From 13d99f2ff19e04d81442d7d61f497a7ba365c49c Mon Sep 17 00:00:00 2001 From: Alain Lamar Date: Sun, 2 Jun 2024 16:56:52 +0200 Subject: wireless: T6320: Document 802.11ax settings --- docs/configuration/interfaces/wireless.rst | 74 +++++++++++++++++++++++++++--- 1 file changed, 67 insertions(+), 7 deletions(-) diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index df153763..8039b039 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -42,7 +42,8 @@ Wireless options .. cfgcmd:: set interfaces wireless channel Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from - 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173 + 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173. + On 6GHz (802.11 ax) channels range from 1 to 233. .. cfgcmd:: set interfaces wireless country-code @@ -84,7 +85,14 @@ Wireless options Management Frame Protection (MFP) according to IEEE 802.11w -.. cfgcmd:: set interfaces wireless mode + .. note:: :abbr:`MFP (Management Frame Protection)` is required for WPA3. + +.. cfgcmd:: set interfaces wireless beacon-frame-protection + + + .. note:: This option requires :abbr:`MFP (Management Frame Protection)` to be enabled. + +.. cfgcmd:: set interfaces wireless mode Operation mode of wireless radio. @@ -93,6 +101,9 @@ Wireless options * ``g`` - 802.11g - 54 Mbits/sec (default) * ``n`` - 802.11n - 600 Mbits/sec * ``ac`` - 802.11ac - 1300 Mbits/sec + * ``ax`` - 802.11ax - exceeds 1GBit/sec + + .. note:: In VyOS, 802.11ax is only implemented for 6GHz as of yet. .. cfgcmd:: set interfaces wireless physical-device 
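Review bot: The sentence added in the hunk at @@ -42,7 +42,8 @@ writes `6GHz` while the two existing sentences write `2.4Ghz` and `5Ghz`; use one spelling for all three (`GHz` is the correct unit symbol) so the channel paragraph reads consistently.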
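Review bot: In the hunk at @@ -84,7 +85,14 @@ the new `set interfaces wireless beacon-frame-protection` directive carries no description, only a note about its MFP dependency, whereas every other cfgcmd in this file states what the option does (compare `Management Frame Protection (MFP) according to IEEE 802.11w` directly above it). Add a one-line description of what enabling beacon frame protection does, and remove the doubled blank line between the directive and its note.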
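Review bot: `* ``ax`` - 802.11ax - exceeds 1GBit/sec` in the hunk at @@ -93,6 +101,9 @@ breaks the pattern of the list, where every mode gives its rate in `Mbits/sec`; express it in the same unit. In the note, `as of yet` should be `currently` (`In VyOS, 802.11ax is currently only implemented for 6GHz.`).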
@@ -131,7 +142,9 @@ PPDU .. cfgcmd:: set interfaces wireless capabilities require-ht -.. cfgcmd:: set interfaces wireless capabilities require-hvt +.. cfgcmd:: set interfaces wireless capabilities require-vht + +.. cfgcmd:: set interfaces wireless capabilities require-he HT (High Throughput) capabilities (802.11n) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -149,6 +162,7 @@ HT (High Throughput) capabilities (802.11n) Supported channel width set. + * ``ht20`` - 20 MHz channel width * ``ht40-`` - Both 20 MHz and 40 MHz with secondary channel below the primary channel * ``ht40+`` - Both 20 MHz and 40 MHz with secondary channel above the primary 
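Review bot: `require-he` is added in the hunk at @@ -131,7 +142,9 @@ without any explanatory text, and the `require-ht`/`require-vht` lines around it have none either, so nothing tells the reader that these options make the AP reject stations that lack the given PHY capability. A short sentence under `require-he`, such as `Require stations to support HE (802.11ax); associations from stations without HE support are rejected`, would close the gap. The `require-hvt` to `require-vht` correction itself is right.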
@@ -297,6 +311,52 @@ VHT (Very High Throughput) capabilities (802.11ac) Station supports receiving VHT variant HT Control field +HE (High Efficiency) capabilities (802.11ax) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set interfaces wireless capabilities he antenna-pattern-fixed + + Tell the AP that antenna positions are fixed and will not change + during the lifetime of an association. + +.. cfgcmd:: set interfaces wireless capabilities he beamform + + + Beamforming capabilities: + + * ``single-user-beamformer`` - Support for operation as single user beamformer + * ``single-user-beamformee`` - Support for operation as single user beamformee + * ``multi-user-beamformer`` - Support for operation as single user beamformer + +.. cfgcmd:: set interfaces wireless capabilities he bss-color + + BSS coloring helps to prevent channel jamming when multiple APs use + the same channels. + + Valid values are 1..63 + +.. cfgcmd:: set interfaces wireless capabilities he + center-channel-freq + + HE operating channel center frequency - center freq 1 + (for use with 80, 80+80 and 160 modes) + + HE operating channel center frequency - center freq 2 + (for use with the 80+80 mode) + + must be within 1..233. For 80 MHz channels it should be channel + 6 + and for 160 MHz channels, it should be channel + 14. + +.. cfgcmd:: set interfaces wireless capabilities he channel-set-width + + must be one of: + + * ``131`` - 20 MHz channel width + * ``132`` - 40 MHz channel width + * ``133`` - 80 MHz channel width + * ``134`` - 160 MHz channel width + * ``135`` - 80+80 MHz channel width + Wireless options (Station/Client) ================================= 
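Review bot: In the hunk at @@ -297,6 +311,52 @@ the description of `multi-user-beamformer` reads `Support for operation as single user beamformer`, a copy of the line above; it should say `multi user beamformer`. Two smaller points in the same hunk: `BSS coloring helps to prevent channel jamming` is not what BSS color does (it tags frames so a station can tell its own BSS from overlapping BSSs on the same channel and apply spatial reuse), and the `center-channel-freq` block lists `center freq 1` and `center freq 2` under one cfgcmd without showing which argument selects which. The sentences `must be within 1..233 ...` and `must be one of:` also start mid-sentence and should name their subject (`The channel number must be within 1..233`).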
@@ -333,13 +393,13 @@ Resulting in Security ======== -:abbr:`WPA (Wi-Fi Protected Access)` and WPA2 Enterprise in combination with -802.1x based authentication can be used to authenticate users or computers -in a domain. +:abbr:`WPA (Wi-Fi Protected Access)`, WPA2 Enterprise and WPA3 Enterprise in +combination with 802.1x based authentication can be used to authenticate +users or computers in a domain. The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an :abbr:`EAP (Extensible Authentication -Protocol)` method configured on the RADIUS server. The WAP (also referred +Protocol)` method configured on the RADIUS server. The WAP (also referred to as authenticator) role is to send all authentication messages between the supplicant and the configured authentication server, thus the RADIUS server is responsible for authenticating the users. -- cgit v1.2.3 From 0839aa604ed8ba5f4dbe56eee2e984d32e55f8b3 Mon Sep 17 00:00:00 2001 From: Alain Lamar Date: Tue, 4 Jun 2024 13:14:29 +0200 Subject: wireless: T6320: Address linter issues --- docs/configuration/interfaces/wireless.rst | 58 ++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 18 deletions(-) diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index 8039b039..1930a1b9 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst 
@@ -7,9 +7,9 @@ WLAN/WIFI - Wireless LAN ######################## :abbr:`WLAN (Wireless LAN)` interface provide 802.11 (a/b/g/n/ac) wireless -support (commonly referred to as Wi-Fi) by means of compatible hardware. If your -hardware supports it, VyOS supports multiple logical wireless interfaces per -physical device. +support (commonly referred to as Wi-Fi) by means of compatible hardware. If +your hardware supports it, VyOS supports multiple logical wireless interfaces +per physical device. There are three modes of operation for a wireless interface: @@ -90,7 +90,8 @@ Wireless options .. cfgcmd:: set interfaces wireless beacon-frame-protection - .. note:: This option requires :abbr:`MFP (Management Frame Protection)` to be enabled. + .. note:: This option requires :abbr:`MFP (Management Frame Protection)` + to be enabled. .. cfgcmd:: set interfaces wireless mode @@ -248,10 +249,14 @@ VHT (Very High Throughput) capabilities (802.11ac) Beamforming capabilities: - * ``single-user-beamformer`` - Support for operation as single user beamformer - * ``single-user-beamformee`` - Support for operation as single user beamformee - * ``multi-user-beamformer`` - Support for operation as single user beamformer - * ``multi-user-beamformee`` - Support for operation as single user beamformer + * ``single-user-beamformer`` - Support for operation as + single user beamformer + * ``single-user-beamformee`` - Support for operation as + single user beamformee + * ``multi-user-beamformer`` - Support for operation as + multi user beamformer + * ``multi-user-beamformee`` - Support for operation as + multi user beamformee .. cfgcmd:: set interfaces wireless capabilities vht center-channel-freq 
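Review bot: The hunk at @@ -7,9 +7,9 @@ only rewraps the introduction, but the text it keeps, `802.11 (a/b/g/n/ac)`, now omits `ax`, which the previous commit documents as a supported mode; since these lines are being touched anyway, update it to `802.11 (a/b/g/n/ac/ax)`.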
@@ -276,7 +281,8 @@ VHT (Very High Throughput) capabilities (802.11ac) Enable LDPC (Low Density Parity Check) coding capability -.. cfgcmd:: set interfaces wireless capabilities vht link-adaptation +.. cfgcmd:: set interfaces wireless + capabilities vht link-adaptation VHT link adaptation capabilities @@ -288,7 +294,8 @@ VHT (Very High Throughput) capabilities (802.11ac) .. cfgcmd:: set interfaces wireless capabilities vht max-mpdu-exp - Set the maximum length of A-MPDU pre-EOF padding that the station can receive + Set the maximum length of A-MPDU pre-EOF padding that the station can + receive .. cfgcmd:: set interfaces wireless capabilities vht short-gi <80 | 160> @@ -314,7 +321,8 @@ VHT (Very High Throughput) capabilities (802.11ac) HE (High Efficiency) capabilities (802.11ax) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. cfgcmd:: set interfaces wireless capabilities he antenna-pattern-fixed +.. cfgcmd:: set interfaces wireless + capabilities he antenna-pattern-fixed Tell the AP that antenna positions are fixed and will not change during the lifetime of an association. @@ -324,11 +332,15 @@ HE (High Efficiency) capabilities (802.11ax) Beamforming capabilities: - * ``single-user-beamformer`` - Support for operation as single user beamformer - * ``single-user-beamformee`` - Support for operation as single user beamformee - * ``multi-user-beamformer`` - Support for operation as single user beamformer + * ``single-user-beamformer`` - Support for operation as + single user beamformer + * ``single-user-beamformee`` - Support for operation as + single user beamformee + * ``multi-user-beamformer`` - Support for operation as single + user beamformer -.. cfgcmd:: set interfaces wireless capabilities he bss-color +.. cfgcmd:: set interfaces wireless + capabilities he bss-color BSS coloring helps to prevent channel jamming when multiple APs use the same channels. 
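Review bot: The hunk at @@ -324,11 +332,15 @@ rewraps the HE beamforming list but keeps `multi-user-beamformer - Support for operation as single user beamformer`, while the VHT hunk at @@ -248,10 +249,14 @@ in this same commit corrects the analogous line to `multi user beamformer`; apply the same correction here.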
@@ -344,10 +356,11 @@ HE (High Efficiency) capabilities (802.11ax) HE operating channel center frequency - center freq 2 (for use with the 80+80 mode) - must be within 1..233. For 80 MHz channels it should be channel + 6 - and for 160 MHz channels, it should be channel + 14. + must be within 1..233. For 80 MHz channels it should be + channel + 6 and for 160 MHz channels, it should be channel + 14. -.. cfgcmd:: set interfaces wireless capabilities he channel-set-width +.. cfgcmd:: set interfaces wireless + capabilities he channel-set-width must be one of: @@ -413,6 +426,7 @@ The WAP in this example has the following characteristics: * Wireless channel ``1`` * RADIUS server at ``192.168.3.10`` with shared-secret ``VyOSPassword`` +.. stop_vyoslinter .. code-block:: none set interfaces wireless wlan0 address '192.168.2.1/24' @@ -426,6 +440,8 @@ The WAP in this example has the following characteristics: set interfaces wireless wlan0 security wpa radius server 192.168.3.10 key 'VyOSPassword' set interfaces wireless wlan0 security wpa radius server 192.168.3.10 port 1812 +.. start_vyoslinter + Resulting in .. code-block:: none @@ -491,6 +507,7 @@ about all wireless interfaces. Use this command to view operational status and details wireless-specific information about all wireless interfaces. +.. stop_vyoslinter .. code-block:: none vyos@vyos:~$ show interfaces wireless detail @@ -518,11 +535,14 @@ information about all wireless interfaces. TX: bytes packets errors dropped carrier collisions 183413 5430 0 0 0 0 +.. start_vyoslinter + .. opcmd:: show interfaces wireless This command shows both status and statistics on the specified wireless interface. The wireless interface identifier can range from wlan0 to wlan999. +.. stop_vyoslinter .. code-block:: none vyos@vyos:~$ show interfaces wireless wlan0 
@@ -538,6 +558,8 @@ interface. The wireless interface identifier can range from wlan0 to wlan999. TX: bytes packets errors dropped carrier collisions 83413 430 0 0 0 0 +.. start_vyoslinter + .. opcmd:: show interfaces wireless brief -- cgit v1.2.3 From 8118c93687b89e267111069c475e02f8e89f648c Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 12 Jun 2024 09:13:08 -0300 Subject: Firewall: Add prerouting information --- docs/_static/images/firewall-fwd-packet-flow.png | Bin 39628 -> 30593 bytes docs/_static/images/firewall-input-packet-flow.png | Bin 56752 -> 43944 bytes docs/configuration/firewall/global-options.rst | 32 +++++++++++++++++ docs/configuration/firewall/index.rst | 35 +++++++++++++----- docs/configuration/firewall/ipv4.rst | 31 +++++++++++++--- docs/configuration/firewall/ipv6.rst | 31 +++++++++++++--- docs/configuration/system/conntrack.rst | 39 ++++----------------- 7 files changed, 118 insertions(+), 50 deletions(-) diff --git a/docs/_static/images/firewall-fwd-packet-flow.png b/docs/_static/images/firewall-fwd-packet-flow.png index e4bc2adc..1ca213e8 100644 Binary files a/docs/_static/images/firewall-fwd-packet-flow.png and b/docs/_static/images/firewall-fwd-packet-flow.png differ diff --git a/docs/_static/images/firewall-input-packet-flow.png b/docs/_static/images/firewall-input-packet-flow.png index 1c53c34a..20d356bd 100644 Binary files a/docs/_static/images/firewall-input-packet-flow.png and b/docs/_static/images/firewall-input-packet-flow.png differ diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index b3f311aa..7c52045e 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst 
@@ -145,3 +145,35 @@ Configuration [emerg | alert | crit | err | warn | notice | info | debug] Set the global setting for related connections. + +VyOS supports setting timeouts for connections according to the +connection type. You can set timeout values for generic connections, for ICMP +connections, UDP connections, or for TCP connections in a number of different +states. + +.. cfgcmd:: set firewall global-options timeout icmp <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout other <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp close <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp close-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp established <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp fin-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp last-ack <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp syn-recv <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp syn-sent <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp time-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout udp other <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout udp stream <1-21474836> + :defaultvalue: + + Set the timeout in seconds for a protocol or state. \ No newline at end of file diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 1d904901..daf5f116 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst 
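Review bot: The hunk at @@ -145,3 +145,35 @@ ends with `\ No newline at end of file`; add the trailing newline. The timeout text is moved here verbatim from conntrack.rst, so one sentence noting that these settings were previously configured under `set system conntrack timeout ...` would help readers migrating older configurations find them under `set firewall global-options timeout ...`.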
@@ -26,14 +26,23 @@ firewall are covered below: If the interface where the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**: - * **Prerouting**: several actions can be done in this stage, and currently - these actions are defined in different parts in VyOS configuration. Order - is important, and all these actions are performed before any actions - defined under ``firewall`` section. Relevant configuration that acts in - this stage are: + * **Prerouting**: All packets that are received by the router + are processed in this stage, regardless of the destination of the packet. + Starting from vyos-1.5-rolling-202406120020, a new section was added to + firewall configuration. There are several actions that can be done in this + stage, and currently these actions are also defined in different parts in + VyOS configuration. Order is important, and relevant configuration that + acts in this stage are: + + * **Firewall prerouting**: rules defined under ``set firewall [ipv4 | + ipv6] prerouting raw...``. All rules defined in this section are + processed before connection tracking subsystem. * **Conntrack Ignore**: rules defined under ``set system conntrack ignore - [ipv4 | ipv6] ...``. + [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020, + configuration done in this section can be done in ``firewall [ipv4 | + ipv6] prerouting ...``. For compatibility reasons, this feature is + still present, but it will be removed in the future. * **Policy Route**: rules defined under ``set policy [route | route6] ...``. 
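Review bot: `processed before connection tracking subsystem` in the hunk at @@ -26,14 +26,23 @@ is missing its article (`before the connection tracking subsystem`), and the same phrase recurs in the later hunks. More importantly, because `prerouting raw` rules run before conntrack, connection-state matches cannot work in them; stating that explicitly here would prevent the obvious misconfiguration of writing state-based rules in the raw chain.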
@@ -67,11 +76,13 @@ packet is processed at the **IP Layer**: new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). - This includes ipv4 and ipv6 filtering rules, defined in: + This includes ipv4 and ipv6 rules, and two different sections are present: - * ``set firewall ipv4 output filter ...``. + * **Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``. + As described in **Prerouting**, rules defined in this section are + processed before connection tracking subsystem. - * ``set firewall ipv6 output filter ...``. + * **Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``. * **Postrouting**: as in **Prerouting**, several actions defined in different parts of VyOS configuration are performed in this @@ -120,6 +131,9 @@ The main structure of the VyOS firewall CLI is shown next: + filter - output + filter + + raw + - prerouting + + raw - name + custom_name * ipv6 @@ -129,6 +143,9 @@ The main structure of the VyOS firewall CLI is shown next: + filter - output + filter + + raw + - prerouting + + raw - ipv6-name + custom_name * zone diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index f7f98dc7..e53f2480 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst 
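Review bot: In the hunk at @@ -67,11 +76,13 @@ both new bullets point at `set firewall [ipv4 | ipv6] output filter ...`; the `Output Prerouting` bullet should reference `output raw ...`, as the ipv4.rst and ipv6.rst hunks in this commit do. The label `Output Prerouting` is itself confusing for a chain that is not in the prerouting hook; `Output Raw`, matching the CLI keyword, would be clearer.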
@@ -31,17 +31,34 @@ of the general structure: + filter - output + filter + + raw + - prerouting + + raw - name + custom_name +First, all traffic is received by the router, and it is processed in the +**prerouting** section. + +This stage includes: + + * **Firewall Prerouting**: commands found under ``set firewall ipv4 + prerouting raw ...`` + * :doc:`Conntrack Ignore`: ``set system + conntrack ignore ipv4...`` + * :doc:`Policy Route`: commands found under + ``set policy route ...`` + * :doc:`Destination NAT`: commands found under + ``set nat destination ...`` + For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Where firewall base chain to configure firewall filtering rules for transit -traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, +Firewall base chain to configure firewall filtering rules for transit traffic +is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlighted with red color. For traffic towards the router itself, base chain is **input**, while traffic 
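Review bot: The new stage list in the hunk at @@ -31,17 +31,34 @@ (Firewall Prerouting, Conntrack Ignore, Policy Route, Destination NAT) does not say whether it is in processing order, although the index.rst hunk in this commit stresses that order in prerouting is important; state that the items are listed in the order they are evaluated, or say that they are not.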
@@ -52,11 +69,17 @@ router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain is for traffic toward the router is ``set firewall ipv4 input +Base chain for traffic towards the router is ``set firewall ipv4 input filter ...`` And base chain for traffic generated by the router is ``set firewall ipv4 -output filter ...`` +output ...``, where two sub-chains are available: **filter** and **raw**: + +* **Output Prerouting**: ``set firewall ipv4 output raw ...``. + As described in **Prerouting**, rules defined in this section are + processed before connection tracking subsystem. +* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined + in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** If default action for any base chain is not defined, then the default diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index cbf18a7d..423f3e09 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst 
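Review bot: The `Important note about default-actions` that follows the hunk at @@ -52,11 +69,17 @@ speaks of `any base chain`; with `prerouting raw` and `output raw` newly documented, say whether the note applies to those chains as well. Also `Output Prerouting` should be `Output Raw` to match `set firewall ipv4 output raw ...` on the same bullet.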
@@ -31,17 +31,34 @@ of the general structure: + filter - output + filter + + raw + - prerouting + + raw - name + custom_name +First, all traffic is received by the router, and it is processed in the +**prerouting** section. + +This stage includes: + + * **Firewall Prerouting**: commands found under ``set firewall ipv6 + prerouting raw ...`` + * :doc:`Conntrack Ignore`: ``set system + conntrack ignore ipv6...`` + * :doc:`Policy Route`: commands found under + ``set policy route6 ...`` + * :doc:`Destination NAT`: commands found under + ``set nat66 destination ...`` + For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Where firewall base chain to configure firewall filtering rules for transit -traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, +Firewall base chain to configure firewall filtering rules for transit traffic +is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlighted with red color. For traffic towards the router itself, base chain is **input**, while traffic 
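Review bot: Same point as for ipv4.rst: the stage list in the hunk at @@ -31,17 +31,34 @@ should say whether Firewall Prerouting, Conntrack Ignore, Policy Route and Destination NAT are listed in evaluation order.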
@@ -52,11 +69,17 @@ router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain is for traffic toward the router is ``set firewall ipv6 input +Base chain for traffic towards the router is ``set firewall ipv6 input filter ...`` And base chain for traffic generated by the router is ``set firewall ipv6 -output filter ...`` +output filter ...``, where two sub-chains are available: **filter** and **raw**: + +* **Output Prerouting**: ``set firewall ipv6 output raw ...``. + As described in **Prerouting**, rules defined in this section are + processed before connection tracking subsystem. +* **Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined + in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** If default action for any base chain is not defined, then the default diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst index 1401e02e..6d551575 100644 --- a/docs/configuration/system/conntrack.rst +++ b/docs/configuration/system/conntrack.rst 
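Review bot: The hunk at @@ -52,11 +69,17 @@ keeps `set firewall ipv6 output filter ...` in front of `where two sub-chains are available: filter and raw`, while the ipv4.rst hunk changed its counterpart to `set firewall ipv4 output ...`; make the ipv6 text read `set firewall ipv6 output ...` so the sentence does not name one sub-chain and then introduce two.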
@@ -64,39 +64,7 @@ Configure Contrack Timeouts ================= -VyOS supports setting timeouts for connections according to the -connection type. You can set timeout values for generic connections, for ICMP -connections, UDP connections, or for TCP connections in a number of different -states. - -.. cfgcmd:: set system conntrack timeout icmp <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout other <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp close <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp established <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout udp other <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout udp stream <1-21474836> - :defaultvalue: - - Set the timeout in seconds for a protocol or state. - -You can also define custom timeout values to apply to a specific subset of +You can define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector. 
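Review bot: The hunk at @@ -64,39 +64,7 @@ removes the generic and per-protocol timeout commands from conntrack.rst without leaving a pointer to their new location; since the `Timeouts` heading stays, add one sentence referring readers to `set firewall global-options timeout ...` (global-options.rst) so users of the old `set system conntrack timeout ...` path can find those settings.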
@@ -177,6 +145,11 @@ create a rule defining the packet and flow selector. Conntrack ignore rules ====================== +.. note:: **Important note about conntrack ignore rules:** + Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in + ``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in + the future the conntrack ignore rules will be removed. + Customized ignore rules, based on a packet and flow selector. .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> -- cgit v1.2.3 From 4f71374b273cb0b0f2f181563134324f1d7e57fc Mon Sep 17 00:00:00 2001 From: fett0 Date: Wed, 12 Jun 2024 17:30:56 -0300 Subject: T5307: Add doc for traffic match groups --- docs/configuration/trafficpolicy/index.rst | 50 ++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/docs/configuration/trafficpolicy/index.rst b/docs/configuration/trafficpolicy/index.rst index f99c2a66..5414ce77 100644 --- a/docs/configuration/trafficpolicy/index.rst +++ b/docs/configuration/trafficpolicy/index.rst 
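Review bot: The note in the hunk at @@ -177,6 +145,11 @@ tells readers that ignore rules can now be defined under `set firewall [ipv4 | ipv6] prerouting raw ...` but not how; name the rule action in the raw chain that replaces a conntrack ignore rule so the migration is actionable before the old syntax is removed.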
@@ -212,6 +212,56 @@ You can also write a description for a filter: .. note:: IPv6 TCP filters will only match IPv6 packets with no header extension, see https://en.wikipedia.org/wiki/IPv6_packet#Extension_headers +Traffic Match Group +------------------- +In some case where we need to have an organization of our matching selection, +in order to be more flexible and organize with our filter definition. We can +apply traffic match groups, allowing us to create distinct filter groups within +our policy and define various parameters for each group: + +.. code-block:: none + + set qos traffic-match-group match + Possible completions: + description Description + > ip Match IP protocol header + > ipv6 Match IPv6 protocol header + mark Match on mark applied by firewall + vif Virtual Local Area Network (VLAN) ID for this match + +inherit matches from another group + +.. code-block:: none + + set qos traffic-match-group match-group + +A match group can contain multiple criteria and inherit them in the same policy. + +For example: + +.. 
code-block:: none + + set qos traffic-match-group Mission-Critical match AF31 ip dscp 'AF31' + set qos traffic-match-group Mission-Critical match AF32 ip dscp 'AF42' + set qos traffic-match-group Mission-Critical match CS3 ip dscp 'CS3' + set qos traffic-match-group Streaming-Video match AF11 ip dscp 'AF11' + set qos traffic-match-group Streaming-Video match AF41 ip dscp 'AF41' + set qos traffic-match-group Streaming-Video match AF43 ip dscp 'AF43' + set qos policy shaper VyOS-HTB class 10 bandwidth '30%' + set qos policy shaper VyOS-HTB class 10 description 'Multimedia' + set qos policy shaper VyOS-HTB class 10 match CS4 ip dscp 'CS4' + set qos policy shaper VyOS-HTB class 10 match-group 'Streaming-Video' + set qos policy shaper VyOS-HTB class 10 priority '1' + set qos policy shaper VyOS-HTB class 10 queue-type 'fair-queue' + set qos policy shaper VyOS-HTB class 20 description 'MC' + set qos policy shaper VyOS-HTB class 20 match-group 'Mission-Critical' + set qos policy shaper VyOS-HTB class 20 priority '2' + set qos policy shaper VyOS-HTB class 20 queue-type 'fair-queue' + set qos policy shaper VyOS-HTB default bandwidth '20%' + set qos policy shaper VyOS-HTB default queue-type 'fq-codel' + +In this example, we can observe that different DSCP criteria are defined based +on our QoS configuration within the same policy group. Default ------- -- cgit v1.2.3 From 1dbb5579f048821e3a793a12df170021c6aa382b Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Fri, 14 Jun 2024 13:56:50 +0300 Subject: CGNAT: extend configuration and op-mode examples --- docs/configuration/nat/cgnat.rst | 55 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/docs/configuration/nat/cgnat.rst b/docs/configuration/nat/cgnat.rst index 70916318..7fc5e03b 100644 --- a/docs/configuration/nat/cgnat.rst +++ b/docs/configuration/nat/cgnat.rst 
@@ -82,9 +82,10 @@ Configuration Set external source port limits that will be allocated to each subscriber individually. The default value is 2000. -.. cfgcmd:: set nat cgnat pool external range [address | address range | network] +.. cfgcmd:: set nat cgnat pool external range [address | address range | network] [seq] Set the range of external IP addresses for the CGNAT pool. + The sequence is optional; if set, a lower value means higher priority. .. cfgcmd:: set nat cgnat pool internal range [address range | network] @@ -98,6 +99,9 @@ Configuration Set the rule for the translation pool. +.. cfgcmd:: set nat cgnat log-allocation + + Enable logging of IP address and ports allocations. Configuration Examples @@ -134,6 +138,55 @@ Multiple external addresses set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1' +External address sequences +----------------------------------- + +.. code-block:: none + + set nat cgnat pool external ext-01 per-user-limit port '16000' + set nat cgnat pool external ext-01 range 203.0.113.1/32 seq '10' + set nat cgnat pool external ext-01 range 192.0.2.1/32 seq '20' + set nat cgnat pool internal int-01 range '100.64.0.0/29' + set nat cgnat rule 10 source pool 'int-01' + set nat cgnat rule 10 translation pool 'ext-01' + + +Operation commands +================== + +.. opcmd:: show nat cgnat allocation + + Show address and port allocations + +.. opcmd:: show nat cgnat allocation external-address
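Review bot: `Enable logging of IP address and ports allocations.` in the hunk at @@ -98,6 +99,9 @@ should read `port allocations`, and the entry would be more useful if it said why an operator enables it: the allocation log is what allows a subscriber to be identified later from an external address, port and timestamp, which is the usual traceability requirement for CGNAT. Saying where the log entries are written would complete it.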
+ + Show all allocations for an external IP address + +.. opcmd:: show nat cgnat allocation internal-address
+ + Show all allocations for an internal IP address + +Show CGNAT allocations +---------------------- + +.. code-block:: none + + vyos@vyos:~$ show nat cgnat allocation + Internal IP External IP Port range + ------------- ------------- ------------ + 100.64.0.0 203.0.113.1 1024-17023 + 100.64.0.1 203.0.113.1 17024-33023 + 100.64.0.2 203.0.113.1 33024-49023 + 100.64.0.3 203.0.113.1 49024-65023 + 100.64.0.4 192.0.2.1 1024-17023 + 100.64.0.5 192.0.2.1 17024-33023 + 100.64.0.6 192.0.2.1 33024-49023 + 100.64.0.7 192.0.2.1 49024-65023 + + vyos@vyos:~$ show nat cgnat allocation internal-address 100.64.0.4 + Internal IP External IP Port range + ------------- ------------- ------------ + 100.64.0.4 192.0.2.1 1024-17023 Further Reading -- cgit v1.2.3 From fe416b56cfa30494172a0310c16fd2787330c7bb Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Fri, 14 Jun 2024 11:14:53 -0300 Subject: Configuration Blueprints: add new example for firewall+vrf. Also, add note about usage of inbound and outbound interface when interface is attached to a non-default vrf. --- .../_static/images/firewall-and-vrf-blueprints.png | Bin 0 -> 84270 bytes docs/configexamples/firewall.rst | 12 ++ docs/configexamples/fwall-and-vrf.rst | 121 +++++++++++++++++++++ docs/configexamples/index.rst | 2 +- docs/configexamples/zone-policy.rst | 13 +-- docs/configuration/firewall/ipv4.rst | 8 ++ docs/configuration/firewall/ipv6.rst | 8 ++ 7 files changed, 151 insertions(+), 13 deletions(-) create mode 100644 docs/_static/images/firewall-and-vrf-blueprints.png create mode 100644 docs/configexamples/firewall.rst create mode 100644 docs/configexamples/fwall-and-vrf.rst diff --git a/docs/_static/images/firewall-and-vrf-blueprints.png b/docs/_static/images/firewall-and-vrf-blueprints.png new file mode 100644 index 00000000..8c3bf9f2 Binary files /dev/null and b/docs/_static/images/firewall-and-vrf-blueprints.png differ 
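Review bot: The example in the hunk at @@ -134,6 +138,55 @@ together with the `show nat cgnat allocation` output demonstrates `seq` well (`203.0.113.1`, seq 10, is filled with four 16000-port blocks before `192.0.2.1`, seq 20, is used), but nothing in the text connects the output to the `seq` values; one sentence under the output stating that the lower sequence is allocated first would make the example self-explanatory. The underline for `External address sequences` is also much longer than the title; match its length as the other headings do.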
diff --git a/docs/configexamples/firewall.rst b/docs/configexamples/firewall.rst new file mode 100644 index 00000000..e0a4ca55 --- /dev/null +++ b/docs/configexamples/firewall.rst @@ -0,0 +1,12 @@ +:lastproofread: 2024-06-14 + +Firewall Examples +================= + +This section contains examples of firewall configurations for various deployments. + +.. toctree:: + :maxdepth: 2 + + fwall-and-vrf + zone-policy diff --git a/docs/configexamples/fwall-and-vrf.rst b/docs/configexamples/fwall-and-vrf.rst new file mode 100644 index 00000000..38663a18 --- /dev/null +++ b/docs/configexamples/fwall-and-vrf.rst 
@@ -0,0 +1,121 @@ +VRF and firewall example +------------------------ + +Scenario and requirements +^^^^^^^^^^^^^^^^^^^^^^^^^ + +This example shows how to configure a VyOS router with VRFs and firewall rules. + +Diagram used in this example: + +.. image:: /_static/images/firewall-and-vrf-blueprints.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +As exposed in the diagram, there are four VRFs. These VRFs are ``MGMT``, +``WAN``, ``LAN`` and ``PROD``, and their requirements are: + +* VRF MGMT: + * Allow connections to LAN and PROD. + * Deny connections to internet(WAN). + * Allow connections to the router. +* VRF LAN: + * Allow connections to PROD. + * Allow connections to internet(WAN). +* VRF PROD: + * Only accepts connections. +* VRF WAN: + * Allow connection to PROD. + +Configuration +^^^^^^^^^^^^^ + +First, we need to configure the interfaces and VRFs: + +.. code-block:: none + + set interfaces ethernet eth1 address '10.100.100.1/24' + set interfaces ethernet eth1 vrf 'MGMT' + set interfaces ethernet eth2 vif 150 address '10.150.150.1/24' + set interfaces ethernet eth2 vif 150 vrf 'LAN' + set interfaces ethernet eth2 vif 160 address '10.160.160.1/24' + set interfaces ethernet eth2 vif 160 vrf 'LAN' + set interfaces ethernet eth2 vif 3500 address '172.16.20.1/24' + set interfaces ethernet eth2 vif 3500 vrf 'PROD' + set interfaces loopback lo + set interfaces pppoe pppoe0 authentication password 'p4ssw0rd' + set interfaces pppoe pppoe0 authentication username 'vyos' + set interfaces pppoe pppoe0 source-interface 'eth0' + set interfaces pppoe pppoe0 vrf 'WAN' + set vrf bind-to-all + set vrf name LAN protocols static route 0.0.0.0/0 interface pppoe0 vrf 'WAN' + set vrf name LAN protocols static route 10.100.100.0/24 interface eth1 vrf 'MGMT' + set vrf name LAN protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' + set vrf name LAN table '103' + set vrf name MGMT protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' 
+ set vrf name MGMT protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' + set vrf name MGMT protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' + set vrf name MGMT table '102' + set vrf name PROD protocols static route 0.0.0.0/0 interface pppoe0 vrf 'WAN' + set vrf name PROD protocols static route 10.100.100.0/24 interface eth1 vrf 'MGMT' + set vrf name PROD protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' + set vrf name PROD protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' + set vrf name PROD table '104' + set vrf name WAN protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' + set vrf name WAN protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' + set vrf name WAN protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' + set vrf name WAN table '101' + +And before firewall rules are shown, we need to pay attention how to configure +and match interfaces and VRFs. In case where an interface is assigned to a +non-default VRF, if we want to use inbound-interface or outbound-interface in +firewall rules, we need to: + +* For **inbound-interface**: use the interface name with the VRF name, like + ``MGMT`` or ``LAN``. +* For **outbound-interface**: use the interface name, like ``eth0``, ``vtun0``, + ``eth2*`` or similar. + +Next, we need to configure the firewall rules. First we will define all rules +for transit traffic between VRFs. + +.. 
code-block:: none + + set firewall ipv4 forward filter default-action 'drop' + set firewall ipv4 forward filter default-log + set firewall ipv4 forward filter rule 10 action 'accept' + set firewall ipv4 forward filter rule 10 description 'MGMT - Allow to LAN and PROD' + set firewall ipv4 forward filter rule 10 inbound-interface name 'MGMT' + set firewall ipv4 forward filter rule 10 outbound-interface name 'eth2*' + set firewall ipv4 forward filter rule 99 action 'drop' + set firewall ipv4 forward filter rule 99 description 'MGMT - Drop all going to mgmt' + set firewall ipv4 forward filter rule 99 outbound-interface name 'eth1' + set firewall ipv4 forward filter rule 120 action 'accept' + set firewall ipv4 forward filter rule 120 description 'LAN - Allow to PROD' + set firewall ipv4 forward filter rule 120 inbound-interface name 'LAN' + set firewall ipv4 forward filter rule 120 outbound-interface name 'eth2.3500' + set firewall ipv4 forward filter rule 130 action 'accept' + set firewall ipv4 forward filter rule 130 description 'LAN - Allow internet' + set firewall ipv4 forward filter rule 130 inbound-interface name 'LAN' + set firewall ipv4 forward filter rule 130 outbound-interface name 'pppoe0' + +Also, we are adding global state policies, in order to allow established and +related traffic, in order not to drop valid responses: + +.. code-block:: none + + set firewall global-options state-policy established action 'accept' + set firewall global-options state-policy invalid action 'drop' + set firewall global-options state-policy related action 'accept' + +And finally, we need to allow input connections to the router itself only from +vrf MGMT: + +.. 
code-block:: none + + set firewall ipv4 input filter default-action 'drop' + set firewall ipv4 input filter default-log + set firewall ipv4 input filter rule 10 action 'accept' + set firewall ipv4 input filter rule 10 description 'MGMT - Allow input' + set firewall ipv4 input filter rule 10 inbound-interface name 'MGMT' \ No newline at end of file diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index d5973eb2..11dee806 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -8,7 +8,7 @@ This chapter contains various configuration examples: .. toctree:: :maxdepth: 2 - zone-policy + firewall bgp-ipv6-unnumbered ospf-unnumbered azure-vpn-bgp diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst index 95648e7a..d0101ebf 100644 --- a/docs/configexamples/zone-policy.rst +++ b/docs/configexamples/zone-policy.rst @@ -1,20 +1,10 @@ -:lastproofread: 2021-06-29 +:lastproofread: 2024-06-14 .. _examples-zone-policy: Zone-Policy example ------------------- -.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all vyos installations, and zone based firewall is - no longer supported. Documentation for most of the new firewall CLI can be - found in the `firewall - `_ - chapter. The legacy firewall is still available for versions before - 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` - chapter. The examples in this section use the legacy firewall configuration - commands, since this feature has been removed in earlier releases. - .. note:: In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone `` to ``firewall zone ``. @@ -428,4 +418,3 @@ Something like: address ip.of.tunnel.broker } } - diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index e53f2480..39370c86 100644 --- a/docs/configuration/firewall/ipv4.rst 
+++ b/docs/configuration/firewall/ipv4.rst @@ -732,6 +732,10 @@ geoip) to keep database and rules updated. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2`` +.. note:: If an interface is attached to a non-default vrf, when using + **inbound-interface**, vrf name must be used. For example ``set firewall + ipv4 forward filter rule 10 inbound-interface name MGMT`` + .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> inbound-interface group .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> @@ -753,6 +757,10 @@ geoip) to keep database and rules updated. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2`` +.. note:: If an interface is attached to a non-default vrf, when using + **outbound-interface**, real interface name must be used. For example + ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0`` + .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> outbound-interface group .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 423f3e09..511fd51f 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -723,6 +723,10 @@ geoip) to keep database and rules updated. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2`` +.. note:: If an interface is attached to a non-default vrf, when using + **inbound-interface**, vrf name must be used. For example ``set firewall + ipv6 forward filter rule 10 inbound-interface name MGMT`` + .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> inbound-interface group .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> 
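Review bot: the forward filter in the new firewall.rst does not implement the WAN requirement it states. The requirements list says "VRF WAN: Allow connection to PROD", but with `default-action 'drop'` the only accept rules are 10 (inbound `MGMT` to `eth2*`), 120 (inbound `LAN` to `eth2.3500`) and 130 (inbound `LAN` to `pppoe0`), so traffic entering on the WAN VRF for 172.16.20.0/24 is dropped. Either add a rule with `inbound-interface name 'WAN'` and `outbound-interface name 'eth2.3500'` or remove that bullet. Rule 99 ("MGMT - Drop all going to mgmt") is redundant with the default drop and, unlike the default action, is not logged; add `log` to it if those drops should be visible, or delete it so `default-log` covers them.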
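Review bot: the inbound-interface bullet in firewall.rst is ambiguous. "use the interface name with the VRF name, like ``MGMT`` or ``LAN``" reads as if both names are combined, while the rules that follow and the new note in ipv4.rst ("vrf name must be used") use the VRF name alone; suggest "use the VRF name in place of the interface name, for example ``MGMT``". In the four notes added to ipv4.rst and ipv6.rst, write "VRF" in capitals as the rest of the chapter does and give both sentences an article ("the VRF name must be used", "the real interface name must be used").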
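Review bot: replacing `zone-policy` with `firewall` in the index.rst toctree leaves docs/configexamples/zone-policy.rst in the tree but unreferenced, so Sphinx will warn that the document is not included in any toctree; keep both entries, add `:orphan:` to zone-policy.rst, or delete the file. The same change removes the note that the zone-policy examples use legacy firewall commands and points to :ref:`firewall-legacy`, while the page's commands are unchanged; if the page stays, keep an updated version of that note so readers on current releases know those commands no longer apply.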
@@ -744,6 +748,10 @@ geoip) to keep database and rules updated. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2`` +.. note:: If an interface is attached to a non-default vrf, when using + **outbound-interface**, real interface name must be used. For example + ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0`` + .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> outbound-interface group .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> -- cgit v1.2.3 From 6a69e00a85f26c8f6dfe66afb7c59b264ea2088a Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 15 Jun 2024 21:50:47 +0200 Subject: wireless: T6318: move country-code to a system wide configuration --- docs/configuration/interfaces/wireless.rst | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index df153763..8a45111e 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -36,15 +36,10 @@ Common interface configuration :var0: wireless :var1: wlan0 -Wireless options -================ - -.. cfgcmd:: set interfaces wireless channel +System Wide configuration +========================= - Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from - 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173 - -.. cfgcmd:: set interfaces wireless country-code +.. cfgcmd:: set system wireless country-code Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed to indicate country in which device is operating. This can limit available 
@@ -52,6 +47,14 @@ Wireless options .. note:: This option is mandatory in Access-Point mode. +Wireless options +================ + +.. cfgcmd:: set interfaces wireless channel + + Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from + 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173 + .. cfgcmd:: set interfaces wireless disable-broadcast-ssid Send empty SSID in beacons and ignore probe request frames that do not specify -- cgit v1.2.3 From 99086ab972f18ad8e0da632b57606822f5057d69 Mon Sep 17 00:00:00 2001 From: Alain Lamar Date: Mon, 17 Jun 2024 23:12:36 +0200 Subject: wireless: T6320: Change 'beacon-frame-protection enable' to 'enable-bf-protection' --- docs/configuration/interfaces/wireless.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index 1930a1b9..22e7d11f 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -87,8 +87,9 @@ Wireless options .. note:: :abbr:`MFP (Management Frame Protection)` is required for WPA3. -.. cfgcmd:: set interfaces wireless beacon-frame-protection - +.. cfgcmd:: set interfaces wireless enable-bf-protection + + Beacon Protection: management frame protection for Beacon frames. .. note:: This option requires :abbr:`MFP (Management Frame Protection)` to be enabled. -- cgit v1.2.3 From df22d6dfdfbb0730546fa92978de3d1a45d3ee6b Mon Sep 17 00:00:00 2001 
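Review bot: the new heading "System Wide configuration" is capitalised inconsistently with the other headings in this file ("Wireless options", "Common interface configuration"); "System-wide configuration" fits. The second hunk also re-adds the channel text without the 6GHz sentence that 13d99f2f added to the same lines (both commits are based on df153763), so the two conflict and are only reconciled later in dcc1645e; rebasing this commit on the T6320 change would avoid the intermediate regression.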
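Review bot: this rename supersedes the `beacon-frame-protection` node that 13d99f2f introduced earlier in this series with an empty description; since both commits are in the same set, squashing them avoids documenting a CLI node name that never shipped. The description should also state what setting the valueless node does ("Enable beacon protection, i.e. integrity protection for Beacon frames") rather than only defining the term, and keep the MFP prerequisite note directly beneath it as done here.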
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jun 2024 22:35:14 +0000 Subject: build(deps): bump urllib3 from 2.1.0 to 2.2.2 Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.1.0 to 2.2.2. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.1.0...2.2.2) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 08a1fd15..d604873c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -urllib3==2.1.0 +urllib3==2.2.2 Sphinx==7.2.6 sphinx-rtd-theme==2.0.0 sphinx-autobuild==2021.3.14 -- cgit v1.2.3 From e2427a9c2515780a12fc3a6702cfc95793053605 Mon Sep 17 00:00:00 2001 From: Simon Novak Date: Thu, 20 Jun 2024 16:07:46 +0200 Subject: Update flowtables.rst chore(docs): fixed typos & relevant distinctions for ipv4, ipv6 --- docs/configuration/firewall/flowtables.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst index e8a5f2e8..ae95a85f 100644 --- a/docs/configuration/firewall/flowtables.rst +++ b/docs/configuration/firewall/flowtables.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-12-26 +:lastproofread: 2024-06-20 .. _firewall-flowtables-configuration: 
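Review bot: requirements.txt pins by version only (`urllib3==2.2.2`), so the docs build still trusts whatever the index serves for that version; generating the file with hash pins (`pip-compile --generate-hashes` and installing with `--require-hashes`) would make the toolchain tamper-evident. The commit body links the release notes but does not say why the jump to 2.2.2 was taken; state the motivating fix, and note that `dependency-type: direct:production` mislabels a Sphinx build-only dependency.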
@@ -85,12 +85,12 @@ Provide a description to the flow table. Creating rules for using flow tables: -.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> +.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action offload Create firewall rule in forward chain, and set action to ``offload``. -.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> +.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> offload-target Create firewall rule in forward chain, and define which flowtbale @@ -142,7 +142,7 @@ Explanation Analysis on what happens for desired connection: - 1. First packet is received on eht0, with destination address 192.0.2.100, + 1. First packet is received on eth0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1. @@ -159,7 +159,7 @@ Analysis on what happens for desired connection: connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection. - 6. All subsecuent packets will skip traditional path, and will be offloaded + 6. All the following packets will skip traditional path, and will be offloaded and will use the **Fast Path**. Checks -- cgit v1.2.3 From dcc1645e54fe6573efd8a2b808c9a7b8c9341652 Mon Sep 17 00:00:00 2001 From: Alain Lamar Date: Mon, 24 Jun 2024 14:32:22 +0200 Subject: wireless: T6320: Backport changes from T6318 --- docs/configuration/interfaces/wireless.rst | 31 ++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index 22e7d11f..b7188f44 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst 
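Review bot: one typo in this hunk's own context survives the cleanup: the line after the second cfgcmd still reads "define which flowtbale", which should be "flowtable". While touching step 6, "will skip traditional path" also wants an article ("will skip the traditional path, and will be offloaded and will use the **Fast Path**" could become "skip the traditional path and use the **Fast Path**").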
@@ -45,10 +45,10 @@ Wireless options 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173. On 6GHz (802.11 ax) channels range from 1 to 233. -.. cfgcmd:: set interfaces wireless country-code +.. cfgcmd:: set system wireless country-code Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed - to indicate country in which device is operating. This can limit available + to indicate country in which the box is operating. This can limit available channels and transmit power. .. note:: This option is mandatory in Access-Point mode. @@ -380,9 +380,9 @@ default physical device (``phy0``) is used. .. code-block:: none + set system wireless country-code de set interfaces wireless wlan0 type station set interfaces wireless wlan0 address dhcp - set interfaces wireless wlan0 country-code de set interfaces wireless wlan0 ssid Test set interfaces wireless wlan0 security wpa passphrase '12345678' @@ -390,11 +390,14 @@ Resulting in .. code-block:: none + system { + wireless { + country-code de + } + } interfaces { - [...] wireless wlan0 { address dhcp - country-code de security { wpa { passphrase "12345678" @@ -430,8 +433,8 @@ The WAP in this example has the following characteristics: .. stop_vyoslinter .. code-block:: none + set system wireless country-code de set interfaces wireless wlan0 address '192.168.2.1/24' - set interfaces wireless wlan0 country-code de set interfaces wireless wlan0 type access-point set interfaces wireless wlan0 channel 1 set interfaces wireless wlan0 mode n @@ -447,11 +450,15 @@ Resulting in .. code-block:: none + system { + wireless { + country-code de + } + } interfaces { [...] wireless wlan0 { address 192.168.2.1/24 - country-code de channel 1 mode n security { 
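Review bot: "the box" in the country-code description is informal; keep "device" as the same sentence reads in 6a69e00a. The hunk context also shows `set system wireless country-code` remaining under the "Wireless options" heading, whereas 6a69e00a moved it into its own system-wide section, so this backport diverges from the change it claims to mirror; carry the section move as well, or the merged page lists a `system` command among per-interface options. Since the node is now global, the note "This option is mandatory in Access-Point mode" could say it must be set before any interface is configured as an access point.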
@@ -637,6 +644,7 @@ The WAP in this example has the following characteristics: .. code-block:: none + set system wireless country-code de set interfaces wireless wlan0 address '192.168.2.1/24' set interfaces wireless wlan0 type access-point set interfaces wireless wlan0 channel 1 @@ -645,18 +653,21 @@ The WAP in this example has the following characteristics: set interfaces wireless wlan0 security wpa mode wpa2 set interfaces wireless wlan0 security wpa cipher CCMP set interfaces wireless wlan0 security wpa passphrase '12345678' - set interfaces wireless wlan0 country-code de Resulting in .. code-block:: none + system { + wireless { + country-code de + } + } interfaces { [...] wireless wlan0 { address 192.168.2.1/24 channel 1 - country-code de mode n security { wpa { @@ -691,8 +702,8 @@ still put this card into AP mode using the following configuration: .. stop_vyoslinter .. code-block:: none + set system wireless country-code 'us' set interfaces wireless wlan0 channel '1' - set interfaces wireless wlan0 country-code 'us' set interfaces wireless wlan0 mode 'n' set interfaces wireless wlan0 physical-device 'phy0' set interfaces wireless wlan0 ssid 'VyOS' -- cgit v1.2.3 From c712670979fc1e2690482374e29b5b9384535dee Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Tue, 25 Jun 2024 16:51:26 +0300 Subject: Added info how to use DNAT and VRRP with rfc3768-compatibility Added warning info on how to use DNAT and VRRP with rfc3768-compatibility. --- docs/configuration/highavailability/index.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 9158ac1d..93d01364 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst 
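Review bot: the "Resulting in" blocks are inconsistent about the `[...]` elision under `interfaces {`: the station example removes it (`- [...]`) while the access-point examples keep it, and quoting is mixed between `country-code de` and `country-code 'us'`. VyOS accepts both forms, but the examples in one file should agree; pick one style for the whole page.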
@@ -220,6 +220,10 @@ Verification inet 172.25.0.247/16 scope global eth0v10 valid_lft forever preferred_lft forever +.. warning:: RFC 3768 creates a virtual interface. If you want to apply + the destination NAT rule to the traffic sent to the virtual MAC, set + the created virtual interface as `inbound-interface`. + Global options -------------- -- cgit v1.2.3 From d160ef08f6f2952a93bfb058f86d193c80fee4b8 Mon Sep 17 00:00:00 2001 From: Nicolas Vollmar Date: Wed, 26 Jun 2024 10:50:50 +0200 Subject: T2891: add documentation for ring-buffer option --- docs/configuration/interfaces/ethernet.rst | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index dd524035..30a13b5b 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -52,6 +52,14 @@ Ethernet options VyOS default will be `auto`. +.. cfgcmd:: set interface ethernet ring-buffer rx +.. cfgcmd:: set interface ethernet ring-buffer tx + + Configures the ring buffer size of the interface. + + The supported values for a specific interface can be obtained + with: `ethtool -g ` + Offloading ---------- @@ -295,5 +303,3 @@ Operation BR margin, min : 0% Vendor SN : FNS092xxxxx Date code : 0506xx - -.. stop_vyoslinter -- cgit v1.2.3 From d595e52be6d2cec07e910628b86f09c0734d6b26 Mon Sep 17 00:00:00 2001 From: khramshinr Date: Wed, 26 Jun 2024 15:13:26 +0600 Subject: ssh: T5878: Allow changing the PubkeyAcceptedAlgorithms option --- docs/configuration/service/ssh.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index efdbc651..d3ca51b5 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst 
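Review bot: the warning attributes the virtual interface to the RFC, but it is the `rfc3768-compatibility` option that creates it, as the `eth0v10` output in the hunk context shows. Suggest: "When ``rfc3768-compatibility`` is enabled, a virtual interface (for example ``eth0v10``) carries the virtual MAC. Destination NAT rules for traffic sent to the virtual MAC must use that interface as ``inbound-interface``, not the parent interface." Also use double backticks around `inbound-interface`; single backticks are interpreted text in RST and render as italics rather than as a literal.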
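Review bot: both new cfgcmd lines use `set interface ethernet ring-buffer`; the CLI node is `interfaces` (plural), as every other cfgcmd in the interfaces chapter. The description should give the unit (number of ring entries) and say that the accepted range depends on the driver, which is why `ethtool -g` is referenced; the interface placeholder after `ethtool -g` appears to be missing in the hunk, so check the rendered output. Removing the trailing `.. stop_vyoslinter` re-enables the linter over the preceding ethtool output block; make sure the docs lint job still passes.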
@@ -109,6 +109,25 @@ Configuration Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. +.. cfgcmd:: set service ssh pubkey-accepted-algorithm + + Specifies the signature algorithms that will be accepted for public key + authentication + + List of supported algorithms: ``ssh-ed25519``, + ``ssh-ed25519-cert-v01@openssh.com``, ``sk-ssh-ed25519@openssh.com``, + ``sk-ssh-ed25519-cert-v01@openssh.com``, ``ecdsa-sha2-nistp256``, + ``ecdsa-sha2-nistp256-cert-v01@openssh.com``, ``ecdsa-sha2-nistp384``, + ``ecdsa-sha2-nistp384-cert-v01@openssh.com``, ``ecdsa-sha2-nistp521``, + ``ecdsa-sha2-nistp521-cert-v01@openssh.com``, + ``sk-ecdsa-sha2-nistp256@openssh.com``, + ``sk-ecdsa-sha2-nistp256-cert-v01@openssh.com``, + ``webauthn-sk-ecdsa-sha2-nistp256@openssh.com``, + ``ssh-dss``, ``ssh-dss-cert-v01@openssh.com``, ``ssh-rsa``, + ``ssh-rsa-cert-v01@openssh.com``, ``rsa-sha2-256``, + ``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``, + ``rsa-sha2-512-cert-v01@openssh.com`` + Dynamic-protection ================== Protects host from brute-force attacks against -- cgit v1.2.3 From ccdfa9fec150a409818f6f2a2cf4d5099de37b1b Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Mon, 1 Jul 2024 01:38:15 -0400 Subject: openvpn: edit of the openvpn-options --- docs/configuration/interfaces/openvpn.rst | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index f51dfa94..fb85f4bf 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst 
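Review bot: the supported-algorithm list presents `ssh-dss`, `ssh-dss-cert-v01@openssh.com`, `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com` alongside the others with no caveat. These are SHA-1 signature schemes that OpenSSH disables by default, and accepting them weakens public-key authentication for every account on the router; add a note that they are legacy, should only be enabled for a specific client that cannot be updated, and that RSA keys should use the `rsa-sha2-256`/`rsa-sha2-512` entries instead. The description also needs its terminating period ("...for public key authentication.") and should say whether the option is multi-valued and whether setting it replaces or extends the sshd default list.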
@@ -637,17 +637,23 @@ benefit from it (see :ref:`issues_features`). If you are a hacker or want to try on your own we support passing raw OpenVPN options to OpenVPN. -.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option 'persistent-key' +.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option 'persist-key' -Will add ``persistent-key`` at the end of the generated OpenVPN configuration. +Will add ``persist-key`` to the generated OpenVPN configuration. Please use this only as last resort - things might break and OpenVPN won't start if you pass invalid options/syntax. .. cfgcmd:: set interfaces openvpn vtun10 openvpn-option - 'push "keepalive 1 10"' + 'push keepalive 10 60' Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. +.. cfgcmd:: set interfaces openvpn vtun10 openvpn-option + 'route-up "/config/auth/tun_up.sh arg1"' + +Will add ``route-up "/config/auth/tun_up.sh arg1"`` to the generated OpenVPN +config file. The path and arguments need to be single- or double-quoted. + .. note:: Sometimes option lines in the generated OpenVPN configuration require quotes. This is done through a hack on our config generator. You can pass quotes using the ``"`` statement. -- cgit v1.2.3 From 2b051992294fad1729c124d72ab88fb241c0d39d Mon Sep 17 00:00:00 2001 From: Nicolas Vollmar Date: Mon, 1 Jul 2024 08:49:35 +0200 Subject: T6477: Add documentation for telegraf loki output --- docs/configuration/service/monitoring.rst | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst index 245af067..10b4dee2 100644 --- a/docs/configuration/service/monitoring.rst +++ b/docs/configuration/service/monitoring.rst 
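Review bot: the second example is now internally inconsistent: the cfgcmd was changed to `'push keepalive 10 60'`, but the sentence below it still says "Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file". Update the sentence to the new values and keep the inner quotes in the command, because OpenVPN's `push` directive takes the pushed option as a quoted string (`push "keepalive 10 60"`), which is exactly what the note about passing ``"`` further down explains. The `route-up` example is consistent with its description; consider mentioning that the script must be executable and readable by the OpenVPN process, since a broken hook prevents the tunnel from coming up.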
@@ -130,6 +130,36 @@ and logs from your routers. Remote URL +Loki +==== + +Telegraf can be used to send logs to Loki using tags as labels. + +.. cfgcmd:: set service monitoring telegraf loki port + + Remote Loki port + + Default is 3100 + +.. cfgcmd:: set service monitoring telegraf loki url + + Remote Loki url + +.. cfgcmd:: set service monitoring telegraf loki authentication username +.. cfgcmd:: set service monitoring telegraf loki authentication password + + HTTP basic authentication. + + If either is set both must be set. + +.. cfgcmd:: set service monitoring telegraf loki metric-name-label
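Review bot: the `url` description ("Remote Loki url") should spell "URL", say that the scheme is part of the value, and point out that the HTTP basic authentication credentials configured two entries below travel in cleartext unless the URL uses https; as written, a reader can configure `username`/`password` against an `http://` endpoint without being told what that exposes. "If either is set both must be set." is the right constraint to document; also state whether a failed validation blocks commit or only disables the output.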