001:db8:123:b00d::/64' + set nat66 source rule 30 description 'NPT to VLAN 200' + set nat66 source rule 30 outbound-interface name 'bond0.20' + set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' + set nat66 source rule 30 translation address '2001:db8:123:b00e::/64' + set nat66 source rule 40 description 'NPT to VLAN 240' + set nat66 source rule 40 outbound-interface name 'bond0.20' + set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' + set nat66 source rule 40 translation address '2001:db8:123:b00f::/64' + commit + +Verify that connections are hitting the rule on both sides: + +.. code-block:: none + + trae@cr01a-vyos# run show nat66 source statistics + Rule Packets Bytes Interface + ------ --------- ------- ----------- + 10 1 104 bond0.20 + 20 1 104 bond0.20 + 30 8093 669445 bond0.20 + 40 2446 216912 bond0.20 diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index 66ad84a3..1fea13ac 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-09-01 +:lastproofread: 2024-01-05 .. include:: /_include/need_improvement.txt @@ -248,6 +248,44 @@ certificates used by services on this router. If CA is present, this certificate will be included in generated CRLs +ACME +^^^^ + +The VyOS PKI subsystem can also be used to automatically retrieve Certificates +using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol. + +.. cfgcmd:: set pki certificate <name> acme domain-name <name> + + Domain names to apply, multiple domain-names can be specified. + + This is a mandatory option + +.. cfgcmd:: set pki certificate <name> acme email <address> + + Email used for registration and recovery contact. + + This is a mandatory option + +.. cfgcmd:: set pki certificate <name> acme listen-address <address> + + The address the server listens to during http-01 challenge + +.. cfgcmd:: set pki certificate <name> acme rsa-key-size <2048 | 3072 | 4096> + + Size of the RSA key. + + This options defaults to 2048 + +.. cfgcmd:: set pki certificate <name> acme url <url> + + ACME Directory Resource URI. + + This defaults to https://acme-v02.api.letsencrypt.org/directory + + .. note:: During initial deployment we recommend using the staging API + of LetsEncrypt to prevent and blacklisting of your system. The API + endpoint is https://acme-staging-v02.api.letsencrypt.org/directory + Operation ========= @@ -292,3 +330,7 @@ also to display them. .. opcmd:: show pki crl Show a list of installed :abbr:`CRLs (Certificate Revocation List)`. + +.. opcmd:: renew certbot + + Manually trigger certificate renewal. This will be done twice a day. diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 0cc10feb..c51a0aff 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -4,7 +4,7 @@ DHCP Server ########### -VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment. +VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment. *********** IPv4 server @@ -26,12 +26,7 @@ Configuration Create DNS record per client lease, by adding clients to /etc/hosts file. Entry will have format: `<shared-network-name>_<hostname>.<domain-name>` -.. cfgcmd:: set service dhcp-server host-decl-name - - Will drop `<shared-network-name>_` from client DNS record, using only the - host declaration name and domain: `<hostname>.<domain-name>` - -.. cfgcmd:: set service dhcp-server shared-network-name <name> domain-name <domain-name> +.. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-name <domain-name> The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP @@ -40,7 +35,7 @@ Configuration This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name <name> domain-search <domain-name> +.. cfgcmd:: set service dhcp-server shared-network-name <name> option domain-search <domain-name> The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times @@ -49,7 +44,7 @@ Configuration This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name <name> name-server <address> +.. cfgcmd:: set service dhcp-server shared-network-name <name> option name-server <address> Inform client that the DNS server can be found at `<address>`. @@ -58,21 +53,6 @@ Configuration Multiple DNS servers can be defined. -.. cfgcmd:: set service dhcp-server shared-network-name <name> ping-check - - When the DHCP server is considering dynamically allocating an IP address to a - client, it first sends an ICMP Echo request (a ping) to the address being - assigned. It waits for a second, and if no ICMP Echo response has been heard, - it assigns the address. - - If a response is heard, the lease is abandoned, and the server does not - respond to the client. The lease will remain abandoned for a minimum of - abandon-lease-time seconds (defaults to 24 hours). - - If there are no free addresses but there are abandoned IP addresses, the - DHCP server will attempt to reclaim an abandoned IP address regardless of the - value of abandon-lease-time. - .. cfgcmd:: set service dhcp-server listen-address <address> This configuration parameter lets the DHCP server to listen for DHCP @@ -91,14 +71,20 @@ Individual Client Subnet network. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - default-router <address> + subnet-id <id> + + This configuration parameter is required and must be unique to each subnet. + It is required to map subnets to lease file entries. + +.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> + option default-router <address> This is a configuration parameter for the `<subnet>`, saying that as part of the response, tell the client that the default gateway can be reached at `<address>`. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - name-server <address> + option name-server <address> This is a configuration parameter for the subnet, saying that as part of the response, tell the client that the DNS server can be found at `<address>`. @@ -133,40 +119,19 @@ Individual Client Subnet This option can be specified multiple times. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - domain-name <domain-name> + option domain-name <domain-name> The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP Option 015). .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - domain-search <domain-name> + option domain-search <domain-name> The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119). -.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - ping-check - - When the DHCP server is considering dynamically allocating an IP address to a - client, it first sends an ICMP Echo request (a ping) to the address being - assigned. It waits for a second, and if no ICMP Echo response has been heard, - it assigns the address. - - If a response is heard, the lease is abandoned, and the server does not - respond to the client. The lease will remain abandoned for a minimum of - abandon-lease-time seconds (defaults to 24 hours). - - If a there are no free addresses but there are abandoned IP addresses, the - DHCP server will attempt to reclaim an abandoned IP address regardless of the - value of abandon-lease-time. - -.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> - enable-failover - - Enable DHCP failover configuration for this address pool. - Failover -------- @@ -238,6 +203,7 @@ inside the subnet definition but can be outside of the range statement. .. code-block:: none + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 @@ -251,6 +217,7 @@ The configuration will look as follows: ip-address 192.168.1.100 mac-address aa:bb:11:22:33:00 } + subnet-id 1 } Options @@ -391,32 +358,6 @@ Options Multi: can be specified multiple times. -Raw Parameters -============== - -Raw parameters can be passed to shared-network-name, subnet and static-mapping: - -.. code-block:: none - - set service dhcp-server shared-network-name <name> shared-network-parameters - <text> Additional shared-network parameters for DHCP server. - set service dhcp-server shared-network-name <name> subnet <subnet> subnet-parameters - <text> Additional subnet parameters for DHCP server. - set service dhcp-server shared-network-name <name> subnet <subnet> static-mapping <description> static-mapping-parameters - <text> Additional static-mapping parameters for DHCP server. - Will be placed inside the "host" block of the mapping. - -These parameters are passed as-is to isc-dhcp's dhcpd.conf under the -configuration node they are defined in. They are not validated so an error in -the raw parameters won't be caught by vyos's scripts and will cause dhcpd to -fail to start. Always verify that the parameters are correct before committing -the configuration. Refer to isc-dhcp's dhcpd.conf manual for more information: -https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf - -Quotes can be used inside parameter values by replacing all quote characters -with the string ``"``. They will be replaced with literal quote characters -when generating dhcpd.conf. - Example ======= @@ -439,12 +380,12 @@ Common configuration, valid for both primary and secondary node. .. code-block:: none - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 name-server '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option default-router '192.0.2.254' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option name-server '192.0.2.254' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 enable-failover + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 subnet-id '1' **Primary** @@ -467,47 +408,6 @@ Common configuration, valid for both primary and secondary node. .. _dhcp-server:v4_example_raw: -Raw Parameters --------------- - -* Override static-mapping's name-server with a custom one that will be sent only - to this host. -* An option that takes a quoted string is set by replacing all quote characters - with the string ``"`` inside the static-mapping-parameters value. - The resulting line in dhcpd.conf will be - ``option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";``. - - -.. code-block:: none - - set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;" - set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";" - -Option 43 for UniFI -------------------- - -* These parameters need to be part of the DHCP global options. - They stay unchanged. - - -.. code-block:: none - - set service dhcp-server global-parameters 'option space ubnt;' - set service dhcp-server global-parameters 'option ubnt.unifi-address code 1 = ip-address;' - set service dhcp-server global-parameters 'class "ubnt" {' - set service dhcp-server global-parameters 'match if substring (option vendor-class-identifier, 0, 4) = "ubnt";' - set service dhcp-server global-parameters 'option vendor-class-identifier "ubnt";' - set service dhcp-server global-parameters 'vendor-option-space ubnt;' - set service dhcp-server global-parameters '}' - -* Now we add the option to the scope, adapt to your setup - - -.. code-block:: none - - set service dhcp-server shared-network-name example-scope subnet 10.1.1.0/24 subnet-parameters 'option ubnt.unifi-address 172.16.1.10;' - - Operation Mode ============== @@ -614,6 +514,12 @@ Configuration Clients receiving advertise messages from multiple servers choose the server with the highest preference value. The range for this value is ``0...255``. +.. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet <subnet> + subnet-id <id> + + This configuration parameter is required and must be unique to each subnet. + It is required to map subnets to lease file entries. + .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet <prefix> lease-time {default | maximum | minimum} @@ -690,6 +596,7 @@ server. The following example describes a common scenario. set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199 set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1 The configuration will look as follows: @@ -704,6 +611,7 @@ The configuration will look as follows: } } name-server 2001:db8::ffff + subnet-id 1 } } diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index eb2e30eb..973c5355 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -1,7 +1,7 @@ .. _http-api: ######## -HTTP-API +HTTP API ######## VyOS provide an HTTP API. You can use it to execute op-mode commands, @@ -13,75 +13,71 @@ Please take a look at the :ref:`vyosapi` page for an detailed how-to. Configuration ************* -.. cfgcmd:: set service https api keys id <name> key <apikey> +.. cfgcmd:: set service https allow-client address <address> - Set a named api key. Every key has the same, full permissions - on the system. + Only allow certain IP addresses or prefixes to access the https + webserver. -.. cfgcmd:: set service https api debug +.. cfgcmd:: set service https certificates ca-certificate <name> - To enable debug messages. Available via :opcmd:`show log` or - :opcmd:`monitor log` + Use CA certificate from PKI subsystem -.. cfgcmd:: set service https api strict +.. cfgcmd:: set service https certificates certificate <name> - Enforce strict path checking + Use certificate from PKI subsystem -.. cfgcmd:: set service https virtual-host <vhost> listen-address - <ipv4 or ipv6 address> +.. cfgcmd:: set service https certificates dh-params <name> - Address to listen for HTTPS requests + Use :abbr:`DH (Diffie–Hellman)` parameters from PKI subsystem. + Must be at least 2048 bits in length. -.. cfgcmd:: set service https virtual-host <vhost> port <1-65535> +.. cfgcmd:: set service https listen-address <address> - Port to listen for HTTPS requests; default 443 + Webserver should only listen on specified IP address -.. cfgcmd:: set service https virtual-host <vhost> server-name <text> +.. cfgcmd:: set service https port <number> - Server names for virtual hosts it can be exact, wildcard or regex. + Webserver should listen on specified port. -.. cfgcmd:: set service https api-restrict virtual-host <vhost> + Default: 443 - By default, nginx exposes the local API on all virtual servers. - Use this to restrict nginx to one or more virtual hosts. +.. cfgcmd:: set service https enable-http-redirect -.. cfgcmd:: set service https certificates certbot domain-name <text> + Enable automatic redirect from http to https. - Domain name(s) for which to obtain certificate +.. cfgcmd:: set service https tls-version <1.2 | 1.3> -.. cfgcmd:: set service https certificates certbot email + Select TLS version used. - Email address to associate with certificate + This defaults to both 1.2 and 1.3. -.. cfgcmd:: set service https certificates system-generated-certificate +.. cfgcmd:: set service https vrf <name> - Use an automatically generated self-signed certificate + Start Webserver in given VRF. -.. cfgcmd:: set service https certificates system-generated-certificate - lifetime <days> +API +=== - Lifetime in days; default is 365 +.. cfgcmd:: set service https api keys id <name> key <apikey> + Set a named api key. Every key has the same, full permissions + on the system. -********************* -Example Configuration -********************* +.. cfgcmd:: set service https api debug -Set an API-KEY is the minimal configuration to get a working API Endpoint. + To enable debug messages. Available via :opcmd:`show log` or + :opcmd:`monitor log` -.. code-block:: none +.. cfgcmd:: set service https api strict - set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY + Enforce strict path checking +********************* +Example Configuration +********************* -To use this full configuration we asume a public accessible hostname. +Set an API-KEY is the minimal configuration to get a working API Endpoint. .. code-block:: none set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY - set service https certificates certbot domain-name rtr01.example.com - set service https certificates certbot email mail@example.com - set service https virtual-host rtr01 listen-address 198.51.100.2 - set service https virtual-host rtr01 port 11443 - set service https virtual-host rtr01 server-name rtr01.example.com - set service https api-restrict virtual-host rtr01 diff --git a/docs/installation/install.rst b/docs/installation/install.rst index 2bbce8ee..17bccfbd 100644 --- a/docs/installation/install.rst +++ b/docs/installation/install.rst @@ -458,13 +458,16 @@ In this example we configured an existent VyOS as the DHCP server: vyos@vyos# show service dhcp-server shared-network-name mydhcp { subnet 192.168.1.0/24 { - bootfile-name pxelinux.0 - bootfile-server 192.168.1.50 - default-router 192.168.1.50 + option { + bootfile-name pxelinux.0 + bootfile-server 192.168.1.50 + default-router 192.168.1.50 + } range 0 { start 192.168.1.70 stop 192.168.1.100 } + subnet-id 1 } } diff --git a/docs/quick-start.rst b/docs/quick-start.rst index bbd7ab77..cf930bdd 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -93,12 +93,13 @@ DNS server. .. code-block:: none - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1' - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 name-server '192.168.0.1' - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'vyos.net' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '192.168.0.1' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.9' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1' set service dns forwarding cache-size '0' set service dns forwarding listen-address '192.168.0.1' |
