From a11428c495ebd75eb7351f2e3becaad915c9d3cc Mon Sep 17 00:00:00 2001
From: rebortg <rebortg@users.noreply.github.com>
Date: Mon, 15 Jan 2024 06:02:35 +0000
Subject: Github: update translations

---
 docs/_locale/de/404.pot                       |    8 +
 docs/_locale/de/LC_MESSAGES/404.mo            |  Bin 984 -> 1252 bytes
 docs/_locale/de/LC_MESSAGES/automation.mo     |  Bin 35418 -> 37840 bytes
 docs/_locale/de/LC_MESSAGES/cli.mo            |  Bin 29208 -> 30414 bytes
 docs/_locale/de/LC_MESSAGES/configexamples.mo |  Bin 123543 -> 127575 bytes
 docs/_locale/de/LC_MESSAGES/configuration.mo  |  Bin 1067443 -> 1148357 bytes
 docs/_locale/de/LC_MESSAGES/contributing.mo   |  Bin 109457 -> 111651 bytes
 docs/_locale/de/LC_MESSAGES/installation.mo   |  Bin 102022 -> 102388 bytes
 docs/_locale/de/LC_MESSAGES/quick-start.mo    |  Bin 19890 -> 22278 bytes
 docs/_locale/de/automation.pot                |  130 +-
 docs/_locale/de/cli.pot                       |   48 +-
 docs/_locale/de/configexamples.pot            |  194 +-
 docs/_locale/de/configuration.pot             | 5713 +++++++++++--------------
 docs/_locale/de/contributing.pot              |  288 +-
 docs/_locale/de/index.pot                     |   30 +-
 docs/_locale/de/installation.pot              |  114 +-
 docs/_locale/de/quick-start.pot               |  110 +-
 17 files changed, 3037 insertions(+), 3598 deletions(-)

(limited to 'docs/_locale/de')

diff --git a/docs/_locale/de/404.pot b/docs/_locale/de/404.pot
index 7ef03f50..57b3b68d 100644
--- a/docs/_locale/de/404.pot
+++ b/docs/_locale/de/404.pot
@@ -24,6 +24,14 @@ msgstr "`1.2.x (crux) <https://docs.vyos.io/en/crux/>`_"
 msgid "`1.3.x (equuleus) <https://docs.vyos.io/en/equuleus/>`_"
 msgstr "`1.3.x (equuleus) <https://docs.vyos.io/en/equuleus/>`_"
 
+#: ../../404.rst:11
+msgid "`1.4.x (sagitta) <https://docs.vyos.io/en/sagitta/>`_"
+msgstr "`1.4.x (sagitta) <https://docs.vyos.io/en/sagitta/>`_"
+
+#: ../../404.rst:12
+msgid "`rolling release (circinus) <https://docs.vyos.io/en/latest/>`_"
+msgstr "`rolling release (circinus) <https://docs.vyos.io/en/latest/>`_"
+
 #: ../../404.rst:11
 msgid "`rolling release (sagitta) <https://docs.vyos.io/en/latest/>`_"
 msgstr "`Rolling Release (Sagitta) <https://docs.vyos.io/en/latest/>`_"
diff --git a/docs/_locale/de/LC_MESSAGES/404.mo b/docs/_locale/de/LC_MESSAGES/404.mo
index 5cfb6e0c..e992b14f 100644
Binary files a/docs/_locale/de/LC_MESSAGES/404.mo and b/docs/_locale/de/LC_MESSAGES/404.mo differ
diff --git a/docs/_locale/de/LC_MESSAGES/automation.mo b/docs/_locale/de/LC_MESSAGES/automation.mo
index 0c571a2e..cb431fe9 100644
Binary files a/docs/_locale/de/LC_MESSAGES/automation.mo and b/docs/_locale/de/LC_MESSAGES/automation.mo differ
diff --git a/docs/_locale/de/LC_MESSAGES/cli.mo b/docs/_locale/de/LC_MESSAGES/cli.mo
index efb26dae..1722898e 100644
Binary files a/docs/_locale/de/LC_MESSAGES/cli.mo and b/docs/_locale/de/LC_MESSAGES/cli.mo differ
diff --git a/docs/_locale/de/LC_MESSAGES/configexamples.mo b/docs/_locale/de/LC_MESSAGES/configexamples.mo
index 44d8467f..4c237a80 100644
Binary files a/docs/_locale/de/LC_MESSAGES/configexamples.mo and b/docs/_locale/de/LC_MESSAGES/configexamples.mo differ
diff --git a/docs/_locale/de/LC_MESSAGES/configuration.mo b/docs/_locale/de/LC_MESSAGES/configuration.mo
index 0bbe8f6c..5d09f4b5 100644
Binary files a/docs/_locale/de/LC_MESSAGES/configuration.mo and b/docs/_locale/de/LC_MESSAGES/configuration.mo differ
diff --git a/docs/_locale/de/LC_MESSAGES/contributing.mo b/docs/_locale/de/LC_MESSAGES/contributing.mo
index 98e048cc..affcbb27 100644
Binary files a/docs/_locale/de/LC_MESSAGES/contributing.mo and b/docs/_locale/de/LC_MESSAGES/contributing.mo differ
diff --git a/docs/_locale/de/LC_MESSAGES/installation.mo b/docs/_locale/de/LC_MESSAGES/installation.mo
index e3d86879..d04f2532 100644
Binary files a/docs/_locale/de/LC_MESSAGES/installation.mo and b/docs/_locale/de/LC_MESSAGES/installation.mo differ
diff --git a/docs/_locale/de/LC_MESSAGES/quick-start.mo b/docs/_locale/de/LC_MESSAGES/quick-start.mo
index 6988da10..c14e354d 100644
Binary files a/docs/_locale/de/LC_MESSAGES/quick-start.mo and b/docs/_locale/de/LC_MESSAGES/quick-start.mo differ
diff --git a/docs/_locale/de/automation.pot b/docs/_locale/de/automation.pot
index 6d0be2c4..efd67b47 100644
--- a/docs/_locale/de/automation.pot
+++ b/docs/_locale/de/automation.pot
@@ -32,22 +32,30 @@ msgstr "**user-data**: includes vyos-commands."
 msgid "**user-data** file must start with ``#cloud-config`` and contains vyos-commands. For example:"
 msgstr "**user-data** file must start with ``#cloud-config`` and contains vyos-commands. For example:"
 
-#: ../../automation/vyos-api.rst:285
+#: ../../automation/vyos-api.rst:322
 msgid "/config-file"
 msgstr "/config-file"
 
-#: ../../automation/vyos-api.rst:228
+#: ../../automation/vyos-api.rst:265
 msgid "/configure"
 msgstr "/configure"
 
-#: ../../automation/vyos-api.rst:209
+#: ../../automation/vyos-api.rst:246
 msgid "/generate"
 msgstr "/generate"
 
-#: ../../automation/vyos-api.rst:147
+#: ../../automation/vyos-api.rst:184
 msgid "/image"
 msgstr "/image"
 
+#: ../../automation/vyos-api.rst:165
+msgid "/poweroff"
+msgstr "/poweroff"
+
+#: ../../automation/vyos-api.rst:147
+msgid "/reboot"
+msgstr "/reboot"
+
 #: ../../automation/vyos-api.rst:129
 msgid "/reset"
 msgstr "/reset"
@@ -56,7 +64,7 @@ msgstr "/reset"
 msgid "/retrieve"
 msgstr "/retrieve"
 
-#: ../../automation/vyos-api.rst:185
+#: ../../automation/vyos-api.rst:222
 msgid "/show"
 msgstr "/show"
 
@@ -178,6 +186,34 @@ msgstr "Configuration"
 msgid "Configuration commands are executed just like from a normal config session. For example, if you want to disable a BGP peer on VRRP transition to backup:"
 msgstr "Configuration commands are executed just like from a normal config session. For example, if you want to disable a BGP peer on VRRP transition to backup:"
 
+#: ../../automation/vyos-pyvyos.rst:94
+msgid "Configure, then Delete Object"
+msgstr "Configure, then Delete Object"
+
+#: ../../automation/vyos-pyvyos.rst:141
+msgid "Configure, then Load File"
+msgstr "Configure, then Load File"
+
+#: ../../automation/vyos-pyvyos.rst:101
+msgid "Configure, then Save"
+msgstr "Configure, then Save"
+
+#: ../../automation/vyos-pyvyos.rst:108
+msgid "Configure, then Save File"
+msgstr "Configure, then Save File"
+
+#: ../../automation/vyos-pyvyos.rst:68
+msgid "Configure, then Set"
+msgstr "Configure, then Set"
+
+#: ../../automation/vyos-pyvyos.rst:85
+msgid "Configure, then Show Object"
+msgstr "Configure, then Show Object"
+
+#: ../../automation/vyos-pyvyos.rst:77
+msgid "Configure, then Show a Single Object Value"
+msgstr "Configure, then Show a Single Object Value"
+
 #: ../../automation/vyos-napalm.rst:89
 msgid "Content of commands.conf"
 msgstr "Content of commands.conf"
@@ -258,7 +294,7 @@ msgstr "For configuration and enabling the API see :ref:`http-api`"
 msgid "For example, get the addresses of a ``dum0`` interface."
 msgstr "For example, get the addresses of a ``dum0`` interface."
 
-#: ../../automation/vyos-api.rst:189
+#: ../../automation/vyos-api.rst:226
 msgid "For example, show which images are installed."
 msgstr "For example, show which images are installed."
 
@@ -270,10 +306,18 @@ msgstr "For more information on the NoCloud data source, visit its `page <https:
 msgid "From cli or GUI, power on VM, and after it boots, verify configuration"
 msgstr "From cli or GUI, power on VM, and after it boots, verify configuration"
 
+#: ../../automation/vyos-pyvyos.rst:123
+msgid "Generate Object"
+msgstr "Generate Object"
+
 #: ../../automation/cloud-init.rst:268
 msgid "Generate qcow image"
 msgstr "Generate qcow image"
 
+#: ../../automation/vyos-pyvyos.rst:24
+msgid "Getting Started"
+msgstr "Getting Started"
+
 #: ../../automation/command-scripting.rst:82
 msgid "Here is a simple example:"
 msgstr "Here is a simple example:"
@@ -306,6 +350,10 @@ msgstr "If you need to gather information from linux commands to configure VyOS,
 msgid "If you want to script the configs in a language other than bash you can have your script output commands and then source them in a bash script."
 msgstr "If you want to script the configs in a language other than bash you can have your script output commands and then source them in a bash script."
 
+#: ../../automation/vyos-pyvyos.rst:27
+msgid "Importing and Disabling Warnings for verify=False"
+msgstr "Importing and Disabling Warnings for verify=False"
+
 #: ../../automation/cloud-init.rst:298
 msgid "In Proxmox server three files are going to be used for this setup:"
 msgstr "In Proxmox server three files are going to be used for this setup:"
@@ -326,6 +374,10 @@ msgstr "In this lab, we are using 1.3.0 VyOS version and setting a disk of 10G.
 msgid "Initial Configuration"
 msgstr "Initial Configuration"
 
+#: ../../automation/vyos-pyvyos.rst:47
+msgid "Initializing a VyDevice Object"
+msgstr "Initializing a VyDevice Object"
+
 #: ../../automation/cloud-init.rst:180
 msgid "Injecting configuration data is not limited to cloud platforms. Users can employ the NoCloud data source to inject user-data and meta-data on virtualization platforms such as VMware, Hyper-V and KVM."
 msgstr "Injecting configuration data is not limited to cloud platforms. Users can employ the NoCloud data source to inject user-data and meta-data on virtualization platforms such as VMware, Hyper-V and KVM."
@@ -334,6 +386,10 @@ msgstr "Injecting configuration data is not limited to cloud platforms. Users ca
 msgid "Install ``napalm-vyos`` module"
 msgstr "Install ``napalm-vyos`` module"
 
+#: ../../automation/vyos-pyvyos.rst:15
+msgid "Installation"
+msgstr "Installation"
+
 #: ../../automation/vyos-salt.rst:98
 msgid "It is possible to configure VyOS via netmiko_ proxy module. It requires a minion with installed packet  ``python3-netmiko`` module who has a connection to VyOS nodes. Salt-minion have to communicate with salt master"
 msgstr "It is possible to configure VyOS via netmiko_ proxy module. It requires a minion with installed packet  ``python3-netmiko`` module who has a connection to VyOS nodes. Salt-minion have to communicate with salt master"
@@ -451,6 +507,14 @@ msgstr "Proxmox IP address: **192.168.0.253/24**"
 msgid "Proxmox `Cloud-init-Support`_."
 msgstr "Proxmox `Cloud-init-Support`_."
 
+#: ../../automation/vyos-pyvyos.rst:6
+msgid "PyVyOS"
+msgstr "PyVyOS"
+
+#: ../../automation/vyos-pyvyos.rst:8
+msgid "PyVyOS is a Python library for interacting with VyOS devices via their API. This documentation guides you on using PyVyOS to manage your VyOS devices programmatically. The complete PyVyOS documentation is available on [Read the Docs](https://pyvyos.readthedocs.io/en/latest/), and the library can be found on [GitHub](https://github.com/robertoberto/pyvyos) and [PyPI](https://pypi.org/project/pyvyos/)."
+msgstr "PyVyOS is a Python library for interacting with VyOS devices via their API. This documentation guides you on using PyVyOS to manage your VyOS devices programmatically. The complete PyVyOS documentation is available on [Read the Docs](https://pyvyos.readthedocs.io/en/latest/), and the library can be found on [GitHub](https://github.com/robertoberto/pyvyos) and [PyPI](https://pypi.org/project/pyvyos/)."
+
 #: ../../automation/cloud-init.rst:416
 msgid "References"
 msgstr "References"
@@ -459,6 +523,10 @@ msgstr "References"
 msgid "Remove default dhcp client on first interface, and load other configuration during first boot, using cloud-init."
 msgstr "Remove default dhcp client on first interface, and load other configuration during first boot, using cloud-init."
 
+#: ../../automation/vyos-pyvyos.rst:132
+msgid "Reset Object"
+msgstr "Reset Object"
+
 #: ../../automation/vyos-ansible.rst:80
 msgid "Run ansible"
 msgstr "Run ansible"
@@ -487,11 +555,11 @@ msgstr "Salt"
 msgid "Salt master configuration:"
 msgstr "Salt master configuration:"
 
-#: ../../automation/vyos-api.rst:307
+#: ../../automation/vyos-api.rst:344
 msgid "Save a running configuration to a file."
 msgstr "Save a running configuration to a file."
 
-#: ../../automation/vyos-api.rst:289
+#: ../../automation/vyos-api.rst:326
 msgid "Save a running configuration to the startup configuration. When you don't specify the file when saving, it saves to ``/config/config.boot``."
 msgstr "Save a running configuration to the startup configuration. When you don't specify the file when saving, it saves to ``/config/config.boot``."
 
@@ -503,6 +571,10 @@ msgstr "Script vyos-napalm.py"
 msgid "Scripts are run in alphabetical order. Their names must consist entirely of ASCII upper- and lower-case letters,ASCII digits, ASCII underscores, and ASCII minus-hyphens.No other characters are allowed."
 msgstr "Scripts are run in alphabetical order. Their names must consist entirely of ASCII upper- and lower-case letters,ASCII digits, ASCII underscores, and ASCII minus-hyphens.No other characters are allowed."
 
+#: ../../automation/vyos-pyvyos.rst:115
+msgid "Show Object"
+msgstr "Show Object"
+
 #: ../../automation/command-scripting.rst:52
 msgid "Sometimes you simply wan't to execute a bunch of op-mode commands via SSH on a remote VyOS system."
 msgstr "Sometimes you simply wan't to execute a bunch of op-mode commands via SSH on a remote VyOS system."
@@ -523,7 +595,7 @@ msgstr "Structure of files"
 msgid "System Defaults/Fallbacks"
 msgstr "System Defaults/Fallbacks"
 
-#: ../../automation/vyos-api.rst:264
+#: ../../automation/vyos-api.rst:301
 msgid "The API pushes every request to a session and commit it. But some of VyOS components like DHCP and PPPoE Servers, IPSec, VXLAN, and other tunnels require full configuration for commit. The endpoint will process multiple commands when you pass them as a list to the ``data`` field."
 msgstr "The API pushes every request to a session and commit it. But some of VyOS components like DHCP and PPPoE Servers, IPSec, VXLAN, and other tunnels require full configuration for commit. The endpoint will process multiple commands when you pass them as a list to the ``data`` field."
 
@@ -535,11 +607,11 @@ msgstr "The ``/config/scripts/vyos-postconfig-bootup.script`` script is called o
 msgid "The ``/config/scripts/vyos-preconfig-bootup.script`` script is called on boot before the VyOS configuration during boot process."
 msgstr "The ``/config/scripts/vyos-preconfig-bootup.script`` script is called on boot before the VyOS configuration during boot process."
 
-#: ../../automation/vyos-api.rst:187
+#: ../../automation/vyos-api.rst:224
 msgid "The ``/show`` endpoint is to show everything in the operational mode."
 msgstr "The ``/show`` endpoint is to show everything in the operational mode."
 
-#: ../../automation/vyos-api.rst:211
+#: ../../automation/vyos-api.rst:248
 msgid "The ``generate`` endpoint run a ``generate`` command."
 msgstr "The ``generate`` endpoint run a ``generate`` command."
 
@@ -568,7 +640,7 @@ msgstr "The default file looks like this:"
 msgid "The easiest way to configure the system via user-data is the Cloud-config syntax described below."
 msgstr "The easiest way to configure the system via user-data is the Cloud-config syntax described below."
 
-#: ../../automation/vyos-api.rst:287
+#: ../../automation/vyos-api.rst:324
 msgid "The endpoint ``/config-file`` is to save or load a configuration."
 msgstr "The endpoint ``/config-file`` is to save or load a configuration."
 
@@ -604,11 +676,11 @@ msgstr "This section needs improvements, examples and explanations."
 msgid "This will result in the following error message: ``Set failed`` If this happens, a reboot is required to be able to edit the config manually again."
 msgstr "This will result in the following error message: ``Set failed`` If this happens, a reboot is required to be able to edit the config manually again."
 
-#: ../../automation/vyos-api.rst:323
+#: ../../automation/vyos-api.rst:360
 msgid "To Load a configuration file."
 msgstr "To Load a configuration file."
 
-#: ../../automation/vyos-api.rst:149
+#: ../../automation/vyos-api.rst:186
 msgid "To add or delete an image, use the ``/image`` endpoint."
 msgstr "To add or delete an image, use the ``/image`` endpoint."
 
@@ -624,6 +696,10 @@ msgstr "To get the whole configuration, pass an empty list to the ``path`` field
 msgid "To include VyOS specific functions and aliases you need to ``source /opt/vyatta/etc/functions/script-template`` files at the top of your script."
 msgstr "To include VyOS specific functions and aliases you need to ``source /opt/vyatta/etc/functions/script-template`` files at the top of your script."
 
+#: ../../automation/vyos-api.rst:149
+msgid "To initiate a reboot use the ``reboot`` endpoint."
+msgstr "To initiate a reboot use the ``reboot`` endpoint."
+
 #: ../../automation/command-scripting.rst:128
 msgid "To make sure that a script is not accidentally called without the ``vyattacfg`` group, the script can be safeguarded like this:"
 msgstr "To make sure that a script is not accidentally called without the ``vyattacfg`` group, the script can be safeguarded like this:"
@@ -632,6 +708,10 @@ msgstr "To make sure that a script is not accidentally called without the ``vyat
 msgid "To only get a part of the configuration, for example ``system syslog``."
 msgstr "To only get a part of the configuration, for example ``system syslog``."
 
+#: ../../automation/vyos-api.rst:167
+msgid "To power off the system use the ``poweroff`` endpoint."
+msgstr "To power off the system use the ``poweroff`` endpoint."
+
 #: ../../automation/cloud-init.rst:223
 msgid "Troubleshooting"
 msgstr "Troubleshooting"
@@ -648,6 +728,14 @@ msgstr "User-data"
 msgid "User-data - User-data is specified by the user. This config source offers the ability to insert any CLI configuration commands into the configuration before the first boot."
 msgstr "User-data - User-data is specified by the user. This config source offers the ability to insert any CLI configuration commands into the configuration before the first boot."
 
+#: ../../automation/vyos-pyvyos.rst:35
+msgid "Using API Response Class"
+msgstr "Using API Response Class"
+
+#: ../../automation/vyos-pyvyos.rst:65
+msgid "Using PyVyOS"
+msgstr "Using PyVyOS"
+
 #: ../../automation/cloud-init.rst:373
 msgid "VM ID: in this example, VM ID used is 555."
 msgstr "VM ID: in this example, VM ID used is 555."
@@ -736,11 +824,15 @@ msgstr "Without proxy it requires VyOS minion configuration and support op-mode
 msgid "Without proxy it requires VyOS minion configuration and supports op-mode data:"
 msgstr "Without proxy it requires VyOS minion configuration and supports op-mode data:"
 
-#: ../../automation/vyos-api.rst:230
+#: ../../automation/vyos-pyvyos.rst:17
+msgid "You can install PyVyOS using pip:"
+msgstr "You can install PyVyOS using pip:"
+
+#: ../../automation/vyos-api.rst:267
 msgid "You can pass a ``set``, ``delete`` or ``comment`` command to the ``/configure`` endpoint."
 msgstr "You can pass a ``set``, ``delete`` or ``comment`` command to the ``/configure`` endpoint."
 
-#: ../../automation/vyos-api.rst:249
+#: ../../automation/vyos-api.rst:286
 msgid "``delete`` a single command"
 msgstr "``delete`` a single command"
 
@@ -748,7 +840,7 @@ msgstr "``delete`` a single command"
 msgid "``seed.iso`` was previously created in directory ``/tmp/``. It's necessary to move it to ``/var/lib/vz/template/iso``"
 msgstr "``seed.iso`` was previously created in directory ``/tmp/``. It's necessary to move it to ``/var/lib/vz/template/iso``"
 
-#: ../../automation/vyos-api.rst:233
+#: ../../automation/vyos-api.rst:270
 msgid "``set`` a single command"
 msgstr "``set`` a single command"
 
@@ -764,7 +856,7 @@ msgstr "``vyos``/``vyos`` credentials if no others specified by data source."
 msgid "``write_files`` - this module allows to insert any files into the filesystem before the first boot, for example, pre-generated encryption keys, certificates, or even a whole ``config.boot`` file. The format is described in the cloudinit documentation `Cloud-init-write_files`_."
 msgstr "``write_files`` - this module allows to insert any files into the filesystem before the first boot, for example, pre-generated encryption keys, certificates, or even a whole ``config.boot`` file. The format is described in the cloudinit documentation `Cloud-init-write_files`_."
 
-#: ../../automation/vyos-api.rst:151
+#: ../../automation/vyos-api.rst:188
 msgid "add an image"
 msgstr "add an image"
 
@@ -784,7 +876,7 @@ msgstr "cloud-init logs to /var/log/cloud-init.log. This file can be helpful in
 msgid "commands.txt"
 msgstr "commands.txt"
 
-#: ../../automation/vyos-api.rst:168
+#: ../../automation/vyos-api.rst:205
 msgid "delete an image, for example ``1.3-rolling-202006070117``"
 msgstr "delete an image, for example ``1.3-rolling-202006070117``"
 
diff --git a/docs/_locale/de/cli.pot b/docs/_locale/de/cli.pot
index 06a89458..8f272347 100644
--- a/docs/_locale/de/cli.pot
+++ b/docs/_locale/de/cli.pot
@@ -124,14 +124,18 @@ msgstr "For example typing ``sh`` followed by the ``TAB`` key will complete to `
 msgid "Get a collection of all the set commands required which led to the running configuration."
 msgstr "Get a collection of all the set commands required which led to the running configuration."
 
-#: ../../cli.rst:930
+#: ../../cli.rst:933
 msgid "If you are remotely connected, you will lose your connection. You may want to copy first the config, edit it to ensure connectivity, and load the edited config."
 msgstr "If you are remotely connected, you will lose your connection. You may want to copy first the config, edit it to ensure connectivity, and load the edited config."
 
-#: ../../cli.rst:916
+#: ../../cli.rst:919
 msgid "In the case you want to completely delete your configuration and restore the default one, you can enter the following command in configuration mode:"
 msgstr "In the case you want to completely delete your configuration and restore the default one, you can enter the following command in configuration mode:"
 
+#: ../../cli.rst:413
+msgid "It is also possible to display all :cfgcmd:`set` commands within configuration mode using :cfgcmd:`show | commands`"
+msgstr "It is also possible to display all :cfgcmd:`set` commands within configuration mode using :cfgcmd:`show | commands`"
+
 #: ../../cli.rst:413
 msgid "It is also possible to display all `set` commands within configuration mode using :cfgcmd:`show | commands`"
 msgstr "It is also possible to display all `set` commands within configuration mode using :cfgcmd:`show | commands`"
@@ -168,7 +172,7 @@ msgstr "Remote Archive"
 msgid "Rename a configuration element."
 msgstr "Rename a configuration element."
 
-#: ../../cli.rst:914
+#: ../../cli.rst:917
 msgid "Restore Default"
 msgstr "Restore Default"
 
@@ -184,7 +188,7 @@ msgstr "Rollback Changes"
 msgid "Rollback to revision N (currently requires reboot)"
 msgstr "Rollback to revision N (currently requires reboot)"
 
-#: ../../cli.rst:881
+#: ../../cli.rst:884
 msgid "Saving and loading manually"
 msgstr "Saving and loading manually"
 
@@ -244,11 +248,11 @@ msgstr "The configuration can be edited by the use of :cfgcmd:`set` and :cfgcmd:
 msgid "The current hierarchy level can be changed by the :cfgcmd:`edit` command."
 msgstr "The current hierarchy level can be changed by the :cfgcmd:`edit` command."
 
-#: ../../cli.rst:869
+#: ../../cli.rst:872
 msgid "The number of revisions don't affect the commit-archive."
 msgstr "The number of revisions don't affect the commit-archive."
 
-#: ../../cli.rst:927
+#: ../../cli.rst:930
 msgid "Then you may want to :cfgcmd:`save` in order to delete the saved configuration too."
 msgstr "Then you may want to :cfgcmd:`save` in order to delete the saved configuration too."
 
@@ -280,7 +284,7 @@ msgstr "To remove an existing comment from your current configuration, specify a
 msgid "Use the ``show configuration commands | strip-private`` command when you want to hide private data. You may want to do so if you want to share your configuration on the `forum`_."
 msgstr "Use the ``show configuration commands | strip-private`` command when you want to hide private data. You may want to do so if you want to share your configuration on the `forum`_."
 
-#: ../../cli.rst:892
+#: ../../cli.rst:895
 msgid "Use this command to load a configuration which will replace the running configuration. Define the location of the configuration file to be loaded. You can use a path to a local file, an SCP address, an SFTP address, an FTP address, an HTTP address, an HTTPS address or a TFTP address."
 msgstr "Use this command to load a configuration which will replace the running configuration. Define the location of the configuration file to be loaded. You can use a path to a local file, an SCP address, an SFTP address, an FTP address, an HTTP address, an HTTPS address or a TFTP address."
 
@@ -352,7 +356,7 @@ msgstr "When inside configuration mode you are not directly able to execute oper
 msgid "When the output of a command results in more lines than can be displayed on the terminal screen the output is paginated as indicated by a ``:`` prompt."
 msgstr "When the output of a command results in more lines than can be displayed on the terminal screen the output is paginated as indicated by a ``:`` prompt."
 
-#: ../../cli.rst:886
+#: ../../cli.rst:889
 msgid "When using the save_ command, you can add a specific location where to store your configuration file. And, when needed it, you will be able to load it with the ``load`` command:"
 msgstr "When using the save_ command, you can add a specific location where to store your configuration file. And, when needed it, you will be able to load it with the ``load`` command:"
 
@@ -364,6 +368,10 @@ msgstr "When viewing in page mode the following commands are available:"
 msgid "You are now in a sublevel relative to ``interfaces ethernet eth0``, all commands executed from this point on are relative to this sublevel. Use eithe the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top of the hierarchy. You can also use the :cfgcmd:`up` command to move only one level up at a time."
 msgstr "You are now in a sublevel relative to ``interfaces ethernet eth0``, all commands executed from this point on are relative to this sublevel. Use eithe the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top of the hierarchy. You can also use the :cfgcmd:`up` command to move only one level up at a time."
 
+#: ../../cli.rst:370
+msgid "You are now in a sublevel relative to ``interfaces ethernet eth0``, all commands executed from this point on are relative to this sublevel. Use either the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top of the hierarchy. You can also use the :cfgcmd:`up` command to move only one level up at a time."
+msgstr "You are now in a sublevel relative to ``interfaces ethernet eth0``, all commands executed from this point on are relative to this sublevel. Use either the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top of the hierarchy. You can also use the :cfgcmd:`up` command to move only one level up at a time."
+
 #: ../../cli.rst:618
 msgid "You can also rename config subtrees:"
 msgstr "You can also rename config subtrees:"
@@ -384,15 +392,15 @@ msgstr "You can scroll up with the keys ``[Shift]+[PageUp]`` and scroll down wit
 msgid "You can specify the number of revisions stored on disk. N can be in the range of 0 - 65535. When the number of revisions exceeds the configured value, the oldest revision is removed. The default setting for this value is to store 100 revisions locally."
 msgstr "You can specify the number of revisions stored on disk. N can be in the range of 0 - 65535. When the number of revisions exceeds the configured value, the oldest revision is removed. The default setting for this value is to store 100 revisions locally."
 
-#: ../../cli.rst:883
+#: ../../cli.rst:886
 msgid "You can use the ``save`` and ``load`` commands if you want to manually manage specific configuration files."
 msgstr "You can use the ``save`` and ``load`` commands if you want to manually manage specific configuration files."
 
-#: ../../cli.rst:871
+#: ../../cli.rst:874
 msgid "You may find VyOS not allowing the secure connection because it cannot verify the legitimacy of the remote server. You can use the workaround below to quickly add the remote host's SSH fingerprint to your ``~/.ssh/known_hosts`` file:"
 msgstr "You may find VyOS not allowing the secure connection because it cannot verify the legitimacy of the remote server. You can use the workaround below to quickly add the remote host's SSH fingerprint to your ``~/.ssh/known_hosts`` file:"
 
-#: ../../cli.rst:924
+#: ../../cli.rst:927
 msgid "You will be asked if you want to continue. If you accept, you will have to use :cfgcmd:`commit` if you want to make the changes active."
 msgstr "You will be asked if you want to continue. If you accept, you will have to use :cfgcmd:`commit` if you want to make the changes active."
 
@@ -404,6 +412,18 @@ msgstr "``b`` will scroll back one page"
 msgid "``ftp://<user>:<passwd>@<host>/<dir>``"
 msgstr "``ftp://<user>:<passwd>@<host>/<dir>``"
 
+#: ../../cli.rst:870
+msgid "``git+https://<user>:<passwd>@<host>/<path>``"
+msgstr "``git+https://<user>:<passwd>@<host>/<path>``"
+
+#: ../../cli.rst:864
+msgid "``http://<user>:<passwd>@<host>:/<dir>``"
+msgstr "``http://<user>:<passwd>@<host>:/<dir>``"
+
+#: ../../cli.rst:865
+msgid "``https://<user>:<passwd>@<host>:/<dir>``"
+msgstr "``https://<user>:<passwd>@<host>:/<dir>``"
+
 #: ../../cli.rst:71
 msgid "``left-arrow`` and ``right-arrow`` can be used to scroll left or right in the event that the output has lines which exceed the terminal size."
 msgstr "``left-arrow`` and ``right-arrow`` can be used to scroll left or right in the event that the output has lines which exceed the terminal size."
@@ -416,11 +436,11 @@ msgstr "``q`` key can be used to cancel output"
 msgid "``return`` will scroll down one line"
 msgstr "``return`` will scroll down one line"
 
-#: ../../cli.rst:864
+#: ../../cli.rst:868
 msgid "``scp://<user>:<passwd>@<host>:/<dir>``"
 msgstr "``scp://<user>:<passwd>@<host>:/<dir>``"
 
-#: ../../cli.rst:865
+#: ../../cli.rst:867
 msgid "``sftp://<user>:<passwd>@<host>/<dir>``"
 msgstr "``sftp://<user>:<passwd>@<host>/<dir>``"
 
@@ -428,7 +448,7 @@ msgstr "``sftp://<user>:<passwd>@<host>/<dir>``"
 msgid "``space`` will scroll down one page"
 msgstr "``space`` will scroll down one page"
 
-#: ../../cli.rst:867
+#: ../../cli.rst:869
 msgid "``tftp://<host>/<dir>``"
 msgstr "``tftp://<host>/<dir>``"
 
diff --git a/docs/_locale/de/configexamples.pot b/docs/_locale/de/configexamples.pot
index 22c08587..d7dd346f 100644
--- a/docs/_locale/de/configexamples.pot
+++ b/docs/_locale/de/configexamples.pot
@@ -210,22 +210,18 @@ msgstr "4 x Provider routers (VyOS-Px)"
 msgid "50: Upstream, using the 192.0.2.0/24 network allocated by them."
 msgstr "50: Upstream, using the 192.0.2.0/24 network allocated by them."
 
-#: ../../configexamples/inter-vrf-routing-vrf-lite.rst:102
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:102
 msgid "64496:1"
 msgstr "64496:1"
 
-#: ../../configexamples/inter-vrf-routing-vrf-lite.rst:108
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:108
 msgid "64496:100"
 msgstr "64496:100"
 
-#: ../../configexamples/inter-vrf-routing-vrf-lite.rst:104
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:104
 msgid "64496:2"
 msgstr "64496:2"
 
-#: ../../configexamples/inter-vrf-routing-vrf-lite.rst:106
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:106
 msgid "64496:50"
 msgstr "64496:50"
@@ -276,7 +272,7 @@ msgstr "A brief excursion into VRFs: This has been one of the longest-standing f
 msgid "A connection resource deployed in Azure linking the Azure VNet gateway and the local network gateway representing the Vyos device."
 msgstr "A connection resource deployed in Azure linking the Azure VNet gateway and the local network gateway representing the Vyos device."
 
-#: ../../configexamples/index.rst:35
+#: ../../configexamples/index.rst:37
 msgid "A host ``vyos-oobm`` will use as a ssh proxy. This host is just necessary for the Lab test."
 msgstr "A host ``vyos-oobm`` will use as a ssh proxy. This host is just necessary for the Lab test."
 
@@ -322,10 +318,22 @@ msgstr "Active Directory on Windows server"
 msgid "Add (temporary) default route"
 msgstr "Add (temporary) default route"
 
+#: ../../configexamples/ansible.rst:73
+msgid "Add all the hosts of VyOS:"
+msgstr "Add all the hosts of VyOS:"
+
+#: ../../configexamples/ansible.rst:85
+msgid "Add general variables:"
+msgstr "Add general variables:"
+
 #: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:47
 msgid "Add the LDAP plugin configuration file `/config/auth/ldap-auth.config`"
 msgstr "Add the LDAP plugin configuration file `/config/auth/ldap-auth.config`"
 
+#: ../../configexamples/ansible.rst:99
+msgid "Add the simple playbook with the tasks for each router:"
+msgstr "Add the simple playbook with the tasks for each router:"
+
 #: ../../configexamples/wan-load-balancing.rst:167
 msgid "Adding a rule for the second interface"
 msgstr "Adding a rule for the second interface"
@@ -426,11 +434,15 @@ msgstr "And show all DHCP Leases"
 msgid "And the ``client`` to receive an IPv6 address with stateless autoconfig."
 msgstr "And the ``client`` to receive an IPv6 address with stateless autoconfig."
 
-#: ../../configexamples/autotest/DHCPRelay_through_GRE/DHCPRelay_through_GRE.rst:None
-#: ../../configexamples/autotest/Wireguard/Wireguard.rst:None
+#: ../../configexamples/autotest/DHCPRelay_through_GRE/DHCPRelay_through_GRE.rst:-1
+#: ../../configexamples/autotest/Wireguard/Wireguard.rst:-1
 msgid "Ansible Example topology image"
 msgstr "Ansible Example topology image"
 
+#: ../../configexamples/ansible.rst:7
+msgid "Ansible example"
+msgstr "Ansible example"
+
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:10
 msgid "Any information related to a VRF is not exchanged between devices -or in the same device- by default, this is a technique called **VRF-Lite**."
 msgstr "Any information related to a VRF is not exchanged between devices -or in the same device- by default, this is a technique called **VRF-Lite**."
@@ -559,6 +571,10 @@ msgstr "Basic Firewall"
 msgid "Basic Setup (via console)"
 msgstr "Basic Setup (via console)"
 
+#: ../../configexamples/ansible.rst:64
+msgid "Basik configuration of the ansible.cfg:"
+msgstr "Basik configuration of the ansible.cfg:"
+
 #: ../../configexamples/qos.rst:74
 msgid "Before the interface eth0 on router VyOS3"
 msgstr "Before the interface eth0 on router VyOS3"
@@ -611,6 +627,14 @@ msgstr "Check the result"
 msgid "Check the result."
 msgstr "Check the result."
 
+#: ../../configexamples/ansible.rst:142
+msgid "Check the result on the vyos10 router:"
+msgstr "Check the result on the vyos10 router:"
+
+#: ../../configexamples/ansible.rst:51
+msgid "Check the version:"
+msgstr "Check the version:"
+
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:164
 msgid "Checking the routing table of the VRF should reveal both static and connected entries active. A PING test between the Core and remote router is a way to validate connectivity within the VRF."
 msgstr "Checking the routing table of the VRF should reveal both static and connected entries active. A PING test between the Core and remote router is a way to validate connectivity within the VRF."
@@ -619,6 +643,10 @@ msgstr "Checking the routing table of the VRF should reveal both static and conn
 msgid "Checking through op-mode commands"
 msgstr "Checking through op-mode commands"
 
+#: ../../configexamples/site-2-site-cisco.rst:71
+msgid "Cisco"
+msgstr "Cisco"
+
 #: ../../configexamples/ha.rst:90
 msgid "Cisco VPC Crossconnect - Ports 39 and 40 bonded between each switch"
 msgstr "Cisco VPC Crossconnect - Ports 39 and 40 bonded between each switch"
@@ -652,6 +680,7 @@ msgstr "Conclusions"
 #: ../../configexamples/ospf-unnumbered.rst:12
 #: ../../configexamples/policy-based-ipsec-and-firewall.rst:47
 #: ../../configexamples/segment-routing-isis.rst:24
+#: ../../configexamples/site-2-site-cisco.rst:18
 msgid "Configuration"
 msgstr "Configuration"
 
@@ -675,7 +704,7 @@ msgstr "Configuration 'dcsp' and shaper using QoS"
 msgid "Configuration Blueprints"
 msgstr "Configuration Blueprints"
 
-#: ../../configexamples/index.rst:28
+#: ../../configexamples/index.rst:30
 msgid "Configuration Blueprints (autotest)"
 msgstr "Configuration Blueprints (autotest)"
 
@@ -856,7 +885,7 @@ msgstr "Dynamic routing used between CE and PE nodes and eBGP peering establishe
 msgid "Each interface is assigned to a zone. The interface can be physical or virtual such as tunnels (VPN, PPTP, GRE, etc) and are treated exactly the same."
 msgstr "Each interface is assigned to a zone. The interface can be physical or virtual such as tunnels (VPN, PPTP, GRE, etc) and are treated exactly the same."
 
-#: ../../configexamples/index.rst:32
+#: ../../configexamples/index.rst:34
 msgid "Each lab will build an test from an external script. The page content will generate, so changes will not take an effect."
 msgstr "Each lab will build an test from an external script. The page content will generate, so changes will not take an effect."
 
@@ -962,6 +991,10 @@ msgstr "First a CA, a signed server and client ceftificate and a Diffie-Hellman
 msgid "First prepare our VyOS router for connection to NMP. We have to set up the SNMP protocol and connectivity between the router and NMP."
 msgstr "First prepare our VyOS router for connection to NMP. We have to set up the SNMP protocol and connectivity between the router and NMP."
 
+#: ../../configexamples/site-2-site-cisco.rst:9
+msgid "FlexVPN is a newer \"solution\" for deployment of VPNs and it utilizes IKEv2 as the key exchange protocol. The result is a flexible and scalable VPN solution that can be easily adapted to fit various network needs. It can also support a variety of encryption methods, including AES and 3DES."
+msgstr "FlexVPN is a newer \"solution\" for deployment of VPNs and it utilizes IKEv2 as the key exchange protocol. The result is a flexible and scalable VPN solution that can be easily adapted to fit various network needs. It can also support a variety of encryption methods, including AES and 3DES."
+
 #: ../../configexamples/ha.rst:60
 msgid "For connection between sites, we are running a WireGuard link to two REMOTE routers and using OSPF over those links to distribute routes. That remote site is expected to send traffic from anything in 10.201.0.0/16"
 msgstr "For connection between sites, we are running a WireGuard link to two REMOTE routers and using OSPF over those links to distribute routes. That remote site is expected to send traffic from anything in 10.201.0.0/16"
@@ -998,6 +1031,10 @@ msgstr "From Management to Outside (fails as intended)"
 msgid "Full configuration from all devices"
 msgstr "Full configuration from all devices"
 
+#: ../../configexamples/site-2-site-cisco.rst:23
+msgid "GRE:"
+msgstr "GRE:"
+
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:19
 msgid "General information about L3VPNs can be found in the :ref:`configuration/vrf/index:L3VPN VRFs` chapter."
 msgstr "General information about L3VPNs can be found in the :ref:`configuration/vrf/index:L3VPN VRFs` chapter."
@@ -1062,6 +1099,10 @@ msgstr "IPSec configuration:"
 msgid "IP Schema"
 msgstr "IP Schema"
 
+#: ../../configexamples/site-2-site-cisco.rst:34
+msgid "IPsec:"
+msgstr "IPsec:"
+
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:85
 msgid "IPv4 Network"
 msgstr "IPv4 Network"
@@ -1171,6 +1212,10 @@ msgstr "In the end, you'll get a powerful instrument for monitoring the VyOS sys
 msgid "In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is."
 msgstr "In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is."
 
+#: ../../configexamples/ansible.rst:216
+msgid "In the next chapter of the example, we'll use the Ansible with jinja2 templates and variables."
+msgstr "In the next chapter of the example, we'll use the Ansible with jinja2 templates and variables."
+
 #: ../../configexamples/ha.rst:154
 msgid "In this case, the hardware router has a different IP, so it would be"
 msgstr "In this case, the hardware router has a different IP, so it would be"
@@ -1191,6 +1236,10 @@ msgstr "In this document, we have been allocated 203.0.113.0/24 by our upstream
 msgid "In this example, eth0 is the primary interface and eth1 is the secondary interface. To provide simple failover functionality. If eth0 fails, eth1 takes over."
 msgstr "In this example, eth0 is the primary interface and eth1 is the secondary interface. To provide simple failover functionality. If eth0 fails, eth1 takes over."
 
+#: ../../configexamples/ansible.rst:12
+msgid "In this example, we will set up a simple use of Ansible to configure multiple VyoS routers. We have four pre-configured routers with this configuration:"
+msgstr "In this example, we will set up a simple use of Ansible to configure multiple VyoS routers. We have four pre-configured routers with this configuration:"
+
 #: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:42
 msgid "In this example OpenVPN will be setup with a client certificate and username / password authentication."
 msgstr "In this example OpenVPN will be setup with a client certificate and username / password authentication."
@@ -1215,6 +1264,14 @@ msgstr "Information about Ethernet Virtual Private Networks"
 msgid "Information about prefix-sid and label-operation from VyOS"
 msgstr "Information about prefix-sid and label-operation from VyOS"
 
+#: ../../configexamples/ansible.rst:37
+msgid "Install the Ansible:"
+msgstr "Install the Ansible:"
+
+#: ../../configexamples/ansible.rst:44
+msgid "Install the paramiko:"
+msgstr "Install the paramiko:"
+
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:3
 msgid "Inter-VRF Routing over VRF Lite"
 msgstr "Inter-VRF Routing over VRF Lite"
@@ -1276,7 +1333,7 @@ msgstr "Keep networks isolated is -in general- a good principle, but there are c
 msgid "L3VPN EVPN with VyOS"
 msgstr "L3VPN EVPN with VyOS"
 
-#: ../../configexamples/autotest/L3VPN_EVPN/L3VPN_EVPN.rst:None
+#: ../../configexamples/autotest/L3VPN_EVPN/L3VPN_EVPN.rst:-1
 msgid "L3VPN EVPN with VyOS topology image"
 msgstr "L3VPN EVPN with VyOS topology image"
 
@@ -1403,29 +1460,14 @@ msgstr "Network Cabling"
 msgid "Network Topology"
 msgstr "Network Topology"
 
-#: ../../configexamples/inter-vrf-routing-vrf-lite.rst:None
-#: ../../configexamples/l3vpn-hub-and-spoke.rst:None
-#: ../../configexamples/nmp.rst:None
-#: ../../configexamples/nmp.rst:None
-#: ../../configexamples/nmp.rst:None
-#: ../../configexamples/nmp.rst:None
-#: ../../configexamples/nmp.rst:None
-#: ../../configexamples/nmp.rst:None
-#: ../../configexamples/nmp.rst:None
-#: ../../configexamples/pppoe-ipv6-basic.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/qos.rst:None
-#: ../../configexamples/wan-load-balancing.rst:None
-#: ../../configexamples/wan-load-balancing.rst:None
-#: ../../configexamples/zone-policy.rst:None
+#: ../../configexamples/ansible.rst:-1
+#: ../../configexamples/inter-vrf-routing-vrf-lite.rst:-1
+#: ../../configexamples/l3vpn-hub-and-spoke.rst:-1
+#: ../../configexamples/nmp.rst:-1
+#: ../../configexamples/pppoe-ipv6-basic.rst:-1
+#: ../../configexamples/qos.rst:-1
+#: ../../configexamples/wan-load-balancing.rst:-1
+#: ../../configexamples/zone-policy.rst:-1
 msgid "Network Topology Diagram"
 msgstr "Network Topology Diagram"
 
@@ -1457,7 +1499,7 @@ msgstr "Node"
 msgid "Note that router1 is a VM that runs on one of the compute nodes."
 msgstr "Note that router1 is a VM that runs on one of the compute nodes."
 
-#: ../../configexamples/pppoe-ipv6-basic.rst:111
+#: ../../configexamples/pppoe-ipv6-basic.rst:115
 msgid "Note to allow the router to receive DHCPv6 response from ISP. We need to allow packets with source port 547 (server) and destination port 546 (client)."
 msgstr "Note to allow the router to receive DHCPv6 response from ISP. We need to allow packets with source port 547 (server) and destination port 546 (client)."
 
@@ -1554,7 +1596,7 @@ msgstr "One cable/logical connection between LAN2 and Management"
 msgid "OpenVPN with LDAP"
 msgstr "OpenVPN with LDAP"
 
-#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:None
+#: ../../configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst:-1
 msgid "OpenVPN with LDAP topology image"
 msgstr "OpenVPN with LDAP topology image"
 
@@ -1793,6 +1835,10 @@ msgstr "Sets your LAN interface's IP address"
 msgid "Setting BGP global local-as as well inside the VRF. Redistribute static routes to inject configured networks into the BGP process but still inside the VRF."
 msgstr "Setting BGP global local-as as well inside the VRF. Redistribute static routes to inject configured networks into the BGP process but still inside the VRF."
 
+#: ../../configexamples/ansible.rst:10
+msgid "Setting up Ansible on a server running the Debian operating system."
+msgstr "Setting up Ansible on a server running the Debian operating system."
+
 #: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:51
 msgid "Setup the ipv6 default route to the tunnel interface"
 msgstr "Setup the ipv6 default route to the tunnel interface"
@@ -1809,6 +1855,10 @@ msgstr "Similarly, to attach the firewall, you would use `set interfaces etherne
 msgid "Since some ISPs disconnects continuous connection for every 2~3 days, we set ``valid-lifetime`` to 2 days to allow PC for phasing out old address."
 msgstr "Since some ISPs disconnects continuous connection for every 2~3 days, we set ``valid-lifetime`` to 2 days to allow PC for phasing out old address."
 
+#: ../../configexamples/site-2-site-cisco.rst:128
+msgid "Since the tunnel is a point-to-point GRE tunnel, it behaves like any other point-to-point interface (for example: serial, dialer), and it is possible to run any Interior Gateway Protocol (IGP)/Exterior Gateway Protocol (EGP) over the link in order to exchange routing information"
+msgstr "Since the tunnel is a point-to-point GRE tunnel, it behaves like any other point-to-point interface (for example: serial, dialer), and it is possible to run any Interior Gateway Protocol (IGP)/Exterior Gateway Protocol (EGP) over the link in order to exchange routing information"
+
 #: ../../configexamples/zone-policy.rst:236
 msgid "Since we have 4 zones, we need to setup the following rulesets."
 msgstr "Since we have 4 zones, we need to setup the following rulesets."
@@ -1821,6 +1871,10 @@ msgstr "Single LAN Setup"
 msgid "Single LAN setup where eth2 is your LAN interface. Use the Tunnelbroker Routed /64 prefix:"
 msgstr "Single LAN setup where eth2 is your LAN interface. Use the Tunnelbroker Routed /64 prefix:"
 
+#: ../../configexamples/site-2-site-cisco.rst:4
+msgid "Site-to-Site IPSec VPN to Cisco using FlexVPN"
+msgstr "Site-to-Site IPSec VPN to Cisco using FlexVPN"
+
 #: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:179
 msgid "So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:"
 msgstr "So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:"
@@ -1838,6 +1892,10 @@ msgstr "Spoke"
 msgid "Start by setting the interface and default action for each zone."
 msgstr "Start by setting the interface and default action for each zone."
 
+#: ../../configexamples/ansible.rst:122
+msgid "Start the playbook:"
+msgstr "Start the playbook:"
+
 #: ../../configexamples/zone-policy.rst:8
 msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
 msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
@@ -1909,6 +1967,11 @@ msgstr "Testdate: 2023-05-11"
 msgid "Testdate: 2023-08-31"
 msgstr "Testdate: 2023-08-31"
 
+#: ../../configexamples/autotest/Wireguard/Wireguard.rst:6
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:7
+msgid "Testdate: 2024-01-13"
+msgstr "Testdate: 2024-01-13"
+
 #: ../../configexamples/ha.rst:276
 #: ../../configexamples/ha.rst:337
 msgid "Testing"
@@ -1979,7 +2042,11 @@ msgstr "The format of these addresses:"
 msgid "The lab I built is using a VRF (called **mgmt**) to provide out-of-band SSH access to the PE (Provider Edge) routers."
 msgstr "The lab I built is using a VRF (called **mgmt**) to provide out-of-band SSH access to the PE (Provider Edge) routers."
 
-#: ../../configexamples/index.rst:30
+#: ../../configexamples/site-2-site-cisco.rst:14
+msgid "The lab was built using EVE-NG."
+msgstr "The lab was built using EVE-NG."
+
+#: ../../configexamples/index.rst:32
 msgid "The next pages contains automatic full tested configuration examples."
 msgstr "The next pages contains automatic full tested configuration examples."
 
@@ -1987,7 +2054,7 @@ msgstr "The next pages contains automatic full tested configuration examples."
 msgid "The previous example used the failover command to send traffic through eth1 if eth0 fails. In this example, failover functionality is provided by rule order."
 msgstr "The previous example used the failover command to send traffic through eth1 if eth0 fails. In this example, failover functionality is provided by rule order."
 
-#: ../../configexamples/index.rst:38
+#: ../../configexamples/index.rst:40
 msgid "The process will do the following steps:"
 msgstr "The process will do the following steps:"
 
@@ -1999,6 +2066,10 @@ msgstr "The scope of this document is to cover such cases in a dynamic way witho
 msgid "The setup used in this example is shown in the following diagram:"
 msgstr "The setup used in this example is shown in the following diagram:"
 
+#: ../../configexamples/ansible.rst:161
+msgid "The simple way without configuration of the hostname (one task for all routers):"
+msgstr "The simple way without configuration of the hostname (one task for all routers):"
+
 #: ../../configexamples/ha.rst:339
 msgid "The simplest way to test is to look at the connection tracking stats on the standby hardware router with the command ``show conntrack-sync statistics``. The numbers should be very close to the numbers on the primary router."
 msgstr "The simplest way to test is to look at the connection tracking stats on the standby hardware router with the command ``show conntrack-sync statistics``. The numbers should be very close to the numbers on the primary router."
@@ -2079,6 +2150,10 @@ msgstr "This example uses the failover mode."
 msgid "This gives us MPLS segment routing enabled and labels forwarding :"
 msgstr "This gives us MPLS segment routing enabled and labels forwarding :"
 
+#: ../../configexamples/site-2-site-cisco.rst:6
+msgid "This guide shows a sample configuration for FlexVPN site-to-site Internet Protocol Security (IPsec)/Generic Routing Encapsulation (GRE) tunnel."
+msgstr "This guide shows a sample configuration for FlexVPN site-to-site Internet Protocol Security (IPsec)/Generic Routing Encapsulation (GRE) tunnel."
+
 #: ../../configexamples/azure-vpn-dual-bgp.rst:8
 msgid "This guide shows an example of a redundant (active-active) route-based IKEv2 site-to-site VPN to Azure using VTI and BGP for dynamic routing updates."
 msgstr "This guide shows an example of a redundant (active-active) route-based IKEv2 site-to-site VPN to Azure using VTI and BGP for dynamic routing updates."
@@ -2196,7 +2271,7 @@ msgstr "Transport:"
 msgid "Tunnelbroker.net (IPv6)"
 msgstr "Tunnelbroker.net (IPv6)"
 
-#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:None
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:-1
 msgid "Tunnelbroker topology image"
 msgstr "Tunnelbroker topology image"
 
@@ -2212,6 +2287,7 @@ msgstr "Two rules will be created, the first rule directs traffic coming in from
 msgid "Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. So if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore the assigned /64, and request the /48 and use that."
 msgstr "Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. So if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore the assigned /64, and request the /48 and use that."
 
+#: ../../configexamples/ansible.rst:15
 #: ../../configexamples/qos.rst:16
 msgid "Using the general schema for example:"
 msgstr "Using the general schema for example:"
@@ -2245,6 +2321,7 @@ msgstr "VRRP Configuration"
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:248
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:320
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:829
+#: ../../configexamples/site-2-site-cisco.rst:134
 msgid "Verification"
 msgstr "Verification"
 
@@ -2263,10 +2340,19 @@ msgstr "Version: 1.4-rolling-202305100734"
 msgid "Version: 1.4-rolling-202308240020"
 msgstr "Version: 1.4-rolling-202308240020"
 
+#: ../../configexamples/autotest/Wireguard/Wireguard.rst:7
+#: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:8
+msgid "Version: 1.5-rolling-202401121239"
+msgstr "Version: 1.5-rolling-202401121239"
+
 #: ../../configexamples/autotest/Wireguard/Wireguard.rst:7
 msgid "Version: vyos-1.4-rolling-202302150317"
 msgstr "Version: vyos-1.4-rolling-202302150317"
 
+#: ../../configexamples/site-2-site-cisco.rst:21
+msgid "VyOS"
+msgstr "VyOS"
+
 #: ../../configexamples/l3vpn-hub-and-spoke.rst:1025
 msgid "VyOS-CE-HUB -------> VyOS-CE1-SPOKE"
 msgstr "VyOS-CE-HUB -------> VyOS-CE1-SPOKE"
@@ -2434,6 +2520,10 @@ msgstr "We explicitly exclude the primary upstream network so that BGP or OSPF t
 msgid "We have four hosts on the local network 172.17.1.0/24. All hosts are labeled CS0 by default. We need to replace labels on all hosts except vpc8. We will replace the labels on the nearest router “VyOS3” using the IP addresses of the sources."
 msgstr "We have four hosts on the local network 172.17.1.0/24. All hosts are labeled CS0 by default. We need to replace labels on all hosts except vpc8. We will replace the labels on the nearest router “VyOS3” using the IP addresses of the sources."
 
+#: ../../configexamples/ansible.rst:22
+msgid "We have four pre-configured routers with this configuration:"
+msgstr "We have four pre-configured routers with this configuration:"
+
 #: ../../configexamples/zone-policy.rst:25
 msgid "We have three networks."
 msgstr "We have three networks."
@@ -2623,15 +2713,15 @@ msgstr "compute3 - Port 11 of each switch"
 msgid "compute3 (VMware ESXi 6.5)"
 msgstr "compute3 (VMware ESXi 6.5)"
 
-#: ../../configexamples/index.rst:41
+#: ../../configexamples/index.rst:43
 msgid "configure each host in the lab"
 msgstr "configure each host in the lab"
 
-#: ../../configexamples/index.rst:40
+#: ../../configexamples/index.rst:42
 msgid "create the lab on a eve-ng server"
 msgstr "create the lab on a eve-ng server"
 
-#: ../../configexamples/index.rst:42
+#: ../../configexamples/index.rst:44
 msgid "do some defined tests"
 msgstr "do some defined tests"
 
@@ -2652,7 +2742,7 @@ msgstr "extended community and remote label of specific destination"
 msgid "first the PCA"
 msgstr "first the PCA"
 
-#: ../../configexamples/index.rst:44
+#: ../../configexamples/index.rst:46
 msgid "generate the documentation and include files"
 msgstr "generate the documentation and include files"
 
@@ -2664,7 +2754,7 @@ msgstr "green uses local routing table id and VNI 4000"
 msgid "information between PE and CE:"
 msgstr "information between PE and CE:"
 
-#: ../../configexamples/index.rst:43
+#: ../../configexamples/index.rst:45
 msgid "optional do an upgrade to a higher version and do step 3 again."
 msgstr "optional do an upgrade to a higher version and do step 3 again."
 
@@ -2680,7 +2770,7 @@ msgstr "router2 (Random 1RU machine with 4 NICs)"
 msgid "save the output to a file and import it in nearly all openvpn clients."
 msgstr "save the output to a file and import it in nearly all openvpn clients."
 
-#: ../../configexamples/index.rst:45
+#: ../../configexamples/index.rst:47
 msgid "shutdown and destroy the lab, if there is no error"
 msgstr "shutdown and destroy the lab, if there is no error"
 
@@ -2700,6 +2790,22 @@ msgstr "switch2 (Nexus 10gb Switch)"
 msgid "v6 pairs would be:"
 msgstr "v6 pairs would be:"
 
+#: ../../configexamples/ansible.rst:34
+msgid "vyos10 - 192.0.2.108"
+msgstr "vyos10 - 192.0.2.108"
+
+#: ../../configexamples/ansible.rst:31
+msgid "vyos7 - 192.0.2.105"
+msgstr "vyos7 - 192.0.2.105"
+
+#: ../../configexamples/ansible.rst:32
+msgid "vyos8 - 192.0.2.106"
+msgstr "vyos8 - 192.0.2.106"
+
+#: ../../configexamples/ansible.rst:33
+msgid "vyos9 - 192.0.2.107"
+msgstr "vyos9 - 192.0.2.107"
+
 #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:571
 msgid "we are using \"source-address\" option cause we are not redistributing connected interfaces into BGP on the Core router hence there is no comeback route and ping will fail."
 msgstr "we are using \"source-address\" option cause we are not redistributing connected interfaces into BGP on the Core router hence there is no comeback route and ping will fail."
diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot
index df607936..cc30affb 100644
--- a/docs/_locale/de/configuration.pot
+++ b/docs/_locale/de/configuration.pot
@@ -40,6 +40,10 @@ msgstr "\"Managed address configuration\" flag"
 msgid "\"Other configuration\" flag"
 msgstr "\"Other configuration\" flag"
 
+#: ../../configuration/firewall/flowtables.rst:5
+msgid "###################ä############# Flowtables Firewall Configuration #################################"
+msgstr "###################ä############# Flowtables Firewall Configuration #################################"
+
 #: ../../configuration/protocols/babel.rst:146
 msgid "**1-254** – interfaces with a channel number interfere with interfering interfaces and interfaces with the same channel number. **interfering** – interfering interfaces are assumed to interfere with all other channels except noninterfering channels. **noninterfering** – noninterfering interfaces are assumed to only interfere with themselves."
 msgstr "**1-254** – interfaces with a channel number interfere with interfering interfaces and interfaces with the same channel number. **interfering** – interfering interfaces are assumed to interfere with all other channels except noninterfering channels. **noninterfering** – noninterfering interfaces are assumed to only interfere with themselves."
@@ -100,11 +104,19 @@ msgstr "**Applies to:** Outbound traffic."
 msgid "**Apply the traffic policy to an interface ingress or egress**."
 msgstr "**Apply the traffic policy to an interface ingress or egress**."
 
+#: ../../configuration/firewall/index.rst:22
+msgid "**Bridge Port?**: choose appropiate path based on if interface were the packet was received is part of a bridge, or not."
+msgstr "**Bridge Port?**: choose appropiate path based on if interface were the packet was received is part of a bridge, or not."
+
+#: ../../configuration/firewall/index.rst:23
+msgid "**Bridge Port?**: choose appropriate path based on whether interface where the packet was received is part of a bridge, or not."
+msgstr "**Bridge Port?**: choose appropriate path based on whether interface where the packet was received is part of a bridge, or not."
+
 #: ../../configuration/interfaces/tunnel.rst:137
 msgid "**Cisco IOS Router:**"
 msgstr "**Cisco IOS Router:**"
 
-#: ../../configuration/service/pppoe-server.rst:69
+#: ../../configuration/service/pppoe-server.rst:66
 msgid "**Client IP address via IP range definition**"
 msgstr "**Client IP address via IP range definition**"
 
@@ -116,56 +128,49 @@ msgstr "**Client IP subnets via CIDR notation**"
 msgid "**Cluster-List length check**"
 msgstr "**Cluster-List length check**"
 
+#: ../../configuration/firewall/index.rst:35
+msgid "**Conntrack Ignore**: rules defined under ``set system conntrack ignore [ipv4 | ipv6] ...``."
+msgstr "**Conntrack Ignore**: rules defined under ``set system conntrack ignore [ipv4 | ipv6] ...``."
+
 #: ../../configuration/trafficpolicy/index.rst:30
 msgid "**Create a traffic policy**."
 msgstr "**Create a traffic policy**."
 
+#: ../../configuration/interfaces/wwan.rst:53
 #: ../../_include/interface-common-with-dhcp.txt:9
-#: ../../_include/interface-vlan-8021q.txt:97
-#: ../../_include/interface-common-with-dhcp.txt:9
-#: ../../_include/interface-vlan-8021q.txt:97
-#: ../../_include/interface-common-with-dhcp.txt:9
-#: ../../_include/interface-vlan-8021q.txt:97
-#: ../../_include/interface-vlan-8021ad.txt:121
-#: ../../_include/interface-common-with-dhcp.txt:9
-#: ../../_include/interface-common-with-dhcp.txt:9
-#: ../../_include/interface-vlan-8021q.txt:97
-#: ../../_include/interface-vlan-8021q.txt:97
 #: ../../_include/interface-vlan-8021ad.txt:121
-#: ../../_include/interface-common-with-dhcp.txt:9
 #: ../../_include/interface-vlan-8021q.txt:97
-#: ../../_include/interface-vlan-8021ad.txt:121
-#: ../../configuration/interfaces/wwan.rst:53
 msgid "**DHCP(v6)**"
 msgstr "**DHCP(v6)**"
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:1
 msgid "**DHCPv6 Prefix Delegation (PD)**"
 msgstr "**DHCPv6 Prefix Delegation (PD)**"
 
+#: ../../configuration/firewall/index.rst:41
+msgid "**Destination NAT**: rules defined under ``set [nat | nat66] destination...``."
+msgstr "**Destination NAT**: rules defined under ``set [nat | nat66] destination...``."
+
+#: ../../configuration/firewall/index.rst:43
+msgid "**Destination is the router?**: choose appropiate path based on destination IP address. Transit forward continunes to **forward**, while traffic that destination IP address is configured on the router continues to **input**."
+msgstr "**Destination is the router?**: choose appropiate path based on destination IP address. Transit forward continunes to **forward**, while traffic that destination IP address is configured on the router continues to **input**."
+
+#: ../../configuration/firewall/index.rst:44
+msgid "**Destination is the router?**: choose appropriate path based on destination IP address. Transit forward continues to **forward**, while traffic that destination IP address is configured on the router continues to **input**."
+msgstr "**Destination is the router?**: choose appropriate path based on destination IP address. Transit forward continues to **forward**, while traffic that destination IP address is configured on the router continues to **input**."
+
+#: ../../configuration/firewall/bridge.rst:9
+#: ../../configuration/firewall/flowtables.rst:9
+msgid "**Documentation under development**"
+msgstr "**Documentation under development**"
+
 #: ../../configuration/trafficpolicy/index.rst:169
 msgid "**Ethernet (protocol, destination address or source address)**"
 msgstr "**Ethernet (protocol, destination address or source address)**"
 
-#: ../../configuration/service/dhcp-server.rst:235
-#: ../../configuration/service/dhcp-server.rst:657
-#: ../../configuration/service/dhcp-server.rst:694
+#: ../../configuration/service/dhcp-server.rst:200
+#: ../../configuration/service/dhcp-server.rst:587
+#: ../../configuration/service/dhcp-server.rst:626
 msgid "**Example:**"
 msgstr "**Example:**"
 
@@ -177,10 +182,30 @@ msgstr "**External check**"
 msgid "**Firewall mark**"
 msgstr "**Firewall mark**"
 
-#: ../../configuration/firewall/index.rst:41
+#: ../../configuration/firewall/flowtables.rst:51
+msgid "**Flowtable Reference:** https://docs.kernel.org/networking/nf_flowtable.html"
+msgstr "**Flowtable Reference:** https://docs.kernel.org/networking/nf_flowtable.html"
+
+#: ../../configuration/firewall/index.rst:152
 msgid "**For more information** of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_"
 msgstr "**For more information** of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_"
 
+#: ../../configuration/firewall/index.rst:58
+msgid "**Forward**: stage where transit traffic can be filtered and controlled. This includes ipv4 and ipv6 filtering rules, defined in:"
+msgstr "**Forward**: stage where transit traffic can be filtered and controlled. This includes ipv4 and ipv6 filtering rules, defined in:"
+
+#: ../../configuration/firewall/index.rst:86
+msgid "**Forward (Bridge)**: stage where traffic that is trasspasing through the bridge is filtered and controlled:"
+msgstr "**Forward (Bridge)**: stage where traffic that is trasspasing through the bridge is filtered and controlled:"
+
+#: ../../configuration/firewall/index.rst:87
+msgid "**Forward (Bridge)**: stage where traffic that is trespasing through the bridge is filtered and controlled:"
+msgstr "**Forward (Bridge)**: stage where traffic that is trespasing through the bridge is filtered and controlled:"
+
+#: ../../configuration/firewall/flowtables.rst:83
+msgid "**Hardware offload:** should be supported by the NICs used."
+msgstr "**Hardware offload:** should be supported by the NICs used."
+
 #: ../../configuration/protocols/bgp.rst:94
 msgid "**IGP cost check**"
 msgstr "**IGP cost check**"
@@ -205,6 +230,17 @@ msgstr "**Important note:** This documentation is valid only for VyOS Sagitta pr
 msgid "**Important note:** This documentation is valid only for VyOS Sagitta prior to 1.4-rolling-YYYYMMDDHHmm"
 msgstr "**Wichtiger Hinweis: ** Diese Dokumentation ist nur für VyOS Sagitta vor 1.4-Rolling-YYYYMMDDHHMM gültig"
 
+#: ../../configuration/firewall/ipv4.rst:60
+#: ../../configuration/firewall/ipv6.rst:60
+msgid "**Important note about default-actions:** If default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if default action is not defined, then the default-action is set to **drop**"
+msgstr "**Important note about default-actions:** If default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if default action is not defined, then the default-action is set to **drop**"
+
+#: ../../configuration/firewall/bridge.rst:143
+#: ../../configuration/firewall/ipv4.rst:190
+#: ../../configuration/firewall/ipv6.rst:190
+msgid "**Important note about default-actions:** If default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if default action is not defined, then the default-action is set to **drop**."
+msgstr "**Important note about default-actions:** If default action for any base chain is not defined, then the default action is set to **accept** for that chain. For custom chains, if default action is not defined, then the default-action is set to **drop**."
+
 #: ../../configuration/firewall/general.rst:72
 msgid "**Important note about default-actions:** If default action for any chain is not defined, then the default action is set to **accept** for that chain. Only for custom chains, the default action is set to **drop**."
 msgstr "**Wichtiger Hinweis zu Standardaktionen: ** Wenn die Standardaktion für eine Kette nicht definiert ist, ist die Standardaktion für diese Kette auf ** accept** gesetzt. Nur für benutzerdefinierte Ketten ist die Standardaktion auf **drop** gesetzt."
@@ -221,23 +257,35 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term
 msgid "**Important note on usage of terms:** The firewall makes use of the terms `in`, `out`, and `local` for firewall policy. Users experienced with netfilter often confuse `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT` chain from netfilter. This is not the case. These instead indicate the use of the `FORWARD` chain and either the input or output interface. The `INPUT` chain, which is used for local traffic to the OS, is a reference to as `local` with respect to its input interface."
 msgstr "**Important note on usage of terms:** The firewall makes use of the terms `in`, `out`, and `local` for firewall policy. Users experienced with netfilter often confuse `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT` chain from netfilter. This is not the case. These instead indicate the use of the `FORWARD` chain and either the input or output interface. The `INPUT` chain, which is used for local traffic to the OS, is a reference to as `local` with respect to its input interface."
 
+#: ../../configuration/firewall/index.rst:48
+msgid "**Input**: stage where traffic destinated to the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in:"
+msgstr "**Input**: stage where traffic destinated to the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in:"
+
+#: ../../configuration/firewall/index.rst:49
+msgid "**Input**: stage where traffic destined for the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in:"
+msgstr "**Input**: stage where traffic destined for the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in:"
+
 #: ../../configuration/trafficpolicy/index.rst:170
 msgid "**Interface name**"
 msgstr "**Interface name**"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:299
+#: ../../configuration/vpn/site2site_ipsec.rst:303
 msgid "**LEFT**"
 msgstr "**LEFT**"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:283
+#: ../../configuration/vpn/site2site_ipsec.rst:287
 msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
 msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
 
-#: ../../configuration/interfaces/vxlan.rst:214
+#: ../../configuration/firewall/bridge.rst:48
+msgid "**Layer 3 bridge**: When an IP address is assigned to the bridge interface, and if traffic is sent to the router to this IP (for example using such IP as default gateway), then rules defined for **bridge firewall** won't match, and firewall analysis continues at **IP layer**."
+msgstr "**Layer 3 bridge**: When an IP address is assigned to the bridge interface, and if traffic is sent to the router to this IP (for example using such IP as default gateway), then rules defined for **bridge firewall** won't match, and firewall analysis continues at **IP layer**."
+
+#: ../../configuration/interfaces/vxlan.rst:235
 msgid "**Leaf2 configuration:**"
 msgstr "**Leaf2 configuration:**"
 
-#: ../../configuration/interfaces/vxlan.rst:239
+#: ../../configuration/interfaces/vxlan.rst:260
 msgid "**Leaf3 configuration:**"
 msgstr "**Leaf3 configuration:**"
 
@@ -261,33 +309,33 @@ msgstr "**MED check**"
 msgid "**Multi-path check**"
 msgstr "**Multi-path check**"
 
-#: ../../configuration/protocols/bgp.rst:1192
+#: ../../configuration/protocols/bgp.rst:1193
 msgid "**Node1:**"
 msgstr "**Node1:**"
 
-#: ../../configuration/protocols/bgp.rst:1220
+#: ../../configuration/protocols/bgp.rst:1221
 msgid "**Node2:**"
 msgstr "**Node2:**"
 
 #: ../../configuration/protocols/ospf.rst:840
 #: ../../configuration/protocols/ospf.rst:913
 #: ../../configuration/protocols/ospf.rst:985
-#: ../../configuration/protocols/ospf.rst:1348
+#: ../../configuration/protocols/ospf.rst:1350
 #: ../../configuration/protocols/segment-routing.rst:281
 msgid "**Node 1**"
 msgstr "**Node 1**"
 
 #: ../../configuration/protocols/babel.rst:192
-#: ../../configuration/protocols/bgp.rst:1102
-#: ../../configuration/protocols/bgp.rst:1129
-#: ../../configuration/protocols/bgp.rst:1147
-#: ../../configuration/protocols/bgp.rst:1175
-#: ../../configuration/protocols/isis.rst:313
-#: ../../configuration/protocols/isis.rst:388
-#: ../../configuration/protocols/isis.rst:429
-#: ../../configuration/protocols/isis.rst:467
+#: ../../configuration/protocols/bgp.rst:1103
+#: ../../configuration/protocols/bgp.rst:1130
+#: ../../configuration/protocols/bgp.rst:1148
+#: ../../configuration/protocols/bgp.rst:1176
+#: ../../configuration/protocols/isis.rst:341
+#: ../../configuration/protocols/isis.rst:416
+#: ../../configuration/protocols/isis.rst:457
+#: ../../configuration/protocols/isis.rst:495
 #: ../../configuration/protocols/ospf.rst:948
-#: ../../configuration/protocols/ospf.rst:1318
+#: ../../configuration/protocols/ospf.rst:1320
 #: ../../configuration/protocols/rip.rst:243
 #: ../../configuration/protocols/segment-routing.rst:195
 msgid "**Node 1:**"
@@ -296,20 +344,20 @@ msgstr "**Node 1:**"
 #: ../../configuration/protocols/ospf.rst:850
 #: ../../configuration/protocols/ospf.rst:930
 #: ../../configuration/protocols/ospf.rst:1001
-#: ../../configuration/protocols/ospf.rst:1363
+#: ../../configuration/protocols/ospf.rst:1365
 #: ../../configuration/protocols/segment-routing.rst:296
 msgid "**Node 2**"
 msgstr "**Node 2**"
 
 #: ../../configuration/protocols/babel.rst:202
-#: ../../configuration/protocols/bgp.rst:1113
-#: ../../configuration/protocols/bgp.rst:1135
-#: ../../configuration/protocols/bgp.rst:1159
-#: ../../configuration/protocols/bgp.rst:1181
-#: ../../configuration/protocols/isis.rst:324
-#: ../../configuration/protocols/isis.rst:404
-#: ../../configuration/protocols/isis.rst:483
-#: ../../configuration/protocols/ospf.rst:1327
+#: ../../configuration/protocols/bgp.rst:1114
+#: ../../configuration/protocols/bgp.rst:1136
+#: ../../configuration/protocols/bgp.rst:1160
+#: ../../configuration/protocols/bgp.rst:1182
+#: ../../configuration/protocols/isis.rst:352
+#: ../../configuration/protocols/isis.rst:432
+#: ../../configuration/protocols/isis.rst:511
+#: ../../configuration/protocols/ospf.rst:1329
 #: ../../configuration/protocols/rip.rst:251
 #: ../../configuration/protocols/segment-routing.rst:211
 msgid "**Node 2:**"
@@ -331,15 +379,39 @@ msgstr "**One gateway:**"
 msgid "**Origin check**"
 msgstr "**Origin check**"
 
+#: ../../configuration/firewall/index.rst:64
+msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
+msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
+
+#: ../../configuration/firewall/index.rst:65
+msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
+msgstr "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:"
+
 #: ../../configuration/protocols/bgp.rst:125
 msgid "**Peer address**"
 msgstr "**Peer address**"
 
+#: ../../configuration/firewall/index.rst:38
+msgid "**Policy Route**: rules defined under ``set policy [route | route6] ...``."
+msgstr "**Policy Route**: rules defined under ``set policy [route | route6] ...``."
+
 #: ../../configuration/policy/examples.rst:5
 msgid "**Policy definition:**"
 msgstr "**Policy definition:**"
 
-#: ../../configuration/service/dhcp-server.rst:450
+#: ../../configuration/firewall/index.rst:76
+msgid "**Postrouting**: as in **Prerouting**, several actions defined in different parts of VyOS configuration are performed in this stage. This includes:"
+msgstr "**Postrouting**: as in **Prerouting**, several actions defined in different parts of VyOS configuration are performed in this stage. This includes:"
+
+#: ../../configuration/firewall/index.rst:29
+msgid "**Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in VyOS configuration. Order is important, and all these actions are performed before any actions defined under ``firewall`` section. Relevant configuration that acts in this stage are:"
+msgstr "**Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in VyOS configuration. Order is important, and all these actions are performed before any actions defined under ``firewall`` section. Relevant configuration that acts in this stage are:"
+
+#: ../../configuration/firewall/index.rst:28
+msgid "**Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in vyos configuration. Order is important, and all these actions are performed before any actions define under ``firewall`` section. Relevant configuration that acts in this stage are:"
+msgstr "**Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in vyos configuration. Order is important, and all these actions are performed before any actions define under ``firewall`` section. Relevant configuration that acts in this stage are:"
+
+#: ../../configuration/service/dhcp-server.rst:391
 msgid "**Primary**"
 msgstr "**Primary**"
 
@@ -401,19 +473,19 @@ msgstr "**R2**"
 msgid "**R2 Static Key**"
 msgstr "**R2 Static Key**"
 
-#: ../../configuration/service/pppoe-server.rst:104
+#: ../../configuration/service/pppoe-server.rst:91
 msgid "**RADIUS based IP pools (Framed-IP-Address)**"
 msgstr "**RADIUS based IP pools (Framed-IP-Address)**"
 
-#: ../../configuration/service/pppoe-server.rst:128
+#: ../../configuration/service/pppoe-server.rst:115
 msgid "**RADIUS sessions management DM/CoA**"
 msgstr "**RADIUS sessions management DM/CoA**"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:335
+#: ../../configuration/vpn/site2site_ipsec.rst:343
 msgid "**RIGHT**"
 msgstr "**RIGHT**"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:289
+#: ../../configuration/vpn/site2site_ipsec.rst:293
 msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
 msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
 
@@ -421,15 +493,15 @@ msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172
 msgid "**Router-ID check**"
 msgstr "**Router-ID check**"
 
-#: ../../configuration/protocols/igmp.rst:46
+#: ../../configuration/protocols/pim.rst:228
 msgid "**Router 1**"
 msgstr "**Router 1**"
 
-#: ../../configuration/protocols/igmp.rst:74
+#: ../../configuration/protocols/pim.rst:256
 msgid "**Router 2**"
 msgstr "**Router 2**"
 
-#: ../../configuration/protocols/igmp.rst:59
+#: ../../configuration/protocols/pim.rst:241
 msgid "**Router 3**"
 msgstr "**Router 3**"
 
@@ -449,7 +521,7 @@ msgstr "**SW1**"
 msgid "**SW2**"
 msgstr "**SW2**"
 
-#: ../../configuration/service/dhcp-server.rst:459
+#: ../../configuration/service/dhcp-server.rst:400
 msgid "**Secondary**"
 msgstr "**Secondary**"
 
@@ -461,15 +533,19 @@ msgstr "**Setting up IPSec**"
 msgid "**Setting up the GRE tunnel**"
 msgstr "**Setting up the GRE tunnel**"
 
-#: ../../configuration/interfaces/vxlan.rst:191
+#: ../../configuration/firewall/index.rst:80
+msgid "**Source NAT**: rules defined under ``set [nat | nat66] destination...``."
+msgstr "**Source NAT**: rules defined under ``set [nat | nat66] destination...``."
+
+#: ../../configuration/interfaces/vxlan.rst:212
 msgid "**Spine1 Configuration:**"
 msgstr "**Spine1 Configuration:**"
 
-#: ../../configuration/protocols/ospf.rst:1378
+#: ../../configuration/protocols/ospf.rst:1380
 msgid "**Status**"
 msgstr "**Status**"
 
-#: ../../configuration/protocols/ospf.rst:1336
+#: ../../configuration/protocols/ospf.rst:1338
 msgid "**To see the redistributed routes:**"
 msgstr "**To see the redistributed routes:**"
 
@@ -490,48 +566,12 @@ msgstr "**VyOS Router:**"
 msgid "**Weight check**"
 msgstr "**Weight check**"
 
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
-#: ../../_include/interface-dhcp-options.txt:69
+#: ../../_include/interface-dhcp-options.txt:74
 msgid "**address** can be specified multiple times, e.g. 192.168.100.1 and/or 192.168.100.0/24"
 msgstr "**address** can be specified multiple times, e.g. 192.168.100.1 and/or 192.168.100.0/24"
 
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address.txt:6
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address.txt:6
-#: ../../_include/interface-address.txt:6
-#: ../../_include/interface-address.txt:6
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
 #: ../../_include/interface-address-with-dhcp.txt:7
 #: ../../_include/interface-address.txt:6
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address.txt:6
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:7
 msgid "**address** can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64"
 msgstr "**address** can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64"
 
@@ -579,50 +619,18 @@ msgstr "**default** –  this area will be used for shortcutting only if ABR doe
 msgid "**default** – enable split-horizon on wired interfaces, and disable split-horizon on wireless interfaces. **enable** – enable split-horizon on this interfaces. **disable** – disable split-horizon on this interfaces."
 msgstr "**default** – enable split-horizon on wired interfaces, and disable split-horizon on wireless interfaces. **enable** – enable split-horizon on this interfaces. **disable** – disable split-horizon on this interfaces."
 
-#: ../../configuration/vpn/sstp.rst:188
+#: ../../configuration/vpn/sstp.rst:199
 msgid "**deny** - deny mppe"
 msgstr "**deny** - deny mppe"
 
-#: ../../configuration/nat/nat44.rst:201
+#: ../../configuration/nat/nat44.rst:213
 msgid "**destination** - specify which packets the translation will be applied to, only based on the destination address and/or port number configured."
 msgstr "**destination** - specify which packets the translation will be applied to, only based on the destination address and/or port number configured."
 
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:9
 #: ../../_include/interface-address-with-dhcp.txt:9
 msgid "**dhcp** interface address is received by DHCP from a DHCP server on this segment."
 msgstr "**dhcp** interface address is received by DHCP from a DHCP server on this segment."
 
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
-#: ../../_include/interface-address-with-dhcp.txt:11
 #: ../../_include/interface-address-with-dhcp.txt:11
 msgid "**dhcpv6** interface address is received by DHCPv6 from a DHCPv6 server on this segment."
 msgstr "**dhcpv6** interface address is received by DHCPv6 from a DHCPv6 server on this segment."
@@ -631,7 +639,7 @@ msgstr "**dhcpv6** interface address is received by DHCPv6 from a DHCPv6 server
 msgid "**discard:** Received packets which already contain relay information will be discarded."
 msgstr "**discard:** Received packets which already contain relay information will be discarded."
 
-#: ../../configuration/protocols/igmp.rst:195
+#: ../../configuration/protocols/igmp-proxy.rst:23
 msgid "**downstream:** Downstream network interfaces are the distribution interfaces to the destination networks, where multicast clients can join groups and receive multicast data. One or more downstream interfaces must be configured."
 msgstr "**downstream:** Downstream network interfaces are the distribution interfaces to the destination networks, where multicast clients can join groups and receive multicast data. One or more downstream interfaces must be configured."
 
@@ -643,7 +651,7 @@ msgstr "**exporter**: aggregates packets into flows and exports flow records tow
 msgid "**firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way"
 msgstr "**firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way"
 
-#: ../../configuration/firewall/general.rst:99
+#: ../../configuration/firewall/global-options.rst:36
 msgid "**firewall global-options all-ping** affects only to LOCAL and it always behaves in the most restrictive way"
 msgstr "**firewall global-options all-ping** affects only to LOCAL and it always behaves in the most restrictive way"
 
@@ -655,6 +663,10 @@ msgstr "**forward:** All packets are forwarded, relay information already presen
 msgid "**inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the translation rule applies to."
 msgstr "**inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the translation rule applies to."
 
+#: ../../configuration/nat/nat44.rst:165
+msgid "**inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the translation rule applies to. Interface groups, inverted selection and wildcard, are also supported."
+msgstr "**inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the translation rule applies to. Interface groups, inverted selection and wildcard, are also supported."
+
 #: ../../configuration/interfaces/bonding.rst:161
 msgid "**layer2** - Uses XOR of hardware MAC addresses and packet type ID field to generate the hash. The formula is"
 msgstr "**layer2** - Uses XOR of hardware MAC addresses and packet type ID field to generate the hash. The formula is"
@@ -739,7 +751,11 @@ msgstr "**on-failure**: Restart containers when they exit with a non-zero exit c
 msgid "**outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that this translation rule applies to."
 msgstr "**outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that this translation rule applies to."
 
-#: ../../configuration/vpn/sstp.rst:187
+#: ../../configuration/nat/nat44.rst:149
+msgid "**outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that this translation rule applies to. Interface groups, inverted selection and wildcard, are also supported."
+msgstr "**outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that this translation rule applies to. Interface groups, inverted selection and wildcard, are also supported."
+
+#: ../../configuration/vpn/sstp.rst:198
 msgid "**prefer** - ask client for mppe, if it rejects don't fail"
 msgstr "**prefer** - ask client for mppe, if it rejects don't fail"
 
@@ -751,7 +767,7 @@ msgstr "**process** When dnssec is set to process the behavior is similar to pro
 msgid "**process-no-validate** In this mode the recursor acts as a \"security aware, non-validating\" nameserver, meaning it will set the DO-bit on outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a DO-bit in the query), except for zones provided through the auth-zones setting. It will not do any validation in this mode, not even when requested by the client."
 msgstr "**process-no-validate** In this mode the recursor acts as a \"security aware, non-validating\" nameserver, meaning it will set the DO-bit on outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a DO-bit in the query), except for zones provided through the auth-zones setting. It will not do any validation in this mode, not even when requested by the client."
 
-#: ../../configuration/nat/nat44.rst:169
+#: ../../configuration/nat/nat44.rst:181
 msgid "**protocol** - specify which types of protocols this translation rule applies to. Only packets matching the specified protocol are NATed. By default this applies to `all` protocols."
 msgstr "**protocol** - specify which types of protocols this translation rule applies to. Only packets matching the specified protocol are NATed. By default this applies to `all` protocols."
 
@@ -767,7 +783,7 @@ msgstr "**remote side - commands**"
 msgid "**replace:** Relay information already present in a packet is stripped and replaced with the router's own relay information set."
 msgstr "**replace:** Relay information already present in a packet is stripped and replaced with the router's own relay information set."
 
-#: ../../configuration/vpn/sstp.rst:186
+#: ../../configuration/vpn/sstp.rst:197
 msgid "**require** - ask client for mppe, if it rejects drop connection"
 msgstr "**require** - ask client for mppe, if it rejects drop connection"
 
@@ -779,7 +795,7 @@ msgstr "**right**"
 msgid "**setpcap**: Capability sets (from bounded or inherited set)"
 msgstr "**setpcap**: Capability sets (from bounded or inherited set)"
 
-#: ../../configuration/nat/nat44.rst:183
+#: ../../configuration/nat/nat44.rst:195
 msgid "**source** - specifies which packets the NAT translation rule applies to based on the packets source IP address and/or source port. Only matching packets are considered for NAT."
 msgstr "**source** - specifies which packets the NAT translation rule applies to based on the packets source IP address and/or source port. Only matching packets are considered for NAT."
 
@@ -795,7 +811,7 @@ msgstr "**sys-time**: Permission to set system clock"
 msgid "**transition** - Send and accept both styles of TLVs during transition."
 msgstr "**transition** - Send and accept both styles of TLVs during transition."
 
-#: ../../configuration/protocols/igmp.rst:191
+#: ../../configuration/protocols/igmp-proxy.rst:19
 msgid "**upstream:** The upstream network interface is the outgoing interface which is responsible for communicating to available multicast data sources. There can only be one upstream interface."
 msgstr "**upstream:** The upstream network interface is the outgoing interface which is responsible for communicating to available multicast data sources. There can only be one upstream interface."
 
@@ -859,25 +875,6 @@ msgstr "011100"
 msgid "011110"
 msgstr "011110"
 
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
-#: ../../_include/interface-ipv6.txt:79
 #: ../../_include/interface-ipv6.txt:79
 msgid "0: Disable DAD"
 msgstr "0: Disable DAD"
@@ -890,7 +887,7 @@ msgstr "0 if not defined, which means no refreshing."
 msgid "0 if not defined."
 msgstr "0 if not defined."
 
-#: ../../configuration/service/dhcp-server.rst:270
+#: ../../configuration/service/dhcp-server.rst:237
 #: ../../configuration/system/syslog.rst:114
 #: ../../configuration/system/syslog.rst:173
 #: ../../configuration/trafficpolicy/index.rst:801
@@ -898,7 +895,7 @@ msgstr "0 if not defined."
 msgid "1"
 msgstr "1"
 
-#: ../../configuration/nat/nat44.rst:588
+#: ../../configuration/nat/nat44.rst:612
 msgid "1-to-1 NAT"
 msgstr "1-to-1 NAT"
 
@@ -953,7 +950,7 @@ msgstr "10 - 10 MBit/s"
 msgid "11"
 msgstr "11"
 
-#: ../../configuration/service/dhcp-server.rst:352
+#: ../../configuration/service/dhcp-server.rst:319
 msgid "119"
 msgstr "119"
 
@@ -963,11 +960,11 @@ msgstr "119"
 msgid "12"
 msgstr "12"
 
-#: ../../configuration/service/dhcp-server.rst:357
+#: ../../configuration/service/dhcp-server.rst:324
 msgid "121, 249"
 msgstr "121, 249"
 
-#: ../../configuration/service/dhcp-server.rst:337
+#: ../../configuration/service/dhcp-server.rst:304
 #: ../../configuration/system/syslog.rst:138
 #: ../../configuration/trafficpolicy/index.rst:870
 msgid "13"
@@ -979,7 +976,7 @@ msgstr "13"
 msgid "14"
 msgstr "14"
 
-#: ../../configuration/service/dhcp-server.rst:297
+#: ../../configuration/service/dhcp-server.rst:264
 #: ../../configuration/system/syslog.rst:142
 #: ../../configuration/trafficpolicy/index.rst:866
 msgid "15"
@@ -1003,7 +1000,7 @@ msgstr "172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12)"
 msgid "18"
 msgstr "18"
 
-#: ../../configuration/service/dhcp-server.rst:302
+#: ../../configuration/service/dhcp-server.rst:269
 #: ../../configuration/system/syslog.rst:150
 msgid "19"
 msgstr "19"
@@ -1016,25 +1013,10 @@ msgstr "192.168.0.0 to 192.168.255.255 (CIDR: 192.168.0.0/16)"
 msgid "1. Create an event handler"
 msgstr "1. Create an event handler"
 
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
-#: ../../_include/interface-ipv6.txt:80
+#: ../../configuration/firewall/flowtables.rst:144
+msgid "1. First packet is received on eht0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1."
+msgstr "1. First packet is received on eht0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1."
+
 #: ../../_include/interface-ipv6.txt:80
 msgid "1: Enable DAD (default)"
 msgstr "1: Enable DAD (default)"
@@ -1043,7 +1025,7 @@ msgstr "1: Enable DAD (default)"
 msgid "1 if not defined."
 msgstr "1 if not defined."
 
-#: ../../configuration/service/dhcp-server.rst:276
+#: ../../configuration/service/dhcp-server.rst:243
 #: ../../configuration/system/syslog.rst:116
 #: ../../configuration/system/syslog.rst:178
 #: ../../configuration/trafficpolicy/index.rst:799
@@ -1077,7 +1059,7 @@ msgstr "25000 - 25 GBit/s"
 msgid "2500 - 2.5 GBit/s"
 msgstr "2500 - 2.5 GBit/s"
 
-#: ../../configuration/service/dhcp-server.rst:362
+#: ../../configuration/service/dhcp-server.rst:329
 msgid "252"
 msgstr "252"
 
@@ -1097,30 +1079,15 @@ msgstr "2FA OTP support"
 msgid "2. Add regex to the script"
 msgstr "2. Add regex to the script"
 
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
-#: ../../_include/interface-ipv6.txt:81
+#: ../../configuration/firewall/flowtables.rst:148
+msgid "2. Since this is the first packet, connection status of this connection, so far is **new**. So neither rule 10 nor 20 are valid."
+msgstr "2. Since this is the first packet, connection status of this connection, so far is **new**. So neither rule 10 nor 20 are valid."
+
 #: ../../_include/interface-ipv6.txt:81
 msgid "2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found."
 msgstr "2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found."
 
-#: ../../configuration/service/dhcp-server.rst:282
+#: ../../configuration/service/dhcp-server.rst:249
 #: ../../configuration/system/syslog.rst:118
 #: ../../configuration/system/syslog.rst:181
 #: ../../configuration/trafficpolicy/index.rst:797
@@ -1148,7 +1115,7 @@ msgstr "38"
 msgid "3. Add a full path to the script"
 msgstr "3. Add a full path to the script"
 
-#: ../../configuration/service/dhcp-server.rst:287
+#: ../../configuration/service/dhcp-server.rst:254
 #: ../../configuration/system/syslog.rst:120
 #: ../../configuration/system/syslog.rst:183
 #: ../../configuration/trafficpolicy/index.rst:795
@@ -1164,11 +1131,11 @@ msgstr "40000 - 40 GBit/s"
 msgid "40 MHz channels may switch their primary and secondary channels if needed or creation of 40 MHz channel maybe rejected based on overlapping BSSes. These changes are done automatically when hostapd is setting up the 40 MHz channel."
 msgstr "40 MHz channels may switch their primary and secondary channels if needed or creation of 40 MHz channel maybe rejected based on overlapping BSSes. These changes are done automatically when hostapd is setting up the 40 MHz channel."
 
-#: ../../configuration/service/dhcp-server.rst:307
+#: ../../configuration/service/dhcp-server.rst:274
 msgid "42"
 msgstr "42"
 
-#: ../../configuration/service/dhcp-server.rst:312
+#: ../../configuration/service/dhcp-server.rst:279
 msgid "44"
 msgstr "44"
 
@@ -1180,6 +1147,10 @@ msgstr "46"
 msgid "4. Add optional parameters"
 msgstr "4. Add optional parameters"
 
+#: ../../configuration/firewall/flowtables.rst:153
+msgid "4. Once answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 10."
+msgstr "4. Once answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 10."
+
 #: ../../configuration/system/syslog.rst:122
 #: ../../configuration/system/syslog.rst:185
 #: ../../configuration/trafficpolicy/index.rst:793
@@ -1195,16 +1166,20 @@ msgstr "50000 - 50 GBit/s"
 msgid "5000 - 5 GBit/s"
 msgstr "5000 - 5 GBit/s"
 
-#: ../../configuration/service/dhcp-server.rst:317
+#: ../../configuration/service/dhcp-server.rst:284
 msgid "54"
 msgstr "54"
 
+#: ../../configuration/firewall/flowtables.rst:157
+msgid "5. Second packet for this connection is received by the router. Since connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection."
+msgstr "5. Second packet for this connection is received by the router. Since connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection."
+
 #: ../../configuration/highavailability/index.rst:257
 #: ../../configuration/highavailability/index.rst:288
 msgid "5 if not defined."
 msgstr "5 if not defined."
 
-#: ../../configuration/service/dhcp-server.rst:292
+#: ../../configuration/service/dhcp-server.rst:259
 #: ../../configuration/system/syslog.rst:124
 #: ../../configuration/system/syslog.rst:189
 #: ../../configuration/trafficpolicy/index.rst:791
@@ -1212,7 +1187,7 @@ msgstr "5 if not defined."
 msgid "6"
 msgstr "6"
 
-#: ../../configuration/service/dhcp-server.rst:327
+#: ../../configuration/service/dhcp-server.rst:294
 msgid "66"
 msgstr "66"
 
@@ -1220,14 +1195,18 @@ msgstr "66"
 msgid "66% of traffic is routed to eth0, eth1 gets 33% of traffic."
 msgstr "66% of traffic is routed to eth0, eth1 gets 33% of traffic."
 
-#: ../../configuration/service/dhcp-server.rst:332
+#: ../../configuration/service/dhcp-server.rst:299
 msgid "67"
 msgstr "67"
 
-#: ../../configuration/service/dhcp-server.rst:342
+#: ../../configuration/service/dhcp-server.rst:309
 msgid "69"
 msgstr "69"
 
+#: ../../configuration/firewall/flowtables.rst:161
+msgid "6. All subsecuent packets will skip traditional path, and will be offloaded and will use the **Fast Path**."
+msgstr "6. All subsecuent packets will skip traditional path, and will be offloaded and will use the **Fast Path**."
+
 #: ../../configuration/interfaces/tunnel.rst:81
 msgid "6in4 (SIT)"
 msgstr "6in4 (SIT)"
@@ -1243,7 +1222,7 @@ msgstr "6in4 uses tunneling to encapsulate IPv6 traffic over IPv4 links as defin
 msgid "7"
 msgstr "7"
 
-#: ../../configuration/service/dhcp-server.rst:347
+#: ../../configuration/service/dhcp-server.rst:314
 msgid "70"
 msgstr "70"
 
@@ -1251,11 +1230,6 @@ msgstr "70"
 msgid "8"
 msgstr "8"
 
-#: ../../_include/interface-vlan-8021q.txt:21
-#: ../../_include/interface-vlan-8021q.txt:21
-#: ../../_include/interface-vlan-8021q.txt:21
-#: ../../_include/interface-vlan-8021q.txt:21
-#: ../../_include/interface-vlan-8021q.txt:21
 #: ../../_include/interface-vlan-8021q.txt:21
 msgid "802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is ``vif``."
 msgstr "802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is ``vif``."
@@ -1325,22 +1299,31 @@ msgstr "<x.x.x.x>-<x.x.x.x>: IP range to match."
 msgid "<x.x.x.x>: IP address to match."
 msgstr "<x.x.x.x>: IP address to match."
 
+#: ../../configuration/pki/index.rst:252
+msgid "ACME"
+msgstr "ACME"
+
+#: ../../configuration/pki/index.rst:281
+msgid "ACME Directory Resource URI."
+msgstr "ACME Directory Resource URI."
+
+#: ../../configuration/service/https.rst:59
+msgid "API"
+msgstr "API"
+
 #: ../../configuration/protocols/static.rst:150
 msgid "ARP"
 msgstr "ARP"
 
-#: ../../configuration/firewall/general.rst:302
-#: ../../configuration/firewall/general-legacy.rst:257
+#: ../../configuration/firewall/groups.rst:129
 msgid "A **domain group** represents a collection of domains."
 msgstr "A **domain group** represents a collection of domains."
 
-#: ../../configuration/firewall/general.rst:284
-#: ../../configuration/firewall/general-legacy.rst:242
+#: ../../configuration/firewall/groups.rst:111
 msgid "A **mac group** represents a collection of mac addresses."
 msgstr "A **mac group** represents a collection of mac addresses."
 
-#: ../../configuration/firewall/general.rst:259
-#: ../../configuration/firewall/general-legacy.rst:217
+#: ../../configuration/firewall/groups.rst:86
 msgid "A **port group** represents only port numbers, not the protocol. Port groups can be referenced for either TCP or UDP. It is recommended that TCP and UDP groups are created separately to avoid accidentally filtering unnecessary ports. Ranges of ports can be specified by using `-`."
 msgstr "A **port group** represents only port numbers, not the protocol. Port groups can be referenced for either TCP or UDP. It is recommended that TCP and UDP groups are created separately to avoid accidentally filtering unnecessary ports. Ranges of ports can be specified by using `-`."
 
@@ -1368,7 +1351,7 @@ msgstr "A GRE tunnel operates at layer 3 of the OSI model and is represented by
 msgid "A Rule-Set can be applied to every interface:"
 msgstr "A Rule-Set can be applied to every interface:"
 
-#: ../../configuration/service/dhcp-server.rst:631
+#: ../../configuration/service/dhcp-server.rst:561
 msgid "A SNTP server address can be specified for DHCPv6 clients."
 msgstr "A SNTP server address can be specified for DHCPv6 clients."
 
@@ -1380,11 +1363,11 @@ msgstr "A VRF device is created with an associated route table. Network interfac
 msgid "A VyOS GRE tunnel can carry both IPv4 and IPv6 traffic and can also be created over either IPv4 (gre) or IPv6 (ip6gre)."
 msgstr "A VyOS GRE tunnel can carry both IPv4 and IPv6 traffic and can also be created over either IPv4 (gre) or IPv6 (ip6gre)."
 
-#: ../../configuration/service/dns.rst:149
+#: ../../configuration/service/dns.rst:162
 msgid "A VyOS router with two interfaces - eth0 (WAN) and eth1 (LAN) - is required to implement a split-horizon DNS configuration for example.com."
 msgstr "A VyOS router with two interfaces - eth0 (WAN) and eth1 (LAN) - is required to implement a split-horizon DNS configuration for example.com."
 
-#: ../../configuration/service/dhcp-server.rst:603
+#: ../../configuration/service/dhcp-server.rst:533
 msgid "A :abbr:`NIS (Network Information Service)` domain can be set to be used for DHCPv6 clients."
 msgstr "A :abbr:`NIS (Network Information Service)` domain can be set to be used for DHCPv6 clients."
 
@@ -1392,7 +1375,7 @@ msgstr "A :abbr:`NIS (Network Information Service)` domain can be set to be used
 msgid "A basic configuration requires a tunnel source (source-address), a tunnel destination (remote), an encapsulation type (gre), and an address (ipv4/ipv6). Below is a basic IPv4 only configuration example taken from a VyOS router and a Cisco IOS router. The main difference between these two configurations is that VyOS requires you explicitly configure the encapsulation type. The Cisco router defaults to GRE IP otherwise it would have to be configured as well."
 msgstr "A basic configuration requires a tunnel source (source-address), a tunnel destination (remote), an encapsulation type (gre), and an address (ipv4/ipv6). Below is a basic IPv4 only configuration example taken from a VyOS router and a Cisco IOS router. The main difference between these two configurations is that VyOS requires you explicitly configure the encapsulation type. The Cisco router defaults to GRE IP otherwise it would have to be configured as well."
 
-#: ../../configuration/firewall/zone.rst:54
+#: ../../configuration/firewall/zone.rst:73
 msgid "A basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`."
 msgstr "A basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`."
 
@@ -1413,7 +1396,7 @@ msgstr "A common example is the case of some policies which, in order to be effe
 msgid "A complete LDAP auth OpenVPN configuration could look like the following example:"
 msgstr "A complete LDAP auth OpenVPN configuration could look like the following example:"
 
-#: ../../configuration/vpn/sstp.rst:323
+#: ../../configuration/vpn/sstp.rst:335
 msgid "A connection attempt will be shown as:"
 msgstr "A connection attempt will be shown as:"
 
@@ -1433,7 +1416,7 @@ msgstr "A disabled group will be removed from the VRRP process and your router w
 msgid "A domain name is the label (name) assigned to a computer network and is thus unique. VyOS appends the domain name as a suffix to any unqualified name. For example, if you set the domain name `example.com`, and you would ping the unqualified name of `crux`, then VyOS qualifies the name to `crux.example.com`."
 msgstr "A domain name is the label (name) assigned to a computer network and is thus unique. VyOS appends the domain name as a suffix to any unqualified name. For example, if you set the domain name `example.com`, and you would ping the unqualified name of `crux`, then VyOS qualifies the name to `crux.example.com`."
 
-#: ../../configuration/nat/nat44.rst:685
+#: ../../configuration/nat/nat44.rst:709
 msgid "A dummy interface for the provider-assigned IP;"
 msgstr "A dummy interface for the provider-assigned IP;"
 
@@ -1445,7 +1428,7 @@ msgstr "A firewall mark ``fwmark`` allows using multiple ports for high-availabi
 msgid "A full example of a Tunnelbroker.net config can be found at :ref:`here <examples-tunnelbroker-ipv6>`."
 msgstr "A full example of a Tunnelbroker.net config can be found at :ref:`here <examples-tunnelbroker-ipv6>`."
 
-#: ../../configuration/service/dhcp-server.rst:187
+#: ../../configuration/service/dhcp-server.rst:152
 msgid "A generic `<name>` referencing this sync service."
 msgstr "A generic `<name>` referencing this sync service."
 
@@ -1489,6 +1472,10 @@ msgstr "A new interface becomes present ``Port-channel1``, all configuration lik
 msgid "A packet rate limit can be set for a rule to apply the rule to traffic above or below a specified threshold. To configure the rate limiting use:"
 msgstr "A packet rate limit can be set for a rule to apply the rule to traffic above or below a specified threshold. To configure the rate limiting use:"
 
+#: ../../configuration/firewall/flowtables.rst:44
+msgid "A packet that finds a matching entry in the flowtable (flowtable hit) is transmitted to the output netdevice, hence, packets bypass the classic IP forwarding path and uses the **Fast Path** (orange circles path). The visible effect is that you do not see these packets from any of the Netfilter hooks coming after ingress. In case that there is no matching entry in the flowtable (flowtable miss), the packet follows the classic IP forwarding path."
+msgstr "A packet that finds a matching entry in the flowtable (flowtable hit) is transmitted to the output netdevice, hence, packets bypass the classic IP forwarding path and uses the **Fast Path** (orange circles path). The visible effect is that you do not see these packets from any of the Netfilter hooks coming after ingress. In case that there is no matching entry in the flowtable (flowtable miss), the packet follows the classic IP forwarding path."
+
 #: ../../configuration/protocols/bgp.rst:698
 msgid "A penalty of 1000 is assessed each time the route fails. When the penalties reach a predefined threshold (suppress-value), the router stops advertising the route."
 msgstr "A penalty of 1000 is assessed each time the route fails. When the penalties reach a predefined threshold (suppress-value), the router stops advertising the route."
@@ -1497,12 +1484,12 @@ msgstr "A penalty of 1000 is assessed each time the route fails. When the penalt
 msgid "A physical interface is required to connect this MACsec instance to. Traffic leaving this interface will now be authenticated/encrypted."
 msgstr "A physical interface is required to connect this MACsec instance to. Traffic leaving this interface will now be authenticated/encrypted."
 
-#: ../../configuration/nat/nat44.rst:360
+#: ../../configuration/nat/nat44.rst:374
 msgid "A pool of addresses can be defined by using a hyphen between two IP addresses:"
 msgstr "A pool of addresses can be defined by using a hyphen between two IP addresses:"
 
-#: ../../configuration/firewall/general.rst:761
-#: ../../configuration/firewall/general-legacy.rst:506
+#: ../../configuration/firewall/ipv4.rst:485
+#: ../../configuration/firewall/ipv6.rst:491
 msgid "A port can be set with a port number or a name which is here defined: ``/etc/services``."
 msgstr "A port can be set with a port number or a name which is here defined: ``/etc/services``."
 
@@ -1535,24 +1522,15 @@ msgstr "A script can be run when an interface state change occurs. Scripts are r
 msgid "A segment ID that contains an IP address prefix calculated by an IGP in the service provider core network. Prefix SIDs are globally unique, this value indentify it"
 msgstr "A segment ID that contains an IP address prefix calculated by an IGP in the service provider core network. Prefix SIDs are globally unique, this value indentify it"
 
-#: ../../_include/interface-disable-flow-control.txt:11
-#: ../../_include/interface-disable-flow-control.txt:11
-#: ../../_include/interface-disable-flow-control.txt:11
-#: ../../_include/interface-disable-flow-control.txt:11
-#: ../../_include/interface-disable-flow-control.txt:11
-#: ../../_include/interface-disable-flow-control.txt:11
-#: ../../_include/interface-disable-flow-control.txt:11
-#: ../../_include/interface-disable-flow-control.txt:11
-#: ../../_include/interface-disable-flow-control.txt:11
 #: ../../_include/interface-disable-flow-control.txt:11
 msgid "A sending station (computer or network switch) may be transmitting data faster than the other end of the link can accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions until the receiver catches up."
 msgstr "A sending station (computer or network switch) may be transmitting data faster than the other end of the link can accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions until the receiver catches up."
 
-#: ../../configuration/service/dhcp-server.rst:659
+#: ../../configuration/service/dhcp-server.rst:589
 msgid "A shared network named ``NET1`` serves subnet ``2001:db8::/64``"
 msgstr "A shared network named ``NET1`` serves subnet ``2001:db8::/64``"
 
-#: ../../configuration/protocols/bgp.rst:1145
+#: ../../configuration/protocols/bgp.rst:1146
 msgid "A simple BGP configuration via IPv6."
 msgstr "A simple BGP configuration via IPv6."
 
@@ -1560,7 +1538,7 @@ msgstr "A simple BGP configuration via IPv6."
 msgid "A simple Random Early Detection (RED) policy would start randomly dropping packets from a queue before it reaches its queue limit thus avoiding congestion. That is good for TCP connections as the gradual dropping of packets acts as a signal for the sender to decrease its transmission rate."
 msgstr "A simple Random Early Detection (RED) policy would start randomly dropping packets from a queue before it reaches its queue limit thus avoiding congestion. That is good for TCP connections as the gradual dropping of packets acts as a signal for the sender to decrease its transmission rate."
 
-#: ../../configuration/protocols/bgp.rst:1100
+#: ../../configuration/protocols/bgp.rst:1101
 msgid "A simple eBGP configuration:"
 msgstr "A simple eBGP configuration:"
 
@@ -1572,6 +1550,14 @@ msgstr "A simple example of Shaper using priorities."
 msgid "A simple example of an FQ-CoDel policy working inside a Shaper one."
 msgstr "A simple example of an FQ-CoDel policy working inside a Shaper one."
 
+#: ../../configuration/firewall/index.rst:14
+msgid "A simplified traffic flow, based on Netfilter packet flow, is shown next, in order to have a full view and understanding of how packets are processed, and what possible paths can take."
+msgstr "A simplified traffic flow, based on Netfilter packet flow, is shown next, in order to have a full view and understanding of how packets are processed, and what possible paths can take."
+
+#: ../../configuration/firewall/index.rst:14
+msgid "A simplified traffic flow diagram, based on Netfilter packet flow, is shown next, in order to have a full view and understanding of how packets are processed, and what possible paths traffic can take."
+msgstr "A simplified traffic flow diagram, based on Netfilter packet flow, is shown next, in order to have a full view and understanding of how packets are processed, and what possible paths traffic can take."
+
 #: ../../configuration/nat/nat66.rst:28
 msgid "A single internal network and external network. Use the NAT66 device to connect a single internal network and public network, and the hosts in the internal network use IPv6 address prefixes that only support routing within the local range. When a host in the internal network accesses the external network, the source IPv6 address prefix in the message will be converted into a global unicast IPv6 address prefix by the NAT66 device."
 msgstr "A single internal network and external network. Use the NAT66 device to connect a single internal network and public network, and the hosts in the internal network use IPv6 address prefixes that only support routing within the local range. When a host in the internal network accesses the external network, the source IPv6 address prefix in the message will be converted into a global unicast IPv6 address prefix by the NAT66 device."
@@ -1584,11 +1570,11 @@ msgstr "A station acts as a Wi-Fi client accessing the network through an availa
 msgid "A sync group allows VRRP groups to transition together."
 msgstr "A sync group allows VRRP groups to transition together."
 
-#: ../../configuration/protocols/ospf.rst:1316
+#: ../../configuration/protocols/ospf.rst:1318
 msgid "A typical configuration using 2 nodes."
 msgstr "A typical configuration using 2 nodes."
 
-#: ../../configuration/nat/nat44.rst:400
+#: ../../configuration/nat/nat44.rst:414
 msgid "A typical problem with using NAT and hosting public servers is the ability for internal systems to reach an internal server using it's external IP address. The solution to this is usually the use of split-DNS to correctly point host systems to the internal address when requests are made internally. Because many smaller networks lack DNS infrastructure, a work-around is commonly deployed to facilitate the traffic by NATing the request from internal hosts to the source address of the internal interface on the firewall."
 msgstr "A typical problem with using NAT and hosting public servers is the ability for internal systems to reach an internal server using it's external IP address. The solution to this is usually the use of split-DNS to correctly point host systems to the internal address when requests are made internally. Because many smaller networks lack DNS infrastructure, a work-around is commonly deployed to facilitate the traffic by NATing the request from internal hosts to the source address of the internal interface on the firewall."
 
@@ -1612,11 +1598,11 @@ msgstr "A value of 296 works well on very slow links (40 bytes for TCP/IP header
 msgid "A very small buffer will soon start dropping packets."
 msgstr "A very small buffer will soon start dropping packets."
 
-#: ../../configuration/firewall/zone.rst:33
+#: ../../configuration/firewall/zone.rst:52
 msgid "A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone."
 msgstr "A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone."
 
-#: ../../configuration/service/dns.rst:384
+#: ../../configuration/service/dns.rst:397
 msgid "Above, command syntax isn noted to configure dynamic dns on a specific interface. It is possible to overlook the additional address option, web, when completeing those commands. ddclient_ has another way to determine the WAN IP address, using a web-based url to determine the external IP. Each of the commands above will need to be modified to use 'web' as the 'interface' specified if this functionality is to be utilized."
 msgstr "Above, command syntax isn noted to configure dynamic dns on a specific interface. It is possible to overlook the additional address option, web, when completeing those commands. ddclient_ has another way to determine the WAN IP address, using a web-based url to determine the external IP. Each of the commands above will need to be modified to use 'web' as the 'interface' specified if this functionality is to be utilized."
 
@@ -1652,12 +1638,14 @@ msgstr "Action must be taken immediately - A condition that should be corrected
 msgid "Action which will be run once the ctrl-alt-del keystroke is received."
 msgstr "Action which will be run once the ctrl-alt-del keystroke is received."
 
-#: ../../configuration/firewall/general.rst:327
+#: ../../configuration/firewall/bridge.rst:65
+#: ../../configuration/firewall/ipv4.rst:81
+#: ../../configuration/firewall/ipv6.rst:81
 #: ../../configuration/policy/route.rst:238
 msgid "Actions"
 msgstr "Actions"
 
-#: ../../configuration/interfaces/openvpn.rst:431
+#: ../../configuration/interfaces/openvpn.rst:483
 msgid "Active Directory"
 msgstr "Active Directory"
 
@@ -1737,7 +1725,7 @@ msgstr "Add the private key portion of this certificate to the CLI. This should
 msgid "Add the public CA certificate for the CA named `name` to the VyOS CLI."
 msgstr "Add the public CA certificate for the CA named `name` to the VyOS CLI."
 
-#: ../../configuration/vpn/openconnect.rst:169
+#: ../../configuration/vpn/openconnect.rst:176
 msgid "Adding a 2FA with an OTP-key"
 msgstr "Adding a 2FA with an OTP-key"
 
@@ -1753,7 +1741,7 @@ msgstr "Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing
 msgid "Additionally, each client needs a copy of ca cert and its own client key and cert files. The files are plaintext so they may be copied either manually from the CLI. Client key and cert files should be signed with the proper ca cert and generated on the server side."
 msgstr "Additionally, each client needs a copy of ca cert and its own client key and cert files. The files are plaintext so they may be copied either manually from the CLI. Client key and cert files should be signed with the proper ca cert and generated on the server side."
 
-#: ../../configuration/nat/nat44.rst:738
+#: ../../configuration/nat/nat44.rst:760
 msgid "Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above)"
 msgstr "Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above)"
 
@@ -1765,7 +1753,7 @@ msgstr "Additionally you should keep in mind that this feature fundamentally dis
 msgid "Address"
 msgstr "Address"
 
-#: ../../configuration/nat/nat44.rst:219
+#: ../../configuration/nat/nat44.rst:231
 msgid "Address Conversion"
 msgstr "Address Conversion"
 
@@ -1773,20 +1761,19 @@ msgstr "Address Conversion"
 msgid "Address Families"
 msgstr "Address Families"
 
-#: ../../configuration/firewall/general.rst:192
-#: ../../configuration/firewall/general-legacy.rst:168
+#: ../../configuration/firewall/groups.rst:19
 msgid "Address Groups"
 msgstr "Address Groups"
 
-#: ../../configuration/service/dhcp-server.rst:662
+#: ../../configuration/service/dhcp-server.rst:592
 msgid "Address pool shall be ``2001:db8::100`` through ``2001:db8::199``."
 msgstr "Address pool shall be ``2001:db8::100`` through ``2001:db8::199``."
 
-#: ../../configuration/service/dhcp-server.rst:652
+#: ../../configuration/service/dhcp-server.rst:582
 msgid "Address pools"
 msgstr "Address pools"
 
-#: ../../configuration/service/https.rst:42
+#: ../../configuration/service/https.rst:33
 msgid "Address to listen for HTTPS requests"
 msgstr "Address to listen for HTTPS requests"
 
@@ -1798,7 +1785,7 @@ msgstr "Adds registry to list of unqualified-search-registries. By default, for
 msgid "Administrative Distance"
 msgstr "Administrative Distance"
 
-#: ../../configuration/nat/nat44.rst:289
+#: ../../configuration/nat/nat44.rst:301
 msgid "Advanced configuration can be used in order to apply source or destination NAT, and within a single rule, be able to define multiple translated addresses, so NAT balances the translations among them."
 msgstr "Advanced configuration can be used in order to apply source or destination NAT, and within a single rule, be able to define multiple translated addresses, so NAT balances the translations among them."
 
@@ -1818,7 +1805,7 @@ msgstr "Advertising a Prefix"
 msgid "After commit the plaintext passwords will be hashed and stored in your configuration. The resulting CLI config will look like:"
 msgstr "After commit the plaintext passwords will be hashed and stored in your configuration. The resulting CLI config will look like:"
 
-#: ../../configuration/vrf/index.rst:323
+#: ../../configuration/vrf/index.rst:325
 msgid "After committing the configuration we can verify all leaked routes are installed, and try to ICMP ping PC1 from PC3."
 msgstr "After committing the configuration we can verify all leaked routes are installed, and try to ICMP ping PC1 from PC3."
 
@@ -1846,7 +1833,7 @@ msgstr "Algorithm"
 msgid "Aliases"
 msgstr "Aliases"
 
-#: ../../configuration/service/dns.rst:154
+#: ../../configuration/service/dns.rst:167
 msgid "All DNS requests for example.com must be forwarded to a DNS server at 192.0.2.254 and 2001:db8:cafe::1"
 msgstr "All DNS requests for example.com must be forwarded to a DNS server at 192.0.2.254 and 2001:db8:cafe::1"
 
@@ -1874,7 +1861,7 @@ msgstr "All interfaces used for the DHCP relay must be configured. This includes
 msgid "All items in a sync group should be similarly configured. If one VRRP group is set to a different preemption delay or priority, it would result in an endless transition loop."
 msgstr "All items in a sync group should be similarly configured. If one VRRP group is set to a different preemption delay or priority, it would result in an endless transition loop."
 
-#: ../../configuration/service/dns.rst:156
+#: ../../configuration/service/dns.rst:169
 msgid "All other DNS requests will be forwarded to a different set of DNS servers at 192.0.2.1, 192.0.2.2, 2001:db8::1:ffff and 2001:db8::2:ffff"
 msgstr "All other DNS requests will be forwarded to a different set of DNS servers at 192.0.2.1, 192.0.2.2, 2001:db8::1:ffff and 2001:db8::2:ffff"
 
@@ -1882,6 +1869,10 @@ msgstr "All other DNS requests will be forwarded to a different set of DNS serve
 msgid "All reply sizes are accepted by default."
 msgstr "All reply sizes are accepted by default."
 
+#: ../../configuration/protocols/pim.rst:91
+msgid "All routers in the PIM network must agree on these values."
+msgstr "All routers in the PIM network must agree on these values."
+
 #: ../../configuration/system/task-scheduler.rst:10
 msgid "All scripts excecuted this way are executed as root user - this may be dangerous. Together with :ref:`command-scripting` this can be used for automating (re-)configuration."
 msgstr "All scripts excecuted this way are executed as root user - this may be dangerous. Together with :ref:`command-scripting` this can be used for automating (re-)configuration."
@@ -1894,11 +1885,11 @@ msgstr "All these rules with OTC will help to detect and mitigate route leaks an
 msgid "All those protocols are grouped under ``interfaces tunnel`` in VyOS. Let's take a closer look at the protocols and options currently supported by VyOS."
 msgstr "All those protocols are grouped under ``interfaces tunnel`` in VyOS. Let's take a closer look at the protocols and options currently supported by VyOS."
 
-#: ../../configuration/firewall/zone.rst:36
+#: ../../configuration/firewall/zone.rst:55
 msgid "All traffic between zones is affected by existing policies"
 msgstr "All traffic between zones is affected by existing policies"
 
-#: ../../configuration/firewall/zone.rst:35
+#: ../../configuration/firewall/zone.rst:54
 msgid "All traffic to and from an interface within a zone is permitted."
 msgstr "All traffic to and from an interface within a zone is permitted."
 
@@ -1922,7 +1913,7 @@ msgstr "Allow access to sites in a domain without retrieving them from the Proxy
 msgid "Allow bgp to negotiate the extended-nexthop capability with it’s peer. If you are peering over a IPv6 Link-Local address then this capability is turned on automatically. If you are peering over a IPv6 Global Address then turning on this command will allow BGP to install IPv4 routes with IPv6 nexthops if you do not have IPv4 configured on interfaces."
 msgstr "Allow bgp to negotiate the extended-nexthop capability with it’s peer. If you are peering over a IPv6 Link-Local address then this capability is turned on automatically. If you are peering over a IPv6 Global Address then turning on this command will allow BGP to install IPv4 routes with IPv6 nexthops if you do not have IPv4 configured on interfaces."
 
-#: ../../configuration/service/dns.rst:346
+#: ../../configuration/service/dns.rst:359
 msgid "Allow explicit IPv6 address for the interface."
 msgstr "Allow explicit IPv6 address for the interface."
 
@@ -1930,15 +1921,24 @@ msgstr "Allow explicit IPv6 address for the interface."
 msgid "Allow host networking in a container. The network stack of the container is not isolated from the host and will use the host IP."
 msgstr "Allow host networking in a container. The network stack of the container is not isolated from the host and will use the host IP."
 
+#: ../../configuration/service/mdns.rst:43
+msgid "Allow listing additional custom domains to be browsed (in addition to the default ``local``) so that they can be reflected."
+msgstr "Allow listing additional custom domains to be browsed (in addition to the default ``local``) so that they can be reflected."
+
 #: ../../configuration/protocols/bfd.rst:34
 msgid "Allow this BFD peer to not be directly connected"
 msgstr "Allow this BFD peer to not be directly connected"
 
-#: ../../configuration/firewall/general.rst:1137
 #: ../../configuration/firewall/general-legacy.rst:694
 msgid "Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma separated. The ``!`` negate the selected protocol."
 msgstr "Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma separated. The ``!`` negate the selected protocol."
 
+#: ../../configuration/firewall/ipv4.rst:812
+#: ../../configuration/firewall/ipv6.rst:821
+#: ../../configuration/system/conntrack.rst:199
+msgid "Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for inverted selection use ``not``, as shown in the example."
+msgstr "Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for inverted selection use ``not``, as shown in the example."
+
 #: ../../configuration/interfaces/bridge.rst:162
 msgid "Allows specific VLAN IDs to pass through the bridge member interface. This can either be an individual VLAN id or a range of VLAN ids delimited by a hyphen."
 msgstr "Allows specific VLAN IDs to pass through the bridge member interface. This can either be an individual VLAN id or a range of VLAN ids delimited by a hyphen."
@@ -1959,7 +1959,9 @@ msgstr "Allows you to configure the next-hop interface for an interface-based IP
 msgid "Already learned known_hosts files of clients need an update as the public key will change."
 msgstr "Already learned known_hosts files of clients need an update as the public key will change."
 
-#: ../../configuration/firewall/general.rst:377
+#: ../../configuration/firewall/bridge.rst:123
+#: ../../configuration/firewall/ipv4.rst:166
+#: ../../configuration/firewall/ipv6.rst:166
 msgid "Also, **default-action** is an action that takes place whenever a packet does not match any rule in it's chain. For base chains, possible options for **default-action** are **accept** or **drop**."
 msgstr "Also, **default-action** is an action that takes place whenever a packet does not match any rule in it's chain. For base chains, possible options for **default-action** are **accept** or **drop**."
 
@@ -1971,7 +1973,7 @@ msgstr "Also, for backwards compatibility this configuration, which uses generic
 msgid "Also, for those who haven't updated to newer version, legacy documentation is still present and valid for all sagitta version prior to VyOS 1.4-rolling-202308040557:"
 msgstr "Also, for those who haven't updated to newer version, legacy documentation is still present and valid for all sagitta version prior to VyOS 1.4-rolling-202308040557:"
 
-#: ../../configuration/nat/nat44.rst:276
+#: ../../configuration/nat/nat44.rst:288
 msgid "Also, in :ref:`destination-nat`, redirection to localhost is supported. The redirect statement is a special form of dnat which always translates the destination address to the local host’s one."
 msgstr "Also, in :ref:`destination-nat`, redirection to localhost is supported. The redirect statement is a special form of dnat which always translates the destination address to the local host’s one."
 
@@ -1983,15 +1985,15 @@ msgstr "Alternate Routing Tables"
 msgid "Alternate routing tables are used with policy based routing by utilizing :ref:`vrf`."
 msgstr "Alternate routing tables are used with policy based routing by utilizing :ref:`vrf`."
 
-#: ../../configuration/interfaces/vxlan.rst:321
+#: ../../configuration/interfaces/vxlan.rst:342
 msgid "Alternative to multicast, the remote IPv4 address of the VXLAN tunnel can be set directly. Let's change the Multicast example from above:"
 msgstr "Alternative to multicast, the remote IPv4 address of the VXLAN tunnel can be set directly. Let's change the Multicast example from above:"
 
-#: ../../configuration/service/dhcp-server.rst:130
+#: ../../configuration/service/dhcp-server.rst:116
 msgid "Always exclude this address from any defined range. This address will never be assigned by the DHCP server."
 msgstr "Always exclude this address from any defined range. This address will never be assigned by the DHCP server."
 
-#: ../../configuration/firewall/general.rst:241
+#: ../../configuration/firewall/groups.rst:68
 msgid "An **interface group** represents a collection of interfaces."
 msgstr "An **interface group** represents a collection of interfaces."
 
@@ -2035,6 +2037,10 @@ msgstr "An agent is a network-management software module that resides on a manag
 msgid "An alternate command could be \"mpls-te on\" (Traffic Engineering)"
 msgstr "An alternate command could be \"mpls-te on\" (Traffic Engineering)"
 
+#: ../../configuration/firewall/ipv4.rst:373
+msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion."
+msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion."
+
 #: ../../configuration/firewall/general-legacy.rst:424
 msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
 msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
@@ -2043,7 +2049,7 @@ msgstr "An arbitrary netmask can be applied to mask addresses to only match agai
 msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)."
 msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)."
 
-#: ../../configuration/firewall/general.rst:619
+#: ../../configuration/firewall/ipv6.rst:371
 msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
 msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
 
@@ -2072,7 +2078,7 @@ msgstr "An example of creating a VLAN-aware bridge is as follows:"
 msgid "An example of key generation:"
 msgstr "An example of key generation:"
 
-#: ../../configuration/vpn/openconnect.rst:291
+#: ../../configuration/vpn/openconnect.rst:298
 msgid "An example of the data captured by a FREERADIUS server with sql accounting:"
 msgstr "An example of the data captured by a FREERADIUS server with sql accounting:"
 
@@ -2080,10 +2086,34 @@ msgstr "An example of the data captured by a FREERADIUS server with sql accounti
 msgid "An option that takes a quoted string is set by replacing all quote characters with the string ``&quot;`` inside the static-mapping-parameters value. The resulting line in dhcpd.conf will be ``option pxelinux.configfile \"pxelinux.cfg/01-00-15-17-44-2d-aa\";``."
 msgstr "An option that takes a quoted string is set by replacing all quote characters with the string ``&quot;`` inside the static-mapping-parameters value. The resulting line in dhcpd.conf will be ``option pxelinux.configfile \"pxelinux.cfg/01-00-15-17-44-2d-aa\";``."
 
+#: ../../configuration/firewall/flowtables.rst:142
+msgid "Analysis on what happens for desired connection:"
+msgstr "Analysis on what happens for desired connection:"
+
+#: ../../configuration/firewall/bridge.rst:297
+msgid "And, to print only bridge firewall information:"
+msgstr "And, to print only bridge firewall information:"
+
+#: ../../configuration/firewall/ipv4.rst:57
+msgid "And base chain for traffic generated by the router is ``set firewall ipv4 output filter ...``"
+msgstr "And base chain for traffic generated by the router is ``set firewall ipv4 output filter ...``"
+
+#: ../../configuration/firewall/ipv6.rst:57
+msgid "And base chain for traffic generated by the router is ``set firewall ipv6 output filter ...``"
+msgstr "And base chain for traffic generated by the router is ``set firewall ipv6 output filter ...``"
+
 #: ../../configuration/policy/route.rst:76
 msgid "And for ipv6:"
 msgstr "And for ipv6:"
 
+#: ../../configuration/firewall/groups.rst:165
+msgid "And next, some configuration example where groups are used:"
+msgstr "And next, some configuration example where groups are used:"
+
+#: ../../configuration/firewall/bridge.rst:349
+msgid "And op-mode commands:"
+msgstr "And op-mode commands:"
+
 #: ../../configuration/system/ip.rst:84
 msgid "And the different IPv4 **reset** commands available:"
 msgstr "And the different IPv4 **reset** commands available:"
@@ -2093,7 +2123,7 @@ msgstr "And the different IPv4 **reset** commands available:"
 msgid "And then hash is reduced modulo slave count."
 msgstr "And then hash is reduced modulo slave count."
 
-#: ../../configuration/nat/nat44.rst:590
+#: ../../configuration/nat/nat44.rst:614
 msgid "Another term often used for DNAT is **1-to-1 NAT**. For a 1-to-1 NAT configuration, both DNAT and SNAT are used to NAT all traffic from an external IP address to an internal IP address and vice-versa."
 msgstr "Another term often used for DNAT is **1-to-1 NAT**. For a 1-to-1 NAT configuration, both DNAT and SNAT are used to NAT all traffic from an external IP address to an internal IP address and vice-versa."
 
@@ -2118,7 +2148,7 @@ msgstr "Apply a route-map filter to routes for the specified protocol. The follo
 msgid "Apply routing policy to **inbound** direction of out VLAN interfaces"
 msgstr "Apply routing policy to **inbound** direction of out VLAN interfaces"
 
-#: ../../configuration/firewall/zone.rst:82
+#: ../../configuration/firewall/zone.rst:101
 msgid "Applying a Rule-Set to a Zone"
 msgstr "Applying a Rule-Set to a Zone"
 
@@ -2151,49 +2181,11 @@ msgstr "Arista EOS"
 msgid "Aruba/HP"
 msgstr "Aruba/HP"
 
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
 #: ../../configuration/interfaces/pppoe.rst:207
 #: ../../configuration/interfaces/pppoe.rst:253
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
 #: ../../configuration/interfaces/sstp-client.rst:79
 #: ../../_include/interface-ip.txt:4
 #: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
-#: ../../_include/interface-ip.txt:4
-#: ../../_include/interface-ipv6.txt:60
 msgid "As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally 'do not try to send me packets bigger than this value'."
 msgstr "As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally 'do not try to send me packets bigger than this value'."
 
@@ -2209,6 +2201,10 @@ msgstr "As VyOS is Linux based the default port used is not using 4789 as the de
 msgid "As VyOS is based on Linux and there was no official IANA port assigned for VXLAN, VyOS uses a default port of 8472. You can change the port on a per VXLAN interface basis to get it working across multiple vendors."
 msgstr "As VyOS is based on Linux and there was no official IANA port assigned for VXLAN, VyOS uses a default port of 8472. You can change the port on a per VXLAN interface basis to get it working across multiple vendors."
 
+#: ../../configuration/firewall/index.rst:7
+msgid "As VyOS is based on Linux it leverages its firewall. The Netfilter project created iptables and its successor nftables for the Linux kernel to work directly on packet data flows. This now extends the concept of zone-based security to allow for manipulating the data at multiple stages once accepted by the network interface and the driver before being handed off to the destination (e.g., a web server OR another device)."
+msgstr "As VyOS is based on Linux it leverages its firewall. The Netfilter project created iptables and its successor nftables for the Linux kernel to work directly on packet data flows. This now extends the concept of zone-based security to allow for manipulating the data at multiple stages once accepted by the network interface and the driver before being handed off to the destination (e.g., a web server OR another device)."
+
 #: ../../configuration/interfaces/wwan.rst:326
 msgid "As VyOS makes use of the QMI interface to connect to the WWAN modem cards, also the firmware can be reprogrammed."
 msgstr "As VyOS makes use of the QMI interface to connect to the WWAN modem cards, also the firmware can be reprogrammed."
@@ -2221,10 +2217,14 @@ msgstr "As a reference: for 10mbit/s on Intel, you might need at least 10kbyte b
 msgid "As a result, the processing of each packet becomes more efficient, potentially leveraging hardware encryption offloading support available in the kernel."
 msgstr "As a result, the processing of each packet becomes more efficient, potentially leveraging hardware encryption offloading support available in the kernel."
 
-#: ../../configuration/firewall/zone.rst:49
+#: ../../configuration/firewall/zone.rst:68
 msgid "As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs."
 msgstr "As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs."
 
+#: ../../configuration/firewall/flowtables.rst:109
+msgid "As described, first packet will be evaluated by all the firewall path, so desired connection should be explicitely accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are used in order to accept connection in reverse patch."
+msgstr "As described, first packet will be evaluated by all the firewall path, so desired connection should be explicitely accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are used in order to accept connection in reverse patch."
+
 #: ../../configuration/system/option.rst:80
 msgid "As more and more routers run on Hypervisors, expecially with a :abbr:`NOS (Network Operating System)` as VyOS, it makes fewer and fewer sense to use static resource bindings like ``smp-affinity`` as present in VyOS 1.2 and earlier to pin certain interrupt handlers to specific CPUs."
 msgstr "As more and more routers run on Hypervisors, expecially with a :abbr:`NOS (Network Operating System)` as VyOS, it makes fewer and fewer sense to use static resource bindings like ``smp-affinity`` as present in VyOS 1.2 and earlier to pin certain interrupt handlers to specific CPUs."
@@ -2241,6 +2241,10 @@ msgstr "As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys
 msgid "As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1."
 msgstr "As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1."
 
+#: ../../configuration/firewall/groups.rst:147
+msgid "As said before, once firewall groups are created, they can be referenced either in firewall, nat, nat66 and/or policy-route rules."
+msgstr "As said before, once firewall groups are created, they can be referenced either in firewall, nat, nat66 and/or policy-route rules."
+
 #: ../../configuration/trafficpolicy/index.rst:196
 msgid "As shown in the example above, one of the possibilities to match packets is based on marks done by the firewall, `that can give you a great deal of flexibility`_."
 msgstr "As shown in the example above, one of the possibilities to match packets is based on marks done by the firewall, `that can give you a great deal of flexibility`_."
@@ -2249,11 +2253,11 @@ msgstr "As shown in the example above, one of the possibilities to match packets
 msgid "As shown in the last command of the example above, the `queue-type` setting allows these combinations. You will be able to use it in many policies."
 msgstr "As shown in the last command of the example above, the `queue-type` setting allows these combinations. You will be able to use it in many policies."
 
-#: ../../configuration/firewall/index.rst:81
+#: ../../configuration/firewall/index.rst:176
 msgid "As the example image below shows, the device now needs rules to allow/block traffic to or from the services running on the device that have open connections on that interface."
 msgstr "As the example image below shows, the device now needs rules to allow/block traffic to or from the services running on the device that have open connections on that interface."
 
-#: ../../configuration/firewall/index.rst:60
+#: ../../configuration/firewall/index.rst:182
 msgid "As the example image below shows, the device was configured with rules blocking inbound or outbound traffic on each interface."
 msgstr "As the example image below shows, the device was configured with rules blocking inbound or outbound traffic on each interface."
 
@@ -2281,7 +2285,7 @@ msgstr "As with other policies, you can define different type of matching rules
 msgid "As with other policies, you can embed_ other policies into the classes (and default) of your Priority Queue policy through the ``queue-type`` setting:"
 msgstr "As with other policies, you can embed_ other policies into the classes (and default) of your Priority Queue policy through the ``queue-type`` setting:"
 
-#: ../../configuration/interfaces/vxlan.rst:264
+#: ../../configuration/interfaces/vxlan.rst:285
 msgid "As you can see, Leaf2 and Leaf3 configuration is almost identical. There are lots of commands above, I'll try to into more detail below, command descriptions are placed under the command boxes:"
 msgstr "As you can see, Leaf2 and Leaf3 configuration is almost identical. There are lots of commands above, I'll try to into more detail below, command descriptions are placed under the command boxes:"
 
@@ -2309,7 +2313,7 @@ msgstr "Assign member interfaces to PortChannel"
 msgid "Assign static IP address to `<user>` account."
 msgstr "Assign static IP address to `<user>` account."
 
-#: ../../configuration/service/dhcp-server.rst:111
+#: ../../configuration/service/dhcp-server.rst:97
 msgid "Assign the IP address to this machine for `<time>` seconds."
 msgstr "Assign the IP address to this machine for `<time>` seconds."
 
@@ -2377,7 +2381,6 @@ msgstr "Assured Forwarding(AF) 43"
 msgid "At every round, the deficit counter adds the quantum so that even large packets will have their opportunity to be dequeued."
 msgstr "At every round, the deficit counter adds the quantum so that even large packets will have their opportunity to be dequeued."
 
-#: ../../configuration/firewall/general.rst:1489
 #: ../../configuration/firewall/general-legacy.rst:972
 msgid "At the moment it not possible to look at the whole firewall log with VyOS operational commands. All logs will save to ``/var/logs/messages``. For example: ``grep '10.10.0.10' /var/log/messages``"
 msgstr "At the moment it not possible to look at the whole firewall log with VyOS operational commands. All logs will save to ``/var/logs/messages``. For example: ``grep '10.10.0.10' /var/log/messages``"
@@ -2434,7 +2437,7 @@ msgstr "Authentication – to verify that the message is from a valid source."
 msgid "Authorization token"
 msgstr "Authorization token"
 
-#: ../../configuration/service/pppoe-server.rst:172
+#: ../../configuration/service/pppoe-server.rst:159
 msgid "Automatic VLAN Creation"
 msgstr "Automatic VLAN Creation"
 
@@ -2442,6 +2445,10 @@ msgstr "Automatic VLAN Creation"
 msgid "Automatic VLAN creation"
 msgstr "Automatic VLAN creation"
 
+#: ../../configuration/protocols/pim.rst:137
+msgid "Automatically create BFD session for each RIP peer discovered in this interface. When the BFD session monitor signalize that the link is down the RIP peer is removed and all the learned routes associated with that peer are removed."
+msgstr "Automatically create BFD session for each RIP peer discovered in this interface. When the BFD session monitor signalize that the link is down the RIP peer is removed and all the learned routes associated with that peer are removed."
+
 #: ../../configuration/system/option.rst:19
 msgid "Automatically reboot system on kernel panic after 60 seconds."
 msgstr "Automatically reboot system on kernel panic after 60 seconds."
@@ -2450,7 +2457,7 @@ msgstr "Automatically reboot system on kernel panic after 60 seconds."
 msgid "Autonomous Systems"
 msgstr "Autonomous Systems"
 
-#: ../../configuration/nat/nat44.rst:370
+#: ../../configuration/nat/nat44.rst:384
 msgid "Avoiding \"leaky\" NAT"
 msgstr "Avoiding \"leaky\" NAT"
 
@@ -2530,7 +2537,7 @@ msgstr "BGP roles are defined in RFC :rfc:`9234` and provide an easy way to add
 msgid "BGP routers connected inside the same AS through BGP belong to an internal BGP session, or IBGP. In order to prevent routing table loops, IBGP speaker does not advertise IBGP-learned routes to other IBGP speaker (Split Horizon mechanism). As such, IBGP requires a full mesh of all peers. For large networks, this quickly becomes unscalable."
 msgstr "BGP routers connected inside the same AS through BGP belong to an internal BGP session, or IBGP. In order to prevent routing table loops, IBGP speaker does not advertise IBGP-learned routes to other IBGP speaker (Split Horizon mechanism). As such, IBGP requires a full mesh of all peers. For large networks, this quickly becomes unscalable."
 
-#: ../../configuration/vrf/index.rst:411
+#: ../../configuration/vrf/index.rst:413
 msgid "BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may also be leaked between any VRFs (including the unicast RIB of the default BGP instance). A shortcut syntax is also available for specifying leaking from one VRF to another VRF using the default instance’s VPN RIB as the intemediary . A common application of the VRF-VRF feature is to connect a customer’s private routing domain to a provider’s VPN service. Leaking is configured from the point of view of an individual VRF: import refers to routes leaked from VPN to a unicast VRF, whereas export refers to routes leaked from a unicast VRF to VPN."
 msgstr "BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may also be leaked between any VRFs (including the unicast RIB of the default BGP instance). A shortcut syntax is also available for specifying leaking from one VRF to another VRF using the default instance’s VPN RIB as the intemediary . A common application of the VRF-VRF feature is to connect a customer’s private routing domain to a provider’s VPN service. Leaking is configured from the point of view of an individual VRF: import refers to routes leaked from VPN to a unicast VRF, whereas export refers to routes leaked from a unicast VRF to VPN."
 
@@ -2563,7 +2570,7 @@ msgid "Balancing based on domain name"
 msgstr "Balancing based on domain name"
 
 #: ../../configuration/service/ipoe-server.rst:122
-#: ../../configuration/service/pppoe-server.rst:195
+#: ../../configuration/service/pppoe-server.rst:182
 #: ../../configuration/vpn/l2tp.rst:113
 msgid "Bandwidth Shaping"
 msgstr "Bandwidth Shaping"
@@ -2573,7 +2580,7 @@ msgstr "Bandwidth Shaping"
 msgid "Bandwidth Shaping for local users"
 msgstr "Bandwidth Shaping for local users"
 
-#: ../../configuration/service/pppoe-server.rst:197
+#: ../../configuration/service/pppoe-server.rst:184
 msgid "Bandwidth rate limits can be set for local users or RADIUS based attributes."
 msgstr "Bandwidth rate limits can be set for local users or RADIUS based attributes."
 
@@ -2585,7 +2592,14 @@ msgstr "Bandwidth rate limits can be set for local users or via RADIUS based att
 msgid "Bandwidth rate limits can be set for local users within the configuration or via RADIUS based attributes."
 msgstr "Bandwidth rate limits can be set for local users within the configuration or via RADIUS based attributes."
 
-#: ../../configuration/vpn/dmvpn.rst:34
+#: ../../configuration/firewall/ipv4.rst:54
+msgid "Base chain is for traffic toward the router is ``set firewall ipv4 input filter ...``"
+msgstr "Base chain is for traffic toward the router is ``set firewall ipv4 input filter ...``"
+
+#: ../../configuration/firewall/ipv6.rst:54
+msgid "Base chain is for traffic toward the router is ``set firewall ipv6 input filter ...``"
+msgstr "Base chain is for traffic toward the router is ``set firewall ipv6 input filter ...``"
+
 #: ../../configuration/vpn/dmvpn.rst:34
 msgid "Baseline DMVPN topology"
 msgstr "Baseline DMVPN topology"
@@ -2594,7 +2608,6 @@ msgstr "Baseline DMVPN topology"
 msgid "Basic Concepts"
 msgstr "Basic Concepts"
 
-#: ../../configuration/protocols/igmp.rst:91
 #: ../../configuration/protocols/pim6.rst:26
 msgid "Basic commands"
 msgstr "Basic commands"
@@ -2611,7 +2624,7 @@ msgstr "Basic filtering could also be applied to IPv6 traffic."
 msgid "Basic setup"
 msgstr "Basic setup"
 
-#: ../../configuration/vpn/openconnect.rst:255
+#: ../../configuration/vpn/openconnect.rst:262
 msgid "Be sure to set a sane default config in the default config file, this will be loaded in the case that a user is authenticated and no file is found in the configured directory matching the users username/group."
 msgstr "Be sure to set a sane default config in the default config file, this will be loaded in the case that a user is authenticated and no file is found in the configured directory matching the users username/group."
 
@@ -2631,11 +2644,11 @@ msgstr "Because existing sessions do not automatically fail over to a new path,
 msgid "Before enabling any hardware segmentation offload a corresponding software offload is required in GSO. Otherwise it becomes possible for a frame to be re-routed between devices and end up being unable to be transmitted."
 msgstr "Before enabling any hardware segmentation offload a corresponding software offload is required in GSO. Otherwise it becomes possible for a frame to be re-routed between devices and end up being unable to be transmitted."
 
-#: ../../configuration/firewall/zone.rst:84
+#: ../../configuration/firewall/zone.rst:103
 msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."
 msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first."
 
-#: ../../configuration/vpn/site2site_ipsec.rst:413
+#: ../../configuration/vpn/site2site_ipsec.rst:422
 msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
 msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
 
@@ -2663,7 +2676,7 @@ msgstr "Binary value"
 msgid "Bind listener to specific interface/address, mandatory for IPv6"
 msgstr "Bind listener to specific interface/address, mandatory for IPv6"
 
-#: ../../configuration/interfaces/vxlan.rst:285
+#: ../../configuration/interfaces/vxlan.rst:306
 msgid "Binds eth1.241 and vxlan241 to each other by making them both member interfaces of the same bridge."
 msgstr "Binds eth1.241 and vxlan241 to each other by making them both member interfaces of the same bridge."
 
@@ -2695,15 +2708,15 @@ msgstr "Bond / Link Aggregation"
 msgid "Bond options"
 msgstr "Bond options"
 
-#: ../../configuration/service/dhcp-server.rst:339
+#: ../../configuration/service/dhcp-server.rst:306
 msgid "Boot image length in 512-octet blocks"
 msgstr "Boot image length in 512-octet blocks"
 
-#: ../../configuration/service/dhcp-server.rst:334
+#: ../../configuration/service/dhcp-server.rst:301
 msgid "Bootstrap file name"
 msgstr "Bootstrap file name"
 
-#: ../../configuration/interfaces/vxlan.rst:102
+#: ../../configuration/interfaces/vxlan.rst:123
 msgid "Both IPv4 and IPv6 multicast is possible."
 msgstr "Both IPv4 and IPv6 multicast is possible."
 
@@ -2711,25 +2724,6 @@ msgstr "Both IPv4 and IPv6 multicast is possible."
 msgid "Both local administered and remote administered :abbr:`RADIUS (Remote Authentication Dial-In User Service)` accounts are supported."
 msgstr "Both local administered and remote administered :abbr:`RADIUS (Remote Authentication Dial-In User Service)` accounts are supported."
 
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
-#: ../../_include/interface-ip.txt:88
 #: ../../_include/interface-ip.txt:88
 msgid "Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on."
 msgstr "Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on."
@@ -2746,10 +2740,18 @@ msgstr "Bridge"
 msgid "Bridge:"
 msgstr "Bridge:"
 
+#: ../../configuration/firewall/bridge.rst:7
+msgid "Bridge Firewall Configuration"
+msgstr "Bridge Firewall Configuration"
+
 #: ../../configuration/interfaces/bridge.rst:66
 msgid "Bridge Options"
 msgstr "Bridge Options"
 
+#: ../../configuration/firewall/bridge.rst:56
+msgid "Bridge Rules"
+msgstr "Bridge Rules"
+
 #: ../../configuration/interfaces/bridge.rst:198
 #: ../../configuration/interfaces/bridge.rst:233
 msgid "Bridge answers on IP address 192.0.2.1/24 and 2001:db8::ffff/64"
@@ -2779,7 +2781,7 @@ msgstr "By default, VyOS does not advertise a default route (0.0.0.0/0) even if
 msgid "By default, a new token is generated every 30 seconds by the mobile application. In order to compensate for possible time-skew between the client and the server, an extra token before and after the current time is allowed. This allows for a time skew of up to 30 seconds between authentication server and client."
 msgstr "By default, a new token is generated every 30 seconds by the mobile application. In order to compensate for possible time-skew between the client and the server, an extra token before and after the current time is allowed. This allows for a time skew of up to 30 seconds between authentication server and client."
 
-#: ../../configuration/service/dns.rst:380
+#: ../../configuration/service/dns.rst:393
 msgid "By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP."
 msgstr "By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP."
 
@@ -2792,7 +2794,7 @@ msgstr "By default, enabling RPKI does not change best path selection. In partic
 msgid "By default, it supports both planned and unplanned outages."
 msgstr "By default, it supports both planned and unplanned outages."
 
-#: ../../configuration/service/https.rst:54
+#: ../../configuration/service/https.rst:45
 msgid "By default, nginx exposes the local API on all virtual servers. Use this to restrict nginx to one or more virtual hosts."
 msgstr "By default, nginx exposes the local API on all virtual servers. Use this to restrict nginx to one or more virtual hosts."
 
@@ -2808,8 +2810,7 @@ msgstr "By default, the BGP prefix is advertised even if it's not present in the
 msgid "By default, this bridging is allowed."
 msgstr "By default, this bridging is allowed."
 
-#: ../../configuration/firewall/general.rst:90
-#: ../../configuration/firewall/general-legacy.rst:42
+#: ../../configuration/firewall/global-options.rst:27
 msgid "By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall."
 msgstr "By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall."
 
@@ -2876,7 +2877,7 @@ msgstr "Certificates"
 msgid "Change system keyboard layout to given language."
 msgstr "Change system keyboard layout to given language."
 
-#: ../../configuration/firewall/zone.rst:75
+#: ../../configuration/firewall/zone.rst:94
 msgid "Change the default-action with this setting."
 msgstr "Change the default-action with this setting."
 
@@ -2896,6 +2897,10 @@ msgstr "Changing the keymap only has an effect on the system console, using SSH
 msgid "Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173"
 msgstr "Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173"
 
+#: ../../configuration/system/updates.rst:28
+msgid "Check:"
+msgstr "Check:"
+
 #: ../../configuration/system/acceleration.rst:32
 msgid "Check if the Intel® QAT device is up and ready to do the job."
 msgstr "Check if the Intel® QAT device is up and ready to do the job."
@@ -2908,10 +2913,14 @@ msgstr "Check status"
 msgid "Check the many parameters available for the `show ipv6 route` command:"
 msgstr "Check the many parameters available for the `show ipv6 route` command:"
 
-#: ../../configuration/service/pppoe-server.rst:320
+#: ../../configuration/service/pppoe-server.rst:307
 msgid "Checking connections"
 msgstr "Checking connections"
 
+#: ../../configuration/firewall/flowtables.rst:165
+msgid "Checks"
+msgstr "Checks"
+
 #: ../../configuration/service/tftp-server.rst:21
 msgid "Choose your ``directory`` location carefully or you will loose the content on image upgrades. Any directory under ``/config`` is save at this will be migrated."
 msgstr "Choose your ``directory`` location carefully or you will loose the content on image upgrades. Any directory under ``/config`` is save at this will be migrated."
@@ -2920,25 +2929,6 @@ msgstr "Choose your ``directory`` location carefully or you will loose the conte
 msgid "Cisco Catalyst"
 msgstr "Cisco Catalyst"
 
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
-#: ../../_include/interface-ip.txt:168
 #: ../../_include/interface-ip.txt:168
 msgid "Cisco and Allied Telesyn call it Private VLAN"
 msgstr "Cisco and Allied Telesyn call it Private VLAN"
@@ -2955,7 +2945,7 @@ msgstr "Class treatment"
 msgid "Classes"
 msgstr "Classes"
 
-#: ../../configuration/service/dhcp-server.rst:359
+#: ../../configuration/service/dhcp-server.rst:326
 msgid "Classless static route"
 msgstr "Classless static route"
 
@@ -2975,7 +2965,7 @@ msgstr "Client:"
 msgid "Client Address Pools"
 msgstr "Client Address Pools"
 
-#: ../../configuration/interfaces/openvpn.rst:388
+#: ../../configuration/interfaces/openvpn.rst:440
 msgid "Client Authentication"
 msgstr "Client Authentication"
 
@@ -2983,7 +2973,7 @@ msgstr "Client Authentication"
 msgid "Client Configuration"
 msgstr "Client Configuration"
 
-#: ../../configuration/vpn/sstp.rst:278
+#: ../../configuration/vpn/sstp.rst:289
 msgid "Client IP addresses will be provided from pool `192.0.2.0/25`"
 msgstr "Client IP addresses will be provided from pool `192.0.2.0/25`"
 
@@ -2995,11 +2985,11 @@ msgstr "Client Side"
 msgid "Client configuration"
 msgstr "Client configuration"
 
-#: ../../configuration/service/dhcp-server.rst:299
+#: ../../configuration/service/dhcp-server.rst:266
 msgid "Client domain name"
 msgstr "Client domain name"
 
-#: ../../configuration/service/dhcp-server.rst:354
+#: ../../configuration/service/dhcp-server.rst:321
 msgid "Client domain search"
 msgstr "Client domain search"
 
@@ -3011,7 +3001,7 @@ msgstr "Client isolation can be used to prevent low-level bridging of frames bet
 msgid "Clients are identified by the CN field of their x.509 certificates, in this example the CN is ``client0``:"
 msgstr "Clients are identified by the CN field of their x.509 certificates, in this example the CN is ``client0``:"
 
-#: ../../configuration/service/dhcp-server.rst:590
+#: ../../configuration/service/dhcp-server.rst:514
 msgid "Clients receiving advertise messages from multiple servers choose the server with the highest preference value. The range for this value is ``0...255``."
 msgstr "Clients receiving advertise messages from multiple servers choose the server with the highest preference value. The range for this value is ``0...255``."
 
@@ -3023,7 +3013,9 @@ msgstr "Clock daemon"
 msgid "Command completion can be used to list available time zones. The adjustment for daylight time will take place automatically based on the time of year."
 msgstr "Command completion can be used to list available time zones. The adjustment for daylight time will take place automatically based on the time of year."
 
-#: ../../configuration/firewall/general.rst:530
+#: ../../configuration/firewall/bridge.rst:216
+#: ../../configuration/firewall/ipv4.rst:298
+#: ../../configuration/firewall/ipv6.rst:298
 msgid "Command for disabling a rule but keep it in the configuration."
 msgstr "Command for disabling a rule but keep it in the configuration."
 
@@ -3031,12 +3023,16 @@ msgstr "Command for disabling a rule but keep it in the configuration."
 msgid "Command should probably be extended to list also the real interfaces assigned to this one VRF to get a better overview."
 msgstr "Command should probably be extended to list also the real interfaces assigned to this one VRF to get a better overview."
 
-#: ../../configuration/firewall/general.rst:1544
-#: ../../configuration/firewall/general-legacy.rst:1054
+#: ../../configuration/firewall/ipv4.rst:1179
+#: ../../configuration/firewall/ipv6.rst:1195
 msgid "Command used to update GeoIP database and firewall sets."
 msgstr "Command used to update GeoIP database and firewall sets."
 
-#: ../../configuration/service/dhcp-server.rst:438
+#: ../../configuration/firewall/flowtables.rst:119
+msgid "Commands"
+msgstr "Commands"
+
+#: ../../configuration/service/dhcp-server.rst:379
 msgid "Common configuration, valid for both primary and secondary node."
 msgstr "Common configuration, valid for both primary and secondary node."
 
@@ -3072,7 +3068,9 @@ msgid "Confidentiality – Encryption of packets to prevent snooping by an unaut
 msgstr "Confidentiality – Encryption of packets to prevent snooping by an unauthorized source."
 
 #: ../../configuration/container/index.rst:12
-#: ../../configuration/firewall/zone.rst:47
+#: ../../configuration/firewall/global-options.rst:23
+#: ../../configuration/firewall/groups.rst:11
+#: ../../configuration/firewall/zone.rst:66
 #: ../../configuration/interfaces/bonding.rst:17
 #: ../../configuration/interfaces/bridge.rst:21
 #: ../../configuration/interfaces/dummy.rst:28
@@ -3081,6 +3079,7 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/interfaces/l2tpv3.rst:31
 #: ../../configuration/interfaces/loopback.rst:26
 #: ../../configuration/interfaces/macsec.rst:20
+#: ../../configuration/interfaces/openvpn.rst:585
 #: ../../configuration/interfaces/pppoe.rst:59
 #: ../../configuration/interfaces/pseudo-ethernet.rst:45
 #: ../../configuration/interfaces/sstp-client.rst:20
@@ -3090,7 +3089,7 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/interfaces/wireless.rst:30
 #: ../../configuration/interfaces/wwan.rst:16
 #: ../../configuration/loadbalancing/reverse-proxy.rst:13
-#: ../../configuration/nat/nat44.rst:681
+#: ../../configuration/nat/nat44.rst:705
 #: ../../configuration/policy/access-list.rst:13
 #: ../../configuration/policy/as-path-list.rst:10
 #: ../../configuration/policy/community-list.rst:10
@@ -3101,7 +3100,7 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/policy/route-map.rst:10
 #: ../../configuration/protocols/bfd.rst:143
 #: ../../configuration/protocols/bgp.rst:164
-#: ../../configuration/protocols/igmp.rst:186
+#: ../../configuration/protocols/igmp-proxy.rst:14
 #: ../../configuration/protocols/isis.rst:28
 #: ../../configuration/protocols/ospf.rst:22
 #: ../../configuration/protocols/ospf.rst:1076
@@ -3112,13 +3111,13 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/service/dhcp-relay.rst:19
 #: ../../configuration/service/dhcp-relay.rst:137
 #: ../../configuration/service/dhcp-server.rst:22
-#: ../../configuration/service/dhcp-server.rst:586
+#: ../../configuration/service/dhcp-server.rst:510
 #: ../../configuration/service/dns.rst:8
-#: ../../configuration/service/dns.rst:214
+#: ../../configuration/service/dns.rst:227
 #: ../../configuration/service/https.rst:14
 #: ../../configuration/service/ipoe-server.rst:28
 #: ../../configuration/service/lldp.rst:36
-#: ../../configuration/service/mdns.rst:18
+#: ../../configuration/service/mdns.rst:19
 #: ../../configuration/service/ntp.rst:40
 #: ../../configuration/service/pppoe-server.rst:17
 #: ../../configuration/service/salt-minion.rst:25
@@ -3131,28 +3130,31 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
 #: ../../configuration/system/login.rst:241
 #: ../../configuration/system/login.rst:310
 #: ../../configuration/system/sflow.rst:12
+#: ../../configuration/system/updates.rst:8
 #: ../../configuration/vpn/dmvpn.rst:38
 #: ../../configuration/vpn/dmvpn.rst:182
 #: ../../configuration/vpn/openconnect.rst:21
 #: ../../configuration/vpn/sstp.rst:65
 #: ../../configuration/vrf/index.rst:16
 #: ../../configuration/vrf/index.rst:253
-#: ../../configuration/vrf/index.rst:286
-#: ../../configuration/vrf/index.rst:434
+#: ../../configuration/vrf/index.rst:288
+#: ../../configuration/vrf/index.rst:436
 msgid "Configuration"
 msgstr "Configuration"
 
+#: ../../configuration/firewall/flowtables.rst:100
 #: ../../configuration/protocols/babel.rst:188
-#: ../../configuration/protocols/ospf.rst:1314
+#: ../../configuration/protocols/ospf.rst:1316
 #: ../../configuration/protocols/pim6.rst:78
 #: ../../configuration/protocols/rip.rst:239
 #: ../../configuration/protocols/segment-routing.rst:187
 #: ../../configuration/system/login.rst:279
-#: ../../configuration/system/login.rst:348
+#: ../../configuration/system/login.rst:350
 msgid "Configuration Example"
 msgstr "Configuration Example"
 
-#: ../../configuration/nat/nat44.rst:313
+#: ../../configuration/nat/nat44.rst:325
+#: ../../configuration/nat/nat64.rst:38
 #: ../../configuration/nat/nat66.rst:109
 msgid "Configuration Examples"
 msgstr "Configuration Examples"
@@ -3165,6 +3167,10 @@ msgstr "Configuration Guide"
 msgid "Configuration Options"
 msgstr "Configuration Options"
 
+#: ../../configuration/firewall/global-options.rst:17
+msgid "Configuration commands covered in this section:"
+msgstr "Configuration commands covered in this section:"
+
 #: ../../configuration/vpn/ipsec.rst:284
 msgid "Configuration commands for the private and public key will be displayed on the screen which needs to be set on the router first. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:"
 msgstr "Configuration commands for the private and public key will be displayed on the screen which needs to be set on the router first. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:"
@@ -3173,7 +3179,11 @@ msgstr "Configuration commands for the private and public key will be displayed
 msgid "Configuration commands will display. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:"
 msgstr "Configuration commands will display. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:"
 
-#: ../../configuration/vrf/index.rst:428
+#: ../../configuration/firewall/bridge.rst:323
+msgid "Configuration example:"
+msgstr "Configuration example:"
+
+#: ../../configuration/vrf/index.rst:430
 msgid "Configuration for these exported routes must, at a minimum, specify these two parameters."
 msgstr "Configuration for these exported routes must, at a minimum, specify these two parameters."
 
@@ -3181,11 +3191,11 @@ msgstr "Configuration for these exported routes must, at a minimum, specify thes
 msgid "Configuration of :ref:`routing-static`"
 msgstr "Configuration of :ref:`routing-static`"
 
-#: ../../configuration/service/dhcp-server.rst:430
+#: ../../configuration/service/dhcp-server.rst:371
 msgid "Configuration of a DHCP failover pair"
 msgstr "Configuration of a DHCP failover pair"
 
-#: ../../configuration/vrf/index.rst:436
+#: ../../configuration/vrf/index.rst:438
 msgid "Configuration of route leaking between a unicast VRF RIB and the VPN SAFI RIB of the default VRF is accomplished via commands in the context of a VRF address-family."
 msgstr "Configuration of route leaking between a unicast VRF RIB and the VPN SAFI RIB of the default VRF is accomplished via commands in the context of a VRF address-family."
 
@@ -3198,11 +3208,11 @@ msgstr "Configure"
 msgid "Configure BFD"
 msgstr "Configure BFD"
 
-#: ../../configuration/service/dns.rst:245
+#: ../../configuration/service/dns.rst:258
 msgid "Configure DNS `<record>` which should be updated. This can be set multiple times."
 msgstr "Configure DNS `<record>` which should be updated. This can be set multiple times."
 
-#: ../../configuration/service/dns.rst:240
+#: ../../configuration/service/dns.rst:253
 msgid "Configure DNS `<zone>` to be updated."
 msgstr "Configure DNS `<zone>` to be updated."
 
@@ -3224,59 +3234,42 @@ msgstr "Configure Graceful Restart :rfc:`3623` restarting support. When enabled,
 msgid "Configure IP address of the DHCP `<server>` which will handle the relayed packets."
 msgstr "Configure IP address of the DHCP `<server>` which will handle the relayed packets."
 
-#: ../../configuration/vpn/sstp.rst:203
+#: ../../configuration/vpn/sstp.rst:214
 msgid "Configure RADIUS `<server>` and its required port for authentication requests."
 msgstr "Configure RADIUS `<server>` and its required port for authentication requests."
 
-#: ../../configuration/vpn/sstp.rst:207
+#: ../../configuration/vpn/sstp.rst:218
 msgid "Configure RADIUS `<server>` and its required shared `<secret>` for communicating with the RADIUS server."
 msgstr "Configure RADIUS `<server>` and its required shared `<secret>` for communicating with the RADIUS server."
 
-#: ../../configuration/nat/nat44.rst:210
+#: ../../configuration/nat/nat44.rst:222
 msgid "Configure SNAT rule (40) to only NAT packets with a destination address of 192.0.2.1."
 msgstr "Configure SNAT rule (40) to only NAT packets with a destination address of 192.0.2.1."
 
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
-#: ../../_include/interface-mtu.txt:4
 #: ../../_include/interface-mtu.txt:4
 msgid "Configure :abbr:`MTU (Maximum Transmission Unit)` on given `<interface>`. It is the size (in bytes) of the largest ethernet frame sent on this link."
 msgstr "Configure :abbr:`MTU (Maximum Transmission Unit)` on given `<interface>`. It is the size (in bytes) of the largest ethernet frame sent on this link."
 
-#: ../../configuration/system/login.rst:373
+#: ../../configuration/system/login.rst:375
 msgid "Configure `<message>` which is shown after user has logged in to the system."
 msgstr "Configure `<message>` which is shown after user has logged in to the system."
 
-#: ../../configuration/system/login.rst:368
+#: ../../configuration/system/login.rst:370
 msgid "Configure `<message>` which is shown during SSH connect and before a user is logged in."
 msgstr "Configure `<message>` which is shown during SSH connect and before a user is logged in."
 
-#: ../../configuration/service/dns.rst:328
+#: ../../configuration/service/dns.rst:341
 msgid "Configure `<password>` used when authenticating the update request for DynDNS service identified by `<service>`."
 msgstr "Configure `<password>` used when authenticating the update request for DynDNS service identified by `<service>`."
 
-#: ../../configuration/service/dns.rst:321
+#: ../../configuration/service/dns.rst:334
 msgid "Configure `<username>` used when authenticating the update request for DynDNS service identified by `<service>`. For Namecheap, set the <domain> you wish to update."
 msgstr "Configure `<username>` used when authenticating the update request for DynDNS service identified by `<service>`. For Namecheap, set the <domain> you wish to update."
 
+#: ../../configuration/system/updates.rst:17
+msgid "Configure a URL that contains information about images."
+msgstr "Configure a URL that contains information about images."
+
 #: ../../configuration/system/flow-accounting.rst:158
 msgid "Configure a sFlow agent address. It can be IPv4 or IPv6 address, but you must set the same protocol, which is used for sFlow collector addresses. By default, using router-id from BGP or OSPF protocol, or the primary IP address from the first interface."
 msgstr "Configure a sFlow agent address. It can be IPv4 or IPv6 address, but you must set the same protocol, which is used for sFlow collector addresses. By default, using router-id from BGP or OSPF protocol, or the primary IP address from the first interface."
@@ -3311,7 +3304,7 @@ msgstr "Configure agent IP address associated with this interface."
 msgid "Configure aggregation delay timer interval."
 msgstr "Configure aggregation delay timer interval."
 
-#: ../../configuration/vpn/openconnect.rst:278
+#: ../../configuration/vpn/openconnect.rst:285
 msgid "Configure an accounting server and enable accounting with:"
 msgstr "Configure an accounting server and enable accounting with:"
 
@@ -3323,10 +3316,18 @@ msgstr "Configure and enable collection of flow information for the interface id
 msgid "Configure and enable collection of flow information for the interface identified by `<interface>`."
 msgstr "Configure and enable collection of flow information for the interface identified by `<interface>`."
 
+#: ../../configuration/system/updates.rst:12
+msgid "Configure auto-checking for new images"
+msgstr "Configure auto-checking for new images"
+
 #: ../../configuration/loadbalancing/reverse-proxy.rst:114
 msgid "Configure backend `<name>` mode TCP or HTTP"
 msgstr "Configure backend `<name>` mode TCP or HTTP"
 
+#: ../../configuration/nat/nat66.rst:148
+msgid "Configure both routers (a and b) for DHCPv6-PD via dummy interface:"
+msgstr "Configure both routers (a and b) for DHCPv6-PD via dummy interface:"
+
 #: ../../configuration/service/console-server.rst:49
 msgid "Configure either one or two stop bits. This defaults to one stop bits if left unconfigured."
 msgstr "Configure either one or two stop bits. This defaults to one stop bits if left unconfigured."
@@ -3339,75 +3340,16 @@ msgstr "Configure either seven or eight data bits. This defaults to eight data b
 msgid "Configure individual bridge port `<priority>`."
 msgstr "Configure individual bridge port `<priority>`."
 
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
 #: ../../configuration/interfaces/pppoe.rst:223
 #: ../../configuration/interfaces/pppoe.rst:269
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
 #: ../../configuration/interfaces/sstp-client.rst:95
 #: ../../_include/interface-ip.txt:59
 #: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
-#: ../../_include/interface-ip.txt:59
-#: ../../_include/interface-ipv6.txt:48
 msgid "Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface."
 msgstr "Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface."
 
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address.txt:3
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address.txt:3
-#: ../../_include/interface-address.txt:3
-#: ../../_include/interface-address.txt:3
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address.txt:3
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
 #: ../../_include/interface-address-with-dhcp.txt:5
 #: ../../_include/interface-address.txt:3
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
-#: ../../_include/interface-address-with-dhcp.txt:5
 msgid "Configure interface `<interface>` with one or more interface addresses."
 msgstr "Configure interface `<interface>` with one or more interface addresses."
 
@@ -3439,7 +3381,7 @@ msgstr "Configure one or more attributes to the given NTP server."
 msgid "Configure one or more servers for synchronisation. Server name can be either an IP address or :abbr:`FQDN (Fully Qualified Domain Name)`."
 msgstr "Configure one or more servers for synchronisation. Server name can be either an IP address or :abbr:`FQDN (Fully Qualified Domain Name)`."
 
-#: ../../configuration/service/dns.rst:251
+#: ../../configuration/service/dns.rst:264
 msgid "Configure optional TTL value on the given resource record. This defaults to 600 seconds."
 msgstr "Configure optional TTL value on the given resource record. This defaults to 600 seconds."
 
@@ -3451,14 +3393,10 @@ msgstr "Configure physical interface duplex setting."
 msgid "Configure physical interface speed setting."
 msgstr "Configure physical interface speed setting."
 
-#: ../../_include/interface-mirror.txt:16
-#: ../../_include/interface-mirror.txt:16
 #: ../../_include/interface-mirror.txt:16
 msgid "Configure port mirroring for `interface` inbound traffic and copy the traffic to `monitor-interface`"
 msgstr "Configure port mirroring for `interface` inbound traffic and copy the traffic to `monitor-interface`"
 
-#: ../../_include/interface-mirror.txt:28
-#: ../../_include/interface-mirror.txt:28
 #: ../../_include/interface-mirror.txt:28
 msgid "Configure port mirroring for `interface` outbound traffic and copy the traffic to `monitor-interface`"
 msgstr "Configure port mirroring for `interface` outbound traffic and copy the traffic to `monitor-interface`"
@@ -3491,7 +3429,7 @@ msgstr "Configure service `<name>` mode TCP or HTTP"
 msgid "Configure service `<name>` to use the backend <name>"
 msgstr "Configure service `<name>` to use the backend <name>"
 
-#: ../../configuration/system/login.rst:392
+#: ../../configuration/system/login.rst:394
 msgid "Configure session timeout after which the user will be logged out."
 msgstr "Configure session timeout after which the user will be logged out."
 
@@ -3499,7 +3437,15 @@ msgstr "Configure session timeout after which the user will be logged out."
 msgid "Configure system domain name. A domain name must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen."
 msgstr "Configure system domain name. A domain name must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen."
 
-#: ../../configuration/service/dns.rst:234
+#: ../../configuration/nat/nat66.rst:182
+msgid "Configure the A-side router for NPTv6 using the prefixes above:"
+msgstr "Configure the A-side router for NPTv6 using the prefixes above:"
+
+#: ../../configuration/nat/nat66.rst:204
+msgid "Configure the B-side router for NPTv6 using the prefixes above:"
+msgstr "Configure the B-side router for NPTv6 using the prefixes above:"
+
+#: ../../configuration/service/dns.rst:247
 msgid "Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment."
 msgstr "Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment."
 
@@ -3523,27 +3469,14 @@ msgstr "Configure the discrete port under which the TACACS server can be reached
 msgid "Configure the load-balancing reverse-proxy service for HTTP."
 msgstr "Configure the load-balancing reverse-proxy service for HTTP."
 
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
-#: ../../_include/interface-mac.txt:4
 #: ../../_include/interface-mac.txt:4
 msgid "Configure user defined :abbr:`MAC (Media Access Control)` address on given `<interface>`."
 msgstr "Configure user defined :abbr:`MAC (Media Access Control)` address on given `<interface>`."
 
+#: ../../configuration/protocols/pim.rst:180
+msgid "Configure watermark warning generation for an IGMP group limit. Generates warning once the configured group limit is reached while adding new groups."
+msgstr "Configure watermark warning generation for an IGMP group limit. Generates warning once the configured group limit is reached while adding new groups."
+
 #: ../../configuration/vrf/index.rst:28
 msgid "Configured routing table `<id>` is used by VRF `<name>`."
 msgstr "Configured routing table `<id>` is used by VRF `<name>`."
@@ -3556,7 +3489,7 @@ msgstr "Configured value"
 msgid "Configures the BGP speaker so that it only accepts inbound connections from, but does not initiate outbound connections to the peer or peer group."
 msgstr "Configures the BGP speaker so that it only accepts inbound connections from, but does not initiate outbound connections to the peer or peer group."
 
-#: ../../configuration/vpn/openconnect.rst:272
+#: ../../configuration/vpn/openconnect.rst:279
 msgid "Configuring RADIUS accounting"
 msgstr "Configuring RADIUS accounting"
 
@@ -3569,10 +3502,14 @@ msgstr "Configuring a listen-address is essential for the service to work."
 msgid "Connect/Disconnect"
 msgstr "Connect/Disconnect"
 
-#: ../../configuration/vpn/sstp.rst:144
+#: ../../configuration/vpn/sstp.rst:155
 msgid "Connected client should use `<address>` as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured for IPv4, up to three for IPv6."
 msgstr "Connected client should use `<address>` as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured for IPv4, up to three for IPv6."
 
+#: ../../configuration/protocols/rpki.rst:129
+msgid "Connections to the RPKI caching server can not only be established by HTTP/TLS but you can also rely on a secure SSH session to the server. To enable SSH, first you need to create an SSH client keypair using ``generate ssh client-key /config/auth/id_rsa_rpki``. Once your key is created you can setup the connection."
+msgstr "Connections to the RPKI caching server can not only be established by HTTP/TLS but you can also rely on a secure SSH session to the server. To enable SSH, first you need to create an SSH client keypair using ``generate ssh client-key /config/auth/id_rsa_rpki``. Once your key is created you can setup the connection."
+
 #: ../../configuration/protocols/rpki.rst:129
 msgid "Connections to the RPKI caching server can not only be established by HTTP/TLS but you can also rely on a secure SSH session to the server. To enable SSH you first need to create yoursels an SSH client keypair using ``generate ssh client-key /config/auth/id_rsa_rpki``. Once your key is created you can setup the connection."
 msgstr "Connections to the RPKI caching server can not only be established by HTTP/TLS but you can also rely on a secure SSH session to the server. To enable SSH you first need to create yoursels an SSH client keypair using ``generate ssh client-key /config/auth/id_rsa_rpki``. Once your key is created you can setup the connection."
@@ -3585,10 +3522,18 @@ msgstr "Conntrack"
 msgid "Conntrack Sync"
 msgstr "Conntrack Sync"
 
-#: ../../configuration/service/conntrack-sync.rst:None
+#: ../../configuration/service/conntrack-sync.rst:-1
 msgid "Conntrack Sync Example"
 msgstr "Conntrack Sync Example"
 
+#: ../../configuration/system/conntrack.rst:178
+msgid "Conntrack ignore rules"
+msgstr "Conntrack ignore rules"
+
+#: ../../configuration/system/conntrack.rst:204
+msgid "Conntrack log"
+msgstr "Conntrack log"
+
 #: ../../configuration/system/syslog.rst:21
 msgid "Console"
 msgstr "Console"
@@ -3605,6 +3550,10 @@ msgstr "Constrain the memory available to the container."
 msgid "Container"
 msgstr "Container"
 
+#: ../../configuration/system/conntrack.rst:65
+msgid "Contrack Timeouts"
+msgstr "Contrack Timeouts"
+
 #: ../../configuration/nat/nat66.rst:98
 msgid "Convert the address prefix of a single `fc00::/64` network to `fc01::/64`"
 msgstr "Convert the address prefix of a single `fc00::/64` network to `fc01::/64`"
@@ -3629,11 +3578,11 @@ msgstr "Creat community-list policy identified by name <text>."
 msgid "Creat extcommunity-list policy identified by name <text>."
 msgstr "Creat extcommunity-list policy identified by name <text>."
 
-#: ../../configuration/service/dhcp-server.rst:118
+#: ../../configuration/service/dhcp-server.rst:104
 msgid "Create DHCP address range with a range id of `<n>`. DHCP leases are taken from this pool. The pool starts at address `<address>`."
 msgstr "Create DHCP address range with a range id of `<n>`. DHCP leases are taken from this pool. The pool starts at address `<address>`."
 
-#: ../../configuration/service/dhcp-server.rst:124
+#: ../../configuration/service/dhcp-server.rst:110
 msgid "Create DHCP address range with a range id of `<n>`. DHCP leases are taken from this pool. The pool stops with address `<address>`."
 msgstr "Create DHCP address range with a range id of `<n>`. DHCP leases are taken from this pool. The pool stops with address `<address>`."
 
@@ -3657,15 +3606,10 @@ msgstr "Create a file named ``VyOS-1.3.6.1.4.1.44641.ConfigMgmt-Commands`` using
 msgid "Create a load balancing rule, it can be a number between 1 and 9999:"
 msgstr "Create a load balancing rule, it can be a number between 1 and 9999:"
 
-#: ../../configuration/service/dhcp-server.rst:218
+#: ../../configuration/service/dhcp-server.rst:183
 msgid "Create a new DHCP static mapping named `<description>` which is valid for the host identified by its MAC `<address>`."
 msgstr "Create a new DHCP static mapping named `<description>` which is valid for the host identified by its MAC `<address>`."
 
-#: ../../_include/interface-vlan-8021q.txt:26
-#: ../../_include/interface-vlan-8021q.txt:26
-#: ../../_include/interface-vlan-8021q.txt:26
-#: ../../_include/interface-vlan-8021q.txt:26
-#: ../../_include/interface-vlan-8021q.txt:26
 #: ../../_include/interface-vlan-8021q.txt:26
 msgid "Create a new VLAN interface on interface `<interface>` using the VLAN number provided via `<vlan-id>`."
 msgstr "Create a new VLAN interface on interface `<interface>` using the VLAN number provided via `<vlan-id>`."
@@ -3714,6 +3658,22 @@ msgstr "Create a static hostname mapping which will always resolve the name `<ho
 msgid "Create as-path-policy identified by name <text>."
 msgstr "Create as-path-policy identified by name <text>."
 
+#: ../../configuration/firewall/flowtables.rst:64
+msgid "Create firewall rule: create a firewall rule, setting action to ``offload`` and using desired flowtable for ``offload-target``."
+msgstr "Create firewall rule: create a firewall rule, setting action to ``offload`` and using desired flowtable for ``offload-target``."
+
+#: ../../configuration/firewall/flowtables.rst:95
+msgid "Create firewall rule in forward chain, and define which flowtbale should be used. Only applicable if action is ``offload``."
+msgstr "Create firewall rule in forward chain, and define which flowtbale should be used. Only applicable if action is ``offload``."
+
+#: ../../configuration/firewall/flowtables.rst:90
+msgid "Create firewall rule in forward chain, and set action to ``offload``."
+msgstr "Create firewall rule in forward chain, and set action to ``offload``."
+
+#: ../../configuration/firewall/flowtables.rst:61
+msgid "Create flowtable: create flowtable, which includes the interfaces that are going to be used by the flowtable."
+msgstr "Create flowtable: create flowtable, which includes the interfaces that are going to be used by the flowtable."
+
 #: ../../configuration/policy/large-community-list.rst:17
 msgid "Create large-community-list policy identified by name <text>."
 msgstr "Create large-community-list policy identified by name <text>."
@@ -3726,7 +3686,7 @@ msgstr "Create named `<alias>` for the configured static mapping for `<hostname>
 msgid "Create new VRF instance with `<name>`. The name is used when placing individual interfaces into the VRF."
 msgstr "Create new VRF instance with `<name>`. The name is used when placing individual interfaces into the VRF."
 
-#: ../../configuration/service/dns.rst:221
+#: ../../configuration/service/dns.rst:234
 msgid "Create new :rfc:`2136` DNS update configuration which will update the IP address assigned to `<interface>` on the service you configured under `<service-name>`."
 msgstr "Create new :rfc:`2136` DNS update configuration which will update the IP address assigned to `<interface>` on the service you configured under `<service-name>`."
 
@@ -3750,10 +3710,18 @@ msgstr "Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broa
 msgid "Creating a bridge interface is very simple. In this example, we will have:"
 msgstr "Creating a bridge interface is very simple. In this example, we will have:"
 
+#: ../../configuration/firewall/flowtables.rst:67
+msgid "Creating a flow table:"
+msgstr "Creating a flow table:"
+
 #: ../../configuration/trafficpolicy/index.rst:335
 msgid "Creating a traffic policy"
 msgstr "Creating a traffic policy"
 
+#: ../../configuration/firewall/flowtables.rst:85
+msgid "Creating rules for using flow tables:"
+msgstr "Creating rules for using flow tables:"
+
 #: ../../configuration/system/syslog.rst:178
 msgid "Critical"
 msgstr "Critical"
@@ -3794,15 +3762,27 @@ msgstr "Currently dynamic routing is supported for the following protocols:"
 msgid "Custom File"
 msgstr "Custom File"
 
+#: ../../configuration/firewall/bridge.rst:44
+msgid "Custom bridge firewall chains can be create with command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, and the appropiate target should be defined in a base chain."
+msgstr "Custom bridge firewall chains can be create with command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, and the appropiate target should be defined in a base chain."
+
 #: ../../configuration/firewall/general.rst:77
 msgid "Custom firewall chains can be created, with commands ``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
 msgstr "Custom firewall chains can be created, with commands ``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
 
+#: ../../configuration/firewall/ipv4.rst:65
+msgid "Custom firewall chains can be created, with commands ``set firewall ipv4 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
+msgstr "Custom firewall chains can be created, with commands ``set firewall ipv4 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
+
+#: ../../configuration/firewall/ipv6.rst:65
+msgid "Custom firewall chains can be created, with commands ``set firewall ipv6 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
+msgstr "Custom firewall chains can be created, with commands ``set firewall ipv6 name <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
+
 #: ../../configuration/highavailability/index.rst:373
 msgid "Custom health-check script allows checking real-server availability"
 msgstr "Custom health-check script allows checking real-server availability"
 
-#: ../../configuration/system/conntrack.rst:167
+#: ../../configuration/system/conntrack.rst:180
 msgid "Customized ignore rules, based on a packet and flow selector."
 msgstr "Customized ignore rules, based on a packet and flow selector."
 
@@ -3822,19 +3802,18 @@ msgstr "DHCP Relay"
 msgid "DHCP Server"
 msgstr "DHCP Server"
 
-#: ../../configuration/service/dhcp-server.rst:384
+#: ../../configuration/service/dhcp-server.rst:351
 msgid "DHCP failover parameters"
 msgstr "DHCP failover parameters"
 
-#: ../../configuration/service/dhcp-server.rst:374
+#: ../../configuration/service/dhcp-server.rst:341
 msgid "DHCP lease range"
 msgstr "DHCP lease range"
 
-#: ../../configuration/service/dhcp-server.rst:436
+#: ../../configuration/service/dhcp-server.rst:377
 msgid "DHCP range spans from `192.168.189.10` - `192.168.189.250`"
 msgstr "DHCP range spans from `192.168.189.10` - `192.168.189.250`"
 
-#: ../../configuration/service/dhcp-relay.rst:96
 #: ../../configuration/service/dhcp-relay.rst:96
 msgid "DHCP relay example"
 msgstr "DHCP relay example"
@@ -3843,20 +3822,19 @@ msgstr "DHCP relay example"
 msgid "DHCP server is located at IPv4 address 10.0.1.4 on ``eth2``."
 msgstr "DHCP server is located at IPv4 address 10.0.1.4 on ``eth2``."
 
-#: ../../configuration/service/dhcp-server.rst:654
+#: ../../configuration/service/dhcp-server.rst:584
 msgid "DHCPv6 address pools must be configured for the system to act as a DHCPv6 server. The following example describes a common scenario."
 msgstr "DHCPv6 address pools must be configured for the system to act as a DHCPv6 server. The following example describes a common scenario."
 
-#: ../../configuration/service/dhcp-relay.rst:182
-#: ../../configuration/service/dhcp-relay.rst:182
+#: ../../configuration/service/dhcp-relay.rst:184
 msgid "DHCPv6 relay example"
 msgstr "DHCPv6 relay example"
 
-#: ../../configuration/service/dhcp-relay.rst:174
+#: ../../configuration/service/dhcp-relay.rst:176
 msgid "DHCPv6 requests are received by the router on `listening interface` ``eth1``"
 msgstr "DHCPv6 requests are received by the router on `listening interface` ``eth1``"
 
-#: ../../configuration/nat/nat44.rst:735
+#: ../../configuration/nat/nat44.rst:757
 msgid "DH Group 14"
 msgstr "DH Group 14"
 
@@ -3884,11 +3862,11 @@ msgstr "DNAT"
 msgid "DNAT66"
 msgstr "DNAT66"
 
-#: ../../configuration/nat/nat44.rst:494
+#: ../../configuration/nat/nat44.rst:514
 msgid "DNAT is typically referred to as a **Port Forward**. When using VyOS as a NAT router and firewall, a common configuration task is to redirect incoming traffic to a system behind the firewall."
 msgstr "DNAT is typically referred to as a **Port Forward**. When using VyOS as a NAT router and firewall, a common configuration task is to redirect incoming traffic to a system behind the firewall."
 
-#: ../../configuration/nat/nat44.rst:268
+#: ../../configuration/nat/nat44.rst:280
 msgid "DNAT rule 10 replaces the destination address of an inbound packet with 192.0.2.10"
 msgstr "DNAT rule 10 replaces the destination address of an inbound packet with 192.0.2.10"
 
@@ -3909,11 +3887,11 @@ msgstr "DNS name servers"
 msgid "DNS search list to advertise"
 msgstr "DNS search list to advertise"
 
-#: ../../configuration/service/dhcp-server.rst:294
+#: ../../configuration/service/dhcp-server.rst:261
 msgid "DNS server IPv4 address"
 msgstr "DNS server IPv4 address"
 
-#: ../../configuration/service/dhcp-server.rst:661
+#: ../../configuration/service/dhcp-server.rst:591
 msgid "DNS server is located at ``2001:db8::ffff``"
 msgstr "DNS server is located at ``2001:db8::ffff``"
 
@@ -3925,8 +3903,8 @@ msgstr "DSCP values as per :rfc:`2474` and :rfc:`4595`:"
 msgid "DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]``"
 msgstr "DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]``"
 
-#: ../../configuration/firewall/general.rst:714
-#: ../../configuration/firewall/general-legacy.rst:480
+#: ../../configuration/firewall/ipv4.rst:444
+#: ../../configuration/firewall/ipv6.rst:451
 msgid "Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB compressed). Includes cron script (manually callable by op-mode update geoip) to keep database and rules updated."
 msgstr "Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB compressed). Includes cron script (manually callable by op-mode update geoip) to keep database and rules updated."
 
@@ -3942,29 +3920,14 @@ msgstr "Debug-level messages - Messages that contain information normally of use
 msgid "Default"
 msgstr "Default"
 
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
-#: ../../_include/interface-ipv6.txt:94
 #: ../../_include/interface-ipv6.txt:94
 msgid "Default: 1"
 msgstr "Default: 1"
 
+#: ../../configuration/service/https.rst:42
+msgid "Default: 443"
+msgstr "Default: 443"
+
 #: ../../configuration/protocols/failover.rst:58
 msgid "Default 1."
 msgstr "Default 1."
@@ -3977,11 +3940,11 @@ msgstr "Default Gateway/Route"
 msgid "Default Router Preference"
 msgstr "Default Router Preference"
 
-#: ../../configuration/vpn/sstp.rst:190
+#: ../../configuration/vpn/sstp.rst:201
 msgid "Default behavior - don't ask client for mppe, but allow it if client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute."
 msgstr "Default behavior - don't ask client for mppe, but allow it if client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute."
 
-#: ../../configuration/service/dhcp-server.rst:433
+#: ../../configuration/service/dhcp-server.rst:374
 msgid "Default gateway and DNS server is at `192.0.2.254`"
 msgstr "Default gateway and DNS server is at `192.0.2.254`"
 
@@ -3997,25 +3960,6 @@ msgstr "Default is ``any-available``."
 msgid "Default is ``icmp``."
 msgstr "Default is ``icmp``."
 
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
-#: ../../_include/interface-disable-link-detect.txt:7
 #: ../../_include/interface-disable-link-detect.txt:7
 msgid "Default is to detects physical link state changes."
 msgstr "Default is to detects physical link state changes."
@@ -4044,36 +3988,31 @@ msgstr "Define Conection Timeouts"
 msgid "Define IPv4/IPv6 management address transmitted via LLDP. Multiple addresses can be defined. Only addresses connected to the system will be transmitted."
 msgstr "Define IPv4/IPv6 management address transmitted via LLDP. Multiple addresses can be defined. Only addresses connected to the system will be transmitted."
 
-#: ../../configuration/firewall/general.rst:225
-#: ../../configuration/firewall/general-legacy.rst:201
+#: ../../configuration/firewall/groups.rst:52
 msgid "Define a IPv4 or IPv6 Network group."
 msgstr "Define a IPv4 or IPv6 Network group."
 
-#: ../../configuration/firewall/general.rst:201
-#: ../../configuration/firewall/general-legacy.rst:177
+#: ../../configuration/firewall/groups.rst:28
 msgid "Define a IPv4 or a IPv6 address group"
 msgstr "Define a IPv4 or a IPv6 address group"
 
-#: ../../configuration/firewall/zone.rst:59
+#: ../../configuration/firewall/zone.rst:78
 msgid "Define a Zone"
 msgstr "Define a Zone"
 
-#: ../../configuration/nat/nat44.rst:246
+#: ../../configuration/nat/nat44.rst:258
 msgid "Define a discrete source IP address of 100.64.0.1 for SNAT rule 20"
 msgstr "Define a discrete source IP address of 100.64.0.1 for SNAT rule 20"
 
-#: ../../configuration/firewall/general.rst:306
-#: ../../configuration/firewall/general-legacy.rst:261
+#: ../../configuration/firewall/groups.rst:133
 msgid "Define a domain group."
 msgstr "Define a domain group."
 
-#: ../../configuration/firewall/general.rst:288
-#: ../../configuration/firewall/general-legacy.rst:246
+#: ../../configuration/firewall/groups.rst:115
 msgid "Define a mac group."
 msgstr "Define a mac group."
 
-#: ../../configuration/firewall/general.rst:268
-#: ../../configuration/firewall/general-legacy.rst:226
+#: ../../configuration/firewall/groups.rst:95
 msgid "Define a port group. A port name can be any name defined in /etc/services. e.g.: http"
 msgstr "Define a port group. A port name can be any name defined in /etc/services. e.g.: http"
 
@@ -4081,119 +4020,51 @@ msgstr "Define a port group. A port name can be any name defined in /etc/service
 msgid "Define allowed ciphers used for the SSH connection. A number of allowed ciphers can be specified, use multiple occurrences to allow multiple ciphers."
 msgstr "Define allowed ciphers used for the SSH connection. A number of allowed ciphers can be specified, use multiple occurrences to allow multiple ciphers."
 
-#: ../../configuration/firewall/general.rst:245
+#: ../../configuration/firewall/groups.rst:72
 msgid "Define an interface group. Wildcard are accepted too."
 msgstr "Define an interface group. Wildcard are accepted too."
 
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
-#: ../../_include/interface-ip.txt:85
 #: ../../_include/interface-ip.txt:85
 msgid "Define behavior for gratuitous ARP frames who's IP is not already present in the ARP table. If configured create new entries in the ARP table."
 msgstr "Define behavior for gratuitous ARP frames who's IP is not already present in the ARP table. If configured create new entries in the ARP table."
 
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
-#: ../../_include/interface-ip.txt:69
 #: ../../_include/interface-ip.txt:69
 msgid "Define different modes for IP directed broadcast forwarding as described in :rfc:`1812` and :rfc:`2644`."
 msgstr "Define different modes for IP directed broadcast forwarding as described in :rfc:`1812` and :rfc:`2644`."
 
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
-#: ../../_include/interface-ip.txt:121
 #: ../../_include/interface-ip.txt:121
 msgid "Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:"
 msgstr "Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:"
 
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
-#: ../../_include/interface-ip.txt:101
 #: ../../_include/interface-ip.txt:101
 msgid "Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface."
 msgstr "Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface."
 
-#: ../../configuration/firewall/general.rst:476
-#: ../../configuration/firewall/general-legacy.rst:361
+#: ../../configuration/firewall/flowtables.rst:71
+msgid "Define interfaces to be used in the flowtable."
+msgstr "Define interfaces to be used in the flowtable."
+
+#: ../../configuration/firewall/bridge.rst:187
+#: ../../configuration/firewall/ipv4.rst:252
+#: ../../configuration/firewall/ipv6.rst:252
 msgid "Define length of packet payload to include in netlink message. Only applicable if rule log is enable and log group is defined."
 msgstr "Define length of packet payload to include in netlink message. Only applicable if rule log is enable and log group is defined."
 
-#: ../../configuration/firewall/general.rst:450
-#: ../../configuration/firewall/general-legacy.rst:347
+#: ../../configuration/firewall/bridge.rst:173
+#: ../../configuration/firewall/ipv4.rst:230
+#: ../../configuration/firewall/ipv6.rst:230
 msgid "Define log-level. Only applicable if rule log is enable."
 msgstr "Define log-level. Only applicable if rule log is enable."
 
-#: ../../configuration/firewall/general.rst:463
-#: ../../configuration/firewall/general-legacy.rst:354
+#: ../../configuration/firewall/bridge.rst:180
+#: ../../configuration/firewall/ipv4.rst:241
+#: ../../configuration/firewall/ipv6.rst:241
 msgid "Define log group to send message to. Only applicable if rule log is enable."
 msgstr "Define log group to send message to. Only applicable if rule log is enable."
 
-#: ../../configuration/firewall/general.rst:490
-#: ../../configuration/firewall/general-legacy.rst:369
+#: ../../configuration/firewall/bridge.rst:195
+#: ../../configuration/firewall/ipv4.rst:264
+#: ../../configuration/firewall/ipv6.rst:264
 msgid "Define number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enable and log group is defined."
 msgstr "Define number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enable and log group is defined."
 
@@ -4201,15 +4072,19 @@ msgstr "Define number of packets to queue inside the kernel before sending them
 msgid "Define the time interval to update the local cache"
 msgstr "Define the time interval to update the local cache"
 
-#: ../../configuration/firewall/zone.rst:70
+#: ../../configuration/firewall/zone.rst:89
 msgid "Define the zone as a local zone. A local zone has no interfaces and will be applied to the router itself."
 msgstr "Define the zone as a local zone. A local zone has no interfaces and will be applied to the router itself."
 
+#: ../../configuration/firewall/flowtables.rst:80
+msgid "Define type of offload to be used by the flowtable: ``hardware`` or ``software``. By default, ``software`` offload is used."
+msgstr "Define type of offload to be used by the flowtable: ``hardware`` or ``software``. By default, ``software`` offload is used."
+
 #: ../../configuration/protocols/rpki.rst:114
 msgid "Defined the IPv4, IPv6 or FQDN and port number of the caching RPKI caching instance which is used."
 msgstr "Defined the IPv4, IPv6 or FQDN and port number of the caching RPKI caching instance which is used."
 
-#: ../../configuration/protocols/igmp.rst:202
+#: ../../configuration/protocols/igmp-proxy.rst:30
 msgid "Defines alternate sources for multicasting and IGMP data. The network address must be on the following format 'a.b.c.d/n'. By default, the router will accept data from sources on the same network as configured on an interface. If the multicast source lies on a remote network, one must define from where traffic should be accepted."
 msgstr "Defines alternate sources for multicasting and IGMP data. The network address must be on the following format 'a.b.c.d/n'. By default, the router will accept data from sources on the same network as configured on an interface. If the multicast source lies on a remote network, one must define from where traffic should be accepted."
 
@@ -4233,7 +4108,7 @@ msgstr "Defines next-hop distance for this route, routes with smaller administra
 msgid "Defines protocols for checking ARP, ICMP, TCP"
 msgstr "Defines protocols for checking ARP, ICMP, TCP"
 
-#: ../../configuration/vpn/sstp.rst:167
+#: ../../configuration/vpn/sstp.rst:178
 msgid "Defines the maximum `<number>` of unanswered echo requests. Upon reaching the value `<number>`, the session will be reset."
 msgstr "Defines the maximum `<number>` of unanswered echo requests. Upon reaching the value `<number>`, the session will be reset."
 
@@ -4245,7 +4120,7 @@ msgstr "Defines the specified device as a system console. Available console devi
 msgid "Defining Peers"
 msgstr "Defining Peers"
 
-#: ../../configuration/service/dhcp-server.rst:649
+#: ../../configuration/service/dhcp-server.rst:579
 msgid "Delegate prefixes from the range indicated by the start and stop qualifier."
 msgstr "Delegate prefixes from the range indicated by the start and stop qualifier."
 
@@ -4281,7 +4156,6 @@ msgstr "Deletes the specified user-defined file <text> in the /var/log/user dire
 msgid "Depending on the location, not all of these channels may be available for use!"
 msgstr "Depending on the location, not all of these channels may be available for use!"
 
-#: ../../configuration/service/router-advert.rst:1
 #: ../../configuration/service/router-advert.rst:1
 #: ../../configuration/system/syslog.rst:107
 #: ../../configuration/system/syslog.rst:167
@@ -4297,11 +4171,11 @@ msgstr "Despite the Drop-Tail policy does not slow down packets, if many packets
 msgid "Despite the fact that AD is a superset of LDAP"
 msgstr "Despite the fact that AD is a superset of LDAP"
 
-#: ../../configuration/nat/nat44.rst:261
+#: ../../configuration/nat/nat44.rst:273
 msgid "Destination Address"
 msgstr "Destination Address"
 
-#: ../../configuration/nat/nat44.rst:492
+#: ../../configuration/nat/nat44.rst:512
 msgid "Destination NAT"
 msgstr "Destination NAT"
 
@@ -4326,6 +4200,7 @@ msgid "Devices evaluating whether an IPv4 address is public must be updated to r
 msgstr "Devices evaluating whether an IPv4 address is public must be updated to recognize the new address space. Allocating more private IPv4 address space for NAT devices might prolong the transition to IPv6."
 
 #: ../../configuration/nat/nat44.rst:71
+#: ../../configuration/nat/nat64.rst:21
 #: ../../configuration/nat/nat66.rst:18
 msgid "Different NAT Types"
 msgstr "Different NAT Types"
@@ -4350,7 +4225,8 @@ msgstr "Disable a BFD peer"
 msgid "Disable a container."
 msgstr "Disable a container."
 
-#: ../../configuration/firewall/general.rst:1283
+#: ../../configuration/firewall/ipv4.rst:930
+#: ../../configuration/firewall/ipv6.rst:939
 msgid "Disable conntrack loose track option"
 msgstr "Disable conntrack loose track option"
 
@@ -4362,29 +4238,6 @@ msgstr "Disable dhcp-relay service."
 msgid "Disable dhcpv6-relay service."
 msgstr "Disable dhcpv6-relay service."
 
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
-#: ../../_include/interface-disable.txt:4
 #: ../../_include/interface-disable.txt:4
 msgid "Disable given `<interface>`. It will be placed in administratively down (``A/D``) state."
 msgstr "Disable given `<interface>`. It will be placed in administratively down (``A/D``) state."
@@ -4397,6 +4250,10 @@ msgstr "Disable immediate session reset if peer's connected link goes down."
 msgid "Disable password based authentication. Login via SSH keys only. This hardens security!"
 msgstr "Disable password based authentication. Login via SSH keys only. This hardens security!"
 
+#: ../../configuration/protocols/pim.rst:167
+msgid "Disable sending and receiving PIM control packets on the interface."
+msgstr "Disable sending and receiving PIM control packets on the interface."
+
 #: ../../configuration/service/ssh.rst:64
 msgid "Disable the host validation through reverse DNS lookups - can speedup login time when reverse lookup is not possible."
 msgstr "Disable the host validation through reverse DNS lookups - can speedup login time when reverse lookup is not possible."
@@ -4413,7 +4270,7 @@ msgstr "Disable this IPv4 static route entry."
 msgid "Disable this IPv6 static route entry."
 msgstr "Disable this IPv6 static route entry."
 
-#: ../../configuration/protocols/igmp.rst:228
+#: ../../configuration/protocols/igmp-proxy.rst:56
 msgid "Disable this service."
 msgstr "Disable this service."
 
@@ -4437,7 +4294,7 @@ msgstr "Disables interface-based IPv4 static route."
 msgid "Disables interface-based IPv6 static route."
 msgstr "Disables interface-based IPv6 static route."
 
-#: ../../configuration/protocols/igmp.rst:215
+#: ../../configuration/protocols/igmp-proxy.rst:43
 msgid "Disables quickleave mode. In this mode the daemon will not send a Leave IGMP message upstream as soon as it receives a Leave message for any downstream interface. The daemon will not ask for Membership reports on the downstream interfaces, and if a report is received the group is not joined again the upstream."
 msgstr "Disables quickleave mode. In this mode the daemon will not send a Leave IGMP message upstream as soon as it receives a Leave message for any downstream interface. The daemon will not ask for Membership reports on the downstream interfaces, and if a report is received the group is not joined again the upstream."
 
@@ -4533,25 +4390,6 @@ msgstr "Displays the route packets taken to a network host utilizing VRF instanc
 msgid "Do *not* manually edit `/etc/hosts`. This file will automatically be regenerated on boot based on the settings in this section, which means you'll lose all your manual edits. Instead, configure static host mappings as follows."
 msgstr "Do *not* manually edit `/etc/hosts`. This file will automatically be regenerated on boot based on the settings in this section, which means you'll lose all your manual edits. Instead, configure static host mappings as follows."
 
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
-#: ../../_include/interface-ipv6.txt:37
 #: ../../_include/interface-ipv6.txt:37
 msgid "Do not assign a link-local IPv6 address to this interface."
 msgstr "Do not assign a link-local IPv6 address to this interface."
@@ -4564,25 +4402,6 @@ msgstr "Do not configure IFB as the first step. First create everything else of
 msgid "Do not use the local ``/etc/hosts`` file in name resolution. VyOS DHCP server will use this file to add resolvers to assigned addresses."
 msgstr "Do not use the local ``/etc/hosts`` file in name resolution. VyOS DHCP server will use this file to add resolvers to assigned addresses."
 
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
-#: ../../_include/interface-ip.txt:162
 #: ../../_include/interface-ip.txt:162
 msgid "Does not need to be used together with proxy_arp."
 msgstr "Does not need to be used together with proxy_arp."
@@ -4591,8 +4410,7 @@ msgstr "Does not need to be used together with proxy_arp."
 msgid "Domain"
 msgstr "Domain"
 
-#: ../../configuration/firewall/general.rst:300
-#: ../../configuration/firewall/general-legacy.rst:255
+#: ../../configuration/firewall/groups.rst:127
 msgid "Domain Groups"
 msgstr "Domain Groups"
 
@@ -4600,7 +4418,7 @@ msgstr "Domain Groups"
 msgid "Domain Name"
 msgstr "Domain Name"
 
-#: ../../configuration/service/https.rst:59
+#: ../../configuration/service/https.rst:50
 msgid "Domain name(s) for which to obtain certificate"
 msgstr "Domain name(s) for which to obtain certificate"
 
@@ -4608,6 +4426,10 @@ msgstr "Domain name(s) for which to obtain certificate"
 msgid "Domain names can include letters, numbers, hyphens and periods with a maximum length of 253 characters."
 msgstr "Domain names can include letters, numbers, hyphens and periods with a maximum length of 253 characters."
 
+#: ../../configuration/pki/index.rst:259
+msgid "Domain names to apply, multiple domain-names can be specified."
+msgstr "Domain names to apply, multiple domain-names can be specified."
+
 #: ../../configuration/system/name-server.rst:13
 #: ../../configuration/system/name-server.rst:45
 msgid "Domain search order"
@@ -4617,15 +4439,15 @@ msgstr "Domain search order"
 msgid "Don't be afraid that you need to re-do your configuration. Key transformation is handled, as always, by our migration scripts, so this will be a smooth transition for you!"
 msgstr "Don't be afraid that you need to re-do your configuration. Key transformation is handled, as always, by our migration scripts, so this will be a smooth transition for you!"
 
-#: ../../configuration/protocols/bgp.rst:1171
+#: ../../configuration/protocols/bgp.rst:1172
 msgid "Don't forget, the CIDR declared in the network statement **MUST exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
 msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
 
-#: ../../configuration/protocols/bgp.rst:1125
+#: ../../configuration/protocols/bgp.rst:1126
 msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
 msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:295
+#: ../../configuration/vpn/site2site_ipsec.rst:299
 msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
 msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
 
@@ -4657,7 +4479,7 @@ msgstr "Drop rate"
 msgid "Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets"
 msgstr "Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets"
 
-#: ../../configuration/service/pppoe-server.rst:380
+#: ../../configuration/service/pppoe-server.rst:367
 msgid "Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation"
 msgstr "Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation"
 
@@ -4665,7 +4487,7 @@ msgstr "Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation"
 msgid "Dummy"
 msgstr "Dummy"
 
-#: ../../configuration/nat/nat44.rst:692
+#: ../../configuration/nat/nat44.rst:716
 msgid "Dummy interface"
 msgstr "Dummy interface"
 
@@ -4677,11 +4499,15 @@ msgstr "Dummy interfaces can be used as interfaces that always stay up (in the s
 msgid "Duplicate packets are not included in the packet loss calculation, although the round-trip time of these packets is used in calculating the minimum/ average/maximum round-trip time numbers."
 msgstr "Duplicate packets are not included in the packet loss calculation, although the round-trip time of these packets is used in calculating the minimum/ average/maximum round-trip time numbers."
 
+#: ../../configuration/pki/index.rst:285
+msgid "During initial deployment we recommend using the staging API of LetsEncrypt to prevent and blacklisting of your system. The API endpoint is https://acme-staging-v02.api.letsencrypt.org/directory"
+msgstr "During initial deployment we recommend using the staging API of LetsEncrypt to prevent and blacklisting of your system. The API endpoint is https://acme-staging-v02.api.letsencrypt.org/directory"
+
 #: ../../configuration/service/ssh.rst:113
 msgid "Dynamic-protection"
 msgstr "Dynamic-protection"
 
-#: ../../configuration/service/dns.rst:199
+#: ../../configuration/service/dns.rst:212
 msgid "Dynamic DNS"
 msgstr "Dynamic DNS"
 
@@ -4689,7 +4515,7 @@ msgstr "Dynamic DNS"
 msgid "EAPoL comes with an identify option. We automatically use the interface MAC address as identity parameter."
 msgstr "EAPoL comes with an identify option. We automatically use the interface MAC address as identity parameter."
 
-#: ../../configuration/nat/nat44.rst:731
+#: ../../configuration/nat/nat44.rst:753
 msgid "ESP Phase:"
 msgstr "ESP Phase:"
 
@@ -4757,10 +4583,14 @@ msgstr "Each site-to-site peer has the next options:"
 msgid "Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only supported together with the external keyword."
 msgstr "Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only supported together with the external keyword."
 
-#: ../../configuration/service/https.rst:63
+#: ../../configuration/service/https.rst:54
 msgid "Email address to associate with certificate"
 msgstr "Email address to associate with certificate"
 
+#: ../../configuration/pki/index.rst:265
+msgid "Email used for registration and recovery contact."
+msgstr "Email used for registration and recovery contact."
+
 #: ../../configuration/trafficpolicy/index.rst:300
 msgid "Embedding one policy into another one"
 msgstr "Embedding one policy into another one"
@@ -4809,6 +4639,10 @@ msgstr "Enable DHCP failover configuration for this address pool."
 msgid "Enable HT-delayed Block Ack ``[DELAYED-BA]``"
 msgstr "Enable HT-delayed Block Ack ``[DELAYED-BA]``"
 
+#: ../../configuration/system/frr.rst:24
+msgid "Enable ICMP Router Discovery Protocol support"
+msgstr "Enable ICMP Router Discovery Protocol support"
+
 #: ../../configuration/interfaces/bridge.rst:81
 msgid "Enable IGMP and MLD querier."
 msgstr "Enable IGMP and MLD querier."
@@ -4817,23 +4651,23 @@ msgstr "Enable IGMP and MLD querier."
 msgid "Enable IGMP and MLD snooping."
 msgstr "Enable IGMP and MLD snooping."
 
-#: ../../configuration/service/dhcp-server.rst:304
+#: ../../configuration/service/dhcp-server.rst:271
 msgid "Enable IP forwarding on client"
 msgstr "Enable IP forwarding on client"
 
-#: ../../configuration/protocols/isis.rst:311
+#: ../../configuration/protocols/isis.rst:339
 msgid "Enable IS-IS"
 msgstr "Enable IS-IS"
 
-#: ../../configuration/protocols/isis.rst:427
+#: ../../configuration/protocols/isis.rst:455
 msgid "Enable IS-IS and IGP-LDP synchronization"
 msgstr "Enable IS-IS and IGP-LDP synchronization"
 
-#: ../../configuration/protocols/isis.rst:386
+#: ../../configuration/protocols/isis.rst:414
 msgid "Enable IS-IS and redistribute routes not natively in IS-IS"
 msgstr "Enable IS-IS and redistribute routes not natively in IS-IS"
 
-#: ../../configuration/protocols/isis.rst:465
+#: ../../configuration/protocols/isis.rst:493
 #: ../../configuration/protocols/segment-routing.rst:193
 msgid "Enable IS-IS with Segment Routing (Experimental)"
 msgstr "Enable IS-IS with Segment Routing (Experimental)"
@@ -4883,6 +4717,10 @@ msgstr "Enable OpenVPN Data Channel Offload feature by loading the appropriate k
 msgid "Enable SNMP queries of the LLDP database"
 msgstr "Enable SNMP queries of the LLDP database"
 
+#: ../../configuration/system/frr.rst:28
+msgid "Enable SNMP support for an individual routing daemon."
+msgstr "Enable SNMP support for an individual routing daemon."
+
 #: ../../configuration/interfaces/bridge.rst:197
 #: ../../configuration/interfaces/bridge.rst:232
 msgid "Enable STP"
@@ -4900,6 +4738,14 @@ msgstr "Enable VHT TXOP Power Save Mode"
 msgid "Enable VLAN-Aware Bridge"
 msgstr "Enable VLAN-Aware Bridge"
 
+#: ../../configuration/system/frr.rst:13
+msgid "Enable :abbr:`BMP (BGP Monitoring Protocol)` support"
+msgstr "Enable :abbr:`BMP (BGP Monitoring Protocol)` support"
+
+#: ../../configuration/service/https.rst:46
+msgid "Enable automatic redirect from http to https."
+msgstr "Enable automatic redirect from http to https."
+
 #: ../../configuration/vpn/dmvpn.rst:132
 msgid "Enable creation of shortcut routes."
 msgstr "Enable creation of shortcut routes."
@@ -4916,18 +4762,22 @@ msgstr "Enable given legacy protocol on this LLDP instance. Legacy protocols inc
 msgid "Enable layer 7 HTTP health check"
 msgstr "Enable layer 7 HTTP health check"
 
-#: ../../configuration/firewall/general.rst:177
-#: ../../configuration/firewall/general-legacy.rst:126
+#: ../../configuration/firewall/bridge.rst:157
+#: ../../configuration/firewall/ipv4.rst:206
+#: ../../configuration/firewall/ipv6.rst:206
+msgid "Enable logging for the matched packet. If this configuration command is not present, then log is not enabled."
+msgstr "Enable logging for the matched packet. If this configuration command is not present, then log is not enabled."
+
+#: ../../configuration/firewall/global-options.rst:114
 msgid "Enable or Disable VyOS to be :rfc:`1337` conform. The following system parameter will be altered:"
 msgstr "Enable or Disable VyOS to be :rfc:`1337` conform. The following system parameter will be altered:"
 
-#: ../../configuration/firewall/general.rst:169
-#: ../../configuration/firewall/general-legacy.rst:119
+#: ../../configuration/firewall/global-options.rst:106
 msgid "Enable or Disable if VyOS use IPv4 TCP SYN Cookies. The following system parameter will be altered:"
 msgstr "Enable or Disable if VyOS use IPv4 TCP SYN Cookies. The following system parameter will be altered:"
 
-#: ../../configuration/firewall/general.rst:426
-#: ../../configuration/firewall/general-legacy.rst:340
+#: ../../configuration/firewall/ipv4.rst:173
+#: ../../configuration/firewall/ipv6.rst:173
 msgid "Enable or disable logging for the matched packet."
 msgstr "Enable or disable logging for the matched packet."
 
@@ -4935,28 +4785,9 @@ msgstr "Enable or disable logging for the matched packet."
 msgid "Enable ospf on an interface and set associated area."
 msgstr "Enable ospf on an interface and set associated area."
 
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
 #: ../../configuration/interfaces/pppoe.rst:228
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
 #: ../../configuration/interfaces/sstp-client.rst:100
 #: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
-#: ../../_include/interface-ip.txt:177
 msgid "Enable policy for source validation by reversed path, as specified in :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended."
 msgstr "Enable policy for source validation by reversed path, as specified in :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended."
 
@@ -5002,18 +4833,22 @@ msgstr "Enabled on-demand PPPoE connections bring up the link only when traffic
 msgid "Enables Cisco style authentication on NHRP packets. This embeds the secret plaintext password to the outgoing NHRP packets. Incoming NHRP packets on this interface are discarded unless the secret password is present. Maximum length of the secret is 8 characters."
 msgstr "Enables Cisco style authentication on NHRP packets. This embeds the secret plaintext password to the outgoing NHRP packets. Incoming NHRP packets on this interface are discarded unless the secret password is present. Maximum length of the secret is 8 characters."
 
-#: ../../configuration/vrf/index.rst:459
+#: ../../configuration/vrf/index.rst:461
 msgid "Enables an MPLS label to be attached to a route exported from the current unicast VRF to VPN. If the value specified is auto, the label value is automatically assigned from a pool maintained."
 msgstr "Enables an MPLS label to be attached to a route exported from the current unicast VRF to VPN. If the value specified is auto, the label value is automatically assigned from a pool maintained."
 
-#: ../../configuration/vpn/sstp.rst:266
+#: ../../configuration/vpn/sstp.rst:277
 msgid "Enables bandwidth shaping via RADIUS."
 msgstr "Enables bandwidth shaping via RADIUS."
 
-#: ../../configuration/vrf/index.rst:481
+#: ../../configuration/vrf/index.rst:483
 msgid "Enables import or export of routes between the current unicast VRF and VPN."
 msgstr "Enables import or export of routes between the current unicast VRF and VPN."
 
+#: ../../configuration/interfaces/vxlan.rst:72
+msgid "Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only supported together with the external keyword."
+msgstr "Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only supported together with the external keyword."
+
 #: ../../configuration/protocols/bfd.rst:30
 msgid "Enables the echo transmission mode"
 msgstr "Enables the echo transmission mode"
@@ -5022,7 +4857,7 @@ msgstr "Enables the echo transmission mode"
 msgid "Enabling Advertisments"
 msgstr "Enabling Advertisments"
 
-#: ../../configuration/interfaces/openvpn.rst:627
+#: ../../configuration/interfaces/openvpn.rst:679
 msgid "Enabling OpenVPN DCO"
 msgstr "Enabling OpenVPN DCO"
 
@@ -5030,11 +4865,11 @@ msgstr "Enabling OpenVPN DCO"
 msgid "Enabling SSH only requires you to specify the port ``<port>`` you want SSH to listen on. By default, SSH runs on port 22."
 msgstr "Enabling SSH only requires you to specify the port ``<port>`` you want SSH to listen on. By default, SSH runs on port 22."
 
-#: ../../configuration/protocols/igmp.rst:224
+#: ../../configuration/protocols/igmp-proxy.rst:52
 msgid "Enabling this function increases the risk of bandwidth saturation."
 msgstr "Enabling this function increases the risk of bandwidth saturation."
 
-#: ../../configuration/service/https.rst:37
+#: ../../configuration/service/https.rst:73
 msgid "Enforce strict path checking"
 msgstr "Enforce strict path checking"
 
@@ -5050,25 +4885,6 @@ msgstr "Ensure that when comparing routes where both are equal on most metrics,
 msgid "Enterprise installations usually ship a kind of directory service which is used to have a single password store for all employees. VyOS and OpenVPN support using LDAP/AD as single user backend."
 msgstr "Enterprise installations usually ship a kind of directory service which is used to have a single password store for all employees. VyOS and OpenVPN support using LDAP/AD as single user backend."
 
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
-#: ../../_include/interface-ip.txt:172
 #: ../../_include/interface-ip.txt:172
 msgid "Ericsson call it MAC-Forced Forwarding (RFC Draft)"
 msgstr "Ericsson call it MAC-Forced Forwarding (RFC Draft)"
@@ -5089,15 +4905,6 @@ msgstr "Established sessions can be viewed using the **show l2tp-server sessions
 msgid "Ethernet"
 msgstr "Ethernet"
 
-#: ../../_include/interface-disable-flow-control.txt:4
-#: ../../_include/interface-disable-flow-control.txt:4
-#: ../../_include/interface-disable-flow-control.txt:4
-#: ../../_include/interface-disable-flow-control.txt:4
-#: ../../_include/interface-disable-flow-control.txt:4
-#: ../../_include/interface-disable-flow-control.txt:4
-#: ../../_include/interface-disable-flow-control.txt:4
-#: ../../_include/interface-disable-flow-control.txt:4
-#: ../../_include/interface-disable-flow-control.txt:4
 #: ../../_include/interface-disable-flow-control.txt:4
 msgid "Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion."
 msgstr "Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion."
@@ -5130,7 +4937,7 @@ msgstr "Event handler script"
 msgid "Event handler that monitors the state of interface eth0."
 msgstr "Event handler that monitors the state of interface eth0."
 
-#: ../../configuration/nat/nat44.rst:221
+#: ../../configuration/nat/nat44.rst:233
 msgid "Every NAT rule has a translation command defined. The address defined for the translation is the address used when the address information in a packet is replaced."
 msgstr "Every NAT rule has a translation command defined. The address defined for the translation is the address used when the address information in a packet is replaced."
 
@@ -5162,484 +4969,90 @@ msgstr "Every WWAN connection requires an :abbr:`APN (Access Point Name)` which
 msgid "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the configured IPv4 prefix and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers down to our clients used on their connection."
 msgstr "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the configured IPv4 prefix and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers down to our clients used on their connection."
 
+#: ../../configuration/firewall/bridge.rst:321
 #: ../../configuration/highavailability/index.rst:397
 #: ../../configuration/interfaces/bonding.rst:291
 #: ../../configuration/interfaces/l2tpv3.rst:86
 #: ../../configuration/interfaces/pppoe.rst:323
 #: ../../configuration/interfaces/virtual-ethernet.rst:92
-#: ../../configuration/interfaces/vxlan.rst:166
+#: ../../configuration/interfaces/vxlan.rst:187
 #: ../../configuration/interfaces/wwan.rst:294
 #: ../../configuration/protocols/failover.rst:63
-#: ../../configuration/protocols/igmp.rst:35
-#: ../../configuration/protocols/igmp.rst:233
+#: ../../configuration/protocols/igmp-proxy.rst:61
+#: ../../configuration/protocols/pim.rst:217
 #: ../../configuration/protocols/rpki.rst:156
 #: ../../configuration/service/broadcast-relay.rst:55
 #: ../../configuration/service/conntrack-sync.rst:186
 #: ../../configuration/service/dhcp-relay.rst:85
-#: ../../configuration/service/dhcp-relay.rst:172
-#: ../../configuration/service/dhcp-server.rst:421
-#: ../../configuration/service/dns.rst:147
-#: ../../configuration/service/dns.rst:263
+#: ../../configuration/service/dhcp-relay.rst:174
+#: ../../configuration/service/dhcp-server.rst:362
+#: ../../configuration/service/dns.rst:160
+#: ../../configuration/service/dns.rst:276
 #: ../../configuration/service/eventhandler.rst:83
 #: ../../configuration/service/ipoe-server.rst:150
-#: ../../configuration/service/mdns.rst:34
+#: ../../configuration/service/mdns.rst:50
 #: ../../configuration/service/monitoring.rst:134
 #: ../../configuration/service/snmp.rst:94
 #: ../../configuration/service/snmp.rst:145
 #: ../../configuration/service/tftp-server.rst:47
 #: ../../configuration/system/acceleration.rst:58
-#: ../../configuration/system/login.rst:395
+#: ../../configuration/system/login.rst:397
 #: ../../configuration/system/name-server.rst:28
 #: ../../configuration/system/name-server.rst:63
 #: ../../configuration/system/sflow.rst:49
+#: ../../configuration/system/updates.rst:21
 #: ../../configuration/trafficpolicy/index.rst:530
 #: ../../configuration/trafficpolicy/index.rst:1122
 #: ../../configuration/vpn/dmvpn.rst:161
 #: ../../configuration/vpn/openconnect.rst:97
-#: ../../configuration/vpn/sstp.rst:275
+#: ../../configuration/vpn/sstp.rst:286
 #: ../../configuration/vrf/index.rst:99
 #: ../../configuration/vrf/index.rst:232
 msgid "Example"
 msgstr "Example"
 
-#: ../../configuration/service/pppoe-server.rst:144
+#: ../../configuration/service/pppoe-server.rst:131
 msgid "Example, from radius-server send command for disconnect client with username test"
 msgstr "Example, from radius-server send command for disconnect client with username test"
 
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-address.txt:9
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-eapol.txt:18
-#: ../../_include/interface-eapol.txt:33
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-address.txt:9
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-address.txt:9
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-address.txt:9
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-vrf.txt:9
 #: ../../configuration/interfaces/pppoe.rst:127
 #: ../../configuration/interfaces/pppoe.rst:140
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-vrf.txt:9
 #: ../../configuration/interfaces/sstp-client.rst:49
-#: ../../configuration/interfaces/sstp-client.rst:62
-#: ../../_include/interface-address.txt:9
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-address.txt:9
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-per-client-thread.txt:10
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-flow-control.txt:19
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-per-client-thread.txt:10
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../_include/interface-address-with-dhcp.txt:22
-#: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
-#: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mac.txt:7
-#: ../../_include/interface-mtu.txt:7
-#: ../../_include/interface-ip.txt:27
-#: ../../_include/interface-ip.txt:50
-#: ../../_include/interface-ip.txt:144
-#: ../../_include/interface-ipv6.txt:15
-#: ../../_include/interface-ipv6.txt:28
-#: ../../_include/interface-ipv6.txt:39
-#: ../../_include/interface-ipv6.txt:51
-#: ../../_include/interface-ipv6.txt:83
-#: ../../_include/interface-ipv6.txt:96
-#: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
+#: ../../configuration/interfaces/sstp-client.rst:62
+#: ../../configuration/nat/nat44.rst:170
+#: ../../configuration/nat/nat44.rst:185
+#: ../../configuration/nat/nat44.rst:199
+#: ../../configuration/nat/nat44.rst:220
+#: ../../configuration/nat/nat44.rst:256
+#: ../../configuration/nat/nat44.rst:278
+#: ../../configuration/nat/nat44.rst:425
+#: ../../configuration/nat/nat66.rst:78
+#: ../../configuration/nat/nat66.rst:96
+#: ../../configuration/protocols/static.rst:174
+#: ../../configuration/service/dns.rst:363
+#: ../../configuration/service/monitoring.rst:69
+#: ../../configuration/service/monitoring.rst:98
+#: ../../configuration/service/ssh.rst:165
+#: ../../configuration/service/ssh.rst:200
+#: ../../configuration/system/flow-accounting.rst:164
+#: ../../configuration/vpn/l2tp.rst:41
+#: ../../configuration/vpn/site2site_ipsec.rst:162
+#: ../../configuration/vpn/site2site_ipsec.rst:273
 #: ../../_include/interface-address-with-dhcp.txt:22
+#: ../../_include/interface-address.txt:9
 #: ../../_include/interface-description.txt:7
-#: ../../_include/interface-disable.txt:7
+#: ../../_include/interface-dhcp-options.txt:10
+#: ../../_include/interface-dhcp-options.txt:22
+#: ../../_include/interface-dhcp-options.txt:39
+#: ../../_include/interface-dhcp-options.txt:51
+#: ../../_include/interface-dhcp-options.txt:62
+#: ../../_include/interface-dhcp-options.txt:77
+#: ../../_include/interface-dhcp-options.txt:91
+#: ../../_include/interface-disable-flow-control.txt:19
 #: ../../_include/interface-disable-link-detect.txt:9
-#: ../../_include/interface-mtu.txt:7
+#: ../../_include/interface-disable.txt:7
+#: ../../_include/interface-eapol.txt:18
+#: ../../_include/interface-eapol.txt:33
 #: ../../_include/interface-ip.txt:27
 #: ../../_include/interface-ip.txt:50
 #: ../../_include/interface-ip.txt:144
@@ -5649,76 +5062,21 @@ msgstr "Example, from radius-server send command for disconnect client with user
 #: ../../_include/interface-ipv6.txt:51
 #: ../../_include/interface-ipv6.txt:83
 #: ../../_include/interface-ipv6.txt:96
+#: ../../_include/interface-mac.txt:7
+#: ../../_include/interface-mtu.txt:7
+#: ../../_include/interface-per-client-thread.txt:10
 #: ../../_include/interface-vrf.txt:9
-#: ../../_include/interface-dhcp-options.txt:10
-#: ../../_include/interface-dhcp-options.txt:22
-#: ../../_include/interface-dhcp-options.txt:34
-#: ../../_include/interface-dhcp-options.txt:46
-#: ../../_include/interface-dhcp-options.txt:57
-#: ../../_include/interface-dhcp-options.txt:72
-#: ../../configuration/nat/nat44.rst:153
-#: ../../configuration/nat/nat44.rst:163
-#: ../../configuration/nat/nat44.rst:173
-#: ../../configuration/nat/nat44.rst:187
-#: ../../configuration/nat/nat44.rst:208
-#: ../../configuration/nat/nat44.rst:244
-#: ../../configuration/nat/nat44.rst:266
-#: ../../configuration/nat/nat44.rst:411
-#: ../../configuration/nat/nat66.rst:78
-#: ../../configuration/nat/nat66.rst:96
-#: ../../configuration/protocols/static.rst:174
-#: ../../configuration/service/dns.rst:350
-#: ../../configuration/service/monitoring.rst:69
-#: ../../configuration/service/monitoring.rst:98
-#: ../../configuration/service/ssh.rst:165
-#: ../../configuration/service/ssh.rst:200
-#: ../../configuration/system/flow-accounting.rst:164
-#: ../../configuration/vpn/l2tp.rst:41
-#: ../../configuration/vpn/site2site_ipsec.rst:158
-#: ../../configuration/vpn/site2site_ipsec.rst:269
 msgid "Example:"
 msgstr "Example:"
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:36
 msgid "Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of ``<prefix>::ffff``, as the address 65534 will correspond to ``ffff`` in hexadecimal notation."
 msgstr "Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of ``<prefix>::ffff``, as the address 65534 will correspond to ``ffff`` in hexadecimal notation."
 
-#: ../../configuration/nat/nat44.rst:357
+#: ../../configuration/nat/nat44.rst:371
 msgid "Example: For an ~8,000 host network a source NAT pool of 32 IP addresses is recommended."
 msgstr "Example: For an ~8,000 host network a source NAT pool of 32 IP addresses is recommended."
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:54
 msgid "Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface."
 msgstr "Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface."
@@ -5769,24 +5127,24 @@ msgstr "Example: to be appended is set to ``vyos.net`` and the URL received is `
 msgid "Example Configuration"
 msgstr "Example Configuration"
 
-#: ../../configuration/service/dns.rst:365
+#: ../../configuration/service/dns.rst:378
 msgid "Example IPv6 only:"
 msgstr "Example IPv6 only:"
 
-#: ../../configuration/nat/nat44.rst:666
+#: ../../configuration/nat/nat44.rst:690
 msgid "Example Network"
 msgstr "Example Network"
 
-#: ../../configuration/firewall/general.rst:1495
-#: ../../configuration/firewall/general-legacy.rst:979
+#: ../../configuration/firewall/ipv4.rst:1130
+#: ../../configuration/firewall/ipv6.rst:1153
 msgid "Example Partial Config"
 msgstr "Example Partial Config"
 
-#: ../../configuration/protocols/ospf.rst:1346
+#: ../../configuration/protocols/ospf.rst:1348
 msgid "Example configuration for WireGuard interfaces:"
 msgstr "Example configuration for WireGuard interfaces:"
 
-#: ../../configuration/service/pppoe-server.rst:160
+#: ../../configuration/service/pppoe-server.rst:147
 msgid "Example for changing rate-limit via RADIUS CoA."
 msgstr "Example for changing rate-limit via RADIUS CoA."
 
@@ -5794,28 +5152,31 @@ msgstr "Example for changing rate-limit via RADIUS CoA."
 msgid "Example for configuring a simple L2TP over IPsec VPN for remote access (works with native Windows and Mac VPN clients):"
 msgstr "Example for configuring a simple L2TP over IPsec VPN for remote access (works with native Windows and Mac VPN clients):"
 
-#: ../../configuration/nat/nat44.rst:280
+#: ../../configuration/nat/nat44.rst:292
 msgid "Example of redirection:"
 msgstr "Example of redirection:"
 
-#: ../../configuration/firewall/general.rst:1278
+#: ../../configuration/firewall/ipv4.rst:925
+#: ../../configuration/firewall/ipv6.rst:934
 msgid "Example synproxy"
 msgstr "Example synproxy"
 
+#: ../../configuration/firewall/groups.rst:145
 #: ../../configuration/interfaces/bridge.rst:187
 #: ../../configuration/interfaces/macsec.rst:153
 #: ../../configuration/interfaces/wireless.rst:541
 #: ../../configuration/loadbalancing/reverse-proxy.rst:187
 #: ../../configuration/policy/index.rst:46
-#: ../../configuration/protocols/bgp.rst:1095
-#: ../../configuration/protocols/isis.rst:308
+#: ../../configuration/protocols/bgp.rst:1096
+#: ../../configuration/protocols/isis.rst:336
 #: ../../configuration/protocols/ospf.rst:834
-#: ../../configuration/service/pppoe-server.rst:356
+#: ../../configuration/service/pppoe-server.rst:343
 #: ../../configuration/service/webproxy.rst:419
 msgid "Examples"
 msgstr "Examples"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:153
+#: ../../configuration/nat/nat44.rst:154
+#: ../../configuration/vpn/site2site_ipsec.rst:157
 msgid "Examples:"
 msgstr "Examples:"
 
@@ -5847,11 +5208,15 @@ msgstr "Exit policy on match: go to rule <1-65535>"
 msgid "Expedited forwarding (EF)"
 msgstr "Expedited forwarding (EF)"
 
+#: ../../configuration/firewall/flowtables.rst:140
+msgid "Explanation"
+msgstr "Explanation"
+
 #: ../../configuration/service/salt-minion.rst:33
 msgid "Explicitly declare ID for this minion to use (default: hostname)"
 msgstr "Explicitly declare ID for this minion to use (default: hostname)"
 
-#: ../../configuration/service/dhcp-relay.rst:176
+#: ../../configuration/service/dhcp-relay.rst:178
 msgid "External DHCPv6 server is at 2001:db8::4"
 msgstr "External DHCPv6 server is at 2001:db8::4"
 
@@ -5879,11 +5244,15 @@ msgstr "FQ-CoDel is tuned to run ok with its default parameters at 10Gbit speeds
 msgid "FQ-Codel is a non-shaping (work-conserving) policy, so it will only be useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and FQ-Codel will have no effect. If there is bandwidth available on the physical link, you can embed_ FQ-Codel into a classful shaping policy to make sure it owns the queue. If you are not sure if you need to embed your FQ-CoDel policy into a Shaper, do it."
 msgstr "FQ-Codel is a non-shaping (work-conserving) policy, so it will only be useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and FQ-Codel will have no effect. If there is bandwidth available on the physical link, you can embed_ FQ-Codel into a classful shaping policy to make sure it owns the queue. If you are not sure if you need to embed your FQ-CoDel policy into a Shaper, do it."
 
+#: ../../configuration/system/frr.rst:5
+msgid "FRR"
+msgstr "FRR"
+
 #: ../../configuration/protocols/ospf.rst:213
 msgid "FRR offers only partial support for some of the routing protocol extensions that are used with MPLS-TE; it does not support a complete RSVP-TE solution."
 msgstr "FRR offers only partial support for some of the routing protocol extensions that are used with MPLS-TE; it does not support a complete RSVP-TE solution."
 
-#: ../../configuration/interfaces/vxlan.rst:138
+#: ../../configuration/interfaces/vxlan.rst:159
 msgid "FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when working with the Linux kernel. In this new way, the mapping of a VLAN to a :abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))` is configured against a container VXLAN interface which is referred to as a :abbr:`SVD (Single VXLAN device)`."
 msgstr "FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when working with the Linux kernel. In this new way, the mapping of a VLAN to a :abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))` is configured against a container VXLAN interface which is referred to as a :abbr:`SVD (Single VXLAN device)`."
 
@@ -5905,8 +5274,8 @@ msgstr "Facility Code"
 
 #: ../../configuration/loadbalancing/wan.rst:218
 #: ../../configuration/protocols/failover.rst:3
-#: ../../configuration/service/dhcp-server.rst:171
-#: ../../configuration/service/dhcp-server.rst:428
+#: ../../configuration/service/dhcp-server.rst:136
+#: ../../configuration/service/dhcp-server.rst:369
 msgid "Failover"
 msgstr "Failover"
 
@@ -5942,15 +5311,15 @@ msgstr "Features of the Current Implementation"
 msgid "Field"
 msgstr "Field"
 
-#: ../../configuration/service/dns.rst:228
+#: ../../configuration/service/dns.rst:241
 msgid "File identified by `<keyfile>` containing the secret RNDC key shared with remote DNS server."
 msgstr "File identified by `<keyfile>` containing the secret RNDC key shared with remote DNS server."
 
-#: ../../configuration/service/pppoe-server.rst:241
+#: ../../configuration/service/pppoe-server.rst:228
 msgid "Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate)"
 msgstr "Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate)"
 
-#: ../../configuration/service/pppoe-server.rst:167
+#: ../../configuration/service/pppoe-server.rst:154
 msgid "Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit up-stream rate) If attribute Filter-Id redefined, replace it in RADIUS CoA request."
 msgstr "Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit up-stream rate) If attribute Filter-Id redefined, replace it in RADIUS CoA request."
 
@@ -5982,6 +5351,14 @@ msgstr "Firewall"
 msgid "Firewall-Legacy"
 msgstr "Firewall-Legacy"
 
+#: ../../configuration/firewall/ipv4.rst:72
+msgid "Firewall - IPv4 Rules"
+msgstr "Firewall - IPv4 Rules"
+
+#: ../../configuration/firewall/ipv6.rst:72
+msgid "Firewall - IPv6 Rules"
+msgstr "Firewall - IPv6 Rules"
+
 #: ../../configuration/firewall/general.rst:7
 msgid "Firewall Configuration"
 msgstr "Firewall Configuration"
@@ -5990,7 +5367,9 @@ msgstr "Firewall Configuration"
 msgid "Firewall Configuration (Deprecated)"
 msgstr "Firewall Configuration (Deprecated)"
 
-#: ../../configuration/firewall/general.rst:495
+#: ../../configuration/firewall/bridge.rst:199
+#: ../../configuration/firewall/ipv4.rst:268
+#: ../../configuration/firewall/ipv6.rst:268
 msgid "Firewall Description"
 msgstr "Firewall Description"
 
@@ -5999,7 +5378,9 @@ msgstr "Firewall Description"
 msgid "Firewall Exceptions"
 msgstr "Firewall Exceptions"
 
-#: ../../configuration/firewall/general.rst:410
+#: ../../configuration/firewall/bridge.rst:149
+#: ../../configuration/firewall/ipv4.rst:196
+#: ../../configuration/firewall/ipv6.rst:196
 msgid "Firewall Logs"
 msgstr "Firewall Logs"
 
@@ -6007,6 +5388,14 @@ msgstr "Firewall Logs"
 msgid "Firewall Rules"
 msgstr "Firewall Rules"
 
+#: ../../configuration/firewall/groups.rst:7
+msgid "Firewall groups"
+msgstr "Firewall groups"
+
+#: ../../configuration/firewall/groups.rst:13
+msgid "Firewall groups represent collections of IP addresses, networks, ports, mac addresses, domains or interfaces. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher, and/or as inbound/outbound in the case of interface group."
+msgstr "Firewall groups represent collections of IP addresses, networks, ports, mac addresses, domains or interfaces. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher, and/or as inbound/outbound in the case of interface group."
+
 #: ../../configuration/firewall/general.rst:186
 msgid "Firewall groups represent collections of IP addresses, networks, ports, mac addresses, domains or interfaces. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher, and as inbpund/outbound in the case of interface group."
 msgstr "Firewall groups represent collections of IP addresses, networks, ports, mac addresses, domains or interfaces. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher, and as inbpund/outbound in the case of interface group."
@@ -6023,10 +5412,14 @@ msgstr "Firewall mark. It possible to loadbalancing traffic based on ``fwmark``
 msgid "Firewall policy can also be applied to the tunnel interface for `local`, `in`, and `out` directions and functions identically to ethernet interfaces."
 msgstr "Firewall policy can also be applied to the tunnel interface for `local`, `in`, and `out` directions and functions identically to ethernet interfaces."
 
-#: ../../configuration/nat/nat44.rst:620
+#: ../../configuration/nat/nat44.rst:644
 msgid "Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination of inbound rules."
 msgstr "Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination of inbound rules."
 
+#: ../../configuration/nat/nat44.rst:572
+msgid "Firewall rules for Destination NAT"
+msgstr "Firewall rules for Destination NAT"
+
 #: ../../configuration/interfaces/wwan.rst:321
 msgid "Firmware Update"
 msgstr "Firmware Update"
@@ -6059,7 +5452,7 @@ msgstr "First of all, we need to create a CA root certificate and server certifi
 msgid "First of all you must configure BGP router with the :abbr:`ASN (Autonomous System Number)`. The AS number is an identifier for the autonomous system. The BGP protocol uses the AS number for detecting whether the BGP connection is internal or external. VyOS does not have a special command to start the BGP process. The BGP process starts when the first neighbor is configured."
 msgstr "First of all you must configure BGP router with the :abbr:`ASN (Autonomous System Number)`. The AS number is an identifier for the autonomous system. The BGP protocol uses the AS number for detecting whether the BGP connection is internal or external. VyOS does not have a special command to start the BGP process. The BGP process starts when the first neighbor is configured."
 
-#: ../../configuration/nat/nat44.rst:635
+#: ../../configuration/nat/nat44.rst:659
 msgid "First scenario: apply destination NAT for all HTTP traffic comming through interface eth0, and user 4 backends. First backend should received 30% of the request, second backend should get 20%, third 15% and the fourth 35% We will use source and destination address for hash generation."
 msgstr "First scenario: apply destination NAT for all HTTP traffic comming through interface eth0, and user 4 backends. First backend should received 30% of the request, second backend should get 20%, third 15% and the fourth 35% We will use source and destination address for hash generation."
 
@@ -6067,7 +5460,7 @@ msgstr "First scenario: apply destination NAT for all HTTP traffic comming throu
 msgid "First steps"
 msgstr "First steps"
 
-#: ../../configuration/vpn/openconnect.rst:171
+#: ../../configuration/vpn/openconnect.rst:178
 msgid "First the OTP keys must be generated and sent to the user and to the configuration:"
 msgstr "First the OTP keys must be generated and sent to the user and to the configuration:"
 
@@ -6103,10 +5496,30 @@ msgstr "Flow and packet-based balancing"
 msgid "Flows can be exported via two different protocols: NetFlow (versions 5, 9 and 10/IPFIX) and sFlow. Additionally, you may save flows to an in-memory table internally in a router."
 msgstr "Flows can be exported via two different protocols: NetFlow (versions 5, 9 and 10/IPFIX) and sFlow. Additionally, you may save flows to an in-memory table internally in a router."
 
+#: ../../configuration/firewall/flowtables.rst:57
+msgid "Flowtable Configuration"
+msgstr "Flowtable Configuration"
+
+#: ../../configuration/firewall/flowtables.rst:7
+msgid "Flowtables Firewall Configuration"
+msgstr "Flowtables Firewall Configuration"
+
+#: ../../configuration/firewall/flowtables.rst:32
+msgid "Flowtables  allows you to define a fastpath through the flowtable datapath. The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols."
+msgstr "Flowtables  allows you to define a fastpath through the flowtable datapath. The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols."
+
 #: ../../configuration/loadbalancing/wan.rst:244
 msgid "Flushing the session table will cause other connections to fall back from flow-based to packet-based balancing until each flow is reestablished."
 msgstr "Flushing the session table will cause other connections to fall back from flow-based to packet-based balancing until each flow is reestablished."
 
+#: ../../configuration/service/ssh.rst:236
+msgid "Follow the SSH dynamic-protection log."
+msgstr "Follow the SSH dynamic-protection log."
+
+#: ../../configuration/service/ssh.rst:228
+msgid "Follow the SSH server log."
+msgstr "Follow the SSH server log."
+
 #: ../../configuration/vpn/openconnect.rst:102
 msgid "Follow the instructions to generate CA cert (in configuration mode):"
 msgstr "Follow the instructions to generate CA cert (in configuration mode):"
@@ -6115,6 +5528,10 @@ msgstr "Follow the instructions to generate CA cert (in configuration mode):"
 msgid "Follow the instructions to generate server cert (in configuration mode):"
 msgstr "Follow the instructions to generate server cert (in configuration mode):"
 
+#: ../../configuration/service/mdns.rst:91
+msgid "Follow the logs for mDNS repeater service."
+msgstr "Follow the logs for mDNS repeater service."
+
 #: ../../configuration/interfaces/openvpn.rst:258
 msgid "For Encryption:"
 msgstr "For Encryption:"
@@ -6131,11 +5548,11 @@ msgstr "For IS-IS top operate correctly, one must do the equivalent of a Router
 msgid "For Incoming and Import Route-maps if we receive a v6 global and v6 LL address for the route, then prefer to use the global address as the nexthop."
 msgstr "For Incoming and Import Route-maps if we receive a v6 global and v6 LL address for the route, then prefer to use the global address as the nexthop."
 
-#: ../../configuration/service/pppoe-server.rst:201
+#: ../../configuration/service/pppoe-server.rst:188
 msgid "For Local Users"
 msgstr "For Local Users"
 
-#: ../../configuration/service/pppoe-server.rst:236
+#: ../../configuration/service/pppoe-server.rst:223
 msgid "For RADIUS users"
 msgstr "For RADIUS users"
 
@@ -6147,11 +5564,11 @@ msgstr "For USB port information please refor to: :ref:`hardware_usb`."
 msgid "For :ref:`bidirectional-nat` a rule for both :ref:`source-nat` and :ref:`destination-nat` needs to be created."
 msgstr "For :ref:`bidirectional-nat` a rule for both :ref:`source-nat` and :ref:`destination-nat` needs to be created."
 
-#: ../../configuration/nat/nat44.rst:263
+#: ../../configuration/nat/nat44.rst:275
 msgid "For :ref:`destination-nat` rules the packets destination address will be replaced by the specified address in the `translation address` command."
 msgstr "For :ref:`destination-nat` rules the packets destination address will be replaced by the specified address in the `translation address` command."
 
-#: ../../configuration/nat/nat44.rst:228
+#: ../../configuration/nat/nat44.rst:240
 msgid "For :ref:`source-nat` rules the packets source address will be replaced with the address specified in the translation command. A port translation can also be specified and is part of the translation address."
 msgstr "For :ref:`source-nat` rules the packets source address will be replaced with the address specified in the translation command. A port translation can also be specified and is part of the translation address."
 
@@ -6163,7 +5580,7 @@ msgstr "For a headstart you can use the below example on how to build a bond,por
 msgid "For a headstart you can use the below example on how to build a bond with two interfaces from VyOS to a Juniper EX Switch system."
 msgstr "For a headstart you can use the below example on how to build a bond with two interfaces from VyOS to a Juniper EX Switch system."
 
-#: ../../configuration/nat/nat44.rst:248
+#: ../../configuration/nat/nat44.rst:260
 msgid "For a large amount of private machines behind the NAT your address pool might to be bigger. Use any address in the range 100.64.0.10 - 100.64.0.20 on SNAT rule 40 when doing the translation"
 msgstr "For a large amount of private machines behind the NAT your address pool might to be bigger. Use any address in the range 100.64.0.10 - 100.64.0.20 on SNAT rule 40 when doing the translation"
 
@@ -6187,7 +5604,9 @@ msgstr "For example:"
 msgid "For firewall filtering, configuration should be done in ``set firewall [ipv4 | ipv6] ...``"
 msgstr "For firewall filtering, configuration should be done in ``set firewall [ipv4 | ipv6] ...``"
 
-#: ../../configuration/firewall/general.rst:320
+#: ../../configuration/firewall/bridge.rst:58
+#: ../../configuration/firewall/ipv4.rst:74
+#: ../../configuration/firewall/ipv6.rst:74
 msgid "For firewall filtering, firewall rules needs to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify multiple criteria matchers. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed."
 msgstr "For firewall filtering, firewall rules needs to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify multiple criteria matchers. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed."
 
@@ -6223,11 +5642,11 @@ msgstr "For latest releases, refer the `firewall (interface-groups) <https://doc
 msgid "For more information on how MPLS label switching works, please go visit `Wikipedia (MPLS)`_."
 msgstr "For more information on how MPLS label switching works, please go visit `Wikipedia (MPLS)`_."
 
-#: ../../configuration/service/pppoe-server.rst:312
+#: ../../configuration/service/pppoe-server.rst:299
 msgid "For network maintenance, it's a good idea to direct users to a backup server so that the primary server can be safely taken out of service. It's possible to switch your PPPoE server to maintenance mode where it maintains already established connections, but refuses new connection attempts."
 msgstr "For network maintenance, it's a good idea to direct users to a backup server so that the primary server can be safely taken out of service. It's possible to switch your PPPoE server to maintenance mode where it maintains already established connections, but refuses new connection attempts."
 
-#: ../../configuration/interfaces/vxlan.rst:131
+#: ../../configuration/interfaces/vxlan.rst:152
 msgid "For optimal scalability, Multicast shouldn't be used at all, but instead use BGP to signal all connected devices between leaves. Unfortunately, VyOS does not yet support this."
 msgstr "For optimal scalability, Multicast shouldn't be used at all, but instead use BGP to signal all connected devices between leaves. Unfortunately, VyOS does not yet support this."
 
@@ -6235,7 +5654,12 @@ msgstr "For optimal scalability, Multicast shouldn't be used at all, but instead
 msgid "For outbound updates the order of preference is:"
 msgstr "For outbound updates the order of preference is:"
 
-#: ../../configuration/firewall/general.rst:497
+#: ../../configuration/firewall/bridge.rst:201
+msgid "For reference, a description can be defined for every defined custom chain."
+msgstr "For reference, a description can be defined for every defined custom chain."
+
+#: ../../configuration/firewall/ipv4.rst:270
+#: ../../configuration/firewall/ipv6.rst:270
 msgid "For reference, a description can be defined for every single rule, and for every defined custom chain."
 msgstr "For reference, a description can be defined for every single rule, and for every defined custom chain."
 
@@ -6279,10 +5703,28 @@ msgstr "For the sake of demonstration, `example #1 in the official documentation
 msgid "For traffic originated by the router, base chain is **output filter**: ``set firewall [ipv4 | ipv6] output filter ...``"
 msgstr "For traffic originated by the router, base chain is **output filter**: ``set firewall [ipv4 | ipv6] output filter ...``"
 
+#: ../../configuration/firewall/bridge.rst:40
+msgid "For traffic that needs to be forwared internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``"
+msgstr "For traffic that needs to be forwared internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``"
+
+#: ../../configuration/firewall/bridge.rst:40
+msgid "For traffic that needs to be forwared internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlightened with red color."
+msgstr "For traffic that needs to be forwared internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlightened with red color."
+
+#: ../../configuration/firewall/ipv4.rst:46
+#: ../../configuration/firewall/ipv6.rst:46
+msgid "For traffic towards the router itself, base chain is **input**, while traffic originated by the router, base chain is **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destinated to the router itself, and traffic generated by the router (starting from circle number 6):"
+msgstr "For traffic towards the router itself, base chain is **input**, while traffic originated by the router, base chain is **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destinated to the router itself, and traffic generated by the router (starting from circle number 6):"
+
 #: ../../configuration/firewall/general.rst:69
 msgid "For traffic towards the router itself, base chain is **input filter**: ``set firewall [ipv4 | ipv6] input filter ...``"
 msgstr "For traffic towards the router itself, base chain is **input filter**: ``set firewall [ipv4 | ipv6] input filter ...``"
 
+#: ../../configuration/firewall/ipv4.rst:36
+#: ../../configuration/firewall/ipv6.rst:36
+msgid "For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next:"
+msgstr "For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next:"
+
 #: ../../configuration/firewall/general.rst:62
 msgid "For transit traffic, which is received by the router and forwarded, base chain is **forward filter**: ``set firewall [ipv4 | ipv6] forward filter ...``"
 msgstr "For transit traffic, which is received by the router and forwarded, base chain is **forward filter**: ``set firewall [ipv4 | ipv6] forward filter ...``"
@@ -6315,6 +5757,14 @@ msgstr "From :rfc:`1930`:"
 msgid "From a security perspective, it is not recommended to let a third party create and share the private key for a secured connection. You should create the private portion on your own and only hand out the public key. Please keep this in mind when using this convenience feature."
 msgstr "From a security perspective, it is not recommended to let a third party create and share the private key for a secured connection. You should create the private portion on your own and only hand out the public key. Please keep this in mind when using this convenience feature."
 
+#: ../../configuration/firewall/bridge.rst:21
+#: ../../configuration/firewall/flowtables.rst:20
+#: ../../configuration/firewall/ipv4.rst:19
+#: ../../configuration/firewall/ipv6.rst:19
+#: ../../configuration/firewall/zone.rst:31
+msgid "From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure:"
+msgstr "From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure:"
+
 #: ../../configuration/highavailability/index.rst:380
 msgid "Fwmark"
 msgstr "Fwmark"
@@ -6369,6 +5819,10 @@ msgstr "General"
 msgid "General Configuration"
 msgstr "General Configuration"
 
+#: ../../configuration/firewall/bridge.rst:291
+msgid "General commands for firewall configuration, counter and statiscits:"
+msgstr "General commands for firewall configuration, counter and statiscits:"
+
 #: ../../configuration/interfaces/wireguard.rst:29
 msgid "Generate Keypair"
 msgstr "Generate Keypair"
@@ -6424,6 +5878,10 @@ msgstr "Get an overview over the encryption counters."
 msgid "Get detailed information about LLDP neighbors."
 msgstr "Get detailed information about LLDP neighbors."
 
+#: ../../configuration/nat/nat66.rst:160
+msgid "Get the DHCPv6-PD prefixes from both routers:"
+msgstr "Get the DHCPv6-PD prefixes from both routers:"
+
 #: ../../configuration/protocols/rpki.rst:39
 msgid "Getting started"
 msgstr "Getting started"
@@ -6444,6 +5902,10 @@ msgstr "Gloabal"
 msgid "Global Options"
 msgstr "Global Options"
 
+#: ../../configuration/firewall/global-options.rst:7
+msgid "Global Options Firewall Configuration"
+msgstr "Global Options Firewall Configuration"
+
 #: ../../configuration/highavailability/index.rst:224
 msgid "Global options"
 msgstr "Global options"
@@ -6465,7 +5927,6 @@ msgstr "Graceful Restart"
 msgid "Gratuitous ARP"
 msgstr "Gratuitous ARP"
 
-#: ../../configuration/firewall/general.rst:184
 #: ../../configuration/firewall/general-legacy.rst:153
 msgid "Groups"
 msgstr "Groups"
@@ -6482,7 +5943,11 @@ msgstr "HQ's router requires the following steps to generate crypto materials fo
 msgid "HTTP-API"
 msgstr "HTTP-API"
 
-#: ../../configuration/service/dns.rst:304
+#: ../../configuration/service/https.rst:5
+msgid "HTTP API"
+msgstr "HTTP API"
+
+#: ../../configuration/service/dns.rst:317
 msgid "HTTP based services"
 msgstr "HTTP based services"
 
@@ -6499,11 +5964,11 @@ msgstr "HTTP client"
 msgid "HT (High Throughput) capabilities (802.11n)"
 msgstr "HT (High Throughput) capabilities (802.11n)"
 
-#: ../../configuration/nat/nat44.rst:398
+#: ../../configuration/nat/nat44.rst:412
 msgid "Hairpin NAT/NAT Reflection"
 msgstr "Hairpin NAT/NAT Reflection"
 
-#: ../../configuration/service/dhcp-server.rst:643
+#: ../../configuration/service/dhcp-server.rst:573
 msgid "Hand out prefixes of size `<length>` to clients in subnet `<prefix>` when they request for prefix delegation."
 msgstr "Hand out prefixes of size `<length>` to clients in subnet `<prefix>` when they request for prefix delegation."
 
@@ -6511,7 +5976,7 @@ msgstr "Hand out prefixes of size `<length>` to clients in subnet `<prefix>` whe
 msgid "Handling and monitoring"
 msgstr "Handling and monitoring"
 
-#: ../../configuration/nat/nat44.rst:389
+#: ../../configuration/nat/nat44.rst:403
 msgid "Having control over the matching of INVALID state traffic, e.g. the ability to selectively log, is an important troubleshooting tool for observing broken protocol behavior. For this reason, VyOS does not globally drop invalid state traffic, instead allowing the operator to make the determination on how the traffic is handled."
 msgstr "Having control over the matching of INVALID state traffic, e.g. the ability to selectively log, is an important troubleshooting tool for observing broken protocol behavior. For this reason, VyOS does not globally drop invalid state traffic, instead allowing the operator to make the determination on how the traffic is handled."
 
@@ -6527,15 +5992,15 @@ msgstr "Health check scripts"
 msgid "Health checks"
 msgstr "Health checks"
 
-#: ../../configuration/nat/nat44.rst:602
+#: ../../configuration/nat/nat44.rst:626
 msgid "Here's an extract of a simple 1-to-1 NAT configuration with one internal and one external interface:"
 msgstr "Here's an extract of a simple 1-to-1 NAT configuration with one internal and one external interface:"
 
-#: ../../configuration/nat/nat44.rst:668
+#: ../../configuration/nat/nat44.rst:692
 msgid "Here's one example of a network environment for an ASP. The ASP requests that all connections from this company should come from 172.29.41.89 - an address that is assigned by the ASP and not in use at the customer site."
 msgstr "Here's one example of a network environment for an ASP. The ASP requests that all connections from this company should come from 172.29.41.89 - an address that is assigned by the ASP and not in use at the customer site."
 
-#: ../../configuration/protocols/isis.rst:357
+#: ../../configuration/protocols/isis.rst:385
 msgid "Here's the IP routes that are populated. Just the loopback:"
 msgstr "Here's the IP routes that are populated. Just the loopback:"
 
@@ -6563,36 +6028,21 @@ msgstr "Here is an example :abbr:`NET (Network Entity Title)` value:"
 msgid "Here is an example route-map to apply to routes learned at import. In this filter we reject prefixes with the state `invalid`, and set a higher `local-preference` if the prefix is RPKI `valid` rather than merely `notfound`."
 msgstr "Here is an example route-map to apply to routes learned at import. In this filter we reject prefixes with the state `invalid`, and set a higher `local-preference` if the prefix is RPKI `valid` rather than merely `notfound`."
 
-#: ../../configuration/protocols/isis.rst:523
+#: ../../configuration/firewall/groups.rst:150
+msgid "Here is an example were multiple groups are created:"
+msgstr "Here is an example were multiple groups are created:"
+
+#: ../../configuration/protocols/isis.rst:551
 #: ../../configuration/protocols/ospf.rst:1036
 #: ../../configuration/protocols/segment-routing.rst:251
 #: ../../configuration/protocols/segment-routing.rst:330
 msgid "Here is the routing tables showing the MPLS segment routing label operations:"
 msgstr "Here is the routing tables showing the MPLS segment routing label operations:"
 
-#: ../../configuration/nat/nat44.rst:633
+#: ../../configuration/nat/nat44.rst:657
 msgid "Here we provide two examples on how to apply NAT Load Balance."
 msgstr "Here we provide two examples on how to apply NAT Load Balance."
 
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
-#: ../../_include/interface-ip.txt:170
 #: ../../_include/interface-ip.txt:170
 msgid "Hewlett-Packard call it Source-Port filtering or port-isolation"
 msgstr "Hewlett-Packard call it Source-Port filtering or port-isolation"
@@ -6624,7 +6074,7 @@ msgstr "Host Information"
 msgid "Host name"
 msgstr "Host name"
 
-#: ../../configuration/service/dhcp-server.rst:698
+#: ../../configuration/service/dhcp-server.rst:630
 msgid "Host specific mapping shall be named ``client1``"
 msgstr "Host specific mapping shall be named ``client1``"
 
@@ -6676,17 +6126,10 @@ msgstr "IEEE 802.1X/MACsec pre-shared key mode. This allows configuring MACsec w
 msgid "IEEE 802.1X/MACsec replay protection window. This determines a window in which replay is tolerated, to allow receipt of frames that have been misordered by the network."
 msgstr "IEEE 802.1X/MACsec replay protection window. This determines a window in which replay is tolerated, to allow receipt of frames that have been misordered by the network."
 
-#: ../../_include/interface-vlan-8021ad.txt:3
-#: ../../_include/interface-vlan-8021ad.txt:3
 #: ../../_include/interface-vlan-8021ad.txt:3
 msgid "IEEE 802.1ad_ was an Ethernet networking standard informally known as QinQ as an amendment to IEEE standard 802.1q VLAN interfaces as described above. 802.1ad was incorporated into the base 802.1q_ standard in 2011. The technique is also known as provider bridging, Stacked VLANs, or simply QinQ or Q-in-Q. \"Q-in-Q\" can for supported devices apply to C-tag stacking on C-tag (Ethernet Type = 0x8100)."
 msgstr "IEEE 802.1ad_ was an Ethernet networking standard informally known as QinQ as an amendment to IEEE standard 802.1q VLAN interfaces as described above. 802.1ad was incorporated into the base 802.1q_ standard in 2011. The technique is also known as provider bridging, Stacked VLANs, or simply QinQ or Q-in-Q. \"Q-in-Q\" can for supported devices apply to C-tag stacking on C-tag (Ethernet Type = 0x8100)."
 
-#: ../../_include/interface-vlan-8021q.txt:1
-#: ../../_include/interface-vlan-8021q.txt:1
-#: ../../_include/interface-vlan-8021q.txt:1
-#: ../../_include/interface-vlan-8021q.txt:1
-#: ../../_include/interface-vlan-8021q.txt:1
 #: ../../_include/interface-vlan-8021q.txt:1
 msgid "IEEE 802.1q_, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration Protocol."
 msgstr "IEEE 802.1q_, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration Protocol."
@@ -6695,11 +6138,15 @@ msgstr "IEEE 802.1q_, often referred to as Dot1q, is the networking standard tha
 msgid "IETF published :rfc:`6598`, detailing a shared address space for use in ISP CGN deployments that can handle the same network prefixes occurring both on inbound and outbound interfaces. ARIN returned address space to the :abbr:`IANA (Internet Assigned Numbers Authority)` for this allocation."
 msgstr "IETF published :rfc:`6598`, detailing a shared address space for use in ISP CGN deployments that can handle the same network prefixes occurring both on inbound and outbound interfaces. ARIN returned address space to the :abbr:`IANA (Internet Assigned Numbers Authority)` for this allocation."
 
-#: ../../configuration/protocols/igmp.rst:179
+#: ../../configuration/protocols/pim.rst:176
+msgid "IGMP - Internet Group Management Protocol)"
+msgstr "IGMP - Internet Group Management Protocol)"
+
+#: ../../configuration/protocols/igmp-proxy.rst:7
 msgid "IGMP Proxy"
 msgstr "IGMP Proxy"
 
-#: ../../configuration/nat/nat44.rst:726
+#: ../../configuration/nat/nat44.rst:748
 msgid "IKE Phase:"
 msgstr "IKE Phase:"
 
@@ -6711,11 +6158,11 @@ msgstr "IKE (Internet Key Exchange) Attributes"
 msgid "IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) or Authentication Header (AH) and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry. https://datatracker.ietf.org/doc/html/rfc5996"
 msgstr "IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) or Authentication Header (AH) and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry. https://datatracker.ietf.org/doc/html/rfc5996"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:156
+#: ../../configuration/vpn/site2site_ipsec.rst:160
 msgid "IKEv1"
 msgstr "IKEv1"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:267
+#: ../../configuration/vpn/site2site_ipsec.rst:271
 msgid "IKEv2"
 msgstr "IKEv2"
 
@@ -6739,11 +6186,11 @@ msgstr "IPIP6"
 msgid "IPSec:"
 msgstr "IPSec:"
 
-#: ../../configuration/nat/nat44.rst:722
+#: ../../configuration/nat/nat44.rst:744
 msgid "IPSec IKE and ESP"
 msgstr "IPSec IKE and ESP"
 
-#: ../../configuration/nat/nat44.rst:687
+#: ../../configuration/nat/nat44.rst:711
 msgid "IPSec IKE and ESP Groups;"
 msgstr "IPSec IKE and ESP Groups;"
 
@@ -6751,19 +6198,19 @@ msgstr "IPSec IKE and ESP Groups;"
 msgid "IPSec IKEv2 Remote Access VPN"
 msgstr "IPSec IKEv2 Remote Access VPN"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:281
+#: ../../configuration/vpn/site2site_ipsec.rst:285
 msgid "IPSec IKEv2 site2site VPN"
 msgstr "IPSec IKEv2 site2site VPN"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:281
+#: ../../configuration/vpn/site2site_ipsec.rst:285
 msgid "IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)"
 msgstr "IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)"
 
-#: ../../configuration/nat/nat44.rst:758
+#: ../../configuration/nat/nat44.rst:780
 msgid "IPSec VPN Tunnels"
 msgstr "IPSec VPN Tunnels"
 
-#: ../../configuration/nat/nat44.rst:688
+#: ../../configuration/nat/nat44.rst:712
 msgid "IPSec VPN tunnels."
 msgstr "IPSec VPN tunnels."
 
@@ -6771,7 +6218,7 @@ msgstr "IPSec VPN tunnels."
 msgid "IP address"
 msgstr "IP address"
 
-#: ../../configuration/service/dhcp-server.rst:237
+#: ../../configuration/service/dhcp-server.rst:202
 msgid "IP address ``192.168.1.100`` shall be statically mapped to client named ``client1``"
 msgstr "IP address ``192.168.1.100`` shall be statically mapped to client named ``client1``"
 
@@ -6780,19 +6227,19 @@ msgstr "IP address ``192.168.1.100`` shall be statically mapped to client named
 msgid "IP address ``192.168.2.1/24``"
 msgstr "IP address ``192.168.2.1/24``"
 
-#: ../../configuration/service/dhcp-server.rst:319
+#: ../../configuration/service/dhcp-server.rst:286
 msgid "IP address for DHCP server identifier"
 msgstr "IP address for DHCP server identifier"
 
-#: ../../configuration/service/dhcp-server.rst:309
+#: ../../configuration/service/dhcp-server.rst:276
 msgid "IP address of NTP server"
 msgstr "IP address of NTP server"
 
-#: ../../configuration/service/dhcp-server.rst:349
+#: ../../configuration/service/dhcp-server.rst:316
 msgid "IP address of POP3 server"
 msgstr "IP address of POP3 server"
 
-#: ../../configuration/service/dhcp-server.rst:344
+#: ../../configuration/service/dhcp-server.rst:311
 msgid "IP address of SMTP server"
 msgstr "IP address of SMTP server"
 
@@ -6808,7 +6255,7 @@ msgstr "IP address of route to match, based on prefix-list."
 msgid "IP address of route to match, based on specified prefix-length. Note that this can be used for kernel routes only. Do not apply to the routes of dynamic routing protocols (e.g. BGP, RIP, OSFP), as this can lead to unexpected results.."
 msgstr "IP address of route to match, based on specified prefix-length. Note that this can be used for kernel routes only. Do not apply to the routes of dynamic routing protocols (e.g. BGP, RIP, OSFP), as this can lead to unexpected results.."
 
-#: ../../configuration/service/dhcp-server.rst:379
+#: ../../configuration/service/dhcp-server.rst:346
 msgid "IP address to exclude from DHCP lease range"
 msgstr "IP address to exclude from DHCP lease range"
 
@@ -6884,19 +6331,23 @@ msgstr "IPsec"
 msgid "IPsec policy matching GRE"
 msgstr "IPsec policy matching GRE"
 
-#: ../../configuration/service/pppoe-server.rst:359
+#: ../../configuration/service/pppoe-server.rst:346
 msgid "IPv4"
 msgstr "IPv4"
 
-#: ../../configuration/interfaces/vxlan.rst:85
+#: ../../configuration/interfaces/vxlan.rst:106
 msgid "IPv4/IPv6 remote address of the VXLAN tunnel. Alternative to multicast, the remote IPv4/IPv6 address can set directly."
 msgstr "IPv4/IPv6 remote address of the VXLAN tunnel. Alternative to multicast, the remote IPv4/IPv6 address can set directly."
 
-#: ../../configuration/service/dhcp-server.rst:324
+#: ../../configuration/firewall/ipv4.rst:7
+msgid "IPv4 Firewall Configuration"
+msgstr "IPv4 Firewall Configuration"
+
+#: ../../configuration/service/dhcp-server.rst:291
 msgid "IPv4 address of next bootstrap server"
 msgstr "IPv4 address of next bootstrap server"
 
-#: ../../configuration/service/dhcp-server.rst:284
+#: ../../configuration/service/dhcp-server.rst:251
 msgid "IPv4 address of router on the client's subnet"
 msgstr "IPv4 address of router on the client's subnet"
 
@@ -6904,7 +6355,7 @@ msgstr "IPv4 address of router on the client's subnet"
 msgid "IPv4 or IPv6 source address of NetFlow packets"
 msgstr "IPv4 or IPv6 source address of NetFlow packets"
 
-#: ../../configuration/protocols/bgp.rst:1098
+#: ../../configuration/protocols/bgp.rst:1099
 msgid "IPv4 peering"
 msgstr "IPv4 peering"
 
@@ -6925,7 +6376,7 @@ msgid "IPv4 server"
 msgstr "IPv4 server"
 
 #: ../../configuration/interfaces/pppoe.rst:244
-#: ../../configuration/service/pppoe-server.rst:280
+#: ../../configuration/service/pppoe-server.rst:267
 #: ../../configuration/system/ipv6.rst:3
 msgid "IPv6"
 msgstr "IPv6"
@@ -6942,11 +6393,15 @@ msgstr "IPv6 DHCPv6-PD Example"
 msgid "IPv6 DNS addresses are optional."
 msgstr "IPv6 DNS addresses are optional."
 
+#: ../../configuration/firewall/ipv6.rst:7
+msgid "IPv6 Firewall Configuration"
+msgstr "IPv6 Firewall Configuration"
+
 #: ../../configuration/protocols/pim6.rst:5
 msgid "IPv6 Multicast"
 msgstr "IPv6 Multicast"
 
-#: ../../configuration/service/pppoe-server.rst:295
+#: ../../configuration/service/pppoe-server.rst:282
 msgid "IPv6 Prefix Delegation"
 msgstr "IPv6 Prefix Delegation"
 
@@ -6962,7 +6417,7 @@ msgstr "IPv6 SLAAC and IA-PD"
 msgid "IPv6 TCP filters will only match IPv6 packets with no header extension, see https://en.wikipedia.org/wiki/IPv6_packet#Extension_headers"
 msgstr "IPv6 TCP filters will only match IPv6 packets with no header extension, see https://en.wikipedia.org/wiki/IPv6_packet#Extension_headers"
 
-#: ../../configuration/service/dhcp-server.rst:696
+#: ../../configuration/service/dhcp-server.rst:628
 msgid "IPv6 address ``2001:db8::101`` shall be statically mapped"
 msgstr "IPv6 address ``2001:db8::101`` shall be statically mapped"
 
@@ -6978,11 +6433,11 @@ msgstr "IPv6 address of route to match, based on IPv6 prefix-list."
 msgid "IPv6 address of route to match, based on specified prefix-length. Note that this can be used for kernel routes only. Do not apply to the routes of dynamic routing protocols (e.g. BGP, RIP, OSFP), as this can lead to unexpected results.."
 msgstr "IPv6 address of route to match, based on specified prefix-length. Note that this can be used for kernel routes only. Do not apply to the routes of dynamic routing protocols (e.g. BGP, RIP, OSFP), as this can lead to unexpected results.."
 
-#: ../../configuration/service/pppoe-server.rst:283
+#: ../../configuration/service/pppoe-server.rst:270
 msgid "IPv6 client's prefix assignment"
 msgstr "IPv6 client's prefix assignment"
 
-#: ../../configuration/protocols/bgp.rst:1143
+#: ../../configuration/protocols/bgp.rst:1144
 msgid "IPv6 peering"
 msgstr "IPv6 peering"
 
@@ -6990,7 +6445,7 @@ msgstr "IPv6 peering"
 msgid "IPv6 prefix."
 msgstr "IPv6 prefix."
 
-#: ../../configuration/service/dhcp-server.rst:697
+#: ../../configuration/service/dhcp-server.rst:629
 msgid "IPv6 prefix ``2001:db8:0:101::/64`` shall be statically mapped"
 msgstr "IPv6 prefix ``2001:db8:0:101::/64`` shall be statically mapped"
 
@@ -7002,7 +6457,7 @@ msgstr "IPv6 relay"
 msgid "IPv6 route source: bgp, connected, eigrp, isis, kernel, nhrp, ospfv3, ripng, static."
 msgstr "IPv6 route source: bgp, connected, eigrp, isis, kernel, nhrp, ospfv3, ripng, static."
 
-#: ../../configuration/service/dhcp-server.rst:578
+#: ../../configuration/service/dhcp-server.rst:502
 msgid "IPv6 server"
 msgstr "IPv6 server"
 
@@ -7022,11 +6477,11 @@ msgstr "IS-IS Global Configuration"
 msgid "IS-IS SR Configuration"
 msgstr "IS-IS SR Configuration"
 
-#: ../../configuration/service/dhcp-server.rst:266
+#: ../../configuration/service/dhcp-server.rst:233
 msgid "ISC-DHCP Option name"
 msgstr "ISC-DHCP Option name"
 
-#: ../../configuration/vpn/openconnect.rst:226
+#: ../../configuration/vpn/openconnect.rst:233
 msgid "Identity Based Configuration"
 msgstr "Identity Based Configuration"
 
@@ -7042,11 +6497,18 @@ msgstr "If ARP monitoring is used in an etherchannel compatible mode (modes roun
 msgid "If CA is present, this certificate will be included in generated CRLs"
 msgstr "If CA is present, this certificate will be included in generated CRLs"
 
-#: ../../_include/interface-per-client-thread.txt:8
 #: ../../_include/interface-per-client-thread.txt:8
 msgid "If CLI option is not specified, this feature is disabled."
 msgstr "If CLI option is not specified, this feature is disabled."
 
+#: ../../configuration/protocols/pim.rst:35
+msgid "If PIM has the a choice of ECMP nexthops for a particular :abbr:`RPF (Reverse Path Forwarding)`, PIM will cause S,G flows to be spread out amongst the nexthops. If this command is not specified then the first nexthop found will be used."
+msgstr "If PIM has the a choice of ECMP nexthops for a particular :abbr:`RPF (Reverse Path Forwarding)`, PIM will cause S,G flows to be spread out amongst the nexthops. If this command is not specified then the first nexthop found will be used."
+
+#: ../../configuration/protocols/pim.rst:42
+msgid "If PIM is using ECMP and an interface goes down, cause PIM to rebalance all S,G flows across the remaining nexthops. If this command is not configured PIM only modifies those S,G flows that were using the interface that went down."
+msgstr "If PIM is using ECMP and an interface goes down, cause PIM to rebalance all S,G flows across the remaining nexthops. If this command is not configured PIM only modifies those S,G flows that were using the interface that went down."
+
 #: ../../configuration/protocols/bgp.rst:225
 msgid "If :cfgcmd:`strict` is set the BGP session won’t become established until the BGP neighbor sets local Role on its side. This configuration parameter is defined in RFC :rfc:`9234` and is used to enforce the corresponding configuration at your counter-parts side."
 msgstr "If :cfgcmd:`strict` is set the BGP session won’t become established until the BGP neighbor sets local Role on its side. This configuration parameter is defined in RFC :rfc:`9234` and is used to enforce the corresponding configuration at your counter-parts side."
@@ -7072,7 +6534,9 @@ msgstr "If a response is heard, the lease is abandoned, and the server does not
 msgid "If a route has an ORIGINATOR_ID attribute because it has been reflected, that ORIGINATOR_ID will be used. Otherwise, the router-ID of the peer the route was received from will be used."
 msgstr "If a route has an ORIGINATOR_ID attribute because it has been reflected, that ORIGINATOR_ID will be used. Otherwise, the router-ID of the peer the route was received from will be used."
 
-#: ../../configuration/firewall/general.rst:329
+#: ../../configuration/firewall/bridge.rst:67
+#: ../../configuration/firewall/ipv4.rst:83
+#: ../../configuration/firewall/ipv6.rst:83
 msgid "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all criteria matchers defined for such rule do match."
 msgstr "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all criteria matchers defined for such rule do match."
 
@@ -7088,71 +6552,18 @@ msgstr "If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses :rfc:`1918
 msgid "If an another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead."
 msgstr "If an another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead."
 
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
-#: ../../_include/interface-ip.txt:72
+#: ../../configuration/protocols/pim.rst:106
+msgid "If choosing a value below 31 seconds be aware that some hardware platforms cannot see data flowing in better than 30 second chunks."
+msgstr "If choosing a value below 31 seconds be aware that some hardware platforms cannot see data flowing in better than 30 second chunks."
+
 #: ../../_include/interface-ip.txt:72
 msgid "If configured, incoming IP directed broadcast packets on this interface will be forwarded."
 msgstr "If configured, incoming IP directed broadcast packets on this interface will be forwarded."
 
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
-#: ../../_include/interface-ip.txt:124
 #: ../../_include/interface-ip.txt:124
 msgid "If configured, reply only if the target IP address is local address configured on the incoming interface."
 msgstr "If configured, reply only if the target IP address is local address configured on the incoming interface."
 
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
-#: ../../_include/interface-ip.txt:106
 #: ../../_include/interface-ip.txt:106
 msgid "If configured, try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2."
 msgstr "If configured, try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2."
@@ -7161,7 +6572,7 @@ msgstr "If configured, try to avoid local addresses that are not in the target's
 msgid "If configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing (Hyper-V) or Forged Transmits (ESX) are permitted, otherwise forwarded frames may be blocked by the hypervisor."
 msgstr "If configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing (Hyper-V) or Forged Transmits (ESX) are permitted, otherwise forwarded frames may be blocked by the hypervisor."
 
-#: ../../configuration/nat/nat44.rst:542
+#: ../../configuration/nat/nat44.rst:564
 msgid "If forwarding traffic to a different port than it is arriving on, you may also configure the translation port using `set nat destination rule [n] translation port`."
 msgstr "If forwarding traffic to a different port than it is arriving on, you may also configure the translation port using `set nat destination rule [n] translation port`."
 
@@ -7169,7 +6580,15 @@ msgstr "If forwarding traffic to a different port than it is arriving on, you ma
 msgid "If guaranteed traffic for a class is met and there is room for more traffic, the ceiling parameter can be used to set how much more bandwidth could be used. If guaranteed traffic is met and there are several classes willing to use their ceilings, the priority parameter will establish the order in which that additional traffic will be allocated. Priority can be any number from 0 to 7. The lower the number, the higher the priority."
 msgstr "If guaranteed traffic for a class is met and there is room for more traffic, the ceiling parameter can be used to set how much more bandwidth could be used. If guaranteed traffic is met and there are several classes willing to use their ceilings, the priority parameter will establish the order in which that additional traffic will be allocated. Priority can be any number from 0 to 7. The lower the number, the higher the priority."
 
-#: ../../configuration/protocols/igmp.rst:221
+#: ../../configuration/firewall/index.rst:82
+msgid "If interface were the packet was received is part of a bridge, then packet is processed at the **Bridge Layer**, which contains a ver basic setup where for bridge filtering:"
+msgstr "If interface were the packet was received is part of a bridge, then packet is processed at the **Bridge Layer**, which contains a ver basic setup where for bridge filtering:"
+
+#: ../../configuration/firewall/index.rst:25
+msgid "If interface were the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**:"
+msgstr "If interface were the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**:"
+
+#: ../../configuration/protocols/igmp-proxy.rst:49
 msgid "If it's vital that the daemon should act exactly like a real multicast client on the upstream interface, this function should be enabled."
 msgstr "If it's vital that the daemon should act exactly like a real multicast client on the upstream interface, this function should be enabled."
 
@@ -7193,7 +6612,7 @@ msgstr "If multi-pathing is enabled, then check whether the routes not yet disti
 msgid "If no connection to an RPKI cache server can be established after a pre-defined timeout, the router will process routes without prefix origin validation. It still will try to establish a connection to an RPKI cache server in the background."
 msgstr "If no connection to an RPKI cache server can be established after a pre-defined timeout, the router will process routes without prefix origin validation. It still will try to establish a connection to an RPKI cache server in the background."
 
-#: ../../configuration/nat/nat44.rst:205
+#: ../../configuration/nat/nat44.rst:217
 msgid "If no destination is specified the rule will match on any destination address and port."
 msgstr "If no destination is specified the rule will match on any destination address and port."
 
@@ -7205,52 +6624,18 @@ msgstr "If no ip prefix list is specified, it acts as permit. If ip prefix list
 msgid "If no option is specified, this defaults to `all`."
 msgstr "If no option is specified, this defaults to `all`."
 
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
-#: ../../_include/interface-ip.txt:42
 #: ../../_include/interface-ip.txt:42
 msgid "If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP'd IP out that interface (therefore you must use source based routing for this to work)."
 msgstr "If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP'd IP out that interface (therefore you must use source based routing for this to work)."
-
-#: ../../configuration/system/ip.rst:17
-msgid "If set, IPv4 directed broadcast forwarding will be completely disabled regardless of whether per-interface directed broadcast forwarding is enabled or not."
-msgstr "If set, IPv4 directed broadcast forwarding will be completely disabled regardless of whether per-interface directed broadcast forwarding is enabled or not."
-
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
-#: ../../_include/interface-ip.txt:36
+
+#: ../../configuration/protocols/pim.rst:142
+msgid "If optional profile parameter is used, select a BFD profile for the BFD sessions created via this interface."
+msgstr "If optional profile parameter is used, select a BFD profile for the BFD sessions created via this interface."
+
+#: ../../configuration/system/ip.rst:17
+msgid "If set, IPv4 directed broadcast forwarding will be completely disabled regardless of whether per-interface directed broadcast forwarding is enabled or not."
+msgstr "If set, IPv4 directed broadcast forwarding will be completely disabled regardless of whether per-interface directed broadcast forwarding is enabled or not."
+
 #: ../../_include/interface-ip.txt:36
 msgid "If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems."
 msgstr "If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems."
@@ -7259,25 +6644,6 @@ msgstr "If set the kernel can respond to arp requests with addresses from other
 msgid "If suffix is omitted, minutes are implied."
 msgstr "If suffix is omitted, minutes are implied."
 
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
-#: ../../_include/interface-ip.txt:91
 #: ../../_include/interface-ip.txt:91
 msgid "If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless if this setting is on or off."
 msgstr "If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless if this setting is on or off."
@@ -7318,6 +6684,14 @@ msgstr "If the average queue size is lower than the **min-threshold**, an arrivi
 msgid "If the current queue size is larger than **queue-limit**, then packets will be dropped. The average queue size depends on its former average size and its current one."
 msgstr "If the current queue size is larger than **queue-limit**, then packets will be dropped. The average queue size depends on its former average size and its current one."
 
+#: ../../configuration/firewall/index.rst:83
+msgid "If the interface where the packet was received is part of a bridge, then packetis processed at the **Bridge Layer**, which contains a basic setup for bridge filtering:"
+msgstr "If the interface where the packet was received is part of a bridge, then packetis processed at the **Bridge Layer**, which contains a basic setup for bridge filtering:"
+
+#: ../../configuration/firewall/index.rst:26
+msgid "If the interface where the packet was received isn't part of a bridge, then packetis processed at the **IP Layer**:"
+msgstr "If the interface where the packet was received isn't part of a bridge, then packetis processed at the **IP Layer**:"
+
 #: ../../configuration/interfaces/bonding.rst:187
 #: ../../configuration/interfaces/bonding.rst:216
 msgid "If the protocol is IPv6 then the source and destination addresses are first hashed using ipv6_addr_hash."
@@ -7339,7 +6713,7 @@ msgstr "If the table is empty and you have a warning message, it means conntrack
 msgid "If there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time."
 msgstr "If there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time."
 
-#: ../../configuration/vpn/site2site_ipsec.rst:237
+#: ../../configuration/vpn/site2site_ipsec.rst:241
 msgid "If there is SNAT rules on eth1, need to add exclude rule"
 msgstr "If there is SNAT rules on eth1, need to add exclude rule"
 
@@ -7348,7 +6722,7 @@ msgstr "If there is SNAT rules on eth1, need to add exclude rule"
 msgid "If this command is invoked from configure mode with the ``run`` prefix the key is automatically installed to the appropriate interface:"
 msgstr "If this command is invoked from configure mode with the ``run`` prefix the key is automatically installed to the appropriate interface:"
 
-#: ../../configuration/service/dhcp-relay.rst:166
+#: ../../configuration/service/dhcp-relay.rst:168
 msgid "If this is set the relay agent will insert the interface ID. This option is set automatically if more than one listening interfaces are in use."
 msgstr "If this is set the relay agent will insert the interface ID. This option is set automatically if more than one listening interfaces are in use."
 
@@ -7356,52 +6730,14 @@ msgstr "If this is set the relay agent will insert the interface ID. This option
 msgid "If this option is enabled, then the already-selected check, where already selected eBGP routes are preferred, is skipped."
 msgstr "If this option is enabled, then the already-selected check, where already selected eBGP routes are preferred, is skipped."
 
-#: ../../configuration/vpn/sstp.rst:172
+#: ../../configuration/vpn/sstp.rst:183
 msgid "If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every `<interval>` seconds."
 msgstr "If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every `<interval>` seconds."
 
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
-#: ../../_include/interface-ip.txt:75
 #: ../../_include/interface-ip.txt:75
 msgid "If this option is unset (default), incoming IP directed broadcast packets will not be forwarded."
 msgstr "If this option is unset (default), incoming IP directed broadcast packets will not be forwarded."
 
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
-#: ../../_include/interface-ip.txt:127
 #: ../../_include/interface-ip.txt:127
 msgid "If this option is unset (default), reply for any local target IP address, configured on any interface."
 msgstr "If this option is unset (default), reply for any local target IP address, configured on any interface."
@@ -7422,7 +6758,7 @@ msgstr "If unset, incoming connections to the RADIUS server will use the nearest
 msgid "If unset, incoming connections to the TACACS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
 msgstr "If unset, incoming connections to the TACACS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
 
-#: ../../configuration/nat/nat44.rst:788
+#: ../../configuration/nat/nat44.rst:810
 msgid "If you've completed all the above steps you no doubt want to see if it's all working."
 msgstr "If you've completed all the above steps you no doubt want to see if it's all working."
 
@@ -7473,6 +6809,10 @@ msgstr "If you configure a class for **VoIP traffic**, don't give it any *ceilin
 msgid "If you enable this, you will probably want to set diversity-factor and channel below."
 msgstr "If you enable this, you will probably want to set diversity-factor and channel below."
 
+#: ../../configuration/protocols/pim.rst:54
+msgid "If you enter a value smaller than 60 seconds be aware that this can and will affect convergence at scale."
+msgstr "If you enter a value smaller than 60 seconds be aware that this can and will affect convergence at scale."
+
 #: ../../configuration/interfaces/bonding.rst:312
 msgid "If you happen to run this in a virtual environment like by EVE-NG you need to ensure your VyOS NIC is set to use the e1000 driver. Using the default ``virtio-net-pci`` or the ``vmxnet3`` driver will not work. ICMP messages will not be properly processed. They are visible on the virtual wire but will not make it fully up the networking stack."
 msgstr "If you happen to run this in a virtual environment like by EVE-NG you need to ensure your VyOS NIC is set to use the e1000 driver. Using the default ``virtio-net-pci`` or the ``vmxnet3`` driver will not work. ICMP messages will not be properly processed. They are visible on the virtual wire but will not make it fully up the networking stack."
@@ -7493,6 +6833,10 @@ msgstr "If you have a lot of interfaces, and/or a lot of subnets, then enabling
 msgid "If you have configured the `INSIDE-OUT` policy, you will need to add additional rules to permit inbound NAT traffic."
 msgstr "If you have configured the `INSIDE-OUT` policy, you will need to add additional rules to permit inbound NAT traffic."
 
+#: ../../configuration/protocols/pim.rst:171
+msgid "If you have multiple addresses configured on a particular interface and would like PIM to use a specific source address associated with that interface."
+msgstr "If you have multiple addresses configured on a particular interface and would like PIM to use a specific source address associated with that interface."
+
 #: ../../configuration/system/flow-accounting.rst:65
 msgid "If you need to sample also egress traffic, you may want to configure egress flow-accounting:"
 msgstr "If you need to sample also egress traffic, you may want to configure egress flow-accounting:"
@@ -7541,7 +6885,7 @@ msgstr "Ignore VRRP main interface faults"
 msgid "Image thankfully borrowed from https://en.wikipedia.org/wiki/File:SNMP_communication_principles_diagram.PNG which is under the GNU Free Documentation License"
 msgstr "Image thankfully borrowed from https://en.wikipedia.org/wiki/File:SNMP_communication_principles_diagram.PNG which is under the GNU Free Documentation License"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:275
+#: ../../configuration/vpn/site2site_ipsec.rst:279
 msgid "Imagine the following topology"
 msgstr "Imagine the following topology"
 
@@ -7573,36 +6917,15 @@ msgstr "In VyOS, IKE attributes are specified through IKE groups. Multiple propo
 msgid "In VyOS, a class is identified by a number you can choose when configuring it."
 msgstr "In VyOS, a class is identified by a number you can choose when configuring it."
 
-#: ../../_include/interface-vlan-8021ad.txt:22
-#: ../../_include/interface-vlan-8021ad.txt:22
 #: ../../_include/interface-vlan-8021ad.txt:22
 msgid "In VyOS the terms ``vif-s`` and ``vif-c`` stand for the ethertype tags that are used."
 msgstr "In VyOS the terms ``vif-s`` and ``vif-c`` stand for the ethertype tags that are used."
 
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
-#: ../../_include/interface-ip.txt:166
 #: ../../_include/interface-ip.txt:166
 msgid "In :rfc:`3069` it is called VLAN Aggregation"
 msgstr "In :rfc:`3069` it is called VLAN Aggregation"
 
-#: ../../configuration/firewall/zone.rst:41
+#: ../../configuration/firewall/zone.rst:60
 msgid "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone <name>`` to ``firewall zone <name>``."
 msgstr "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone <name>`` to ``firewall zone <name>``."
 
@@ -7610,8 +6933,6 @@ msgstr "In :vytask:`T2199` the syntax of the zone configuration was changed. The
 msgid "In a minimal configuration, the following must be provided:"
 msgstr "In a minimal configuration, the following must be provided:"
 
-#: ../../_include/interface-vlan-8021ad.txt:16
-#: ../../_include/interface-vlan-8021ad.txt:16
 #: ../../_include/interface-vlan-8021ad.txt:16
 msgid "In a multiple VLAN header context, out of convenience the term \"VLAN tag\" or just \"tag\" for short is often used in place of \"802.1q_ VLAN header\". QinQ allows multiple VLAN tags in an Ethernet frame; together these tags constitute a tag stack. When used in the context of an Ethernet frame, a QinQ frame is a frame that has 2 VLAN 802.1q_ headers (double-tagged)."
 msgstr "In a multiple VLAN header context, out of convenience the term \"VLAN tag\" or just \"tag\" for short is often used in place of \"802.1q_ VLAN header\". QinQ allows multiple VLAN tags in an Ethernet frame; together these tags constitute a tag stack. When used in the context of an Ethernet frame, a QinQ frame is a frame that has 2 VLAN 802.1q_ headers (double-tagged)."
@@ -7632,15 +6953,9 @@ msgstr "In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service
 msgid "In addition to displaying flow accounting information locally, one can also exported them to a collection server."
 msgstr "In addition to displaying flow accounting information locally, one can also exported them to a collection server."
 
-#: ../../configuration/pki/pki_cli_import_help.txt:1
-#: ../../configuration/pki/pki_cli_import_help.txt:1
-#: ../../configuration/pki/pki_cli_import_help.txt:1
-#: ../../configuration/pki/pki_cli_import_help.txt:1
-#: ../../configuration/pki/pki_cli_import_help.txt:1
-#: ../../configuration/pki/pki_cli_import_help.txt:1
-#: ../../configuration/pki/pki_cli_import_help.txt:1
 #: ../../configuration/pki/index.rst:144
 #: ../../configuration/pki/index.rst:159
+#: ../../configuration/pki/pki_cli_import_help.txt:1
 msgid "In addition to the command above, the output is in a format which can be used to directly import the key into the VyOS CLI by simply copy-pasting the output from op-mode into configuration mode."
 msgstr "In addition to the command above, the output is in a format which can be used to directly import the key into the VyOS CLI by simply copy-pasting the output from op-mode into configuration mode."
 
@@ -7656,8 +6971,7 @@ msgstr "In addition you will specifiy the IP address or FQDN for the client wher
 msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
 msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
 
-#: ../../configuration/firewall/general.rst:194
-#: ../../configuration/firewall/general-legacy.rst:170
+#: ../../configuration/firewall/groups.rst:21
 msgid "In an **address group** a single IP address or IP address ranges are defined."
 msgstr "In an **address group** a single IP address or IP address ranges are defined."
 
@@ -7681,6 +6995,10 @@ msgstr "In contrast to simple RED, VyOS' Random-Detect uses a Generalized Random
 msgid "In failover mode, one interface is set to be the primary interface and other interfaces are secondary or spare. Instead of balancing traffic across all healthy interfaces, only the primary interface is used and in case of failure, a secondary interface selected from the pool of available interfaces takes over. The primary interface is selected based on its weight and health, others become secondary interfaces. Secondary interfaces to take over a failed primary interface are chosen from the load balancer's interface pool, depending on their weight and health. Interface roles can also be selected based on rule order by including interfaces in balancing rules and ordering those rules accordingly. To put the load balancer in failover mode, create a failover rule:"
 msgstr "In failover mode, one interface is set to be the primary interface and other interfaces are secondary or spare. Instead of balancing traffic across all healthy interfaces, only the primary interface is used and in case of failure, a secondary interface selected from the pool of available interfaces takes over. The primary interface is selected based on its weight and health, others become secondary interfaces. Secondary interfaces to take over a failed primary interface are chosen from the load balancer's interface pool, depending on their weight and health. Interface roles can also be selected based on rule order by including interfaces in balancing rules and ordering those rules accordingly. To put the load balancer in failover mode, create a failover rule:"
 
+#: ../../configuration/firewall/bridge.rst:70
+msgid "In firewall bridge rules, the action can be:"
+msgstr "In firewall bridge rules, the action can be:"
+
 #: ../../configuration/protocols/ospf.rst:339
 msgid "In general, OSPF protocol requires a backbone area (area 0) to be coherent and fully connected. I.e. any backbone area router must have a route to any other backbone area router. Moreover, every ABR must have a link to backbone area. However, it is not always possible to have a physical link to a backbone area. In this case between two ABR (one of them has a link to the backbone area) in the area (not stub area) a virtual link is organized."
 msgstr "In general, OSPF protocol requires a backbone area (area 0) to be coherent and fully connected. I.e. any backbone area router must have a route to any other backbone area router. Moreover, every ABR must have a link to backbone area. However, it is not always possible to have a physical link to a backbone area. In this case between two ABR (one of them has a link to the backbone area) in the area (not stub area) a virtual link is organized."
@@ -7693,7 +7011,7 @@ msgstr "In large deployments it is not reasonable to configure each user individ
 msgid "In order for flow accounting information to be collected and displayed for an interface, the interface must be configured for flow accounting."
 msgstr "In order for flow accounting information to be collected and displayed for an interface, the interface must be configured for flow accounting."
 
-#: ../../configuration/service/dhcp-server.rst:196
+#: ../../configuration/service/dhcp-server.rst:161
 msgid "In order for the primary and the secondary DHCP server to keep their lease tables in sync, they must be able to reach each other on TCP port 647. If you have firewall rules in effect, adjust them accordingly."
 msgstr "In order for the primary and the secondary DHCP server to keep their lease tables in sync, they must be able to reach each other on TCP port 647. If you have firewall rules in effect, adjust them accordingly."
 
@@ -7721,41 +7039,34 @@ msgstr "In order to have VyOS Traffic Control working you need to follow 2 steps
 msgid "In order to have full control and make use of multiple static public IP addresses, your VyOS will have to initiate the PPPoE connection and control it. In order for this method to work, you will have to figure out how to make your DSL Modem/Router switch into a Bridged Mode so it only acts as a DSL Transceiver device to connect between the Ethernet link of your VyOS and the phone cable. Once your DSL Transceiver is in Bridge Mode, you should get no IP address from it. Please make sure you connect to the Ethernet Port 1 if your DSL Transceiver has a switch, as some of them only work this way."
 msgstr "In order to have full control and make use of multiple static public IP addresses, your VyOS will have to initiate the PPPoE connection and control it. In order for this method to work, you will have to figure out how to make your DSL Modem/Router switch into a Bridged Mode so it only acts as a DSL Transceiver device to connect between the Ethernet link of your VyOS and the phone cable. Once your DSL Transceiver is in Bridge Mode, you should get no IP address from it. Please make sure you connect to the Ethernet Port 1 if your DSL Transceiver has a switch, as some of them only work this way."
 
-#: ../../configuration/service/dhcp-server.rst:691
+#: ../../configuration/service/dhcp-server.rst:623
 msgid "In order to map specific IPv6 addresses to specific hosts static mappings can be created. The following example explains the process."
 msgstr "In order to map specific IPv6 addresses to specific hosts static mappings can be created. The following example explains the process."
 
+#: ../../configuration/interfaces/vxlan.rst:82
+msgid "In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host."
+msgstr "In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host."
+
 #: ../../configuration/trafficpolicy/index.rst:402
 msgid "In order to separate traffic, Fair Queue uses a classifier based on source address, destination address and source port. The algorithm enqueues packets to hash buckets based on those tree parameters. Each of these buckets should represent a unique flow. Because multiple flows may get hashed to the same bucket, the hashing algorithm is perturbed at configurable intervals so that the unfairness lasts only for a short while. Perturbation may however cause some inadvertent packet reordering to occur. An advisable value could be 10 seconds."
 msgstr "In order to separate traffic, Fair Queue uses a classifier based on source address, destination address and source port. The algorithm enqueues packets to hash buckets based on those tree parameters. Each of these buckets should represent a unique flow. Because multiple flows may get hashed to the same bucket, the hashing algorithm is perturbed at configurable intervals so that the unfairness lasts only for a short while. Perturbation may however cause some inadvertent packet reordering to occur. An advisable value could be 10 seconds."
 
+#: ../../configuration/protocols/pim.rst:87
+msgid "In order to use PIM, it is necessary to configure a :abbr:`RP (Rendezvous Point)` for join messages to be sent to. Currently the only methodology to do this is via static rendezvous point commands."
+msgstr "In order to use PIM, it is necessary to configure a :abbr:`RP (Rendezvous Point)` for join messages to be sent to. Currently the only methodology to do this is via static rendezvous point commands."
+
 #: ../../configuration/interfaces/ethernet.rst:95
 msgid "In order to use TSO/LRO with VMXNET3 adaters one must also enable the SG offloading option."
 msgstr "In order to use TSO/LRO with VMXNET3 adaters one must also enable the SG offloading option."
 
-#: ../../configuration/nat/nat44.rst:382
+#: ../../configuration/firewall/flowtables.rst:59
+msgid "In order to use flowtables, the minimal configuration needed includes:"
+msgstr "In order to use flowtables, the minimal configuration needed includes:"
+
+#: ../../configuration/nat/nat44.rst:396
 msgid "In other words, connection tracking has already observed the connection be closed and has transition the flow to INVALID to prevent attacks from attempting to reuse the connection."
 msgstr "In other words, connection tracking has already observed the connection be closed and has transition the flow to INVALID to prevent attacks from attempting to reuse the connection."
 
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
-#: ../../_include/interface-ip.txt:47
 #: ../../_include/interface-ip.txt:47
 msgid "In other words it allows control of which cards (usually 1) will respond to an arp request."
 msgstr "In other words it allows control of which cards (usually 1) will respond to an arp request."
@@ -7764,7 +7075,7 @@ msgstr "In other words it allows control of which cards (usually 1) will respond
 msgid "In our example, we used the key name ``openvpn-1`` which we will reference in our configuration."
 msgstr "In our example, we used the key name ``openvpn-1`` which we will reference in our configuration."
 
-#: ../../configuration/nat/nat44.rst:507
+#: ../../configuration/nat/nat44.rst:527
 msgid "In our example, we will be forwarding web server traffic to an internal web server on 192.168.0.100. HTTP traffic makes use of the TCP protocol on port 80. For other common port numbers, see: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers"
 msgstr "In our example, we will be forwarding web server traffic to an internal web server on 192.168.0.100. HTTP traffic makes use of the TCP protocol on port 80. For other common port numbers, see: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers"
 
@@ -7812,15 +7123,15 @@ msgstr "In the case you want to apply some kind of **shaping** to your **inbound
 msgid "In the command above, we set the type of policy we are going to work with and the name we choose for it; a class (so that we can differentiate some traffic) and an identifiable number for that class; then we configure a matching rule (or filter) and a name for it."
 msgstr "In the command above, we set the type of policy we are going to work with and the name we choose for it; a class (so that we can differentiate some traffic) and an identifiable number for that class; then we configure a matching rule (or filter) and a name for it."
 
-#: ../../configuration/service/pppoe-server.rst:272
+#: ../../configuration/service/pppoe-server.rst:259
 msgid "In the example above, the first 499 sessions connect without delay. PADO packets will be delayed 50 ms for connection from 500 to 999, this trick allows other PPPoE servers send PADO faster and clients will connect to other servers. Last command says that this PPPoE server can serve only 3000 clients."
 msgstr "In the example above, the first 499 sessions connect without delay. PADO packets will be delayed 50 ms for connection from 500 to 999, this trick allows other PPPoE servers send PADO faster and clients will connect to other servers. Last command says that this PPPoE server can serve only 3000 clients."
 
-#: ../../configuration/nat/nat44.rst:321
+#: ../../configuration/nat/nat44.rst:333
 msgid "In the example used for the Quick Start configuration above, we demonstrate the following configuration:"
 msgstr "In the example used for the Quick Start configuration above, we demonstrate the following configuration:"
 
-#: ../../configuration/system/login.rst:397
+#: ../../configuration/system/login.rst:399
 msgid "In the following example, both `User1` and `User2` will be able to SSH into VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only be able to connect from a single IP address. In addition if password base login is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to the password."
 msgstr "In the following example, both `User1` and `User2` will be able to SSH into VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only be able to connect from a single IP address. In addition if password base login is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to the password."
 
@@ -7832,7 +7143,7 @@ msgstr "In the following example, the IPs for the remote clients are defined in
 msgid "In the following example, when VLAN9 transitions, VLAN20 will also transition:"
 msgstr "In the following example, when VLAN9 transitions, VLAN20 will also transition:"
 
-#: ../../configuration/protocols/igmp.rst:37
+#: ../../configuration/protocols/pim.rst:219
 msgid "In the following example we can see a basic multicast setup:"
 msgstr "In the following example we can see a basic multicast setup:"
 
@@ -7856,11 +7167,11 @@ msgstr "In this command tree, all hardware acceleration options will be handled.
 msgid "In this example, some *OpenNIC* servers are used, two IPv4 addresses and two IPv6 addresses:"
 msgstr "In this example, some *OpenNIC* servers are used, two IPv4 addresses and two IPv6 addresses:"
 
-#: ../../configuration/nat/nat44.rst:344
+#: ../../configuration/nat/nat44.rst:358
 msgid "In this example, we use **masquerade** as the translation address instead of an IP address. The **masquerade** target is effectively an alias to say \"use whatever IP address is on the outgoing interface\", rather than a statically configured IP address. This is useful if you use DHCP for your outgoing interface and do not know what the external address will be."
 msgstr "In this example, we use **masquerade** as the translation address instead of an IP address. The **masquerade** target is effectively an alias to say \"use whatever IP address is on the outgoing interface\", rather than a statically configured IP address. This is useful if you use DHCP for your outgoing interface and do not know what the external address will be."
 
-#: ../../configuration/nat/nat44.rst:498
+#: ../../configuration/nat/nat44.rst:518
 msgid "In this example, we will be using the example Quick Start configuration above as a starting point."
 msgstr "In this example, we will be using the example Quick Start configuration above as a starting point."
 
@@ -7880,10 +7191,38 @@ msgstr "In this example we will use the most complicated case: a setup where eac
 msgid "In this method, the DSL Modem/Router connects to the ISP for you with your credentials preprogrammed into the device. This gives you an :rfc:`1918` address, such as ``192.168.1.0/24`` by default."
 msgstr "In this method, the DSL Modem/Router connects to the ISP for you with your credentials preprogrammed into the device. This gives you an :rfc:`1918` address, such as ``192.168.1.0/24`` by default."
 
-#: ../../configuration/service/dns.rst:152
+#: ../../configuration/service/dns.rst:165
 msgid "In this scenario:"
 msgstr "In this scenario:"
 
+#: ../../configuration/firewall/ipv4.rst:13
+msgid "In this section there's useful information of all firewall configuration that can be done regarding IPv4, and appropiate op-mode commands. Configuration commands covered in this section:"
+msgstr "In this section there's useful information of all firewall configuration that can be done regarding IPv4, and appropiate op-mode commands. Configuration commands covered in this section:"
+
+#: ../../configuration/firewall/ipv6.rst:13
+msgid "In this section there's useful information of all firewall configuration that can be done regarding IPv6, and appropiate op-mode commands. Configuration commands covered in this section:"
+msgstr "In this section there's useful information of all firewall configuration that can be done regarding IPv6, and appropiate op-mode commands. Configuration commands covered in this section:"
+
+#: ../../configuration/firewall/bridge.rst:15
+msgid "In this section there's useful information of all firewall configuration that can be done regarding bridge, and appropiate op-mode commands. Configuration commands covered in this section:"
+msgstr "In this section there's useful information of all firewall configuration that can be done regarding bridge, and appropiate op-mode commands. Configuration commands covered in this section:"
+
+#: ../../configuration/firewall/flowtables.rst:15
+msgid "In this section there's useful information of all firewall configuration that can be done regarding flowtables"
+msgstr "In this section there's useful information of all firewall configuration that can be done regarding flowtables"
+
+#: ../../configuration/firewall/flowtables.rst:15
+msgid "In this section there's useful information of all firewall configuration that can be done regarding flowtables."
+msgstr "In this section there's useful information of all firewall configuration that can be done regarding flowtables."
+
+#: ../../configuration/firewall/zone.rst:25
+msgid "In this section there's useful information of all firewall configuration that is needed for zone-based firewall. Configuration commands covered in this section:"
+msgstr "In this section there's useful information of all firewall configuration that is needed for zone-based firewall. Configuration commands covered in this section:"
+
+#: ../../configuration/firewall/bridge.rst:289
+msgid "In this section you can find all useful firewall op-mode commands."
+msgstr "In this section you can find all useful firewall op-mode commands."
+
 #: ../../configuration/service/webproxy.rst:95
 msgid "In transparent proxy mode, all traffic arriving on port 80 and destined for the Internet is automatically forwarded through the proxy. This allows immediate proxy forwarding without configuring client browsers."
 msgstr "In transparent proxy mode, all traffic arriving on port 80 and destined for the Internet is automatically forwarded through the proxy. This allows immediate proxy forwarding without configuring client browsers."
@@ -7896,7 +7235,7 @@ msgstr "In typical uses of SNMP, one or more administrative computers called man
 msgid "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A Zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network."
 msgstr "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A Zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network."
 
-#: ../../configuration/firewall/zone.rst:24
+#: ../../configuration/firewall/zone.rst:43
 msgid "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network."
 msgstr "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network."
 
@@ -7916,11 +7255,11 @@ msgstr "Increase Maximum MPDU length to 7991 or 11454 octets (default 3895 octet
 msgid "Indication"
 msgstr "Indication"
 
-#: ../../configuration/service/dhcp-server.rst:84
+#: ../../configuration/service/dhcp-server.rst:64
 msgid "Individual Client Subnet"
 msgstr "Individual Client Subnet"
 
-#: ../../configuration/service/dhcp-server.rst:54
+#: ../../configuration/service/dhcp-server.rst:49
 msgid "Inform client that the DNS server can be found at `<address>`."
 msgstr "Inform client that the DNS server can be found at `<address>`."
 
@@ -7940,53 +7279,19 @@ msgstr "Informational messages"
 msgid "Input from `eth0` network interface"
 msgstr "Input from `eth0` network interface"
 
+#: ../../configuration/firewall/bridge.rst:390
+msgid "Inspect logs:"
+msgstr "Inspect logs:"
+
 #: ../../configuration/vpn/pptp.rst:32
 msgid "Install the client software via apt and execute pptpsetup to generate the configuration."
 msgstr "Install the client software via apt and execute pptpsetup to generate the configuration."
 
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
 #: ../../configuration/interfaces/pppoe.rst:218
 #: ../../configuration/interfaces/pppoe.rst:264
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
 #: ../../configuration/interfaces/sstp-client.rst:90
 #: ../../_include/interface-ip.txt:15
 #: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
-#: ../../_include/interface-ip.txt:15
-#: ../../_include/interface-ipv6.txt:71
 msgid "Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to automatically set the proper value."
 msgstr "Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to automatically set the proper value."
 
@@ -7994,21 +7299,6 @@ msgstr "Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to auto
 msgid "Instead of password only authentication, 2FA password authentication + OTP key can be used. Alternatively, OTP authentication only, without a password, can be used. To do this, an OTP configuration must be added to the configuration above:"
 msgstr "Instead of password only authentication, 2FA password authentication + OTP key can be used. Alternatively, OTP authentication only, without a password, can be used. To do this, an OTP configuration must be added to the configuration above:"
 
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
-#: ../../_include/interface-dhcp-options.txt:19
 #: ../../_include/interface-dhcp-options.txt:19
 msgid "Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value."
 msgstr "Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value."
@@ -8035,7 +7325,7 @@ msgstr "Interconnect the global VRF with vrf \"red\" using the veth10 <-> veth 1
 msgid "Interface Configuration"
 msgstr "Interface Configuration"
 
-#: ../../configuration/firewall/general.rst:239
+#: ../../configuration/firewall/groups.rst:66
 msgid "Interface Groups"
 msgstr "Interface Groups"
 
@@ -8043,7 +7333,7 @@ msgstr "Interface Groups"
 msgid "Interface Routes"
 msgstr "Interface Routes"
 
-#: ../../configuration/protocols/igmp.rst:235
+#: ../../configuration/protocols/igmp-proxy.rst:63
 msgid "Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet multicast which is in `eth0` WAN we need to configure igmp-proxy."
 msgstr "Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet multicast which is in `eth0` WAN we need to configure igmp-proxy."
 
@@ -8059,11 +7349,16 @@ msgstr "Interface for DHCP Relay Agent to forward requests out."
 msgid "Interface for DHCP Relay Agent to listen for requests."
 msgstr "Interface for DHCP Relay Agent to listen for requests."
 
+#: ../../configuration/protocols/pim.rst:133
+#: ../../configuration/protocols/pim.rst:186
+msgid "Interface specific commands"
+msgstr "Interface specific commands"
+
 #: ../../configuration/service/conntrack-sync.rst:71
 msgid "Interface to use for syncing conntrack entries."
 msgstr "Interface to use for syncing conntrack entries."
 
-#: ../../configuration/interfaces/vxlan.rst:93
+#: ../../configuration/interfaces/vxlan.rst:114
 msgid "Interface used for VXLAN underlay. This is mandatory when using VXLAN via a multicast network. VXLAN traffic will always enter and exit this interface."
 msgstr "Interface used for VXLAN underlay. This is mandatory when using VXLAN via a multicast network. VXLAN traffic will always enter and exit this interface."
 
@@ -8133,6 +7428,10 @@ msgstr "It's not likely that anyone will need it any time soon, but it does exis
 msgid "It's slower than IPsec due to higher protocol overhead and the fact it runs in user mode while IPsec, on Linux, is in kernel mode"
 msgstr "It's slower than IPsec due to higher protocol overhead and the fact it runs in user mode while IPsec, on Linux, is in kernel mode"
 
+#: ../../configuration/firewall/flowtables.rst:167
+msgid "It's time to check conntrack table, to see if any connection was accepted, and if was properly offloaded"
+msgstr "It's time to check conntrack table, to see if any connection was accepted, and if was properly offloaded"
+
 #: ../../configuration/system/option.rst:111
 msgid "It disables transparent huge pages, and automatic NUMA balancing. It also uses cpupower to set the performance cpufreq governor, and requests a cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to 50 us, and tcp_fastopen to 3."
 msgstr "It disables transparent huge pages, and automatic NUMA balancing. It also uses cpupower to set the performance cpufreq governor, and requests a cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to 50 us, and tcp_fastopen to 3."
@@ -8150,7 +7449,7 @@ msgstr "It generates the keypair, which includes the public and private parts. T
 msgid "It helps to support as HELPER only for planned restarts."
 msgstr "It helps to support as HELPER only for planned restarts."
 
-#: ../../configuration/firewall/zone.rst:87
+#: ../../configuration/firewall/zone.rst:106
 msgid "It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone*"
 msgstr "It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone*"
 
@@ -8158,7 +7457,7 @@ msgstr "It helps to think of the syntax as: (see below). The 'rule-set' should b
 msgid "It is compatible with Cisco (R) AnyConnect (R) clients."
 msgstr "It is compatible with Cisco (R) AnyConnect (R) clients."
 
-#: ../../configuration/service/dhcp-server.rst:660
+#: ../../configuration/service/dhcp-server.rst:590
 msgid "It is connected to ``eth1``"
 msgstr "It is connected to ``eth1``"
 
@@ -8170,11 +7469,15 @@ msgstr "It is highly recommended to use SSH key authentication. By default there
 msgid "It is highly recommended to use the same address for both the LDP router-id and the discovery transport address, but for VyOS MPLS LDP to work both parameters must be explicitly set in the configuration."
 msgstr "It is highly recommended to use the same address for both the LDP router-id and the discovery transport address, but for VyOS MPLS LDP to work both parameters must be explicitly set in the configuration."
 
+#: ../../configuration/nat/nat44.rst:574
+msgid "It is important to note that when creating firewall rules, the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100."
+msgstr "It is important to note that when creating firewall rules, the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100."
+
 #: ../../configuration/nat/nat44.rst:549
 msgid "It is important to note that when creating firewall rules that the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100."
 msgstr "It is important to note that when creating firewall rules that the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100."
 
-#: ../../configuration/vrf/index.rst:503
+#: ../../configuration/vrf/index.rst:505
 msgid "It is not sufficient to only configure a L3VPN VRFs but L3VPN VRFs must be maintained, too.For L3VPN VRF maintenance the following operational commands are in place."
 msgstr "It is not sufficient to only configure a L3VPN VRFs but L3VPN VRFs must be maintained, too.For L3VPN VRF maintenance the following operational commands are in place."
 
@@ -8190,7 +7493,7 @@ msgstr "It is not valid to use the `vif 1` option for VLAN aware bridges because
 msgid "It is possible to enhance authentication security by using the :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured independently per each user. If an OTP key is configured for a user, 2FA/MFA is automatically enabled for that particular user. If a user does not have an OTP key configured, there is no 2FA/MFA check for that user."
 msgstr "It is possible to enhance authentication security by using the :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured independently per each user. If an OTP key is configured for a user, 2FA/MFA is automatically enabled for that particular user. If a user does not have an OTP key configured, there is no 2FA/MFA check for that user."
 
-#: ../../configuration/vrf/index.rst:494
+#: ../../configuration/vrf/index.rst:496
 msgid "It is possible to permit BGP install VPN prefixes without transport labels. This configuration will install VPN prefixes originated from an e-bgp session, and with the next-hop directly connected."
 msgstr "It is possible to permit BGP install VPN prefixes without transport labels. This configuration will install VPN prefixes originated from an e-bgp session, and with the next-hop directly connected."
 
@@ -8210,22 +7513,6 @@ msgstr "It uses a single TCP or UDP connection and does not rely on packet sourc
 msgid "It uses a stochastic model to classify incoming packets into different flows and is used to provide a fair share of the bandwidth to all the flows using the queue. Each flow is managed by the CoDel queuing  discipline. Reordering within a flow is avoided since Codel internally uses a FIFO queue."
 msgstr "It uses a stochastic model to classify incoming packets into different flows and is used to provide a fair share of the bandwidth to all the flows using the queue. Each flow is managed by the CoDel queuing  discipline. Reordering within a flow is avoided since Codel internally uses a FIFO queue."
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:30
 msgid "It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface."
 msgstr "It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface."
@@ -8258,11 +7545,11 @@ msgstr "Key Generation"
 msgid "Key Management"
 msgstr "Key Management"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:374
+#: ../../configuration/vpn/site2site_ipsec.rst:383
 msgid "Key Parameters:"
 msgstr "Key Parameters:"
 
-#: ../../configuration/firewall/zone.rst:31
+#: ../../configuration/firewall/zone.rst:50
 msgid "Key Points:"
 msgstr "Key Points:"
 
@@ -8319,7 +7606,7 @@ msgstr "L2TPv3 is described in :rfc:`3931`."
 msgid "L2TPv3 options"
 msgstr "L2TPv3 options"
 
-#: ../../configuration/vrf/index.rst:397
+#: ../../configuration/vrf/index.rst:399
 msgid "L3VPN VRFs"
 msgstr "L3VPN VRFs"
 
@@ -8360,19 +7647,19 @@ msgstr "Label Distribution Protocol"
 msgid "Layer 2 Tunnelling Protocol Version 3 is an IETF standard related to L2TP that can be used as an alternative protocol to :ref:`mpls` for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, L2TPv3 provides a pseudo-wire service but is scaled to fit carrier requirements."
 msgstr "Layer 2 Tunnelling Protocol Version 3 is an IETF standard related to L2TP that can be used as an alternative protocol to :ref:`mpls` for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, L2TPv3 provides a pseudo-wire service but is scaled to fit carrier requirements."
 
-#: ../../configuration/service/dhcp-server.rst:663
+#: ../../configuration/service/dhcp-server.rst:593
 msgid "Lease time will be left at the default value which is 24 hours"
 msgstr "Lease time will be left at the default value which is 24 hours"
 
-#: ../../configuration/service/dhcp-server.rst:369
+#: ../../configuration/service/dhcp-server.rst:336
 msgid "Lease timeout in seconds (default: 86400)"
 msgstr "Lease timeout in seconds (default: 86400)"
 
-#: ../../configuration/firewall/index.rst:47
+#: ../../configuration/firewall/index.rst:167
 msgid "Legacy Firewall"
 msgstr "Legacy Firewall"
 
-#: ../../configuration/interfaces/vxlan.rst:112
+#: ../../configuration/interfaces/vxlan.rst:133
 msgid "Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and sends it to its designated multicast-address via Spine1. When Spine1 receives this packet it forwards it to all other leaves who has joined the same multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because the encapsulated packet had Leaf2's IP address set as source IP."
 msgstr "Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and sends it to its designated multicast-address via Spine1. When Spine1 receives this packet it forwards it to all other leaves who has joined the same multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because the encapsulated packet had Leaf2's IP address set as source IP."
 
@@ -8404,7 +7691,7 @@ msgstr "Level 4 balancing"
 msgid "Lifetime associated with the default router in units of seconds"
 msgstr "Lifetime associated with the default router in units of seconds"
 
-#: ../../configuration/service/https.rst:72
+#: ../../configuration/service/https.rst:63
 msgid "Lifetime in days; default is 365"
 msgstr "Lifetime in days; default is 365"
 
@@ -8436,7 +7723,7 @@ msgstr "Limiter"
 msgid "Limiter is one of those policies that uses classes_ (Ingress qdisc is actually a classless policy but filters do work in it)."
 msgstr "Limiter is one of those policies that uses classes_ (Ingress qdisc is actually a classless policy but filters do work in it)."
 
-#: ../../configuration/system/login.rst:379
+#: ../../configuration/system/login.rst:381
 msgid "Limits"
 msgstr "Limits"
 
@@ -8452,7 +7739,7 @@ msgstr "Link MTU value placed in RAs, exluded in RAs if unset"
 msgid "Link aggregation"
 msgstr "Link aggregation"
 
-#: ../../configuration/nat/nat44.rst:372
+#: ../../configuration/nat/nat44.rst:386
 msgid "Linux netfilter will not NAT traffic marked as INVALID. This often confuses people into thinking that Linux (or specifically VyOS) has a broken NAT implementation because non-NATed traffic is seen leaving an external interface. This is actually working as intended, and a packet capture of the \"leaky\" traffic should reveal that the traffic is either an additional TCP \"RST\", \"FIN,ACK\", or \"RST,ACK\" sent by client systems after Linux netfilter considers the connection closed. The most common is the additional TCP RST some host implementations send after terminating a connection (which is implementation-specific)."
 msgstr "Linux netfilter will not NAT traffic marked as INVALID. This often confuses people into thinking that Linux (or specifically VyOS) has a broken NAT implementation because non-NATed traffic is seen leaving an external interface. This is actually working as intended, and a packet capture of the \"leaky\" traffic should reveal that the traffic is either an additional TCP \"RST\", \"FIN,ACK\", or \"RST,ACK\" sent by client systems after Linux netfilter considers the connection closed. The most common is the additional TCP RST some host implementations send after terminating a connection (which is implementation-specific)."
 
@@ -8480,7 +7767,7 @@ msgstr "List of supported algorithms: ``diffie-hellman-group1-sha1``, ``diffie-h
 msgid "List of supported ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``, ``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``, ``arcfour128``, ``arcfour256``, ``arcfour``, ``blowfish-cbc``, ``cast128-cbc``"
 msgstr "List of supported ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``, ``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``, ``arcfour128``, ``arcfour256``, ``arcfour``, ``blowfish-cbc``, ``cast128-cbc``"
 
-#: ../../configuration/policy/route-map.rst:360
+#: ../../configuration/policy/route-map.rst:362
 msgid "List of well-known communities"
 msgstr "List of well-known communities"
 
@@ -8504,15 +7791,15 @@ msgstr "Load-balancing algorithms to be used for distributind requests among the
 msgid "Load-balancing schedule algorithm:"
 msgstr "Load-balancing schedule algorithm:"
 
-#: ../../configuration/nat/nat44.rst:632
+#: ../../configuration/nat/nat44.rst:656
 msgid "Load Balance"
 msgstr "Load Balance"
 
-#: ../../configuration/service/pppoe-server.rst:256
+#: ../../configuration/service/pppoe-server.rst:243
 msgid "Load Balancing"
 msgstr "Load Balancing"
 
-#: ../../configuration/system/login.rst:420
+#: ../../configuration/system/login.rst:422
 msgid "Load the container image in op-mode."
 msgstr "Load the container image in op-mode."
 
@@ -8529,7 +7816,7 @@ msgstr "Local Configuration:"
 msgid "Local Configuration - Annotated:"
 msgstr "Local Configuration - Annotated:"
 
-#: ../../configuration/service/dhcp-server.rst:178
+#: ../../configuration/service/dhcp-server.rst:143
 msgid "Local IP `<address>` used when communicating to the failover peer."
 msgstr "Local IP `<address>` used when communicating to the failover peer."
 
@@ -8609,7 +7896,7 @@ msgstr "Log syslog messages to file specified via `<filename>`, for an explanati
 msgid "Log syslog messages to remote host specified by `<address>`. The address can be specified by either FQDN or IP address. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 msgstr "Log syslog messages to remote host specified by `<address>`. The address can be specified by either FQDN or IP address. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below."
 
-#: ../../configuration/system/conntrack.rst:187
+#: ../../configuration/system/conntrack.rst:224
 msgid "Log the connection tracking events per protocol."
 msgstr "Log the connection tracking events per protocol."
 
@@ -8617,7 +7904,9 @@ msgstr "Log the connection tracking events per protocol."
 msgid "Logging"
 msgstr "Logging"
 
-#: ../../configuration/firewall/general.rst:412
+#: ../../configuration/firewall/bridge.rst:151
+#: ../../configuration/firewall/ipv4.rst:198
+#: ../../configuration/firewall/ipv6.rst:198
 msgid "Logging can be enable for every single firewall rule. If enabled, other log options can be defined."
 msgstr "Logging can be enable for every single firewall rule. If enabled, other log options can be defined."
 
@@ -8629,14 +7918,18 @@ msgstr "Logging to a remote host leaves the local logging configuration intact,
 msgid "Login/User Management"
 msgstr "Login/User Management"
 
-#: ../../configuration/system/login.rst:361
+#: ../../configuration/system/login.rst:363
 msgid "Login Banner"
 msgstr "Login Banner"
 
-#: ../../configuration/system/login.rst:381
+#: ../../configuration/system/login.rst:383
 msgid "Login limits"
 msgstr "Login limits"
 
+#: ../../configuration/protocols/isis.rst:306
+msgid "Loop Free Alternate (LFA)"
+msgstr "Loop Free Alternate (LFA)"
+
 #: ../../configuration/interfaces/loopback.rst:7
 msgid "Loopback"
 msgstr "Loopback"
@@ -8660,8 +7953,7 @@ msgstr "MAC/PHY information"
 msgid "MACVLAN - Pseudo Ethernet"
 msgstr "MACVLAN - Pseudo Ethernet"
 
-#: ../../configuration/firewall/general.rst:282
-#: ../../configuration/firewall/general-legacy.rst:240
+#: ../../configuration/firewall/groups.rst:109
 msgid "MAC Groups"
 msgstr "MAC Groups"
 
@@ -8701,52 +7993,14 @@ msgstr "MPLS"
 msgid "MPLS support in VyOS is not finished yet, and therefore its functionality is limited. Currently there is no support for MPLS enabled VPN services such as L2VPNs and mVPNs. RSVP support is also not present as the underlying routing stack (FRR) does not implement it. Currently VyOS implements LDP as described in RFC 5036; other LDP standard are the following ones: RFC 6720, RFC 6667, RFC 5919, RFC 5561, RFC 7552, RFC 4447. Because MPLS is already available (FRR also supports RFC 3031)."
 msgstr "MPLS support in VyOS is not finished yet, and therefore its functionality is limited. Currently there is no support for MPLS enabled VPN services such as L2VPNs and mVPNs. RSVP support is also not present as the underlying routing stack (FRR) does not implement it. Currently VyOS implements LDP as described in RFC 5036; other LDP standard are the following ones: RFC 6720, RFC 6667, RFC 5919, RFC 5561, RFC 7552, RFC 4447. Because MPLS is already available (FRR also supports RFC 3031)."
 
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
 #: ../../configuration/interfaces/pppoe.rst:215
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../configuration/interfaces/sstp-client.rst:87
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-#: ../../_include/interface-ip.txt:12
-msgid "MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU."
-msgstr "MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU."
-
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
+#: ../../configuration/interfaces/sstp-client.rst:87
+#: ../../_include/interface-ip.txt:12
+msgid "MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU."
+msgstr "MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU."
+
 #: ../../configuration/interfaces/pppoe.rst:261
 #: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
-#: ../../_include/interface-ipv6.txt:68
 msgid "MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU."
 msgstr "MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU."
 
@@ -8758,11 +8012,19 @@ msgstr "MTU"
 msgid "Mail system"
 msgstr "Mail system"
 
+#: ../../configuration/firewall/index.rst:20
+msgid "Main notes regarding this packet flow and terminology used in VyOS firewall:"
+msgstr "Main notes regarding this packet flow and terminology used in VyOS firewall:"
+
+#: ../../configuration/firewall/index.rst:91
+msgid "Main structure VyOS firewall cli is shown next:"
+msgstr "Main structure VyOS firewall cli is shown next:"
+
 #: ../../configuration/firewall/general.rst:20
 msgid "Main structure is shown next:"
 msgstr "Main structure is shown next:"
 
-#: ../../configuration/service/pppoe-server.rst:308
+#: ../../configuration/service/pppoe-server.rst:295
 msgid "Maintenance mode"
 msgstr "Maintenance mode"
 
@@ -8786,11 +8048,15 @@ msgstr "Mandatory Settings"
 msgid "Manual Neighbor Configuration"
 msgstr "Manual Neighbor Configuration"
 
-#: ../../configuration/interfaces/vxlan.rst:150
+#: ../../configuration/pki/index.rst:336
+msgid "Manually trigger certificate renewal. This will be done twice a day."
+msgstr "Manually trigger certificate renewal. This will be done twice a day."
+
+#: ../../configuration/interfaces/vxlan.rst:171
 msgid "Maps the VNI to the specified VLAN id. The VLAN can then be consumed by a bridge."
 msgstr "Maps the VNI to the specified VLAN id. The VLAN can then be consumed by a bridge."
 
-#: ../../configuration/vpn/sstp.rst:212
+#: ../../configuration/vpn/sstp.rst:223
 msgid "Mark RADIUS server as offline for this given `<time>` in seconds."
 msgstr "Mark RADIUS server as offline for this given `<time>` in seconds."
 
@@ -8810,7 +8076,8 @@ msgstr "Match BGP large communities."
 msgid "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_."
 msgstr "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_."
 
-#: ../../configuration/firewall/general.rst:710
+#: ../../configuration/firewall/ipv4.rst:440
+#: ../../configuration/firewall/ipv6.rst:447
 msgid "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. Use inverse-match to match anything except the given country-codes."
 msgstr "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. Use inverse-match to match anything except the given country-codes."
 
@@ -8822,18 +8089,18 @@ msgstr "Match RPKI validation result."
 msgid "Match a protocol criteria. A protocol number or a name which is defined in: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected protocol."
 msgstr "Match a protocol criteria. A protocol number or a name which is defined in: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected protocol."
 
-#: ../../configuration/firewall/general.rst:1091
-#: ../../configuration/firewall/general-legacy.rst:671
+#: ../../configuration/firewall/ipv4.rst:773
+#: ../../configuration/firewall/ipv6.rst:783
 msgid "Match a protocol criteria. A protocol number or a name which is here defined: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negate the selected protocol."
 msgstr "Match a protocol criteria. A protocol number or a name which is here defined: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negate the selected protocol."
 
-#: ../../configuration/firewall/general.rst:1158
-#: ../../configuration/firewall/general-legacy.rst:709
+#: ../../configuration/firewall/ipv4.rst:831
+#: ../../configuration/firewall/ipv6.rst:840
 msgid "Match against the state of a packet."
 msgstr "Match against the state of a packet."
 
-#: ../../configuration/firewall/general.rst:924
-#: ../../configuration/firewall/general-legacy.rst:590
+#: ../../configuration/firewall/ipv4.rst:620
+#: ../../configuration/firewall/ipv6.rst:630
 msgid "Match based on dscp value."
 msgstr "Match based on dscp value."
 
@@ -8841,18 +8108,28 @@ msgstr "Match based on dscp value."
 msgid "Match based on dscp value criteria. Multiple values from 0 to 63 and ranges are supported."
 msgstr "Match based on dscp value criteria. Multiple values from 0 to 63 and ranges are supported."
 
-#: ../../configuration/firewall/general.rst:937
-#: ../../configuration/firewall/general-legacy.rst:597
+#: ../../configuration/firewall/ipv4.rst:631
+#: ../../configuration/firewall/ipv6.rst:641
 msgid "Match based on fragment criteria."
 msgstr "Match based on fragment criteria."
 
-#: ../../configuration/firewall/general.rst:956
-#: ../../configuration/firewall/general-legacy.rst:604
+#: ../../configuration/firewall/ipv4.rst:642
+msgid "Match based on icmp code and type."
+msgstr "Match based on icmp code and type."
+
+#: ../../configuration/firewall/ipv4.rst:653
+msgid "Match based on icmp type-name criteria. Use tab for information about what **type-name** criteria are supported."
+msgstr "Match based on icmp type-name criteria. Use tab for information about what **type-name** criteria are supported."
+
+#: ../../configuration/firewall/ipv6.rst:663
+msgid "Match based on icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported."
+msgstr "Match based on icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported."
+
+#: ../../configuration/firewall/ipv6.rst:652
 #: ../../configuration/policy/route.rst:131
 msgid "Match based on icmp|icmpv6 code and type."
 msgstr "Match based on icmp|icmpv6 code and type."
 
-#: ../../configuration/firewall/general.rst:975
 #: ../../configuration/firewall/general-legacy.rst:610
 msgid "Match based on icmp|icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported."
 msgstr "Match based on icmp|icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported."
@@ -8869,8 +8146,20 @@ msgstr "Match based on inbound/outbound interface. Wilcard ``*`` can be used. Fo
 msgid "Match based on inbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
 msgstr "Match based on inbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
 
-#: ../../configuration/firewall/general.rst:1013
-#: ../../configuration/firewall/general-legacy.rst:630
+#: ../../configuration/firewall/bridge.rst:239
+#: ../../configuration/firewall/ipv4.rst:663
+#: ../../configuration/firewall/ipv6.rst:673
+msgid "Match based on inbound interface. Wilcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!eth2``"
+msgstr "Match based on inbound interface. Wilcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!eth2``"
+
+#: ../../configuration/firewall/bridge.rst:248
+#: ../../configuration/firewall/ipv4.rst:674
+#: ../../configuration/firewall/ipv6.rst:684
+msgid "Match based on inbound interface group. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!IFACE_GROUP``"
+msgstr "Match based on inbound interface group. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!IFACE_GROUP``"
+
+#: ../../configuration/firewall/ipv4.rst:707
+#: ../../configuration/firewall/ipv6.rst:717
 msgid "Match based on ipsec criteria."
 msgstr "Match based on ipsec criteria."
 
@@ -8878,53 +8167,77 @@ msgstr "Match based on ipsec criteria."
 msgid "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
 msgstr "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
 
-#: ../../configuration/firewall/general.rst:1064
-#: ../../configuration/firewall/general-legacy.rst:656
+#: ../../configuration/firewall/bridge.rst:256
+#: ../../configuration/firewall/ipv4.rst:684
+#: ../../configuration/firewall/ipv6.rst:694
+msgid "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!eth2``"
+msgstr "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!eth2``"
+
+#: ../../configuration/firewall/bridge.rst:265
+#: ../../configuration/firewall/ipv4.rst:695
+#: ../../configuration/firewall/ipv6.rst:705
+msgid "Match based on outbound interface group. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!IFACE_GROUP``"
+msgstr "Match based on outbound interface group. Prepending character ``!`` for inverted matching criteria is also supportd. For example ``!IFACE_GROUP``"
+
+#: ../../configuration/firewall/ipv4.rst:750
+#: ../../configuration/firewall/ipv6.rst:760
 #: ../../configuration/policy/route.rst:176
 msgid "Match based on packet length criteria. Multiple values from 1 to 65535 and ranges are supported."
 msgstr "Match based on packet length criteria. Multiple values from 1 to 65535 and ranges are supported."
 
-#: ../../configuration/firewall/general.rst:1078
-#: ../../configuration/firewall/general-legacy.rst:664
+#: ../../configuration/firewall/ipv4.rst:762
+#: ../../configuration/firewall/ipv6.rst:772
 #: ../../configuration/policy/route.rst:184
 msgid "Match based on packet type criteria."
 msgstr "Match based on packet type criteria."
 
-#: ../../configuration/firewall/general.rst:1039
-#: ../../configuration/firewall/general-legacy.rst:644
+#: ../../configuration/firewall/ipv4.rst:729
+#: ../../configuration/firewall/ipv6.rst:739
 msgid "Match based on the maximum average rate, specified as **integer/unit**. For example **5/minutes**"
 msgstr "Match based on the maximum average rate, specified as **integer/unit**. For example **5/minutes**"
 
-#: ../../configuration/firewall/general.rst:1026
-#: ../../configuration/firewall/general-legacy.rst:637
+#: ../../configuration/firewall/ipv4.rst:718
+#: ../../configuration/firewall/ipv6.rst:728
 msgid "Match based on the maximum number of packets to allow in excess of rate."
 msgstr "Match based on the maximum number of packets to allow in excess of rate."
 
-#: ../../configuration/firewall/general.rst:1124
-#: ../../configuration/firewall/general-legacy.rst:689
+#: ../../configuration/firewall/bridge.rst:273
+msgid "Match based on vlan ID. Range is also supported."
+msgstr "Match based on vlan ID. Range is also supported."
+
+#: ../../configuration/firewall/bridge.rst:280
+msgid "Match based on vlan priority(pcp). Range is also supported."
+msgstr "Match based on vlan priority(pcp). Range is also supported."
+
+#: ../../configuration/firewall/ipv4.rst:801
+#: ../../configuration/firewall/ipv6.rst:810
 msgid "Match bases on recently seen sources."
 msgstr "Match bases on recently seen sources."
 
-#: ../../configuration/firewall/general.rst:562
-#: ../../configuration/firewall/general-legacy.rst:394
+#: ../../configuration/firewall/ipv4.rst:325
+#: ../../configuration/firewall/ipv6.rst:325
 msgid "Match criteria based on connection mark."
 msgstr "Match criteria based on connection mark."
 
-#: ../../configuration/firewall/general.rst:549
-#: ../../configuration/firewall/general-legacy.rst:387
+#: ../../configuration/firewall/ipv4.rst:314
+#: ../../configuration/firewall/ipv6.rst:314
 msgid "Match criteria based on nat connection status."
 msgstr "Match criteria based on nat connection status."
 
-#: ../../configuration/firewall/general.rst:586
+#: ../../configuration/firewall/ipv4.rst:345
+#: ../../configuration/firewall/ipv6.rst:345
 msgid "Match criteria based on source and/or destination address. This is similar to the network groups part, but here you are able to negate the matching addresses."
 msgstr "Match criteria based on source and/or destination address. This is similar to the network groups part, but here you are able to negate the matching addresses."
 
+#: ../../configuration/firewall/bridge.rst:232
+msgid "Match criteria based on source and/or destination mac-address."
+msgstr "Match criteria based on source and/or destination mac-address."
+
 #: ../../configuration/loadbalancing/reverse-proxy.rst:58
 msgid "Match domain name"
 msgstr "Match domain name"
 
-#: ../../configuration/firewall/general.rst:1234
-#: ../../configuration/firewall/general-legacy.rst:732
+#: ../../configuration/firewall/ipv6.rst:894
 #: ../../configuration/policy/route.rst:234
 msgid "Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
 msgstr "Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
@@ -8937,19 +8250,19 @@ msgstr "Match local preference."
 msgid "Match route metric."
 msgstr "Match route metric."
 
-#: ../../configuration/firewall/general.rst:1222
-#: ../../configuration/firewall/general-legacy.rst:726
+#: ../../configuration/firewall/ipv4.rst:885
 #: ../../configuration/policy/route.rst:229
 msgid "Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
 msgstr "Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
 
-#: ../../configuration/firewall/general.rst:1259
-#: ../../configuration/firewall/general-legacy.rst:742
+#: ../../configuration/firewall/ipv4.rst:906
+#: ../../configuration/firewall/ipv6.rst:915
 msgid "Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts."
 msgstr "Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts."
 
-#: ../../configuration/firewall/general.rst:534
-#: ../../configuration/firewall/general-legacy.rst:378
+#: ../../configuration/firewall/bridge.rst:219
+#: ../../configuration/firewall/ipv4.rst:301
+#: ../../configuration/firewall/ipv6.rst:301
 #: ../../configuration/policy/route.rst:38
 msgid "Matching criteria"
 msgstr "Matching criteria"
@@ -8966,7 +8279,7 @@ msgstr "Maximum A-MSDU length 3839 (default) or 7935 octets"
 msgid "Maximum number of DNS cache entries. 1 million per CPU core will generally suffice for most installations."
 msgstr "Maximum number of DNS cache entries. 1 million per CPU core will generally suffice for most installations."
 
-#: ../../configuration/vpn/sstp.rst:148
+#: ../../configuration/vpn/sstp.rst:159
 msgid "Maximum number of IPv4 nameservers"
 msgstr "Maximum number of IPv4 nameservers"
 
@@ -8978,7 +8291,11 @@ msgstr "Maximum number of authenticator processes to spawn. If you start too few
 msgid "Maximum number of stations allowed in station table. New stations will be rejected after the station table is full. IEEE 802.11 has a limit of 2007 different association IDs, so this number should not be larger than that."
 msgstr "Maximum number of stations allowed in station table. New stations will be rejected after the station table is full. IEEE 802.11 has a limit of 2007 different association IDs, so this number should not be larger than that."
 
-#: ../../configuration/vpn/sstp.rst:239
+#: ../../configuration/service/dns.rst:148
+msgid "Maximum number of times an expired record’s TTL is extended by 30s when serving stale. Extension only occurs if a record cannot be refreshed. A value of 0 means the Serve Stale mechanism is not used. To allow records becoming stale to be served for an hour, use a value of 120."
+msgstr "Maximum number of times an expired record’s TTL is extended by 30s when serving stale. Extension only occurs if a record cannot be refreshed. A value of 0 means the Serve Stale mechanism is not used. To allow records becoming stale to be served for an hour, use a value of 120."
+
+#: ../../configuration/vpn/sstp.rst:250
 msgid "Maximum number of tries to send Access-Request/Accounting-Request queries"
 msgstr "Maximum number of tries to send Access-Request/Accounting-Request queries"
 
@@ -9010,6 +8327,26 @@ msgstr "Metris version, the default is ``2``"
 msgid "Min and max intervals between unsolicited multicast RAs"
 msgstr "Min and max intervals between unsolicited multicast RAs"
 
+#: ../../configuration/firewall/flowtables.rst:106
+msgid "Minumum firewall ruleset is provided, which includes some filtering rules, and appropiate rules for using flowtable offload capabilities."
+msgstr "Minumum firewall ruleset is provided, which includes some filtering rules, and appropiate rules for using flowtable offload capabilities."
+
+#: ../../configuration/protocols/pim.rst:49
+msgid "Modify the join/prune interval that PIM uses to the new value. Time is specified in seconds."
+msgstr "Modify the join/prune interval that PIM uses to the new value. Time is specified in seconds."
+
+#: ../../configuration/protocols/pim.rst:59
+msgid "Modify the time out value for a S,G flow from 1-65535 seconds. If choosing a value below 31 seconds be aware that some hardware platforms cannot see data flowing in better than 30 second chunks."
+msgstr "Modify the time out value for a S,G flow from 1-65535 seconds. If choosing a value below 31 seconds be aware that some hardware platforms cannot see data flowing in better than 30 second chunks."
+
+#: ../../configuration/protocols/pim.rst:98
+msgid "Modify the time out value for a S,G flow from 1-65535 seconds at :abbr:`RP (Rendezvous Point)`. The normal keepalive period for the KAT(S,G) defaults to 210 seconds. However, at the :abbr:`RP (Rendezvous Point)`, the keepalive period must be at least the Register_Suppression_Time, or the RP may time out the (S,G) state before the next Null-Register arrives. Thus, the KAT(S,G) is set to max(Keepalive_Period, RP_Keepalive_Period) when a Register-Stop is sent."
+msgstr "Modify the time out value for a S,G flow from 1-65535 seconds at :abbr:`RP (Rendezvous Point)`. The normal keepalive period for the KAT(S,G) defaults to 210 seconds. However, at the :abbr:`RP (Rendezvous Point)`, the keepalive period must be at least the Register_Suppression_Time, or the RP may time out the (S,G) state before the next Null-Register arrives. Thus, the KAT(S,G) is set to max(Keepalive_Period, RP_Keepalive_Period) when a Register-Stop is sent."
+
+#: ../../configuration/protocols/pim.rst:82
+msgid "Modify the time that pim will register suppress a FHR will send register notifications to the kernel."
+msgstr "Modify the time that pim will register suppress a FHR will send register notifications to the kernel."
+
 #: ../../configuration/interfaces/wireless.rst:22
 msgid "Monitor, the system passively monitors any kind of wireless traffic"
 msgstr "Monitor, the system passively monitors any kind of wireless traffic"
@@ -9034,7 +8371,7 @@ msgstr "Most operating systems include native client support for IPsec IKEv2 VPN
 msgid "Mount a volume into the container"
 msgstr "Mount a volume into the container"
 
-#: ../../configuration/service/dhcp-server.rst:268
+#: ../../configuration/service/dhcp-server.rst:235
 msgid "Multi"
 msgstr "Multi"
 
@@ -9046,16 +8383,15 @@ msgstr "Multi-client server is the most popular OpenVPN mode on routers. It alwa
 msgid "Multi-homed. In a multi-homed network environment, the NAT66 device connects to an internal network and simultaneously connects to different external networks. Address translation can be configured on each external network side interface of the NAT66 device to convert the same internal network address into different external network addresses, and realize the mapping of the same internal address to multiple external addresses."
 msgstr "Multi-homed. In a multi-homed network environment, the NAT66 device connects to an internal network and simultaneously connects to different external networks. Address translation can be configured on each external network side interface of the NAT66 device to convert the same internal network address into different external network addresses, and realize the mapping of the same internal address to multiple external addresses."
 
-#: ../../configuration/service/dhcp-server.rst:392
+#: ../../configuration/service/dhcp-server.rst:359
 msgid "Multi: can be specified multiple times."
 msgstr "Multi: can be specified multiple times."
 
-#: ../../configuration/interfaces/vxlan.rst:89
-#: ../../configuration/protocols/igmp.rst:7
+#: ../../configuration/interfaces/vxlan.rst:110
 msgid "Multicast"
 msgstr "Multicast"
 
-#: ../../configuration/interfaces/vxlan.rst:209
+#: ../../configuration/interfaces/vxlan.rst:230
 msgid "Multicast-routing is required for the leaves to forward traffic between each other in a more scalable way. This also requires PIM to be enabled towards the leaves so that the Spine can learn what multicast groups each Leaf expects traffic from."
 msgstr "Multicast-routing is required for the leaves to forward traffic between each other in a more scalable way. This also requires PIM to be enabled towards the leaves so that the Spine can learn what multicast groups each Leaf expects traffic from."
 
@@ -9063,11 +8399,15 @@ msgstr "Multicast-routing is required for the leaves to forward traffic between
 msgid "Multicast DNS uses the 224.0.0.251 address, which is \"administratively scoped\" and does not leave the subnet. It retransmits mDNS packets from one interface to other interfaces. This enables support for e.g. Apple Airplay devices across multiple VLANs."
 msgstr "Multicast DNS uses the 224.0.0.251 address, which is \"administratively scoped\" and does not leave the subnet. It retransmits mDNS packets from one interface to other interfaces. This enables support for e.g. Apple Airplay devices across multiple VLANs."
 
-#: ../../configuration/interfaces/vxlan.rst:105
+#: ../../configuration/service/mdns.rst:8
+msgid "Multicast DNS uses the reserved address ``224.0.0.251``, which is `\"administratively scoped\"` and does not leave the subnet. mDNS repeater retransmits mDNS packets from one interface to other interfaces. This enables support for devices using mDNS discovery (like network printers, Apple Airplay, Chromecast, various IP based home-automation devices etc) across multiple VLANs."
+msgstr "Multicast DNS uses the reserved address ``224.0.0.251``, which is `\"administratively scoped\"` and does not leave the subnet. mDNS repeater retransmits mDNS packets from one interface to other interfaces. This enables support for devices using mDNS discovery (like network printers, Apple Airplay, Chromecast, various IP based home-automation devices etc) across multiple VLANs."
+
+#: ../../configuration/interfaces/vxlan.rst:126
 msgid "Multicast VXLAN"
 msgstr "Multicast VXLAN"
 
-#: ../../configuration/interfaces/vxlan.rst:99
+#: ../../configuration/interfaces/vxlan.rst:120
 msgid "Multicast group address for VXLAN interface. VXLAN tunnels can be built either via Multicast or via Unicast."
 msgstr "Multicast group address for VXLAN interface. VXLAN tunnels can be built either via Multicast or via Unicast."
 
@@ -9075,7 +8415,7 @@ msgstr "Multicast group address for VXLAN interface. VXLAN tunnels can be built
 msgid "Multicast group to use for syncing conntrack entries."
 msgstr "Multicast group to use for syncing conntrack entries."
 
-#: ../../configuration/protocols/igmp.rst:26
+#: ../../configuration/protocols/pim.rst:22
 msgid "Multicast receivers will talk IGMP to their local router, so, besides having PIM configured in every router, IGMP must also be configured in any router where there could be a multicast receiver locally connected."
 msgstr "Multicast receivers will talk IGMP to their local router, so, besides having PIM configured in every router, IGMP must also be configured in any router where there could be a multicast receiver locally connected."
 
@@ -9083,8 +8423,8 @@ msgstr "Multicast receivers will talk IGMP to their local router, so, besides ha
 msgid "Multicast receivers will talk MLD to their local router, so, besides having PIMv6 configured in every router, MLD must also be configured in any router where there could be a multicast receiver locally connected."
 msgstr "Multicast receivers will talk MLD to their local router, so, besides having PIMv6 configured in every router, MLD must also be configured in any router where there could be a multicast receiver locally connected."
 
-#: ../../configuration/service/dhcp-server.rst:59
-#: ../../configuration/service/dhcp-server.rst:106
+#: ../../configuration/service/dhcp-server.rst:54
+#: ../../configuration/service/dhcp-server.rst:92
 msgid "Multiple DNS servers can be defined."
 msgstr "Multiple DNS servers can be defined."
 
@@ -9096,7 +8436,7 @@ msgstr "Multiple RPKI caching instances can be supplied and they need a preferen
 msgid "Multiple Uplinks"
 msgstr "Multiple Uplinks"
 
-#: ../../configuration/interfaces/vxlan.rst:144
+#: ../../configuration/interfaces/vxlan.rst:165
 msgid "Multiple VLAN to VNI mappings can be configured against the same SVD. This allows for a significant scaling of the number of VNIs since a separate VXLAN interface is no longer required for each VNI."
 msgstr "Multiple VLAN to VNI mappings can be configured against the same SVD. This allows for a significant scaling of the number of VNIs since a separate VXLAN interface is no longer required for each VNI."
 
@@ -9108,7 +8448,7 @@ msgstr "Multiple aliases can pe specified per host-name."
 msgid "Multiple destination ports can be specified as a comma-separated list. The whole list can also be \"negated\" using '!'. For example: '!22,telnet,http,123,1001-1005'"
 msgstr "Multiple destination ports can be specified as a comma-separated list. The whole list can also be \"negated\" using '!'. For example: '!22,telnet,http,123,1001-1005'"
 
-#: ../../configuration/system/conntrack.rst:122
+#: ../../configuration/system/conntrack.rst:150
 msgid "Multiple destination ports can be specified as a comma-separated list. The whole list can also be \"negated\" using '!'. For example: `!22,telnet,http,123,1001-1005``"
 msgstr "Multiple destination ports can be specified as a comma-separated list. The whole list can also be \"negated\" using '!'. For example: `!22,telnet,http,123,1001-1005``"
 
@@ -9125,12 +8465,12 @@ msgstr "Multiple networks/client IP addresses can be configured."
 msgid "Multiple servers can be specified."
 msgstr "Multiple servers can be specified."
 
-#: ../../configuration/service/dns.rst:361
+#: ../../configuration/service/dns.rst:374
 msgid "Multiple services can be used per interface. Just specify as many services per interface as you like!"
 msgstr "Multiple services can be used per interface. Just specify as many services per interface as you like!"
 
-#: ../../configuration/firewall/general.rst:770
-#: ../../configuration/firewall/general-legacy.rst:515
+#: ../../configuration/firewall/ipv4.rst:494
+#: ../../configuration/firewall/ipv6.rst:500
 msgid "Multiple source ports can be specified as a comma-separated list. The whole list can also be \"negated\" using ``!``. For example:"
 msgstr "Multiple source ports can be specified as a comma-separated list. The whole list can also be \"negated\" using ``!``. For example:"
 
@@ -9147,18 +8487,18 @@ msgstr "Multiple users can connect to the same serial device but only one is all
 msgid "Multiprotocol extensions enable BGP to carry routing information for multiple network layer protocols. BGP supports an Address Family Identifier (AFI) for IPv4 and IPv6."
 msgstr "Multiprotocol extensions enable BGP to carry routing information for multiple network layer protocols. BGP supports an Address Family Identifier (AFI) for IPv4 and IPv6."
 
-#: ../../configuration/service/dhcp-server.rst:274
-#: ../../configuration/service/dhcp-server.rst:280
-#: ../../configuration/service/dhcp-server.rst:285
-#: ../../configuration/service/dhcp-server.rst:305
-#: ../../configuration/service/dhcp-server.rst:320
-#: ../../configuration/service/dhcp-server.rst:325
-#: ../../configuration/service/dhcp-server.rst:330
-#: ../../configuration/service/dhcp-server.rst:335
-#: ../../configuration/service/dhcp-server.rst:340
-#: ../../configuration/service/dhcp-server.rst:360
-#: ../../configuration/service/dhcp-server.rst:365
-#: ../../configuration/service/dhcp-server.rst:370
+#: ../../configuration/service/dhcp-server.rst:241
+#: ../../configuration/service/dhcp-server.rst:247
+#: ../../configuration/service/dhcp-server.rst:252
+#: ../../configuration/service/dhcp-server.rst:272
+#: ../../configuration/service/dhcp-server.rst:287
+#: ../../configuration/service/dhcp-server.rst:292
+#: ../../configuration/service/dhcp-server.rst:297
+#: ../../configuration/service/dhcp-server.rst:302
+#: ../../configuration/service/dhcp-server.rst:307
+#: ../../configuration/service/dhcp-server.rst:327
+#: ../../configuration/service/dhcp-server.rst:332
+#: ../../configuration/service/dhcp-server.rst:337
 msgid "N"
 msgstr "N"
 
@@ -9175,19 +8515,31 @@ msgstr "NAT, Routing, Firewall Interaction"
 msgid "NAT44"
 msgstr "NAT44"
 
+#: ../../configuration/nat/nat64.rst:5
+msgid "NAT64"
+msgstr "NAT64"
+
+#: ../../configuration/nat/nat64.rst:62
+msgid "NAT64 client configuration:"
+msgstr "NAT64 client configuration:"
+
+#: ../../configuration/nat/nat64.rst:44
+msgid "NAT64 server configuration:"
+msgstr "NAT64 server configuration:"
+
 #: ../../configuration/nat/nat66.rst:5
 msgid "NAT66(NPTv6)"
 msgstr "NAT66(NPTv6)"
 
-#: ../../configuration/nat/nat44.rst:706
+#: ../../configuration/nat/nat44.rst:730
 msgid "NAT Configuration"
 msgstr "NAT Configuration"
 
-#: ../../configuration/nat/nat44.rst:287
+#: ../../configuration/nat/nat44.rst:299
 msgid "NAT Load Balance"
 msgstr "NAT Load Balance"
 
-#: ../../configuration/nat/nat44.rst:293
+#: ../../configuration/nat/nat44.rst:305
 msgid "NAT Load Balance uses an algorithm that generates a hash and based on it, then it applies corresponding translation. This hash can be generated randomly, or can use data from the ip header: source-address, destination-address, source-port and/or destination-port. By default, it will generate the hash randomly."
 msgstr "NAT Load Balance uses an algorithm that generates a hash and based on it, then it applies corresponding translation. This hash can be generated randomly, or can use data from the ip header: source-address, destination-address, source-port and/or destination-port. By default, it will generate the hash randomly."
 
@@ -9195,16 +8547,15 @@ msgstr "NAT Load Balance uses an algorithm that generates a hash and based on it
 msgid "NAT Ruleset"
 msgstr "NAT Ruleset"
 
-#: ../../configuration/nat/nat44.rst:686
+#: ../../configuration/nat/nat44.rst:710
 msgid "NAT (specifically, Source NAT);"
 msgstr "NAT (specifically, Source NAT);"
 
-#: ../../configuration/nat/nat44.rst:624
+#: ../../configuration/nat/nat44.rst:648
 msgid "NAT before VPN"
 msgstr "NAT before VPN"
 
-#: ../../configuration/nat/nat44.rst:677
-#: ../../configuration/nat/nat44.rst:677
+#: ../../configuration/nat/nat44.rst:701
 msgid "NAT before VPN Topology"
 msgstr "NAT before VPN Topology"
 
@@ -9236,7 +8587,7 @@ msgstr "NTP supplies a warning of any impending leap second adjustment, but no i
 msgid "Name Server"
 msgstr "Name Server"
 
-#: ../../configuration/service/dhcp-server.rst:389
+#: ../../configuration/service/dhcp-server.rst:356
 msgid "Name of static mapping"
 msgstr "Name of static mapping"
 
@@ -9244,11 +8595,11 @@ msgstr "Name of static mapping"
 msgid "Name of the single table Only if set group-metrics single-table."
 msgstr "Name of the single table Only if set group-metrics single-table."
 
-#: ../../configuration/service/dhcp-server.rst:329
+#: ../../configuration/service/dhcp-server.rst:296
 msgid "Name or IPv4 address of TFTP server"
 msgstr "Name or IPv4 address of TFTP server"
 
-#: ../../configuration/service/dhcp-server.rst:314
+#: ../../configuration/service/dhcp-server.rst:281
 msgid "NetBIOS over TCP/IP name server"
 msgstr "NetBIOS over TCP/IP name server"
 
@@ -9276,7 +8627,7 @@ msgstr "NetFlow is usually enabled on a per-interface basis to limit load on the
 msgid "NetFlow v5 example:"
 msgstr "NetFlow v5 example:"
 
-#: ../../configuration/firewall/index.rst:16
+#: ../../configuration/firewall/index.rst:13
 msgid "Netfilter based"
 msgstr "Netfilter based"
 
@@ -9302,8 +8653,7 @@ msgstr "Network Control"
 msgid "Network Emulator"
 msgstr "Network Emulator"
 
-#: ../../configuration/firewall/general.rst:215
-#: ../../configuration/firewall/general-legacy.rst:191
+#: ../../configuration/firewall/groups.rst:42
 msgid "Network Groups"
 msgstr "Network Groups"
 
@@ -9315,7 +8665,7 @@ msgstr "Network ID (SSID) ``Enterprise-TEST``"
 msgid "Network ID (SSID) ``TEST``"
 msgstr "Network ID (SSID) ``TEST``"
 
-#: ../../configuration/protocols/igmp.rst:None
+#: ../../configuration/protocols/pim.rst:-1
 msgid "Network Topology Diagram"
 msgstr "Network Topology Diagram"
 
@@ -9339,7 +8689,7 @@ msgstr "New user will use SHA/AES for authentication and privacy"
 msgid "Next-hop interface for the route"
 msgstr "Next-hop interface for the route"
 
-#: ../../configuration/vpn/openconnect.rst:205
+#: ../../configuration/vpn/openconnect.rst:212
 msgid "Next it is necessary to configure 2FA for OpenConnect:"
 msgstr "Next it is necessary to configure 2FA for OpenConnect:"
 
@@ -9428,7 +8778,7 @@ msgstr "Now we add the option to the scope, adapt to your setup"
 msgid "Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel endpoints. Since we want clients to access a specific network behind our router, we will use a push-route option for installing that route on clients."
 msgstr "Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel endpoints. Since we want clients to access a specific network behind our router, we will use a push-route option for installing that route on clients."
 
-#: ../../configuration/vpn/openconnect.rst:212
+#: ../../configuration/vpn/openconnect.rst:219
 msgid "Now when connecting the user will first be asked for the password and then the OTP key."
 msgstr "Now when connecting the user will first be asked for the password and then the OTP key."
 
@@ -9480,7 +8830,7 @@ msgstr "OTP-key generation"
 msgid "Offloading"
 msgstr "Offloading"
 
-#: ../../configuration/service/dhcp-server.rst:278
+#: ../../configuration/service/dhcp-server.rst:245
 msgid "Offset of the client's subnet in seconds from Coordinated Universal Time (UTC)"
 msgstr "Offset of the client's subnet in seconds from Coordinated Universal Time (UTC)"
 
@@ -9555,6 +8905,10 @@ msgstr "On the initiator, we need to set the remote-id option so that it can ide
 msgid "On the initiator, we set the peer address to its public address, but on the responder we only set the id."
 msgstr "On the initiator, we set the peer address to its public address, but on the responder we only set the id."
 
+#: ../../configuration/protocols/pim.rst:120
+msgid "On the last hop router if it is desired to not switch over to the SPT tree configure this command."
+msgstr "On the last hop router if it is desired to not switch over to the SPT tree configure this command."
+
 #: ../../configuration/vpn/rsa-keys.rst:57
 msgid "On the responder, we need to set the local id so that initiator can know who's talking to it for the point #3 to work."
 msgstr "On the responder, we need to set the local id so that initiator can know who's talking to it for the point #3 to work."
@@ -9563,25 +8917,6 @@ msgstr "On the responder, we need to set the local id so that initiator can know
 msgid "Once a class has a filter configured, you will also have to define what you want to do with the traffic of that class, what specific Traffic-Control treatment you want to give it. You will have different possibilities depending on the Traffic Policy you are configuring."
 msgstr "Once a class has a filter configured, you will also have to define what you want to do with the traffic of that class, what specific Traffic-Control treatment you want to give it. You will have different possibilities depending on the Traffic Policy you are configuring."
 
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
-#: ../../_include/interface-ip.txt:21
 #: ../../_include/interface-ip.txt:21
 msgid "Once a neighbor has been found, the entry is considered to be valid for at least for this specific time. An entry's validity will be extended if it receives positive feedback from higher level protocols."
 msgstr "Once a neighbor has been found, the entry is considered to be valid for at least for this specific time. An entry's validity will be extended if it receives positive feedback from higher level protocols."
@@ -9606,6 +8941,10 @@ msgstr "Once flow accounting is configured on an interfaces it provides the abil
 msgid "Once the command is completed, it will add the certificate to the configuration session, to the pki subtree. You can then review the proposed changes and commit them."
 msgstr "Once the command is completed, it will add the certificate to the configuration session, to the pki subtree. You can then review the proposed changes and commit them."
 
+#: ../../configuration/firewall/flowtables.rst:38
+msgid "Once the first packet of the flow successfully goes through the IP forwarding path (black circles path), from the second packet on, you might decide to offload the flow to the flowtable through your ruleset. The flowtable infrastructure provides a rule action that allows you to specify when to add a flow to the flowtable (On forward filtering, red circle number 6)"
+msgstr "Once the first packet of the flow successfully goes through the IP forwarding path (black circles path), from the second packet on, you might decide to offload the flow to the flowtable through your ruleset. The flowtable infrastructure provides a rule action that allows you to specify when to add a flow to the flowtable (On forward filtering, red circle number 6)"
+
 #: ../../configuration/service/pppoe-server.rst:63
 msgid "Once the local tunnel endpoint ``set service pppoe-server gateway-address '10.1.1.2'`` has been defined, the client IP pool can be either defined as a range or as subnet using CIDR notation. If the CIDR notation is used, multiple subnets can be setup which are used sequentially."
 msgstr "Once the local tunnel endpoint ``set service pppoe-server gateway-address '10.1.1.2'`` has been defined, the client IP pool can be either defined as a range or as subnet using CIDR notation. If the CIDR notation is used, multiple subnets can be setup which are used sequentially."
@@ -9614,11 +8953,11 @@ msgstr "Once the local tunnel endpoint ``set service pppoe-server gateway-addres
 msgid "Once the matching rules are set for a class, you can start configuring how you want matching traffic to behave."
 msgstr "Once the matching rules are set for a class, you can start configuring how you want matching traffic to behave."
 
-#: ../../configuration/service/pppoe-server.rst:224
+#: ../../configuration/service/pppoe-server.rst:211
 msgid "Once the user is connected, the user session is using the set limits and can be displayed via 'show pppoe-server sessions'."
 msgstr "Once the user is connected, the user session is using the set limits and can be displayed via 'show pppoe-server sessions'."
 
-#: ../../configuration/vpn/openconnect.rst:250
+#: ../../configuration/vpn/openconnect.rst:257
 msgid "Once you commit the above changes you can create a config file in the /config/auth/ocserv/config-per-user directory that matches a username of a user you have created e.g. \"tst\". Now when logging in with the \"tst\" user the config options you set in this file will be loaded."
 msgstr "Once you commit the above changes you can create a config file in the /config/auth/ocserv/config-per-user directory that matches a username of a user you have created e.g. \"tst\". Now when logging in with the \"tst\" user the config options you set in this file will be loaded."
 
@@ -9626,7 +8965,7 @@ msgstr "Once you commit the above changes you can create a config file in the /c
 msgid "Once you have an Ethernet device connected, i.e. `eth0`, then you can configure it to open the PPPoE session for you and your DSL Transceiver (Modem/Router) just acts to translate your messages in a way that vDSL/aDSL understands."
 msgstr "Once you have an Ethernet device connected, i.e. `eth0`, then you can configure it to open the PPPoE session for you and your DSL Transceiver (Modem/Router) just acts to translate your messages in a way that vDSL/aDSL understands."
 
-#: ../../configuration/vpn/sstp.rst:295
+#: ../../configuration/vpn/sstp.rst:307
 msgid "Once you have setup your SSTP server there comes the time to do some basic testing. The Linux client used for testing is called sstpc_. sstpc_ requires a PPP configuration/peer file."
 msgstr "Once you have setup your SSTP server there comes the time to do some basic testing. The Linux client used for testing is called sstpc_. sstpc_ requires a PPP configuration/peer file."
 
@@ -9650,11 +8989,6 @@ msgstr "One of the important features built on top of the Netfilter framework is
 msgid "One of the uses of Fair Queue might be the mitigation of Denial of Service attacks."
 msgstr "One of the uses of Fair Queue might be the mitigation of Denial of Service attacks."
 
-#: ../../_include/interface-vlan-8021q.txt:32
-#: ../../_include/interface-vlan-8021q.txt:32
-#: ../../_include/interface-vlan-8021q.txt:32
-#: ../../_include/interface-vlan-8021q.txt:32
-#: ../../_include/interface-vlan-8021q.txt:32
 #: ../../_include/interface-vlan-8021q.txt:32
 msgid "Only 802.1Q-tagged packets are accepted on Ethernet vifs."
 msgstr "Only 802.1Q-tagged packets are accepted on Ethernet vifs."
@@ -9663,8 +8997,12 @@ msgstr "Only 802.1Q-tagged packets are accepted on Ethernet vifs."
 msgid "Only VRRP is supported. Required option."
 msgstr "Only VRRP is supported. Required option."
 
-#: ../../configuration/firewall/general.rst:731
-#: ../../configuration/firewall/general-legacy.rst:490
+#: ../../configuration/service/https.rst:18
+msgid "Only allow certain IP addresses or prefixes to access the https webserver."
+msgstr "Only allow certain IP addresses or prefixes to access the https webserver."
+
+#: ../../configuration/firewall/ipv4.rst:459
+#: ../../configuration/firewall/ipv6.rst:466
 msgid "Only in the source criteria, you can specify a mac-address."
 msgstr "Only in the source criteria, you can specify a mac-address."
 
@@ -9672,22 +9010,7 @@ msgstr "Only in the source criteria, you can specify a mac-address."
 msgid "Only one SRGB and default SPF Algorithm is supported"
 msgstr "Only one SRGB and default SPF Algorithm is supported"
 
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
-#: ../../_include/interface-dhcp-options.txt:43
+#: ../../_include/interface-dhcp-options.txt:48
 msgid "Only request an address from the DHCP server but do not request a default gateway."
 msgstr "Only request an address from the DHCP server but do not request a default gateway."
 
@@ -9703,6 +9026,10 @@ msgstr "Only request an address from the SSTP server but do not install any defa
 msgid "Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that the key will usually be several hundred characters long, and you will need to copy and paste it. Some terminal emulators may accidentally split this over several lines. Be attentive when you paste it that it only pastes as a single line. The third part is simply an identifier, and is for your own reference."
 msgstr "Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that the key will usually be several hundred characters long, and you will need to copy and paste it. Some terminal emulators may accidentally split this over several lines. Be attentive when you paste it that it only pastes as a single line. The third part is simply an identifier, and is for your own reference."
 
+#: ../../configuration/interfaces/vxlan.rst:96
+msgid "Only works with a VXLAN device with external flag set."
+msgstr "Only works with a VXLAN device with external flag set."
+
 #: ../../configuration/highavailability/index.rst:457
 msgid "Op-mode check virtual-server status"
 msgstr "Op-mode check virtual-server status"
@@ -9715,15 +9042,15 @@ msgstr "OpenConnect"
 msgid "OpenConnect-compatible server feature is available from this release. Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol."
 msgstr "OpenConnect-compatible server feature is available from this release. Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol."
 
-#: ../../configuration/vpn/openconnect.rst:274
+#: ../../configuration/vpn/openconnect.rst:281
 msgid "OpenConnect can be configured to send accounting information to a RADIUS server to capture user session data such as time of connect/disconnect, data transferred, and so on."
 msgstr "OpenConnect can be configured to send accounting information to a RADIUS server to capture user session data such as time of connect/disconnect, data transferred, and so on."
 
-#: ../../configuration/vpn/openconnect.rst:267
+#: ../../configuration/vpn/openconnect.rst:274
 msgid "OpenConnect server matches the filename in a case sensitive manner, make sure the username/group name you configure matches the filename exactly."
 msgstr "OpenConnect server matches the filename in a case sensitive manner, make sure the username/group name you configure matches the filename exactly."
 
-#: ../../configuration/vpn/openconnect.rst:228
+#: ../../configuration/vpn/openconnect.rst:235
 msgid "OpenConnect supports a subset of it's configuration options to be applied on a per user/group basis, for configuration purposes we refer to this functionality as \"Identity based config\". The following `OpenConnect Server Manual <https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that% 20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group>`_ outlines the set of configuration options that are allowed. This can be leveraged to apply different sets of configs to different users or groups of users."
 msgstr "OpenConnect supports a subset of it's configuration options to be applied on a per user/group basis, for configuration purposes we refer to this functionality as \"Identity based config\". The following `OpenConnect Server Manual <https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that% 20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group>`_ outlines the set of configuration options that are allowed. This can be leveraged to apply different sets of configs to different users or groups of users."
 
@@ -9778,27 +9105,34 @@ msgstr "Operating Modes"
 #: ../../configuration/interfaces/virtual-ethernet.rst:55
 #: ../../configuration/interfaces/wireless.rst:416
 #: ../../configuration/interfaces/wwan.rst:79
-#: ../../configuration/pki/index.rst:252
-#: ../../configuration/protocols/igmp.rst:245
+#: ../../configuration/pki/index.rst:290
+#: ../../configuration/protocols/igmp-proxy.rst:73
 #: ../../configuration/protocols/static.rst:183
 #: ../../configuration/service/conntrack-sync.rst:103
 #: ../../configuration/service/console-server.rst:76
 #: ../../configuration/service/dhcp-relay.rst:124
-#: ../../configuration/service/dhcp-relay.rst:199
-#: ../../configuration/service/dns.rst:182
+#: ../../configuration/service/dhcp-relay.rst:201
+#: ../../configuration/service/dns.rst:195
 #: ../../configuration/service/lldp.rst:71
+#: ../../configuration/service/mdns.rst:79
 #: ../../configuration/service/ssh.rst:145
 #: ../../configuration/service/webproxy.rst:330
 #: ../../configuration/system/default-route.rst:25
 #: ../../configuration/system/flow-accounting.rst:175
 #: ../../configuration/vrf/index.rst:111
-#: ../../configuration/vrf/index.rst:321
-#: ../../configuration/vrf/index.rst:501
+#: ../../configuration/vrf/index.rst:323
+#: ../../configuration/vrf/index.rst:503
 msgid "Operation"
 msgstr "Operation"
 
-#: ../../configuration/firewall/general.rst:1307
-#: ../../configuration/firewall/general-legacy.rst:778
+#: ../../configuration/firewall/groups.rst:186
+#: ../../configuration/firewall/zone.rst:128
+msgid "Operation-mode"
+msgstr "Operation-mode"
+
+#: ../../configuration/firewall/bridge.rst:284
+#: ../../configuration/firewall/ipv4.rst:954
+#: ../../configuration/firewall/ipv6.rst:962
 msgid "Operation-mode Firewall"
 msgstr "Operation-mode Firewall"
 
@@ -9806,8 +9140,8 @@ msgstr "Operation-mode Firewall"
 msgid "Operation Commands"
 msgstr "Operation Commands"
 
-#: ../../configuration/service/dhcp-server.rst:512
-#: ../../configuration/service/dhcp-server.rst:732
+#: ../../configuration/service/dhcp-server.rst:412
+#: ../../configuration/service/dhcp-server.rst:664
 #: ../../configuration/system/acceleration.rst:42
 msgid "Operation Mode"
 msgstr "Operation Mode"
@@ -9825,7 +9159,7 @@ msgstr "Operational Commands"
 #: ../../configuration/protocols/bgp.rst:950
 #: ../../configuration/protocols/mpls.rst:218
 #: ../../configuration/protocols/ospf.rst:609
-#: ../../configuration/protocols/ospf.rst:1266
+#: ../../configuration/protocols/ospf.rst:1268
 #: ../../configuration/protocols/rip.rst:193
 msgid "Operational Mode Commands"
 msgstr "Operational Mode Commands"
@@ -9843,11 +9177,11 @@ msgstr "Option"
 msgid "Option 43 for UniFI"
 msgstr "Option 43 for UniFI"
 
-#: ../../configuration/service/dhcp-server.rst:267
+#: ../../configuration/service/dhcp-server.rst:234
 msgid "Option description"
 msgstr "Option description"
 
-#: ../../configuration/service/dhcp-server.rst:265
+#: ../../configuration/service/dhcp-server.rst:232
 msgid "Option number"
 msgstr "Option number"
 
@@ -9886,15 +9220,19 @@ msgstr "Optional/default settings"
 msgid "Optional Configuration"
 msgstr "Optional Configuration"
 
+#: ../../configuration/protocols/pim.rst:123
+msgid "Optional parameter prefix-list can be use to control which groups to switch or not switch. If a group is PERMIT as per the prefix-list, then the SPT switchover does not happen for it and if it is DENY, then the SPT switchover happens."
+msgstr "Optional parameter prefix-list can be use to control which groups to switch or not switch. If a group is PERMIT as per the prefix-list, then the SPT switchover does not happen for it and if it is DENY, then the SPT switchover happens."
+
 #: ../../configuration/container/index.rst:47
 msgid "Optionally set a specific static IPv4 or IPv6 address for the container. This address must be within the named network prefix."
 msgstr "Optionally set a specific static IPv4 or IPv6 address for the container. This address must be within the named network prefix."
 
 #: ../../configuration/interfaces/openvpn.rst:631
 #: ../../configuration/service/dhcp-relay.rst:53
-#: ../../configuration/service/dhcp-relay.rst:158
-#: ../../configuration/service/dhcp-server.rst:257
-#: ../../configuration/vpn/sstp.rst:219
+#: ../../configuration/service/dhcp-relay.rst:160
+#: ../../configuration/service/dhcp-server.rst:224
+#: ../../configuration/vpn/sstp.rst:230
 msgid "Options"
 msgstr "Options"
 
@@ -9918,11 +9256,11 @@ msgstr "Or **binary** prefixes."
 msgid "Originate an AS-External (type-5) LSA describing a default route into all external-routing capable areas, of the specified metric and metric type. If the :cfgcmd:`always` keyword is given then the default is always advertised, even when there is no default present in the routing table. The argument :cfgcmd:`route-map` specifies to advertise the default route if the route map is satisfied."
 msgstr "Originate an AS-External (type-5) LSA describing a default route into all external-routing capable areas, of the specified metric and metric type. If the :cfgcmd:`always` keyword is given then the default is always advertised, even when there is no default present in the routing table. The argument :cfgcmd:`route-map` specifies to advertise the default route if the route map is satisfied."
 
-#: ../../configuration/service/pppoe-server.rst:251
+#: ../../configuration/service/pppoe-server.rst:238
 msgid "Other attributes can be used, but they have to be in one of the dictionaries in */usr/share/accel-ppp/radius*."
 msgstr "Other attributes can be used, but they have to be in one of the dictionaries in */usr/share/accel-ppp/radius*."
 
-#: ../../configuration/nat/nat44.rst:512
+#: ../../configuration/nat/nat44.rst:532
 msgid "Our configuration commands would be:"
 msgstr "Our configuration commands would be:"
 
@@ -9962,9 +9300,14 @@ msgstr "Over UDP"
 msgid "Override static-mapping's name-server with a custom one that will be sent only to this host."
 msgstr "Override static-mapping's name-server with a custom one that will be sent only to this host."
 
-#: ../../configuration/firewall/general.rst:11
-#: ../../configuration/firewall/general-legacy.rst:15
+#: ../../configuration/firewall/bridge.rst:13
+#: ../../configuration/firewall/flowtables.rst:13
+#: ../../configuration/firewall/global-options.rst:11
+#: ../../configuration/firewall/ipv4.rst:11
+#: ../../configuration/firewall/ipv6.rst:11
+#: ../../configuration/firewall/zone.rst:11
 #: ../../configuration/nat/nat44.rst:68
+#: ../../configuration/nat/nat64.rst:18
 #: ../../configuration/nat/nat66.rst:15
 msgid "Overview"
 msgstr "Overview"
@@ -9973,8 +9316,8 @@ msgstr "Overview"
 msgid "Overview and basic concepts"
 msgstr "Overview and basic concepts"
 
-#: ../../configuration/firewall/general.rst:1461
-#: ../../configuration/firewall/general-legacy.rst:908
+#: ../../configuration/firewall/groups.rst:190
+#: ../../configuration/firewall/ipv6.rst:1117
 msgid "Overview of defined groups. You see the type, the members, and where the group is used."
 msgstr "Overview of defined groups. You see the type, the members, and where the group is used."
 
@@ -9994,14 +9337,22 @@ msgstr "PC2 is in VRF ``blue`` which is the development department"
 msgid "PC3 and PC4 are connected to a bridge device on router ``R1`` which is in VRF ``red``. Say this is the HR department."
 msgstr "PC3 and PC4 are connected to a bridge device on router ``R1`` which is in VRF ``red``. Say this is the HR department."
 
-#: ../../configuration/interfaces/vxlan.rst:109
+#: ../../configuration/interfaces/vxlan.rst:130
 msgid "PC4 has IP 10.0.0.4/24 and PC5 has IP 10.0.0.5/24, so they believe they are in the same broadcast domain."
 msgstr "PC4 has IP 10.0.0.4/24 and PC5 has IP 10.0.0.5/24, so they believe they are in the same broadcast domain."
 
-#: ../../configuration/interfaces/vxlan.rst:120
+#: ../../configuration/interfaces/vxlan.rst:141
 msgid "PC5 receives the ping echo, responds with an echo reply that Leaf3 receives and this time forwards to Leaf2's unicast address directly because it learned the location of PC4 above. When Leaf2 receives the echo reply from PC5 it sees that it came from Leaf3 and so remembers that PC5 is reachable via Leaf3."
 msgstr "PC5 receives the ping echo, responds with an echo reply that Leaf3 receives and this time forwards to Leaf2's unicast address directly because it learned the location of PC4 above. When Leaf2 receives the echo reply from PC5 it sees that it came from Leaf3 and so remembers that PC5 is reachable via Leaf3."
 
+#: ../../configuration/protocols/pim.rst:31
+msgid "PIM-SM - PIM Sparse Mode"
+msgstr "PIM-SM - PIM Sparse Mode"
+
+#: ../../configuration/protocols/pim6.rst:5
+msgid "PIM6 - Protocol Independent Multicast for IPv6"
+msgstr "PIM6 - Protocol Independent Multicast for IPv6"
+
 #: ../../configuration/protocols/igmp.rst:16
 msgid "PIM (Protocol Independent Multicast) must be configured in every interface of every participating router. Every router must also have the location of the Rendevouz Point manually configured. Then, unidirectional shared trees rooted at the Rendevouz Point will automatically be built for multicast distribution."
 msgstr "PIM (Protocol Independent Multicast) must be configured in every interface of every participating router. Every router must also have the location of the Rendevouz Point manually configured. Then, unidirectional shared trees rooted at the Rendevouz Point will automatically be built for multicast distribution."
@@ -10010,6 +9361,10 @@ msgstr "PIM (Protocol Independent Multicast) must be configured in every interfa
 msgid "PIM and IGMP"
 msgstr "PIM and IGMP"
 
+#: ../../configuration/protocols/pim.rst:7
+msgid "PIM – Protocol Independent Multicast"
+msgstr "PIM – Protocol Independent Multicast"
+
 #: ../../configuration/protocols/pim6.rst:9
 msgid "PIMv6 (Protocol Independent Multicast for IPv6) must be configured in every interface of every participating router. Every router must also have the location of the Rendevouz Point manually configured. Then, unidirectional shared trees rooted at the Rendevouz Point will automatically be built for multicast distribution."
 msgstr "PIMv6 (Protocol Independent Multicast for IPv6) must be configured in every interface of every participating router. Every router must also have the location of the Rendevouz Point manually configured. Then, unidirectional shared trees rooted at the Rendevouz Point will automatically be built for multicast distribution."
@@ -10022,7 +9377,7 @@ msgstr "PKI"
 msgid "PPDU"
 msgstr "PPDU"
 
-#: ../../configuration/vpn/sstp.rst:163
+#: ../../configuration/vpn/sstp.rst:174
 msgid "PPP Settings"
 msgstr "PPP Settings"
 
@@ -10054,11 +9409,11 @@ msgstr "Particularly large networks may wish to run their own RPKI certificate a
 msgid "Path `<cost>` value for Spanning Tree Protocol. Each interface in a bridge could have a different speed and this value is used when deciding which link to use. Faster interfaces should have lower costs."
 msgstr "Path `<cost>` value for Spanning Tree Protocol. Each interface in a bridge could have a different speed and this value is used when deciding which link to use. Faster interfaces should have lower costs."
 
-#: ../../configuration/vpn/sstp.rst:155
+#: ../../configuration/vpn/sstp.rst:166
 msgid "Path to `<file>` pointing to the certificate authority certificate."
 msgstr "Path to `<file>` pointing to the certificate authority certificate."
 
-#: ../../configuration/vpn/sstp.rst:159
+#: ../../configuration/vpn/sstp.rst:170
 msgid "Path to `<file>` pointing to the servers certificate (public portion)."
 msgstr "Path to `<file>` pointing to the servers certificate (public portion)."
 
@@ -10102,7 +9457,7 @@ msgstr "Per default VyOSs has minimal syslog logging enabled which is stored and
 msgid "Per default every packet is sampled (that is, the sampling rate is 1)."
 msgstr "Per default every packet is sampled (that is, the sampling rate is 1)."
 
-#: ../../configuration/service/pppoe-server.rst:336
+#: ../../configuration/service/pppoe-server.rst:323
 msgid "Per default the user session is being replaced if a second authentication request succeeds. Such session requests can be either denied or allowed entirely, which would allow multiple sessions for a user in the latter case. If it is denied, the second session is being rejected even if the authentication succeeds, the user has to terminate its first session and can then authentication again."
 msgstr "Per default the user session is being replaced if a second authentication request succeeds. Such session requests can be either denied or allowed entirely, which would allow multiple sessions for a user in the latter case. If it is denied, the second session is being rejected even if the authentication succeeds, the user has to terminate its first session and can then authentication again."
 
@@ -10126,29 +9481,6 @@ msgstr "Ping uses ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an I
 msgid "Pinging (IPv6) the other host and intercepting the traffic in ``eth1`` will show you the content is encrypted."
 msgstr "Pinging (IPv6) the other host and intercepting the traffic in ``eth1`` will show you the content is encrypted."
 
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
-#: ../../_include/interface-vrf.txt:4
 #: ../../_include/interface-vrf.txt:4
 msgid "Place interface in given VRF instance."
 msgstr "Place interface in given VRF instance."
@@ -10157,6 +9489,14 @@ msgstr "Place interface in given VRF instance."
 msgid "Play an audible beep to the system speaker when system is ready."
 msgstr "Play an audible beep to the system speaker when system is ready."
 
+#: ../../configuration/firewall/index.rst:137
+msgid "Please, refer to appropiate section for more information about firewall configuration:"
+msgstr "Please, refer to appropiate section for more information about firewall configuration:"
+
+#: ../../configuration/firewall/index.rst:138
+msgid "Please, refer to appropriate section for more information about firewall configuration:"
+msgstr "Please, refer to appropriate section for more information about firewall configuration:"
+
 #: ../../configuration/service/ipoe-server.rst:23
 msgid "Please be aware, due to an upstream bug, config changes/commits will restart the ppp daemon and will reset existing IPoE sessions, in order to become effective."
 msgstr "Please be aware, due to an upstream bug, config changes/commits will restart the ppp daemon and will reset existing IPoE sessions, in order to become effective."
@@ -10173,23 +9513,10 @@ msgstr "Please refer to the :ref:`ipsec` documentation for the individual IPSec
 msgid "Please refer to the :ref:`tunnel-interface` documentation for the individual tunnel related options."
 msgstr "Please refer to the :ref:`tunnel-interface` documentation for the individual tunnel related options."
 
-#: ../../configuration/service/dhcp-server.rst:423
+#: ../../configuration/service/dhcp-server.rst:364
 msgid "Please see the :ref:`dhcp-dns-quick-start` configuration."
 msgstr "Please see the :ref:`dhcp-dns-quick-start` configuration."
 
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
-#: ../../_include/need_improvement.txt:13
 #: ../../_include/need_improvement.txt:13
 msgid "Please take a look at the Contributing Guide for our :ref:`documentation`."
 msgstr "Please take a look at the Contributing Guide for our :ref:`documentation`."
@@ -10230,12 +9557,11 @@ msgstr "Policy Sections"
 msgid "Policy for checking targets"
 msgstr "Policy for checking targets"
 
-#: ../../configuration/system/conntrack.rst:152
+#: ../../configuration/system/conntrack.rst:57
 msgid "Policy to track previously established connections."
 msgstr "Policy to track previously established connections."
 
-#: ../../configuration/firewall/general.rst:257
-#: ../../configuration/firewall/general-legacy.rst:215
+#: ../../configuration/firewall/groups.rst:84
 msgid "Port Groups"
 msgstr "Port Groups"
 
@@ -10245,7 +9571,7 @@ msgstr "Port Groups"
 msgid "Port Mirror (SPAN)"
 msgstr "Port Mirror (SPAN)"
 
-#: ../../configuration/vpn/sstp.rst:231
+#: ../../configuration/vpn/sstp.rst:242
 msgid "Port for Dynamic Authorization Extension server (DM/CoA)"
 msgstr "Port for Dynamic Authorization Extension server (DM/CoA)"
 
@@ -10261,15 +9587,10 @@ msgstr "Port number used by connection, default is ``9273``"
 msgid "Port number used by connection."
 msgstr "Port number used by connection."
 
-#: ../../configuration/service/https.rst:46
+#: ../../configuration/service/https.rst:37
 msgid "Port to listen for HTTPS requests; default 443"
 msgstr "Port to listen for HTTPS requests; default 443"
 
-#: ../../_include/interface-vlan-8021q.txt:9
-#: ../../_include/interface-vlan-8021q.txt:9
-#: ../../_include/interface-vlan-8021q.txt:9
-#: ../../_include/interface-vlan-8021q.txt:9
-#: ../../_include/interface-vlan-8021q.txt:9
 #: ../../_include/interface-vlan-8021q.txt:9
 msgid "Portions of the network which are VLAN-aware (i.e., IEEE 802.1q_ conformant) can include VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native VLAN."
 msgstr "Portions of the network which are VLAN-aware (i.e., IEEE 802.1q_ conformant) can include VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native VLAN."
@@ -10335,7 +9656,7 @@ msgstr "Preference associated with the default router"
 msgid "Prefix Conversion"
 msgstr "Prefix Conversion"
 
-#: ../../configuration/service/dhcp-server.rst:634
+#: ../../configuration/service/dhcp-server.rst:564
 msgid "Prefix Delegation"
 msgstr "Prefix Delegation"
 
@@ -10387,11 +9708,11 @@ msgstr "Prepend the given string of AS numbers to the AS_PATH of the BGP path's
 msgid "Principle of SNMP Communication"
 msgstr "Principle of SNMP Communication"
 
-#: ../../configuration/vrf/index.rst:530
+#: ../../configuration/vrf/index.rst:532
 msgid "Print a summary of neighbor connections for the specified AFI/SAFI combination."
 msgstr "Print a summary of neighbor connections for the specified AFI/SAFI combination."
 
-#: ../../configuration/vrf/index.rst:509
+#: ../../configuration/vrf/index.rst:511
 msgid "Print active IPV4 or IPV6 routes advertised via the VPN SAFI."
 msgstr "Print active IPV4 or IPV6 routes advertised via the VPN SAFI."
 
@@ -10408,25 +9729,6 @@ msgstr "Priority Queue"
 msgid "Priority Queue, as other non-shaping policies, is only useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and Priority Queue will have no effect. If there is bandwidth available on the physical link, you can embed_ Priority Queue into a classful shaping policy to make sure it owns the queue. In that case packets can be prioritized based on DSCP."
 msgstr "Priority Queue, as other non-shaping policies, is only useful if your outgoing interface is really full. If it is not, VyOS will not own the queue and Priority Queue will have no effect. If there is bandwidth available on the physical link, you can embed_ Priority Queue into a classful shaping policy to make sure it owns the queue. In that case packets can be prioritized based on DSCP."
 
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
-#: ../../_include/interface-ip.txt:153
 #: ../../_include/interface-ip.txt:153
 msgid "Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received)."
 msgstr "Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received)."
@@ -10455,8 +9757,7 @@ msgstr "Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp."
 msgid "Provide TFTP server listening on both IPv4 and IPv6 addresses ``192.0.2.1`` and ``2001:db8::1`` serving the content from ``/config/tftpboot``. Uploading via TFTP to this server is disabled."
 msgstr "Provide TFTP server listening on both IPv4 and IPv6 addresses ``192.0.2.1`` and ``2001:db8::1`` serving the content from ``/config/tftpboot``. Uploading via TFTP to this server is disabled."
 
-#: ../../configuration/firewall/general.rst:212
-#: ../../configuration/firewall/general-legacy.rst:188
+#: ../../configuration/firewall/groups.rst:39
 msgid "Provide a IPv4 or IPv6 address group description"
 msgstr "Provide a IPv4 or IPv6 address group description"
 
@@ -10464,39 +9765,43 @@ msgstr "Provide a IPv4 or IPv6 address group description"
 msgid "Provide a IPv4 or IPv6 network group description."
 msgstr "Provide a IPv4 or IPv6 network group description."
 
-#: ../../configuration/firewall/general.rst:515
-#: ../../configuration/firewall/general-legacy.rst:334
+#: ../../configuration/firewall/ipv4.rst:285
+#: ../../configuration/firewall/ipv6.rst:285
 #: ../../configuration/policy/route.rst:30
 msgid "Provide a description for each rule."
 msgstr "Provide a description for each rule."
 
-#: ../../configuration/firewall/general.rst:314
+#: ../../configuration/firewall/flowtables.rst:75
+msgid "Provide a description to the flow table."
+msgstr "Provide a description to the flow table."
+
+#: ../../configuration/firewall/groups.rst:141
 msgid "Provide a domain group description."
 msgstr "Provide a domain group description."
 
-#: ../../configuration/firewall/general.rst:297
+#: ../../configuration/firewall/groups.rst:124
 msgid "Provide a mac group description."
 msgstr "Provide a mac group description."
 
-#: ../../configuration/firewall/general.rst:279
-#: ../../configuration/firewall/general-legacy.rst:237
+#: ../../configuration/firewall/groups.rst:106
 msgid "Provide a port group description."
 msgstr "Provide a port group description."
 
-#: ../../configuration/firewall/general-legacy.rst:281
 #: ../../configuration/policy/route.rst:20
 msgid "Provide a rule-set description."
 msgstr "Provide a rule-set description."
 
-#: ../../configuration/firewall/general.rst:503
+#: ../../configuration/firewall/bridge.rst:205
+#: ../../configuration/firewall/ipv4.rst:275
+#: ../../configuration/firewall/ipv6.rst:275
 msgid "Provide a rule-set description to a custom firewall chain."
 msgstr "Provide a rule-set description to a custom firewall chain."
 
-#: ../../configuration/firewall/general.rst:236
+#: ../../configuration/firewall/groups.rst:63
 msgid "Provide an IPv4 or IPv6 network group description."
 msgstr "Provide an IPv4 or IPv6 network group description."
 
-#: ../../configuration/firewall/general.rst:254
+#: ../../configuration/firewall/groups.rst:81
 msgid "Provide an interface group description"
 msgstr "Provide an interface group description"
 
@@ -10508,7 +9813,6 @@ msgstr "Provider - Customer"
 msgid "Provides a backbone area coherence by virtual link establishment."
 msgstr "Provides a backbone area coherence by virtual link establishment."
 
-#: ../../_include/interface-per-client-thread.txt:4
 #: ../../_include/interface-per-client-thread.txt:4
 msgid "Provides a per-device control to enable/disable the threaded mode for all the NAPI instances of the given network device, without the need for a device up/down."
 msgstr "Provides a per-device control to enable/disable the threaded mode for all the NAPI instances of the given network device, without the need for a device up/down."
@@ -10584,7 +9888,7 @@ msgid "R2 has 192.0.2.2/24 & 2001:db8::2/64"
 msgstr "R2 has 192.0.2.2/24 & 2001:db8::2/64"
 
 #: ../../configuration/system/login.rst:234
-#: ../../configuration/vpn/sstp.rst:196
+#: ../../configuration/vpn/sstp.rst:207
 msgid "RADIUS"
 msgstr "RADIUS"
 
@@ -10604,7 +9908,7 @@ msgstr "RADIUS authentication"
 msgid "RADIUS bandwidth shaping attribute"
 msgstr "RADIUS bandwidth shaping attribute"
 
-#: ../../configuration/service/pppoe-server.rst:125
+#: ../../configuration/service/pppoe-server.rst:112
 msgid "RADIUS provides the IP addresses in the example above via Framed-IP-Address."
 msgstr "RADIUS provides the IP addresses in the example above via Framed-IP-Address."
 
@@ -10624,7 +9928,7 @@ msgstr "RADIUS source address"
 msgid "RFC 3768 defines a virtual MAC address to each VRRP virtual router. This virtual router MAC address will be used as the source in all periodic VRRP messages sent by the active node. When the rfc3768-compatibility option is set, a new VRRP interface is created, to which the MAC address and the virtual IP address is automatically assigned."
 msgstr "RFC 3768 defines a virtual MAC address to each VRRP virtual router. This virtual router MAC address will be used as the source in all periodic VRRP messages sent by the active node. When the rfc3768-compatibility option is set, a new VRRP interface is created, to which the MAC address and the virtual IP address is automatically assigned."
 
-#: ../../configuration/service/dhcp-server.rst:289
+#: ../../configuration/service/dhcp-server.rst:256
 msgid "RFC 868 time server IPv4 address"
 msgstr "RFC 868 time server IPv4 address"
 
@@ -10740,11 +10044,11 @@ msgstr "Recommended for larger installations."
 msgid "Redirect HTTP to HTTPS"
 msgstr "Redirect HTTP to HTTPS"
 
-#: ../../configuration/nat/nat44.rst:417
+#: ../../configuration/nat/nat44.rst:431
 msgid "Redirect Microsoft RDP traffic from the internal (LAN, private) network via :ref:`destination-nat` in rule 110 to the internal, private host 192.0.2.40. We also need a :ref:`source-nat` rule 110 for the reverse path of the traffic. The internal network 192.0.2.0/24 is reachable via interface `eth0.10`."
 msgstr "Redirect Microsoft RDP traffic from the internal (LAN, private) network via :ref:`destination-nat` in rule 110 to the internal, private host 192.0.2.40. We also need a :ref:`source-nat` rule 110 for the reverse path of the traffic. The internal network 192.0.2.0/24 is reachable via interface `eth0.10`."
 
-#: ../../configuration/nat/nat44.rst:413
+#: ../../configuration/nat/nat44.rst:427
 msgid "Redirect Microsoft RDP traffic from the outside (WAN, external) world via :ref:`destination-nat` in rule 100 to the internal, private host 192.0.2.40."
 msgstr "Redirect Microsoft RDP traffic from the outside (WAN, external) world via :ref:`destination-nat` in rule 100 to the internal, private host 192.0.2.40."
 
@@ -10755,7 +10059,7 @@ msgstr "Redirect URL to a new location"
 #: ../../configuration/protocols/babel.rst:154
 #: ../../configuration/protocols/bgp.rst:557
 #: ../../configuration/protocols/ospf.rst:564
-#: ../../configuration/protocols/ospf.rst:1249
+#: ../../configuration/protocols/ospf.rst:1251
 #: ../../configuration/protocols/rip.rst:136
 msgid "Redistribution Configuration"
 msgstr "Redistribution Configuration"
@@ -10764,7 +10068,7 @@ msgstr "Redistribution Configuration"
 msgid "Redundancy and load sharing. There are multiple NAT66 devices at the edge of an IPv6 network to another IPv6 network. The path through the NAT66 device to another IPv6 network forms an equivalent route, and traffic can be load-shared on these NAT66 devices. In this case, you can configure the same source address translation rules on these NAT66 devices, so that any NAT66 device can handle IPv6 traffic between different sites."
 msgstr "Redundancy and load sharing. There are multiple NAT66 devices at the edge of an IPv6 network to another IPv6 network. The path through the NAT66 device to another IPv6 network forms an equivalent route, and traffic can be load-shared on these NAT66 devices. In this case, you can configure the same source address translation rules on these NAT66 devices, so that any NAT66 device can handle IPv6 traffic between different sites."
 
-#: ../../configuration/service/dns.rst:265
+#: ../../configuration/service/dns.rst:278
 msgid "Register DNS record ``example.vyos.io`` on DNS server ``ns1.vyos.io``"
 msgstr "Register DNS record ``example.vyos.io`` on DNS server ``ns1.vyos.io``"
 
@@ -10790,22 +10094,7 @@ msgstr "Regular expression to match against an AS path. For example \"64501 6450
 msgid "Regular expression to match against an extended community list, where text could be:"
 msgstr "Regular expression to match against an extended community list, where text could be:"
 
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
-#: ../../_include/interface-dhcp-options.txt:66
+#: ../../_include/interface-dhcp-options.txt:71
 msgid "Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting."
 msgstr "Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting."
 
@@ -10858,7 +10147,7 @@ msgstr "Remote ``InfluxDB`` bucket name"
 msgid "Remote database name."
 msgstr "Remote database name."
 
-#: ../../configuration/service/dhcp-server.rst:182
+#: ../../configuration/service/dhcp-server.rst:147
 msgid "Remote peer IP `<address>` of the second DHCP server in this failover cluster."
 msgstr "Remote peer IP `<address>` of the second DHCP server in this failover cluster."
 
@@ -10882,26 +10171,11 @@ msgstr "Repeat the procedure on the other router."
 msgid "Replay protection"
 msgstr "Replay protection"
 
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
-#: ../../_include/interface-dhcpv6-options.txt:50
 #: ../../_include/interface-dhcpv6-options.txt:50
 msgid "Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses) partnership."
 msgstr "Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses) partnership."
 
-#: ../../configuration/service/dhcp-relay.rst:175
+#: ../../configuration/service/dhcp-relay.rst:177
 msgid "Requests are forwarded through ``eth2`` as the `upstream interface`"
 msgstr "Requests are forwarded through ``eth2`` as the `upstream interface`"
 
@@ -10917,11 +10191,12 @@ msgstr "Requirements"
 msgid "Requirements:"
 msgstr "Requirements:"
 
-#: ../../configuration/firewall/general.rst:1279
+#: ../../configuration/firewall/ipv4.rst:926
+#: ../../configuration/firewall/ipv6.rst:935
 msgid "Requirements to enable synproxy:"
 msgstr "Requirements to enable synproxy:"
 
-#: ../../configuration/protocols/bgp.rst:1063
+#: ../../configuration/protocols/bgp.rst:1064
 #: ../../configuration/protocols/mpls.rst:248
 msgid "Reset"
 msgstr "Reset"
@@ -10930,11 +10205,11 @@ msgstr "Reset"
 msgid "Reset OpenVPN"
 msgstr "Reset OpenVPN"
 
-#: ../../configuration/system/ipv6.rst:176
+#: ../../configuration/system/ipv6.rst:150
 msgid "Reset commands"
 msgstr "Reset commands"
 
-#: ../../configuration/service/dns.rst:186
+#: ../../configuration/service/dns.rst:199
 msgid "Resets the local DNS forwarding cache database. You can reset the cache for all entries or only for entries to a specific domain."
 msgstr "Resets the local DNS forwarding cache database. You can reset the cache for all entries or only for entries to a specific domain."
 
@@ -10946,7 +10221,7 @@ msgstr "Restart"
 msgid "Restart DHCP relay service"
 msgstr "Restart DHCP relay service"
 
-#: ../../configuration/service/dhcp-relay.rst:203
+#: ../../configuration/service/dhcp-relay.rst:205
 msgid "Restart DHCPv6 relay agent immediately."
 msgstr "Restart DHCPv6 relay agent immediately."
 
@@ -10954,11 +10229,15 @@ msgstr "Restart DHCPv6 relay agent immediately."
 msgid "Restart a given container"
 msgstr "Restart a given container"
 
-#: ../../configuration/service/dhcp-server.rst:528
+#: ../../configuration/service/mdns.rst:83
+msgid "Restart mDNS repeater service."
+msgstr "Restart mDNS repeater service."
+
+#: ../../configuration/service/dhcp-server.rst:428
 msgid "Restart the DHCP server"
 msgstr "Restart the DHCP server"
 
-#: ../../configuration/protocols/igmp.rst:249
+#: ../../configuration/protocols/igmp-proxy.rst:77
 msgid "Restart the IGMP proxy process."
 msgstr "Restart the IGMP proxy process."
 
@@ -10966,7 +10245,7 @@ msgstr "Restart the IGMP proxy process."
 msgid "Restart the SSH daemon process, the current session is not affected, only the background daemon is restarted."
 msgstr "Restart the SSH daemon process, the current session is not affected, only the background daemon is restarted."
 
-#: ../../configuration/service/dns.rst:191
+#: ../../configuration/service/dns.rst:204
 msgid "Restarts the DNS recursor process. This also invalidates the local DNS forwarding cache."
 msgstr "Restarts the DNS recursor process. This also invalidates the local DNS forwarding cache."
 
@@ -11012,7 +10291,7 @@ msgstr "Route Aggregation Configuration"
 msgid "Route Dampening"
 msgstr "Route Dampening"
 
-#: ../../configuration/protocols/bgp.rst:1188
+#: ../../configuration/protocols/bgp.rst:1189
 msgid "Route Filtering"
 msgstr "Route Filtering"
 
@@ -11052,7 +10331,7 @@ msgstr "Route and Route6 Policy"
 msgid "Route dampening wich described in :rfc:`2439` enables you to identify routes that repeatedly fail and return. If route dampening is enabled, an unstable route accumulates penalties each time the route fails and returns. If the accumulated penalties exceed a threshold, the route is no longer advertised. This is route suppression. Routes that have been suppressed are re-entered into the routing table only when the amount of their penalty falls below a threshold."
 msgstr "Route dampening wich described in :rfc:`2439` enables you to identify routes that repeatedly fail and return. If route dampening is enabled, an unstable route accumulates penalties each time the route fails and returns. If the accumulated penalties exceed a threshold, the route is no longer advertised. This is route suppression. Routes that have been suppressed are re-entered into the routing table only when the amount of their penalty falls below a threshold."
 
-#: ../../configuration/protocols/bgp.rst:1190
+#: ../../configuration/protocols/bgp.rst:1191
 msgid "Route filter can be applied using a route-map:"
 msgstr "Route filter can be applied using a route-map:"
 
@@ -11084,11 +10363,11 @@ msgstr "Router Lifetime"
 msgid "Router receives DHCP client requests on ``eth1`` and relays them to the server at 10.0.1.4 on ``eth2``."
 msgstr "Router receives DHCP client requests on ``eth1`` and relays them to the server at 10.0.1.4 on ``eth2``."
 
-#: ../../configuration/vrf/index.rst:423
+#: ../../configuration/vrf/index.rst:425
 msgid "Routes exported from a unicast VRF to the VPN RIB must be augmented by two parameters:"
 msgstr "Routes exported from a unicast VRF to the VPN RIB must be augmented by two parameters:"
 
-#: ../../configuration/protocols/isis.rst:413
+#: ../../configuration/protocols/isis.rst:441
 msgid "Routes on Node 2:"
 msgstr "Routes on Node 2:"
 
@@ -11120,13 +10399,13 @@ msgstr "Routing"
 msgid "Routing tables that will be used in this example are:"
 msgstr "Routing tables that will be used in this example are:"
 
-#: ../../configuration/firewall/general-legacy.rst:270
 #: ../../configuration/policy/route.rst:10
 msgid "Rule-Sets"
 msgstr "Rule-Sets"
 
-#: ../../configuration/firewall/general.rst:1310
-#: ../../configuration/firewall/general-legacy.rst:781
+#: ../../configuration/firewall/bridge.rst:287
+#: ../../configuration/firewall/ipv4.rst:957
+#: ../../configuration/firewall/ipv6.rst:965
 msgid "Rule-set overview"
 msgstr "Rule-set overview"
 
@@ -11138,6 +10417,10 @@ msgstr "Rule 10 matches requests with the domain name ``node1.example.com`` forw
 msgid "Rule 10 matches requests with the exact URL path ``/.well-known/xxx`` and redirects to location ``/certs/``."
 msgstr "Rule 10 matches requests with the exact URL path ``/.well-known/xxx`` and redirects to location ``/certs/``."
 
+#: ../../configuration/firewall/flowtables.rst:151
+msgid "Rule 110 is hit, so connection is accepted."
+msgstr "Rule 110 is hit, so connection is accepted."
+
 #: ../../configuration/loadbalancing/reverse-proxy.rst:257
 msgid "Rule 20 matches requests with URL paths ending in ``/mail`` or exact path ``/email/bar`` redirect to location ``/postfix/``."
 msgstr "Rule 20 matches requests with URL paths ending in ``/mail`` or exact path ``/email/bar`` redirect to location ``/postfix/``."
@@ -11146,7 +10429,9 @@ msgstr "Rule 20 matches requests with URL paths ending in ``/mail`` or exact pat
 msgid "Rule 20 matches requests with the domain name ``node2.example.com`` forwards to the backend ``bk-api-02``"
 msgstr "Rule 20 matches requests with the domain name ``node2.example.com`` forwards to the backend ``bk-api-02``"
 
-#: ../../configuration/firewall/general.rst:519
+#: ../../configuration/firewall/bridge.rst:208
+#: ../../configuration/firewall/ipv4.rst:288
+#: ../../configuration/firewall/ipv6.rst:288
 msgid "Rule Status"
 msgstr "Rule Status"
 
@@ -11162,7 +10447,7 @@ msgstr "Rules allow to control and route incoming traffic to specific backend ba
 msgid "Rules will be created for both :ref:`source-nat` and :ref:`destination-nat`."
 msgstr "Rules will be created for both :ref:`source-nat` and :ref:`destination-nat`."
 
-#: ../../configuration/service/dns.rst:378
+#: ../../configuration/service/dns.rst:391
 msgid "Running Behind NAT"
 msgstr "Running Behind NAT"
 
@@ -11170,6 +10455,10 @@ msgstr "Running Behind NAT"
 msgid "SNAT"
 msgstr "SNAT"
 
+#: ../../configuration/nat/nat64.rst:26
+msgid "SNAT64"
+msgstr "SNAT64"
+
 #: ../../configuration/nat/nat66.rst:23
 msgid "SNAT66"
 msgstr "SNAT66"
@@ -11218,8 +10507,6 @@ msgstr "SNMPv3"
 msgid "SNMPv3 (version 3 of the SNMP protocol) introduced a whole slew of new security related features that have been missing from the previous versions. Security was one of the biggest weakness of SNMP until v3. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and agent. Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used."
 msgstr "SNMPv3 (version 3 of the SNMP protocol) introduced a whole slew of new security related features that have been missing from the previous versions. Security was one of the biggest weakness of SNMP until v3. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and agent. Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used."
 
-#: ../../_include/interface-mirror.txt:1
-#: ../../_include/interface-mirror.txt:1
 #: ../../_include/interface-mirror.txt:1
 msgid "SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface can be connected to some special equipment, such as behavior control system, intrusion detection system and traffic collector, and can copy all related traffic from this port. The benefit of mirroring the traffic is that the application is isolated from the source traffic and so application processing does not affect the traffic or the system performance."
 msgstr "SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface can be connected to some special equipment, such as behavior control system, intrusion detection system and traffic collector, and can copy all related traffic from this port. The benefit of mirroring the traffic is that the application is isolated from the source traffic and so application processing does not affect the traffic or the system performance."
@@ -11258,7 +10545,7 @@ msgid "SSID to be used in IEEE 802.11 management frames"
 msgstr "SSID to be used in IEEE 802.11 management frames"
 
 #: ../../configuration/vpn/openconnect.rst:24
-#: ../../configuration/vpn/sstp.rst:151
+#: ../../configuration/vpn/sstp.rst:162
 msgid "SSL Certificates"
 msgstr "SSL Certificates"
 
@@ -11306,7 +10593,7 @@ msgstr "SaltStack_ is Python-based, open-source software for event-driven IT aut
 msgid "Same as export-list, but it applies to paths announced into specified area as Type-3 summary-LSAs. This command makes sense in ABR only."
 msgstr "Same as export-list, but it applies to paths announced into specified area as Type-3 summary-LSAs. This command makes sense in ABR only."
 
-#: ../../configuration/interfaces/vxlan.rst:153
+#: ../../configuration/interfaces/vxlan.rst:174
 msgid "Sample configuration of SVD with VLAN to VNI mappings is shown below."
 msgstr "Sample configuration of SVD with VLAN to VNI mappings is shown below."
 
@@ -11326,11 +10613,11 @@ msgstr "Script execution"
 msgid "Scripting"
 msgstr "Scripting"
 
-#: ../../configuration/nat/nat44.rst:652
+#: ../../configuration/nat/nat44.rst:676
 msgid "Second scenario: apply source NAT for all outgoing connections from LAN 10.0.0.0/8, using 3 public addresses and equal distribution. We will generate the hash randomly."
 msgstr "Second scenario: apply source NAT for all outgoing connections from LAN 10.0.0.0/8, using 3 public addresses and equal distribution. We will generate the hash randomly."
 
-#: ../../configuration/vpn/sstp.rst:235
+#: ../../configuration/vpn/sstp.rst:246
 msgid "Secret for Dynamic Authorization Extension server (DM/CoA)"
 msgstr "Secret for Dynamic Authorization Extension server (DM/CoA)"
 
@@ -11343,6 +10630,10 @@ msgstr "Security"
 msgid "Security/authentication messages"
 msgstr "Security/authentication messages"
 
+#: ../../configuration/protocols/pim.rst:109
+msgid "See :rfc:`7761#section-4.1` for details."
+msgstr "See :rfc:`7761#section-4.1` for details."
+
 #: ../../configuration/system/ip.rst:52
 msgid "See below the different parameters available for the IPv4 **show** command:"
 msgstr "See below the different parameters available for the IPv4 **show** command:"
@@ -11371,11 +10662,15 @@ msgstr "Segment routing (SR) is used by the IGP protocols to interconnect networ
 msgid "Segment routing defines a control plane network architecture and can be applied to an existing MPLS based dataplane. In the MPLS networks, segments are encoded as MPLS labels and are imposed at the ingress router. MPLS labels are exchanged and populated by IGPs like IS-IS.Segment Routing as per RFC8667 for MPLS dataplane. It supports IPv4, IPv6 and ECMP and has been tested against Cisco & Juniper routers.however,this deployment is still EXPERIMENTAL for FRR."
 msgstr "Segment routing defines a control plane network architecture and can be applied to an existing MPLS based dataplane. In the MPLS networks, segments are encoded as MPLS labels and are imposed at the ingress router. MPLS labels are exchanged and populated by IGPs like IS-IS.Segment Routing as per RFC8667 for MPLS dataplane. It supports IPv4, IPv6 and ECMP and has been tested against Cisco & Juniper routers.however,this deployment is still EXPERIMENTAL for FRR."
 
+#: ../../configuration/service/https.rst:50
+msgid "Select TLS version used."
+msgstr "Select TLS version used."
+
 #: ../../configuration/interfaces/macsec.rst:34
 msgid "Select cipher suite used for cryptographic operations. This setting is mandatory."
 msgstr "Select cipher suite used for cryptographic operations. This setting is mandatory."
 
-#: ../../configuration/vrf/index.rst:466
+#: ../../configuration/vrf/index.rst:468
 msgid "Select how labels are allocated in the given VRF. By default, the per-vrf mode is selected, and one label is used for all prefixes from the VRF. The per-nexthop will use a unique label for all prefixes that are reachable via the same nexthop."
 msgstr "Select how labels are allocated in the given VRF. By default, the per-vrf mode is selected, and one label is used for all prefixes from the VRF. The per-nexthop will use a unique label for all prefixes that are reachable via the same nexthop."
 
@@ -11408,7 +10703,7 @@ msgid "Serial interfaces can be any interface which is directly connected to the
 msgstr "Serial interfaces can be any interface which is directly connected to the CPU or chipset (mostly known as a ttyS interface in Linux) or any other USB to serial converter (Prolific PL2303 or FTDI FT232/FT4232 based chips)."
 
 #: ../../configuration/interfaces/openvpn.rst:325
-#: ../../configuration/vpn/sstp.rst:199
+#: ../../configuration/vpn/sstp.rst:210
 msgid "Server"
 msgstr "Server"
 
@@ -11432,7 +10727,7 @@ msgstr "Server Side"
 msgid "Server configuration"
 msgstr "Server configuration"
 
-#: ../../configuration/service/https.rst:50
+#: ../../configuration/service/https.rst:41
 msgid "Server names for virtual hosts it can be exact, wildcard or regex."
 msgstr "Server names for virtual hosts it can be exact, wildcard or regex."
 
@@ -11457,19 +10752,19 @@ msgstr "Set BGP community-list to exactly match."
 msgid "Set BGP local preference attribute."
 msgstr "Set BGP local preference attribute."
 
-#: ../../configuration/policy/route-map.rst:334
+#: ../../configuration/policy/route-map.rst:336
 msgid "Set BGP origin code."
 msgstr "Set BGP origin code."
 
-#: ../../configuration/policy/route-map.rst:339
+#: ../../configuration/policy/route-map.rst:341
 msgid "Set BGP originator ID attribute."
 msgstr "Set BGP originator ID attribute."
 
-#: ../../configuration/policy/route-map.rst:357
+#: ../../configuration/policy/route-map.rst:359
 msgid "Set BGP weight attribute"
 msgstr "Set BGP weight attribute"
 
-#: ../../configuration/nat/nat44.rst:176
+#: ../../configuration/nat/nat44.rst:188
 msgid "Set DNAT rule 20 to only NAT UDP packets"
 msgstr "Set DNAT rule 20 to only NAT UDP packets"
 
@@ -11481,19 +10776,19 @@ msgstr "Set IPSec inbound match criterias, where:"
 msgid "Set IP fragment match, where:"
 msgstr "Set IP fragment match, where:"
 
-#: ../../configuration/policy/route-map.rst:329
+#: ../../configuration/policy/route-map.rst:331
 msgid "Set OSPF external metric-type."
 msgstr "Set OSPF external metric-type."
 
-#: ../../configuration/nat/nat44.rst:175
+#: ../../configuration/nat/nat44.rst:187
 msgid "Set SNAT rule 20 to only NAT TCP and UDP packets"
 msgstr "Set SNAT rule 20 to only NAT TCP and UDP packets"
 
-#: ../../configuration/nat/nat44.rst:189
+#: ../../configuration/nat/nat44.rst:201
 msgid "Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24 network"
 msgstr "Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24 network"
 
-#: ../../configuration/nat/nat44.rst:191
+#: ../../configuration/nat/nat44.rst:203
 msgid "Set SNAT rule 30 to only NAT packets arriving from the 203.0.113.0/24 network with a source port of 80 and 443"
 msgstr "Set SNAT rule 30 to only NAT packets arriving from the 203.0.113.0/24 network with a source port of 80 and 443"
 
@@ -11501,11 +10796,12 @@ msgstr "Set SNAT rule 30 to only NAT packets arriving from the 203.0.113.0/24 ne
 msgid "Set SSL certeficate <name> for service <name>"
 msgstr "Set SSL certeficate <name> for service <name>"
 
-#: ../../configuration/firewall/general.rst:1271
+#: ../../configuration/firewall/ipv4.rst:918
+#: ../../configuration/firewall/ipv6.rst:927
 msgid "Set TCP-MSS (maximum segment size) for the connection"
 msgstr "Set TCP-MSS (maximum segment size) for the connection"
 
-#: ../../configuration/service/dns.rst:267
+#: ../../configuration/service/dns.rst:280
 msgid "Set TTL to 300 seconds"
 msgstr "Set TTL to 300 seconds"
 
@@ -11517,51 +10813,31 @@ msgstr "Set Virtual Tunnel Interface"
 msgid "Set a container description"
 msgstr "Set a container description"
 
-#: ../../configuration/system/conntrack.rst:114
+#: ../../configuration/system/conntrack.rst:113
+msgid "Set a destination and/or source address. Accepted input for ipv4:"
+msgstr "Set a destination and/or source address. Accepted input for ipv4:"
+
+#: ../../configuration/system/conntrack.rst:142
 msgid "Set a destination and/or source port. Accepted input:"
 msgstr "Set a destination and/or source port. Accepted input:"
 
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
-#: ../../_include/interface-description.txt:4
 #: ../../_include/interface-description.txt:4
 msgid "Set a human readable, descriptive alias for this connection. Alias is used by e.g. the :opcmd:`show interfaces` command or SNMP based monitoring tools."
 msgstr "Set a human readable, descriptive alias for this connection. Alias is used by e.g. the :opcmd:`show interfaces` command or SNMP based monitoring tools."
 
-#: ../../configuration/system/login.rst:385
+#: ../../configuration/system/login.rst:387
 msgid "Set a limit on the maximum number of concurrent logged-in users on the system."
 msgstr "Set a limit on the maximum number of concurrent logged-in users on the system."
 
-#: ../../configuration/firewall/zone.rst:79
+#: ../../configuration/firewall/zone.rst:98
 msgid "Set a meaningful description."
 msgstr "Set a meaningful description."
 
-#: ../../configuration/service/https.rst:18
+#: ../../configuration/service/https.rst:63
 msgid "Set a named api key. Every key has the same, full permissions on the system."
 msgstr "Set a named api key. Every key has the same, full permissions on the system."
 
-#: ../../configuration/system/conntrack.rst:92
+#: ../../configuration/system/conntrack.rst:106
 msgid "Set a rule description."
 msgstr "Set a rule description."
 
@@ -11693,7 +10969,7 @@ msgstr "Set if antenna pattern does not change during the lifetime of an associa
 msgid "Set inbound interface to match."
 msgstr "Set inbound interface to match."
 
-#: ../../configuration/firewall/zone.rst:65
+#: ../../configuration/firewall/zone.rst:84
 msgid "Set interfaces to a zone. A zone can have multiple interfaces. But an interface can only be a member in one zone."
 msgstr "Set interfaces to a zone. A zone can have multiple interfaces. But an interface can only be a member in one zone."
 
@@ -11737,7 +11013,7 @@ msgstr "Set maximum `<size>` of DHCP packets including relay agent information.
 msgid "Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, hour or day.For example 1/second implies rule to be matched at an average of once per second."
 msgstr "Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, hour or day.For example 1/second implies rule to be matched at an average of once per second."
 
-#: ../../configuration/service/dhcp-relay.rst:162
+#: ../../configuration/service/dhcp-relay.rst:164
 msgid "Set maximum hop count before packets are discarded, default: 10"
 msgstr "Set maximum hop count before packets are discarded, default: 10"
 
@@ -11779,7 +11055,7 @@ msgstr "Set packet modifications: Packet Differentiated Services Codepoint (DSCP
 msgid "Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than <1-255> times) and/or time (source address seen in the last <0-4294967295> seconds)."
 msgstr "Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than <1-255> times) and/or time (source address seen in the last <0-4294967295> seconds)."
 
-#: ../../configuration/policy/route-map.rst:348
+#: ../../configuration/policy/route-map.rst:350
 msgid "Set prefixes to table."
 msgstr "Set prefixes to table."
 
@@ -11820,7 +11096,7 @@ msgstr "Set some metric to routes learned from a particular neighbor."
 msgid "Set source-address to your local IP (LAN)."
 msgstr "Set source-address to your local IP (LAN)."
 
-#: ../../configuration/policy/route-map.rst:344
+#: ../../configuration/policy/route-map.rst:346
 msgid "Set source IP/IPv6 address for route."
 msgstr "Set source IP/IPv6 address for route."
 
@@ -11829,7 +11105,7 @@ msgstr "Set source IP/IPv6 address for route."
 msgid "Set source address or prefix to match."
 msgstr "Set source address or prefix to match."
 
-#: ../../configuration/policy/route-map.rst:352
+#: ../../configuration/policy/route-map.rst:354
 msgid "Set tag value for routing protocol."
 msgstr "Set tag value for routing protocol."
 
@@ -11850,8 +11126,7 @@ msgstr "Set the IP address of the local interface to be used for the tunnel."
 msgid "Set the IP address of the remote peer. It may be specified as an IPv4 address or an IPv6 address."
 msgstr "Set the IP address of the remote peer. It may be specified as an IPv4 address or an IPv6 address."
 
-#: ../../configuration/firewall/general.rst:162
-#: ../../configuration/firewall/general-legacy.rst:112
+#: ../../configuration/firewall/global-options.rst:99
 msgid "Set the IPv4 source validation mode. The following system parameter will be altered:"
 msgstr "Set the IPv4 source validation mode. The following system parameter will be altered:"
 
@@ -11876,6 +11151,10 @@ msgstr "Set the MLD version used on this interface. The default value is 2."
 msgid "Set the Maximum Stack Depth supported by the router. The value depend of the MPLS dataplane."
 msgstr "Set the Maximum Stack Depth supported by the router. The value depend of the MPLS dataplane."
 
+#: ../../configuration/protocols/pim.rst:153
+msgid "Set the PIM hello and hold interval for a interface."
+msgstr "Set the PIM hello and hold interval for a interface."
+
 #: ../../configuration/protocols/segment-routing.rst:56
 #: ../../configuration/protocols/segment-routing.rst:134
 msgid "Set the Segment Routing Global Block i.e. the label range used by MPLS to store label in the MPLS FIB for Prefix SID. Note that the block size may not exceed 65535."
@@ -11896,6 +11175,10 @@ msgstr "Set the Segment Routing Local Block i.e. the label range used by MPLS to
 msgid "Set the Segment Routing Local Block i.e. the low label range used by MPLS to store label in the MPLS FIB for Prefix SID. Note that the block size may not exceed 65535.Segment Routing Local Block, The negative command always unsets both."
 msgstr "Set the Segment Routing Local Block i.e. the low label range used by MPLS to store label in the MPLS FIB for Prefix SID. Note that the block size may not exceed 65535.Segment Routing Local Block, The negative command always unsets both."
 
+#: ../../configuration/protocols/pim.rst:147
+msgid "Set the :abbr:`DR (Designated Router)` Priority for the interface. This command is useful to allow the user to influence what node becomes the DR for a LAN segment."
+msgstr "Set the :abbr:`DR (Designated Router)` Priority for the interface. This command is useful to allow the user to influence what node becomes the DR for a LAN segment."
+
 #: ../../configuration/interfaces/pppoe.rst:148
 msgid "Set the :abbr:`MRU (Maximum Receive Unit)` to `mru`. PPPd will ask the peer to send packets of no more than `mru` bytes. The value of `mru` must be between 128 and 16384."
 msgstr "Set the :abbr:`MRU (Maximum Receive Unit)` to `mru`. PPPd will ask the peer to send packets of no more than `mru` bytes. The value of `mru` must be between 128 and 16384."
@@ -11920,22 +11203,7 @@ msgstr "Set the default VRRP version to use. This defaults to 2, but IPv6 instan
 msgid "Set the device's transmit (TX) key. This key must be a hex string that is 16-bytes (GCM-AES-128) or 32-bytes (GCM-AES-256)."
 msgstr "Set the device's transmit (TX) key. This key must be a hex string that is 16-bytes (GCM-AES-128) or 32-bytes (GCM-AES-256)."
 
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
-#: ../../_include/interface-dhcp-options.txt:55
+#: ../../_include/interface-dhcp-options.txt:60
 msgid "Set the distance for the default gateway sent by the DHCP server."
 msgstr "Set the distance for the default gateway sent by the DHCP server."
 
@@ -11951,15 +11219,15 @@ msgstr "Set the distance for the default gateway sent by the SSTP server."
 msgid "Set the encapsulation type of the tunnel. Valid values for encapsulation are: udp, ip."
 msgstr "Set the encapsulation type of the tunnel. Valid values for encapsulation are: udp, ip."
 
-#: ../../configuration/firewall/general-legacy.rst:136
+#: ../../configuration/firewall/global-options.rst:127
 msgid "Set the global setting for an established connection."
 msgstr "Set the global setting for an established connection."
 
-#: ../../configuration/firewall/general-legacy.rst:142
+#: ../../configuration/firewall/global-options.rst:137
 msgid "Set the global setting for invalid packets."
 msgstr "Set the global setting for invalid packets."
 
-#: ../../configuration/firewall/general-legacy.rst:148
+#: ../../configuration/firewall/global-options.rst:147
 msgid "Set the global setting for related connections."
 msgstr "Set the global setting for related connections."
 
@@ -11975,7 +11243,7 @@ msgstr "Set the maximum hop `<count>` before packets are discarded. Range 0...25
 msgid "Set the maximum length of A-MPDU pre-EOF padding that the station can receive"
 msgstr "Set the maximum length of A-MPDU pre-EOF padding that the station can receive"
 
-#: ../../configuration/system/conntrack.rst:147
+#: ../../configuration/system/conntrack.rst:52
 msgid "Set the maximum number of TCP half-open connections."
 msgstr "Set the maximum number of TCP half-open connections."
 
@@ -11995,7 +11263,7 @@ msgstr "Set the native VLAN ID flag of the interface. When a data packet without
 msgid "Set the next-hop as unchanged. Pass through the route-map without changing its value"
 msgstr "Set the next-hop as unchanged. Pass through the route-map without changing its value"
 
-#: ../../configuration/system/conntrack.rst:157
+#: ../../configuration/system/conntrack.rst:62
 msgid "Set the number of TCP maximum retransmit attempts."
 msgstr "Set the number of TCP maximum retransmit attempts."
 
@@ -12027,6 +11295,10 @@ msgstr "Set the peer-session-id, which is a 32-bit integer value assigned to the
 msgid "Set the restart behavior of the container."
 msgstr "Set the restart behavior of the container."
 
+#: ../../configuration/policy/route-map.rst:323
+msgid "Set the route metric. When used with BGP, set the BGP attribute MED to a specific value. Use ``+/-`` to add or subtract the specified value to/from the existing/MED. Use ``rtt`` to set the MED to the round trip time or ``+rtt/-rtt`` to add/subtract the round trip time to/from the MED."
+msgstr "Set the route metric. When used with BGP, set the BGP attribute MED to a specific value. Use ``+/-`` to add or subtract the specified value to/from the existing/MED. Use ``rtt`` to set the MED to the round trip time or ``+rtt/-rtt`` to add/subtract the round trip time to/from the MED."
+
 #: ../../configuration/policy/route.rst:269
 msgid "Set the routing table to forward packet with."
 msgstr "Set the routing table to forward packet with."
@@ -12043,11 +11315,11 @@ msgstr "Set the size of the hash table. The connection tracking hash table makes
 msgid "Set the source IP of forwarded packets, otherwise original senders address is used."
 msgstr "Set the source IP of forwarded packets, otherwise original senders address is used."
 
-#: ../../configuration/system/conntrack.rst:83
+#: ../../configuration/system/conntrack.rst:97
 msgid "Set the timeout in secounds for a protocol or state."
 msgstr "Set the timeout in secounds for a protocol or state."
 
-#: ../../configuration/system/conntrack.rst:141
+#: ../../configuration/system/conntrack.rst:175
 msgid "Set the timeout in secounds for a protocol or state in a custom rule."
 msgstr "Set the timeout in secounds for a protocol or state in a custom rule."
 
@@ -12056,7 +11328,8 @@ msgstr "Set the timeout in secounds for a protocol or state in a custom rule."
 msgid "Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel into which the session will be created."
 msgstr "Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel into which the session will be created."
 
-#: ../../configuration/firewall/general.rst:1275
+#: ../../configuration/firewall/ipv4.rst:922
+#: ../../configuration/firewall/ipv6.rst:931
 msgid "Set the window scale factor for TCP window scaling"
 msgstr "Set the window scale factor for TCP window scaling"
 
@@ -12068,7 +11341,7 @@ msgstr "Set window of concurrently valid codes."
 msgid "Sets the image name in the hub registry"
 msgstr "Sets the image name in the hub registry"
 
-#: ../../configuration/interfaces/vxlan.rst:299
+#: ../../configuration/interfaces/vxlan.rst:320
 msgid "Sets the interface to listen for multicast packets on. Could be a loopback, not yet tested."
 msgstr "Sets the interface to listen for multicast packets on. Could be a loopback, not yet tested."
 
@@ -12076,7 +11349,7 @@ msgstr "Sets the interface to listen for multicast packets on. Could be a loopba
 msgid "Sets the listening port for a listening address. This overrides the default port of 3128 on the specific listen address."
 msgstr "Sets the listening port for a listening address. This overrides the default port of 3128 on the specific listen address."
 
-#: ../../configuration/interfaces/vxlan.rst:306
+#: ../../configuration/interfaces/vxlan.rst:327
 msgid "Sets the unique id for this vxlan-interface. Not sure how it correlates with multicast-address."
 msgstr "Sets the unique id for this vxlan-interface. Not sure how it correlates with multicast-address."
 
@@ -12084,7 +11357,7 @@ msgstr "Sets the unique id for this vxlan-interface. Not sure how it correlates
 msgid "Setting VRRP group priority"
 msgstr "Setting VRRP group priority"
 
-#: ../../configuration/service/dhcp-server.rst:264
+#: ../../configuration/service/dhcp-server.rst:231
 msgid "Setting name"
 msgstr "Setting name"
 
@@ -12116,7 +11389,7 @@ msgstr "Setting up certificates:"
 msgid "Setting up tunnel:"
 msgstr "Setting up tunnel:"
 
-#: ../../configuration/service/dhcp-server.rst:432
+#: ../../configuration/service/dhcp-server.rst:373
 msgid "Setup DHCP failover for network 192.0.2.0/24"
 msgstr "Setup DHCP failover for network 192.0.2.0/24"
 
@@ -12132,7 +11405,7 @@ msgstr "Setup the `<timeout>` in seconds when querying the RADIUS server."
 msgid "Setup the `<timeout>` in seconds when querying the TACACS server."
 msgstr "Setup the `<timeout>` in seconds when querying the TACACS server."
 
-#: ../../configuration/service/dns.rst:314
+#: ../../configuration/service/dns.rst:327
 msgid "Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS provider identified by `<service>` when the IP address on address `<interface>` changes."
 msgstr "Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS provider identified by `<service>` when the IP address on address `<interface>` changes."
 
@@ -12172,7 +11445,7 @@ msgstr "Short GI capabilities for 20 and 40 MHz"
 msgid "Short bursts can be allowed to exceed the limit. On creation, the Rate-Control traffic is stocked with tokens which correspond to the amount of traffic that can be burst in one go. Tokens arrive at a steady rate, until the bucket is full."
 msgstr "Short bursts can be allowed to exceed the limit. On creation, the Rate-Control traffic is stocked with tokens which correspond to the amount of traffic that can be burst in one go. Tokens arrive at a steady rate, until the bucket is full."
 
-#: ../../configuration/vrf/index.rst:486
+#: ../../configuration/vrf/index.rst:488
 msgid "Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the current VRF using the VPN RIB as intermediary. The RD and RT are auto derived and should not be specified explicitly for either the source or destination VRF’s."
 msgstr "Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the current VRF using the VPN RIB as intermediary. The RD and RT are auto derived and should not be specified explicitly for either the source or destination VRF’s."
 
@@ -12181,16 +11454,17 @@ msgstr "Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the
 msgid "Show"
 msgstr "Show"
 
-#: ../../configuration/service/dhcp-server.rst:516
+#: ../../configuration/service/dhcp-server.rst:416
 msgid "Show DHCP server daemon log file"
 msgstr "Show DHCP server daemon log file"
 
-#: ../../configuration/service/dhcp-server.rst:736
+#: ../../configuration/service/dhcp-server.rst:668
 msgid "Show DHCPv6 server daemon log file"
 msgstr "Show DHCPv6 server daemon log file"
 
-#: ../../configuration/firewall/general.rst:1482
-#: ../../configuration/firewall/general-legacy.rst:965
+#: ../../configuration/firewall/bridge.rst:306
+#: ../../configuration/firewall/ipv4.rst:1115
+#: ../../configuration/firewall/ipv6.rst:1138
 msgid "Show Firewall log"
 msgstr "Show Firewall log"
 
@@ -12198,6 +11472,22 @@ msgstr "Show Firewall log"
 msgid "Show LLDP neighbors connected via interface `<interface>`."
 msgstr "Show LLDP neighbors connected via interface `<interface>`."
 
+#: ../../configuration/service/ssh.rst:232
+msgid "Show SSH dynamic-protection log."
+msgstr "Show SSH dynamic-protection log."
+
+#: ../../configuration/service/ssh.rst:224
+msgid "Show SSH server log."
+msgstr "Show SSH server log."
+
+#: ../../configuration/service/ssh.rst:248
+msgid "Show SSH server public key fingerprints, including a visual ASCII art representation."
+msgstr "Show SSH server public key fingerprints, including a visual ASCII art representation."
+
+#: ../../configuration/service/ssh.rst:244
+msgid "Show SSH server public key fingerprints."
+msgstr "Show SSH server public key fingerprints."
+
 #: ../../configuration/loadbalancing/wan.rst:271
 msgid "Show WAN load balancer information including test types and targets. A character at the start of each line depicts the state of the test"
 msgstr "Show WAN load balancer information including test types and targets. A character at the start of each line depicts the state of the test"
@@ -12242,15 +11532,15 @@ msgstr "Show WWAN module signal strength."
 msgid "Show a list available container networks"
 msgstr "Show a list available container networks"
 
-#: ../../configuration/pki/index.rst:259
+#: ../../configuration/pki/index.rst:297
 msgid "Show a list of installed :abbr:`CA (Certificate Authority)` certificates."
 msgstr "Show a list of installed :abbr:`CA (Certificate Authority)` certificates."
 
-#: ../../configuration/pki/index.rst:294
+#: ../../configuration/pki/index.rst:332
 msgid "Show a list of installed :abbr:`CRLs (Certificate Revocation List)`."
 msgstr "Show a list of installed :abbr:`CRLs (Certificate Revocation List)`."
 
-#: ../../configuration/pki/index.rst:277
+#: ../../configuration/pki/index.rst:315
 msgid "Show a list of installed certificates"
 msgstr "Show a list of installed certificates"
 
@@ -12356,44 +11646,52 @@ msgstr "Show info about the Wireguard service. It also shows the latest handshak
 msgid "Show information about physical `<interface>`"
 msgstr "Show information about physical `<interface>`"
 
+#: ../../configuration/service/ssh.rst:240
+msgid "Show list of IPs currently blocked by SSH dynamic-protection."
+msgstr "Show list of IPs currently blocked by SSH dynamic-protection."
+
+#: ../../configuration/service/mdns.rst:87
+msgid "Show logs for mDNS repeater service."
+msgstr "Show logs for mDNS repeater service."
+
 #: ../../configuration/container/index.rst:159
 msgid "Show logs from a given container"
 msgstr "Show logs from a given container"
 
-#: ../../configuration/service/dhcp-server.rst:520
+#: ../../configuration/service/dhcp-server.rst:420
 msgid "Show logs from all DHCP client processes."
 msgstr "Show logs from all DHCP client processes."
 
-#: ../../configuration/service/dhcp-server.rst:740
+#: ../../configuration/service/dhcp-server.rst:672
 msgid "Show logs from all DHCPv6 client processes."
 msgstr "Show logs from all DHCPv6 client processes."
 
-#: ../../configuration/service/dhcp-server.rst:524
+#: ../../configuration/service/dhcp-server.rst:424
 msgid "Show logs from specific `interface` DHCP client process."
 msgstr "Show logs from specific `interface` DHCP client process."
 
-#: ../../configuration/service/dhcp-server.rst:744
+#: ../../configuration/service/dhcp-server.rst:676
 msgid "Show logs from specific `interface` DHCPv6 client process."
 msgstr "Show logs from specific `interface` DHCPv6 client process."
 
-#: ../../configuration/pki/index.rst:273
+#: ../../configuration/pki/index.rst:311
 msgid "Show only information for specified Certificate Authority."
 msgstr "Show only information for specified Certificate Authority."
 
-#: ../../configuration/pki/index.rst:290
+#: ../../configuration/pki/index.rst:328
 msgid "Show only information for specified certificate."
 msgstr "Show only information for specified certificate."
 
-#: ../../configuration/service/dhcp-server.rst:562
-#: ../../configuration/service/dhcp-server.rst:767
+#: ../../configuration/service/dhcp-server.rst:478
+#: ../../configuration/service/dhcp-server.rst:699
 msgid "Show only leases in the specified pool."
 msgstr "Show only leases in the specified pool."
 
-#: ../../configuration/service/dhcp-server.rst:776
+#: ../../configuration/service/dhcp-server.rst:708
 msgid "Show only leases with the specified state. Possible states: abandoned, active, all, backup, expired, free, released, reset (default = active)"
 msgstr "Show only leases with the specified state. Possible states: abandoned, active, all, backup, expired, free, released, reset (default = active)"
 
-#: ../../configuration/service/dhcp-server.rst:571
+#: ../../configuration/service/dhcp-server.rst:496
 msgid "Show only leases with the specified state. Possible states: all, active, free, expired, released, abandoned, reset, backup (default = active)"
 msgstr "Show only leases with the specified state. Possible states: all, active, free, expired, released, abandoned, reset, backup (default = active)"
 
@@ -12405,19 +11703,23 @@ msgstr "Show routing table entry for the default route."
 msgid "Show specific MACsec interface information"
 msgstr "Show specific MACsec interface information"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:217
+#: ../../configuration/vpn/site2site_ipsec.rst:221
 msgid "Show status of new setup:"
 msgstr "Show status of new setup:"
 
-#: ../../configuration/service/dhcp-server.rst:547
+#: ../../configuration/service/dhcp-server.rst:447
 msgid "Show statuses of all active leases:"
 msgstr "Show statuses of all active leases:"
 
-#: ../../configuration/service/dhcp-server.rst:532
+#: ../../configuration/service/dhcp-server.rst:465
+msgid "Show statuses of all active leases granted by local (this server) or remote (failover server):"
+msgstr "Show statuses of all active leases granted by local (this server) or remote (failover server):"
+
+#: ../../configuration/service/dhcp-server.rst:432
 msgid "Show the DHCP server statistics:"
 msgstr "Show the DHCP server statistics:"
 
-#: ../../configuration/service/dhcp-server.rst:543
+#: ../../configuration/service/dhcp-server.rst:443
 msgid "Show the DHCP server statistics for the specified pool."
 msgstr "Show the DHCP server statistics for the specified pool."
 
@@ -12437,11 +11739,22 @@ msgstr "Show the list of all active containers."
 msgid "Show the local container images."
 msgstr "Show the local container images."
 
-#: ../../configuration/firewall/general.rst:1486
 #: ../../configuration/firewall/general-legacy.rst:969
 msgid "Show the logs of a specific Rule-Set."
 msgstr "Show the logs of a specific Rule-Set."
 
+#: ../../configuration/firewall/bridge.rst:316
+msgid "Show the logs of all firewall; show all bridge firewall logs; show all logs for forward hook; show all logs for forward hook and priority filter; show all logs for particular custom chain; show logs for specific Rule-Set."
+msgstr "Show the logs of all firewall; show all bridge firewall logs; show all logs for forward hook; show all logs for forward hook and priority filter; show all logs for particular custom chain; show logs for specific Rule-Set."
+
+#: ../../configuration/firewall/ipv4.rst:1125
+msgid "Show the logs of all firewall; show all ipv4 firewall logs; show all logs for particular hook; show all logs for particular hook and priority; show all logs for particular custom chain; show logs for specific Rule-Set."
+msgstr "Show the logs of all firewall; show all ipv4 firewall logs; show all logs for particular hook; show all logs for particular hook and priority; show all logs for particular custom chain; show logs for specific Rule-Set."
+
+#: ../../configuration/firewall/ipv6.rst:1148
+msgid "Show the logs of all firewall; show all ipv6 firewall logs; show all logs for particular hook; show all logs for particular hook and priority; show all logs for particular custom chain; show logs for specific Rule-Set."
+msgstr "Show the logs of all firewall; show all ipv6 firewall logs; show all logs for particular hook; show all logs for particular hook and priority; show all logs for particular custom chain; show logs for specific Rule-Set."
+
 #: ../../configuration/protocols/failover.rst:75
 #: ../../configuration/protocols/failover.rst:101
 msgid "Show the route"
@@ -12455,7 +11768,7 @@ msgstr "Show transceiver information from plugin modules, e.g SFP+, QSFP"
 msgid "Showing BFD monitored static routes"
 msgstr "Showing BFD monitored static routes"
 
-#: ../../configuration/service/dhcp-server.rst:752
+#: ../../configuration/service/dhcp-server.rst:684
 msgid "Shows status of all assigned leases:"
 msgstr "Shows status of all assigned leases:"
 
@@ -12483,7 +11796,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"
 msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
 msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:418
+#: ../../configuration/vpn/site2site_ipsec.rst:427
 msgid "Similar combinations are applicable for the dead-peer-detection."
 msgstr "Similar combinations are applicable for the dead-peer-detection."
 
@@ -12519,7 +11832,11 @@ msgstr "Since the RADIUS server would be a single point of failure, multiple RAD
 msgid "Since the mDNS protocol sends the AA records in the packet itself, the repeater does not need to forge the source address. Instead, the source address is of the interface that repeats the packet."
 msgstr "Since the mDNS protocol sends the AA records in the packet itself, the repeater does not need to forge the source address. Instead, the source address is of the interface that repeats the packet."
 
-#: ../../configuration/interfaces/vxlan.rst:136
+#: ../../configuration/service/mdns.rst:14
+msgid "Since the mDNS protocol sends the :abbr:`AA(Authoritative Answer)` records in the packet itself, the repeater does not need to forge the source address. Instead, the source address is of the interface that repeats the packet."
+msgstr "Since the mDNS protocol sends the :abbr:`AA(Authoritative Answer)` records in the packet itself, the repeater does not need to forge the source address. Instead, the source address is of the interface that repeats the packet."
+
+#: ../../configuration/interfaces/vxlan.rst:157
 msgid "Single VXLAN device (SVD)"
 msgstr "Single VXLAN device (SVD)"
 
@@ -12540,6 +11857,10 @@ msgstr "Site-to-site mode supports x.509 but doesn't require it and can also wor
 msgid "Site to Site VPN"
 msgstr "Site to Site VPN"
 
+#: ../../configuration/pki/index.rst:275
+msgid "Size of the RSA key."
+msgstr "Size of the RSA key."
+
 #: ../../configuration/interfaces/bonding.rst:47
 msgid "Slave selection for outgoing traffic is done according to the transmit hash policy, which may be changed from the default simple XOR policy via the :cfgcmd:`hash-policy` option, documented below."
 msgstr "Slave selection for outgoing traffic is done according to the transmit hash policy, which may be changed from the default simple XOR policy via the :cfgcmd:`hash-policy` option, documented below."
@@ -12548,26 +11869,14 @@ msgstr "Slave selection for outgoing traffic is done according to the transmit h
 msgid "So in our firewall policy, we want to allow traffic coming in on the outside interface, destined for TCP port 80 and the IP address of 192.168.0.100."
 msgstr "So in our firewall policy, we want to allow traffic coming in on the outside interface, destined for TCP port 80 and the IP address of 192.168.0.100."
 
+#: ../../configuration/nat/nat44.rst:579
+msgid "So in our firewall ruleset, we want to allow traffic which previously matched a destination nat rule. In order to avoid creating many rules, one for each destination nat rule, we can accept all **'dnat'** connections with one simple rule, using ``connection-status`` matcher:"
+msgstr "So in our firewall ruleset, we want to allow traffic which previously matched a destination nat rule. In order to avoid creating many rules, one for each destination nat rule, we can accept all **'dnat'** connections with one simple rule, using ``connection-status`` matcher:"
+
 #: ../../configuration/service/snmp.rst:245
 msgid "SolarWinds"
 msgstr "SolarWinds"
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:10
 msgid "Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for a bigger delegation for this pd `<id>`. This value is in the range from 32 - 64 so you could request up to a /32 prefix (if your ISP allows this) down to a /64 delegation."
 msgstr "Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for a bigger delegation for this pd `<id>`. This value is in the range from 32 - 64 so you could request up to a /32 prefix (if your ISP allows this) down to a /64 delegation."
@@ -12580,15 +11889,18 @@ msgstr "Some IT environments require the use of a proxy to connect to the Intern
 msgid "Some RADIUS_ severs use an access control list which allows or denies queries, make sure to add your VyOS router to the allowed client list."
 msgstr "Some RADIUS_ severs use an access control list which allows or denies queries, make sure to add your VyOS router to the allowed client list."
 
-#: ../../configuration/nat/nat44.rst:626
+#: ../../configuration/nat/nat44.rst:650
 msgid "Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP."
 msgstr "Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP."
 
-#: ../../configuration/firewall/general.rst:86
 #: ../../configuration/firewall/general-legacy.rst:38
 msgid "Some firewall settings are global and have an affect on the whole system."
 msgstr "Some firewall settings are global and have an affect on the whole system."
 
+#: ../../configuration/firewall/global-options.rst:13
+msgid "Some firewall settings are global and have an affect on the whole system. In this section there's useful information about these global-options that can be configured using vyos cli."
+msgstr "Some firewall settings are global and have an affect on the whole system. In this section there's useful information about these global-options that can be configured using vyos cli."
+
 #: ../../configuration/trafficpolicy/index.rst:327
 msgid "Some policies already include other embedded policies inside. That is the case of Shaper_: each of its classes use fair-queue unless you change it."
 msgstr "Some policies already include other embedded policies inside. That is the case of Shaper_: each of its classes use fair-queue unless you change it."
@@ -12621,15 +11933,15 @@ msgstr "Some users tend to connect their mobile devices using WireGuard to their
 msgid "Sometimes option lines in the generated OpenVPN configuration require quotes. This is done through a hack on our config generator. You can pass quotes using the ``&quot;`` statement."
 msgstr "Sometimes option lines in the generated OpenVPN configuration require quotes. This is done through a hack on our config generator. You can pass quotes using the ``&quot;`` statement."
 
-#: ../../configuration/service/dhcp-server.rst:771
+#: ../../configuration/service/dhcp-server.rst:703
 msgid "Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, last_comm, pool, remaining, state, type (default = ip)"
 msgstr "Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, last_comm, pool, remaining, state, type (default = ip)"
 
-#: ../../configuration/service/dhcp-server.rst:566
+#: ../../configuration/service/dhcp-server.rst:491
 msgid "Sort the output by the specified key. Possible keys: ip, hardware_address, state, start, end, remaining, pool, hostname (default = ip)"
 msgstr "Sort the output by the specified key. Possible keys: ip, hardware_address, state, start, end, remaining, pool, hostname (default = ip)"
 
-#: ../../configuration/nat/nat44.rst:226
+#: ../../configuration/nat/nat44.rst:238
 msgid "Source Address"
 msgstr "Source Address"
 
@@ -12637,7 +11949,7 @@ msgstr "Source Address"
 msgid "Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN."
 msgstr "Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN."
 
-#: ../../configuration/vpn/sstp.rst:257
+#: ../../configuration/vpn/sstp.rst:268
 msgid "Source IPv4 address used in all RADIUS server queires."
 msgstr "Source IPv4 address used in all RADIUS server queires."
 
@@ -12661,6 +11973,10 @@ msgstr "Source all connections to the TACACS servers from given VRF `<name>`."
 msgid "Source protocol to match."
 msgstr "Source protocol to match."
 
+#: ../../configuration/vpn/ipsec.rst:225
+msgid "Source tunnel from dummy interface"
+msgstr "Source tunnel from dummy interface"
+
 #: ../../configuration/vpn/ipsec.rst:225
 msgid "Source tunnel from loopbacks"
 msgstr "Source tunnel from loopbacks"
@@ -12685,15 +12001,15 @@ msgstr "Spatial Multiplexing Power Save (SMPS) settings"
 msgid "Specfying nhs makes all multicast packets to be repeated to each statically configured next hop."
 msgstr "Specfying nhs makes all multicast packets to be repeated to each statically configured next hop."
 
-#: ../../configuration/vpn/sstp.rst:227
+#: ../../configuration/vpn/sstp.rst:238
 msgid "Specifies IP address for Dynamic Authorization Extension server (DM/CoA)"
 msgstr "Specifies IP address for Dynamic Authorization Extension server (DM/CoA)"
 
-#: ../../configuration/vpn/sstp.rst:183
+#: ../../configuration/vpn/sstp.rst:194
 msgid "Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation preference."
 msgstr "Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation preference."
 
-#: ../../configuration/vrf/index.rst:475
+#: ../../configuration/vrf/index.rst:477
 msgid "Specifies an optional route-map to be applied to routes imported or exported between the current unicast VRF and VPN."
 msgstr "Specifies an optional route-map to be applied to routes imported or exported between the current unicast VRF and VPN."
 
@@ -12705,6 +12021,10 @@ msgstr "Specifies an upstream network `<interface>` from which replies from `<se
 msgid "Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user. Set this low to force revalidation with short lived passwords."
 msgstr "Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user. Set this low to force revalidation with short lived passwords."
 
+#: ../../configuration/interfaces/vxlan.rst:89
+msgid "Specifies if unknown source link layer addresses and IP addresses are entered into the VXLAN device forwarding database."
+msgstr "Specifies if unknown source link layer addresses and IP addresses are entered into the VXLAN device forwarding database."
+
 #: ../../configuration/interfaces/bonding.rst:40
 msgid "Specifies one of the bonding policies. The default is 802.3ad. Possible values are:"
 msgstr "Specifies one of the bonding policies. The default is 802.3ad. Possible values are:"
@@ -12737,7 +12057,7 @@ msgstr "Specifies the available :abbr:`MAC (Message Authentication Code)` algori
 msgid "Specifies the base DN under which the users are located."
 msgstr "Specifies the base DN under which the users are located."
 
-#: ../../configuration/service/dhcp-server.rst:272
+#: ../../configuration/service/dhcp-server.rst:239
 msgid "Specifies the clients subnet mask as per RFC 950. If unset, subnet declaration is used."
 msgstr "Specifies the clients subnet mask as per RFC 950. If unset, subnet declaration is used."
 
@@ -12774,31 +12094,35 @@ msgstr "Specifies the port `<port>` that the SSTP port will listen on (default 4
 msgid "Specifies the protection scope (aka realm name) which is to be reported to the client for the authentication scheme. It is commonly part of the text the user will see when prompted for their username and password."
 msgstr "Specifies the protection scope (aka realm name) which is to be reported to the client for the authentication scheme. It is commonly part of the text the user will see when prompted for their username and password."
 
-#: ../../configuration/vrf/index.rst:450
+#: ../../configuration/vrf/index.rst:452
 msgid "Specifies the route-target list to be attached to a route (export) or the route-target list to match against (import) when exporting/importing between the current unicast VRF and VPN.The RTLIST is a space-separated list of route-targets, which are BGP extended community values as described in Extended Communities Attribute."
 msgstr "Specifies the route-target list to be attached to a route (export) or the route-target list to match against (import) when exporting/importing between the current unicast VRF and VPN.The RTLIST is a space-separated list of route-targets, which are BGP extended community values as described in Extended Communities Attribute."
 
-#: ../../configuration/vrf/index.rst:443
+#: ../../configuration/vrf/index.rst:445
 msgid "Specifies the route distinguisher to be added to a route exported from the current unicast VRF to VPN."
 msgstr "Specifies the route distinguisher to be added to a route exported from the current unicast VRF to VPN."
 
-#: ../../configuration/vpn/sstp.rst:270
+#: ../../configuration/vpn/sstp.rst:281
 msgid "Specifies the vendor dictionary, dictionary needs to be in /usr/share/accel-ppp/radius."
 msgstr "Specifies the vendor dictionary, dictionary needs to be in /usr/share/accel-ppp/radius."
 
-#: ../../configuration/vpn/sstp.rst:177
+#: ../../configuration/vpn/sstp.rst:188
 msgid "Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and \"lcp-echo-failure\" is not used."
 msgstr "Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and \"lcp-echo-failure\" is not used."
 
-#: ../../configuration/interfaces/vxlan.rst:72
+#: ../../configuration/interfaces/vxlan.rst:77
 msgid "Specifies whether an external control plane (e.g. BGP L2VPN/EVPN) or the internal FDB should be used."
 msgstr "Specifies whether an external control plane (e.g. BGP L2VPN/EVPN) or the internal FDB should be used."
 
+#: ../../configuration/interfaces/vxlan.rst:94
+msgid "Specifies whether the VXLAN device is capable of vni filtering."
+msgstr "Specifies whether the VXLAN device is capable of vni filtering."
+
 #: ../../configuration/protocols/ospf.rst:268
 msgid "Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When role is Candidate, this router participates in the translator election to determine if it will perform the translations duties. When role is Never, this router will never translate Type-7 LSAs into Type-5 LSAs."
 msgstr "Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When role is Candidate, this router participates in the translator election to determine if it will perform the translations duties. When role is Never, this router will never translate Type-7 LSAs into Type-5 LSAs."
 
-#: ../../configuration/vpn/sstp.rst:261
+#: ../../configuration/vpn/sstp.rst:272
 msgid "Specifies which RADIUS server attribute contains the rate limit information. The default attribute is `Filter-Id`."
 msgstr "Specifies which RADIUS server attribute contains the rate limit information. The default attribute is `Filter-Id`."
 
@@ -12806,23 +12130,27 @@ msgstr "Specifies which RADIUS server attribute contains the rate limit informat
 msgid "Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be defined."
 msgstr "Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be defined."
 
-#: ../../configuration/firewall/general.rst:663
-#: ../../configuration/firewall/general-legacy.rst:455
+#: ../../configuration/firewall/ipv4.rst:401
+#: ../../configuration/firewall/ipv6.rst:408
 msgid "Specify a Fully Qualified Domain Name as source/destination matcher. Ensure router is able to resolve such dns query."
 msgstr "Specify a Fully Qualified Domain Name as source/destination matcher. Ensure router is able to resolve such dns query."
 
-#: ../../configuration/service/dhcp-server.rst:620
+#: ../../configuration/service/dhcp-server.rst:550
 msgid "Specify a NIS+ server address for DHCPv6 clients."
 msgstr "Specify a NIS+ server address for DHCPv6 clients."
 
-#: ../../configuration/service/dhcp-server.rst:615
+#: ../../configuration/service/dhcp-server.rst:545
 msgid "Specify a NIS server address for DHCPv6 clients."
 msgstr "Specify a NIS server address for DHCPv6 clients."
 
-#: ../../configuration/service/dhcp-server.rst:625
+#: ../../configuration/service/dhcp-server.rst:555
 msgid "Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address of Fully Qualified Domain Name for all DHCPv6 clients."
 msgstr "Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address of Fully Qualified Domain Name for all DHCPv6 clients."
 
+#: ../../configuration/protocols/pim.rst:129
+msgid "Specify a range of group addresses via a prefix-list that forces PIM to never do :abbr:`SSM (Source-Specific Multicast)` over."
+msgstr "Specify a range of group addresses via a prefix-list that forces PIM to never do :abbr:`SSM (Source-Specific Multicast)` over."
+
 #: ../../configuration/system/task-scheduler.rst:33
 msgid "Specify absolute `<path>` to script which will be run when `<task>` is executed."
 msgstr "Specify absolute `<path>` to script which will be run when `<task>` is executed."
@@ -12869,42 +12197,10 @@ msgstr "Specify the IPv4 source address to use for the BGP session to this neigh
 msgid "Specify the LDAP server to connect to."
 msgstr "Specify the LDAP server to connect to."
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:50
 msgid "Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater then 0 which fits in the length of SLA IDs (see below)."
 msgstr "Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater then 0 which fits in the length of SLA IDs (see below)."
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:27
 msgid "Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer."
 msgstr "Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer."
@@ -12929,7 +12225,7 @@ msgstr "Specify the systems `<timezone>` as the Region/Location that best define
 msgid "Specify the time interval when `<task>` should be executed. The interval is specified as number with one of the following suffixes:"
 msgstr "Specify the time interval when `<task>` should be executed. The interval is specified as number with one of the following suffixes:"
 
-#: ../../configuration/service/dns.rst:256
+#: ../../configuration/service/dns.rst:269
 msgid "Specify timeout / update interval to check if IP address changed."
 msgstr "Specify timeout / update interval to check if IP address changed."
 
@@ -12937,7 +12233,7 @@ msgstr "Specify timeout / update interval to check if IP address changed."
 msgid "Specify timeout interval for keepalive message in seconds."
 msgstr "Specify timeout interval for keepalive message in seconds."
 
-#: ../../configuration/interfaces/vxlan.rst:170
+#: ../../configuration/interfaces/vxlan.rst:191
 msgid "Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 is each a VyOS router running 1.2."
 msgstr "Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 is each a VyOS router running 1.2."
 
@@ -12953,7 +12249,11 @@ msgstr "Spoke"
 msgid "Squid_ is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does not support the SOCKS protocol."
 msgstr "Squid_ is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does not support the SOCKS protocol."
 
-#: ../../configuration/nat/nat44.rst:791
+#: ../../configuration/service/https.rst:56
+msgid "Start Webserver in given  VRF."
+msgstr "Start Webserver in given  VRF."
+
+#: ../../configuration/nat/nat44.rst:813
 msgid "Start by checking for IPSec SAs (Security Associations) with:"
 msgstr "Start by checking for IPSec SAs (Security Associations) with:"
 
@@ -12961,6 +12261,10 @@ msgstr "Start by checking for IPSec SAs (Security Associations) with:"
 msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
 msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
 
+#: ../../configuration/firewall/zone.rst:13
+msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations. Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 has this feature. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` chapter."
+msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations. Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 has this feature. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` chapter."
+
 #: ../../configuration/firewall/index.rst:8
 msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations."
 msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations."
@@ -12981,7 +12285,7 @@ msgstr "Starting with VyOS 1.2 a :abbr:`mDNS (Multicast DNS)` repeater functiona
 msgid "Static"
 msgstr "Static"
 
-#: ../../configuration/service/dhcp-server.rst:224
+#: ../../configuration/service/dhcp-server.rst:189
 msgid "Static DHCP IP address assign to host identified by `<description>`. IP address must be inside the `<subnet>` which is defined but can be outside the dynamic range created with :cfgcmd:`set service dhcp-server shared-network-name <name> subnet <subnet> range <n>`. If no ip-address is specified, an IP from the dynamic pool is used."
 msgstr "Static DHCP IP address assign to host identified by `<description>`. IP address must be inside the `<subnet>` which is defined but can be outside the dynamic range created with :cfgcmd:`set service dhcp-server shared-network-name <name> subnet <subnet> range <n>`. If no ip-address is specified, an IP from the dynamic pool is used."
 
@@ -13009,13 +12313,13 @@ msgstr "Static Routing or other dynamic routing protocols can be used over the v
 msgid "Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each device wishing to use MACsec. Keys must be set statically on all devices for traffic to flow properly. Key rotation is dependent on the administrator updating all keys manually across connected devices. Static SAK mode can not be used with MKA."
 msgstr "Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each device wishing to use MACsec. Keys must be set statically on all devices for traffic to flow properly. Key rotation is dependent on the administrator updating all keys manually across connected devices. Static SAK mode can not be used with MKA."
 
-#: ../../configuration/service/dhcp-server.rst:209
-#: ../../configuration/service/dhcp-server.rst:689
+#: ../../configuration/service/dhcp-server.rst:174
+#: ../../configuration/service/dhcp-server.rst:621
 msgid "Static mappings"
 msgstr "Static mappings"
 
-#: ../../configuration/service/dhcp-server.rst:557
-#: ../../configuration/service/dhcp-server.rst:762
+#: ../../configuration/service/dhcp-server.rst:460
+#: ../../configuration/service/dhcp-server.rst:694
 msgid "Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``."
 msgstr "Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``."
 
@@ -13059,6 +12363,10 @@ msgstr "Supported Modules"
 msgid "Supported channel width set."
 msgstr "Supported channel width set."
 
+#: ../../configuration/system/frr.rst:30
+msgid "Supported daemons:"
+msgstr "Supported daemons:"
+
 #: ../../configuration/service/router-advert.rst:11
 msgid "Supported interface types:"
 msgstr "Supported interface types:"
@@ -13096,15 +12404,18 @@ msgstr "Synamic instructs to forward to all peers which we have a direct connect
 msgid "Sync groups"
 msgstr "Sync groups"
 
-#: ../../configuration/firewall/general.rst:1264
+#: ../../configuration/firewall/ipv4.rst:911
+#: ../../configuration/firewall/ipv6.rst:920
 msgid "Synproxy"
 msgstr "Synproxy"
 
-#: ../../configuration/firewall/general.rst:1265
+#: ../../configuration/firewall/ipv4.rst:912
+#: ../../configuration/firewall/ipv6.rst:921
 msgid "Synproxy connections"
 msgstr "Synproxy connections"
 
-#: ../../configuration/firewall/general.rst:1282
+#: ../../configuration/firewall/ipv4.rst:929
+#: ../../configuration/firewall/ipv6.rst:938
 msgid "Synproxy relies on syncookies and TCP timestamps, ensure these are enabled"
 msgstr "Synproxy relies on syncookies and TCP timestamps, ensure these are enabled"
 
@@ -13177,7 +12488,7 @@ msgstr "System is unusable - a panic condition"
 msgid "TACACS+"
 msgstr "TACACS+"
 
-#: ../../configuration/system/login.rst:416
+#: ../../configuration/system/login.rst:418
 msgid "TACACS Example"
 msgstr "TACACS Example"
 
@@ -13226,6 +12537,14 @@ msgstr "Telegraf output plugin prometheus-client_"
 msgid "Telegraf output plugin splunk_. HTTP Event Collector."
 msgstr "Telegraf output plugin splunk_. HTTP Event Collector."
 
+#: ../../configuration/protocols/pim.rst:157
+msgid "Tell PIM that we would not like to use this interface to process bootstrap messages."
+msgstr "Tell PIM that we would not like to use this interface to process bootstrap messages."
+
+#: ../../configuration/protocols/pim.rst:162
+msgid "Tell PIM that we would not like to use this interface to process unicast bootstrap messages."
+msgstr "Tell PIM that we would not like to use this interface to process unicast bootstrap messages."
+
 #: ../../configuration/service/router-advert.rst:1
 msgid "Tell hosts to use the administered (stateful) protocol (i.e. DHCP) for autoconfiguration of other (non-address) information"
 msgstr "Tell hosts to use the administered (stateful) protocol (i.e. DHCP) for autoconfiguration of other (non-address) information"
@@ -13234,7 +12553,7 @@ msgstr "Tell hosts to use the administered (stateful) protocol (i.e. DHCP) for a
 msgid "Tell hosts to use the administered stateful protocol (i.e. DHCP) for autoconfiguration"
 msgstr "Tell hosts to use the administered stateful protocol (i.e. DHCP) for autoconfiguration"
 
-#: ../../configuration/vpn/sstp.rst:216
+#: ../../configuration/vpn/sstp.rst:227
 msgid "Temporary disable this RADIUS server."
 msgstr "Temporary disable this RADIUS server."
 
@@ -13266,15 +12585,19 @@ msgstr "Test disconnecting given connection-oriented interface. `<interface>` ca
 msgid "Test disconnecting given connection-oriented interface. `<interface>` can be ``sstpc0`` as the example."
 msgstr "Test disconnecting given connection-oriented interface. `<interface>` can be ``sstpc0`` as the example."
 
-#: ../../configuration/vpn/sstp.rst:293
+#: ../../configuration/nat/nat64.rst:70
+msgid "Test from the IPv6 only client:"
+msgstr "Test from the IPv6 only client:"
+
+#: ../../configuration/vpn/sstp.rst:305
 msgid "Testing SSTP"
 msgstr "Testing SSTP"
 
-#: ../../configuration/nat/nat44.rst:786
+#: ../../configuration/nat/nat44.rst:808
 msgid "Testing and Validation"
 msgstr "Testing and Validation"
 
-#: ../../configuration/interfaces/vxlan.rst:125
+#: ../../configuration/interfaces/vxlan.rst:146
 msgid "Thanks to this discovery, any subsequent traffic between PC4 and PC5 will not be using the multicast-address between the leaves as they both know behind which Leaf the PCs are connected. This saves traffic as less multicast packets sent reduces the load on the network, which improves scalability when more leaves are added."
 msgstr "Thanks to this discovery, any subsequent traffic between PC4 and PC5 will not be using the multicast-address between the leaves as they both know behind which Leaf the PCs are connected. This saves traffic as less multicast packets sent reduces the load on the network, which improves scalability when more leaves are added."
 
@@ -13282,7 +12605,7 @@ msgstr "Thanks to this discovery, any subsequent traffic between PC4 and PC5 wil
 msgid "That is how it is possible to do the so-called \"ingress shaping\"."
 msgstr "That is how it is possible to do the so-called \"ingress shaping\"."
 
-#: ../../configuration/nat/nat44.rst:806
+#: ../../configuration/nat/nat44.rst:828
 msgid "That looks good - we defined 2 tunnels and they're both up and running."
 msgstr "That looks good - we defined 2 tunnels and they're both up and running."
 
@@ -13290,7 +12613,7 @@ msgstr "That looks good - we defined 2 tunnels and they're both up and running."
 msgid "The ARP monitor works by periodically checking the slave devices to determine whether they have sent or received traffic recently (the precise criteria depends upon the bonding mode, and the state of the slave). Regular traffic is generated via ARP probes issued for the addresses specified by the :cfgcmd:`arp-monitor target` option."
 msgstr "The ARP monitor works by periodically checking the slave devices to determine whether they have sent or received traffic recently (the precise criteria depends upon the bonding mode, and the state of the slave). Regular traffic is generated via ARP probes issued for the addresses specified by the :cfgcmd:`arp-monitor target` option."
 
-#: ../../configuration/nat/nat44.rst:724
+#: ../../configuration/nat/nat44.rst:746
 msgid "The ASP has documented their IPSec requirements:"
 msgstr "The ASP has documented their IPSec requirements:"
 
@@ -13306,21 +12629,6 @@ msgstr "The CLI configuration is same as mentioned in above articles. The only d
 msgid "The CLNS address consists of the following parts:"
 msgstr "The CLNS address consists of the following parts:"
 
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
-#: ../../_include/interface-dhcpv6-options.txt:4
 #: ../../_include/interface-dhcpv6-options.txt:4
 msgid "The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client."
 msgstr "The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client."
@@ -13341,7 +12649,7 @@ msgstr "The FQ-CoDel policy distributes the traffic into 1024 FIFO queues and tr
 msgid "The HTTP service listen on TCP port 80."
 msgstr "The HTTP service listen on TCP port 80."
 
-#: ../../configuration/nat/nat44.rst:505
+#: ../../configuration/nat/nat44.rst:525
 msgid "The IP address of the internal system we wish to forward traffic to."
 msgstr "The IP address of the internal system we wish to forward traffic to."
 
@@ -13365,7 +12673,7 @@ msgstr "The PowerDNS recursor has 5 different levels of DNSSEC processing, which
 msgid "The Priority Queue is a classful scheduling policy. It does not delay packets (Priority Queue is not a shaping policy), it simply dequeues packets according to their priority."
 msgstr "The Priority Queue is a classful scheduling policy. It does not delay packets (Priority Queue is not a shaping policy), it simply dequeues packets according to their priority."
 
-#: ../../configuration/vpn/openconnect.rst:287
+#: ../../configuration/vpn/openconnect.rst:294
 msgid "The RADIUS accounting feature must be used with the OpenConnect authentication mode RADIUS. It cannot be used with local authentication. You must configure the OpenConnect authentication mode to \"radius\"."
 msgstr "The RADIUS accounting feature must be used with the OpenConnect authentication mode RADIUS. It cannot be used with local authentication. You must configure the OpenConnect authentication mode to \"radius\"."
 
@@ -13393,18 +12701,22 @@ msgstr "The VXLAN specification was originally created by VMware, Arista Network
 msgid "The VyOS DNS forwarder does not require an upstream DNS server. It can serve as a full recursive DNS server - but it can also forward queries to configurable upstream DNS servers. By not configuring any upstream DNS servers you also avoid being tracked by the provider of your upstream DNS server."
 msgstr "The VyOS DNS forwarder does not require an upstream DNS server. It can serve as a full recursive DNS server - but it can also forward queries to configurable upstream DNS servers. By not configuring any upstream DNS servers you also avoid being tracked by the provider of your upstream DNS server."
 
-#: ../../configuration/service/dns.rst:160
+#: ../../configuration/service/dns.rst:173
 msgid "The VyOS DNS forwarder will only accept lookup requests from the LAN subnets - 192.168.1.0/24 and 2001:db8::/64"
 msgstr "The VyOS DNS forwarder will only accept lookup requests from the LAN subnets - 192.168.1.0/24 and 2001:db8::/64"
 
-#: ../../configuration/service/dns.rst:158
+#: ../../configuration/service/dns.rst:171
 msgid "The VyOS DNS forwarder will only listen for requests on the eth1 (LAN) interface addresses - 192.168.1.254 for IPv4 and 2001:db8::ffff for IPv6"
 msgstr "The VyOS DNS forwarder will only listen for requests on the eth1 (LAN) interface addresses - 192.168.1.254 for IPv4 and 2001:db8::ffff for IPv6"
 
-#: ../../configuration/service/dns.rst:162
+#: ../../configuration/service/dns.rst:175
 msgid "The VyOS DNS forwarder will pass reverse lookups for  10.in-addr.arpa, 168.192.in-addr.arpa, 16-31.172.in-addr.arpa zones to upstream server."
 msgstr "The VyOS DNS forwarder will pass reverse lookups for  10.in-addr.arpa, 168.192.in-addr.arpa, 16-31.172.in-addr.arpa zones to upstream server."
 
+#: ../../configuration/pki/index.rst:254
+msgid "The VyOS PKI subsystem can also be used to automatically retrieve Certificates using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol."
+msgstr "The VyOS PKI subsystem can also be used to automatically retrieve Certificates using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol."
+
 #: ../../configuration/container/index.rst:7
 msgid "The VyOS container implementation is based on `Podman<https://podman.io/>` as a deamonless container engine."
 msgstr "The VyOS container implementation is based on `Podman<https://podman.io/>` as a deamonless container engine."
@@ -13466,14 +12778,19 @@ msgstr "The ``source-address`` must be configured on one of VyOS interface. Best
 msgid "The `show bridge` operational command can be used to display configured bridges:"
 msgstr "The `show bridge` operational command can be used to display configured bridges:"
 
-#: ../../configuration/vpn/openconnect.rst:246
+#: ../../configuration/vpn/openconnect.rst:253
 msgid "The above directory and default-config must be a child directory of /config/auth, since files outside this directory are not persisted after an image upgrade."
 msgstr "The above directory and default-config must be a child directory of /config/auth, since files outside this directory are not persisted after an image upgrade."
 
-#: ../../configuration/firewall/general.rst:332
+#: ../../configuration/firewall/ipv4.rst:86
+#: ../../configuration/firewall/ipv6.rst:86
 msgid "The action can be :"
 msgstr "The action can be :"
 
+#: ../../configuration/pki/index.rst:271
+msgid "The address the server listens to during http-01 challenge"
+msgstr "The address the server listens to during http-01 challenge"
+
 #: ../../configuration/protocols/bgp.rst:775
 msgid "The advantage of this is that the route-selection (at this point) will be more deterministic. The disadvantage is that a few or even one lowest-ID router may attract all traffic to otherwise-equal paths because of this check. It may increase the possibility of MED or IGP oscillation, unless other measures were taken to avoid these. The exact behaviour will be sensitive to the iBGP and reflection topology."
 msgstr "The advantage of this is that the route-selection (at this point) will be more deterministic. The disadvantage is that a few or even one lowest-ID router may attract all traffic to otherwise-equal paths because of this check. It may increase the possibility of MED or IGP oscillation, unless other measures were taken to avoid these. The exact behaviour will be sensitive to the iBGP and reflection topology."
@@ -13482,25 +12799,6 @@ msgstr "The advantage of this is that the route-selection (at this point) will b
 msgid "The allocated address block is 100.64.0.0/10."
 msgstr "The allocated address block is 100.64.0.0/10."
 
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
-#: ../../_include/interface-ipv6.txt:92
 #: ../../_include/interface-ipv6.txt:92
 msgid "The amount of Duplicate Address Detection probes to send."
 msgstr "The amount of Duplicate Address Detection probes to send."
@@ -13525,7 +12823,7 @@ msgstr "The bonding interface provides a method for aggregating multiple network
 msgid "The case of ingress shaping"
 msgstr "The case of ingress shaping"
 
-#: ../../configuration/service/pppoe-server.rst:398
+#: ../../configuration/service/pppoe-server.rst:385
 msgid "The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address to terminate the pppoe endpoint on the client side and a /56 subnet for the clients internal use."
 msgstr "The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address to terminate the pppoe endpoint on the client side and a /56 subnet for the clients internal use."
 
@@ -13541,7 +12839,7 @@ msgstr "The command :opcmd:`show interfaces wireguard wg01 public-key` will then
 msgid "The command also generates a configuration snipped which can be copy/pasted into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet."
 msgstr "The command also generates a configuration snipped which can be copy/pasted into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet."
 
-#: ../../configuration/service/pppoe-server.rst:244
+#: ../../configuration/service/pppoe-server.rst:231
 msgid "The command below enables it, assuming the RADIUS connection has been setup and is working."
 msgstr "The command below enables it, assuming the RADIUS connection has been setup and is working."
 
@@ -13557,9 +12855,9 @@ msgstr "The command pon TESTUNNEL establishes the PPTP tunnel to the remote syst
 msgid "The computers on an internal network can use any of the addresses set aside by the :abbr:`IANA (Internet Assigned Numbers Authority)` for private addressing (see :rfc:`1918`). These reserved IP addresses are not in use on the Internet, so an external machine will not directly route to them. The following addresses are reserved for private use:"
 msgstr "The computers on an internal network can use any of the addresses set aside by the :abbr:`IANA (Internet Assigned Numbers Authority)` for private addressing (see :rfc:`1918`). These reserved IP addresses are not in use on the Internet, so an external machine will not directly route to them. The following addresses are reserved for private use:"
 
-#: ../../configuration/service/dhcp-server.rst:244
-#: ../../configuration/service/dhcp-server.rst:670
-#: ../../configuration/service/dhcp-server.rst:712
+#: ../../configuration/service/dhcp-server.rst:210
+#: ../../configuration/service/dhcp-server.rst:601
+#: ../../configuration/service/dhcp-server.rst:644
 msgid "The configuration will look as follows:"
 msgstr "The configuration will look as follows:"
 
@@ -13579,7 +12877,7 @@ msgstr "The connection tracking expect table contains one entry for each expecte
 msgid "The connection tracking table contains one entry for each connection being tracked by the system."
 msgstr "The connection tracking table contains one entry for each connection being tracked by the system."
 
-#: ../../configuration/service/pppoe-server.rst:238
+#: ../../configuration/service/pppoe-server.rst:225
 msgid "The current attribute 'Filter-Id' is being used as default and can be setup within RADIUS:"
 msgstr "The current attribute 'Filter-Id' is being used as default and can be setup within RADIUS:"
 
@@ -13607,30 +12905,18 @@ msgstr "The default hostname used is `vyos`."
 msgid "The default is 1492."
 msgstr "The default is 1492."
 
-#: ../../configuration/service/dhcp-server.rst:596
+#: ../../configuration/service/dhcp-server.rst:526
 msgid "The default lease time for DHCPv6 leases is 24 hours. This can be changed by supplying a ``default-time``, ``maximum-time`` and ``minimum-time``. All values need to be supplied in seconds."
 msgstr "The default lease time for DHCPv6 leases is 24 hours. This can be changed by supplying a ``default-time``, ``maximum-time`` and ``minimum-time``. All values need to be supplied in seconds."
 
-#: ../../configuration/interfaces/vxlan.rst:336
+#: ../../configuration/interfaces/vxlan.rst:357
 msgid "The default port udp is set to 8472. It can be changed with ``set interface vxlan <vxlanN> port <port>``"
 msgstr "The default port udp is set to 8472. It can be changed with ``set interface vxlan <vxlanN> port <port>``"
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
+#: ../../configuration/protocols/pim.rst:52
+msgid "The default time is 60 seconds."
+msgstr "The default time is 60 seconds."
+
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:15
 msgid "The default value corresponds to 64."
 msgstr "The default value corresponds to 64."
@@ -13643,7 +12929,15 @@ msgstr "The default value is 0. This will cause the carrier to be asserted (for
 msgid "The default value is 300 seconds."
 msgstr "The default value is 300 seconds."
 
-#: ../../configuration/service/dhcp-server.rst:113
+#: ../../configuration/protocols/pim.rst:214
+msgid "The default value is 3."
+msgstr "The default value is 3."
+
+#: ../../configuration/protocols/pim.rst:68
+msgid "The default value is 3 packets."
+msgstr "The default value is 3 packets."
+
+#: ../../configuration/service/dhcp-server.rst:99
 msgid "The default value is 86400 seconds which corresponds to one day."
 msgstr "The default value is 86400 seconds which corresponds to one day."
 
@@ -13655,25 +12949,29 @@ msgstr "The default value is slow."
 msgid "The default values for the minimum-threshold depend on IP precedence:"
 msgstr "The default values for the minimum-threshold depend on IP precedence:"
 
-#: ../../configuration/interfaces/vxlan.rst:313
+#: ../../configuration/interfaces/vxlan.rst:334
 msgid "The destination port used for creating a VXLAN interface in Linux defaults to its pre-standard value of 8472 to preserve backward compatibility. A configuration directive to support a user-specified destination port to override that behavior is available using the above command."
 msgstr "The destination port used for creating a VXLAN interface in Linux defaults to its pre-standard value of 8472 to preserve backward compatibility. A configuration directive to support a user-specified destination port to override that behavior is available using the above command."
 
-#: ../../configuration/service/dhcp-server.rst:200
+#: ../../configuration/interfaces/vxlan.rst:98
+msgid "The device can only receive packets with VNIs configured in the VNI filtering table."
+msgstr "The device can only receive packets with VNIs configured in the VNI filtering table."
+
+#: ../../configuration/service/dhcp-server.rst:165
 msgid "The dialogue between failover partners is neither encrypted nor authenticated. Since most DHCP servers exist within an organisation's own secure Intranet, this would be an unnecessary overhead. However, if you have DHCP failover peers whose communications traverse insecure networks, then we recommend that you consider the use of VPN tunneling between them to ensure that the failover partnership is immune to disruption (accidental or otherwise) via third parties."
 msgstr "The dialogue between failover partners is neither encrypted nor authenticated. Since most DHCP servers exist within an organisation's own secure Intranet, this would be an unnecessary overhead. However, if you have DHCP failover peers whose communications traverse insecure networks, then we recommend that you consider the use of VPN tunneling between them to ensure that the failover partnership is immune to disruption (accidental or otherwise) via third parties."
 
-#: ../../configuration/service/dhcp-server.rst:36
-#: ../../configuration/service/dhcp-server.rst:138
+#: ../../configuration/service/dhcp-server.rst:31
+#: ../../configuration/service/dhcp-server.rst:124
 msgid "The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP Option 015)."
 msgstr "The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP Option 015)."
 
-#: ../../configuration/service/dhcp-server.rst:45
-#: ../../configuration/service/dhcp-server.rst:145
+#: ../../configuration/service/dhcp-server.rst:40
+#: ../../configuration/service/dhcp-server.rst:131
 msgid "The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119)."
 msgstr "The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119)."
 
-#: ../../configuration/nat/nat44.rst:694
+#: ../../configuration/nat/nat44.rst:718
 msgid "The dummy interface allows us to have an equivalent of the Cisco IOS Loopback interface - a router-internal interface we can use for IP addresses the router must know about, but which are not actually assigned to a real network."
 msgstr "The dummy interface allows us to have an equivalent of the Cisco IOS Loopback interface - a router-internal interface we can use for IP addresses the router must know about, but which are not actually assigned to a real network."
 
@@ -13689,11 +12987,11 @@ msgstr "The embedded Squid proxy can use LDAP to authenticate users against a co
 msgid "The example above uses 192.0.2.2 as external IP address. A LAC normally requires an authentication password, which is set in the example configuration to ``lns shared-secret 'secret'``. This setup requires the Compression Control Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` accomplishes that."
 msgstr "The example above uses 192.0.2.2 as external IP address. A LAC normally requires an authentication password, which is set in the example configuration to ``lns shared-secret 'secret'``. This setup requires the Compression Control Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` accomplishes that."
 
-#: ../../configuration/service/pppoe-server.rst:382
+#: ../../configuration/service/pppoe-server.rst:369
 msgid "The example below covers a dual-stack configuration via pppoe-server."
 msgstr "The example below covers a dual-stack configuration via pppoe-server."
 
-#: ../../configuration/service/pppoe-server.rst:361
+#: ../../configuration/service/pppoe-server.rst:348
 msgid "The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and serves requests only on eth1."
 msgstr "The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and serves requests only on eth1."
 
@@ -13705,7 +13003,7 @@ msgstr "The example configuration below will assign an IP to the client on the i
 msgid "The example creates a wireless station (commonly referred to as Wi-Fi client) that accesses the network through the WAP defined in the above example. The default physical device (``phy0``) is used."
 msgstr "The example creates a wireless station (commonly referred to as Wi-Fi client) that accesses the network through the WAP defined in the above example. The default physical device (``phy0``) is used."
 
-#: ../../configuration/nat/nat44.rst:319
+#: ../../configuration/nat/nat44.rst:331
 msgid "The external IP address to translate to"
 msgstr "The external IP address to translate to"
 
@@ -13729,24 +13027,19 @@ msgstr "The first address of the parameter ``client-subnet``, will be used as th
 msgid "The first and arguably cleaner option is to make your IPsec policy match GRE packets between external addresses of your routers. This is the best option if both routers have static external addresses."
 msgstr "The first and arguably cleaner option is to make your IPsec policy match GRE packets between external addresses of your routers. This is the best option if both routers have static external addresses."
 
-#: ../../_include/interface-disable-flow-control.txt:8
-#: ../../_include/interface-disable-flow-control.txt:8
-#: ../../_include/interface-disable-flow-control.txt:8
-#: ../../_include/interface-disable-flow-control.txt:8
-#: ../../_include/interface-disable-flow-control.txt:8
-#: ../../_include/interface-disable-flow-control.txt:8
-#: ../../_include/interface-disable-flow-control.txt:8
-#: ../../_include/interface-disable-flow-control.txt:8
-#: ../../_include/interface-disable-flow-control.txt:8
 #: ../../_include/interface-disable-flow-control.txt:8
 msgid "The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard."
 msgstr "The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard."
 
+#: ../../configuration/protocols/pim.rst:93
+msgid "The first ip address is the RP's address and the second value is the matching prefix of group ranges covered."
+msgstr "The first ip address is the RP's address and the second value is the matching prefix of group ranges covered."
+
 #: ../../configuration/vpn/dmvpn.rst:63
 msgid "The first registration request is sent to the protocol broadcast address, and the server's real protocol address is dynamically detected from the first registration reply."
 msgstr "The first registration request is sent to the protocol broadcast address, and the server's real protocol address is dynamically detected from the first registration reply."
 
-#: ../../configuration/vpn/sstp.rst:299
+#: ../../configuration/vpn/sstp.rst:311
 msgid "The following PPP configuration tests MSCHAP-v2:"
 msgstr "The following PPP configuration tests MSCHAP-v2:"
 
@@ -13810,6 +13103,10 @@ msgstr "The following example topology was built using EVE-NG."
 msgid "The following example will show how VyOS can be used to redirect web traffic to an external transparent proxy:"
 msgstr "The following example will show how VyOS can be used to redirect web traffic to an external transparent proxy:"
 
+#: ../../configuration/nat/nat64.rst:40
+msgid "The following examples show how to configure NAT64 on a VyOS router. The 192.0.2.10 address is used as the IPv4 address for the translation pool."
+msgstr "The following examples show how to configure NAT64 on a VyOS router. The 192.0.2.10 address is used as the IPv4 address for the translation pool."
+
 #: ../../configuration/interfaces/wwan.rst:309
 msgid "The following hardware modules have been tested successfully in an :ref:`pc-engines-apu4` board:"
 msgstr "The following hardware modules have been tested successfully in an :ref:`pc-engines-apu4` board:"
@@ -13839,7 +13136,7 @@ msgid "The forwarding delay time is the time spent in each of the listening and
 msgstr "The forwarding delay time is the time spent in each of the listening and learning states before the Forwarding state is entered. This delay is so that when a new bridge comes onto a busy network it looks at some traffic before participating."
 
 #: ../../configuration/service/dhcp-relay.rst:98
-#: ../../configuration/service/dhcp-relay.rst:184
+#: ../../configuration/service/dhcp-relay.rst:186
 msgid "The generated configuration will look like:"
 msgstr "The generated configuration will look like:"
 
@@ -13871,7 +13168,7 @@ msgstr "The hostname can be up to 63 characters. A hostname must start and end w
 msgid "The hostname or IP address of the master"
 msgstr "The hostname or IP address of the master"
 
-#: ../../configuration/service/dhcp-server.rst:700
+#: ../../configuration/service/dhcp-server.rst:632
 msgid "The identifier is the device's DUID: colon-separated hex list (as used by isc-dhcp option dhcpv6.client-id). If the device already has a dynamic lease from the DHCPv6 server, its DUID can be found with ``show service dhcpv6 server leases``. The DUID begins at the 5th octet (after the 4th colon) of IAID_DUID."
 msgstr "The identifier is the device's DUID: colon-separated hex list (as used by isc-dhcp option dhcpv6.client-id). If the device already has a dynamic lease from the DHCPv6 server, its DUID can be found with ``show service dhcpv6 server leases``. The DUID begins at the 5th octet (after the 4th colon) of IAID_DUID."
 
@@ -13879,13 +13176,11 @@ msgstr "The identifier is the device's DUID: colon-separated hex list (as used b
 msgid "The individual spoke configurations only differ in the local IP address on the ``tun10`` interface. See the above diagram for the individual IP addresses."
 msgstr "The individual spoke configurations only differ in the local IP address on the ``tun10`` interface. See the above diagram for the individual IP addresses."
 
-#: ../../_include/interface-vlan-8021ad.txt:25
-#: ../../_include/interface-vlan-8021ad.txt:25
 #: ../../_include/interface-vlan-8021ad.txt:25
 msgid "The inner tag is the tag which is closest to the payload portion of the frame. It is officially called C-TAG (customer tag, with ethertype 0x8100). The outer tag is the one closer/closest to the Ethernet header, its name is S-TAG (service tag with Ethernet Type = 0x88a8)."
 msgstr "The inner tag is the tag which is closest to the payload portion of the frame. It is officially called C-TAG (customer tag, with ethertype 0x8100). The outer tag is the one closer/closest to the Ethernet header, its name is S-TAG (service tag with Ethernet Type = 0x88a8)."
 
-#: ../../configuration/nat/nat44.rst:503
+#: ../../configuration/nat/nat44.rst:523
 msgid "The interface traffic will be coming in on;"
 msgstr "The interface traffic will be coming in on;"
 
@@ -13893,7 +13188,7 @@ msgstr "The interface traffic will be coming in on;"
 msgid "The interface used to receive and relay individual broadcast packets. If you want to receive/relay packets on both `eth1` and `eth2` both interfaces need to be added."
 msgstr "The interface used to receive and relay individual broadcast packets. If you want to receive/relay packets on both `eth1` and `eth2` both interfaces need to be added."
 
-#: ../../configuration/nat/nat44.rst:317
+#: ../../configuration/nat/nat44.rst:329
 msgid "The internal IP addresses we want to translate"
 msgstr "The internal IP addresses we want to translate"
 
@@ -13937,6 +13232,14 @@ msgstr "The local site will have a subnet of 10.0.0.0/16."
 msgid "The loopback networking interface is a virtual network device implemented entirely in software. All traffic sent to it \"loops back\" and just targets services on your local machine."
 msgstr "The loopback networking interface is a virtual network device implemented entirely in software. All traffic sent to it \"loops back\" and just targets services on your local machine."
 
+#: ../../configuration/firewall/index.rst:20
+msgid "The main points regarding this packet flow and terminology used in VyOS firewall are covered below:"
+msgstr "The main points regarding this packet flow and terminology used in VyOS firewall are covered below:"
+
+#: ../../configuration/firewall/index.rst:92
+msgid "The main structure VyOS firewall cli is shown next:"
+msgstr "The main structure VyOS firewall cli is shown next:"
+
 #: ../../configuration/interfaces/bonding.rst:271
 msgid "The maximum number of targets that can be specified is 16. The default value is no IP address."
 msgstr "The maximum number of targets that can be specified is 16. The default value is no IP address."
@@ -13961,7 +13264,7 @@ msgstr "The minimal echo receive transmission interval that this system is capab
 msgid "The most visible application of the protocol is for access to shell accounts on Unix-like operating systems, but it sees some limited use on Windows as well. In 2015, Microsoft announced that they would include native support for SSH in a future release."
 msgstr "The most visible application of the protocol is for access to shell accounts on Unix-like operating systems, but it sees some limited use on Windows as well. In 2015, Microsoft announced that they would include native support for SSH in a future release."
 
-#: ../../configuration/interfaces/vxlan.rst:292
+#: ../../configuration/interfaces/vxlan.rst:313
 msgid "The multicast-group used by all leaves for this vlan extension. Has to be the same on all leaves that has this interface."
 msgstr "The multicast-group used by all leaves for this vlan extension. Has to be the same on all leaves that has this interface."
 
@@ -14009,13 +13312,11 @@ msgstr "The optional `disable` option allows to exclude interface from passive s
 msgid "The optional parameter register specifies that Registration Request should be sent to this peer on startup."
 msgstr "The optional parameter register specifies that Registration Request should be sent to this peer on startup."
 
-#: ../../_include/interface-vlan-8021ad.txt:10
-#: ../../_include/interface-vlan-8021ad.txt:10
 #: ../../_include/interface-vlan-8021ad.txt:10
 msgid "The original 802.1q_ specification allows a single Virtual Local Area Network (VLAN) header to be inserted into an Ethernet frame. QinQ allows multiple VLAN tags to be inserted into a single frame, an essential capability for implementing Metro Ethernet network topologies. Just as QinQ extends 802.1Q, QinQ itself is extended by other Metro Ethernet protocols."
 msgstr "The original 802.1q_ specification allows a single Virtual Local Area Network (VLAN) header to be inserted into an Ethernet frame. QinQ allows multiple VLAN tags to be inserted into a single frame, an essential capability for implementing Metro Ethernet network topologies. Just as QinQ extends 802.1Q, QinQ itself is extended by other Metro Ethernet protocols."
 
-#: ../../configuration/nat/nat44.rst:318
+#: ../../configuration/nat/nat44.rst:330
 msgid "The outgoing interface to perform the translation on"
 msgstr "The outgoing interface to perform the translation on"
 
@@ -14051,11 +13352,11 @@ msgstr "The prefix and ASN that originated it match a signed ROA. These are prob
 msgid "The prefix or prefix length and ASN that originated it doesn't match any existing ROA. This could be the result of a prefix hijack, or merely a misconfiguration, but should probably be treated as untrustworthy route announcements."
 msgstr "The prefix or prefix length and ASN that originated it doesn't match any existing ROA. This could be the result of a prefix hijack, or merely a misconfiguration, but should probably be treated as untrustworthy route announcements."
 
-#: ../../configuration/service/dhcp-server.rst:434
+#: ../../configuration/service/dhcp-server.rst:375
 msgid "The primary DHCP server uses address `192.168.189.252`"
 msgstr "The primary DHCP server uses address `192.168.189.252`"
 
-#: ../../configuration/service/dhcp-server.rst:193
+#: ../../configuration/service/dhcp-server.rst:158
 msgid "The primary and secondary statements determines whether the server is primary or secondary."
 msgstr "The primary and secondary statements determines whether the server is primary or secondary."
 
@@ -14067,7 +13368,7 @@ msgstr "The primary option is only valid for active-backup, transmit-load-balanc
 msgid "The priority must be an integer number from 1 to 255. Higher priority value increases router's precedence in the master elections."
 msgstr "The priority must be an integer number from 1 to 255. Higher priority value increases router's precedence in the master elections."
 
-#: ../../configuration/service/dhcp-server.rst:609
+#: ../../configuration/service/dhcp-server.rst:539
 msgid "The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` domain is similar to the NIS domain one:"
 msgstr "The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` domain is similar to the NIS domain one:"
 
@@ -14075,7 +13376,7 @@ msgstr "The procedure to specify a :abbr:`NIS+ (Network Information Service Plus
 msgid "The prompt is adjusted to reflect this change in both config and op-mode."
 msgstr "The prompt is adjusted to reflect this change in both config and op-mode."
 
-#: ../../configuration/nat/nat44.rst:504
+#: ../../configuration/nat/nat44.rst:524
 msgid "The protocol and port we wish to forward;"
 msgstr "The protocol and port we wish to forward;"
 
@@ -14124,7 +13425,7 @@ msgstr "The remote user will use the openconnect client to connect to the router
 msgid "The required config file may look like this:"
 msgstr "The required config file may look like this:"
 
-#: ../../configuration/nat/nat44.rst:683
+#: ../../configuration/nat/nat44.rst:707
 msgid "The required configuration can be broken down into 4 major pieces:"
 msgstr "The required configuration can be broken down into 4 major pieces:"
 
@@ -14160,7 +13461,7 @@ msgstr "The router should discard DHCP packages already containing relay agent i
 msgid "The sFlow accounting based on hsflowd https://sflow.net/"
 msgstr "The sFlow accounting based on hsflowd https://sflow.net/"
 
-#: ../../configuration/vpn/openconnect.rst:263
+#: ../../configuration/vpn/openconnect.rst:270
 msgid "The same configuration options apply when Identity based config is configured in group mode except that group mode can only be used with RADIUS authentication."
 msgstr "The same configuration options apply when Identity based config is configured in group mode except that group mode can only be used with RADIUS authentication."
 
@@ -14172,7 +13473,7 @@ msgstr "The scheme above doesn't work when one of the routers has a dynamic exte
 msgid "The search filter can contain up to 15 occurrences of %s which will be replaced by the username, as in \"uid=%s\" for :rfc:`2037` directories. For a detailed description of LDAP search filter syntax see :rfc:`2254`."
 msgstr "The search filter can contain up to 15 occurrences of %s which will be replaced by the username, as in \"uid=%s\" for :rfc:`2037` directories. For a detailed description of LDAP search filter syntax see :rfc:`2254`."
 
-#: ../../configuration/service/dhcp-server.rst:435
+#: ../../configuration/service/dhcp-server.rst:376
 msgid "The secondary DHCP server uses address `192.168.189.253`"
 msgstr "The secondary DHCP server uses address `192.168.189.253`"
 
@@ -14184,7 +13485,7 @@ msgstr "The security approach in SNMPv3 targets:"
 msgid "The sequence ``^Ec?`` translates to: ``Ctrl+E c ?``. To quit the session use: ``Ctrl+E c .``"
 msgstr "The sequence ``^Ec?`` translates to: ``Ctrl+E c ?``. To quit the session use: ``Ctrl+E c .``"
 
-#: ../../configuration/interfaces/vxlan.rst:168
+#: ../../configuration/interfaces/vxlan.rst:189
 msgid "The setup is this: Leaf2 - Spine1 - Leaf3"
 msgstr "The setup is this: Leaf2 - Spine1 - Leaf3"
 
@@ -14196,11 +13497,6 @@ msgstr "The size of the on-disk Proxy cache is user configurable. The Proxies de
 msgid "The speed (baudrate) of the console device. Supported values are:"
 msgstr "The speed (baudrate) of the console device. Supported values are:"
 
-#: ../../_include/interface-vlan-8021q.txt:16
-#: ../../_include/interface-vlan-8021q.txt:16
-#: ../../_include/interface-vlan-8021q.txt:16
-#: ../../_include/interface-vlan-8021q.txt:16
-#: ../../_include/interface-vlan-8021q.txt:16
 #: ../../_include/interface-vlan-8021q.txt:16
 msgid "The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging) and much of the IEEE 802.1d standard."
 msgstr "The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging) and much of the IEEE 802.1d standard."
@@ -14221,7 +13517,7 @@ msgstr "The table consists of following data:"
 msgid "The task scheduler allows you to execute tasks on a given schedule. It makes use of UNIX cron_."
 msgstr "The task scheduler allows you to execute tasks on a given schedule. It makes use of UNIX cron_."
 
-#: ../../configuration/nat/nat44.rst:233
+#: ../../configuration/nat/nat44.rst:245
 msgid "The translation address must be set to one of the available addresses on the configured `outbound-interface` or it must be set to `masquerade` which will use the primary IP address of the `outbound-interface` as its translation address."
 msgstr "The translation address must be set to one of the available addresses on the configured `outbound-interface` or it must be set to `masquerade` which will use the primary IP address of the `outbound-interface` as its translation address."
 
@@ -14245,22 +13541,7 @@ msgstr "The use of IPoE addresses the disadvantage that PPP is unsuited for mult
 msgid "The value of the attribute ``NAS-Port-Id`` must be less than 16 characters, otherwise the interface won't be renamed."
 msgstr "The value of the attribute ``NAS-Port-Id`` must be less than 16 characters, otherwise the interface won't be renamed."
 
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
-#: ../../_include/interface-dhcp-options.txt:31
+#: ../../_include/interface-dhcp-options.txt:36
 msgid "The vendor-class-id option can be used to request a specific class of vendor options from the server."
 msgstr "The vendor-class-id option can be used to request a specific class of vendor options from the server."
 
@@ -14276,7 +13557,7 @@ msgstr "The window size must be between 1 and 21."
 msgid "The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an :abbr:`EAP (Extensible Authentication Protocol)`  method configured on the RADIUS server. The WAP (also referred to as authenticator) role is to send all authentication messages between the supplicant and the configured authentication server, thus the RADIUS server is responsible for authenticating the users."
 msgstr "The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an :abbr:`EAP (Extensible Authentication Protocol)`  method configured on the RADIUS server. The WAP (also referred to as authenticator) role is to send all authentication messages between the supplicant and the configured authentication server, thus the RADIUS server is responsible for authenticating the users."
 
-#: ../../configuration/nat/nat44.rst:597
+#: ../../configuration/nat/nat44.rst:621
 msgid "Then a corresponding SNAT rule is created to NAT outgoing traffic for the internal IP to a reserved external IP. This dedicates an external IP address to an internal IP address and is useful for protocols which don't have the notion of ports, such as GRE."
 msgstr "Then a corresponding SNAT rule is created to NAT outgoing traffic for the internal IP to a reserved external IP. This dedicates an external IP address to an internal IP address and is useful for protocols which don't have the notion of ports, such as GRE."
 
@@ -14300,16 +13581,22 @@ msgstr "There's a variety of client GUI frontends for any platform"
 msgid "There are 3 default NTP server set. You are able to change them."
 msgstr "There are 3 default NTP server set. You are able to change them."
 
-#: ../../configuration/firewall/general.rst:536
-#: ../../configuration/firewall/general-legacy.rst:380
+#: ../../configuration/firewall/ipv4.rst:269
+#: ../../configuration/firewall/ipv6.rst:269
 msgid "There are a lot of matching criteria against which the package can be tested."
 msgstr "There are a lot of matching criteria against which the package can be tested."
 
+#: ../../configuration/firewall/bridge.rst:221
+#: ../../configuration/firewall/ipv4.rst:303
+#: ../../configuration/firewall/ipv6.rst:303
+msgid "There are a lot of matching criteria against which the packet can be tested."
+msgstr "There are a lot of matching criteria against which the packet can be tested."
+
 #: ../../configuration/policy/route.rst:40
 msgid "There are a lot of matching criteria options available, both for ``policy route`` and ``policy route6``. These options are listed in this section."
 msgstr "There are a lot of matching criteria options available, both for ``policy route`` and ``policy route6``. These options are listed in this section."
 
-#: ../../configuration/system/ipv6.rst:91
+#: ../../configuration/system/ipv6.rst:92
 msgid "There are different parameters for getting prefix-list information:"
 msgstr "There are different parameters for getting prefix-list information:"
 
@@ -14344,51 +13631,27 @@ msgstr "There are two types of Network Admins who deal with BGP, those who have
 #: ../../configuration/protocols/bgp.rst:896
 msgid "There are two ways that help us to mitigate the BGPs full-mesh requirement in a network:"
 msgstr "There are two ways that help us to mitigate the BGPs full-mesh requirement in a network:"
-
-#: ../../configuration/interfaces/loopback.rst:13
-msgid "There can only be one loopback ``lo`` interface on the system. If you need multiple interfaces, please use the :ref:`dummy-interface` interface type."
-msgstr "There can only be one loopback ``lo`` interface on the system. If you need multiple interfaces, please use the :ref:`dummy-interface` interface type."
-
-#: ../../configuration/policy/index.rst:13
-msgid "There could be a wide range of routing policies. Some examples are listed below:"
-msgstr "There could be a wide range of routing policies. Some examples are listed below:"
-
-#: ../../configuration/nat/nat44.rst:115
-msgid "There is a very nice picture/explanation in the Vyatta documentation which should be rewritten here."
-msgstr "There is a very nice picture/explanation in the Vyatta documentation which should be rewritten here."
-
-#: ../../configuration/interfaces/tunnel.rst:282
-msgid "There is also a GRE over IPv6 encapsulation available, it is called: ``ip6gre``."
-msgstr "There is also a GRE over IPv6 encapsulation available, it is called: ``ip6gre``."
-
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
-#: ../../_include/interface-vrf.txt:6
+
+#: ../../configuration/interfaces/loopback.rst:13
+msgid "There can only be one loopback ``lo`` interface on the system. If you need multiple interfaces, please use the :ref:`dummy-interface` interface type."
+msgstr "There can only be one loopback ``lo`` interface on the system. If you need multiple interfaces, please use the :ref:`dummy-interface` interface type."
+
+#: ../../configuration/policy/index.rst:13
+msgid "There could be a wide range of routing policies. Some examples are listed below:"
+msgstr "There could be a wide range of routing policies. Some examples are listed below:"
+
+#: ../../configuration/nat/nat44.rst:115
+msgid "There is a very nice picture/explanation in the Vyatta documentation which should be rewritten here."
+msgstr "There is a very nice picture/explanation in the Vyatta documentation which should be rewritten here."
+
+#: ../../configuration/interfaces/tunnel.rst:282
+msgid "There is also a GRE over IPv6 encapsulation available, it is called: ``ip6gre``."
+msgstr "There is also a GRE over IPv6 encapsulation available, it is called: ``ip6gre``."
+
 #: ../../_include/interface-vrf.txt:6
 msgid "There is an entire chapter about how to configure a :ref:`vrf`, please check this for additional information."
 msgstr "There is an entire chapter about how to configure a :ref:`vrf`, please check this for additional information."
 
-#: ../../configuration/protocols/igmp.rst:93
 #: ../../configuration/protocols/pim6.rst:27
 msgid "These are the commands for a basic setup."
 msgstr "These are the commands for a basic setup."
@@ -14413,6 +13676,10 @@ msgstr "These parameters need to be part of the DHCP global options. They stay u
 msgid "They can be **decimal** prefixes."
 msgstr "They can be **decimal** prefixes."
 
+#: ../../configuration/firewall/flowtables.rst:102
+msgid "Things to be considred in this setup:"
+msgstr "Things to be considred in this setup:"
+
 #: ../../configuration/interfaces/l2tpv3.rst:54
 msgid "This address must be the address of a local interface. It may be specified as an IPv4 address or an IPv6 address."
 msgstr "This address must be the address of a local interface. It may be specified as an IPv4 address or an IPv6 address."
@@ -14438,6 +13705,10 @@ msgstr "This algorithm will place all traffic to a particular network peer on th
 msgid "This allows avoiding the timers defined in BGP and OSPF protocol to expires."
 msgstr "This allows avoiding the timers defined in BGP and OSPF protocol to expires."
 
+#: ../../configuration/system/frr.rst:17
+msgid "This allows the operator to control the number of open file descriptors each daemon is allowed to start with. If the operator plans to run bgp with several thousands of peers then this is where we would modify FRR to allow this to happen."
+msgstr "This allows the operator to control the number of open file descriptors each daemon is allowed to start with. If the operator plans to run bgp with several thousands of peers then this is where we would modify FRR to allow this to happen."
+
 #: ../../configuration/service/dns.rst:41
 msgid "This also works for reverse-lookup zones (``18.172.in-addr.arpa``)."
 msgstr "This also works for reverse-lookup zones (``18.172.in-addr.arpa``)."
@@ -14503,7 +13774,7 @@ msgstr "This command allows to specify the distribution type for the network con
 msgid "This command allows to use route map to filter redistributed routes. There are six modes available for route source: connected, kernel, ospf, rip, static, table."
 msgstr "This command allows to use route map to filter redistributed routes. There are six modes available for route source: connected, kernel, ospf, rip, static, table."
 
-#: ../../configuration/protocols/ospf.rst:1259
+#: ../../configuration/protocols/ospf.rst:1261
 msgid "This command allows to use route map to filter redistributed routes from given route source. There are five modes available for route source: bgp, connected, kernel, ripng, static."
 msgstr "This command allows to use route map to filter redistributed routes from given route source. There are five modes available for route source: bgp, connected, kernel, ripng, static."
 
@@ -14734,23 +14005,27 @@ msgstr "This command disables route reflection between route reflector clients.
 msgid "This command disables split-horizon on the interface. By default, VyOS does not advertise RIP routes out the interface over which they were learned (split horizon).3"
 msgstr "This command disables split-horizon on the interface. By default, VyOS does not advertise RIP routes out the interface over which they were learned (split horizon).3"
 
-#: ../../configuration/protocols/bgp.rst:1008
+#: ../../configuration/protocols/isis.rst:318
+msgid "This command disables the load sharing across multiple LFA backups."
+msgstr "This command disables the load sharing across multiple LFA backups."
+
+#: ../../configuration/protocols/bgp.rst:1009
 msgid "This command displays BGP dampened routes."
 msgstr "This command displays BGP dampened routes."
 
-#: ../../configuration/protocols/bgp.rst:1031
+#: ../../configuration/protocols/bgp.rst:1032
 msgid "This command displays BGP received-routes that are accepted after filtering."
 msgstr "This command displays BGP received-routes that are accepted after filtering."
 
-#: ../../configuration/protocols/bgp.rst:1021
+#: ../../configuration/protocols/bgp.rst:1022
 msgid "This command displays BGP routes advertised to a neighbor."
 msgstr "This command displays BGP routes advertised to a neighbor."
 
-#: ../../configuration/protocols/bgp.rst:1016
+#: ../../configuration/protocols/bgp.rst:1017
 msgid "This command displays BGP routes allowed by the specified AS Path access list."
 msgstr "This command displays BGP routes allowed by the specified AS Path access list."
 
-#: ../../configuration/protocols/bgp.rst:1025
+#: ../../configuration/protocols/bgp.rst:1026
 msgid "This command displays BGP routes originating from the specified BGP neighbor before inbound policy is applied. To use this command inbound soft reconfiguration must be enabled."
 msgstr "This command displays BGP routes originating from the specified BGP neighbor before inbound policy is applied. To use this command inbound soft reconfiguration must be enabled."
 
@@ -14763,17 +14038,17 @@ msgid "This command displays RIP routes."
 msgstr "This command displays RIP routes."
 
 #: ../../configuration/protocols/ospf.rst:785
-#: ../../configuration/protocols/ospf.rst:1304
+#: ../../configuration/protocols/ospf.rst:1306
 msgid "This command displays a database contents for a specific link advertisement type."
 msgstr "This command displays a database contents for a specific link advertisement type."
 
 #: ../../configuration/protocols/ospf.rst:752
-#: ../../configuration/protocols/ospf.rst:1299
+#: ../../configuration/protocols/ospf.rst:1301
 msgid "This command displays a summary table with a database contents (LSA)."
 msgstr "This command displays a summary table with a database contents (LSA)."
 
 #: ../../configuration/protocols/ospf.rst:747
-#: ../../configuration/protocols/ospf.rst:1294
+#: ../../configuration/protocols/ospf.rst:1296
 msgid "This command displays a table of paths to area boundary and autonomous system boundary routers."
 msgstr "This command displays a table of paths to area boundary and autonomous system boundary routers."
 
@@ -14781,35 +14056,35 @@ msgstr "This command displays a table of paths to area boundary and autonomous s
 msgid "This command displays all entries in BGP routing table."
 msgstr "This command displays all entries in BGP routing table."
 
-#: ../../configuration/protocols/bgp.rst:1035
+#: ../../configuration/protocols/bgp.rst:1036
 msgid "This command displays dampened routes received from BGP neighbor."
 msgstr "This command displays dampened routes received from BGP neighbor."
 
-#: ../../configuration/protocols/ospf.rst:1309
+#: ../../configuration/protocols/ospf.rst:1311
 msgid "This command displays external information redistributed into OSPFv3"
 msgstr "This command displays external information redistributed into OSPFv3"
 
-#: ../../configuration/protocols/bgp.rst:1039
+#: ../../configuration/protocols/bgp.rst:1040
 msgid "This command displays information about BGP routes whose AS path matches the specified regular expression."
 msgstr "This command displays information about BGP routes whose AS path matches the specified regular expression."
 
-#: ../../configuration/protocols/bgp.rst:1012
+#: ../../configuration/protocols/bgp.rst:1013
 msgid "This command displays information about flapping BGP routes."
 msgstr "This command displays information about flapping BGP routes."
 
-#: ../../configuration/protocols/bgp.rst:976
+#: ../../configuration/protocols/bgp.rst:977
 msgid "This command displays information about the particular entry in the BGP routing table."
 msgstr "This command displays information about the particular entry in the BGP routing table."
 
-#: ../../configuration/protocols/bgp.rst:1003
+#: ../../configuration/protocols/bgp.rst:1004
 msgid "This command displays routes that are permitted by the BGP community list."
 msgstr "This command displays routes that are permitted by the BGP community list."
 
-#: ../../configuration/protocols/bgp.rst:996
+#: ../../configuration/protocols/bgp.rst:997
 msgid "This command displays routes that belong to specified BGP communities. Valid value is a community number in the range from 1 to 4294967200, or AA:NN (autonomous system-community number/2-byte number), no-export, local-as, or no-advertise."
 msgstr "This command displays routes that belong to specified BGP communities. Valid value is a community number in the range from 1 to 4294967200, or AA:NN (autonomous system-community number/2-byte number), no-export, local-as, or no-advertise."
 
-#: ../../configuration/protocols/bgp.rst:992
+#: ../../configuration/protocols/bgp.rst:993
 msgid "This command displays routes with classless interdomain routing (CIDR)."
 msgstr "This command displays routes with classless interdomain routing (CIDR)."
 
@@ -14817,11 +14092,11 @@ msgstr "This command displays routes with classless interdomain routing (CIDR)."
 msgid "This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is given."
 msgstr "This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is given."
 
-#: ../../configuration/protocols/ospf.rst:1283
+#: ../../configuration/protocols/ospf.rst:1285
 msgid "This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is given. Whith the argument :cfgcmd:`prefix` this command shows connected prefixes to advertise."
 msgstr "This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is given. Whith the argument :cfgcmd:`prefix` this command shows connected prefixes to advertise."
 
-#: ../../configuration/protocols/ospf.rst:1289
+#: ../../configuration/protocols/ospf.rst:1291
 msgid "This command displays the OSPF routing table, as determined by the most recent SPF calculation."
 msgstr "This command displays the OSPF routing table, as determined by the most recent SPF calculation."
 
@@ -14829,12 +14104,12 @@ msgstr "This command displays the OSPF routing table, as determined by the most
 msgid "This command displays the OSPF routing table, as determined by the most recent SPF calculation. With the optional :cfgcmd:`detail` argument, each route item's advertiser router and network attribute will be shown."
 msgstr "This command displays the OSPF routing table, as determined by the most recent SPF calculation. With the optional :cfgcmd:`detail` argument, each route item's advertiser router and network attribute will be shown."
 
-#: ../../configuration/protocols/ospf.rst:1279
+#: ../../configuration/protocols/ospf.rst:1281
 msgid "This command displays the neighbor DR choice information."
 msgstr "This command displays the neighbor DR choice information."
 
 #: ../../configuration/protocols/ospf.rst:623
-#: ../../configuration/protocols/ospf.rst:1274
+#: ../../configuration/protocols/ospf.rst:1276
 msgid "This command displays the neighbors information in a detailed form, not just a summary table."
 msgstr "This command displays the neighbors information in a detailed form, not just a summary table."
 
@@ -14843,7 +14118,7 @@ msgid "This command displays the neighbors information in a detailed form for a
 msgstr "This command displays the neighbors information in a detailed form for a neighbor whose IP address is specified."
 
 #: ../../configuration/protocols/ospf.rst:613
-#: ../../configuration/protocols/ospf.rst:1270
+#: ../../configuration/protocols/ospf.rst:1272
 msgid "This command displays the neighbors status."
 msgstr "This command displays the neighbors status."
 
@@ -14851,7 +14126,7 @@ msgstr "This command displays the neighbors status."
 msgid "This command displays the neighbors status for a neighbor on the specified interface."
 msgstr "This command displays the neighbors status for a neighbor on the specified interface."
 
-#: ../../configuration/protocols/bgp.rst:1044
+#: ../../configuration/protocols/bgp.rst:1045
 msgid "This command displays the status of all BGP connections."
 msgstr "This command displays the status of all BGP connections."
 
@@ -14863,6 +14138,10 @@ msgstr "This command enable/disables summarisation for the configured address ra
 msgid "This command enable logging neighbor up/down changes and reset reason."
 msgstr "This command enable logging neighbor up/down changes and reset reason."
 
+#: ../../configuration/protocols/isis.rst:311
+msgid "This command enables IP fast re-routing that is part of :rfc:`5286`. Specifically this is a prefix list which references a prefix in which will select eligible PQ nodes for remote LFA backups."
+msgstr "This command enables IP fast re-routing that is part of :rfc:`5286`. Specifically this is a prefix list which references a prefix in which will select eligible PQ nodes for remote LFA backups."
+
 #: ../../configuration/protocols/isis.rst:70
 msgid "This command enables IS-IS on this interface, and allows for adjacency to occur. Note that the name of IS-IS instance must be the same as the one used to configure the IS-IS process."
 msgstr "This command enables IS-IS on this interface, and allows for adjacency to occur. Note that the name of IS-IS instance must be the same as the one used to configure the IS-IS process."
@@ -14946,6 +14225,10 @@ msgstr "This command is only allowed for eBGP peers."
 msgid "This command is only allowed for eBGP peers. It is not applicable for peer groups."
 msgstr "This command is only allowed for eBGP peers. It is not applicable for peer groups."
 
+#: ../../configuration/protocols/pim.rst:70
+msgid "This command is only useful at scale when you can possibly have a large number of PIM control packets flowing."
+msgstr "This command is only useful at scale when you can possibly have a large number of PIM control packets flowing."
+
 #: ../../configuration/protocols/rip.rst:106
 msgid "This command is specific to FRR and VyOS. The route command makes a static route only inside RIP. This command should be used only by advanced users who are particularly knowledgeable about the RIP protocol. In most cases, we recommend creating a static route in VyOS and redistributing it in RIP using :cfgcmd:`redistribute static`."
 msgstr "This command is specific to FRR and VyOS. The route command makes a static route only inside RIP. This command should be used only by advanced users who are particularly knowledgeable about the RIP protocol. In most cases, we recommend creating a static route in VyOS and redistributing it in RIP using :cfgcmd:`redistribute static`."
@@ -15006,7 +14289,7 @@ msgstr "This command redistributes routing information from the given route sour
 msgid "This command redistributes routing information from the given route source to the OSPF process. There are five modes available for route source: bgp, connected, kernel, rip, static."
 msgstr "This command redistributes routing information from the given route source to the OSPF process. There are five modes available for route source: bgp, connected, kernel, rip, static."
 
-#: ../../configuration/protocols/ospf.rst:1253
+#: ../../configuration/protocols/ospf.rst:1255
 msgid "This command redistributes routing information from the given route source to the OSPFv3 process. There are five modes available for route source: bgp, connected, kernel, ripng, static."
 msgstr "This command redistributes routing information from the given route source to the OSPFv3 process. There are five modes available for route source: bgp, connected, kernel, ripng, static."
 
@@ -15014,19 +14297,19 @@ msgstr "This command redistributes routing information from the given route sour
 msgid "This command removes the private ASN of routes that are advertised to the configured peer. It removes only private ASNs on routes advertised to EBGP peers."
 msgstr "This command removes the private ASN of routes that are advertised to the configured peer. It removes only private ASNs on routes advertised to EBGP peers."
 
-#: ../../configuration/protocols/bgp.rst:1067
+#: ../../configuration/protocols/bgp.rst:1068
 msgid "This command resets BGP connections to the specified neighbor IP address. With argument :cfgcmd:`soft` this command initiates a soft reset. If you do not specify the :cfgcmd:`in` or :cfgcmd:`out` options, both inbound and outbound soft reconfiguration are triggered."
 msgstr "This command resets BGP connections to the specified neighbor IP address. With argument :cfgcmd:`soft` this command initiates a soft reset. If you do not specify the :cfgcmd:`in` or :cfgcmd:`out` options, both inbound and outbound soft reconfiguration are triggered."
 
-#: ../../configuration/protocols/bgp.rst:1087
+#: ../../configuration/protocols/bgp.rst:1088
 msgid "This command resets BGP connections to the specified peer group. With argument :cfgcmd:`soft` this command initiates a soft reset. If you do not specify the :cfgcmd:`in` or :cfgcmd:`out` options, both inbound and outbound soft reconfiguration are triggered."
 msgstr "This command resets BGP connections to the specified peer group. With argument :cfgcmd:`soft` this command initiates a soft reset. If you do not specify the :cfgcmd:`in` or :cfgcmd:`out` options, both inbound and outbound soft reconfiguration are triggered."
 
-#: ../../configuration/protocols/bgp.rst:1074
+#: ../../configuration/protocols/bgp.rst:1075
 msgid "This command resets all BGP connections of given router."
 msgstr "This command resets all BGP connections of given router."
 
-#: ../../configuration/protocols/bgp.rst:1083
+#: ../../configuration/protocols/bgp.rst:1084
 msgid "This command resets all external BGP peers of given router."
 msgstr "This command resets all external BGP peers of given router."
 
@@ -15431,56 +14714,18 @@ msgstr "This command summarizes intra area paths from specified area into one su
 msgid "This command to ensure not advertise the summary lsa for the matched external LSAs."
 msgstr "This command to ensure not advertise the summary lsa for the matched external LSAs."
 
-#: ../../configuration/protocols/bgp.rst:1078
+#: ../../configuration/protocols/bgp.rst:1079
 msgid "This command uses to clear BGP route dampening information and to unsuppress suppressed routes."
 msgstr "This command uses to clear BGP route dampening information and to unsuppress suppressed routes."
 
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
-#: ../../_include/interface-ipv6.txt:65
 #: ../../_include/interface-ipv6.txt:65
 msgid "This command was introduced in VyOS 1.4 - it was previously called: ``set firewall options interface <name> adjust-mss6 <value>``"
 msgstr "This command was introduced in VyOS 1.4 - it was previously called: ``set firewall options interface <name> adjust-mss6 <value>``"
 
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
 #: ../../configuration/interfaces/pppoe.rst:212
 #: ../../configuration/interfaces/pppoe.rst:258
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
 #: ../../configuration/interfaces/sstp-client.rst:84
 #: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
-#: ../../_include/interface-ip.txt:9
 msgid "This command was introduced in VyOS 1.4 - it was previously called: ``set firewall options interface <name> adjust-mss <value>``"
 msgstr "This command was introduced in VyOS 1.4 - it was previously called: ``set firewall options interface <name> adjust-mss <value>``"
 
@@ -15494,6 +14739,10 @@ msgstr "This command will change the hold down value for IGP-LDP synchronization
 msgid "This command will change the hold down value globally for IGP-LDP synchronization during convergence/interface flap events."
 msgstr "This command will change the hold down value globally for IGP-LDP synchronization during convergence/interface flap events."
 
+#: ../../configuration/protocols/isis.rst:324
+msgid "This command will configure a tie-breaker for multiple local LFA backups. The lower index numbers will be processed first."
+msgstr "This command will configure a tie-breaker for multiple local LFA backups. The lower index numbers will be processed first."
+
 #: ../../configuration/protocols/isis.rst:134
 msgid "This command will enable IGP-LDP synchronization globally for ISIS. This requires for LDP to be functional. This is described in :rfc:`5443`. By default all interfaces operational in IS-IS are enabled for synchronization. Loopbacks are exempt."
 msgstr "This command will enable IGP-LDP synchronization globally for ISIS. This requires for LDP to be functional. This is described in :rfc:`5443`. By default all interfaces operational in IS-IS are enabled for synchronization. Loopbacks are exempt."
@@ -15510,25 +14759,32 @@ msgstr "This command will generate a default-route in L1 database."
 msgid "This command will generate a default-route in L2 database."
 msgstr "This command will generate a default-route in L2 database."
 
-#: ../../configuration/firewall/general.rst:1457
-#: ../../configuration/firewall/general-legacy.rst:904
+#: ../../configuration/firewall/ipv6.rst:1113
 msgid "This command will give an overview of a rule in a single rule-set"
 msgstr "This command will give an overview of a rule in a single rule-set"
 
+#: ../../configuration/firewall/ipv4.rst:1091
+msgid "This command will give an overview of a rule in a single rule-set, plus information for default action."
+msgstr "This command will give an overview of a rule in a single rule-set, plus information for default action."
+
 #: ../../configuration/firewall/general-legacy.rst:940
 msgid "This command will give an overview of a rule in a single rule-set."
 msgstr "This command will give an overview of a rule in a single rule-set."
 
-#: ../../configuration/firewall/general.rst:1435
-#: ../../configuration/firewall/general-legacy.rst:932
+#: ../../configuration/firewall/ipv4.rst:1072
+#: ../../configuration/firewall/ipv6.rst:1088
 msgid "This command will give an overview of a single rule-set."
 msgstr "This command will give an overview of a single rule-set."
 
+#: ../../configuration/protocols/isis.rst:330
+msgid "This command will limit LFA backup computation up to the specified prefix priority."
+msgstr "This command will limit LFA backup computation up to the specified prefix priority."
+
 #: ../../configuration/protocols/bgp.rst:268
 msgid "This command would allow the dynamic update of capabilities over an established BGP session."
 msgstr "This command would allow the dynamic update of capabilities over an established BGP session."
 
-#: ../../configuration/interfaces/vxlan.rst:272
+#: ../../configuration/interfaces/vxlan.rst:293
 msgid "This commands creates a bridge that is used to bind traffic on eth1 vlan 241 with the vxlan241-interface. The IP address is not required. It may however be used as a default gateway for each Leaf which allows devices on the vlan to reach other subnets. This requires that the subnets are redistributed by OSPF so that the Spine will learn how to reach it. To do this you need to change the OSPF network from '10.0.0.0/8' to '0.0.0.0/0' to allow 172.16/12-networks to be advertised."
 msgstr "This commands creates a bridge that is used to bind traffic on eth1 vlan 241 with the vxlan241-interface. The IP address is not required. It may however be used as a default gateway for each Leaf which allows devices on the vlan to reach other subnets. This requires that the subnets are redistributed by OSPF so that the Spine will learn how to reach it. To do this you need to change the OSPF network from '10.0.0.0/8' to '0.0.0.0/0' to allow 172.16/12-networks to be advertised."
 
@@ -15548,7 +14804,12 @@ msgstr "This configuration listen on port 80 and redirect incoming requests to H
 msgid "This configuration modifies the behavior of the network statement. If you have this configured the underlying network must exist in the routing table."
 msgstr "This configuration modifies the behavior of the network statement. If you have this configured the underlying network must exist in the routing table."
 
-#: ../../configuration/service/dhcp-server.rst:78
+#: ../../configuration/service/dhcp-server.rst:76
+#: ../../configuration/service/dhcp-server.rst:520
+msgid "This configuration parameter is required and must be unique to each subnet. It is required to map subnets to lease file entries."
+msgstr "This configuration parameter is required and must be unique to each subnet. It is required to map subnets to lease file entries."
+
+#: ../../configuration/service/dhcp-server.rst:58
 msgid "This configuration parameter lets the DHCP server to listen for DHCP requests sent to the specified address, it is only realistically useful for a server whose only clients are reached via unicasts, such as via DHCP relay agents."
 msgstr "This configuration parameter lets the DHCP server to listen for DHCP requests sent to the specified address, it is only realistically useful for a server whose only clients are reached via unicasts, such as via DHCP relay agents."
 
@@ -15572,29 +14833,10 @@ msgstr "This defaults to 1812."
 msgid "This defaults to 2007."
 msgstr "This defaults to 2007."
 
-#: ../../configuration/service/dns.rst:258
+#: ../../configuration/service/dns.rst:271
 msgid "This defaults to 300 seconds."
 msgstr "This defaults to 300 seconds."
 
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
-#: ../../_include/interface-ip.txt:25
 #: ../../_include/interface-ip.txt:25
 msgid "This defaults to 30 seconds."
 msgstr "This defaults to 30 seconds."
@@ -15611,6 +14853,14 @@ msgstr "This defaults to 5."
 msgid "This defaults to UDP"
 msgstr "This defaults to UDP"
 
+#: ../../configuration/service/https.rst:52
+msgid "This defaults to both 1.2 and 1.3."
+msgstr "This defaults to both 1.2 and 1.3."
+
+#: ../../configuration/pki/index.rst:283
+msgid "This defaults to https://acme-v02.api.letsencrypt.org/directory"
+msgstr "This defaults to https://acme-v02.api.letsencrypt.org/directory"
+
 #: ../../configuration/interfaces/wireless.rst:101
 msgid "This defaults to phy0."
 msgstr "This defaults to phy0."
@@ -15635,7 +14885,7 @@ msgstr "This enables :rfc:`3137` support, where the OSPF process describes its t
 msgid "This enables the greenfield option which sets the ``[GF]`` option"
 msgstr "This enables the greenfield option which sets the ``[GF]`` option"
 
-#: ../../configuration/nat/nat44.rst:546
+#: ../../configuration/nat/nat44.rst:568
 msgid "This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic."
 msgstr "This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic."
 
@@ -15647,28 +14897,28 @@ msgstr "This example shows how to target an MSS clamp (in our example to 1360 by
 msgid "This feature summarises originated external LSAs (Type-5 and Type-7). Summary Route will be originated on-behalf of all matched external LSAs."
 msgstr "This feature summarises originated external LSAs (Type-5 and Type-7). Summary Route will be originated on-behalf of all matched external LSAs."
 
-#: ../../configuration/service/dns.rst:391
+#: ../../configuration/service/dns.rst:404
 msgid "This functionality is controlled by adding the following configuration:"
 msgstr "This functionality is controlled by adding the following configuration:"
 
-#: ../../configuration/firewall/general.rst:626
-#: ../../configuration/firewall/general-legacy.rst:431
+#: ../../configuration/firewall/ipv4.rst:376
+#: ../../configuration/firewall/ipv6.rst:378
 msgid "This functions for both individual addresses and address groups."
 msgstr "This functions for both individual addresses and address groups."
 
-#: ../../configuration/protocols/isis.rst:449
+#: ../../configuration/protocols/isis.rst:477
 #: ../../configuration/protocols/ospf.rst:968
 msgid "This gives us IGP-LDP synchronization for all non-loopback interfaces with a holddown timer of zero seconds:"
 msgstr "This gives us IGP-LDP synchronization for all non-loopback interfaces with a holddown timer of zero seconds:"
 
-#: ../../configuration/protocols/isis.rst:501
+#: ../../configuration/protocols/isis.rst:529
 #: ../../configuration/protocols/ospf.rst:1018
 #: ../../configuration/protocols/segment-routing.rst:229
 #: ../../configuration/protocols/segment-routing.rst:312
 msgid "This gives us MPLS segment routing enabled and labels for far end loopbacks:"
 msgstr "This gives us MPLS segment routing enabled and labels for far end loopbacks:"
 
-#: ../../configuration/protocols/isis.rst:339
+#: ../../configuration/protocols/isis.rst:367
 msgid "This gives us the following neighborships, Level 1 and Level 2:"
 msgstr "This gives us the following neighborships, Level 1 and Level 2:"
 
@@ -15680,11 +14930,11 @@ msgstr "This instructs opennhrp to reply with authorative answers on NHRP Resolu
 msgid "This is a common scenario where both :ref:`source-nat` and :ref:`destination-nat` are configured at the same time. It's commonly used when internal (private) hosts need to establish a connection with external resources and external systems need to access internal (private) resources."
 msgstr "This is a common scenario where both :ref:`source-nat` and :ref:`destination-nat` are configured at the same time. It's commonly used when internal (private) hosts need to establish a connection with external resources and external systems need to access internal (private) resources."
 
-#: ../../configuration/service/dhcp-server.rst:96
+#: ../../configuration/service/dhcp-server.rst:82
 msgid "This is a configuration parameter for the `<subnet>`, saying that as part of the response, tell the client that the default gateway can be reached at `<address>`."
 msgstr "This is a configuration parameter for the `<subnet>`, saying that as part of the response, tell the client that the default gateway can be reached at `<address>`."
 
-#: ../../configuration/service/dhcp-server.rst:103
+#: ../../configuration/service/dhcp-server.rst:89
 msgid "This is a configuration parameter for the subnet, saying that as part of the response, tell the client that the DNS server can be found at `<address>`."
 msgstr "This is a configuration parameter for the subnet, saying that as part of the response, tell the client that the DNS server can be found at `<address>`."
 
@@ -15696,6 +14946,11 @@ msgstr "This is a mandatory command. Sets regular expression to match against lo
 msgid "This is a mandatory command. Sets the full path to the script. The script file must be executable."
 msgstr "This is a mandatory command. Sets the full path to the script. The script file must be executable."
 
+#: ../../configuration/pki/index.rst:261
+#: ../../configuration/pki/index.rst:267
+msgid "This is a mandatory option"
+msgstr "This is a mandatory option"
+
 #: ../../configuration/protocols/rpki.rst:117
 #: ../../configuration/protocols/rpki.rst:124
 msgid "This is a mandatory setting."
@@ -15725,30 +14980,11 @@ msgstr "This is an optional command. Filters log messages by syslog-identifier."
 msgid "This is an optional command because the event handler will be automatically created after any of the next commands."
 msgstr "This is an optional command because the event handler will be automatically created after any of the next commands."
 
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
-#: ../../_include/interface-ip.txt:156
 #: ../../_include/interface-ip.txt:156
 msgid "This is done to support (ethernet) switch features, like :rfc:`3069`, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in :rfc:`3069`, it is possible to allow these hosts to communicate through the upstream router by proxy_arp'ing."
 msgstr "This is done to support (ethernet) switch features, like :rfc:`3069`, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in :rfc:`3069`, it is possible to allow these hosts to communicate through the upstream router by proxy_arp'ing."
 
-#: ../../configuration/protocols/igmp.rst:208
+#: ../../configuration/protocols/igmp-proxy.rst:36
 msgid "This is especially useful for the upstream interface, since the source for multicast traffic is often from a remote location."
 msgstr "This is especially useful for the upstream interface, since the source for multicast traffic is often from a remote location."
 
@@ -15777,13 +15013,13 @@ msgstr "This is the LAN extension use case. The eth0 port of the distant VPN pee
 msgid "This is the LCD model used in your system."
 msgstr "This is the LCD model used in your system."
 
-#: ../../configuration/service/dhcp-server.rst:40
-#: ../../configuration/service/dhcp-server.rst:49
-#: ../../configuration/service/dhcp-server.rst:56
+#: ../../configuration/service/dhcp-server.rst:35
+#: ../../configuration/service/dhcp-server.rst:44
+#: ../../configuration/service/dhcp-server.rst:51
 msgid "This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally."
 msgstr "This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally."
 
-#: ../../configuration/service/dhcp-server.rst:232
+#: ../../configuration/service/dhcp-server.rst:197
 msgid "This is the equivalent of the host block in dhcpd.conf of isc-dhcpd."
 msgstr "This is the equivalent of the host block in dhcpd.conf of isc-dhcpd."
 
@@ -15795,7 +15031,7 @@ msgstr "This is the name of the physical interface used to connect to your LCD d
 msgid "This is the policy that requieres the lowest resources for the same amount of traffic. But **very likely you do not need it as you cannot get much from it. Sometimes it is used just to enable logging.**"
 msgstr "This is the policy that requieres the lowest resources for the same amount of traffic. But **very likely you do not need it as you cannot get much from it. Sometimes it is used just to enable logging.**"
 
-#: ../../configuration/service/dhcp-server.rst:230
+#: ../../configuration/service/dhcp-server.rst:195
 msgid "This is useful, for example, in combination with hostfile update."
 msgstr "This is useful, for example, in combination with hostfile update."
 
@@ -15807,25 +15043,6 @@ msgstr "This is where \"UDP broadcast relay\" comes into play! It will forward r
 msgid "This makes the server authoritatively not aware of: 10.in-addr.arpa, 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream DNS server(s) to be used for reverse lookups of these zones."
 msgstr "This makes the server authoritatively not aware of: 10.in-addr.arpa, 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream DNS server(s) to be used for reverse lookups of these zones."
 
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
-#: ../../_include/interface-ipv6.txt:12
 #: ../../_include/interface-ipv6.txt:12
 msgid "This method automatically disables IPv6 traffic forwarding on the interface in question."
 msgstr "This method automatically disables IPv6 traffic forwarding on the interface in question."
@@ -15847,11 +15064,11 @@ msgstr "This mode provides load balancing and fault tolerance."
 msgid "This option adds Power Constraint element when applicable and Country element is added. Power Constraint element is required by Transmit Power Control."
 msgstr "This option adds Power Constraint element when applicable and Country element is added. Power Constraint element is required by Transmit Power Control."
 
-#: ../../configuration/service/dhcp-server.rst:133
+#: ../../configuration/service/dhcp-server.rst:119
 msgid "This option can be specified multiple times."
 msgstr "This option can be specified multiple times."
 
-#: ../../configuration/protocols/igmp.rst:211
+#: ../../configuration/protocols/igmp-proxy.rst:39
 msgid "This option can be supplied multiple times."
 msgstr "This option can be supplied multiple times."
 
@@ -15863,7 +15080,15 @@ msgstr "This option is mandatory in Access-Point mode."
 msgid "This option is required when running a DMVPN spoke."
 msgstr "This option is required when running a DMVPN spoke."
 
-#: ../../configuration/system/login.rst:388
+#: ../../_include/interface-dhcp-options.txt:86
+msgid "This option is used by some DHCP clients as a way for users to specify identifying information to the client. This can be used in a similar way to the vendor-class-identifier option, but the value of the option is specified by the user, not the vendor."
+msgstr "This option is used by some DHCP clients as a way for users to specify identifying information to the client. This can be used in a similar way to the vendor-class-identifier option, but the value of the option is specified by the user, not the vendor."
+
+#: ../../_include/interface-dhcp-options.txt:31
+msgid "This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard."
+msgstr "This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard."
+
+#: ../../configuration/system/login.rst:390
 msgid "This option must be used with ``timeout`` option."
 msgstr "This option must be used with ``timeout`` option."
 
@@ -15876,6 +15101,10 @@ msgstr "This option only affects 802.3ad mode."
 msgid "This option specifies a delay in seconds before vrrp instances start up after keepalived starts."
 msgstr "This option specifies a delay in seconds before vrrp instances start up after keepalived starts."
 
+#: ../../configuration/pki/index.rst:277
+msgid "This options defaults to 2048"
+msgstr "This options defaults to 2048"
+
 #: ../../configuration/protocols/ospf.rst:326
 msgid "This parameter allows to \"shortcut\" routes (non-backbone) for inter-area routes. There are three modes available for routes shortcutting:"
 msgstr "This parameter allows to \"shortcut\" routes (non-backbone) for inter-area routes. There are three modes available for routes shortcutting:"
@@ -15892,7 +15121,9 @@ msgstr "This prompted some ISPs to develop a policy within the :abbr:`ARIN (Amer
 msgid "This required setting defines the action of the current rule. If action is set to ``jump``, then ``jump-target`` is also needed."
 msgstr "This required setting defines the action of the current rule. If action is set to ``jump``, then ``jump-target`` is also needed."
 
-#: ../../configuration/firewall/general.rst:360
+#: ../../configuration/firewall/bridge.rst:90
+#: ../../configuration/firewall/ipv4.rst:114
+#: ../../configuration/firewall/ipv6.rst:114
 msgid "This required setting defines the action of the current rule. If action is set to jump, then jump-target is also needed."
 msgstr "This required setting defines the action of the current rule. If action is set to jump, then jump-target is also needed."
 
@@ -15905,7 +15136,7 @@ msgstr "This requires two files, one to create the device (XXX.netdev) and one t
 msgid "This results in the active configuration:"
 msgstr "This results in the active configuration:"
 
-#: ../../configuration/service/dhcp-server.rst:88
+#: ../../configuration/service/dhcp-server.rst:68
 msgid "This says that this device is the only DHCP server for this network. If other devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to any device trying to request an IP address that is not valid for this network."
 msgstr "This says that this device is the only DHCP server for this network. If other devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to any device trying to request an IP address that is not valid for this network."
 
@@ -15917,19 +15148,6 @@ msgstr "This section describes configuring DNS on the system, namely:"
 msgid "This section describes the system's host information and how to configure them, it covers the following topics:"
 msgstr "This section describes the system's host information and how to configure them, it covers the following topics:"
 
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
-#: ../../_include/need_improvement.txt:11
 #: ../../_include/need_improvement.txt:11
 msgid "This section needs improvements, examples and explanations."
 msgstr "This section needs improvements, examples and explanations."
@@ -15938,10 +15156,17 @@ msgstr "This section needs improvements, examples and explanations."
 msgid "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed."
 msgstr "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed."
 
-#: ../../configuration/firewall/general.rst:392
+#: ../../configuration/firewall/ipv4.rst:142
+#: ../../configuration/firewall/ipv6.rst:142
 msgid "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available."
 msgstr "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available."
 
+#: ../../configuration/firewall/bridge.rst:132
+#: ../../configuration/firewall/ipv4.rst:179
+#: ../../configuration/firewall/ipv6.rst:179
+msgid "This set the default action of the rule-set if no rule matched a packet criteria. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available."
+msgstr "This set the default action of the rule-set if no rule matched a packet criteria. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available."
+
 #: ../../configuration/interfaces/openvpn.rst:278
 msgid "This sets the accepted ciphers to use when version => 2.4.0 and NCP is enabled (which is the default). Default NCP cipher for versions >= 2.4.0 is aes256gcm. The first cipher in this list is what server pushes to clients."
 msgstr "This sets the accepted ciphers to use when version => 2.4.0 and NCP is enabled (which is the default). Default NCP cipher for versions >= 2.4.0 is aes256gcm. The first cipher in this list is what server pushes to clients."
@@ -15958,13 +15183,11 @@ msgstr "This setting, which defaults to 3600 seconds, puts a maximum on the amou
 msgid "This setting defaults to 1500 and is valid between 10 and 60000."
 msgstr "This setting defaults to 1500 and is valid between 10 and 60000."
 
-#: ../../configuration/firewall/general.rst:121
-#: ../../configuration/firewall/general-legacy.rst:73
+#: ../../configuration/firewall/global-options.rst:58
 msgid "This setting enable or disable the response of icmp broadcast messages. The following system parameter will be altered:"
 msgstr "This setting enable or disable the response of icmp broadcast messages. The following system parameter will be altered:"
 
-#: ../../configuration/firewall/general.rst:129
-#: ../../configuration/firewall/general-legacy.rst:81
+#: ../../configuration/firewall/global-options.rst:66
 msgid "This setting handle if VyOS accept packets with a source route option. The following system parameter will be altered:"
 msgstr "This setting handle if VyOS accept packets with a source route option. The following system parameter will be altered:"
 
@@ -15972,21 +15195,6 @@ msgstr "This setting handle if VyOS accept packets with a source route option. T
 msgid "This setup will make the VRRP process execute the ``/config/scripts/vrrp-check.sh script`` every 60 seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three times:"
 msgstr "This setup will make the VRRP process execute the ``/config/scripts/vrrp-check.sh script`` every 60 seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three times:"
 
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
-#: ../../_include/interface-dhcpv6-options.txt:28
 #: ../../_include/interface-dhcpv6-options.txt:28
 msgid "This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes."
 msgstr "This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes."
@@ -15995,29 +15203,10 @@ msgstr "This statement specifies dhcp6c to only exchange informational configura
 msgid "This support may be enabled administratively (and indefinitely) with the :cfgcmd:`administrative` command. It may also be enabled conditionally. Conditional enabling of max-metric router-lsas can be for a period of seconds after startup with the :cfgcmd:`on-startup <seconds>` command and/or for a period of seconds prior to shutdown with the :cfgcmd:`on-shutdown <seconds>` command. The time range is 5 to 86400."
 msgstr "This support may be enabled administratively (and indefinitely) with the :cfgcmd:`administrative` command. It may also be enabled conditionally. Conditional enabling of max-metric router-lsas can be for a period of seconds after startup with the :cfgcmd:`on-startup <seconds>` command and/or for a period of seconds prior to shutdown with the :cfgcmd:`on-shutdown <seconds>` command. The time range is 5 to 86400."
 
-#: ../../configuration/nat/nat44.rst:409
+#: ../../configuration/nat/nat44.rst:423
 msgid "This technique is commonly referred to as NAT Reflection or Hairpin NAT."
 msgstr "This technique is commonly referred to as NAT Reflection or Hairpin NAT."
 
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
-#: ../../_include/interface-ip.txt:164
 #: ../../_include/interface-ip.txt:164
 msgid "This technology is known by different names:"
 msgstr "This technology is known by different names:"
@@ -16026,7 +15215,7 @@ msgstr "This technology is known by different names:"
 msgid "This the simplest queue possible you can apply to your traffic. Traffic must go through a finite queue before it is actually sent. You must define how many packets that queue can contain."
 msgstr "This the simplest queue possible you can apply to your traffic. Traffic must go through a finite queue before it is actually sent. You must define how many packets that queue can contain."
 
-#: ../../configuration/interfaces/vxlan.rst:173
+#: ../../configuration/interfaces/vxlan.rst:194
 msgid "This topology was built using GNS3."
 msgstr "This topology was built using GNS3."
 
@@ -16042,26 +15231,37 @@ msgstr "This will configure a static ARP entry always resolving `<address>` to `
 msgid "This will match TCP traffic with source port 80."
 msgstr "This will match TCP traffic with source port 80."
 
-#: ../../configuration/service/dns.rst:282
+#: ../../configuration/service/dns.rst:295
 msgid "This will render the following ddclient_ configuration entry:"
 msgstr "This will render the following ddclient_ configuration entry:"
 
-#: ../../configuration/firewall/general.rst:1314
-#: ../../configuration/firewall/general-legacy.rst:785
+#: ../../configuration/firewall/ipv6.rst:969
 msgid "This will show you a basic firewall overview"
 msgstr "This will show you a basic firewall overview"
 
+#: ../../configuration/firewall/ipv4.rst:961
+msgid "This will show you a basic firewall overview, for all ruleset, and not only for ipv4"
+msgstr "This will show you a basic firewall overview, for all ruleset, and not only for ipv4"
+
+#: ../../configuration/firewall/zone.rst:149
+msgid "This will show you a basic summary of a particular zone."
+msgstr "This will show you a basic summary of a particular zone."
+
+#: ../../configuration/firewall/zone.rst:132
+msgid "This will show you a basic summary of zones configuration."
+msgstr "This will show you a basic summary of zones configuration."
+
 #: ../../configuration/firewall/general-legacy.rst:936
 msgid "This will show you a rule-set statistic since the last boot."
 msgstr "This will show you a rule-set statistic since the last boot."
 
-#: ../../configuration/firewall/general.rst:1479
-#: ../../configuration/firewall/general-legacy.rst:900
+#: ../../configuration/firewall/ipv4.rst:1112
+#: ../../configuration/firewall/ipv6.rst:1135
 msgid "This will show you a statistic of all rule-sets since the last boot."
 msgstr "This will show you a statistic of all rule-sets since the last boot."
 
-#: ../../configuration/firewall/general.rst:1377
-#: ../../configuration/firewall/general-legacy.rst:851
+#: ../../configuration/firewall/ipv4.rst:1016
+#: ../../configuration/firewall/ipv6.rst:1032
 msgid "This will show you a summary of rule-sets and groups"
 msgstr "This will show you a summary of rule-sets and groups"
 
@@ -16069,7 +15269,7 @@ msgstr "This will show you a summary of rule-sets and groups"
 msgid "This workaround lets you apply a shaping policy to the ingress traffic by first redirecting it to an in-between virtual interface (`Intermediate Functional Block`_). There, in that virtual interface, you will be able to apply any of the policies that work for outbound traffic, for instance, a shaping one."
 msgstr "This workaround lets you apply a shaping policy to the ingress traffic by first redirecting it to an in-between virtual interface (`Intermediate Functional Block`_). There, in that virtual interface, you will be able to apply any of the policies that work for outbound traffic, for instance, a shaping one."
 
-#: ../../configuration/nat/nat44.rst:566
+#: ../../configuration/nat/nat44.rst:590
 msgid "This would generate the following configuration:"
 msgstr "This would generate the following configuration:"
 
@@ -16105,8 +15305,8 @@ msgstr "Time in seconds that the prefix will remain valid (default: 30 days)"
 msgid "Time is in minutes and defaults to 60."
 msgstr "Time is in minutes and defaults to 60."
 
-#: ../../configuration/firewall/general.rst:1211
-#: ../../configuration/firewall/general-legacy.rst:722
+#: ../../configuration/firewall/ipv4.rst:874
+#: ../../configuration/firewall/ipv6.rst:883
 #: ../../configuration/policy/route.rst:225
 msgid "Time to match the defined rule."
 msgstr "Time to match the defined rule."
@@ -16115,11 +15315,11 @@ msgstr "Time to match the defined rule."
 msgid "Timeout in seconds between health target checks."
 msgstr "Timeout in seconds between health target checks."
 
-#: ../../configuration/vpn/sstp.rst:223
+#: ../../configuration/vpn/sstp.rst:234
 msgid "Timeout to wait reply for Interim-Update packets. (default 3 seconds)"
 msgstr "Timeout to wait reply for Interim-Update packets. (default 3 seconds)"
 
-#: ../../configuration/vpn/sstp.rst:243
+#: ../../configuration/vpn/sstp.rst:254
 msgid "Timeout to wait response from server (seconds)"
 msgstr "Timeout to wait response from server (seconds)"
 
@@ -16136,7 +15336,15 @@ msgstr "To activate the VLAN aware bridge, you must activate this setting to use
 msgid "To allow VPN-clients access via your external address, a NAT rule is required:"
 msgstr "To allow VPN-clients access via your external address, a NAT rule is required:"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:253
+#: ../../configuration/service/mdns.rst:68
+msgid "To allow listing additional custom domain, for example ``openthread.thread.home.arpa``, so that it can reflected in addition to the default ``local``, use the following command:"
+msgstr "To allow listing additional custom domain, for example ``openthread.thread.home.arpa``, so that it can reflected in addition to the default ``local``, use the following command:"
+
+#: ../../configuration/service/mdns.rst:60
+msgid "To allow only specific services, for example ``_airplay._tcp`` or ``_ipp._tcp``, (instead of all services) to be re-broadcasted, use the following command:"
+msgstr "To allow only specific services, for example ``_airplay._tcp`` or ``_ipp._tcp``, (instead of all services) to be re-broadcasted, use the following command:"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:257
 msgid "To allow traffic to pass through to clients, you need to add the following rules. (if you used the default configuration at the top of this page)"
 msgstr "To allow traffic to pass through to clients, you need to add the following rules. (if you used the default configuration at the top of this page)"
 
@@ -16152,16 +15360,45 @@ msgstr "To auto update the blacklist files"
 msgid "To automatically assign the client an IP address as tunnel endpoint, a client IP pool is needed. The source can be either RADIUS or a local subnet or IP range definition."
 msgstr "To automatically assign the client an IP address as tunnel endpoint, a client IP pool is needed. The source can be either RADIUS or a local subnet or IP range definition."
 
+#: ../../configuration/service/pppoe-server.rst:59
+msgid "To automatically assign the client an IP address as tunnel endpoint, a client IP pool is needed. The source can be either RADIUS or a named pool. There is possibility to create multiple named pools. Each named pool can include only one address range. To use multiple address ranges configure ``next-pool`` option."
+msgstr "To automatically assign the client an IP address as tunnel endpoint, a client IP pool is needed. The source can be either RADIUS or a named pool. There is possibility to create multiple named pools. Each named pool can include only one address range. To use multiple address ranges configure ``next-pool`` option."
+
 #: ../../configuration/firewall/general-legacy.rst:314
 msgid "To be used only when ``action`` is set to ``jump``. Use this command to specify jump target."
 msgstr "To be used only when ``action`` is set to ``jump``. Use this command to specify jump target."
 
-#: ../../configuration/firewall/general.rst:401
-#: ../../configuration/firewall/general-legacy.rst:295
+#: ../../configuration/firewall/bridge.rst:140
+#: ../../configuration/firewall/ipv4.rst:187
+#: ../../configuration/firewall/ipv6.rst:187
 msgid "To be used only when ``defult-action`` is set to ``jump``. Use this command to specify jump target for default rule."
 msgstr "To be used only when ``defult-action`` is set to ``jump``. Use this command to specify jump target for default rule."
 
-#: ../../configuration/firewall/general.rst:374
+#: ../../configuration/firewall/ipv4.rst:126
+#: ../../configuration/firewall/ipv6.rst:126
+msgid "To be used only when action is set to ``jump``. Use this command to specify jump target."
+msgstr "To be used only when action is set to ``jump``. Use this command to specify jump target."
+
+#: ../../configuration/firewall/bridge.rst:120
+#: ../../configuration/firewall/ipv4.rst:163
+#: ../../configuration/firewall/ipv6.rst:163
+msgid "To be used only when action is set to ``queue``. Use this command to distribute packets between several queues."
+msgstr "To be used only when action is set to ``queue``. Use this command to distribute packets between several queues."
+
+#: ../../configuration/firewall/bridge.rst:111
+#: ../../configuration/firewall/ipv4.rst:150
+#: ../../configuration/firewall/ipv6.rst:150
+msgid "To be used only when action is set to ``queue``. Use this command to let packet go through firewall when no userspace software is connected to the queue."
+msgstr "To be used only when action is set to ``queue``. Use this command to let packet go through firewall when no userspace software is connected to the queue."
+
+#: ../../configuration/firewall/bridge.rst:103
+#: ../../configuration/firewall/ipv4.rst:138
+#: ../../configuration/firewall/ipv6.rst:138
+msgid "To be used only when action is set to ``queue``. Use this command to specify queue target to use. Queue range is also supported."
+msgstr "To be used only when action is set to ``queue``. Use this command to specify queue target to use. Queue range is also supported."
+
+#: ../../configuration/firewall/ipv4.rst:126
+#: ../../configuration/firewall/ipv6.rst:126
 msgid "To be used only when action is set to jump. Use this command to specify jump target."
 msgstr "To be used only when action is set to jump. Use this command to specify jump target."
 
@@ -16177,11 +15414,11 @@ msgstr "To bypass the proxy for every request that is directed to a specific des
 msgid "To configure IPv6 assignments for clients, two options need to be configured. A global prefix which is terminated on the clients cpe and a delegated prefix, the client can use for devices routed via the clients cpe."
 msgstr "To configure IPv6 assignments for clients, two options need to be configured. A global prefix which is terminated on the clients cpe and a delegated prefix, the client can use for devices routed via the clients cpe."
 
-#: ../../configuration/firewall/index.rst:58
+#: ../../configuration/firewall/index.rst:179
 msgid "To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`"
 msgstr "To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`"
 
-#: ../../configuration/firewall/index.rst:79
+#: ../../configuration/firewall/index.rst:173
 msgid "To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`"
 msgstr "To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`"
 
@@ -16209,7 +15446,7 @@ msgstr "To configure your LCD display you must first identify the used hardware,
 msgid "To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time."
 msgstr "To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time."
 
-#: ../../configuration/system/login.rst:375
+#: ../../configuration/system/login.rst:377
 msgid "To create a new line in your login message you need to escape the new line character by using ``\\\\n``."
 msgstr "To create a new line in your login message you need to escape the new line character by using ``\\\\n``."
 
@@ -16221,7 +15458,7 @@ msgstr "To create more than one tunnel, use distinct UDP ports."
 msgid "To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:"
 msgstr "To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:"
 
-#: ../../configuration/firewall/zone.rst:61
+#: ../../configuration/firewall/zone.rst:80
 msgid "To define a zone setup either one with interfaces or a local zone."
 msgstr "To define a zone setup either one with interfaces or a local zone."
 
@@ -16233,7 +15470,7 @@ msgstr "To disable advertisements without deleting the configuration:"
 msgid "To display the configured OTP user key, use the command:"
 msgstr "To display the configured OTP user key, use the command:"
 
-#: ../../configuration/vpn/openconnect.rst:219
+#: ../../configuration/vpn/openconnect.rst:226
 msgid "To display the configured OTP user settings, use the command:"
 msgstr "To display the configured OTP user settings, use the command:"
 
@@ -16254,7 +15491,7 @@ msgstr "To enable RADIUS based authentication, the authentication mode needs to
 msgid "To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled."
 msgstr "To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled."
 
-#: ../../configuration/service/https.rst:23
+#: ../../configuration/service/https.rst:68
 msgid "To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log`"
 msgstr "To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log`"
 
@@ -16262,6 +15499,14 @@ msgstr "To enable debug messages. Available via :opcmd:`show log` or :opcmd:`mon
 msgid "To enable mDNS repeater you need to configure at least two interfaces. To re-broadcast all incoming mDNS packets from any interface configured here to any other interface configured under this section."
 msgstr "To enable mDNS repeater you need to configure at least two interfaces. To re-broadcast all incoming mDNS packets from any interface configured here to any other interface configured under this section."
 
+#: ../../configuration/service/mdns.rst:23
+msgid "To enable mDNS repeater you need to configure at least two interfaces so that all incoming mDNS packets from one interface configured here can be re-broadcasted to any other interface(s) configured under this section."
+msgstr "To enable mDNS repeater you need to configure at least two interfaces so that all incoming mDNS packets from one interface configured here can be re-broadcasted to any other interface(s) configured under this section."
+
+#: ../../configuration/vpn/openconnect.rst:168
+msgid "To enable the HTTP security headers in the configuration file, use the command:"
+msgstr "To enable the HTTP security headers in the configuration file, use the command:"
+
 #: ../../configuration/loadbalancing/wan.rst:115
 msgid "To exclude traffic from load balancing, traffic matching an exclude rule is not balanced but routed through the system routing table instead:"
 msgstr "To exclude traffic from load balancing, traffic matching an exclude rule is not balanced but routed through the system routing table instead:"
@@ -16282,7 +15527,7 @@ msgstr "To generate the CA, the server private key and certificates the followin
 msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
 msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
 
-#: ../../configuration/service/dhcp-server.rst:636
+#: ../../configuration/service/dhcp-server.rst:566
 msgid "To hand out individual prefixes to your clients the following configuration is used:"
 msgstr "To hand out individual prefixes to your clients the following configuration is used:"
 
@@ -16290,7 +15535,7 @@ msgstr "To hand out individual prefixes to your clients the following configurat
 msgid "To know more about scripting, check the :ref:`command-scripting` section."
 msgstr "To know more about scripting, check the :ref:`command-scripting` section."
 
-#: ../../configuration/service/mdns.rst:36
+#: ../../configuration/service/mdns.rst:52
 msgid "To listen on both `eth0` and `eth1` mDNS packets and also repeat packets received on `eth0` to `eth1` (and vice-versa) use the following commands:"
 msgstr "To listen on both `eth0` and `eth1` mDNS packets and also repeat packets received on `eth0` to `eth1` (and vice-versa) use the following commands:"
 
@@ -16303,35 +15548,19 @@ msgstr "To manipulate or display ARP_ table entries, the following commands are
 msgid "To perform a graceful shutdown, the FRR ``graceful-restart prepare ip ospf`` EXEC-level command needs to be issued before restarting the ospfd daemon."
 msgstr "To perform a graceful shutdown, the FRR ``graceful-restart prepare ip ospf`` EXEC-level command needs to be issued before restarting the ospfd daemon."
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:17
 msgid "To request a /56 prefix from your ISP use:"
 msgstr "To request a /56 prefix from your ISP use:"
 
-#: ../../configuration/service/dhcp-server.rst:748
+#: ../../configuration/service/dhcp-server.rst:680
 msgid "To restart the DHCPv6 server"
 msgstr "To restart the DHCPv6 server"
 
-#: ../../configuration/nat/nat44.rst:315
+#: ../../configuration/nat/nat44.rst:327
 msgid "To setup SNAT, we need to know:"
 msgstr "To setup SNAT, we need to know:"
 
-#: ../../configuration/nat/nat44.rst:501
+#: ../../configuration/nat/nat44.rst:521
 msgid "To setup a destination NAT rule we need to gather:"
 msgstr "To setup a destination NAT rule we need to gather:"
 
@@ -16343,11 +15572,11 @@ msgstr "To update the firmware, VyOS also ships the `qmi-firmware-update` binary
 msgid "To use a RADIUS server for authentication and bandwidth-shaping, the following example configuration can be used."
 msgstr "To use a RADIUS server for authentication and bandwidth-shaping, the following example configuration can be used."
 
-#: ../../configuration/service/pppoe-server.rst:106
+#: ../../configuration/service/pppoe-server.rst:93
 msgid "To use a radius server, you need to switch to authentication mode RADIUS and then configure it."
 msgstr "To use a radius server, you need to switch to authentication mode RADIUS and then configure it."
 
-#: ../../configuration/service/dns.rst:308
+#: ../../configuration/service/dns.rst:321
 msgid "To use such a service, one must define a login, password, one or multiple hostnames, protocol and server."
 msgstr "To use such a service, one must define a login, password, one or multiple hostnames, protocol and server."
 
@@ -16355,15 +15584,15 @@ msgstr "To use such a service, one must define a login, password, one or multipl
 msgid "To use the Salt-Minion, a running Salt-Master is required. You can find more in the `Salt Poject Documentaion <https://docs.saltproject.io/en/latest/contents.html>`_"
 msgstr "To use the Salt-Minion, a running Salt-Master is required. You can find more in the `Salt Poject Documentaion <https://docs.saltproject.io/en/latest/contents.html>`_"
 
-#: ../../configuration/service/https.rst:86
+#: ../../configuration/service/https.rst:77
 msgid "To use this full configuration we asume a public accessible hostname."
 msgstr "To use this full configuration we asume a public accessible hostname."
 
-#: ../../configuration/interfaces/vxlan.rst:175
+#: ../../configuration/interfaces/vxlan.rst:196
 msgid "Topology:"
 msgstr "Topology:"
 
-#: ../../configuration/interfaces/vxlan.rst:107
+#: ../../configuration/interfaces/vxlan.rst:128
 msgid "Topology: PC4 - Leaf2 - Spine1 - Leaf3 - PC5"
 msgstr "Topology: PC4 - Leaf2 - Spine1 - Leaf3 - PC5"
 
@@ -16379,7 +15608,7 @@ msgstr "Track option to track non VRRP interface states. VRRP changes status to
 msgid "Traditional BGP did not have the feature to detect a remote peer's capabilities, e.g. whether it can handle prefix types other than IPv4 unicast routes. This was a big problem using Multiprotocol Extension for BGP in an operational network. :rfc:`2842` adopted a feature called Capability Negotiation. *bgpd* use this Capability Negotiation to detect the remote peer's capabilities. If a peer is only configured as an IPv4 unicast neighbor, *bgpd* does not send these Capability Negotiation packets (at least not unless other optional BGP features require capability negotiation)."
 msgstr "Traditional BGP did not have the feature to detect a remote peer's capabilities, e.g. whether it can handle prefix types other than IPv4 unicast routes. This was a big problem using Multiprotocol Extension for BGP in an operational network. :rfc:`2842` adopted a feature called Capability Negotiation. *bgpd* use this Capability Negotiation to detect the remote peer's capabilities. If a peer is only configured as an IPv4 unicast neighbor, *bgpd* does not send these Capability Negotiation packets (at least not unless other optional BGP features require capability negotiation)."
 
-#: ../../configuration/firewall/index.rst:54
+#: ../../configuration/firewall/index.rst:175
 msgid "Traditionally firewalls weere configured with the concept of data going in and out of an interface. The router just listened to the data flowing through and responding as required if it was directed at the router itself."
 msgstr "Traditionally firewalls weere configured with the concept of data going in and out of an interface. The router just listened to the data flowing through and responding as required if it was directed at the router itself."
 
@@ -16399,7 +15628,7 @@ msgstr "Traffic Filters are used to control which packets will have the defined
 msgid "Traffic Policy"
 msgstr "Traffic Policy"
 
-#: ../../configuration/firewall/zone.rst:37
+#: ../../configuration/firewall/zone.rst:56
 msgid "Traffic cannot flow between zone member interface and any interface that is not a zone member."
 msgstr "Traffic cannot flow between zone member interface and any interface that is not a zone member."
 
@@ -16411,10 +15640,19 @@ msgstr "Traffic from multicast sources will go to the Rendezvous Point, and rece
 msgid "Traffic from multicast sources will go to the Rendezvous Point, and receivers will pull it from a shared tree using MLD (Multicast Listener Discovery)."
 msgstr "Traffic from multicast sources will go to the Rendezvous Point, and receivers will pull it from a shared tree using MLD (Multicast Listener Discovery)."
 
-#: ../../configuration/firewall/general.rst:1281
+#: ../../configuration/protocols/pim.rst:18
+msgid "Traffic from multicast sources will go to the Rendezvous Point, and receivers will pull it from a shared tree using :abbr:`IGMP (Internet Group Management Protocol)`."
+msgstr "Traffic from multicast sources will go to the Rendezvous Point, and receivers will pull it from a shared tree using :abbr:`IGMP (Internet Group Management Protocol)`."
+
+#: ../../configuration/firewall/ipv4.rst:928
+#: ../../configuration/firewall/ipv6.rst:937
 msgid "Traffic must be symmetric"
 msgstr "Traffic must be symmetric"
 
+#: ../../configuration/firewall/bridge.rst:34
+msgid "Traffic which is received by the router on an interface which is member of a bridge is processed on the **Bridge Layer**. A simplified packet flow diagram for this layer is shown next:"
+msgstr "Traffic which is received by the router on an interface which is member of a bridge is processed on the **Bridge Layer**. A simplified packet flow diagram for this layer is shown next:"
+
 #: ../../configuration/highavailability/index.rst:322
 msgid "Transition scripts"
 msgstr "Transition scripts"
@@ -16427,11 +15665,11 @@ msgstr "Transition scripts can help you implement various fixups, such as starti
 msgid "Transparent Proxy"
 msgstr "Transparent Proxy"
 
+#: ../../configuration/interfaces/openvpn.rst:701
 #: ../../configuration/interfaces/tunnel.rst:227
 msgid "Troubleshooting"
 msgstr "Troubleshooting"
 
-#: ../../configuration/protocols/igmp.rst:119
 #: ../../configuration/protocols/pim6.rst:41
 msgid "Tuning commands"
 msgstr "Tuning commands"
@@ -16448,6 +15686,10 @@ msgstr "Tunnel keys"
 msgid "Two environment variables are available:"
 msgstr "Two environment variables are available:"
 
+#: ../../configuration/firewall/flowtables.rst:104
+msgid "Two interfaces are going to be used in the flowtables: eth0 and eth1"
+msgstr "Two interfaces are going to be used in the flowtables: eth0 and eth1"
+
 #: ../../configuration/service/ssh.rst:188
 msgid "Two new files ``/config/auth/id_rsa_rpki`` and ``/config/auth/id_rsa_rpki.pub`` will be created."
 msgstr "Two new files ``/config/auth/id_rsa_rpki`` and ``/config/auth/id_rsa_rpki.pub`` will be created."
@@ -16460,7 +15702,7 @@ msgstr "Two routers connected both via eth1 through an untrusted switch"
 msgid "Type of metrics grouping when push to Azure Data Explorer. The default is ``table-per-metric``."
 msgstr "Type of metrics grouping when push to Azure Data Explorer. The default is ``table-per-metric``."
 
-#: ../../configuration/nat/nat44.rst:594
+#: ../../configuration/nat/nat44.rst:618
 msgid "Typically, a 1-to-1 NAT rule omits the destination port (all ports) and replaces the protocol with either **all** or **ip**."
 msgstr "Typically, a 1-to-1 NAT rule omits the destination port (all ports) and replaces the protocol with either **all** or **ip**."
 
@@ -16504,7 +15746,7 @@ msgstr "USB to serial converters will handle most of their work in software so y
 msgid "UUCP subsystem"
 msgstr "UUCP subsystem"
 
-#: ../../configuration/interfaces/vxlan.rst:81
+#: ../../configuration/interfaces/vxlan.rst:102
 msgid "Unicast"
 msgstr "Unicast"
 
@@ -16512,7 +15754,7 @@ msgstr "Unicast"
 msgid "Unicast VRRP"
 msgstr "Unicast VRRP"
 
-#: ../../configuration/interfaces/vxlan.rst:319
+#: ../../configuration/interfaces/vxlan.rst:340
 msgid "Unicast VXLAN"
 msgstr "Unicast VXLAN"
 
@@ -16540,11 +15782,15 @@ msgstr "Update"
 msgid "Update container image"
 msgstr "Update container image"
 
-#: ../../configuration/firewall/general.rst:1540
-#: ../../configuration/firewall/general-legacy.rst:1050
+#: ../../configuration/firewall/ipv4.rst:1175
+#: ../../configuration/firewall/ipv6.rst:1191
 msgid "Update geoip database"
 msgstr "Update geoip database"
 
+#: ../../configuration/system/updates.rst:3
+msgid "Updates"
+msgstr "Updates"
+
 #: ../../configuration/protocols/rpki.rst:99
 msgid "Updates from the RPKI cache servers are directly applied and path selection is updated accordingly. (Soft reconfiguration must be enabled for this to work)."
 msgstr "Updates from the RPKI cache servers are directly applied and path selection is updated accordingly. (Soft reconfiguration must be enabled for this to work)."
@@ -16566,7 +15812,11 @@ msgstr "Upon shutdown, this option will deprecate the prefix by announcing it in
 msgid "Use 802.11n protocol"
 msgstr "Use 802.11n protocol"
 
-#: ../../configuration/service/dns.rst:352
+#: ../../configuration/service/https.rst:23
+msgid "Use CA certificate from PKI subsystem"
+msgstr "Use CA certificate from PKI subsystem"
+
+#: ../../configuration/service/dns.rst:365
 msgid "Use DynDNS as your preferred provider:"
 msgstr "Use DynDNS as your preferred provider:"
 
@@ -16578,6 +15828,10 @@ msgstr "Use TLS but skip host validation"
 msgid "Use TLS encryption."
 msgstr "Use TLS encryption."
 
+#: ../../configuration/service/https.rst:31
+msgid "Use :abbr:`DH (Diffie–Hellman)` parameters from PKI subsystem. Must be at least 2048 bits in length."
+msgstr "Use :abbr:`DH (Diffie–Hellman)` parameters from PKI subsystem. Must be at least 2048 bits in length."
+
 #: ../../configuration/vpn/sstp.rst:121
 msgid "Use `<subnet>` as the IP pool for all connecting clients."
 msgstr "Use `<subnet>` as the IP pool for all connecting clients."
@@ -16594,67 +15848,52 @@ msgstr "Use `delete system conntrack modules` to deactive all modules."
 msgid "Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to preserve resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations."
 msgstr "Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to preserve resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations."
 
-#: ../../configuration/firewall/general.rst:799
-#: ../../configuration/firewall/general-legacy.rst:531
+#: ../../configuration/firewall/ipv4.rst:515
+#: ../../configuration/firewall/ipv6.rst:525
 msgid "Use a specific address-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific address-group. Prepend character ``!`` for inverted matching criteria."
 
-#: ../../configuration/firewall/general.rst:874
-#: ../../configuration/firewall/general-legacy.rst:567
+#: ../../configuration/firewall/ipv4.rst:578
+#: ../../configuration/firewall/ipv6.rst:588
 msgid "Use a specific domain-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific domain-group. Prepend character ``!`` for inverted matching criteria."
 
-#: ../../configuration/firewall/general.rst:899
-#: ../../configuration/firewall/general-legacy.rst:579
+#: ../../configuration/firewall/ipv4.rst:599
+#: ../../configuration/firewall/ipv6.rst:609
 msgid "Use a specific mac-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific mac-group. Prepend character ``!`` for inverted matching criteria."
 
-#: ../../configuration/firewall/general.rst:824
-#: ../../configuration/firewall/general-legacy.rst:543
+#: ../../configuration/firewall/ipv4.rst:536
+#: ../../configuration/firewall/ipv6.rst:546
 msgid "Use a specific network-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific network-group. Prepend character ``!`` for inverted matching criteria."
 
-#: ../../configuration/firewall/general.rst:849
-#: ../../configuration/firewall/general-legacy.rst:555
+#: ../../configuration/firewall/ipv4.rst:557
+#: ../../configuration/firewall/ipv6.rst:567
 msgid "Use a specific port-group. Prepend character ``!`` for inverted matching criteria."
 msgstr "Use a specific port-group. Prepend character ``!`` for inverted matching criteria."
 
-#: ../../configuration/nat/nat44.rst:247
+#: ../../configuration/nat/nat44.rst:259
 msgid "Use address `masquerade` (the interfaces primary address) on rule 30"
 msgstr "Use address `masquerade` (the interfaces primary address) on rule 30"
 
-#: ../../configuration/service/https.rst:67
+#: ../../configuration/service/https.rst:58
 msgid "Use an automatically generated self-signed certificate"
 msgstr "Use an automatically generated self-signed certificate"
 
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
-#: ../../_include/interface-ip.txt:104
 #: ../../_include/interface-ip.txt:104
 msgid "Use any local address, configured on any interface if this is not set."
 msgstr "Use any local address, configured on any interface if this is not set."
 
-#: ../../configuration/service/dns.rst:266
+#: ../../configuration/service/dns.rst:279
 msgid "Use auth key file at ``/config/auth/my.key``"
 msgstr "Use auth key file at ``/config/auth/my.key``"
 
-#: ../../configuration/service/dns.rst:395
+#: ../../configuration/service/https.rst:27
+msgid "Use certificate from PKI subsystem"
+msgstr "Use certificate from PKI subsystem"
+
+#: ../../configuration/service/dns.rst:408
 msgid "Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` and tries to extract your IP address from the response."
 msgstr "Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` and tries to extract your IP address from the response."
 
@@ -16666,7 +15905,7 @@ msgstr "Use inverse-match to match anything except the given country-codes."
 msgid "Use local socket for API"
 msgstr "Use local socket for API"
 
-#: ../../configuration/vpn/sstp.rst:277
+#: ../../configuration/vpn/sstp.rst:288
 msgid "Use local user `foo` with password `bar`"
 msgstr "Use local user `foo` with password `bar`"
 
@@ -16682,6 +15921,10 @@ msgstr "Use the address of the specified interface on the local machine as the s
 msgid "Use the following topology to build a nat66 based isolated network between internal and external networks (dynamic prefix is not supported):"
 msgstr "Use the following topology to build a nat66 based isolated network between internal and external networks (dynamic prefix is not supported):"
 
+#: ../../configuration/nat/nat66.rst:142
+msgid "Use the following topology to translate internal user local addresses (``fc::/7``) to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair."
+msgstr "Use the following topology to translate internal user local addresses (``fc::/7``) to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair."
+
 #: ../../configuration/system/option.rst:48
 msgid "Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address."
 msgstr "Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address."
@@ -16710,11 +15953,11 @@ msgstr "Use this PIM command in the selected interface to set the priority (1-42
 msgid "Use this PIM command to modify the time out value (31-60000 seconds) for an `(S,G) <https://tools.ietf.org/html/rfc7761#section-4.1>`_ flow. 31 seconds is chosen for a lower bound as some hardware platforms cannot see data flowing in better than 30 seconds chunks."
 msgstr "Use this PIM command to modify the time out value (31-60000 seconds) for an `(S,G) <https://tools.ietf.org/html/rfc7761#section-4.1>`_ flow. 31 seconds is chosen for a lower bound as some hardware platforms cannot see data flowing in better than 30 seconds chunks."
 
-#: ../../configuration/service/pppoe-server.rst:288
+#: ../../configuration/service/pppoe-server.rst:275
 msgid "Use this comand to set the IPv6 address pool from which a PPPoE client will get an IPv6 prefix of your defined length (mask) to terminate the PPPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 msgstr "Use this comand to set the IPv6 address pool from which a PPPoE client will get an IPv6 prefix of your defined length (mask) to terminate the PPPoE endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 
-#: ../../configuration/vpn/sstp.rst:126
+#: ../../configuration/vpn/sstp.rst:137
 msgid "Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the SSTP endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 msgstr "Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the SSTP endpoint at their side. The mask length can be set from 48 to 128 bit long, the default value is 64."
 
@@ -16742,7 +15985,7 @@ msgstr "Use this command if you would like to set the TCP session hold time inte
 msgid "Use this command to allow the selected interface to join a multicast group."
 msgstr "Use this command to allow the selected interface to join a multicast group."
 
-#: ../../configuration/protocols/igmp.rst:149
+#: ../../configuration/protocols/pim.rst:191
 msgid "Use this command to allow the selected interface to join a multicast group defining the multicast address you want to join and the source IP address too."
 msgstr "Use this command to allow the selected interface to join a multicast group defining the multicast address you want to join and the source IP address too."
 
@@ -16762,19 +16005,19 @@ msgstr "Use this command to check the tunnel status for OpenVPN server interface
 msgid "Use this command to check the tunnel status for OpenVPN site-to-site interfaces."
 msgstr "Use this command to check the tunnel status for OpenVPN site-to-site interfaces."
 
-#: ../../configuration/system/ipv6.rst:180
+#: ../../configuration/system/ipv6.rst:154
 msgid "Use this command to clear Border Gateway Protocol statistics or status."
 msgstr "Use this command to clear Border Gateway Protocol statistics or status."
 
-#: ../../configuration/service/pppoe-server.rst:300
+#: ../../configuration/service/pppoe-server.rst:287
 msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 
-#: ../../configuration/vpn/sstp.rst:135
+#: ../../configuration/vpn/sstp.rst:146
 msgid "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 msgstr "Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long."
 
-#: ../../configuration/service/pppoe-server.rst:133
+#: ../../configuration/service/pppoe-server.rst:120
 msgid "Use this command to configure Dynamic Authorization Extensions to RADIUS so that you can remotely disconnect sessions and change some authentication parameters."
 msgstr "Use this command to configure Dynamic Authorization Extensions to RADIUS so that you can remotely disconnect sessions and change some authentication parameters."
 
@@ -16855,7 +16098,7 @@ msgstr "Use this command to configure a Shaper policy, set its name, define a cl
 msgid "Use this command to configure a Shaper policy, set its name and the maximum bandwidth for all combined traffic."
 msgstr "Use this command to configure a Shaper policy, set its name and the maximum bandwidth for all combined traffic."
 
-#: ../../configuration/service/pppoe-server.rst:206
+#: ../../configuration/service/pppoe-server.rst:193
 msgid "Use this command to configure a data-rate limit to PPPOoE clients for traffic download or upload. The rate-limit is set in kbit/sec."
 msgstr "Use this command to configure a data-rate limit to PPPOoE clients for traffic download or upload. The rate-limit is set in kbit/sec."
 
@@ -16919,10 +16162,18 @@ msgstr "Use this command to configure an interface with IGMP so that PIM can rec
 msgid "Use this command to configure authentication for LDP peers. Set the IP address of the LDP peer and a password that should be shared in order to become neighbors."
 msgstr "Use this command to configure authentication for LDP peers. Set the IP address of the LDP peer and a password that should be shared in order to become neighbors."
 
-#: ../../configuration/protocols/igmp.rst:156
+#: ../../configuration/protocols/pim.rst:198
 msgid "Use this command to configure in the selected interface the IGMP host query interval (1-1800) in seconds that PIM will use."
 msgstr "Use this command to configure in the selected interface the IGMP host query interval (1-1800) in seconds that PIM will use."
 
+#: ../../configuration/protocols/pim.rst:202
+msgid "Use this command to configure in the selected interface the IGMP query response timeout value (10-250) in deciseconds. If a report is not returned in the specified time, it will be assumed the (S,G) or (*,G) state :rfc:`7761#section-4.1` has timed out."
+msgstr "Use this command to configure in the selected interface the IGMP query response timeout value (10-250) in deciseconds. If a report is not returned in the specified time, it will be assumed the (S,G) or (*,G) state :rfc:`7761#section-4.1` has timed out."
+
+#: ../../configuration/protocols/pim.rst:204
+msgid "Use this command to configure in the selected interface the IGMP query response timeout value (10-250) in deciseconds. If a report is not returned in the specified time, it will be assumed the (S,G) or (\\*,G) state :rfc:`7761#section-4.1` has timed out."
+msgstr "Use this command to configure in the selected interface the IGMP query response timeout value (10-250) in deciseconds. If a report is not returned in the specified time, it will be assumed the (S,G) or (\\*,G) state :rfc:`7761#section-4.1` has timed out."
+
 #: ../../configuration/protocols/igmp.rst:163
 msgid "Use this command to configure in the selected interface the IGMP query response timeout value (10-250) in deciseconds. If a report is not returned in the specified time, it will be assumed the `(S,G) or (*,G) state <https://tools.ietf.org/html/rfc7761#section-4.1>`_ has timed out."
 msgstr "Use this command to configure in the selected interface the IGMP query response timeout value (10-250) in deciseconds. If a report is not returned in the specified time, it will be assumed the `(S,G) or (*,G) state <https://tools.ietf.org/html/rfc7761#section-4.1>`_ has timed out."
@@ -16931,7 +16182,7 @@ msgstr "Use this command to configure in the selected interface the IGMP query r
 msgid "Use this command to configure in the selected interface the MLD host query interval (1-65535) in seconds that PIM will use. The default value is 125 seconds."
 msgstr "Use this command to configure in the selected interface the MLD host query interval (1-65535) in seconds that PIM will use. The default value is 125 seconds."
 
-#: ../../configuration/service/pppoe-server.rst:112
+#: ../../configuration/service/pppoe-server.rst:99
 msgid "Use this command to configure the IP address and the shared secret key of your RADIUS server.  You can have multiple RADIUS servers configured if you wish to achieve redundancy."
 msgstr "Use this command to configure the IP address and the shared secret key of your RADIUS server.  You can have multiple RADIUS servers configured if you wish to achieve redundancy."
 
@@ -16983,18 +16234,35 @@ msgstr "Use this command to define a Fair-Queue policy, based on the Stochastic
 msgid "Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number of seconds at which a new queue algorithm perturbation will occur (maximum 4294967295)."
 msgstr "Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number of seconds at which a new queue algorithm perturbation will occur (maximum 4294967295)."
 
+#: ../../configuration/service/pppoe-server.rst:81
+#: ../../configuration/vpn/sstp.rst:132
+msgid "Use this command to define default address pool name."
+msgstr "Use this command to define default address pool name."
+
 #: ../../configuration/system/name-server.rst:53
 msgid "Use this command to define domains, one at a time, so that the system uses them to complete unqualified host names. Maximum: 6 entries."
 msgstr "Use this command to define domains, one at a time, so that the system uses them to complete unqualified host names. Maximum: 6 entries."
 
+#: ../../configuration/protocols/pim.rst:211
+msgid "Use this command to define in the selected interface whether you choose IGMP version 2 or 3."
+msgstr "Use this command to define in the selected interface whether you choose IGMP version 2 or 3."
+
 #: ../../configuration/protocols/igmp.rst:172
 msgid "Use this command to define in the selected interface whether you choose IGMP version 2 or 3. The default value is 3."
 msgstr "Use this command to define in the selected interface whether you choose IGMP version 2 or 3. The default value is 3."
 
+#: ../../configuration/service/pppoe-server.rst:70
+msgid "Use this command to define the IP address range to be given to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet. If notation ``x.x.x.x/x`` is used there is possibility to set host/netmask."
+msgstr "Use this command to define the IP address range to be given to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet. If notation ``x.x.x.x/x`` is used there is possibility to set host/netmask."
+
 #: ../../configuration/service/pppoe-server.rst:73
 msgid "Use this command to define the first IP address of a pool of addresses to be given to PPPoE clients. It must be within a /24 subnet."
 msgstr "Use this command to define the first IP address of a pool of addresses to be given to PPPoE clients. It must be within a /24 subnet."
 
+#: ../../configuration/vpn/sstp.rst:121
+msgid "Use this command to define the first IP address of a pool of addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet. If notation ``x.x.x.x/x`` is used there is possibility to set host/netmask."
+msgstr "Use this command to define the first IP address of a pool of addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet. If notation ``x.x.x.x/x`` is used there is possibility to set host/netmask."
+
 #: ../../configuration/service/pppoe-server.rst:42
 msgid "Use this command to define the interface the PPPoE server will use to listen for PPPoE clients."
 msgstr "Use this command to define the interface the PPPoE server will use to listen for PPPoE clients."
@@ -17015,29 +16283,15 @@ msgstr "Use this command to define the maximum number of entries to keep in the
 msgid "Use this command to define the maximum number of entries to keep in the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768)."
 msgstr "Use this command to define the maximum number of entries to keep in the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768)."
 
+#: ../../configuration/service/pppoe-server.rst:77
+#: ../../configuration/vpn/sstp.rst:128
+msgid "Use this command to define the next address pool name."
+msgstr "Use this command to define the next address pool name."
+
 #: ../../configuration/service/pppoe-server.rst:31
 msgid "Use this command to define whether your PPPoE clients will locally authenticate in your VyOS system or in RADIUS server."
 msgstr "Use this command to define whether your PPPoE clients will locally authenticate in your VyOS system or in RADIUS server."
 
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
-#: ../../_include/interface-disable-link-detect.txt:4
 #: ../../_include/interface-disable-link-detect.txt:4
 msgid "Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged."
 msgstr "Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged."
@@ -17058,15 +16312,6 @@ msgstr "Use this command to disable IPv6 forwarding on all interfaces."
 msgid "Use this command to disable IPv6 operation on interface when Duplicate Address Detection fails on Link-Local address."
 msgstr "Use this command to disable IPv6 operation on interface when Duplicate Address Detection fails on Link-Local address."
 
-#: ../../_include/interface-disable-flow-control.txt:16
-#: ../../_include/interface-disable-flow-control.txt:16
-#: ../../_include/interface-disable-flow-control.txt:16
-#: ../../_include/interface-disable-flow-control.txt:16
-#: ../../_include/interface-disable-flow-control.txt:16
-#: ../../_include/interface-disable-flow-control.txt:16
-#: ../../_include/interface-disable-flow-control.txt:16
-#: ../../_include/interface-disable-flow-control.txt:16
-#: ../../_include/interface-disable-flow-control.txt:16
 #: ../../_include/interface-disable-flow-control.txt:16
 msgid "Use this command to disable the generation of Ethernet flow control (pause frames)."
 msgstr "Use this command to disable the generation of Ethernet flow control (pause frames)."
@@ -17107,29 +16352,10 @@ msgstr "Use this command to enable PIMv6 in the selected interface so that it ca
 msgid "Use this command to enable acquisition of IPv6 address using stateless autoconfig (SLAAC)."
 msgstr "Use this command to enable acquisition of IPv6 address using stateless autoconfig (SLAAC)."
 
-#: ../../configuration/service/pppoe-server.rst:249
+#: ../../configuration/service/pppoe-server.rst:236
 msgid "Use this command to enable bandwidth shaping via RADIUS."
 msgstr "Use this command to enable bandwidth shaping via RADIUS."
 
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
-#: ../../_include/interface-ip.txt:137
 #: ../../_include/interface-ip.txt:137
 msgid "Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own :abbr:`MAC (Media Access Control)` address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system."
 msgstr "Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own :abbr:`MAC (Media Access Control)` address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system."
@@ -17138,7 +16364,7 @@ msgstr "Use this command to enable proxy Address Resolution Protocol (ARP) on th
 msgid "Use this command to enable targeted LDP sessions to the local router. The router will then respond to any sessions that are trying to connect to it that are not a link local type of TCP connection."
 msgstr "Use this command to enable targeted LDP sessions to the local router. The router will then respond to any sessions that are trying to connect to it that are not a link local type of TCP connection."
 
-#: ../../configuration/service/pppoe-server.rst:262
+#: ../../configuration/service/pppoe-server.rst:249
 msgid "Use this command to enable the delay of PADO (PPPoE Active Discovery Offer) packets, which can be used as a session balancing mechanism with other PPPoE servers."
 msgstr "Use this command to enable the delay of PADO (PPPoE Active Discovery Offer) packets, which can be used as a session balancing mechanism with other PPPoE servers."
 
@@ -17154,7 +16380,13 @@ msgstr "Use this command to enable the logging of the default action."
 msgid "Use this command to enable the logging of the default action on custom chains."
 msgstr "Use this command to enable the logging of the default action on custom chains."
 
-#: ../../configuration/system/ipv6.rst:191
+#: ../../configuration/firewall/bridge.rst:163
+#: ../../configuration/firewall/ipv4.rst:214
+#: ../../configuration/firewall/ipv6.rst:214
+msgid "Use this command to enable the logging of the default action on the specified chain."
+msgstr "Use this command to enable the logging of the default action on the specified chain."
+
+#: ../../configuration/system/ipv6.rst:165
 msgid "Use this command to flush the kernel IPv6 route cache. An address can be added to flush it only for that route."
 msgstr "Use this command to flush the kernel IPv6 route cache. An address can be added to flush it only for that route."
 
@@ -17162,11 +16394,11 @@ msgstr "Use this command to flush the kernel IPv6 route cache. An address can be
 msgid "Use this command to get an overview of a zone."
 msgstr "Use this command to get an overview of a zone."
 
-#: ../../configuration/system/ipv6.rst:146
+#: ../../configuration/system/ipv6.rst:120
 msgid "Use this command to get information about OSPFv3."
 msgstr "Use this command to get information about OSPFv3."
 
-#: ../../configuration/system/ipv6.rst:168
+#: ../../configuration/system/ipv6.rst:142
 msgid "Use this command to get information about the RIPNG protocol"
 msgstr "Use this command to get information about the RIPNG protocol"
 
@@ -17178,7 +16410,7 @@ msgstr "Use this command to instruct the system to establish a PPPoE connection
 msgid "Use this command to link the PPPoE connection to a physical interface. Each PPPoE connection must be established over a physical interface. Interfaces can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs."
 msgstr "Use this command to link the PPPoE connection to a physical interface. Each PPPoE connection must be established over a physical interface. Interfaces can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs."
 
-#: ../../configuration/service/pppoe-server.rst:324
+#: ../../configuration/service/pppoe-server.rst:311
 msgid "Use this command to locally check the active sessions in the PPPoE server."
 msgstr "Use this command to locally check the active sessions in the PPPoE server."
 
@@ -17195,7 +16427,7 @@ msgstr "Use this command to not install advertised DNS nameservers into the loca
 msgid "Use this command to prefer IPv4 for TCP peer transport connection for LDP when both an IPv4 and IPv6 LDP address are configured on the same interface."
 msgstr "Use this command to prefer IPv4 for TCP peer transport connection for LDP when both an IPv4 and IPv6 LDP address are configured on the same interface."
 
-#: ../../configuration/system/ipv6.rst:186
+#: ../../configuration/system/ipv6.rst:160
 msgid "Use this command to reset IPv6 Neighbor Discovery Protocol cache for an address or interface."
 msgstr "Use this command to reset IPv6 Neighbor Discovery Protocol cache for an address or interface."
 
@@ -17295,15 +16527,15 @@ msgstr "Use this command to show IPv6 multicast group membership."
 msgid "Use this command to show IPv6 routes."
 msgstr "Use this command to show IPv6 routes."
 
-#: ../../configuration/system/ipv6.rst:104
+#: ../../configuration/system/ipv6.rst:105
 msgid "Use this command to show all IPv6 access lists"
 msgstr "Use this command to show all IPv6 access lists"
 
-#: ../../configuration/system/ipv6.rst:89
+#: ../../configuration/system/ipv6.rst:90
 msgid "Use this command to show all IPv6 prefix lists"
 msgstr "Use this command to show all IPv6 prefix lists"
 
-#: ../../configuration/system/ipv6.rst:172
+#: ../../configuration/system/ipv6.rst:146
 msgid "Use this command to show the status of the RIPNG protocol"
 msgstr "Use this command to show the status of the RIPNG protocol"
 
@@ -17420,7 +16652,7 @@ msgstr "VHT operating channel center frequency - center freq 2 (for use with the
 msgid "VLAN"
 msgstr "VLAN"
 
-#: ../../configuration/service/pppoe-server.rst:176
+#: ../../configuration/service/pppoe-server.rst:163
 msgid "VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module named `vlan_mon`, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface."
 msgstr "VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module named `vlan_mon`, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface."
 
@@ -17456,7 +16688,7 @@ msgstr "VPN-clients will request configuration parameters, optionally you can DN
 msgid "VRF"
 msgstr "VRF"
 
-#: ../../configuration/vrf/index.rst:409
+#: ../../configuration/vrf/index.rst:411
 msgid "VRF Route Leaking"
 msgstr "VRF Route Leaking"
 
@@ -17464,15 +16696,15 @@ msgstr "VRF Route Leaking"
 msgid "VRF and NAT"
 msgstr "VRF and NAT"
 
-#: ../../configuration/vrf/index.rst:378
+#: ../../configuration/vrf/index.rst:380
 msgid "VRF blue routing table"
 msgstr "VRF blue routing table"
 
-#: ../../configuration/vrf/index.rst:345
+#: ../../configuration/vrf/index.rst:347
 msgid "VRF default routing table"
 msgstr "VRF default routing table"
 
-#: ../../configuration/vrf/index.rst:361
+#: ../../configuration/vrf/index.rst:363
 msgid "VRF red routing table"
 msgstr "VRF red routing table"
 
@@ -17537,11 +16769,11 @@ msgstr "Valid values are 0..255."
 msgid "Value"
 msgstr "Value"
 
-#: ../../configuration/vpn/sstp.rst:252
+#: ../../configuration/vpn/sstp.rst:263
 msgid "Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address."
 msgstr "Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address."
 
-#: ../../configuration/vpn/sstp.rst:247
+#: ../../configuration/vpn/sstp.rst:258
 msgid "Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests."
 msgstr "Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests."
 
@@ -17555,6 +16787,10 @@ msgstr "Verification"
 msgid "Verification:"
 msgstr "Verification:"
 
+#: ../../configuration/nat/nat66.rst:226
+msgid "Verify that connections are hitting the rule on both sides:"
+msgstr "Verify that connections are hitting the rule on both sides:"
+
 #: ../../configuration/highavailability/index.rst:291
 msgid "Version"
 msgstr "Version"
@@ -17583,22 +16819,6 @@ msgstr "Volume is either mounted as rw (read-write - default) or ro (read-only)"
 msgid "VyOS 1.1 supported login as user ``root``. This has been removed due to tighter security in VyOS 1.2."
 msgstr "VyOS 1.1 supported login as user ``root``. This has been removed due to tighter security in VyOS 1.2."
 
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
-#: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
 #: ../../_include/interface-dhcpv6-prefix-delegation.txt:3
 msgid "VyOS 1.3 (equuleus) supports DHCPv6-PD (:rfc:`3633`). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks."
 msgstr "VyOS 1.3 (equuleus) supports DHCPv6-PD (:rfc:`3633`). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks."
@@ -17615,7 +16835,7 @@ msgstr "VyOS 1.4 changed the way in how encrytion keys or certificates are store
 msgid "VyOS 1.4 uses chrony instead of ntpd (see :vytask:`T3008`) which will no longer accept anonymous NTP requests as in VyOS 1.3. All configurations will be migrated to keep the anonymous functionality. For new setups if you have clients using your VyOS installation as NTP server, you must specify the `allow-client` directive."
 msgstr "VyOS 1.4 uses chrony instead of ntpd (see :vytask:`T3008`) which will no longer accept anonymous NTP requests as in VyOS 1.3. All configurations will be migrated to keep the anonymous functionality. For new setups if you have clients using your VyOS installation as NTP server, you must specify the `allow-client` directive."
 
-#: ../../configuration/interfaces/bonding.rst:None
+#: ../../configuration/interfaces/bonding.rst:-1
 msgid "VyOS Arista EOS setup"
 msgstr "VyOS Arista EOS setup"
 
@@ -17635,7 +16855,11 @@ msgstr "VyOS IKE group has the next options:"
 msgid "VyOS MIBs"
 msgstr "VyOS MIBs"
 
-#: ../../configuration/nat/nat66.rst:None
+#: ../../configuration/nat/nat66.rst:-1
+msgid "VyOS NAT66 DHCPv6 using a dummy interface"
+msgstr "VyOS NAT66 DHCPv6 using a dummy interface"
+
+#: ../../configuration/nat/nat66.rst:-1
 msgid "VyOS NAT66 Simple Configure"
 msgstr "VyOS NAT66 Simple Configure"
 
@@ -17659,7 +16883,7 @@ msgstr "VyOS SNMP supports both IPv4 and IPv6."
 msgid "VyOS also comes with a build in SSTP server, see :ref:`sstp`."
 msgstr "VyOS also comes with a build in SSTP server, see :ref:`sstp`."
 
-#: ../../configuration/service/dhcp-server.rst:580
+#: ../../configuration/service/dhcp-server.rst:504
 msgid "VyOS also provides DHCPv6 server functionality which is described in this section."
 msgstr "VyOS also provides DHCPv6 server functionality which is described in this section."
 
@@ -17704,11 +16928,11 @@ msgstr "VyOS facilitates IP Multicast by supporting **PIM Sparse Mode**, **IGMP*
 msgid "VyOS facilitates IPv6 Multicast by supporting **PIMv6** and **MLD**."
 msgstr "VyOS facilitates IPv6 Multicast by supporting **PIMv6** and **MLD**."
 
-#: ../../configuration/service/dns.rst:201
+#: ../../configuration/service/dns.rst:214
 msgid "VyOS is able to update a remote DNS record when an interface gets a new IP address. In order to do so, VyOS includes ddclient_, a Perl script written for this only one purpose."
 msgstr "VyOS is able to update a remote DNS record when an interface gets a new IP address. In order to do so, VyOS includes ddclient_, a Perl script written for this only one purpose."
 
-#: ../../configuration/service/dns.rst:306
+#: ../../configuration/service/dns.rst:319
 msgid "VyOS is also able to use any service relying on protocols supported by ddclient."
 msgstr "VyOS is also able to use any service relying on protocols supported by ddclient."
 
@@ -17720,7 +16944,6 @@ msgstr "VyOS itself supports SNMPv2_ (version 2) and SNMPv3_ (version 3) where t
 msgid "VyOS lets you control traffic in many different ways, here we will cover every possibility. You can configure as many policies as you want, but you will only be able to apply one policy per interface and direction (inbound or outbound)."
 msgstr "VyOS lets you control traffic in many different ways, here we will cover every possibility. You can configure as many policies as you want, but you will only be able to apply one policy per interface and direction (inbound or outbound)."
 
-#: ../../configuration/firewall/general.rst:13
 #: ../../configuration/firewall/general-legacy.rst:17
 msgid "VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet filtering."
 msgstr "VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet filtering."
@@ -17737,7 +16960,7 @@ msgstr "VyOS not only can now manage certificates issued by 3rd party Certificat
 msgid "VyOS now also has the ability to create CAs, keys, Diffie-Hellman and other keypairs from an easy to access operational level command."
 msgstr "VyOS now also has the ability to create CAs, keys, Diffie-Hellman and other keypairs from an easy to access operational level command."
 
-#: ../../configuration/pki/index.rst:254
+#: ../../configuration/pki/index.rst:292
 msgid "VyOS operational mode commands are not only available for generating keys but also to display them."
 msgstr "VyOS operational mode commands are not only available for generating keys but also to display them."
 
@@ -17773,7 +16996,7 @@ msgstr "VyOS provides policies commands exclusively for BGP traffic filtering an
 msgid "VyOS provides some operational commands on OpenVPN."
 msgstr "VyOS provides some operational commands on OpenVPN."
 
-#: ../../configuration/service/dhcp-server.rst:173
+#: ../../configuration/service/dhcp-server.rst:138
 msgid "VyOS provides support for DHCP failover. DHCP failover must be configured explicitly by the following statements."
 msgstr "VyOS provides support for DHCP failover. DHCP failover must be configured explicitly by the following statements."
 
@@ -17781,7 +17004,11 @@ msgstr "VyOS provides support for DHCP failover. DHCP failover must be configure
 msgid "VyOS reverse-proxy is balancer and proxy server that provides high-availability, load balancing and proxying for TCP (level 4) and HTTP-based (level 7) applications."
 msgstr "VyOS reverse-proxy is balancer and proxy server that provides high-availability, load balancing and proxying for TCP (level 4) and HTTP-based (level 7) applications."
 
-#: ../../configuration/protocols/igmp.rst:30
+#: ../../configuration/protocols/pim.rst:9
+msgid "VyOS supports :abbr:`PIM-SM (PIM Sparse Mode)` as well as :abbr:`IGMP (Internet Group Management Protocol)` v2 and v3"
+msgstr "VyOS supports :abbr:`PIM-SM (PIM Sparse Mode)` as well as :abbr:`IGMP (Internet Group Management Protocol)` v2 and v3"
+
+#: ../../configuration/protocols/pim.rst:26
 msgid "VyOS supports both IGMP version 2 and version 3 (which allows source-specific multicast)."
 msgstr "VyOS supports both IGMP version 2 and version 3 (which allows source-specific multicast)."
 
@@ -17793,11 +17020,15 @@ msgstr "VyOS supports both MLD version 1 and version 2 (which allows source-spec
 msgid "VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector."
 msgstr "VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector."
 
+#: ../../configuration/system/updates.rst:5
+msgid "VyOS supports online checking for updates"
+msgstr "VyOS supports online checking for updates"
+
 #: ../../configuration/system/sflow.rst:5
 msgid "VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector."
 msgstr "VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector."
 
-#: ../../configuration/system/conntrack.rst:53
+#: ../../configuration/system/conntrack.rst:67
 msgid "VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP connections, UDP connections, or for TCP connections in a number of different states."
 msgstr "VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP connections, UDP connections, or for TCP connections in a number of different states."
 
@@ -17809,12 +17040,18 @@ msgstr "VyOS supports setting up PPPoE in two different ways to a PPPoE internet
 msgid "VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment."
 msgstr "VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment."
 
+#: ../../configuration/service/dhcp-server.rst:7
+msgid "VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment."
+msgstr "VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment."
+
+#: ../../configuration/system/frr.rst:7
+msgid "VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic and static routing. The routing daemon behavior can be adjusted during runtime, but require either a restart of the routing daemon, or a reboot of the system."
+msgstr "VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic and static routing. The routing daemon behavior can be adjusted during runtime, but require either a restart of the routing daemon, or a reboot of the system."
+
 #: ../../configuration/interfaces/wwan.rst:12
 msgid "VyOS uses the `interfaces wwan` subsystem for configuration."
 msgstr "VyOS uses the `interfaces wwan` subsystem for configuration."
 
-#: ../../_include/interface-mirror.txt:9
-#: ../../_include/interface-mirror.txt:9
 #: ../../_include/interface-mirror.txt:9
 msgid "VyOS uses the `mirror` option to configure port mirroring. The configuration is divided into 2 different directions. Destination ports should be configured for different traffic directions."
 msgstr "VyOS uses the `mirror` option to configure port mirroring. The configuration is divided into 2 different directions. Destination ports should be configured for different traffic directions."
@@ -17839,7 +17076,7 @@ msgstr "VyOS utilizes accel-ppp_ to provide SSTP server functionality. We suppor
 msgid "WAN Load Balacing should not be used when dynamic routing protocol is used/needed. This feature creates customized routing tables and firewall rules, that makes it incompatible to use with routing protocols."
 msgstr "WAN Load Balacing should not be used when dynamic routing protocol is used/needed. This feature creates customized routing tables and firewall rules, that makes it incompatible to use with routing protocols."
 
-#: ../../configuration/vpn/site2site_ipsec.rst:160
+#: ../../configuration/vpn/site2site_ipsec.rst:164
 msgid "WAN interface on `eth1`"
 msgstr "WAN interface on `eth1`"
 
@@ -17876,7 +17113,7 @@ msgstr "Warning conditions"
 msgid "We'll configure OpenVPN using self-signed certificates, and then discuss the legacy pre-shared key mode."
 msgstr "We'll configure OpenVPN using self-signed certificates, and then discuss the legacy pre-shared key mode."
 
-#: ../../configuration/nat/nat44.rst:760
+#: ../../configuration/nat/nat44.rst:782
 msgid "We'll use the IKE and ESP groups created above for this VPN. Because we need access to 2 different subnets on the far side, we will need two different tunnels. If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too."
 msgstr "We'll use the IKE and ESP groups created above for this VPN. Because we need access to 2 different subnets on the far side, we will need two different tunnels. If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too."
 
@@ -17896,7 +17133,7 @@ msgstr "We can also create the certificates using Cerbort which is an easy-to-us
 msgid "We can build route-maps for import based on these states. Here is a simple RPKI configuration, where `routinator` is the RPKI-validating \"cache\" server with ip `192.0.2.1`:"
 msgstr "We can build route-maps for import based on these states. Here is a simple RPKI configuration, where `routinator` is the RPKI-validating \"cache\" server with ip `192.0.2.1`:"
 
-#: ../../configuration/protocols/bgp.rst:1248
+#: ../../configuration/protocols/bgp.rst:1249
 msgid "We could expand on this and also deny link local and multicast in the rule 20 action deny."
 msgstr "We could expand on this and also deny link local and multicast in the rule 20 action deny."
 
@@ -17924,7 +17161,7 @@ msgstr "We now utilize `tuned` for dynamic resource balancing based on profiles.
 msgid "We only allow the 192.168.2.0/24 subnet to travel over the tunnel"
 msgstr "We only allow the 192.168.2.0/24 subnet to travel over the tunnel"
 
-#: ../../configuration/nat/nat44.rst:699
+#: ../../configuration/nat/nat44.rst:723
 msgid "We only need a single step for this interface:"
 msgstr "We only need a single step for this interface:"
 
@@ -17932,11 +17169,15 @@ msgstr "We only need a single step for this interface:"
 msgid "We route all traffic for the 192.168.2.0/24 network to interface `wg01`"
 msgstr "We route all traffic for the 192.168.2.0/24 network to interface `wg01`"
 
-#: ../../configuration/system/login.rst:418
+#: ../../configuration/system/login.rst:420
 msgid "We use a vontainer providing the TACACS serve rin this example."
 msgstr "We use a vontainer providing the TACACS serve rin this example."
 
-#: ../../configuration/service/dhcp-server.rst:364
+#: ../../configuration/firewall/flowtables.rst:114
+msgid "We will only accept traffic comming from interface eth0, protocol tcp and destination port 1122. All other traffic traspassing the router should be blocked."
+msgstr "We will only accept traffic comming from interface eth0, protocol tcp and destination port 1122. All other traffic traspassing the router should be blocked."
+
+#: ../../configuration/service/dhcp-server.rst:331
 msgid "Web Proxy Autodiscovery (WPAD) URL"
 msgstr "Web Proxy Autodiscovery (WPAD) URL"
 
@@ -17944,19 +17185,31 @@ msgstr "Web Proxy Autodiscovery (WPAD) URL"
 msgid "Webproxy"
 msgstr "Webproxy"
 
+#: ../../configuration/service/https.rst:40
+msgid "Webserver should listen on specified port."
+msgstr "Webserver should listen on specified port."
+
+#: ../../configuration/service/https.rst:36
+msgid "Webserver should only listen on specified IP address"
+msgstr "Webserver should only listen on specified IP address"
+
 #: ../../configuration/protocols/mpls.rst:220
 msgid "When LDP is working, you will be able to see label information in the outcome of ``show ip route``. Besides that information, there are also specific *show* commands for LDP:"
 msgstr "When LDP is working, you will be able to see label information in the outcome of ``show ip route``. Besides that information, there are also specific *show* commands for LDP:"
 
+#: ../../configuration/protocols/pim.rst:75
+msgid "When PIM receives a register packet the source of the packet will be compared to the prefix-list specified, and if a permit is received normal processing continues. If a deny is returned for the source address of the register packet a register stop message is sent to the source."
+msgstr "When PIM receives a register packet the source of the packet will be compared to the prefix-list specified, and if a permit is received normal processing continues. If a deny is returned for the source address of the register packet a register stop message is sent to the source."
+
 #: ../../configuration/vrf/index.rst:73
 msgid "When VRFs are used it is not only mandatory to create a VRF but also the VRF itself needs to be assigned to an interface."
 msgstr "When VRFs are used it is not only mandatory to create a VRF but also the VRF itself needs to be assigned to an interface."
 
-#: ../../configuration/service/dns.rst:341
+#: ../../configuration/service/dns.rst:354
 msgid "When a ``custom`` DynDNS provider is used the `<server>` where update requests are being sent to must be specified."
 msgstr "When a ``custom`` DynDNS provider is used the `<server>` where update requests are being sent to must be specified."
 
-#: ../../configuration/service/dns.rst:334
+#: ../../configuration/service/dns.rst:347
 msgid "When a ``custom`` DynDNS provider is used the protocol used for communicating to the provider must be specified under `<protocol>`. See the embedded completion helper for available protocols."
 msgstr "When a ``custom`` DynDNS provider is used the protocol used for communicating to the provider must be specified under `<protocol>`. See the embedded completion helper for available protocols."
 
@@ -17980,7 +17233,11 @@ msgstr "When a route fails, a routing update is sent to withdraw the route from
 msgid "When adding IPv6 routing information exchange feature to BGP. There were some proposals. :abbr:`IETF (Internet Engineering Task Force)` :abbr:`IDR (Inter Domain Routing)` adopted a proposal called Multiprotocol Extension for BGP. The specification is described in :rfc:`2283`. The protocol does not define new protocols. It defines new attributes to existing BGP. When it is used exchanging IPv6 routing information it is called BGP-4+. When it is used for exchanging multicast routing information it is called MBGP."
 msgstr "When adding IPv6 routing information exchange feature to BGP. There were some proposals. :abbr:`IETF (Internet Engineering Task Force)` :abbr:`IDR (Inter Domain Routing)` adopted a proposal called Multiprotocol Extension for BGP. The specification is described in :rfc:`2283`. The protocol does not define new protocols. It defines new attributes to existing BGP. When it is used exchanging IPv6 routing information it is called BGP-4+. When it is used for exchanging multicast routing information it is called MBGP."
 
-#: ../../configuration/service/pppoe-server.rst:182
+#: ../../configuration/service/dns.rst:155
+msgid "When an authoritative server does not answer a query or sends a reply the recursor does not like, it is throttled. Any servers matching the supplied netmasks will never be throttled."
+msgstr "When an authoritative server does not answer a query or sends a reply the recursor does not like, it is throttled. Any servers matching the supplied netmasks will never be throttled."
+
+#: ../../configuration/service/pppoe-server.rst:169
 msgid "When configured, PPPoE will create the necessary VLANs when required. Once the user session has been cancelled and the VLAN is not needed anymore, VyOS will remove it again."
 msgstr "When configured, PPPoE will create the necessary VLANs when required. Once the user session has been cancelled and the VLAN is not needed anymore, VyOS will remove it again."
 
@@ -17996,11 +17253,13 @@ msgstr "When configuring your filter, you can use the ``Tab`` key to see the man
 msgid "When configuring your traffic policy, you will have to set data rate values, watch out the units you are managing, it is easy to get confused with the different prefixes and suffixes you can use. VyOS will always show you the different units you can use."
 msgstr "When configuring your traffic policy, you will have to set data rate values, watch out the units you are managing, it is easy to get confused with the different prefixes and suffixes you can use. VyOS will always show you the different units you can use."
 
-#: ../../configuration/firewall/general.rst:521
+#: ../../configuration/firewall/bridge.rst:210
+#: ../../configuration/firewall/ipv4.rst:290
+#: ../../configuration/firewall/ipv6.rst:290
 msgid "When defining a rule, it is enable by default. In some cases, it is useful to just disable the rule, rather than removing it."
 msgstr "When defining a rule, it is enable by default. In some cases, it is useful to just disable the rule, rather than removing it."
 
-#: ../../configuration/nat/nat44.rst:299
+#: ../../configuration/nat/nat44.rst:311
 msgid "When defining the translated address, called ``backends``, a ``weight`` must be configured. This lets the user define load balance distribution according to their needs. Them sum of all the weights defined for the backends should be equal to 100. In oder words, the weight defined for the backend is the percentage of the connections that will receive such backend."
 msgstr "When defining the translated address, called ``backends``, a ``weight`` must be configured. This lets the user define load balance distribution according to their needs. Them sum of all the weights defined for the backends should be equal to 100. In oder words, the weight defined for the backend is the percentage of the connections that will receive such backend."
 
@@ -18030,21 +17289,6 @@ msgstr "When loading the certificate you need to manually strip the ``-----BEGIN
 msgid "When mathcing all patterns defined in a rule, then different actions can be made. This includes droping the packet, modifying certain data, or setting a different routing table."
 msgstr "When mathcing all patterns defined in a rule, then different actions can be made. This includes droping the packet, modifying certain data, or setting a different routing table."
 
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
-#: ../../_include/interface-dhcpv6-options.txt:17
 #: ../../_include/interface-dhcpv6-options.txt:17
 msgid "When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix."
 msgstr "When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix."
@@ -18053,21 +17297,10 @@ msgstr "When no-release is specified, dhcp6c will send a release message on clie
 msgid "When no options/parameters are used, the contents of the main syslog file are displayed."
 msgstr "When no options/parameters are used, the contents of the main syslog file are displayed."
 
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
-#: ../../_include/interface-dhcpv6-options.txt:40
+#: ../../configuration/protocols/pim.rst:65
+msgid "When processing packets from a neighbor process the number of packets incoming at one time before moving on to the next task."
+msgstr "When processing packets from a neighbor process the number of packets incoming at one time before moving on to the next task."
+
 #: ../../_include/interface-dhcpv6-options.txt:40
 msgid "When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an immediate reply instead of advertisements."
 msgstr "When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an immediate reply instead of advertisements."
@@ -18080,6 +17313,10 @@ msgstr "When remote peer does not have capability negotiation feature, remote pe
 msgid "When running it at 1Gbit and lower, you may want to reduce the `queue-limit` to 1000 packets or less. In rates like 10Mbit, you may want to set it to 600 packets."
 msgstr "When running it at 1Gbit and lower, you may want to reduce the `queue-limit` to 1000 packets or less. In rates like 10Mbit, you may want to set it to 600 packets."
 
+#: ../../configuration/protocols/pim.rst:113
+msgid "When sending PIM hello packets tell PIM to not send any v6 secondary addresses on the interface. This information is used to allow PIM to use v6 nexthops in it's decision for :abbr:`RPF (Reverse Path Forwarding)` lookup if this option is not set (default)."
+msgstr "When sending PIM hello packets tell PIM to not send any v6 secondary addresses on the interface. This information is used to allow PIM to use v6 nexthops in it's decision for :abbr:`RPF (Reverse Path Forwarding)` lookup if this option is not set (default)."
+
 #: ../../configuration/interfaces/pppoe.rst:108
 msgid "When set the interface is enabled for \"dial-on-demand\"."
 msgstr "When set the interface is enabled for \"dial-on-demand\"."
@@ -18097,36 +17334,18 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke
 msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
 msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
 
-#: ../../configuration/vpn/site2site_ipsec.rst:407
+#: ../../configuration/vpn/site2site_ipsec.rst:416
 msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
 msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
 
-#: ../../configuration/firewall/general.rst:106
-#: ../../configuration/firewall/general-legacy.rst:58
+#: ../../configuration/firewall/global-options.rst:43
 msgid "When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied dropping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests."
 msgstr "When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied dropping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests."
 
-#: ../../configuration/firewall/general.rst:115
-#: ../../configuration/firewall/general-legacy.rst:67
+#: ../../configuration/firewall/global-options.rst:52
 msgid "When the command above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them."
 msgstr "When the command above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them."
 
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
-#: ../../_include/interface-address-with-dhcp.txt:14
 #: ../../_include/interface-address-with-dhcp.txt:14
 msgid "When using DHCP to retrieve IPv4 address and if local customizations are needed, they should be possible using the enter and exit hooks provided. The hook dirs are:"
 msgstr "When using DHCP to retrieve IPv4 address and if local customizations are needed, they should be possible using the enter and exit hooks provided. The hook dirs are:"
@@ -18135,11 +17354,11 @@ msgstr "When using DHCP to retrieve IPv4 address and if local customizations are
 msgid "When using EVE-NG to lab this environment ensure you are using e1000 as the desired driver for your VyOS network interfaces. When using the regular virtio network driver no LACP PDUs will be sent by VyOS thus the port-channel will never become active!"
 msgstr "When using EVE-NG to lab this environment ensure you are using e1000 as the desired driver for your VyOS network interfaces. When using the regular virtio network driver no LACP PDUs will be sent by VyOS thus the port-channel will never become active!"
 
-#: ../../configuration/nat/nat44.rst:351
+#: ../../configuration/nat/nat44.rst:365
 msgid "When using NAT for a large number of host systems it recommended that a minimum of 1 IP address is used to NAT every 256 host systems. This is due to the limit of 65,000 port numbers available for unique translations and a reserving an average of 200-300 sessions per host system."
 msgstr "When using NAT for a large number of host systems it recommended that a minimum of 1 IP address is used to NAT every 256 host systems. This is due to the limit of 65,000 port numbers available for unique translations and a reserving an average of 200-300 sessions per host system."
 
-#: ../../configuration/nat/nat44.rst:238
+#: ../../configuration/nat/nat44.rst:250
 msgid "When using NAT for a large number of host systems it recommended that a minimum of 1 IP address is used to NAT every 256 private host systems. This is due to the limit of 65,000 port numbers available for unique translations and a reserving an average of 200-300 sessions per host system."
 msgstr "When using NAT for a large number of host systems it recommended that a minimum of 1 IP address is used to NAT every 256 private host systems. This is due to the limit of 65,000 port numbers available for unique translations and a reserving an average of 200-300 sessions per host system."
 
@@ -18147,7 +17366,7 @@ msgstr "When using NAT for a large number of host systems it recommended that a
 msgid "When using SSH, known-hosts-file, private-key-file and public-key-file are mandatory options."
 msgstr "When using SSH, known-hosts-file, private-key-file and public-key-file are mandatory options."
 
-#: ../../configuration/vpn/openconnect.rst:215
+#: ../../configuration/vpn/openconnect.rst:222
 msgid "When using Time-based one-time password (TOTP) (OTP HOTP-time), be sure that the time on the server and the OTP token generator are synchronized by NTP"
 msgstr "When using Time-based one-time password (TOTP) (OTP HOTP-time), be sure that the time on the server and the OTP token generator are synchronized by NTP"
 
@@ -18171,47 +17390,35 @@ msgstr "Where, main key words and configuration paths that needs to be understoo
 msgid "Where both routes were received from eBGP peers, then prefer the route which is already selected. Note that this check is not applied if :cfgcmd:`bgp bestpath compare-routerid` is configured. This check can prevent some cases of oscillation."
 msgstr "Where both routes were received from eBGP peers, then prefer the route which is already selected. Note that this check is not applied if :cfgcmd:`bgp bestpath compare-routerid` is configured. This check can prevent some cases of oscillation."
 
+#: ../../configuration/firewall/ipv4.rst:42
+msgid "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlightened with red color."
+msgstr "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlightened with red color."
+
+#: ../../configuration/firewall/ipv6.rst:42
+msgid "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlightened with red color."
+msgstr "Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlightened with red color."
+
 #: ../../configuration/protocols/bgp.rst:86
 msgid "Where routes with a MED were received from the same AS, prefer the route with the lowest MED."
 msgstr "Where routes with a MED were received from the same AS, prefer the route with the lowest MED."
 
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
-#: ../../_include/interface-ipv6.txt:77
 #: ../../_include/interface-ipv6.txt:77
 msgid "Whether to accept DAD (Duplicate Address Detection)."
 msgstr "Whether to accept DAD (Duplicate Address Detection)."
 
-#: ../../configuration/nat/nat44.rst:330
+#: ../../configuration/nat/nat44.rst:342
 msgid "Which generates the following configuration:"
 msgstr "Which generates the following configuration:"
 
-#: ../../configuration/nat/nat44.rst:444
+#: ../../configuration/nat/nat44.rst:458
 msgid "Which results in a configuration of:"
 msgstr "Which results in a configuration of:"
 
-#: ../../configuration/nat/nat44.rst:522
+#: ../../configuration/nat/nat44.rst:542
 msgid "Which would generate the following NAT destination configuration:"
 msgstr "Which would generate the following NAT destination configuration:"
 
-#: ../../configuration/firewall/general.rst:217
-#: ../../configuration/firewall/general-legacy.rst:193
+#: ../../configuration/firewall/groups.rst:44
 msgid "While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need to add a mix of addresses and networks, the network group is recommended."
 msgstr "While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need to add a mix of addresses and networks, the network group is recommended."
 
@@ -18293,7 +17500,7 @@ msgstr "Wireless options"
 msgid "Wireless options (Station/Client)"
 msgstr "Wireless options (Station/Client)"
 
-#: ../../configuration/firewall/index.rst:23
+#: ../../configuration/firewall/index.rst:7
 msgid "With VyOS being based on top of Linux and its kernel, the Netfilter project created the iptables and now the successor nftables for the Linux kernel to work directly on the data flows. This now extends the concept of zone-based security to allow for manipulating the data at multiple stages once accepted by the network interface and the driver before being handed off to the destination (e.g. a web server OR another device)."
 msgstr "With VyOS being based on top of Linux and its kernel, the Netfilter project created the iptables and now the successor nftables for the Linux kernel to work directly on the data flows. This now extends the concept of zone-based security to allow for manipulating the data at multiple stages once accepted by the network interface and the driver before being handed off to the destination (e.g. a web server OR another device)."
 
@@ -18305,8 +17512,7 @@ msgstr "With WireGuard, a Road Warrior VPN config is similar to a site-to-site V
 msgid "With the ``name-server`` option set to ``none``, VyOS will ignore the nameservers your ISP sends you and thus you can fully rely on the ones you have configured statically."
 msgstr "With the ``name-server`` option set to ``none``, VyOS will ignore the nameservers your ISP sends you and thus you can fully rely on the ones you have configured statically."
 
-#: ../../configuration/firewall/general.rst:94
-#: ../../configuration/firewall/general-legacy.rst:46
+#: ../../configuration/firewall/global-options.rst:31
 msgid "With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general **firewall all-ping** command. This command affects only to LOCAL (packets destined for your VyOS system), not to IN or OUT traffic."
 msgstr "With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general **firewall all-ping** command. This command affects only to LOCAL (packets destined for your VyOS system), not to IN or OUT traffic."
 
@@ -18314,29 +17520,29 @@ msgstr "With the firewall you can set rules to accept, drop or reject ICMP in, o
 msgid "With this command, you can specify how the URL path should be matched against incoming requests."
 msgstr "With this command, you can specify how the URL path should be matched against incoming requests."
 
-#: ../../configuration/firewall/index.rst:73
+#: ../../configuration/firewall/index.rst:166
 msgid "With zone-based firewalls a new concept was implemented, in addtion to the standard in and out traffic flows, a local flow was added. This local was for traffic originating and destined to the router itself. Which means additional rules were required to secure the firewall itself from the network, in addition to the existing inbound and outbound rules from the traditional concept above."
 msgstr "With zone-based firewalls a new concept was implemented, in addtion to the standard in and out traffic flows, a local flow was added. This local was for traffic originating and destined to the router itself. Which means additional rules were required to secure the firewall itself from the network, in addition to the existing inbound and outbound rules from the traditional concept above."
 
-#: ../../configuration/service/dhcp-server.rst:290
-#: ../../configuration/service/dhcp-server.rst:295
-#: ../../configuration/service/dhcp-server.rst:300
-#: ../../configuration/service/dhcp-server.rst:310
-#: ../../configuration/service/dhcp-server.rst:315
-#: ../../configuration/service/dhcp-server.rst:345
-#: ../../configuration/service/dhcp-server.rst:350
-#: ../../configuration/service/dhcp-server.rst:355
-#: ../../configuration/service/dhcp-server.rst:375
-#: ../../configuration/service/dhcp-server.rst:380
-#: ../../configuration/service/dhcp-server.rst:390
+#: ../../configuration/service/dhcp-server.rst:257
+#: ../../configuration/service/dhcp-server.rst:262
+#: ../../configuration/service/dhcp-server.rst:267
+#: ../../configuration/service/dhcp-server.rst:277
+#: ../../configuration/service/dhcp-server.rst:282
+#: ../../configuration/service/dhcp-server.rst:312
+#: ../../configuration/service/dhcp-server.rst:317
+#: ../../configuration/service/dhcp-server.rst:322
+#: ../../configuration/service/dhcp-server.rst:342
+#: ../../configuration/service/dhcp-server.rst:347
+#: ../../configuration/service/dhcp-server.rst:357
 msgid "Y"
 msgstr "Y"
 
-#: ../../configuration/firewall/zone.rst:99
+#: ../../configuration/firewall/zone.rst:118
 msgid "You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair."
 msgstr "You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair."
 
-#: ../../configuration/system/login.rst:363
+#: ../../configuration/system/login.rst:365
 msgid "You are able to set post-login or pre-login banner messages to display certain information for this system."
 msgstr "You are able to set post-login or pre-login banner messages to display certain information for this system."
 
@@ -18348,24 +17554,23 @@ msgstr "You are be able to download the files using SCP, once the SSH service ha
 msgid "You can also configure the time interval for preemption with the \"preempt-delay\" option. For example, to set the higher priority router to take over in 180 seconds, use:"
 msgstr "You can also configure the time interval for preemption with the \"preempt-delay\" option. For example, to set the higher priority router to take over in 180 seconds, use:"
 
-#: ../../configuration/system/conntrack.rst:86
+#: ../../configuration/system/conntrack.rst:99
 msgid "You can also define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector."
 msgstr "You can also define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector."
 
-#: ../../configuration/service/dns.rst:299
+#: ../../configuration/service/dns.rst:312
 msgid "You can also keep different DNS zone updated. Just create a new config node: ``set service dns dynamic interface <interface> rfc2136 <other-service-name>``"
 msgstr "You can also keep different DNS zone updated. Just create a new config node: ``set service dns dynamic interface <interface> rfc2136 <other-service-name>``"
 
-#: ../../configuration/system/ipv6.rst:106
+#: ../../configuration/system/ipv6.rst:107
 msgid "You can also specify which IPv6 access-list should be shown:"
 msgstr "You can also specify which IPv6 access-list should be shown:"
 
-#: ../../configuration/protocols/igmp.rst:121
 #: ../../configuration/protocols/pim6.rst:42
 msgid "You can also tune multicast with the following commands."
 msgstr "You can also tune multicast with the following commands."
 
-#: ../../configuration/service/pppoe-server.rst:152
+#: ../../configuration/service/pppoe-server.rst:139
 msgid "You can also use another attributes for identify client for disconnect, like Framed-IP-Address, Acct-Session-Id, etc. Result commands appears in log."
 msgstr "You can also use another attributes for identify client for disconnect, like Framed-IP-Address, Acct-Session-Id, etc. Result commands appears in log."
 
@@ -18377,7 +17582,7 @@ msgstr "You can also write a description for a filter:"
 msgid "You can assign multiple keys to the same user by using a unique identifier per SSH key."
 msgstr "You can assign multiple keys to the same user by using a unique identifier per SSH key."
 
-#: ../../configuration/nat/nat44.rst:386
+#: ../../configuration/nat/nat44.rst:400
 msgid "You can avoid the \"leaky\" behavior by using a firewall policy that drops \"invalid\" state packets."
 msgstr "You can avoid the \"leaky\" behavior by using a firewall policy that drops \"invalid\" state packets."
 
@@ -18401,11 +17606,6 @@ msgstr "You can configure multiple interfaces which whould participate in flow a
 msgid "You can configure multiple interfaces which whould participate in sflow accounting."
 msgstr "You can configure multiple interfaces which whould participate in sflow accounting."
 
-#: ../../_include/interface-vlan-8021q.txt:29
-#: ../../_include/interface-vlan-8021q.txt:29
-#: ../../_include/interface-vlan-8021q.txt:29
-#: ../../_include/interface-vlan-8021q.txt:29
-#: ../../_include/interface-vlan-8021q.txt:29
 #: ../../_include/interface-vlan-8021q.txt:29
 msgid "You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094."
 msgstr "You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094."
@@ -18414,7 +17614,7 @@ msgstr "You can create multiple VLAN interfaces on a physical interface. The VLA
 msgid "You can disable a VRRP group with ``disable`` option:"
 msgstr "You can disable a VRRP group with ``disable`` option:"
 
-#: ../../configuration/system/ipv6.rst:148
+#: ../../configuration/system/ipv6.rst:122
 msgid "You can get more specific OSPFv3 information by using the parameters shown below:"
 msgstr "You can get more specific OSPFv3 information by using the parameters shown below:"
 
@@ -18422,15 +17622,15 @@ msgstr "You can get more specific OSPFv3 information by using the parameters sho
 msgid "You can not assign the same allowed-ips statement to multiple WireGuard peers. This a design decision. For more information please check the `WireGuard mailing list`_."
 msgstr "You can not assign the same allowed-ips statement to multiple WireGuard peers. This a design decision. For more information please check the `WireGuard mailing list`_."
 
-#: ../../configuration/service/mdns.rst:30
+#: ../../configuration/service/mdns.rst:46
 msgid "You can not run this in a VRRP setup, if multiple mDNS repeaters are launched in a subnet you will experience the mDNS packet storm death!"
 msgstr "You can not run this in a VRRP setup, if multiple mDNS repeaters are launched in a subnet you will experience the mDNS packet storm death!"
 
-#: ../../configuration/vpn/sstp.rst:320
+#: ../../configuration/vpn/sstp.rst:332
 msgid "You can now \"dial\" the peer with the follwoing command: ``sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos``."
 msgstr "You can now \"dial\" the peer with the follwoing command: ``sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos``."
 
-#: ../../configuration/system/login.rst:441
+#: ../../configuration/system/login.rst:443
 msgid "You can now SSH into your system using admin/admin as a default user supplied from the ``lfkeitel/tacacs_plus:latest`` container."
 msgstr "You can now SSH into your system using admin/admin as a default user supplied from the ``lfkeitel/tacacs_plus:latest`` container."
 
@@ -18442,7 +17642,7 @@ msgstr "You can only apply one policy per interface and direction, but you could
 msgid "You can run the UDP broadcast relay service on multiple routers connected to a subnet. There is **NO** UDP broadcast relay packet storm!"
 msgstr "You can run the UDP broadcast relay service on multiple routers connected to a subnet. There is **NO** UDP broadcast relay packet storm!"
 
-#: ../../configuration/service/dhcp-server.rst:211
+#: ../../configuration/service/dhcp-server.rst:176
 msgid "You can specify a static DHCP assignment on a per host basis. You will need the MAC address of the station and your desired IP address. The address must be inside the subnet definition but can be outside of the range statement."
 msgstr "You can specify a static DHCP assignment on a per host basis. You will need the MAC address of the station and your desired IP address. The address must be inside the subnet definition but can be outside of the range statement."
 
@@ -18462,7 +17662,7 @@ msgstr "You can verify your VRRP group status with the operational mode ``run sh
 msgid "You can view that the policy is being correctly (or incorrectly) utilised with the following command:"
 msgstr "You can view that the policy is being correctly (or incorrectly) utilised with the following command:"
 
-#: ../../configuration/protocols/ospf.rst:1342
+#: ../../configuration/protocols/ospf.rst:1344
 msgid "You cannot easily redistribute IPv6 routes via OSPFv3 on a WireGuard interface link. This requires you to configure link-local addresses manually on the WireGuard interfaces, see :vytask:`T1483`."
 msgstr "You cannot easily redistribute IPv6 routes via OSPFv3 on a WireGuard interface link. This requires you to configure link-local addresses manually on the WireGuard interfaces, see :vytask:`T1483`."
 
@@ -18482,7 +17682,7 @@ msgstr "You may prefer locally configured capabilities more than the negotiated
 msgid "You may want to disable sending Capability Negotiation OPEN message optional parameter to the peer when remote peer does not implement Capability Negotiation. Please use :cfgcmd:`disable-capability-negotiation` command to disable the feature."
 msgstr "You may want to disable sending Capability Negotiation OPEN message optional parameter to the peer when remote peer does not implement Capability Negotiation. Please use :cfgcmd:`disable-capability-negotiation` command to disable the feature."
 
-#: ../../configuration/firewall/zone.rst:39
+#: ../../configuration/firewall/zone.rst:58
 msgid "You need 2 separate firewalls to define traffic: one for each direction."
 msgstr "You need 2 separate firewalls to define traffic: one for each direction."
 
@@ -18534,7 +17734,7 @@ msgstr "Zebra supports prefix-lists and Route Mapss to match routes received fro
 msgid "Zone-Policy Overview"
 msgstr "Zone-Policy Overview"
 
-#: ../../configuration/firewall/index.rst:66
+#: ../../configuration/firewall/index.rst:159
 msgid "Zone-based firewall"
 msgstr "Zone-based firewall"
 
@@ -18586,25 +17786,6 @@ msgstr ":abbr:`DNAT (Destination Network Address Translation)` changes the desti
 msgid ":abbr:`EAP (Extensible Authentication Protocol)` over LAN (EAPoL) is a network port authentication protocol used in IEEE 802.1X (Port Based Network Access Control) developed to give a generic network sign-on to access network resources."
 msgstr ":abbr:`EAP (Extensible Authentication Protocol)` over LAN (EAPoL) is a network port authentication protocol used in IEEE 802.1X (Port Based Network Access Control) developed to give a generic network sign-on to access network resources."
 
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
-#: ../../_include/interface-ipv6.txt:25
 #: ../../_include/interface-ipv6.txt:25
 msgid ":abbr:`EUI-64 (64-Bit Extended Unique Identifier)` as specified in :rfc:`4291` allows a host to assign iteslf a unique 64-Bit IPv6 address."
 msgstr ":abbr:`EUI-64 (64-Bit Extended Unique Identifier)` as specified in :rfc:`4291` allows a host to assign iteslf a unique 64-Bit IPv6 address."
@@ -18625,7 +17806,7 @@ msgstr ":abbr:`GRO (Generic receive offload)` is the complement to GSO. Ideally
 msgid ":abbr:`GSO (Generic Segmentation Offload)` is a pure software offload that is meant to deal with cases where device drivers cannot perform the offloads described above. What occurs in GSO is that a given skbuff will have its data broken out over multiple skbuffs that have been resized to match the MSS provided via skb_shinfo()->gso_size."
 msgstr ":abbr:`GSO (Generic Segmentation Offload)` is a pure software offload that is meant to deal with cases where device drivers cannot perform the offloads described above. What occurs in GSO is that a given skbuff will have its data broken out over multiple skbuffs that have been resized to match the MSS provided via skb_shinfo()->gso_size."
 
-#: ../../configuration/protocols/igmp.rst:181
+#: ../../configuration/protocols/igmp-proxy.rst:9
 msgid ":abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages on behalf of a connected client. The configuration must define one, and only one upstream interface, and one or more downstream interfaces."
 msgstr ":abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages on behalf of a connected client. The configuration must define one, and only one upstream interface, and one or more downstream interfaces."
 
@@ -18637,7 +17818,7 @@ msgstr ":abbr:`IPSec (IP Security)` - too many RFCs to list, but start with :rfc
 msgid ":abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway protocol (IGP) which is described in ISO10589, :rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s topology, and from that database to determine the best (that is, lowest cost) path to a destination. The intermediate systems (the name for routers) exchange topology information with their directly conencted neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long. The tree database that is created with IS-IS is similar to the one that is created with OSPF in that the paths chosen should be similar. Comparisons to OSPF are inevitable and often are reasonable ones to make in regards to the way a network will respond with either IGP."
 msgstr ":abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway protocol (IGP) which is described in ISO10589, :rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s topology, and from that database to determine the best (that is, lowest cost) path to a destination. The intermediate systems (the name for routers) exchange topology information with their directly conencted neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long. The tree database that is created with IS-IS is similar to the one that is created with OSPF in that the paths chosen should be similar. Comparisons to OSPF are inevitable and often are reasonable ones to make in regards to the way a network will respond with either IGP."
 
-#: ../../configuration/vrf/index.rst:399
+#: ../../configuration/vrf/index.rst:401
 msgid ":abbr:`L3VPN VRFs ( Layer 3 Virtual Private Networks )` bgpd supports for IPv4 RFC 4364 and IPv6 RFC 4659. L3VPN routes, and their associated VRF MPLS labels, can be distributed to VPN SAFI neighbors in the default, i.e., non VRF, BGP instance. VRF MPLS labels are reached using core MPLS labels which are distributed using LDP or BGP labeled unicast. bgpd also supports inter-VRF route leaking."
 msgstr ":abbr:`L3VPN VRFs ( Layer 3 Virtual Private Networks )` bgpd supports for IPv4 RFC 4364 and IPv6 RFC 4659. L3VPN routes, and their associated VRF MPLS labels, can be distributed to VPN SAFI neighbors in the default, i.e., non VRF, BGP instance. VRF MPLS labels are reached using core MPLS labels which are distributed using LDP or BGP labeled unicast. bgpd also supports inter-VRF route leaking."
 
@@ -18657,6 +17838,10 @@ msgstr ":abbr:`MKA (MACsec Key Agreement protocol)` is used to synchronize keys
 msgid ":abbr:`MPLS (Multi-Protocol Label Switching)` is a packet forwarding paradigm which differs from regular IP forwarding. Instead of IP addresses being used to make the decision on finding the exit interface, a router will instead use an exact match on a 32 bit/4 byte header called the MPLS label. This label is inserted between the ethernet (layer 2) header and the IP (layer 3) header. One can statically or dynamically assign label allocations, but we will focus on dynamic allocation of labels using some sort of label distribution protocol (such as the aptly named Label Distribution Protocol / LDP, Resource Reservation Protocol / RSVP, or Segment Routing through OSPF/ISIS). These protocols allow for the creation of a unidirectional/unicast path called a labeled switched path (initialized as LSP) throughout the network that operates very much like a tunnel through the network. An easy way of thinking about how an MPLS LSP actually forwards traffic throughout a network is to think of a GRE tunnel. They are not the same in how they operate, but they are the same in how they handle the tunneled packet. It would be good to think of MPLS as a tunneling technology that can be used to transport many different types of packets, to aid in traffic engineering by allowing one to specify paths throughout the network (using RSVP or SR), and to generally allow for easier intra/inter network transport of data packets."
 msgstr ":abbr:`MPLS (Multi-Protocol Label Switching)` is a packet forwarding paradigm which differs from regular IP forwarding. Instead of IP addresses being used to make the decision on finding the exit interface, a router will instead use an exact match on a 32 bit/4 byte header called the MPLS label. This label is inserted between the ethernet (layer 2) header and the IP (layer 3) header. One can statically or dynamically assign label allocations, but we will focus on dynamic allocation of labels using some sort of label distribution protocol (such as the aptly named Label Distribution Protocol / LDP, Resource Reservation Protocol / RSVP, or Segment Routing through OSPF/ISIS). These protocols allow for the creation of a unidirectional/unicast path called a labeled switched path (initialized as LSP) throughout the network that operates very much like a tunnel through the network. An easy way of thinking about how an MPLS LSP actually forwards traffic throughout a network is to think of a GRE tunnel. They are not the same in how they operate, but they are the same in how they handle the tunneled packet. It would be good to think of MPLS as a tunneling technology that can be used to transport many different types of packets, to aid in traffic engineering by allowing one to specify paths throughout the network (using RSVP or SR), and to generally allow for easier intra/inter network transport of data packets."
 
+#: ../../configuration/nat/nat64.rst:7
+msgid ":abbr:`NAT64 (IPv6-to-IPv4 Prefix Translation)` is a critical component in modern networking, facilitating communication between IPv6 and IPv4 networks. This documentation outlines the setup, configuration, and usage of the NAT64 feature in your project. Whether you are transitioning to IPv6 or need to seamlessly connect IPv4 and IPv6 devices. NAT64 is a stateful translation mechanism that translates IPv6 addresses to IPv4 addresses and IPv4 addresses to IPv6 addresses. NAT64 is used to enable IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP."
+msgstr ":abbr:`NAT64 (IPv6-to-IPv4 Prefix Translation)` is a critical component in modern networking, facilitating communication between IPv6 and IPv4 networks. This documentation outlines the setup, configuration, and usage of the NAT64 feature in your project. Whether you are transitioning to IPv6 or need to seamlessly connect IPv4 and IPv6 devices. NAT64 is a stateful translation mechanism that translates IPv6 addresses to IPv4 addresses and IPv4 addresses to IPv6 addresses. NAT64 is used to enable IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP."
+
 #: ../../configuration/nat/nat44.rst:7
 msgid ":abbr:`NAT (Network Address Translation)` is a common method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used as a shortcut to avoid the need to readdress every host when a network was moved. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network."
 msgstr ":abbr:`NAT (Network Address Translation)` is a common method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used as a shortcut to avoid the need to readdress every host when a network was moved. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network."
@@ -18685,6 +17870,10 @@ msgstr ":abbr:`NTP (Network Time Protocol`) is a networking protocol for clock s
 msgid ":abbr:`OSPF (Open Shortest Path First)` is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). It is defined as OSPF Version 2 in :rfc:`2328` (1998) for IPv4. Updates for IPv6 are specified as OSPF Version 3 in :rfc:`5340` (2008). OSPF supports the :abbr:`CIDR (Classless Inter-Domain Routing)` addressing model."
 msgstr ":abbr:`OSPF (Open Shortest Path First)` is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). It is defined as OSPF Version 2 in :rfc:`2328` (1998) for IPv4. Updates for IPv6 are specified as OSPF Version 3 in :rfc:`5340` (2008). OSPF supports the :abbr:`CIDR (Classless Inter-Domain Routing)` addressing model."
 
+#: ../../configuration/protocols/pim.rst:12
+msgid ":abbr:`PIM (Protocol Independent Multicast)` must be configured in every interface of every participating router. Every router must also have the location of the Rendevouz Point manually configured. Then, unidirectional shared trees rooted at the Rendevouz Point will automatically be built for multicast distribution."
+msgstr ":abbr:`PIM (Protocol Independent Multicast)` must be configured in every interface of every participating router. Every router must also have the location of the Rendevouz Point manually configured. Then, unidirectional shared trees rooted at the Rendevouz Point will automatically be built for multicast distribution."
+
 #: ../../configuration/interfaces/pppoe.rst:9
 msgid ":abbr:`PPPoE (Point-to-Point Protocol over Ethernet)` is a network protocol for encapsulating PPP frames inside Ethernet frames. It appeared in 1999, in the context of the boom of DSL as the solution for tunneling packets over the DSL connection to the :abbr:`ISPs (Internet Service Providers)` IP network, and from there to the rest of the Internet. A 2005 networking book noted that \"Most DSL providers use PPPoE, which provides authentication, encryption, and compression.\" Typical use of PPPoE involves leveraging the PPP facilities for authenticating the user with a username and password, predominately via the PAP protocol and less often via CHAP."
 msgstr ":abbr:`PPPoE (Point-to-Point Protocol over Ethernet)` is a network protocol for encapsulating PPP frames inside Ethernet frames. It appeared in 1999, in the context of the boom of DSL as the solution for tunneling packets over the DSL connection to the :abbr:`ISPs (Internet Service Providers)` IP network, and from there to the rest of the Internet. A 2005 networking book noted that \"Most DSL providers use PPPoE, which provides authentication, encryption, and compression.\" Typical use of PPPoE involves leveraging the PPP facilities for authenticating the user with a username and password, predominately via the PAP protocol and less often via CHAP."
@@ -18694,40 +17883,25 @@ msgid ":abbr:`RAs (Router advertisements)` are described in :rfc:`4861#section-4
 msgstr ":abbr:`RAs (Router advertisements)` are described in :rfc:`4861#section-4.6.2`. They are part of what is known as :abbr:`SLAAC (Stateless Address Autoconfiguration)`."
 
 #: ../../configuration/protocols/rip.rst:9
-msgid ":abbr:`RIP (Routing Information Protocol)` is a widely deployed interior gateway protocol. RIP was developed in the 1970s at Xerox Labs as part of the XNS routing protocol. RIP is a distance-vector protocol and is based on the Bellman-Ford algorithms. As a distance-vector protocol, RIP router send updates to its neighbors periodically, thus allowing the convergence to a known topology. In each update, the distance to any given network will be broadcast to its neighboring router."
-msgstr ":abbr:`RIP (Routing Information Protocol)` is a widely deployed interior gateway protocol. RIP was developed in the 1970s at Xerox Labs as part of the XNS routing protocol. RIP is a distance-vector protocol and is based on the Bellman-Ford algorithms. As a distance-vector protocol, RIP router send updates to its neighbors periodically, thus allowing the convergence to a known topology. In each update, the distance to any given network will be broadcast to its neighboring router."
-
-#: ../../configuration/protocols/rpki.rst:14
-msgid ":abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI (Public Key Infrastructure)` designed to secure the Internet routing infrastructure. It associates BGP route announcements with the correct originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then use to check each route against the corresponding :abbr:`ROA (Route Origin Authorisation)` for validity. RPKI is described in :rfc:`6480`."
-msgstr ":abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI (Public Key Infrastructure)` designed to secure the Internet routing infrastructure. It associates BGP route announcements with the correct originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then use to check each route against the corresponding :abbr:`ROA (Route Origin Authorisation)` for validity. RPKI is described in :rfc:`6480`."
-
-#: ../../configuration/interfaces/ethernet.rst:82
-msgid ":abbr:`RPS (Receive Packet Steering)` is logically a software implementation of :abbr:`RSS (Receive Side Scaling)`. Being in software, it is necessarily called later in the datapath. Whereas RSS selects the queue and hence CPU that will run the hardware interrupt handler, RPS selects the CPU to perform protocol processing above the interrupt handler. This is accomplished by placing the packet on the desired CPU's backlog queue and waking up the CPU for processing. RPS has some advantages over RSS:"
-msgstr ":abbr:`RPS (Receive Packet Steering)` is logically a software implementation of :abbr:`RSS (Receive Side Scaling)`. Being in software, it is necessarily called later in the datapath. Whereas RSS selects the queue and hence CPU that will run the hardware interrupt handler, RPS selects the CPU to perform protocol processing above the interrupt handler. This is accomplished by placing the packet on the desired CPU's backlog queue and waking up the CPU for processing. RPS has some advantages over RSS:"
-
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
-#: ../../_include/interface-ipv6.txt:4
+msgid ":abbr:`RIP (Routing Information Protocol)` is a widely deployed interior gateway protocol. RIP was developed in the 1970s at Xerox Labs as part of the XNS routing protocol. RIP is a distance-vector protocol and is based on the Bellman-Ford algorithms. As a distance-vector protocol, RIP router send updates to its neighbors periodically, thus allowing the convergence to a known topology. In each update, the distance to any given network will be broadcast to its neighboring router."
+msgstr ":abbr:`RIP (Routing Information Protocol)` is a widely deployed interior gateway protocol. RIP was developed in the 1970s at Xerox Labs as part of the XNS routing protocol. RIP is a distance-vector protocol and is based on the Bellman-Ford algorithms. As a distance-vector protocol, RIP router send updates to its neighbors periodically, thus allowing the convergence to a known topology. In each update, the distance to any given network will be broadcast to its neighboring router."
+
+#: ../../configuration/protocols/rpki.rst:14
+msgid ":abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI (Public Key Infrastructure)` designed to secure the Internet routing infrastructure. It associates BGP route announcements with the correct originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then use to check each route against the corresponding :abbr:`ROA (Route Origin Authorisation)` for validity. RPKI is described in :rfc:`6480`."
+msgstr ":abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI (Public Key Infrastructure)` designed to secure the Internet routing infrastructure. It associates BGP route announcements with the correct originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then use to check each route against the corresponding :abbr:`ROA (Route Origin Authorisation)` for validity. RPKI is described in :rfc:`6480`."
+
+#: ../../configuration/interfaces/ethernet.rst:82
+msgid ":abbr:`RPS (Receive Packet Steering)` is logically a software implementation of :abbr:`RSS (Receive Side Scaling)`. Being in software, it is necessarily called later in the datapath. Whereas RSS selects the queue and hence CPU that will run the hardware interrupt handler, RPS selects the CPU to perform protocol processing above the interrupt handler. This is accomplished by placing the packet on the desired CPU's backlog queue and waking up the CPU for processing. RPS has some advantages over RSS:"
+msgstr ":abbr:`RPS (Receive Packet Steering)` is logically a software implementation of :abbr:`RSS (Receive Side Scaling)`. Being in software, it is necessarily called later in the datapath. Whereas RSS selects the queue and hence CPU that will run the hardware interrupt handler, RPS selects the CPU to perform protocol processing above the interrupt handler. This is accomplished by placing the packet on the desired CPU's backlog queue and waking up the CPU for processing. RPS has some advantages over RSS:"
+
 #: ../../_include/interface-ipv6.txt:4
 msgid ":abbr:`SLAAC (Stateless Address Autoconfiguration)` :rfc:`4862`. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via :abbr:`ICMPv6 (Internet Control Message Protocol version 6)` router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters."
 msgstr ":abbr:`SLAAC (Stateless Address Autoconfiguration)` :rfc:`4862`. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via :abbr:`ICMPv6 (Internet Control Message Protocol version 6)` router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters."
 
+#: ../../configuration/nat/nat64.rst:28
+msgid ":abbr:`SNAT64 (IPv6-to-IPv4 Source Address Translation)` is a stateful translation mechanism that translates IPv6 addresses to IPv4 addresses."
+msgstr ":abbr:`SNAT64 (IPv6-to-IPv4 Source Address Translation)` is a stateful translation mechanism that translates IPv6 addresses to IPv4 addresses."
+
 #: ../../configuration/nat/nat44.rst:78
 msgid ":abbr:`SNAT (Source Network Address Translation)` is the most common form of :abbr:`NAT (Network Address Translation)` and is typically referred to simply as NAT. To be more correct, what most people refer to as :abbr:`NAT (Network Address Translation)` is actually the process of :abbr:`PAT (Port Address Translation)`, or NAT overload. SNAT is typically used by internal users/private hosts to access the Internet - the source address is translated and thus kept private."
 msgstr ":abbr:`SNAT (Source Network Address Translation)` is the most common form of :abbr:`NAT (Network Address Translation)` and is typically referred to simply as NAT. To be more correct, what most people refer to as :abbr:`NAT (Network Address Translation)` is actually the process of :abbr:`PAT (Port Address Translation)`, or NAT overload. SNAT is typically used by internal users/private hosts to access the Internet - the source address is translated and thus kept private."
@@ -18876,26 +18050,11 @@ msgstr ":ref:`routing-static`"
 msgid ":ref:`routing-static`: ``set vrf name <name> protocols static ...``"
 msgstr ":ref:`routing-static`: ``set vrf name <name> protocols static ...``"
 
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
-#: ../../_include/interface-dhcp-options.txt:4
 #: ../../_include/interface-dhcp-options.txt:4
 msgid ":rfc:`2131` states: The client MAY choose to explicitly provide the identifier through the 'client identifier' option. If the client supplies a 'client identifier', the client MUST use the same 'client identifier' in all subsequent messages, and the server MUST use that identifier to identify the client."
 msgstr ":rfc:`2131` states: The client MAY choose to explicitly provide the identifier through the 'client identifier' option. If the client supplies a 'client identifier', the client MUST use the same 'client identifier' in all subsequent messages, and the server MUST use that identifier to identify the client."
 
-#: ../../configuration/service/dns.rst:217
+#: ../../configuration/service/dns.rst:230
 msgid ":rfc:`2136` Based"
 msgstr ":rfc:`2136` Based"
 
@@ -18923,7 +18082,7 @@ msgstr "`3. Add a full path to the script`_"
 msgid "`4. Add optional parameters`_"
 msgstr "`4. Add optional parameters`_"
 
-#: ../../configuration/service/dhcp-server.rst:189
+#: ../../configuration/service/dhcp-server.rst:154
 msgid "`<name>` must be identical on both sides!"
 msgstr "`<name>` must be identical on both sides!"
 
@@ -18951,42 +18110,10 @@ msgstr "``+`` successful"
 msgid "``-`` failed"
 msgstr "``-`` failed"
 
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
-#: ../../_include/interface-address-with-dhcp.txt:19
 #: ../../_include/interface-address-with-dhcp.txt:19
 msgid "``/config/scripts/dhcp-client/post-hooks.d/``"
 msgstr "``/config/scripts/dhcp-client/post-hooks.d/``"
 
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
-#: ../../_include/interface-address-with-dhcp.txt:18
 #: ../../_include/interface-address-with-dhcp.txt:18
 msgid "``/config/scripts/dhcp-client/pre-hooks.d/``"
 msgstr "``/config/scripts/dhcp-client/pre-hooks.d/``"
@@ -19063,6 +18190,10 @@ msgstr "``4800`` - 4800 bps"
 msgid "``57600`` - 57,600 bps"
 msgstr "``57600`` - 57,600 bps"
 
+#: ../../configuration/nat/nat64.rst:31
+msgid "``64:ff9b::/96`` is the well-known prefix for IPv4-embedded IPv6 addresses. The prefix is used to represent IPv4 addresses in an IPv6 address format. The IPv4 address is encoded in the low-order 32 bits of the IPv6 address. The high-order 32 bits are set to the well-known prefix 64:ff9b::/96."
+msgstr "``64:ff9b::/96`` is the well-known prefix for IPv4-embedded IPv6 addresses. The prefix is used to represent IPv4 addresses in an IPv6 address format. The IPv4 address is encoded in the low-order 32 bits of the IPv6 address. The high-order 32 bits are set to the well-known prefix 64:ff9b::/96."
+
 #: ../../configuration/interfaces/bonding.rst:43
 msgid "``802.3ad`` - IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification."
 msgstr "``802.3ad`` - IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification."
@@ -19095,15 +18226,17 @@ msgstr "``a`` - 802.11a - 54 Mbits/sec"
 msgid "``ac`` - 802.11ac - 1300 Mbits/sec"
 msgstr "``ac`` - 802.11ac - 1300 Mbits/sec"
 
-#: ../../configuration/policy/route-map.rst:373
+#: ../../configuration/policy/route-map.rst:375
 msgid "``accept-own-nexthop`` -           Well-known communities value accept-own-nexthop 0xFFFF0008"
 msgstr "``accept-own-nexthop`` -           Well-known communities value accept-own-nexthop 0xFFFF0008"
 
-#: ../../configuration/policy/route-map.rst:366
+#: ../../configuration/policy/route-map.rst:368
 msgid "``accept-own`` -                   Well-known communities value ACCEPT_OWN 0xFFFF0001"
 msgstr "``accept-own`` -                   Well-known communities value ACCEPT_OWN 0xFFFF0001"
 
-#: ../../configuration/firewall/general.rst:334
+#: ../../configuration/firewall/bridge.rst:72
+#: ../../configuration/firewall/ipv4.rst:88
+#: ../../configuration/firewall/ipv6.rst:88
 msgid "``accept``: accept the packet."
 msgstr "``accept``: accept the packet."
 
@@ -19135,7 +18268,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas
 msgid "``any-available`` any of the checking target addresses must be available to pass this check"
 msgstr "``any-available`` any of the checking target addresses must be available to pass this check"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:376
+#: ../../configuration/vpn/site2site_ipsec.rst:385
 msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
 msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
 
@@ -19163,7 +18296,7 @@ msgstr "``bgp`` - Border Gateway Protocol (BGP)"
 msgid "``bind`` - select a VTI interface to bind to this peer;"
 msgstr "``bind`` - select a VTI interface to bind to this peer;"
 
-#: ../../configuration/policy/route-map.rst:374
+#: ../../configuration/policy/route-map.rst:376
 msgid "``blackhole`` -                    Well-known communities value BLACKHOLE 0xFFFF029A"
 msgstr "``blackhole`` -                    Well-known communities value BLACKHOLE 0xFFFF029A"
 
@@ -19191,7 +18324,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating
 msgid "``clear`` set action to clear;"
 msgstr "``clear`` set action to clear;"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:402
+#: ../../configuration/vpn/site2site_ipsec.rst:411
 msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
 msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
 
@@ -19215,6 +18348,12 @@ msgstr "``connected`` - Connected routes (directly attached subnet or host)"
 msgid "``connection-type`` - how to handle this connection process. Possible variants:"
 msgstr "``connection-type`` - how to handle this connection process. Possible variants:"
 
+#: ../../configuration/firewall/bridge.rst:74
+#: ../../configuration/firewall/ipv4.rst:90
+#: ../../configuration/firewall/ipv6.rst:90
+msgid "``continue``: continue parsing next rule."
+msgstr "``continue``: continue parsing next rule."
+
 #: ../../configuration/vpn/site2site_ipsec.rst:62
 msgid "``crl-file`` - file with the Certificate Revocation List. Using to check if a certificate for the remote peer is valid or revoked;"
 msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check if a certificate for the remote peer is valid or revoked;"
@@ -19223,7 +18362,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check
 msgid "``d`` - Execution interval in days"
 msgstr "``d`` - Execution interval in days"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:391
+#: ../../configuration/vpn/site2site_ipsec.rst:400
 msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
 msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
 
@@ -19255,7 +18394,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con
 msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
 msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
 
-#: ../../configuration/vpn/site2site_ipsec.rst:387
+#: ../../configuration/vpn/site2site_ipsec.rst:396
 msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
 msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
 
@@ -19279,7 +18418,9 @@ msgstr "``disable`` disable IPComp compression (default);"
 msgid "``disable`` disable MOBIKE;"
 msgstr "``disable`` disable MOBIKE;"
 
-#: ../../configuration/firewall/general.rst:336
+#: ../../configuration/firewall/bridge.rst:76
+#: ../../configuration/firewall/ipv4.rst:92
+#: ../../configuration/firewall/ipv6.rst:92
 msgid "``drop``: drop the packet."
 msgstr "``drop``: drop the packet."
 
@@ -19347,6 +18488,10 @@ msgstr "``file`` - path to the key file;"
 msgid "``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
 msgstr "``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
 
+#: ../../configuration/vpn/ipsec.rst:164
+msgid "``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
+msgstr "``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a \"tunnel mode ipsec ipv4\" Cisco template but should also work for GRE encapsulation;"
+
 #: ../../configuration/vpn/site2site_ipsec.rst:97
 msgid "``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams. Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them;"
 msgstr "``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams. Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them;"
@@ -19355,7 +18500,7 @@ msgstr "``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagr
 msgid "``g`` - 802.11g - 54 Mbits/sec (default)"
 msgstr "``g`` - 802.11g - 54 Mbits/sec (default)"
 
-#: ../../configuration/policy/route-map.rst:365
+#: ../../configuration/policy/route-map.rst:367
 msgid "``graceful-shutdown`` -            Well-known communities value GRACEFUL_SHUTDOWN 0xFFFF0000"
 msgstr "``graceful-shutdown`` -            Well-known communities value GRACEFUL_SHUTDOWN 0xFFFF0000"
 
@@ -19435,7 +18580,7 @@ msgstr "``interface`` Interface Name to use. The name of the interface on which
 msgid "``interface`` is used for the VyOS CLI command to identify the WireGuard interface where this private key is to be used."
 msgstr "``interface`` is used for the VyOS CLI command to identify the WireGuard interface where this private key is to be used."
 
-#: ../../configuration/policy/route-map.rst:364
+#: ../../configuration/policy/route-map.rst:366
 msgid "``internet`` -                     Well-known communities value 0"
 msgstr "``internet`` -                     Well-known communities value 0"
 
@@ -19447,7 +18592,9 @@ msgstr "``interval`` keep-alive interval in seconds <2-86400> (default 30);"
 msgid "``isis`` - Intermediate System to Intermediate System (IS-IS)"
 msgstr "``isis`` - Intermediate System to Intermediate System (IS-IS)"
 
-#: ../../configuration/firewall/general.rst:340
+#: ../../configuration/firewall/bridge.rst:78
+#: ../../configuration/firewall/ipv4.rst:96
+#: ../../configuration/firewall/ipv6.rst:96
 msgid "``jump``: jump to another custom chain."
 msgstr "``jump``: jump to another custom chain."
 
@@ -19471,6 +18618,10 @@ msgstr "``latency``: A server profile focused on lowering network latency. This
 msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
 msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
 
+#: ../../configuration/loadbalancing/reverse-proxy.rst:108
+msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
+msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
+
 #: ../../configuration/vpn/ipsec.rst:125
 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"
 msgstr "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"
@@ -19491,7 +18642,7 @@ msgstr "``lifetime`` IKE lifetime in seconds <0-86400> (default 28800);"
 msgid "``lifetime`` IKE lifetime in seconds <30-86400> (default 28800);"
 msgstr "``lifetime`` IKE lifetime in seconds <30-86400> (default 28800);"
 
-#: ../../configuration/policy/route-map.rst:371
+#: ../../configuration/policy/route-map.rst:373
 msgid "``llgr-stale`` -                   Well-known communities value LLGR_STALE 0xFFFF0006"
 msgstr "``llgr-stale`` -                   Well-known communities value LLGR_STALE 0xFFFF0006"
 
@@ -19499,7 +18650,7 @@ msgstr "``llgr-stale`` -                   Well-known communities value LLGR_STA
 msgid "``local-address`` - local IP address for IPSec connection with this peer. If defined ``any``, then an IP address which configured on interface with default route will be used;"
 msgstr "``local-address`` - local IP address for IPSec connection with this peer. If defined ``any``, then an IP address which configured on interface with default route will be used;"
 
-#: ../../configuration/policy/route-map.rst:361
+#: ../../configuration/policy/route-map.rst:363
 msgid "``local-as`` -                     Well-known communities value NO_EXPORT_SUBCONFED 0xFFFFFF03"
 msgstr "``local-as`` -                     Well-known communities value NO_EXPORT_SUBCONFED 0xFFFFFF03"
 
@@ -19563,79 +18714,63 @@ msgstr "``multi-user-beamformer`` - Support for operation as single user beamfor
 msgid "``n`` - 802.11n - 600 Mbits/sec"
 msgstr "``n`` - 802.11n - 600 Mbits/sec"
 
-#: ../../configuration/pki/pki_cli_import_help.txt:5
-#: ../../configuration/pki/pki_cli_import_help.txt:5
-#: ../../configuration/pki/pki_cli_import_help.txt:5
-#: ../../configuration/pki/pki_cli_import_help.txt:5
-#: ../../configuration/pki/pki_cli_import_help.txt:5
-#: ../../configuration/pki/pki_cli_import_help.txt:5
 #: ../../configuration/pki/pki_cli_import_help.txt:5
 msgid "``name`` is used for the VyOS CLI command to identify this key. This key ``name`` is then used in the CLI configuration to reference the key instance."
 msgstr "``name`` is used for the VyOS CLI command to identify this key. This key ``name`` is then used in the CLI configuration to reference the key instance."
 
-#: ../../configuration/firewall/general.rst:142
-#: ../../configuration/firewall/general-legacy.rst:93
+#: ../../configuration/firewall/global-options.rst:79
 msgid "``net.ipv4.conf.all.accept_redirects``"
 msgstr "``net.ipv4.conf.all.accept_redirects``"
 
-#: ../../configuration/firewall/general.rst:132
-#: ../../configuration/firewall/general-legacy.rst:84
+#: ../../configuration/firewall/global-options.rst:69
 msgid "``net.ipv4.conf.all.accept_source_route``"
 msgstr "``net.ipv4.conf.all.accept_source_route``"
 
-#: ../../configuration/firewall/general.rst:157
-#: ../../configuration/firewall/general-legacy.rst:108
+#: ../../configuration/firewall/global-options.rst:94
 msgid "``net.ipv4.conf.all.log_martians``"
 msgstr "``net.ipv4.conf.all.log_martians``"
 
-#: ../../configuration/firewall/general.rst:165
-#: ../../configuration/firewall/general-legacy.rst:115
+#: ../../configuration/firewall/global-options.rst:102
 msgid "``net.ipv4.conf.all.rp_filter``"
 msgstr "``net.ipv4.conf.all.rp_filter``"
 
-#: ../../configuration/firewall/general.rst:150
-#: ../../configuration/firewall/general-legacy.rst:101
+#: ../../configuration/firewall/global-options.rst:87
 msgid "``net.ipv4.conf.all.send_redirects``"
 msgstr "``net.ipv4.conf.all.send_redirects``"
 
-#: ../../configuration/firewall/general.rst:124
-#: ../../configuration/firewall/general-legacy.rst:76
+#: ../../configuration/firewall/global-options.rst:61
 msgid "``net.ipv4.icmp_echo_ignore_broadcasts``"
 msgstr "``net.ipv4.icmp_echo_ignore_broadcasts``"
 
-#: ../../configuration/firewall/general.rst:180
-#: ../../configuration/firewall/general-legacy.rst:129
+#: ../../configuration/firewall/global-options.rst:117
 msgid "``net.ipv4.tcp_rfc1337``"
 msgstr "``net.ipv4.tcp_rfc1337``"
 
-#: ../../configuration/firewall/general.rst:172
-#: ../../configuration/firewall/general-legacy.rst:122
+#: ../../configuration/firewall/global-options.rst:109
 msgid "``net.ipv4.tcp_syncookies``"
 msgstr "``net.ipv4.tcp_syncookies``"
 
-#: ../../configuration/firewall/general.rst:143
-#: ../../configuration/firewall/general-legacy.rst:94
+#: ../../configuration/firewall/global-options.rst:80
 msgid "``net.ipv6.conf.all.accept_redirects``"
 msgstr "``net.ipv6.conf.all.accept_redirects``"
 
-#: ../../configuration/firewall/general.rst:133
-#: ../../configuration/firewall/general-legacy.rst:85
+#: ../../configuration/firewall/global-options.rst:70
 msgid "``net.ipv6.conf.all.accept_source_route``"
 msgstr "``net.ipv6.conf.all.accept_source_route``"
 
-#: ../../configuration/policy/route-map.rst:362
+#: ../../configuration/policy/route-map.rst:364
 msgid "``no-advertise`` -                 Well-known communities value NO_ADVERTISE 0xFFFFFF02"
 msgstr "``no-advertise`` -                 Well-known communities value NO_ADVERTISE 0xFFFFFF02"
 
-#: ../../configuration/policy/route-map.rst:363
+#: ../../configuration/policy/route-map.rst:365
 msgid "``no-export`` -                    Well-known communities value NO_EXPORT 0xFFFFFF01"
 msgstr "``no-export`` -                    Well-known communities value NO_EXPORT 0xFFFFFF01"
 
-#: ../../configuration/policy/route-map.rst:372
+#: ../../configuration/policy/route-map.rst:374
 msgid "``no-llgr`` -                      Well-known communities value NO_LLGR 0xFFFF0007"
 msgstr "``no-llgr`` -                      Well-known communities value NO_LLGR 0xFFFF0007"
 
-#: ../../configuration/policy/route-map.rst:375
+#: ../../configuration/policy/route-map.rst:377
 msgid "``no-peer`` -                      Well-known communities value NOPEER 0xFFFFFF04"
 msgstr "``no-peer`` -                      Well-known communities value NOPEER 0xFFFFFF04"
 
@@ -19740,7 +18875,9 @@ msgstr "``protocol`` - define the protocol for match traffic, which should be en
 msgid "``psk`` - Preshared secret key name:"
 msgstr "``psk`` - Preshared secret key name:"
 
-#: ../../configuration/firewall/general.rst:345
+#: ../../configuration/firewall/bridge.rst:83
+#: ../../configuration/firewall/ipv4.rst:101
+#: ../../configuration/firewall/ipv6.rst:101
 msgid "``queue``: Enqueue packet to userspace."
 msgstr "``queue``: Enqueue packet to userspace."
 
@@ -19748,7 +18885,8 @@ msgstr "``queue``: Enqueue packet to userspace."
 msgid "``rate``: Number of packets. Default 5."
 msgstr "``rate``: Number of packets. Default 5."
 
-#: ../../configuration/firewall/general.rst:338
+#: ../../configuration/firewall/ipv4.rst:94
+#: ../../configuration/firewall/ipv6.rst:94
 msgid "``reject``: reject the packet."
 msgstr "``reject``: reject the packet."
 
@@ -19781,7 +18919,9 @@ msgstr "``respond`` - does not try to initiate a connection to a remote peer. In
 msgid "``restart`` set action to restart;"
 msgstr "``restart`` set action to restart;"
 
-#: ../../configuration/firewall/general.rst:342
+#: ../../configuration/firewall/bridge.rst:80
+#: ../../configuration/firewall/ipv4.rst:98
+#: ../../configuration/firewall/ipv6.rst:98
 msgid "``return``: Return from the current chain and continue at the next rule of the last chain."
 msgstr "``return``: Return from the current chain and continue at the next rule of the last chain."
 
@@ -19801,19 +18941,19 @@ msgstr "``round-robin`` - Round-robin policy: Transmit packets in sequential ord
 msgid "``round-robin`` Distributes requests in a circular manner, sequentially sending each request to the next server in line"
 msgstr "``round-robin`` Distributes requests in a circular manner, sequentially sending each request to the next server in line"
 
-#: ../../configuration/policy/route-map.rst:367
+#: ../../configuration/policy/route-map.rst:369
 msgid "``route-filter-translated-v4`` -   Well-known communities value ROUTE_FILTER_TRANSLATED_v4 0xFFFF0002"
 msgstr "``route-filter-translated-v4`` -   Well-known communities value ROUTE_FILTER_TRANSLATED_v4 0xFFFF0002"
 
-#: ../../configuration/policy/route-map.rst:369
+#: ../../configuration/policy/route-map.rst:371
 msgid "``route-filter-translated-v6`` -   Well-known communities value ROUTE_FILTER_TRANSLATED_v6 0xFFFF0004"
 msgstr "``route-filter-translated-v6`` -   Well-known communities value ROUTE_FILTER_TRANSLATED_v6 0xFFFF0004"
 
-#: ../../configuration/policy/route-map.rst:368
+#: ../../configuration/policy/route-map.rst:370
 msgid "``route-filter-v4`` -              Well-known communities value ROUTE_FILTER_v4 0xFFFF0003"
 msgstr "``route-filter-v4`` -              Well-known communities value ROUTE_FILTER_v4 0xFFFF0003"
 
-#: ../../configuration/policy/route-map.rst:370
+#: ../../configuration/policy/route-map.rst:372
 msgid "``route-filter-v6`` -              Well-known communities value ROUTE_FILTER_v6 0xFFFF0005"
 msgstr "``route-filter-v6`` -              Well-known communities value ROUTE_FILTER_v6 0xFFFF0005"
 
@@ -19829,6 +18969,31 @@ msgstr "``rsa`` - use simple shared RSA key. The key must be defined in the ``se
 msgid "``secret`` - predefined shared secret. Used if configured mode ``pre-shared-secret``;"
 msgstr "``secret`` - predefined shared secret. Used if configured mode ``pre-shared-secret``;"
 
+#: ../../configuration/firewall/index.rst:90
+msgid "``set firewall bridge forward filter ...``."
+msgstr "``set firewall bridge forward filter ...``."
+
+#: ../../configuration/firewall/index.rst:61
+msgid "``set firewall ipv4 forward filter ...``."
+msgstr "``set firewall ipv4 forward filter ...``."
+
+#: ../../configuration/firewall/index.rst:54
+#: ../../configuration/firewall/index.rst:72
+msgid "``set firewall ipv4 input filter ...``."
+msgstr "``set firewall ipv4 input filter ...``."
+
+#: ../../configuration/firewall/index.rst:63
+msgid "``set firewall ipv6 forward filter ...``."
+msgstr "``set firewall ipv6 forward filter ...``."
+
+#: ../../configuration/firewall/index.rst:56
+msgid "``set firewall ipv6 input filter ...``."
+msgstr "``set firewall ipv6 input filter ...``."
+
+#: ../../configuration/firewall/index.rst:74
+msgid "``set firewall ipv6 output filter ...``."
+msgstr "``set firewall ipv6 output filter ...``."
+
 #: ../../configuration/interfaces/wireless.rst:238
 msgid "``single-user-beamformee`` - Support for operation as single user beamformee"
 msgstr "``single-user-beamformee`` - Support for operation as single user beamformee"
@@ -19877,7 +19042,8 @@ msgstr "``static`` - Statically configured routes"
 msgid "``station`` - Connects to another access point"
 msgstr "``station`` - Connects to another access point"
 
-#: ../../configuration/firewall/general.rst:347
+#: ../../configuration/firewall/ipv4.rst:103
+#: ../../configuration/firewall/ipv6.rst:103
 msgid "``synproxy``: synproxy the packet."
 msgstr "``synproxy``: synproxy the packet."
 
@@ -19961,10 +19127,18 @@ msgstr "``type``: Specify the type of test. type can be ping, ttl or a user defi
 msgid "``use-x509-id`` - use local ID from x509 certificate. Cannot be used when ``id`` is defined;"
 msgstr "``use-x509-id`` - use local ID from x509 certificate. Cannot be used when ``id`` is defined;"
 
+#: ../../configuration/vpn/site2site_ipsec.rst:152
+msgid "``virtual-address`` - Defines a virtual IP address which is requested by the initiator and one or several IPv4 and/or IPv6 addresses are assigned from multiple pools by the responder."
+msgstr "``virtual-address`` - Defines a virtual IP address which is requested by the initiator and one or several IPv4 and/or IPv6 addresses are assigned from multiple pools by the responder."
+
 #: ../../configuration/vpn/ipsec.rst:168
 msgid "``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all."
 msgstr "``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all."
 
+#: ../../configuration/vpn/ipsec.rst:168
+msgid "``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy."
+msgstr "``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy."
+
 #: ../../configuration/policy/route-map.rst:175
 msgid "``vnc`` - Virtual Network Control (VNC)"
 msgstr "``vnc`` - Virtual Network Control (VNC)"
@@ -19993,7 +19167,7 @@ msgstr "``yes`` enable remote host re-authentication during an IKE rekey;"
 msgid "`source-address` and `source-interface` can not be used at the same time."
 msgstr "`source-address` and `source-interface` can not be used at the same time."
 
-#: ../../configuration/protocols/rpki.rst:16
+#: ../../configuration/protocols/rpki.rst:12
 msgid "`tweet by EvilMog`_, 2020-02-21"
 msgstr "`tweet by EvilMog`_, 2020-02-21"
 
@@ -20005,8 +19179,8 @@ msgstr "a bandwidth test over the VPN got these results:"
 msgid "a blank indicates that no test has been carried out"
 msgstr "a blank indicates that no test has been carried out"
 
-#: ../../configuration/nat/nat44.rst:728
-#: ../../configuration/nat/nat44.rst:733
+#: ../../configuration/nat/nat44.rst:750
+#: ../../configuration/nat/nat44.rst:755
 msgid "aes256 Encryption"
 msgstr "aes256 Encryption"
 
@@ -20020,7 +19194,7 @@ msgstr "alert"
 msgid "all"
 msgstr "all"
 
-#: ../../configuration/vrf/index.rst:426
+#: ../../configuration/vrf/index.rst:428
 msgid "an RD / RTLIST"
 msgstr "an RD / RTLIST"
 
@@ -20052,27 +19226,31 @@ msgstr "auto - interface duplex setting is auto-negotiated"
 msgid "auto - interface speed is auto-negotiated"
 msgstr "auto - interface speed is auto-negotiated"
 
+#: ../../configuration/system/frr.rst:32
+msgid "bgpd"
+msgstr "bgpd"
+
 #: ../../configuration/service/router-advert.rst:13
 msgid "bonding"
 msgstr "bonding"
 
-#: ../../configuration/service/dhcp-server.rst:338
+#: ../../configuration/service/dhcp-server.rst:305
 msgid "boot-size"
 msgstr "boot-size"
 
-#: ../../configuration/service/dhcp-server.rst:331
+#: ../../configuration/service/dhcp-server.rst:298
 msgid "bootfile-name"
 msgstr "bootfile-name"
 
-#: ../../configuration/service/dhcp-server.rst:333
+#: ../../configuration/service/dhcp-server.rst:300
 msgid "bootfile-name, filename"
 msgstr "bootfile-name, filename"
 
-#: ../../configuration/service/dhcp-server.rst:321
+#: ../../configuration/service/dhcp-server.rst:288
 msgid "bootfile-server"
 msgstr "bootfile-server"
 
-#: ../../configuration/service/dhcp-server.rst:336
+#: ../../configuration/service/dhcp-server.rst:303
 msgid "bootfile-size"
 msgstr "bootfile-size"
 
@@ -20080,7 +19258,7 @@ msgstr "bootfile-size"
 msgid "bridge"
 msgstr "bridge"
 
-#: ../../configuration/service/dhcp-server.rst:269
+#: ../../configuration/service/dhcp-server.rst:236
 msgid "client-prefix-length"
 msgstr "client-prefix-length"
 
@@ -20112,11 +19290,11 @@ msgstr "daemon"
 msgid "ddclient_ has another way to determine the WAN IP address. This is controlled by:"
 msgstr "ddclient_ has another way to determine the WAN IP address. This is controlled by:"
 
-#: ../../configuration/service/dns.rst:205
+#: ../../configuration/service/dns.rst:218
 msgid "ddclient_ uses two methods to update a DNS record. The first one will send updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second one involves a third party service, like DynDNS.com or any other similar website. This method uses HTTP requests to transmit the new IP address. You can configure both in VyOS."
 msgstr "ddclient_ uses two methods to update a DNS record. The first one will send updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second one involves a third party service, like DynDNS.com or any other similar website. This method uses HTTP requests to transmit the new IP address. You can configure both in VyOS."
 
-#: ../../configuration/service/dns.rst:400
+#: ../../configuration/service/dns.rst:413
 msgid "ddclient_ will skip any address located before the string set in `<pattern>`."
 msgstr "ddclient_ will skip any address located before the string set in `<pattern>`."
 
@@ -20128,7 +19306,7 @@ msgstr "debug"
 msgid "decrement-lifetime"
 msgstr "decrement-lifetime"
 
-#: ../../configuration/service/dhcp-server.rst:368
+#: ../../configuration/service/dhcp-server.rst:335
 msgid "default-lease-time, max-lease-time"
 msgstr "default-lease-time, max-lease-time"
 
@@ -20140,7 +19318,7 @@ msgstr "default-lifetime"
 msgid "default-preference"
 msgstr "default-preference"
 
-#: ../../configuration/service/dhcp-server.rst:281
+#: ../../configuration/service/dhcp-server.rst:248
 msgid "default-router"
 msgstr "default-router"
 
@@ -20156,7 +19334,7 @@ msgstr "deprecate-prefix"
 msgid "destination-hashing"
 msgstr "destination-hashing"
 
-#: ../../configuration/service/dhcp-server.rst:318
+#: ../../configuration/service/dhcp-server.rst:285
 msgid "dhcp-server-identifier"
 msgstr "dhcp-server-identifier"
 
@@ -20168,28 +19346,9 @@ msgstr "direct"
 msgid "directory"
 msgstr "directory"
 
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
 #: ../../configuration/interfaces/pppoe.rst:241
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
 #: ../../configuration/interfaces/sstp-client.rst:113
 #: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
-#: ../../_include/interface-ip.txt:190
 msgid "disable: No source validation"
 msgstr "disable: No source validation"
 
@@ -20197,17 +19356,17 @@ msgstr "disable: No source validation"
 msgid "dnssl"
 msgstr "dnssl"
 
-#: ../../configuration/service/dhcp-server.rst:296
-#: ../../configuration/service/dhcp-server.rst:298
+#: ../../configuration/service/dhcp-server.rst:263
+#: ../../configuration/service/dhcp-server.rst:265
 msgid "domain-name"
 msgstr "domain-name"
 
-#: ../../configuration/service/dhcp-server.rst:293
+#: ../../configuration/service/dhcp-server.rst:260
 msgid "domain-name-servers"
 msgstr "domain-name-servers"
 
-#: ../../configuration/service/dhcp-server.rst:351
-#: ../../configuration/service/dhcp-server.rst:353
+#: ../../configuration/service/dhcp-server.rst:318
+#: ../../configuration/service/dhcp-server.rst:320
 msgid "domain-search"
 msgstr "domain-search"
 
@@ -20215,7 +19374,7 @@ msgstr "domain-search"
 msgid "emerg"
 msgstr "emerg"
 
-#: ../../configuration/firewall/general.rst:147
+#: ../../configuration/firewall/global-options.rst:84
 msgid "enable or disable ICMPv4 redirect messages send by VyOS The following system parameter will be altered:"
 msgstr "enable or disable ICMPv4 redirect messages send by VyOS The following system parameter will be altered:"
 
@@ -20223,13 +19382,11 @@ msgstr "enable or disable ICMPv4 redirect messages send by VyOS The following sy
 msgid "enable or disable  ICMPv4 redirect messages send by VyOS The following system parameter will be altered:"
 msgstr "enable or disable  ICMPv4 redirect messages send by VyOS The following system parameter will be altered:"
 
-#: ../../configuration/firewall/general.rst:139
-#: ../../configuration/firewall/general-legacy.rst:90
+#: ../../configuration/firewall/global-options.rst:76
 msgid "enable or disable of ICMPv4 or ICMPv6 redirect messages accepted by VyOS. The following system parameter will be altered:"
 msgstr "enable or disable of ICMPv4 or ICMPv6 redirect messages accepted by VyOS. The following system parameter will be altered:"
 
-#: ../../configuration/firewall/general.rst:154
-#: ../../configuration/firewall/general-legacy.rst:105
+#: ../../configuration/firewall/global-options.rst:91
 msgid "enable or disable the logging of martian IPv4 packets. The following system parameter will be altered:"
 msgstr "enable or disable the logging of martian IPv4 packets. The following system parameter will be altered:"
 
@@ -20245,11 +19402,11 @@ msgstr "ethernet"
 msgid "exact-match: exact match of the network prefixes."
 msgstr "exact-match: exact match of the network prefixes."
 
-#: ../../configuration/service/dhcp-server.rst:376
+#: ../../configuration/service/dhcp-server.rst:343
 msgid "exclude"
 msgstr "exclude"
 
-#: ../../configuration/service/dhcp-server.rst:381
+#: ../../configuration/service/dhcp-server.rst:348
 msgid "failover"
 msgstr "failover"
 
@@ -20318,11 +19475,15 @@ msgstr "invalid"
 msgid "inverse-match: network/netmask to match (requires network be defined)."
 msgstr "inverse-match: network/netmask to match (requires network be defined)."
 
-#: ../../configuration/service/dhcp-server.rst:301
-#: ../../configuration/service/dhcp-server.rst:303
+#: ../../configuration/service/dhcp-server.rst:268
+#: ../../configuration/service/dhcp-server.rst:270
 msgid "ip-forwarding"
 msgstr "ip-forwarding"
 
+#: ../../configuration/system/frr.rst:33
+msgid "isisd"
+msgstr "isisd"
+
 #: ../../configuration/interfaces/ethernet.rst:90
 msgid "it can be used with any NIC,"
 msgstr "it can be used with any NIC,"
@@ -20339,7 +19500,11 @@ msgstr "kern"
 msgid "l2tpv3"
 msgstr "l2tpv3"
 
-#: ../../configuration/service/dhcp-server.rst:366
+#: ../../configuration/system/frr.rst:34
+msgid "ldpd"
+msgstr "ldpd"
+
+#: ../../configuration/service/dhcp-server.rst:333
 msgid "lease"
 msgstr "lease"
 
@@ -20347,19 +19512,19 @@ msgstr "lease"
 msgid "least-connection"
 msgstr "least-connection"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:271
+#: ../../configuration/vpn/site2site_ipsec.rst:275
 msgid "left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device"
 msgstr "left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:163
+#: ../../configuration/vpn/site2site_ipsec.rst:167
 msgid "left local_ip: `198.51.100.3` # server side WAN IP"
 msgstr "left local_ip: `198.51.100.3` # server side WAN IP"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:272
+#: ../../configuration/vpn/site2site_ipsec.rst:276
 msgid "left public_ip:172.18.201.10"
 msgstr "left public_ip:172.18.201.10"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:161
+#: ../../configuration/vpn/site2site_ipsec.rst:165
 msgid "left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually there is no client or server roles)"
 msgstr "left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually there is no client or server roles)"
 
@@ -20439,28 +19604,9 @@ msgstr "logalert"
 msgid "logaudit"
 msgstr "logaudit"
 
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
 #: ../../configuration/interfaces/pppoe.rst:237
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
 #: ../../configuration/interfaces/sstp-client.rst:109
 #: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
-#: ../../_include/interface-ip.txt:186
 msgid "loose: Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail."
 msgstr "loose: Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail."
 
@@ -20472,7 +19618,15 @@ msgstr "lpr"
 msgid "mDNS Repeater"
 msgstr "mDNS Repeater"
 
-#: ../../configuration/service/mdns.rst:28
+#: ../../configuration/service/mdns.rst:38
+msgid "mDNS repeater can be configured to re-broadcast only specific services. By default, all services are re-broadcasted."
+msgstr "mDNS repeater can be configured to re-broadcast only specific services. By default, all services are re-broadcasted."
+
+#: ../../configuration/service/mdns.rst:33
+msgid "mDNS repeater can be enabled either on IPv4 socket or on IPv6 socket or both to re-broadcast. By default, mDNS repeater will listen on both IPv4 and IPv6."
+msgstr "mDNS repeater can be enabled either on IPv4 socket or on IPv6 socket or both to re-broadcast. By default, mDNS repeater will listen on both IPv4 and IPv6."
+
+#: ../../configuration/service/mdns.rst:29
 msgid "mDNS repeater can be temporarily disabled without deleting the service using"
 msgstr "mDNS repeater can be temporarily disabled without deleting the service using"
 
@@ -20512,12 +19666,12 @@ msgstr "more information related IGP  - :ref:`routing-isis`"
 msgid "more information related IGP  - :ref:`routing-ospf`"
 msgstr "more information related IGP  - :ref:`routing-ospf`"
 
-#: ../../configuration/service/dhcp-server.rst:291
+#: ../../configuration/service/dhcp-server.rst:258
 #: ../../configuration/service/router-advert.rst:1
 msgid "name-server"
 msgstr "name-server"
 
-#: ../../configuration/service/dhcp-server.rst:313
+#: ../../configuration/service/dhcp-server.rst:280
 msgid "netbios-name-servers"
 msgstr "netbios-name-servers"
 
@@ -20533,7 +19687,7 @@ msgstr "network: network/netmask to match (requires inverse-match be defined) BU
 msgid "news"
 msgstr "news"
 
-#: ../../configuration/service/dhcp-server.rst:323
+#: ../../configuration/service/dhcp-server.rst:290
 msgid "next-server"
 msgstr "next-server"
 
@@ -20557,11 +19711,11 @@ msgstr "notice"
 msgid "ntp"
 msgstr "ntp"
 
-#: ../../configuration/service/dhcp-server.rst:306
+#: ../../configuration/service/dhcp-server.rst:273
 msgid "ntp-server"
 msgstr "ntp-server"
 
-#: ../../configuration/service/dhcp-server.rst:308
+#: ../../configuration/service/dhcp-server.rst:275
 msgid "ntp-servers"
 msgstr "ntp-servers"
 
@@ -20573,6 +19727,14 @@ msgstr "one rule with a LAN (inbound-interface) and the WAN (interface)."
 msgid "openvpn"
 msgstr "openvpn"
 
+#: ../../configuration/system/frr.rst:35
+msgid "ospf6d"
+msgstr "ospf6d"
+
+#: ../../configuration/system/frr.rst:36
+msgid "ospfd"
+msgstr "ospfd"
+
 #: ../../configuration/protocols/ospf.rst:207
 msgid "ospfd supports Opaque LSA :rfc:`2370` as partial support for MPLS Traffic Engineering LSAs. The opaque-lsa capability must be enabled in the configuration."
 msgstr "ospfd supports Opaque LSA :rfc:`2370` as partial support for MPLS Traffic Engineering LSAs. The opaque-lsa capability must be enabled in the configuration."
@@ -20601,8 +19763,8 @@ msgstr "policy extcommunity-list"
 msgid "policy large-community-list"
 msgstr "policy large-community-list"
 
-#: ../../configuration/service/dhcp-server.rst:346
-#: ../../configuration/service/dhcp-server.rst:348
+#: ../../configuration/service/dhcp-server.rst:313
+#: ../../configuration/service/dhcp-server.rst:315
 msgid "pop-server"
 msgstr "pop-server"
 
@@ -20619,8 +19781,8 @@ msgstr "prefix-list, distribute-list"
 msgid "pseudo-ethernet"
 msgstr "pseudo-ethernet"
 
-#: ../../configuration/service/dhcp-server.rst:371
-#: ../../configuration/service/dhcp-server.rst:373
+#: ../../configuration/service/dhcp-server.rst:338
+#: ../../configuration/service/dhcp-server.rst:340
 msgid "range"
 msgstr "range"
 
@@ -20636,7 +19798,7 @@ msgstr "reset commands"
 msgid "retrans-timer"
 msgstr "retrans-timer"
 
-#: ../../configuration/service/dhcp-server.rst:358
+#: ../../configuration/service/dhcp-server.rst:325
 msgid "rfc3442-static-route, windows-static-route"
 msgstr "rfc3442-static-route, windows-static-route"
 
@@ -20644,18 +19806,22 @@ msgstr "rfc3442-static-route, windows-static-route"
 msgid "rfc3768-compatibility"
 msgstr "rfc3768-compatibility"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:273
+#: ../../configuration/vpn/site2site_ipsec.rst:277
 msgid "right local_ip: 172.18.202.10 # right side WAN IP"
 msgstr "right local_ip: 172.18.202.10 # right side WAN IP"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:165
+#: ../../configuration/vpn/site2site_ipsec.rst:169
 msgid "right local_ip: `203.0.113.2` # remote office side WAN IP"
 msgstr "right local_ip: `203.0.113.2` # remote office side WAN IP"
 
-#: ../../configuration/vpn/site2site_ipsec.rst:164
+#: ../../configuration/vpn/site2site_ipsec.rst:168
 msgid "right subnet: `10.0.0.0/24` site2,remote office side"
 msgstr "right subnet: `10.0.0.0/24` site2,remote office side"
 
+#: ../../configuration/system/frr.rst:37
+msgid "ripd"
+msgstr "ripd"
+
 #: ../../configuration/highavailability/index.rst:349
 msgid "round-robin"
 msgstr "round-robin"
@@ -20665,7 +19831,7 @@ msgstr "round-robin"
 msgid "route-map"
 msgstr "route-map"
 
-#: ../../configuration/service/dhcp-server.rst:283
+#: ../../configuration/service/dhcp-server.rst:250
 msgid "routers"
 msgstr "routers"
 
@@ -20682,7 +19848,7 @@ msgstr "sFlow is a technology that enables monitoring of network traffic by send
 msgid "security"
 msgstr "security"
 
-#: ../../configuration/service/dhcp-server.rst:316
+#: ../../configuration/service/dhcp-server.rst:283
 msgid "server-identifier"
 msgstr "server-identifier"
 
@@ -20694,8 +19860,8 @@ msgstr "server example"
 msgid "set a destination and/or source address. Accepted input:"
 msgstr "set a destination and/or source address. Accepted input:"
 
-#: ../../configuration/nat/nat44.rst:729
-#: ../../configuration/nat/nat44.rst:734
+#: ../../configuration/nat/nat44.rst:751
+#: ../../configuration/nat/nat44.rst:756
 msgid "sha256 Hashes"
 msgstr "sha256 Hashes"
 
@@ -20703,7 +19869,7 @@ msgstr "sha256 Hashes"
 msgid "show commands"
 msgstr "show commands"
 
-#: ../../configuration/service/dhcp-server.rst:322
+#: ../../configuration/service/dhcp-server.rst:289
 msgid "siaddr"
 msgstr "siaddr"
 
@@ -20711,8 +19877,8 @@ msgstr "siaddr"
 msgid "slow: Request partner to transmit LACPDUs every 30 seconds"
 msgstr "slow: Request partner to transmit LACPDUs every 30 seconds"
 
-#: ../../configuration/service/dhcp-server.rst:341
-#: ../../configuration/service/dhcp-server.rst:343
+#: ../../configuration/service/dhcp-server.rst:308
+#: ../../configuration/service/dhcp-server.rst:310
 msgid "smtp-server"
 msgstr "smtp-server"
 
@@ -20732,40 +19898,21 @@ msgstr "spoke01-spoke04"
 msgid "spoke05"
 msgstr "spoke05"
 
-#: ../../configuration/service/dhcp-server.rst:386
+#: ../../configuration/service/dhcp-server.rst:353
 msgid "static-mapping"
 msgstr "static-mapping"
 
-#: ../../configuration/service/dhcp-server.rst:356
+#: ../../configuration/service/dhcp-server.rst:323
 msgid "static-route"
 msgstr "static-route"
 
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
 #: ../../configuration/interfaces/pppoe.rst:233
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
 #: ../../configuration/interfaces/sstp-client.rst:105
 #: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
-#: ../../_include/interface-ip.txt:182
 msgid "strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded."
 msgstr "strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded."
 
-#: ../../configuration/service/dhcp-server.rst:271
+#: ../../configuration/service/dhcp-server.rst:238
 msgid "subnet-mask"
 msgstr "subnet-mask"
 
@@ -20781,8 +19928,8 @@ msgstr "tail"
 msgid "tc_ is a powerful tool for Traffic Control found at the Linux kernel. However, its configuration is often considered a cumbersome task. Fortunately, VyOS eases the job through its CLI, while using ``tc`` as backend."
 msgstr "tc_ is a powerful tool for Traffic Control found at the Linux kernel. However, its configuration is often considered a cumbersome task. Fortunately, VyOS eases the job through its CLI, while using ``tc`` as backend."
 
-#: ../../configuration/service/dhcp-server.rst:326
-#: ../../configuration/service/dhcp-server.rst:328
+#: ../../configuration/service/dhcp-server.rst:293
+#: ../../configuration/service/dhcp-server.rst:295
 msgid "tftp-server-name"
 msgstr "tftp-server-name"
 
@@ -20791,16 +19938,16 @@ msgstr "tftp-server-name"
 msgid "this option allows to configure prefix-sid on SR. The ‘no-php-flag’ means NO Penultimate Hop Popping that allows SR node to request to its neighbor to not pop the label. The ‘explicit-null’ flag allows SR node to request to its neighbor to send IP packet with the EXPLICIT-NULL label. The ‘n-flag-clear’ option can be used to explicitly clear the Node flag that is set by default for Prefix-SIDs associated to loopback addresses. This option is necessary to configure Anycast-SIDs."
 msgstr "this option allows to configure prefix-sid on SR. The ‘no-php-flag’ means NO Penultimate Hop Popping that allows SR node to request to its neighbor to not pop the label. The ‘explicit-null’ flag allows SR node to request to its neighbor to send IP packet with the EXPLICIT-NULL label. The ‘n-flag-clear’ option can be used to explicitly clear the Node flag that is set by default for Prefix-SIDs associated to loopback addresses. This option is necessary to configure Anycast-SIDs."
 
-#: ../../configuration/service/dhcp-server.rst:275
-#: ../../configuration/service/dhcp-server.rst:277
+#: ../../configuration/service/dhcp-server.rst:242
+#: ../../configuration/service/dhcp-server.rst:244
 msgid "time-offset"
 msgstr "time-offset"
 
-#: ../../configuration/service/dhcp-server.rst:286
+#: ../../configuration/service/dhcp-server.rst:253
 msgid "time-server"
 msgstr "time-server"
 
-#: ../../configuration/service/dhcp-server.rst:288
+#: ../../configuration/service/dhcp-server.rst:255
 msgid "time-servers"
 msgstr "time-servers"
 
@@ -20861,7 +20008,7 @@ msgstr "weighted-round-robin"
 msgid "while a *byte* is written as a single **b**."
 msgstr "while a *byte* is written as a single **b**."
 
-#: ../../configuration/service/dhcp-server.rst:311
+#: ../../configuration/service/dhcp-server.rst:278
 msgid "wins-server"
 msgstr "wins-server"
 
@@ -20877,14 +20024,18 @@ msgstr "wireless"
 msgid "with :cfgcmd:`set system acceleration qat` on both systems the bandwidth increases."
 msgstr "with :cfgcmd:`set system acceleration qat` on both systems the bandwidth increases."
 
-#: ../../configuration/service/dhcp-server.rst:361
+#: ../../configuration/service/dhcp-server.rst:328
 msgid "wpad-url"
 msgstr "wpad-url"
 
-#: ../../configuration/service/dhcp-server.rst:363
+#: ../../configuration/service/dhcp-server.rst:330
 msgid "wpad-url, wpad-url code 252 = text"
 msgstr "wpad-url, wpad-url code 252 = text"
 
 #: ../../configuration/service/router-advert.rst:23
 msgid "wwan"
 msgstr "wwan"
+
+#: ../../configuration/system/frr.rst:38
+msgid "zebra"
+msgstr "zebra"
diff --git a/docs/_locale/de/contributing.pot b/docs/_locale/de/contributing.pot
index f9195a6f..5f9d0337 100644
--- a/docs/_locale/de/contributing.pot
+++ b/docs/_locale/de/contributing.pot
@@ -80,8 +80,8 @@ msgstr "Eine einzelne, kurze Zusammenfassung des Commits (empfohlen 50 Zeichen o
 msgid "Abbreviations and acronyms **must** be capitalized."
 msgstr "Abkürzungen und Akronyme **müssen** groß geschrieben werden."
 
-#: ../../contributing/build-vyos.rst:403
-#: ../../contributing/build-vyos.rst:591
+#: ../../contributing/build-vyos.rst:443
+#: ../../contributing/build-vyos.rst:631
 msgid "Accel-PPP"
 msgstr "Accel-PPP"
 
@@ -93,7 +93,7 @@ msgstr "Auch Akronyme **müssen** groß geschrieben werden, um sie optisch von n
 msgid "Add file to Git index using ``git add myfile``, or for a whole directory: ``git add somedir/*``"
 msgstr "Hinzufügen einer Datei zum Git-Index mit ``git add myfile``, oder für ein ganzes Verzeichnis: ``git add somedir/*``"
 
-#: ../../contributing/testing.rst:99
+#: ../../contributing/testing.rst:100
 msgid "Add one or more IP addresses"
 msgstr "Eine oder mehrere IP-Adressen hinzufügen"
 
@@ -101,17 +101,17 @@ msgstr "Eine oder mehrere IP-Adressen hinzufügen"
 msgid "Address"
 msgstr "Adresse"
 
-#: ../../contributing/build-vyos.rst:800
+#: ../../contributing/build-vyos.rst:840
 msgid "After a minute or two you will find the generated DEB packages next to the vyos-1x source directory:"
 msgstr "Nach ein oder zwei Minuten finden Sie die generierten DEB-Pakete neben dem vyos-1x Quellverzeichnis:"
 
-#: ../../contributing/build-vyos.rst:627
-#: ../../contributing/build-vyos.rst:656
-#: ../../contributing/build-vyos.rst:691
+#: ../../contributing/build-vyos.rst:667
+#: ../../contributing/build-vyos.rst:696
+#: ../../contributing/build-vyos.rst:731
 msgid "After compiling the packages you will find yourself the newly generated `*.deb` binaries in ``vyos-build/packages/linux-kernel`` from which you can copy them to the ``vyos-build/packages`` folder for inclusion during the ISO build."
 msgstr "Nach dem Kompilieren der Pakete finden Sie die neu erzeugten `*.deb`-Binärdateien in ``vyos-build/packages/linux-kernel``, von wo aus sie in den ``vyos-build/packages``-Ordner kopiert werden können, um sie während der ISO-Erstellung einzubinden."
 
-#: ../../contributing/testing.rst:50
+#: ../../contributing/testing.rst:51
 msgid "After its first boot into the newly installed system the main Smoketest script is executed, it can be found here: `/usr/bin/vyos-smoketest`"
 msgstr "Nach dem ersten Start des neu installierten Systems wird das Smoketest-Hauptskript ausgeführt, das hier zu finden ist: `/usr/bin/vyos-smoketest`"
 
@@ -147,23 +147,23 @@ msgstr "Verwenden Sie immer die Option ``-x`` für den Befehl ``git cherry-pick`
 msgid "Another advantage is testability of the code. Mocking the entire config subsystem is hard, while constructing an internal representation by hand is way simpler."
 msgstr "Ein weiterer Vorteil ist die Testbarkeit des Codes. Das Mocking des gesamten Konfigurations-Subsystems ist schwierig, während die Konstruktion einer internen Darstellung von Hand viel einfacher ist."
 
-#: ../../contributing/build-vyos.rst:702
+#: ../../contributing/build-vyos.rst:742
 msgid "Any \"modified\" package may refer to an altered version of e.g. vyos-1x package that you would like to test before filing a pull request on GitHub."
 msgstr "Jedes \"modifizierte\" Paket kann sich auf eine geänderte Version von z.B. des vyos-1x Pakets beziehen, das Sie testen möchten, bevor Sie einen Pull Request auf GitHub stellen."
 
-#: ../../contributing/build-vyos.rst:831
+#: ../../contributing/build-vyos.rst:871
 msgid "Any packages in the packages directory will be added to the iso during build, replacing the upstream ones. Make sure you delete them (both the source directories and built deb packages) if you want to build an iso from purely upstream packages."
 msgstr "Alle Pakete im Paketverzeichnis werden während des Builds zur iso hinzugefügt und ersetzen die Upstream-Pakete. Stellen Sie sicher, dass Sie diese löschen (sowohl die Quellverzeichnisse als auch die erstellten deb-Pakete), wenn Sie eine Iso aus reinen Upstream-Paketen erstellen wollen."
 
-#: ../../contributing/testing.rst:56
+#: ../../contributing/testing.rst:57
 msgid "As Smoketests will alter the system configuration and you are logged in remote you may loose your connection to the system."
 msgstr "Da Smoketests die Systemkonfiguration ändern und Sie aus der Ferne eingeloggt sind, kann es sein, dass Sie die Verbindung zum System verlieren."
 
-#: ../../contributing/testing.rst:12
+#: ../../contributing/testing.rst:13
 msgid "As the VyOS documentation is not only for users but also for the developers - and we keep no secret documentation - this section describes how the automated testing works."
 msgstr "Da die VyOS-Dokumentation nicht nur für die Benutzer, sondern auch für die Entwickler gedacht ist - und wir keine geheime Dokumentation führen - wird in diesem Abschnitt beschrieben, wie das automatische Testen funktioniert."
 
-#: ../../contributing/build-vyos.rst:777
+#: ../../contributing/build-vyos.rst:817
 msgid "Assume we want to build the vyos-1x package on our own and modify it to our needs. We first need to clone the repository from GitHub."
 msgstr "Nehmen wir an, wir wollen das vyos-1x Paket selbst erstellen und es an unsere Bedürfnisse anpassen. Zuerst müssen wir das Repository von GitHub klonen."
 
@@ -215,15 +215,15 @@ msgstr "Startzeitpunkt"
 msgid "Bug Report/Issue"
 msgstr "Fehlerbericht/Ereignis"
 
-#: ../../contributing/build-vyos.rst:785
+#: ../../contributing/build-vyos.rst:825
 msgid "Build"
 msgstr "Erstellen"
 
-#: ../../contributing/build-vyos.rst:60
+#: ../../contributing/build-vyos.rst:122
 msgid "Build Container"
 msgstr "Container bauen"
 
-#: ../../contributing/build-vyos.rst:182
+#: ../../contributing/build-vyos.rst:215
 msgid "Build ISO"
 msgstr "ISO erstellen"
 
@@ -231,31 +231,31 @@ msgstr "ISO erstellen"
 msgid "Build VyOS"
 msgstr "VyOS erstellen"
 
-#: ../../contributing/build-vyos.rst:85
+#: ../../contributing/build-vyos.rst:147
 msgid "Build from source"
 msgstr "Aus dem Quellcode erstellen"
 
-#: ../../contributing/build-vyos.rst:582
+#: ../../contributing/build-vyos.rst:622
 msgid "Building Out-Of-Tree Modules"
 msgstr "Erstellen von Out-Of-Tree-Modulen"
 
-#: ../../contributing/build-vyos.rst:435
+#: ../../contributing/build-vyos.rst:475
 msgid "Building The Kernel"
 msgstr "Den Kernel bauen"
 
-#: ../../contributing/build-vyos.rst:246
+#: ../../contributing/build-vyos.rst:286
 msgid "Building VyOS on Windows WSL2 with Docker integrated into WSL2 will work like a charm. No problems are known so far!"
 msgstr "Die Erstellung von VyOS auf Windows WSL2 mit Docker, das in WSL2 integriert ist, funktioniert problemlos. Bislang sind keine Probleme bekannt!"
 
-#: ../../contributing/build-vyos.rst:705
+#: ../../contributing/build-vyos.rst:745
 msgid "Building an ISO with any customized package is in no way different than building a regular (customized or not) ISO image. Simply place your modified `*.deb` package inside the `packages` folder within `vyos-build`. The build process will then pickup your custom package and integrate it into your ISO."
 msgstr "Die Erstellung eines ISO-Images mit einem angepassten Paket unterscheidet sich in keiner Weise von der Erstellung eines regulären ISO-Images (angepasst oder nicht). Legen Sie einfach Ihr modifiziertes `*.deb`-Paket in den Ordner `packages` innerhalb von `vyos-build`. Der Build-Prozess wird dann Ihr angepasstes Paket aufnehmen und in Ihr ISO integrieren."
 
-#: ../../contributing/build-vyos.rst:584
+#: ../../contributing/build-vyos.rst:624
 msgid "Building the kernel is one part, but now you also need to build the required out-of-tree modules so everything is lined up and the ABIs match. To do so, you can again take a look at ``vyos-build/packages/linux-kernel/Jenkinsfile`` to see all of the required modules and their selected versions. We will show you how to build all the current required modules."
 msgstr "Den Kernel zu bauen ist ein Teil, aber jetzt müssen Sie auch die benötigten Out-of-Tree-Module bauen, damit alles zusammenpasst und die ABIs übereinstimmen. Um dies zu tun, können Sie wieder einen Blick auf ``vyos-build/packages/linux-kernel/Jenkinsfile`` werfen, um alle benötigten Module und ihre ausgewählten Versionen zu sehen. Wir werden Ihnen zeigen, wie Sie alle aktuell benötigten Module bauen können."
 
-#: ../../contributing/build-vyos.rst:475
+#: ../../contributing/build-vyos.rst:515
 msgid "Building the kernel will take some time depending on the speed and quantity of your CPU/cores and disk speed. Expect 20 minutes (or even longer) on lower end hardware."
 msgstr "Die Erstellung des Kernels wird einige Zeit in Anspruch nehmen, abhängig von der Geschwindigkeit und Anzahl Ihrer CPU/Kerne und der Festplattengeschwindigkeit. Rechnen Sie mit 20 Minuten (oder sogar länger) auf weniger leistungsfähiger Hardware."
 
@@ -275,7 +275,7 @@ msgstr "C++ Backend-Code"
 msgid "Capitalization and punctuation"
 msgstr "Großschreibung und Zeichensetzung"
 
-#: ../../contributing/build-vyos.rst:448
+#: ../../contributing/build-vyos.rst:488
 msgid "Check out the required kernel version - see ``vyos-build/data/defaults.json`` file (example uses kernel 4.19.146):"
 msgstr "Überprüfen Sie die benötigte Kernelversion - siehe ``vyos-build/data/defaults.json`` Datei (das Beispiel verwendet Kernel 4.19.146):"
 
@@ -283,7 +283,7 @@ msgstr "Überprüfen Sie die benötigte Kernelversion - siehe ``vyos-build/data/
 msgid "Clone: ``git clone https://github.com/<user>/vyos-1x.git``"
 msgstr "Klonen: ``git clone https://github.com/<user>/vyos-1x.git``"
 
-#: ../../contributing/build-vyos.rst:441
+#: ../../contributing/build-vyos.rst:481
 msgid "Clone the kernel source to `vyos-build/packages/linux-kernel/`:"
 msgstr "Klonen Sie den Kernel-Quellcode nach `vyos-build/packages/linux-kernel/`:"
 
@@ -299,7 +299,7 @@ msgstr "Befehlsdefinitionen sind rein deklarativ und können keine Logik enthalt
 msgid "Commit the changes by calling ``git commit``. Please use a meaningful commit headline (read above) and don't forget to reference the Phabricator_ ID."
 msgstr "Übertragen Sie die Änderungen durch den Aufruf von ``git commit``. Bitte verwenden Sie eine aussagekräftige Commit-Überschrift (siehe oben) und vergessen Sie nicht, die Phabricator_ ID anzugeben."
 
-#: ../../contributing/testing.rst:151
+#: ../../contributing/testing.rst:152
 msgid "Config Load Tests"
 msgstr "Last Tests der Konfiguration"
 
@@ -323,11 +323,11 @@ msgstr "Ziehen Sie die documentation_ zu Rate, um sicherzustellen, dass Sie Ihr
 msgid "Continuous Integration"
 msgstr "Continuous Integration"
 
-#: ../../contributing/build-vyos.rst:255
+#: ../../contributing/build-vyos.rst:295
 msgid "Customize"
 msgstr "Anpassen"
 
-#: ../../contributing/testing.rst:100
+#: ../../contributing/testing.rst:101
 msgid "DHCP client and DHCPv6 prefix delegation"
 msgstr "DHCP-Client und DHCPv6-Präfix-Delegation"
 
@@ -335,19 +335,31 @@ msgstr "DHCP-Client und DHCPv6-Präfix-Delegation"
 msgid "DMVPN patches are added by this commit: https://github.com/vyos/vyos-strongswan/commit/1cf12b0f2f921bfc51affa3b81226"
 msgstr "DMVPN-Patches werden durch diesen Commit hinzugefügt: https://github.com/vyos/vyos-strongswan/commit/1cf12b0f2f921bfc51affa3b81226"
 
-#: ../../contributing/build-vyos.rst:713
+#: ../../contributing/build-vyos.rst:753
 msgid "Debian APT is not very verbose when it comes to errors. If your ISO build breaks for whatever reason and you suspect it's a problem with APT dependencies or installation you can add this small patch which increases the APT verbosity during ISO build."
 msgstr "Debian APT ist nicht sehr ausführlich, wenn es um Fehler geht. Wenn Ihre ISO-Erstellung aus irgendeinem Grund fehlschlägt und Sie vermuten, dass es ein Problem mit APT-Abhängigkeiten oder der Installation ist, können Sie diesen kleinen Patch hinzufügen, der die Ausführlichkeit von APT während der ISO-Erstellung erhöht."
 
+#: ../../contributing/build-vyos.rst:42
+msgid "Debian Bookworm for VyOS 1.4 (sagitta)"
+msgstr "Debian Bookworm for VyOS 1.4 (sagitta)"
+
+#: ../../contributing/build-vyos.rst:43
+msgid "Debian Bookworm for the upcoming VyOS 1.5/circinus/current (subject to change) - aka the rolling release"
+msgstr "Debian Bookworm for the upcoming VyOS 1.5/circinus/current (subject to change) - aka the rolling release"
+
 #: ../../contributing/build-vyos.rst:154
 msgid "Debian Bullseye for VyOS 1.4 (sagitta, current) - aka the rolling release"
 msgstr "Debian Bullseye für VyOS 1.4 (sagitta, current) - auch bekannt als rolling release"
 
-#: ../../contributing/build-vyos.rst:153
+#: ../../contributing/build-vyos.rst:154
+msgid "Debian Bullseye for VyOS 1.4 (sagitta)"
+msgstr "Debian Bullseye for VyOS 1.4 (sagitta)"
+
+#: ../../contributing/build-vyos.rst:41
 msgid "Debian Buster for VyOS 1.3 (equuleus)"
 msgstr "Debian Buster für VyOS 1.3 (equuleus)"
 
-#: ../../contributing/build-vyos.rst:152
+#: ../../contributing/build-vyos.rst:40
 msgid "Debian Jessie for VyOS 1.2 (crux)"
 msgstr "Debian Jessie für VyOS 1.2 (Kernstück)"
 
@@ -379,15 +391,15 @@ msgstr "Entwicklung"
 msgid "Do not add angle brackets around the format, they will be inserted automatically"
 msgstr "Fügen Sie keine spitzen Klammern um das Format hinzu, sie werden automatisch eingefügt."
 
-#: ../../contributing/build-vyos.rst:33
+#: ../../contributing/build-vyos.rst:83
 msgid "Docker"
 msgstr "Docker"
 
-#: ../../contributing/build-vyos.rst:73
+#: ../../contributing/build-vyos.rst:135
 msgid "Dockerhub"
 msgstr "Dockerhub"
 
-#: ../../contributing/build-vyos.rst:50
+#: ../../contributing/build-vyos.rst:112
 msgid "Doing so grants privileges equivalent to the ``root`` user! It is recommended to remove the non-root user from the ``docker`` group after building the VyOS ISO. See also `Docker as non-root`_."
 msgstr "Dadurch erhält er die gleichen Rechte wie der Benutzer ``root``! Es wird empfohlen, den Nicht-Root-Benutzer aus der ``docker``-Gruppe zu entfernen, nachdem das VyOS-ISO erstellt wurde. Siehe auch `Docker als non-root`_."
 
@@ -395,6 +407,10 @@ msgstr "Dadurch erhält er die gleichen Rechte wie der Benutzer ``root``! Es wir
 msgid "Due to issues in the upstream version that sometimes set interfaces down, a modified version is used."
 msgstr "Aufgrund von Problemen in der Upstream-Version, die manchmal zum Ausfall von Schnittstellen führten, wird eine modifizierte Version verwendet."
 
+#: ../../contributing/build-vyos.rst:87
+msgid "Due to the updated version of Docker, the following examples may become invalid."
+msgstr "Due to the updated version of Docker, the following examples may become invalid."
+
 #: ../../contributing/debugging.rst:172
 msgid "During the migration and extensive rewrite of functionality from Perl into Python a significant increase in the overall system boottime was noticed. The system boot time can be analysed and a graph can be generated in the end which shows in detail who called whom during the system startup phase."
 msgstr "Während der Migration und des umfangreichen Umschreibens von Funktionalität von Perl nach Python wurde eine deutliche Erhöhung der gesamten Systemstartzeit festgestellt. Die Systemstartzeit kann analysiert werden, und am Ende kann ein Diagramm erstellt werden, das im Detail zeigt, wer wen während der Systemstartphase aufgerufen hat."
@@ -403,7 +419,7 @@ msgstr "Während der Migration und des umfangreichen Umschreibens von Funktional
 msgid "Each module is build on demand if a new commit on the branch in question is found. After a successful run the resulting Debian Package(s) will be deployed to our Debian repository which is used during build time. It is located here: http://dev.packages.vyos.net/repositories/."
 msgstr "Jedes Modul wird bei Bedarf gebaut, wenn ein neuer Commit für den betreffenden Zweig gefunden wird. Nach einem erfolgreichen Lauf werden die resultierenden Debian-Pakete in unserem Debian-Repository bereitgestellt, das während der Build-Zeit verwendet wird. Es befindet sich hier: http://dev.packages.vyos.net/repositories/."
 
-#: ../../contributing/build-vyos.rst:407
+#: ../../contributing/build-vyos.rst:447
 msgid "Each of those modules holds a dependency on the kernel version and if you are lucky enough to receive an ISO build error which sounds like:"
 msgstr "Jedes dieser Module ist von der Kernel-Version abhängig, und wenn Sie das Glück haben, einen ISO-Build-Fehler zu erhalten, der sich wie folgt anhört:"
 
@@ -420,7 +436,7 @@ msgid "Every change set must be consistent (self containing)! Do not fix multipl
 msgstr "Jeder Änderungssatz muss konsistent (in sich geschlossen) sein! Beheben Sie nicht mehrere Fehler in einem einzigen Commit. Wenn Sie bereits an mehreren Fehlerkorrekturen in derselben Datei gearbeitet haben, verwenden Sie `git add --patch`, um nur die Teile, die sich auf das eine Problem beziehen, in Ihren nächsten Commit aufzunehmen."
 
 #: ../../contributing/development.rst:412
-#: ../../contributing/testing.rst:65
+#: ../../contributing/testing.rst:66
 msgid "Example:"
 msgstr "Beispiel:"
 
@@ -453,11 +469,11 @@ msgstr "FRR"
 msgid "Feature Request"
 msgstr "Feature Anfrage"
 
-#: ../../contributing/build-vyos.rst:560
+#: ../../contributing/build-vyos.rst:600
 msgid "Firmware"
 msgstr "Firmware"
 
-#: ../../contributing/build-vyos.rst:593
+#: ../../contributing/build-vyos.rst:633
 msgid "First, clone the source code and check out the appropriate version by running:"
 msgstr "Klonen Sie zunächst den Quellcode und auschecken Sie die entsprechende Version aus:"
 
@@ -485,7 +501,7 @@ msgstr "Zum Beispiel kann ``/tmp/vyos.ifconfig.debug`` erstellt werden, um das D
 msgid "For example running, ``export VYOS_IFCONFIG_DEBUG=\"\"`` on your vbash, will have the same effect as ``touch /tmp/vyos.ifconfig.debug``."
 msgstr "Wenn Sie zum Beispiel ``export VYOS_IFCONFIG_DEBUG=\"\"`` in Ihrer vbash ausführen, hat das den gleichen Effekt wie ``touch /tmp/vyos.ifconfig.debug``."
 
-#: ../../contributing/build-vyos.rst:170
+#: ../../contributing/build-vyos.rst:72
 msgid "For the packages required, you can refer to the ``docker/Dockerfile`` file in the repository_. The ``./build-vyos-image`` script will also warn you if any dependencies are missing."
 msgstr "Die erforderlichen Pakete finden Sie in der Datei ``docker/Dockerfile`` im repository_. Das Skript ``./build-vyos-image`` wird Sie auch warnen, wenn irgendwelche Abhängigkeiten fehlen."
 
@@ -534,7 +550,7 @@ msgstr "Gut: PPPoE, IPsec"
 msgid "Good: RADIUS (as in remote authentication for dial-in user services)"
 msgstr "Gut: RADIUS (as in remote authentication for dial-in user services)"
 
-#: ../../contributing/build-vyos.rst:244
+#: ../../contributing/build-vyos.rst:284
 msgid "Good luck!"
 msgstr "Viel Glück!"
 
@@ -562,11 +578,11 @@ msgstr "Schrecklich: \"frobnication algorithm.\""
 msgid "How can we reproduce this Bug?"
 msgstr "Wie können wir diesen Fehler reproduzieren?"
 
-#: ../../contributing/testing.rst:102
+#: ../../contributing/testing.rst:103
 msgid "IP and IPv6 options"
 msgstr "IP- und IPv6-Optionen"
 
-#: ../../contributing/build-vyos.rst:308
+#: ../../contributing/build-vyos.rst:348
 msgid "ISO Build Issues"
 msgstr "ISO Build-Probleme"
 
@@ -590,11 +606,11 @@ msgstr "Falls zutreffend, sollte ein Verweis auf einen vorhergehenden Commit gem
 msgid "If there is no Phabricator_ reference in the commits of your pull request, we have to ask you to amend the commit message. Otherwise we will have to reject it."
 msgstr "Wenn in den Commits Ihres Pull-Requests keine Phabricator_ Referenz vorhanden ist, müssen wir Sie bitten, die Commit-Nachricht zu ändern. Andernfalls müssen wir sie ablehnen."
 
-#: ../../contributing/build-vyos.rst:699
+#: ../../contributing/build-vyos.rst:739
 msgid "If you are brave enough to build yourself an ISO image containing any modified package from our GitHub organisation - this is the place to be."
 msgstr "Wenn Sie mutig genug sind, sich ein ISO-Image zu erstellen, das ein beliebiges modifiziertes Paket aus unserer GitHub-Organisation enthält, sind Sie hier genau richtig."
 
-#: ../../contributing/build-vyos.rst:562
+#: ../../contributing/build-vyos.rst:602
 msgid "If you upgrade your kernel or include new drivers you may need new firmware. Build a new ``vyos-linux-firmware`` package with the included helper scripts."
 msgstr "Wenn Sie Ihren Kernel aktualisieren oder neue Treiber einbinden, benötigen Sie möglicherweise eine neue Firmware. Erstellen Sie ein neues ``vyos-linux-firmware`` Paket mit den enthaltenen Hilfsskripten."
 
@@ -622,7 +638,7 @@ msgstr "In order to retrieve the debug output on the command-line you need to di
 msgid "In some contexts, the first line is treated as the subject of an email and the rest of the text as the body. The blank line separating the summary from the body is critical (unless you omit the body entirely); tools like rebase can get confused if you run the two together."
 msgstr "In some contexts, the first line is treated as the subject of an email and the rest of the text as the body. The blank line separating the summary from the body is critical (unless you omit the body entirely); tools like rebase can get confused if you run the two together."
 
-#: ../../contributing/build-vyos.rst:554
+#: ../../contributing/build-vyos.rst:594
 msgid "In the end you will be presented with the kernel binary packages which you can then use in your custom ISO build process, by placing all the `*.deb` files in the vyos-build/packages folder where they will be used automatically when building VyOS as documented above."
 msgstr "In the end you will be presented with the kernel binary packages which you can then use in your custom ISO build process, by placing all the `*.deb` files in the vyos-build/packages folder where they will be used automatically when building VyOS as documented above."
 
@@ -638,7 +654,7 @@ msgstr "Ausgabe einbeziehen"
 msgid "Insert the following statement right before the section where you want to investigate a problem (e.g. a statement you see in a backtrace): ``import pdb; pdb.set_trace()`` Optionally you can surrounded this statement by an ``if`` which only triggers under the condition you are interested in."
 msgstr "Insert the following statement right before the section where you want to investigate a problem (e.g. a statement you see in a backtrace): ``import pdb; pdb.set_trace()`` Optionally you can surrounded this statement by an ``if`` which only triggers under the condition you are interested in."
 
-#: ../../contributing/build-vyos.rst:810
+#: ../../contributing/build-vyos.rst:850
 msgid "Install"
 msgstr "Installieren"
 
@@ -646,7 +662,7 @@ msgstr "Installieren"
 msgid "Install https://pypi.org/project/stdeb/"
 msgstr "Install https://pypi.org/project/stdeb/"
 
-#: ../../contributing/build-vyos.rst:35
+#: ../../contributing/build-vyos.rst:85
 msgid "Installing Docker_ and prerequisites:"
 msgstr "Installing Docker_ and prerequisites:"
 
@@ -654,23 +670,23 @@ msgstr "Installing Docker_ and prerequisites:"
 msgid "Instead of supplying all those XML nodes multiple times there are now include files with predefined features. Brief overview:"
 msgstr "Instead of supplying all those XML nodes multiple times there are now include files with predefined features. Brief overview:"
 
-#: ../../contributing/build-vyos.rst:632
+#: ../../contributing/build-vyos.rst:672
 msgid "Intel NIC"
 msgstr "Intel NIC"
 
-#: ../../contributing/build-vyos.rst:404
+#: ../../contributing/build-vyos.rst:444
 msgid "Intel NIC drivers"
 msgstr "Intel NIC drivers"
 
-#: ../../contributing/build-vyos.rst:661
+#: ../../contributing/build-vyos.rst:701
 msgid "Intel QAT"
 msgstr "Intel QAT"
 
-#: ../../contributing/build-vyos.rst:405
+#: ../../contributing/build-vyos.rst:445
 msgid "Inter QAT"
 msgstr "Inter QAT"
 
-#: ../../contributing/testing.rst:90
+#: ../../contributing/testing.rst:91
 msgid "Interface based tests"
 msgstr "Interface based tests"
 
@@ -690,11 +706,11 @@ msgstr "It's an Ada program and requires GNAT and gprbuild for building, depende
 msgid "It is also possible to set up the debugging using environment variables. In that case, the name will be (in uppercase) VYOS_FEATURE_DEBUG."
 msgstr "It is also possible to set up the debugging using environment variables. In that case, the name will be (in uppercase) VYOS_FEATURE_DEBUG."
 
-#: ../../contributing/testing.rst:17
+#: ../../contributing/testing.rst:18
 msgid "Jenkins CI"
 msgstr "Jenkins CI"
 
-#: ../../contributing/build-vyos.rst:816
+#: ../../contributing/build-vyos.rst:856
 msgid "Just install using the following commands:"
 msgstr "Just install using the following commands:"
 
@@ -710,7 +726,7 @@ msgstr "Keepalived normally isn't updated to newer feature releases between Debi
 msgid "Kernel"
 msgstr "Kernel"
 
-#: ../../contributing/build-vyos.rst:787
+#: ../../contributing/build-vyos.rst:827
 msgid "Launch Docker container and build package"
 msgstr "Launch Docker container and build package"
 
@@ -734,7 +750,7 @@ msgstr "Like any other project we have some small guidelines about our source co
 msgid "Limits:"
 msgstr "Limits:"
 
-#: ../../contributing/build-vyos.rst:390
+#: ../../contributing/build-vyos.rst:430
 msgid "Linux Kernel"
 msgstr "Linux Kernel"
 
@@ -742,7 +758,7 @@ msgstr "Linux Kernel"
 msgid "Live System"
 msgstr "Live System"
 
-#: ../../contributing/testing.rst:101
+#: ../../contributing/testing.rst:102
 msgid "MTU size"
 msgstr "MTU size"
 
@@ -750,11 +766,11 @@ msgstr "MTU size"
 msgid "Make your changes and save them. Do the following for all changes files to record them in your created Git commit:"
 msgstr "Make your changes and save them. Do the following for all changes files to record them in your created Git commit:"
 
-#: ../../contributing/testing.rst:60
+#: ../../contributing/testing.rst:61
 msgid "Manual Smoketest Run"
 msgstr "Manual Smoketest Run"
 
-#: ../../contributing/testing.rst:168
+#: ../../contributing/testing.rst:169
 msgid "Manual config load test"
 msgstr "Manual config load test"
 
@@ -770,7 +786,7 @@ msgstr "Migrating old CLI"
 msgid "Move default values to scripts"
 msgstr "Move default values to scripts"
 
-#: ../../contributing/build-vyos.rst:147
+#: ../../contributing/build-vyos.rst:35
 msgid "Native Build"
 msgstr "Native Build"
 
@@ -807,23 +823,23 @@ msgstr "None"
 msgid "Notes"
 msgstr "Notes"
 
-#: ../../contributing/build-vyos.rst:199
+#: ../../contributing/build-vyos.rst:236
 msgid "Now a fresh build of the VyOS ISO can begin. Change directory to the ``vyos-build`` directory and run:"
 msgstr "Now a fresh build of the VyOS ISO can begin. Change directory to the ``vyos-build`` directory and run:"
 
-#: ../../contributing/build-vyos.rst:184
+#: ../../contributing/build-vyos.rst:217
 msgid "Now as you are aware of the prerequisites we can continue and build our own ISO from source. For this we have to fetch the latest source code from GitHub. Please note as this will differ for both `current` and `crux`."
 msgstr "Now as you are aware of the prerequisites we can continue and build our own ISO from source. For this we have to fetch the latest source code from GitHub. Please note as this will differ for both `current` and `crux`."
 
-#: ../../contributing/build-vyos.rst:384
+#: ../../contributing/build-vyos.rst:424
 msgid "Now it's time to fix the package mirror and rerun the last step until the package installation succeeds again!"
 msgstr "Now it's time to fix the package mirror and rerun the last step until the package installation succeeds again!"
 
-#: ../../contributing/build-vyos.rst:469
+#: ../../contributing/build-vyos.rst:509
 msgid "Now we can use the helper script ``build-kernel.sh`` which does all the necessary voodoo by applying required patches from the `vyos-build/packages/linux-kernel/patches` folder, copying our kernel configuration ``x86_64_vyos_defconfig`` to the right location, and finally building the Debian packages."
 msgstr "Now we can use the helper script ``build-kernel.sh`` which does all the necessary voodoo by applying required patches from the `vyos-build/packages/linux-kernel/patches` folder, copying our kernel configuration ``x86_64_vyos_defconfig`` to the right location, and finally building the Debian packages."
 
-#: ../../contributing/build-vyos.rst:133
+#: ../../contributing/build-vyos.rst:199
 msgid "Now you are prepared with two new aliases ``vybld`` and ``vybld_crux`` to spawn your development containers in your current working directory."
 msgstr "Now you are prepared with two new aliases ``vybld`` and ``vybld_crux`` to spawn your development containers in your current working directory."
 
@@ -831,7 +847,7 @@ msgstr "Now you are prepared with two new aliases ``vybld`` and ``vybld_crux`` t
 msgid "Old concept/syntax"
 msgstr "Old concept/syntax"
 
-#: ../../contributing/testing.rst:62
+#: ../../contributing/testing.rst:63
 msgid "On the other hand - as each test is contain in its own file - one can always execute a single Smoketest by hand by simply running the Python test scripts."
 msgstr "On the other hand - as each test is contain in its own file - one can always execute a single Smoketest by hand by simply running the Python test scripts."
 
@@ -843,7 +859,7 @@ msgstr "Once you have the required dependencies installed, you may proceed with
 msgid "Once you run ``show xyz`` and your condition is triggered you should be dropped into the python debugger:"
 msgstr "Once you run ``show xyz`` and your condition is triggered you should be dropped into the python debugger:"
 
-#: ../../contributing/testing.rst:170
+#: ../../contributing/testing.rst:171
 msgid "One is not bound to load all configurations one after another but can also load individual test configurations on his own."
 msgstr "One is not bound to load all configurations one after another but can also load individual test configurations on his own."
 
@@ -851,6 +867,10 @@ msgstr "One is not bound to load all configurations one after another but can al
 msgid "One of the major advantages introduced in VyOS 1.3 is an autmated test framework. When assembling an ISO image multiple things can go wrong badly and publishing a faulty ISO makes no sense. The user is disappointed by the quality of the image and the developers get flodded with bug reports over and over again."
 msgstr "One of the major advantages introduced in VyOS 1.3 is an autmated test framework. When assembling an ISO image multiple things can go wrong badly and publishing a faulty ISO makes no sense. The user is disappointed by the quality of the image and the developers get flodded with bug reports over and over again."
 
+#: ../../contributing/testing.rst:7
+msgid "One of the major advantages introduced in VyOS 1.3 is an automated test framework. When assembling an ISO image multiple things can go wrong badly and publishing a faulty ISO makes no sense. The user is disappointed by the quality of the image and the developers get flodded with bug reports over and over again."
+msgstr "One of the major advantages introduced in VyOS 1.3 is an automated test framework. When assembling an ISO image multiple things can go wrong badly and publishing a faulty ISO makes no sense. The user is disappointed by the quality of the image and the developers get flodded with bug reports over and over again."
+
 #: ../../contributing/development.rst:665
 msgid "Only applicable to leaf nodes"
 msgstr "Only applicable to leaf nodes"
@@ -863,7 +883,7 @@ msgstr "Other packages (e.g. vyos-1x) add dependencies to the ISO build procedur
 msgid "Our StrongSWAN build differs from the upstream:"
 msgstr "Our StrongSWAN build differs from the upstream:"
 
-#: ../../contributing/testing.rst:19
+#: ../../contributing/testing.rst:20
 msgid "Our `VyOS CI`_ system is based on Jenkins and builds all our required packages for VyOS 1.2 to 1.4. In addition to the package build, there is the vyos-build Job which builds and tests the VyOS ISO image which is published after a successfull test drive."
 msgstr "Our `VyOS CI`_ system is based on Jenkins and builds all our required packages for VyOS 1.2 to 1.4. In addition to the package build, there is the vyos-build Job which builds and tests the VyOS ISO image which is published after a successfull test drive."
 
@@ -875,12 +895,12 @@ msgstr "Our code is split into several modules. VyOS is composed of multiple ind
 msgid "Our op mode scripts use the python-vici module, which is not included in Debian's build, and isn't quite easy to integrate in that build. For this reason we debianize that module by hand now, using this procedure:"
 msgstr "Our op mode scripts use the python-vici module, which is not included in Debian's build, and isn't quite easy to integrate in that build. For this reason we debianize that module by hand now, using this procedure:"
 
-#: ../../contributing/testing.rst:92
+#: ../../contributing/testing.rst:93
 msgid "Our smoketests not only test daemons and serives, but also check if what we configure for an interface works. Thus there is a common base classed named: ``base_interfaces_test.py`` which holds all the common code that an interface supports and is tested."
 msgstr "Our smoketests not only test daemons and serives, but also check if what we configure for an interface works. Thus there is a common base classed named: ``base_interfaces_test.py`` which holds all the common code that an interface supports and is tested."
 
-#: ../../contributing/build-vyos.rst:697
-#: ../../contributing/build-vyos.rst:766
+#: ../../contributing/build-vyos.rst:737
+#: ../../contributing/build-vyos.rst:806
 msgid "Packages"
 msgstr "Packages"
 
@@ -904,11 +924,11 @@ msgstr "Please submit your patches using the well-known GitHub pull-request agai
 msgid "Please use the following template as good starting point when developing new modules or even rewrite a whole bunch of code in the new style XML/Pyhon interface."
 msgstr "Please use the following template as good starting point when developing new modules or even rewrite a whole bunch of code in the new style XML/Pyhon interface."
 
-#: ../../contributing/testing.rst:103
+#: ../../contributing/testing.rst:104
 msgid "Port description"
 msgstr "Port description"
 
-#: ../../contributing/testing.rst:104
+#: ../../contributing/testing.rst:105
 msgid "Port disable"
 msgstr "Port disable"
 
@@ -952,7 +972,7 @@ msgstr "Python 3 **shall** be used. How long can we keep Python 2 alive anyway?
 msgid "Python (or any other language, for that matter) does not provide automatic protection from bad design, so we need to also devise design guidelines and follow them to keep the system extensible and maintainable."
 msgstr "Python (or any other language, for that matter) does not provide automatic protection from bad design, so we need to also devise design guidelines and follow them to keep the system extensible and maintainable."
 
-#: ../../contributing/build-vyos.rst:745
+#: ../../contributing/build-vyos.rst:785
 msgid "QEMU"
 msgstr "QEMU"
 
@@ -968,16 +988,16 @@ msgstr "Recent versions use the ``vyos.frr`` framework. The Python class is loca
 msgid "Report a Bug"
 msgstr "Report a Bug"
 
-#: ../../contributing/build-vyos.rst:747
+#: ../../contributing/build-vyos.rst:787
 msgid "Run the following command after building the ISO image."
 msgstr "Run the following command after building the ISO image."
 
-#: ../../contributing/build-vyos.rst:756
+#: ../../contributing/build-vyos.rst:796
 msgid "Run the following command after building the QEMU image."
 msgstr "Run the following command after building the QEMU image."
 
-#: ../../contributing/build-vyos.rst:637
-#: ../../contributing/build-vyos.rst:666
+#: ../../contributing/build-vyos.rst:677
+#: ../../contributing/build-vyos.rst:706
 msgid "Simply use our wrapper script to build all of the driver modules."
 msgstr "Simply use our wrapper script to build all of the driver modules."
 
@@ -985,19 +1005,19 @@ msgstr "Simply use our wrapper script to build all of the driver modules."
 msgid "Since VyOS has switched to Debian (11) Bullseye in its ``current`` branch, you will require individual container for `current`, `equuleus` and `crux` builds."
 msgstr "Since VyOS has switched to Debian (11) Bullseye in its ``current`` branch, you will require individual container for `current`, `equuleus` and `crux` builds."
 
-#: ../../contributing/testing.rst:29
+#: ../../contributing/testing.rst:30
 msgid "Smoketests"
 msgstr "Smoketests"
 
-#: ../../contributing/testing.rst:31
+#: ../../contributing/testing.rst:32
 msgid "Smoketests executes predefined VyOS CLI commands and checks if the desired daemon/service configuration is rendert - that is how to put it \"short\"."
 msgstr "Smoketests executes predefined VyOS CLI commands and checks if the desired daemon/service configuration is rendert - that is how to put it \"short\"."
 
-#: ../../contributing/testing.rst:44
+#: ../../contributing/testing.rst:45
 msgid "So if you plan to build your own custom ISO image and wan't to make use of our smoketests, ensure that you have the `vyos-1x-smoketest` package installed."
 msgstr "So if you plan to build your own custom ISO image and wan't to make use of our smoketests, ensure that you have the `vyos-1x-smoketest` package installed."
 
-#: ../../contributing/build-vyos.rst:136
+#: ../../contributing/build-vyos.rst:202
 msgid "Some VyOS packages (namely vyos-1x) come with build-time tests which verify some of the internal library calls that they work as expected. Those tests are carried out through the Python Unittest module. If you want to build the ``vyos-1x`` package (which is our main development package) you need to start your Docker container using the following argument: ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will fail."
 msgstr "Some VyOS packages (namely vyos-1x) come with build-time tests which verify some of the internal library calls that they work as expected. Those tests are carried out through the Python Unittest module. If you want to build the ``vyos-1x`` package (which is our main development package) you need to start your Docker container using the following argument: ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will fail."
 
@@ -1005,7 +1025,7 @@ msgstr "Some VyOS packages (namely vyos-1x) come with build-time tests which ver
 msgid "Some abbreviations are traditionally written in mixed case. Generally, if it contains words \"over\" or \"version\", the letter **should** be lowercase. If there's an accepted spelling (especially if defined by an RFC or another standard), it **must** be followed."
 msgstr "Some abbreviations are traditionally written in mixed case. Generally, if it contains words \"over\" or \"version\", the letter **should** be lowercase. If there's an accepted spelling (especially if defined by an RFC or another standard), it **must** be followed."
 
-#: ../../contributing/testing.rst:201
+#: ../../contributing/testing.rst:202
 msgid "Some of the configurations have preconditions which need to be met. Those most likely include generation of crypographic keys before the config can be applied - you will get a commit error otherwise. If you are interested how those preconditions are fulfilled check the vyos-build_ repository and the ``scripts/check-qemu-install`` file."
 msgstr "Some of the configurations have preconditions which need to be met. Those most likely include generation of crypographic keys before the config can be applied - you will get a commit error otherwise. If you are interested how those preconditions are fulfilled check the vyos-build_ repository and the ``scripts/check-qemu-install`` file."
 
@@ -1013,7 +1033,7 @@ msgstr "Some of the configurations have preconditions which need to be met. Thos
 msgid "Sometimes it might be useful to debug Python code interactively on the live system rather than a IDE. This can be achieved using pdb."
 msgstr "Sometimes it might be useful to debug Python code interactively on the live system rather than a IDE. This can be achieved using pdb."
 
-#: ../../contributing/build-vyos.rst:229
+#: ../../contributing/build-vyos.rst:269
 msgid "Start the build:"
 msgstr "Start the build:"
 
@@ -1057,15 +1077,15 @@ msgstr "Text generation"
 msgid "The CLI parser used in VyOS is a mix of bash, bash-completion helper and the C++ backend library [vyatta-cfg](https://github.com/vyos/vyatta-cfg). This section is a reference of common CLI commands and the respective entry point in the C/C++ code."
 msgstr "The CLI parser used in VyOS is a mix of bash, bash-completion helper and the C++ backend library [vyatta-cfg](https://github.com/vyos/vyatta-cfg). This section is a reference of common CLI commands and the respective entry point in the C/C++ code."
 
-#: ../../contributing/build-vyos.rst:634
+#: ../../contributing/build-vyos.rst:674
 msgid "The Intel NIC drivers do not come from a Git repository, instead we just fetch the tarballs from our mirror and compile them."
 msgstr "The Intel NIC drivers do not come from a Git repository, instead we just fetch the tarballs from our mirror and compile them."
 
-#: ../../contributing/build-vyos.rst:662
+#: ../../contributing/build-vyos.rst:702
 msgid "The Intel QAT (Quick Assist Technology) drivers do not come from a Git repository, instead we just fetch the tarballs from 01.org, Intel's open-source website."
 msgstr "The Intel QAT (Quick Assist Technology) drivers do not come from a Git repository, instead we just fetch the tarballs from 01.org, Intel's open-source website."
 
-#: ../../contributing/build-vyos.rst:392
+#: ../../contributing/build-vyos.rst:432
 msgid "The Linux kernel used by VyOS is heavily tied to the ISO build process. The file ``data/defaults.json`` hosts a JSON definition of the kernel version used ``kernel_version`` and the ``kernel_flavor`` of the kernel which represents the kernel's LOCAL_VERSION. Both together form the kernel version variable in the system:"
 msgstr "The Linux kernel used by VyOS is heavily tied to the ISO build process. The file ``data/defaults.json`` hosts a JSON definition of the kernel version used ``kernel_version`` and the ``kernel_flavor`` of the kernel which represents the kernel's LOCAL_VERSION. Both together form the kernel version variable in the system:"
 
@@ -1089,7 +1109,7 @@ msgstr "The ``generate()`` function generates config files for system components
 msgid "The ``get_config()`` function must convert the VyOS config to an abstract, internal representation. No other function is allowed to call the ``vyos.config. Config`` object method directly. The rationale for it is that when config reads are mixed with other logic, it's very hard to change the config syntax since you need to weed out every occurrence of the old syntax. If syntax-specific code is confined to a single function, the rest of the code can be left untouched as long as the internal representation remains compatible."
 msgstr "The ``get_config()`` function must convert the VyOS config to an abstract, internal representation. No other function is allowed to call the ``vyos.config. Config`` object method directly. The rationale for it is that when config reads are mixed with other logic, it's very hard to change the config syntax since you need to weed out every occurrence of the old syntax. If syntax-specific code is confined to a single function, the rest of the code can be left untouched as long as the internal representation remains compatible."
 
-#: ../../contributing/testing.rst:47
+#: ../../contributing/testing.rst:48
 msgid "The ``make test`` command from the vyos-build_ repository will launch a new QEmu instance and the ISO image is first installed to the virtual harddisk."
 msgstr "The ``make test`` command from the vyos-build_ repository will launch a new QEmu instance and the ISO image is first installed to the virtual harddisk."
 
@@ -1101,19 +1121,19 @@ msgstr "The ``verify()`` function takes your internal representation of the conf
 msgid "The bash (or better vbash) completion in VyOS is defined in *templates*. Templates are text files (called ``node.def``) stored in a directory tree. The directory names define the command names, and template files define the command behaviour. Before VyOS 1.2 (crux) this files were created by hand. After a complex redesign process_ the new style template are automatically generated from a XML input file."
 msgstr "The bash (or better vbash) completion in VyOS is defined in *templates*. Templates are text files (called ``node.def``) stored in a directory tree. The directory names define the command names, and template files define the command behaviour. Before VyOS 1.2 (crux) this files were created by hand. After a complex redesign process_ the new style template are automatically generated from a XML input file."
 
-#: ../../contributing/build-vyos.rst:54
+#: ../../contributing/build-vyos.rst:116
 msgid "The build process needs to be built on a local file system, building on SMB or NFS shares will result in the container failing to build properly! VirtualBox Drive Share is also not an option as block device operations are not implemented and the drive is always mounted as \"nodev\""
 msgstr "The build process needs to be built on a local file system, building on SMB or NFS shares will result in the container failing to build properly! VirtualBox Drive Share is also not an option as block device operations are not implemented and the drive is always mounted as \"nodev\""
 
-#: ../../contributing/testing.rst:158
+#: ../../contributing/testing.rst:159
 msgid "The configurations are all derived from production systems and can not only act as a testcase but also as reference if one wants to enable a certain feature. The configurations can be found here: https://github.com/vyos/vyos-1x/tree/current/smoketest/configs"
 msgstr "The configurations are all derived from production systems and can not only act as a testcase but also as reference if one wants to enable a certain feature. The configurations can be found here: https://github.com/vyos/vyos-1x/tree/current/smoketest/configs"
 
-#: ../../contributing/build-vyos.rst:87
+#: ../../contributing/build-vyos.rst:149
 msgid "The container can also be built directly from source:"
 msgstr "The container can also be built directly from source:"
 
-#: ../../contributing/build-vyos.rst:62
+#: ../../contributing/build-vyos.rst:124
 msgid "The container can be built by hand or by fetching the pre-built one from DockerHub. Using the pre-built containers from the `VyOS DockerHub organisation`_ will ensure that the container is always up-to-date. A rebuild is triggered once the container changes (please note this will take 2-3 hours after pushing to the vyos-build repository)."
 msgstr "The container can be built by hand or by fetching the pre-built one from DockerHub. Using the pre-built containers from the `VyOS DockerHub organisation`_ will ensure that the container is always up-to-date. A rebuild is triggered once the container changes (please note this will take 2-3 hours after pushing to the vyos-build repository)."
 
@@ -1121,11 +1141,11 @@ msgstr "The container can be built by hand or by fetching the pre-built one from
 msgid "The default template processor for VyOS code is Jinja2_."
 msgstr "The default template processor for VyOS code is Jinja2_."
 
-#: ../../contributing/build-vyos.rst:773
+#: ../../contributing/build-vyos.rst:813
 msgid "The easiest way to compile your package is with the above mentioned :ref:`build_docker` container, it includes all required dependencies for all VyOS related packages."
 msgstr "The easiest way to compile your package is with the above mentioned :ref:`build_docker` container, it includes all required dependencies for all VyOS related packages."
 
-#: ../../contributing/testing.rst:163
+#: ../../contributing/testing.rst:164
 msgid "The entire test is controlled by the main wrapper script ``/usr/bin/vyos-configtest`` which behaves in the same way as the main smoketest script. It scans the folder for potential configuration files and issues a ``load`` command one after another."
 msgstr "The entire test is controlled by the main wrapper script ``/usr/bin/vyos-configtest`` which behaves in the same way as the main smoketest script. It scans the folder for potential configuration files and issues a ``load`` command one after another."
 
@@ -1137,6 +1157,10 @@ msgstr "The file can be placed in ``/tmp`` for one time debugging (as the file w
 msgid "The first word of every help string **must** be capitalized. There **must not** be a period at the end of help strings."
 msgstr "The first word of every help string **must** be capitalized. There **must not** be a period at the end of help strings."
 
+#: ../../contributing/build-vyos.rst:26
+msgid "The following includes the build process for VyOS 1.2 to the latest version."
+msgstr "The following includes the build process for VyOS 1.2 to the latest version."
+
 #: ../../contributing/development.rst:71
 msgid "The format should be and is inspired by: https://git-scm.com/book/ch5-2.html It is also worth reading https://chris.beams.io/posts/git-commit/"
 msgstr "The format should be and is inspired by: https://git-scm.com/book/ch5-2.html It is also worth reading https://chris.beams.io/posts/git-commit/"
@@ -1149,11 +1173,11 @@ msgstr "The great thing about schemas is not only that people can know the compl
 msgid "The information is used in three ways:"
 msgstr "The information is used in three ways:"
 
-#: ../../contributing/build-vyos.rst:437
+#: ../../contributing/build-vyos.rst:477
 msgid "The kernel build is quite easy, most of the required steps can be found in the ``vyos-build/packages/linux-kernel/Jenkinsfile`` but we will walk you through it."
 msgstr "The kernel build is quite easy, most of the required steps can be found in the ``vyos-build/packages/linux-kernel/Jenkinsfile`` but we will walk you through it."
 
-#: ../../contributing/build-vyos.rst:425
+#: ../../contributing/build-vyos.rst:465
 msgid "The most obvious reasons could be:"
 msgstr "The most obvious reasons could be:"
 
@@ -1161,7 +1185,7 @@ msgstr "The most obvious reasons could be:"
 msgid "The original repo is at https://github.com/dmbaturin/hvinfo"
 msgstr "The original repo is at https://github.com/dmbaturin/hvinfo"
 
-#: ../../contributing/testing.rst:153
+#: ../../contributing/testing.rst:154
 msgid "The other part of our tests are called \"config load tests\". The config load tests will load - one after another - arbitrary configuration files to test if the configuration migration scripts work as designed and that a given set of functionality still can be loaded with a fresh VyOS ISO image."
 msgstr "The other part of our tests are called \"config load tests\". The config load tests will load - one after another - arbitrary configuration files to test if the configuration migration scripts work as designed and that a given set of functionality still can be loaded with a fresh VyOS ISO image."
 
@@ -1181,7 +1205,7 @@ msgstr "The reason is that the configuration migration backend is rewritten and
 msgid "The repository that contains all the ISO build scripts is: https://github.com/vyos/vyos-build"
 msgstr "The repository that contains all the ISO build scripts is: https://github.com/vyos/vyos-build"
 
-#: ../../contributing/testing.rst:53
+#: ../../contributing/testing.rst:54
 msgid "The script only searches for executable \"test-cases\" under ``/usr/libexec/vyos/tests/smoke/cli/`` and executes them one by one."
 msgstr "The script only searches for executable \"test-cases\" under ``/usr/libexec/vyos/tests/smoke/cli/`` and executes them one by one."
 
@@ -1205,7 +1229,7 @@ msgstr "The switch to the Python programming language for new code is not merely
 msgid "The system startup can be debugged (like loading in the configuration file from ``/config/config.boot``. This can be achieve by extending the Kernel command-line in the bootloader."
 msgstr "The system startup can be debugged (like loading in the configuration file from ``/config/config.boot``. This can be achieve by extending the Kernel command-line in the bootloader."
 
-#: ../../contributing/build-vyos.rst:310
+#: ../../contributing/build-vyos.rst:350
 msgid "There are (rare) situations where building an ISO image is not possible at all due to a broken package feed in the background. APT is not very good at reporting the root cause of the issue. Your ISO build will likely fail with a more or less similar looking error message:"
 msgstr "There are (rare) situations where building an ISO image is not possible at all due to a broken package feed in the background. APT is not very good at reporting the root cause of the issue. Your ISO build will likely fail with a more or less similar looking error message:"
 
@@ -1221,7 +1245,7 @@ msgstr "There are extensions to e.g. VIM (xmllint) which will help you to get yo
 msgid "There are two flags available to aid in debugging configuration scripts. Since configuration loading issues will manifest during boot, the flags are passed as kernel boot parameters."
 msgstr "There are two flags available to aid in debugging configuration scripts. Since configuration loading issues will manifest during boot, the flags are passed as kernel boot parameters."
 
-#: ../../contributing/build-vyos.rst:257
+#: ../../contributing/build-vyos.rst:297
 msgid "This ISO can be customized with the following list of configure options. The full and current list can be generated with ``./build-vyos-image --help``:"
 msgstr "This ISO can be customized with the following list of configure options. The full and current list can be generated with ``./build-vyos-image --help``:"
 
@@ -1249,31 +1273,35 @@ msgstr "This package doesn't exist in Debian. A debianized fork is kept at https
 msgid "This package doesn't exist in Debian. A debianized fork is kept at https://github.com/vyos/udp-broadcast-relay"
 msgstr "This package doesn't exist in Debian. A debianized fork is kept at https://github.com/vyos/udp-broadcast-relay"
 
-#: ../../contributing/build-vyos.rst:572
+#: ../../contributing/build-vyos.rst:612
 msgid "This tries to automatically detect which blobs are needed based on which drivers were built. If it fails to find the correct files you can add them manually to ``vyos-build/packages/linux-kernel/build-linux-firmware.sh``:"
 msgstr "This tries to automatically detect which blobs are needed based on which drivers were built. If it fails to find the correct files you can add them manually to ``vyos-build/packages/linux-kernel/build-linux-firmware.sh``:"
 
-#: ../../contributing/build-vyos.rst:26
+#: ../../contributing/build-vyos.rst:76
+msgid "This will guide you through the process of building a VyOS ISO using Docker. This process has been tested on clean installs of Debian Bullseye (11) and Bookworm (12)."
+msgstr "This will guide you through the process of building a VyOS ISO using Docker. This process has been tested on clean installs of Debian Bullseye (11) and Bookworm (12)."
+
+#: ../../contributing/build-vyos.rst:28
 msgid "This will guide you through the process of building a VyOS ISO using Docker_. This process has been tested on clean installs of Debian Jessie, Stretch, and Buster."
 msgstr "This will guide you through the process of building a VyOS ISO using Docker_. This process has been tested on clean installs of Debian Jessie, Stretch, and Buster."
 
-#: ../../contributing/testing.rst:147
+#: ../../contributing/testing.rst:148
 msgid "This will limit the `bond` interface test to only make use of `eth1` and `eth2` as member ports."
 msgstr "This will limit the `bond` interface test to only make use of `eth1` and `eth2` as member ports."
 
-#: ../../contributing/testing.rst:97
+#: ../../contributing/testing.rst:98
 msgid "Those common tests consists out of:"
 msgstr "Those common tests consists out of:"
 
-#: ../../contributing/build-vyos.rst:107
+#: ../../contributing/build-vyos.rst:173
 msgid "Tips and Tricks"
 msgstr "Tips and Tricks"
 
-#: ../../contributing/build-vyos.rst:46
+#: ../../contributing/build-vyos.rst:108
 msgid "To be able to use Docker_ without ``sudo``, the current non-root user must be added to the ``docker`` group by calling: ``sudo usermod -aG docker yourusername``."
 msgstr "To be able to use Docker_ without ``sudo``, the current non-root user must be added to the ``docker`` group by calling: ``sudo usermod -aG docker yourusername``."
 
-#: ../../contributing/build-vyos.rst:149
+#: ../../contributing/build-vyos.rst:37
 msgid "To build VyOS natively you require a properly configured build host with the following Debian versions installed:"
 msgstr "To build VyOS natively you require a properly configured build host with the following Debian versions installed:"
 
@@ -1285,7 +1313,7 @@ msgstr "To build our modules we utilize a CI/CD Pipeline script. Each and every
 msgid "To debug issues in priorities or to see what's going on in the background you can use the ``/opt/vyatta/sbin/priority.pl`` script which lists to you the execution order of the scripts."
 msgstr "To debug issues in priorities or to see what's going on in the background you can use the ``/opt/vyatta/sbin/priority.pl`` script which lists to you the execution order of the scripts."
 
-#: ../../contributing/build-vyos.rst:333
+#: ../../contributing/build-vyos.rst:373
 msgid "To debug the build process and gain additional information of what could be the root cause, you need to use `chroot` to change into the build directry. This is explained in the following step by step procedure:"
 msgstr "To debug the build process and gain additional information of what could be the root cause, you need to use `chroot` to change into the build directry. This is explained in the following step by step procedure:"
 
@@ -1305,19 +1333,19 @@ msgstr "To ensure uniform look and feel, and improve readability, we should foll
 msgid "To make this approach work, every change must be associated with a task number (prefixed with **T**) and a component. If there is no bug report/feature request for the changes you are going to make, you have to create a Phabricator_ task first. Once there is an entry in Phabricator_, you should reference its id in your commit message, as shown below:"
 msgstr "To make this approach work, every change must be associated with a task number (prefixed with **T**) and a component. If there is no bug report/feature request for the changes you are going to make, you have to create a Phabricator_ task first. Once there is an entry in Phabricator_, you should reference its id in your commit message, as shown below:"
 
-#: ../../contributing/build-vyos.rst:75
+#: ../../contributing/build-vyos.rst:137
 msgid "To manually download the container from DockerHub, run:"
 msgstr "To manually download the container from DockerHub, run:"
 
-#: ../../contributing/build-vyos.rst:156
+#: ../../contributing/build-vyos.rst:46
 msgid "To start, clone the repository to your local machine:"
 msgstr "To start, clone the repository to your local machine:"
 
-#: ../../contributing/build-vyos.rst:812
+#: ../../contributing/build-vyos.rst:852
 msgid "To take your newly created package on a test drive you can simply SCP it to a running VyOS instance and install the new `*.deb` package over the current running one."
 msgstr "To take your newly created package on a test drive you can simply SCP it to a running VyOS instance and install the new `*.deb` package over the current running one."
 
-#: ../../contributing/build-vyos.rst:711
+#: ../../contributing/build-vyos.rst:751
 msgid "Troubleshooting"
 msgstr "Troubleshooting"
 
@@ -1357,11 +1385,11 @@ msgstr "Useful commands are:"
 msgid "VIF (incl. VIF-S/VIF-C)"
 msgstr "VIF (incl. VIF-S/VIF-C)"
 
-#: ../../contributing/testing.rst:105
+#: ../../contributing/testing.rst:106
 msgid "VLANs (QinQ and regular 802.1q)"
 msgstr "VLANs (QinQ and regular 802.1q)"
 
-#: ../../contributing/build-vyos.rst:754
+#: ../../contributing/build-vyos.rst:794
 msgid "VMware"
 msgstr "VMware"
 
@@ -1373,7 +1401,7 @@ msgstr "Verbs, when they are necessary, **should** be in their infinitive form."
 msgid "Verbs **should** be avoided. If a verb can be omitted, omit it."
 msgstr "Verbs **should** be avoided. If a verb can be omitted, omit it."
 
-#: ../../contributing/build-vyos.rst:742
+#: ../../contributing/build-vyos.rst:782
 msgid "Virtualization Platforms"
 msgstr "Virtualization Platforms"
 
@@ -1381,7 +1409,11 @@ msgstr "Virtualization Platforms"
 msgid "VyOS CLI is all about priorities. Every CLI node has a corresponding ``node.def`` file and possibly an attached script that is executed when the node is present. Nodes can have a priority, and on system bootup - or any other ``commit`` to the config all scripts are executed from lowest to higest priority. This is good as this gives a deterministic behavior."
 msgstr "VyOS CLI is all about priorities. Every CLI node has a corresponding ``node.def`` file and possibly an attached script that is executed when the node is present. Nodes can have a priority, and on system bootup - or any other ``commit`` to the config all scripts are executed from lowest to higest priority. This is good as this gives a deterministic behavior."
 
-#: ../../contributing/build-vyos.rst:768
+#: ../../contributing/build-vyos.rst:168
+msgid "VyOS has switched to Debian (12) Bookworm in its ``current`` branch, Due to software version updates, it is recommended to use the official Docker Hub image to build VyOS ISO."
+msgstr "VyOS has switched to Debian (12) Bookworm in its ``current`` branch, Due to software version updates, it is recommended to use the official Docker Hub image to build VyOS ISO."
+
+#: ../../contributing/build-vyos.rst:808
 msgid "VyOS itself comes with a bunch of packages that are specific to our system and thus cannot be found in any Debian mirror. Those packages can be found at the `VyOS GitHub project`_ in their source format can easily be compiled into a custom Debian (`*.deb`) package."
 msgstr "VyOS itself comes with a bunch of packages that are specific to our system and thus cannot be found in any Debian mirror. Those packages can be found at the `VyOS GitHub project`_ in their source format can easily be compiled into a custom Debian (`*.deb`) package."
 
@@ -1389,19 +1421,19 @@ msgstr "VyOS itself comes with a bunch of packages that are specific to our syst
 msgid "VyOS makes use of Jenkins_ as our Continuous Integration (CI) service. Our `VyOS CI`_ server is publicly accessible here: https://ci.vyos.net. You can get a brief overview of all required components shipped in a VyOS ISO."
 msgstr "VyOS makes use of Jenkins_ as our Continuous Integration (CI) service. Our `VyOS CI`_ server is publicly accessible here: https://ci.vyos.net. You can get a brief overview of all required components shipped in a VyOS ISO."
 
-#: ../../contributing/build-vyos.rst:600
+#: ../../contributing/build-vyos.rst:640
 msgid "We again make use of a helper script and some patches to make the build work. Just run the following command:"
 msgstr "We again make use of a helper script and some patches to make the build work. Just run the following command:"
 
-#: ../../contributing/testing.rst:24
+#: ../../contributing/testing.rst:25
 msgid "We differentiate in two independent tests, which are both run in parallel by two separate QEmu instances which are launched via ``make test`` and ``make testc`` from within the vyos-build_ repository."
 msgstr "We differentiate in two independent tests, which are both run in parallel by two separate QEmu instances which are launched via ``make test`` and ``make testc`` from within the vyos-build_ repository."
 
-#: ../../contributing/build-vyos.rst:349
+#: ../../contributing/build-vyos.rst:389
 msgid "We now are free to run any command we would like to use for debugging, e.g. re-installing the failed package after updating the repository."
 msgstr "We now are free to run any command we would like to use for debugging, e.g. re-installing the failed package after updating the repository."
 
-#: ../../contributing/build-vyos.rst:341
+#: ../../contributing/build-vyos.rst:381
 msgid "We now need to mount some required, volatile filesystems"
 msgstr "We now need to mount some required, volatile filesystems"
 
@@ -1425,7 +1457,7 @@ msgstr "What was the configuration prior to the change?"
 msgid "What were you attempting to achieve?"
 msgstr "What were you attempting to achieve?"
 
-#: ../../contributing/testing.rst:34
+#: ../../contributing/testing.rst:35
 msgid "When and ISO image is assembled by the `VyOS CI`_, the ``BUILD_SMOKETEST`` parameter is enabled by default, which will extend the ISO configuration line with the following packages:"
 msgstr "When and ISO image is assembled by the `VyOS CI`_, the ``BUILD_SMOKETEST`` parameter is enabled by default, which will extend the ISO configuration line with the following packages:"
 
@@ -1437,7 +1469,7 @@ msgstr "When having trouble compiling your own ISO image or debugging Jenkins is
 msgid "When modifying the source code, remember these rules of the legacy elimination campaign:"
 msgstr "When modifying the source code, remember these rules of the legacy elimination campaign:"
 
-#: ../../contributing/build-vyos.rst:241
+#: ../../contributing/build-vyos.rst:281
 msgid "When the build is successful, the resulting iso can be found inside the ``build`` directory as ``live-image-[architecture].hybrid.iso``."
 msgstr "When the build is successful, the resulting iso can be found inside the ``build`` directory as ``live-image-[architecture].hybrid.iso``."
 
@@ -1449,7 +1481,7 @@ msgstr "When writing a new configuration migrator it may happen that you see an
 msgid "When you are able to verify that it is actually a bug, spend some time to document how to reproduce the issue. This documentation can be invaluable."
 msgstr "When you are able to verify that it is actually a bug, spend some time to document how to reproduce the issue. This documentation can be invaluable."
 
-#: ../../contributing/testing.rst:108
+#: ../../contributing/testing.rst:109
 msgid "When you are working on interface configuration and you also wan't to test if the Smoketests pass you would normally loose the remote SSH connection to your :abbr:`DUT (Device Under Test)`. To handle this issue, some of the interface based tests can be called with an environment variable beforehand to limit the number of interfaces used in the test. By default all interface e.g. all Ethernet interfaces are used."
 msgstr "When you are working on interface configuration and you also wan't to test if the Smoketests pass you would normally loose the remote SSH connection to your :abbr:`DUT (Device Under Test)`. To handle this issue, some of the interface based tests can be called with an environment variable beforehand to limit the number of interfaces used in the test. By default all interface e.g. all Ethernet interfaces are used."
 
@@ -1490,11 +1522,11 @@ msgstr "XML interface definition files use the `xml.in` file extension which was
 msgid "XML interface definitions for VyOS come with a RelaxNG schema and are located in the vyos-1x_ module. This schema is a slightly modified schema from VyConf_ alias VyOS 2.0 So VyOS 1.2.x interface definitions will be reusable in Nextgen VyOS Versions with very minimal changes."
 msgstr "XML interface definitions for VyOS come with a RelaxNG schema and are located in the vyos-1x_ module. This schema is a slightly modified schema from VyConf_ alias VyOS 2.0 So VyOS 1.2.x interface definitions will be reusable in Nextgen VyOS Versions with very minimal changes."
 
-#: ../../contributing/build-vyos.rst:827
+#: ../../contributing/build-vyos.rst:867
 msgid "You can also place the generated `*.deb` into your ISO build environment to include it in a custom iso, see :ref:`build_custom_packages` for more information."
 msgstr "You can also place the generated `*.deb` into your ISO build environment to include it in a custom iso, see :ref:`build_custom_packages` for more information."
 
-#: ../../contributing/build-vyos.rst:109
+#: ../../contributing/build-vyos.rst:175
 msgid "You can create yourself some handy Bash aliases to always launch the latest - per release train (`current` or `crux`) - container. Add the following to your ``.bash_aliases`` file:"
 msgstr "You can create yourself some handy Bash aliases to always launch the latest - per release train (`current` or `crux`) - container. Add the following to your ``.bash_aliases`` file:"
 
@@ -1506,7 +1538,7 @@ msgstr "You can type ``help`` to get an overview of the available commands, and
 msgid "You have an idea of how to make VyOS better or you are in need of a specific feature which all users of VyOS would benefit from? To send a feature request please search Phabricator_ if there is already a request pending. You can enhance it or if you don't find one, create a new one by use the quick link in the left side under the specific project."
 msgstr "You have an idea of how to make VyOS better or you are in need of a specific feature which all users of VyOS would benefit from? To send a feature request please search Phabricator_ if there is already a request pending. You can enhance it or if you don't find one, create a new one by use the quick link in the left side under the specific project."
 
-#: ../../contributing/build-vyos.rst:430
+#: ../../contributing/build-vyos.rst:470
 msgid "You have your own custom kernel `*.deb` packages in the `packages` folder but neglected to create all required out-of tree modules like Accel-PPP, Intel QAT or Intel NIC drivers"
 msgstr "You have your own custom kernel `*.deb` packages in the `packages` folder but neglected to create all required out-of tree modules like Accel-PPP, Intel QAT or Intel NIC drivers"
 
@@ -1526,7 +1558,7 @@ msgstr "You then can proceed with cloning your fork or add a new remote to your
 msgid "Your configuration script or operation mode script which is also written in Python3 should have a line break on 80 characters. This seems to be a bit odd nowadays but as some people also work remotely or program using vi(m) this is a fair good standard which I hope we can rely on."
 msgstr "Your configuration script or operation mode script which is also written in Python3 should have a line break on 80 characters. This seems to be a bit odd nowadays but as some people also work remotely or program using vi(m) this is a fair good standard which I hope we can rely on."
 
-#: ../../contributing/testing.rst:106
+#: ../../contributing/testing.rst:107
 msgid "..."
 msgstr "..."
 
@@ -1582,7 +1614,7 @@ msgstr "``log`` - In some rare cases, it may be useful to see what the OS is doi
 msgid "``set``"
 msgstr "``set``"
 
-#: ../../contributing/build-vyos.rst:427
+#: ../../contributing/build-vyos.rst:467
 msgid "``vyos-build`` repo is outdated, please ``git pull`` to update to the latest release kernel version from us."
 msgstr "``vyos-build`` repo is outdated, please ``git pull`` to update to the latest release kernel version from us."
 
diff --git a/docs/_locale/de/index.pot b/docs/_locale/de/index.pot
index 7c2896bd..85da659d 100644
--- a/docs/_locale/de/index.pot
+++ b/docs/_locale/de/index.pot
@@ -12,23 +12,23 @@ msgstr ""
 msgid "Add missing parts or improve the :ref:`Documentation<documentation:Write Documentation>`."
 msgstr "Add missing parts or improve the :ref:`Documentation<documentation:Write Documentation>`."
 
-#: ../../index.rst:70
+#: ../../index.rst:72
 msgid "Adminguide"
 msgstr "Adminguide"
 
-#: ../../index.rst:31
+#: ../../index.rst:33
 msgid "Automate"
 msgstr "Automate"
 
-#: ../../index.rst:23
+#: ../../index.rst:25
 msgid "Configuration and Operation"
 msgstr "Configuration and Operation"
 
-#: ../../index.rst:44
+#: ../../index.rst:46
 msgid "Contribute and Community"
 msgstr "Contribute and Community"
 
-#: ../../index.rst:83
+#: ../../index.rst:85
 msgid "Development"
 msgstr "Development"
 
@@ -36,31 +36,31 @@ msgstr "Development"
 msgid "Discuss in `Slack <https://slack.vyos.io/>`_ or the `Forum <https://forum.vyos.io>`_."
 msgstr "Discuss in `Slack <https://slack.vyos.io/>`_ or the `Forum <https://forum.vyos.io>`_."
 
-#: ../../index.rst:38
+#: ../../index.rst:40
 msgid "Examples"
 msgstr "Examples"
 
-#: ../../index.rst:61
+#: ../../index.rst:63
 msgid "First Steps"
 msgstr "First Steps"
 
-#: ../../index.rst:11
+#: ../../index.rst:12
 msgid "Get / Build VyOS"
 msgstr "Get / Build VyOS"
 
-#: ../../index.rst:40
+#: ../../index.rst:42
 msgid "Get some inspiration from the :ref:`Configuration Blueprints<configexamples/index:Configuration Blueprints>` to build your infrastructure."
 msgstr "Get some inspiration from the :ref:`Configuration Blueprints<configexamples/index:Configuration Blueprints>` to build your infrastructure."
 
-#: ../../index.rst:16
+#: ../../index.rst:18
 msgid "Install VyOS"
 msgstr "Install VyOS"
 
-#: ../../index.rst:33
+#: ../../index.rst:35
 msgid "Integrate VyOS in your automation Workflow with :ref:`Ansible<vyos-ansible>`, have your own :ref:`local scripts<command-scripting>`, or configure VyOS with the :ref:`HTTPS-API<vyosapi>`."
 msgstr "Integrate VyOS in your automation Workflow with :ref:`Ansible<vyos-ansible>`, have your own :ref:`local scripts<command-scripting>`, or configure VyOS with the :ref:`HTTPS-API<vyosapi>`."
 
-#: ../../index.rst:96
+#: ../../index.rst:98
 msgid "Misc"
 msgstr "Misc"
 
@@ -68,11 +68,11 @@ msgstr "Misc"
 msgid "Or you can pick up a `Task <https://vyos.dev/>`_ and fix the :ref:`code<contributing/development:development>`."
 msgstr "Or you can pick up a `Task <https://vyos.dev/>`_ and fix the :ref:`code<contributing/development:development>`."
 
-#: ../../index.rst:13
+#: ../../index.rst:15
 msgid "Quickly :ref:`Build<contributing/build-vyos:build vyos>` your own Image or take a look at how to :ref:`download<installation/install:download>` a free or supported version."
 msgstr "Quickly :ref:`Build<contributing/build-vyos:build vyos>` your own Image or take a look at how to :ref:`download<installation/install:download>` a free or supported version."
 
-#: ../../index.rst:18
+#: ../../index.rst:20
 msgid "Read about how to install VyOS on :ref:`Bare Metal<installation/install:installation>` or in a :ref:`Virtual Environment<installation/virtual/index:running vyos in virtual environments>` and how to use an image with the usual :ref:`cloud<installation/cloud/index:running VyOS in Cloud Environments>` providers"
 msgstr "Read about how to install VyOS on :ref:`Bare Metal<installation/install:installation>` or in a :ref:`Virtual Environment<installation/virtual/index:running vyos in virtual environments>` and how to use an image with the usual :ref:`cloud<installation/cloud/index:running VyOS in Cloud Environments>` providers"
 
@@ -80,7 +80,7 @@ msgstr "Read about how to install VyOS on :ref:`Bare Metal<installation/install:
 msgid "There are many ways to contribute to the project."
 msgstr "There are many ways to contribute to the project."
 
-#: ../../index.rst:25
+#: ../../index.rst:27
 msgid "Use the :ref:`Quickstart Guide<quick-start:Quick Start>`, to have a fast overview. Or go deeper and set up :ref:`advanced routing<configuration/protocols/index:protocols>`, :ref:`VRFs<configuration/vrf/index:vrf>`, or :ref:`VPNs<configuration/vpn/index:vpn>` for example."
 msgstr "Use the :ref:`Quickstart Guide<quick-start:Quick Start>`, to have a fast overview. Or go deeper and set up :ref:`advanced routing<configuration/protocols/index:protocols>`, :ref:`VRFs<configuration/vrf/index:vrf>`, or :ref:`VPNs<configuration/vpn/index:vpn>` for example."
 
diff --git a/docs/_locale/de/installation.pot b/docs/_locale/de/installation.pot
index 55dbd7c8..6adeb7fe 100644
--- a/docs/_locale/de/installation.pot
+++ b/docs/_locale/de/installation.pot
@@ -28,7 +28,7 @@ msgstr "**Delete the VM** from the GNS3 project."
 msgid "**Early Production Access**"
 msgstr "**Early Production Access**"
 
-#: ../../installation/install.rst:538
+#: ../../installation/install.rst:541
 msgid "**First** run a web server - you can use a simple one like `Python's SimpleHTTPServer`_ and start serving the `filesystem.squashfs` file. The file can be found inside the `/live` directory of the extracted contents of the ISO file."
 msgstr "**First** run a web server - you can use a simple one like `Python's SimpleHTTPServer`_ and start serving the `filesystem.squashfs` file. The file can be found inside the `/live` directory of the extracted contents of the ISO file."
 
@@ -56,7 +56,7 @@ msgstr "**Release Candidate**"
 msgid "**Requirements**"
 msgstr "**Requirements**"
 
-#: ../../installation/install.rst:543
+#: ../../installation/install.rst:546
 msgid "**Second**, edit the configuration file of the :ref:`install_from_tftp` so that it shows the correct URL at ``fetch=http://<address_of_your_HTTP_server>/filesystem.squashfs``."
 msgstr "**Second**, edit the configuration file of the :ref:`install_from_tftp` so that it shows the correct URL at ``fetch=http://<address_of_your_HTTP_server>/filesystem.squashfs``."
 
@@ -128,37 +128,35 @@ msgstr "4 Gigabit Ethernet channels using Intel i211AT NICs"
 msgid "AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support, 32K data + 32K instruction cache per core, shared 2MB L2 cache."
 msgstr "AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support, 32K data + 32K instruction cache per core, shared 2MB L2 cache."
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "APU4 custom VyOS powder coat"
 msgstr "APU4 custom VyOS powder coat"
 
-#: ../../installation/vyos-on-baremetal.rst:None
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "APU4 desktop back"
 msgstr "APU4 desktop back"
 
-#: ../../installation/vyos-on-baremetal.rst:None
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "APU4 desktop closed"
 msgstr "APU4 desktop closed"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "APU4 rack closed"
 msgstr "APU4 rack closed"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "APU4 rack front"
 msgstr "APU4 rack front"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "APU4 rack module #1"
 msgstr "APU4 rack module #1"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "APU4 rack module #2"
 msgstr "APU4 rack module #2"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "APU4 rack module #3 with PSU"
 msgstr "APU4 rack module #3 with PSU"
 
@@ -166,7 +164,7 @@ msgstr "APU4 rack module #3 with PSU"
 msgid "A VyOS installation image (.iso file). You can find how to get it on the :ref:`installation` page"
 msgstr "A VyOS installation image (.iso file). You can find how to get it on the :ref:`installation` page"
 
-#: ../../installation/install.rst:487
+#: ../../installation/install.rst:490
 msgid "A directory named pxelinux.cfg which must contain the configuration file. We will use the configuration_ file shown below, which we named default_."
 msgstr "A directory named pxelinux.cfg which must contain the configuration file. We will use the configuration_ file shown below, which we named default_."
 
@@ -234,7 +232,7 @@ msgstr "After installation - exit from the console using the key combination ``C
 msgid "After installation has completed, remove the installation iso using the GUI or ``qm set 200 --ide2 none``."
 msgstr "After installation has completed, remove the installation iso using the GUI or ``qm set 200 --ide2 none``."
 
-#: ../../installation/update.rst:81
+#: ../../installation/update.rst:88
 msgid "After reboot you might want to verify the version you are running with the :opcmd:`show version` command."
 msgstr "After reboot you might want to verify the version you are running with the :opcmd:`show version` command."
 
@@ -262,7 +260,7 @@ msgstr "An IP address"
 msgid "An external RS232 serial port is available, internally a GPIO header as well. It does have Realtek based audio on board for some reason, but you can disable that. Booting works on both USB2 and USB3 ports. Switching between serial BIOS mode and HDMI BIOS mode depends on what is connected at startup; it goes into serial mode if you disconnect HDMI and plug in serial, in all other cases it's HDMI mode."
 msgstr "An external RS232 serial port is available, internally a GPIO header as well. It does have Realtek based audio on board for some reason, but you can disable that. Booting works on both USB2 and USB3 ports. Switching between serial BIOS mode and HDMI BIOS mode depends on what is connected at startup; it goes into serial mode if you disconnect HDMI and plug in serial, in all other cases it's HDMI mode."
 
-#: ../../installation/install.rst:551
+#: ../../installation/install.rst:554
 msgid "And **third**, restart the TFTP service. If you are using VyOS as your TFTP Server, you can restart the service with ``sudo service tftpd-hpa restart``."
 msgstr "And **third**, restart the TFTP service. If you are using VyOS as your TFTP Server, you can restart the service with ``sudo service tftpd-hpa restart``."
 
@@ -338,7 +336,7 @@ msgstr "Being again at the **Preferences** window, having **Qemu VMs** selected
 msgid "Bits per second : 9600"
 msgstr "Bits per second : 9600"
 
-#: ../../installation/install.rst:580
+#: ../../installation/install.rst:583
 msgid "Black screen on install"
 msgstr "Black screen on install"
 
@@ -358,39 +356,39 @@ msgstr "Building from source"
 msgid "CLI"
 msgstr "CLI"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "CSE-505-203B Back"
 msgstr "CSE-505-203B Back"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "CSE-505-203B Front"
 msgstr "CSE-505-203B Front"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "CSE-505-203B Open 1"
 msgstr "CSE-505-203B Open 1"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "CSE-505-203B Open 2"
 msgstr "CSE-505-203B Open 2"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "CSE-505-203B Open 3"
 msgstr "CSE-505-203B Open 3"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "CSE-505-203B w/ 10GE Open"
 msgstr "CSE-505-203B w/ 10GE Open"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "CSE-505-203B w/ 10GE Open 1"
 msgstr "CSE-505-203B w/ 10GE Open 1"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "CSE-505-203B w/ 10GE Open 2"
 msgstr "CSE-505-203B w/ 10GE Open 2"
 
-#: ../../installation/vyos-on-baremetal.rst:None
+#: ../../installation/vyos-on-baremetal.rst:-1
 msgid "CSE-505-203B w/ 10GE Open 3"
 msgstr "CSE-505-203B w/ 10GE Open 3"
 
@@ -455,7 +453,7 @@ msgstr "Click to ``Instances`` and ``Launch Instance``"
 msgid "Click to your new vm and find out your Public IP address."
 msgstr "Click to your new vm and find out your Public IP address."
 
-#: ../../installation/install.rst:562
+#: ../../installation/install.rst:565
 msgid "Client Boot"
 msgstr "Client Boot"
 
@@ -491,7 +489,7 @@ msgstr "Configure Security Group. It's recommended that you configure ssh access
 msgid "Configure a DHCP server to provide the client with:"
 msgstr "Configure a DHCP server to provide the client with:"
 
-#: ../../installation/install.rst:476
+#: ../../installation/install.rst:479
 msgid "Configure a TFTP server so that it serves the following:"
 msgstr "Configure a TFTP server so that it serves the following:"
 
@@ -525,11 +523,8 @@ msgid "Connect to the instance by SSH key."
 msgstr "Connect to the instance by SSH key."
 
 #: ../../installation/cloud/index.rst:7
-#: ../../installation/cloud/index.rst:7
-#: ../../installation/index.rst:7
 #: ../../installation/index.rst:7
 #: ../../installation/virtual/index.rst:5
-#: ../../installation/virtual/index.rst:5
 msgid "Content"
 msgstr "Content"
 
@@ -649,7 +644,7 @@ msgstr "Disable XHCI"
 msgid "Disk size"
 msgstr "Disk size"
 
-#: ../../installation/install.rst:547
+#: ../../installation/install.rst:550
 msgid "Do not change the name of the *filesystem.squashfs* file. If you are working with different versions, you can create different directories instead."
 msgstr "Do not change the name of the *filesystem.squashfs* file. If you are working with different versions, you can create different directories instead."
 
@@ -727,15 +722,10 @@ msgid "Every version is contained in its own squashfs image that is mounted in a
 msgstr "Every version is contained in its own squashfs image that is mounted in a union filesystem together with a directory for mutable data such as configurations, keys, or custom scripts."
 
 #: ../../installation/install.rst:17
-#: ../../installation/install.rst:17
-#: ../../installation/install.rst:21
 #: ../../installation/install.rst:21
 #: ../../installation/install.rst:25
-#: ../../installation/install.rst:25
-#: ../../installation/install.rst:29
 #: ../../installation/install.rst:29
 #: ../../installation/install.rst:33
-#: ../../installation/install.rst:33
 #: ../../installation/install.rst:37
 msgid "Everyone"
 msgstr "Everyone"
@@ -752,11 +742,11 @@ msgstr "Example"
 msgid "Example:"
 msgstr "Example:"
 
-#: ../../installation/install.rst:519
+#: ../../installation/install.rst:522
 msgid "Example of simple (no menu) configuration file:"
 msgstr "Example of simple (no menu) configuration file:"
 
-#: ../../installation/install.rst:499
+#: ../../installation/install.rst:502
 msgid "Example of the contents of the TFTP server:"
 msgstr "Example of the contents of the TFTP server:"
 
@@ -768,7 +758,7 @@ msgstr "Extension Modules"
 msgid "Files *pxelinux.0* and *ldlinux.c32* `from the Syslinux distribution <https://kernel.org/pub/linux/utils/boot/syslinux/>`_"
 msgstr "Files *pxelinux.0* and *ldlinux.c32* `from the Syslinux distribution <https://kernel.org/pub/linux/utils/boot/syslinux/>`_"
 
-#: ../../installation/install.rst:564
+#: ../../installation/install.rst:567
 msgid "Finally, turn on your PXE-enabled client or clients. They will automatically get an IP address from the DHCP server and start booting into VyOS live from the files automatically taken from the TFTP and HTTP servers."
 msgstr "Finally, turn on your PXE-enabled client or clients. They will automatically get an IP address from the DHCP server and start booting into VyOS live from the files automatically taken from the TFTP and HTTP servers."
 
@@ -816,7 +806,7 @@ msgstr "Future releases of VyOS will break the direct upgrade path from Vyatta c
 msgid "GPG verification"
 msgstr "GPG verification"
 
-#: ../../installation/install.rst:582
+#: ../../installation/install.rst:585
 msgid "GRUB attempts to redirect all output to a serial port for ease of installation on headless hosts. This appears to cause an hard lockup on some hardware that lacks a serial port, with the result being a black screen after selecting the `Live system` option from the installation image."
 msgstr "GRUB attempts to redirect all output to a serial port for ease of installation on headless hosts. This appears to cause an hard lockup on some hardware that lacks a serial port, with the result being a black screen after selecting the `Live system` option from the installation image."
 
@@ -964,7 +954,7 @@ msgstr "In the **General settings** tab of your **QEMU VM template configuration
 msgid "In the **Network** tab,  set **0** as the number of adapters, set the **Name format** to **eth{0}** and the **Type** to **Paravirtualized Network I/O (virtio-net-pci)**."
 msgstr "In the **Network** tab,  set **0** as the number of adapters, set the **Name format** to **eth{0}** and the **Type** to **Paravirtualized Network I/O (virtio-net-pci)**."
 
-#: ../../installation/install.rst:491
+#: ../../installation/install.rst:494
 msgid "In the example we configured our existent VyOS as the TFTP server too:"
 msgstr "In the example we configured our existent VyOS as the TFTP server too:"
 
@@ -985,7 +975,7 @@ msgstr "Installation"
 msgid "Installation and Image Management"
 msgstr "Installation and Image Management"
 
-#: ../../installation/install.rst:594
+#: ../../installation/install.rst:597
 msgid "Installation can then continue as outlined above."
 msgstr "Installation can then continue as outlined above."
 
@@ -1021,7 +1011,7 @@ msgstr "It is advised that VyOS routers are configured in a resource group with
 msgid "Its installed size (complete with libsodium) is less than that of GPG binary alone (not including libgcrypt and some other libs, which I think we only use for GPG). Since it uses elliptic curves, it gets away with much smaller keys, and it doesn't include as much metadata to begin with."
 msgstr "Its installed size (complete with libsodium) is less than that of GPG binary alone (not including libgcrypt and some other libs, which I think we only use for GPG). Since it uses elliptic curves, it gets away with much smaller keys, and it doesn't include as much metadata to begin with."
 
-#: ../../installation/install.rst:575
+#: ../../installation/install.rst:578
 msgid "Known Issues"
 msgstr "Known Issues"
 
@@ -1057,7 +1047,7 @@ msgstr "Live installation"
 msgid "Log into the VyOS live system (use the default credentials: vyos, vyos)"
 msgstr "Log into the VyOS live system (use the default credentials: vyos, vyos)"
 
-#: ../../installation/install.rst:555
+#: ../../installation/install.rst:558
 msgid "Make sure the available directories and files in both TFTP and HTTP server have the right permissions to be accessed from the booting clients."
 msgstr "Make sure the available directories and files in both TFTP and HTTP server have the right permissions to be accessed from the booting clients."
 
@@ -1138,7 +1128,7 @@ msgstr "Once ``dd`` has finished, pull the USB drive out and plug it into the po
 msgid "Once booted into the live system, type ``install image`` into the command line and follow the prompts to install VyOS to the virtual drive."
 msgstr "Once booted into the live system, type ``install image`` into the command line and follow the prompts to install VyOS to the virtual drive."
 
-#: ../../installation/install.rst:569
+#: ../../installation/install.rst:572
 msgid "Once finished you will be able to proceed with the ``install image`` command as in a regular VyOS installation."
 msgstr "Once finished you will be able to proceed with the ``install image`` command as in a regular VyOS installation."
 
@@ -1462,11 +1452,11 @@ msgstr "Stayed in this stage. This is because the KVM console is chosen as the d
 msgid "Step 1: DHCP"
 msgstr "Step 1: DHCP"
 
-#: ../../installation/install.rst:474
+#: ../../installation/install.rst:477
 msgid "Step 2: TFTP"
 msgstr "Step 2: TFTP"
 
-#: ../../installation/install.rst:531
+#: ../../installation/install.rst:534
 msgid "Step 3: HTTP"
 msgstr "Step 3: HTTP"
 
@@ -1498,11 +1488,11 @@ msgstr "The *VyOS-hda.qcow2* file now contains a working VyOS image and can be u
 msgid "The *bootfile name* (DHCP option 67), which is *pxelinux.0*"
 msgstr "The *bootfile name* (DHCP option 67), which is *pxelinux.0*"
 
-#: ../../installation/install.rst:479
+#: ../../installation/install.rst:482
 msgid "The *ldlinux.c32* file from the Syslinux distribution"
 msgstr "The *ldlinux.c32* file from the Syslinux distribution"
 
-#: ../../installation/install.rst:478
+#: ../../installation/install.rst:481
 msgid "The *pxelinux.0* file from the Syslinux distribution"
 msgstr "The *pxelinux.0* file from the Syslinux distribution"
 
@@ -1582,7 +1572,7 @@ msgstr "The image will be loaded and the last lines you will get will be:"
 msgid "The import can be verified with:"
 msgstr "The import can be verified with:"
 
-#: ../../installation/install.rst:483
+#: ../../installation/install.rst:486
 msgid "The initial ramdisk of the VyOS ISO you want to deploy. That is the *initrd.img* file inside the */live* directory of the extracted contents from the ISO file. Do not use an empty (0 bytes) initrd.img file you might find, the correct file may have a longer name."
 msgstr "The initial ramdisk of the VyOS ISO you want to deploy. That is the *initrd.img* file inside the */live* directory of the extracted contents from the ISO file. Do not use an empty (0 bytes) initrd.img file you might find, the correct file may have a longer name."
 
@@ -1590,7 +1580,7 @@ msgstr "The initial ramdisk of the VyOS ISO you want to deploy. That is the *ini
 msgid "The install on this Q355G4 box is pretty much plug and play. The port numbering the OS does might differ from the labels on the outside, but the UEFI firmware has a port blink test built in with MAC addresses so you can very quickly identify which is which. MAC labels are on the inside as well, and this test can be done from VyOS or plain Linux too. Default settings in the UEFI will make it boot, but depending on your installation wishes (i.e. storage type, boot type, console type) you might want to adjust them. This Qotom company seems to be the real OEM/ODM for many other relabelling companies like Protectli."
 msgstr "The install on this Q355G4 box is pretty much plug and play. The port numbering the OS does might differ from the labels on the outside, but the UEFI firmware has a port blink test built in with MAC addresses so you can very quickly identify which is which. MAC labels are on the inside as well, and this test can be done from VyOS or plain Linux too. Default settings in the UEFI will make it boot, but depending on your installation wishes (i.e. storage type, boot type, console type) you might want to adjust them. This Qotom company seems to be the real OEM/ODM for many other relabelling companies like Protectli."
 
-#: ../../installation/install.rst:480
+#: ../../installation/install.rst:483
 msgid "The kernel of the VyOS software you want to deploy. That is the *vmlinuz* file inside the */live* directory of the extracted contents from the ISO file."
 msgstr "The kernel of the VyOS software you want to deploy. That is the *vmlinuz* file inside the */live* directory of the extracted contents from the ISO file."
 
@@ -1598,7 +1588,7 @@ msgstr "The kernel of the VyOS software you want to deploy. That is the *vmlinuz
 msgid "The minimum system requirements are 1024 MiB RAM and 2 GiB storage. Depending on your use, you might need additional RAM and CPU resources e.g. when having multiple BGP full tables in your system."
 msgstr "The minimum system requirements are 1024 MiB RAM and 2 GiB storage. Depending on your use, you might need additional RAM and CPU resources e.g. when having multiple BGP full tables in your system."
 
-#: ../../installation/update.rst:76
+#: ../../installation/update.rst:83
 msgid "The most up-do-date Rolling Release for AMD64 can be accessed using the following URL:"
 msgstr "The most up-do-date Rolling Release for AMD64 can be accessed using the following URL:"
 
@@ -1618,7 +1608,7 @@ msgstr "The system is fully operational."
 msgid "The virt-manager application is a desktop user interface for managing virtual machines through libvirt. On the linux open :abbr:`VMM (Virtual Machine Manager)`."
 msgstr "The virt-manager application is a desktop user interface for managing virtual machines through libvirt. On the linux open :abbr:`VMM (Virtual Machine Manager)`."
 
-#: ../../installation/install.rst:587
+#: ../../installation/install.rst:590
 msgid "The workaround is to type `e` when the boot menu appears and edit the GRUB boot options.  Specifically, remove the:"
 msgstr "The workaround is to type `e` when the boot menu appears and edit the GRUB boot options.  Specifically, remove the:"
 
@@ -1663,7 +1653,7 @@ msgstr "This guide was developed using an APU4C4 board with the following specs:
 msgid "This guide will provide the necessary steps for installing and setting up VyOS on GNS3."
 msgstr "This guide will provide the necessary steps for installing and setting up VyOS on GNS3."
 
-#: ../../installation/install.rst:577
+#: ../../installation/install.rst:580
 msgid "This is a list of known issues that can arise during installation."
 msgstr "This is a list of known issues that can arise during installation."
 
@@ -1695,6 +1685,10 @@ msgstr "To turn the template into a working VyOS machine, further steps are nece
 msgid "To use Amazon CloudWatch Agent, configure it within the Amazon SSM Parameter Store. If you don't have a configuration yet, do :ref:`configuration_creation`."
 msgstr "To use Amazon CloudWatch Agent, configure it within the Amazon SSM Parameter Store. If you don't have a configuration yet, do :ref:`configuration_creation`."
 
+#: ../../installation/update.rst:81
+msgid "To use the `latest` option the \"system update-check url\" must be configured."
+msgstr "To use the `latest` option the \"system update-check url\" must be configured."
+
 #: ../../installation/install.rst:248
 msgid "To verify a VyOS image starting off with VyOS 1.3.0-rc6 you can run:"
 msgstr "To verify a VyOS image starting off with VyOS 1.3.0-rc6 you can run:"
@@ -1827,7 +1821,7 @@ msgstr "Wait until you get the outcome (bytes copied). Be patient, in some compu
 msgid "Warning the interface labels on my device are backwards; the left-most \"LAN4\" port is eth0 and the right-most \"LAN1\" port is eth3."
 msgstr "Warning the interface labels on my device are backwards; the left-most \"LAN4\" port is eth0 and the right-most \"LAN1\" port is eth3."
 
-#: ../../installation/install.rst:533
+#: ../../installation/install.rst:536
 msgid "We also need to provide the *filesystem.squashfs* file. That is a heavy file and TFTP is slow, so you could send it through HTTP to speed up the transfer. That is how it is done in our example, you can find that in the configuration file above."
 msgstr "We also need to provide the *filesystem.squashfs* file. That is a heavy file and TFTP is slow, so you could send it through HTTP to speed up the transfer. That is how it is done in our example, you can find that in the configuration file above."
 
@@ -1879,6 +1873,10 @@ msgstr "You can go back to your Vyatta install using the ``set system image defa
 msgid "You can now proceed with a regular image installation as described in :ref:`installation`."
 msgstr "You can now proceed with a regular image installation as described in :ref:`installation`."
 
+#: ../../installation/update.rst:75
+msgid "You can use ``latest`` option. It loads the latest available Rolling release."
+msgstr "You can use ``latest`` option. It loads the latest available Rolling release."
+
 #: ../../installation/migrate-from-vyatta.rst:28
 msgid "You just use ``add system image``, as if it was a new VC release (see :ref:`update_vyos` for additional information). The only thing you want to do is to verify the new images digital signature. You will have to add the public key manually once as it is not shipped the first time."
 msgstr "You just use ``add system image``, as if it was a new VC release (see :ref:`update_vyos` for additional information). The only thing you want to do is to verify the new images digital signature. You will have to add the public key manually once as it is not shipped the first time."
@@ -1923,7 +1921,7 @@ msgstr "`Manufacturer product page <http://www.inctel.com.cn/product/detail/338.
 msgid "``gpg --recv-keys FD220285A0FE6D7E``"
 msgstr "``gpg --recv-keys FD220285A0FE6D7E``"
 
-#: ../../installation/install.rst:590
+#: ../../installation/install.rst:593
 msgid "`console=ttyS0,115200`"
 msgstr "`console=ttyS0,115200`"
 
@@ -1955,7 +1953,7 @@ msgstr "https://muralidba.blogspot.com/2018/03/how-does-linux-out-of-memory-oom-
 msgid "https://pgp.mit.edu/pks/lookup?op=get&search=0xFD220285A0FE6D7E"
 msgstr "https://pgp.mit.edu/pks/lookup?op=get&search=0xFD220285A0FE6D7E"
 
-#: ../../installation/update.rst:79
+#: ../../installation/update.rst:86
 msgid "https://vyos.net/get/nightly-builds/"
 msgstr "https://vyos.net/get/nightly-builds/"
 
@@ -1971,6 +1969,6 @@ msgstr "https://www.oracle.com/cloud/"
 msgid "ly-builds/releases/download/1.4-rolling-202308240020/vyos-1.4-rolling-202308240020-amd64.iso"
 msgstr "ly-builds/releases/download/1.4-rolling-202308240020/vyos-1.4-rolling-202308240020-amd64.iso"
 
-#: ../../installation/install.rst:592
+#: ../../installation/install.rst:595
 msgid "option, and type CTRL-X to boot."
 msgstr "option, and type CTRL-X to boot."
diff --git a/docs/_locale/de/quick-start.pot b/docs/_locale/de/quick-start.pot
index 1b44e87e..90903260 100644
--- a/docs/_locale/de/quick-start.pot
+++ b/docs/_locale/de/quick-start.pot
@@ -8,19 +8,19 @@ msgstr ""
 "Language: de\n"
 "Plural-Forms: nplurals=2; plural=(n==1) ? 0 : 1;\n"
 
-#: ../../quick-start.rst:178
+#: ../../quick-start.rst:189
 msgid "A default action of ``return``, which returns the packet back to the original chain if no action is taken."
 msgstr "A default action of ``return``, which returns the packet back to the original chain if no action is taken."
 
-#: ../../quick-start.rst:124
+#: ../../quick-start.rst:125
 msgid "A new firewall structure—which uses the ``nftables`` backend, rather than ``iptables``—is available on all installations starting from VyOS ``1.4-rolling-202308040557``. The firewall supports creation of distinct, interlinked chains for each `Netfilter hook <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ and allows for more granular control over the packet filtering process."
 msgstr "A new firewall structure—which uses the ``nftables`` backend, rather than ``iptables``—is available on all installations starting from VyOS ``1.4-rolling-202308040557``. The firewall supports creation of distinct, interlinked chains for each `Netfilter hook <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ and allows for more granular control over the packet filtering process."
 
-#: ../../quick-start.rst:180
+#: ../../quick-start.rst:191
 msgid "A rule to ``accept`` packets from established and related connections."
 msgstr "A rule to ``accept`` packets from established and related connections."
 
-#: ../../quick-start.rst:181
+#: ../../quick-start.rst:192
 msgid "A rule to ``drop`` packets from invalid connections."
 msgstr "A rule to ``drop`` packets from invalid connections."
 
@@ -40,27 +40,31 @@ msgstr "After switching to :ref:`quick-start-configuration-mode` issue the follo
 msgid "After switching to :ref:`quick-start-configuration-mode` issue the following commands:"
 msgstr "After switching to :ref:`quick-start-configuration-mode` issue the following commands:"
 
-#: ../../quick-start.rst:301
+#: ../../quick-start.rst:311
 msgid "Allow Access to Services"
 msgstr "Allow Access to Services"
 
-#: ../../quick-start.rst:257
+#: ../../quick-start.rst:267
 msgid "Allow Management Access"
 msgstr "Allow Management Access"
 
-#: ../../quick-start.rst:208
+#: ../../quick-start.rst:202
 msgid "Alternatively, instead of configuring the ``CONN_FILTER`` chain described above, you can take the more traditional stateful connection filtering approach by creating rules on each hook's chain:"
 msgstr "Alternatively, instead of configuring the ``CONN_FILTER`` chain described above, you can take the more traditional stateful connection filtering approach by creating rules on each hook's chain:"
 
+#: ../../quick-start.rst:219
+msgid "Alternatively, you can take the more traditional stateful connection filtering approach by creating rules on each base hook's chain:"
+msgstr "Alternatively, you can take the more traditional stateful connection filtering approach by creating rules on each base hook's chain:"
+
 #: ../../quick-start.rst:167
 msgid "Apply the firewall policies:"
 msgstr "Apply the firewall policies:"
 
-#: ../../quick-start.rst:367
+#: ../../quick-start.rst:377
 msgid "As above, commit your changes, save the configuration, and exit configuration mode:"
 msgstr "As above, commit your changes, save the configuration, and exit configuration mode:"
 
-#: ../../quick-start.rst:227
+#: ../../quick-start.rst:237
 msgid "Block Incoming Traffic"
 msgstr "Block Incoming Traffic"
 
@@ -76,7 +80,7 @@ msgstr "By default, VyOS is in operational mode, and the command prompt displays
 msgid "Commit and Save"
 msgstr "Commit and Save"
 
-#: ../../quick-start.rst:327
+#: ../../quick-start.rst:337
 msgid "Commit changes, save the configuration, and exit configuration mode:"
 msgstr "Commit changes, save the configuration, and exit configuration mode:"
 
@@ -84,19 +88,19 @@ msgstr "Commit changes, save the configuration, and exit configuration mode:"
 msgid "Configuration Mode"
 msgstr "Configuration Mode"
 
-#: ../../quick-start.rst:143
+#: ../../quick-start.rst:138
 msgid "Configure Firewall Groups"
 msgstr "Configure Firewall Groups"
 
-#: ../../quick-start.rst:162
+#: ../../quick-start.rst:157
 msgid "Configure Stateful Packet Filtering"
 msgstr "Configure Stateful Packet Filtering"
 
-#: ../../quick-start.rst:271
+#: ../../quick-start.rst:281
 msgid "Configure a rule on the ``input`` hook filter to jump to the ``VyOS_MANAGEMENT`` chain when new connections are addressed to port 22 (SSH) on the router itself:"
 msgstr "Configure a rule on the ``input`` hook filter to jump to the ``VyOS_MANAGEMENT`` chain when new connections are addressed to port 22 (SSH) on the router itself:"
 
-#: ../../quick-start.rst:233
+#: ../../quick-start.rst:243
 msgid "Create a new chain (``OUTSIDE-IN``) which will drop all traffic that is not explicity allowed at some point in the chain. Then, we can jump to that chain from the ``forward`` hook when traffic is coming from the ``WAN`` interface group and is addressed to our local network."
 msgstr "Create a new chain (``OUTSIDE-IN``) which will drop all traffic that is not explicity allowed at some point in the chain. Then, we can jump to that chain from the ``forward`` hook when traffic is coming from the ``WAN`` interface group and is addressed to our local network."
 
@@ -120,35 +124,35 @@ msgstr "DHCP leases will hold for one day (86400 seconds)"
 msgid "Documentation for most of the new firewall CLI can be found in the :ref:`firewall` chapter.The legacy firewall is still available for versions before ``1.4-rolling-202308040557`` and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the new configuration."
 msgstr "Documentation for most of the new firewall CLI can be found in the :ref:`firewall` chapter.The legacy firewall is still available for versions before ``1.4-rolling-202308040557`` and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the new configuration."
 
-#: ../../quick-start.rst:341
+#: ../../quick-start.rst:351
 msgid "Especially if you are allowing SSH remote access from the outside/WAN interface, there are a few additional configuration steps that should be taken."
 msgstr "Especially if you are allowing SSH remote access from the outside/WAN interface, there are a few additional configuration steps that should be taken."
 
-#: ../../quick-start.rst:281
+#: ../../quick-start.rst:291
 msgid "Finally, configure the ``VyOS_MANAGEMENT`` chain to accept connection from the ``LAN`` interface group while limiting requests coming from the ``WAN`` interface group to 4 per minute:"
 msgstr "Finally, configure the ``VyOS_MANAGEMENT`` chain to accept connection from the ``LAN`` interface group while limiting requests coming from the ``WAN`` interface group to 4 per minute:"
 
-#: ../../quick-start.rst:357
+#: ../../quick-start.rst:367
 msgid "Finally, try and SSH into the VyOS install as your new user. Once you have confirmed that your new user can access your router without a password, delete the original ``vyos`` user and completely disable password authentication for :ref:`ssh`:"
 msgstr "Finally, try and SSH into the VyOS install as your new user. Once you have confirmed that your new user can access your router without a password, delete the original ``vyos`` user and completely disable password authentication for :ref:`ssh`:"
 
-#: ../../quick-start.rst:319
+#: ../../quick-start.rst:329
 msgid "Finally, we can now configure access to the services running on this router, allowing all connections coming from localhost:"
 msgstr "Finally, we can now configure access to the services running on this router, allowing all connections coming from localhost:"
 
-#: ../../quick-start.rst:122
+#: ../../quick-start.rst:123
 msgid "Firewall"
 msgstr "Firewall"
 
-#: ../../quick-start.rst:263
+#: ../../quick-start.rst:273
 msgid "First, create a new dedicated chain (``VyOS_MANAGEMENT``) for management access, which returns to the parent chain if no action is taken. Add a rule to accept traffic from the ``LAN`` interface group:"
 msgstr "First, create a new dedicated chain (``VyOS_MANAGEMENT``) for management access, which returns to the parent chain if no action is taken. Add a rule to accept traffic from the ``LAN`` interface group:"
 
-#: ../../quick-start.rst:339
+#: ../../quick-start.rst:349
 msgid "Hardening"
 msgstr "Hardening"
 
-#: ../../quick-start.rst:303
+#: ../../quick-start.rst:313
 msgid "Here we're allowing the router to respond to pings. Then, we can allow access to the DNS recursor we configured earlier, accepting traffic bound for port 53 from all hosts on the ``NET-INSIDE-v4`` network:"
 msgstr "Here we're allowing the router to respond to pings. Then, we can allow access to the DNS recursor we configured earlier, accepting traffic bound for port 53 from all hosts on the ``NET-INSIDE-v4`` network:"
 
@@ -156,7 +160,11 @@ msgstr "Here we're allowing the router to respond to pings. Then, we can allow a
 msgid "If you wanted to enable SSH access to your firewall from the outside/WAN interface, you could create some additional rules to allow that kind of traffic."
 msgstr "If you wanted to enable SSH access to your firewall from the outside/WAN interface, you could create some additional rules to allow that kind of traffic."
 
-#: ../../quick-start.rst:150
+#: ../../quick-start.rst:145
+msgid "In this case, we will create two interface groups — a ``WAN`` group for our interfaces connected to the public internet and a ``LAN`` group for the interfaces connected to our internal network. Additionally, we will create a network group, ``NET-INSIDE-v4``, that contains our internal subnet."
+msgstr "In this case, we will create two interface groups — a ``WAN`` group for our interfaces connected to the public internet and a ``LAN`` group for the interfaces connected to our internal network. Additionally, we will create a network group, ``NET-INSIDE-v4``, that contains our internal subnet."
+
+#: ../../quick-start.rst:144
 msgid "In this case, we will create two interface groups—a ``WAN`` group for our interfaces connected to the public internet and a ``LAN`` group for the interfaces connected to our internal network. Additionally, we will create a network group, ``NET-INSIDE-v4``, that contains our internal subnet."
 msgstr "In this case, we will create two interface groups—a ``WAN`` group for our interfaces connected to the public internet and a ``LAN`` group for the interfaces connected to our internal network. Additionally, we will create a network group, ``NET-INSIDE-v4``, that contains our internal subnet."
 
@@ -164,11 +172,15 @@ msgstr "In this case, we will create two interface groups—a ``WAN`` group for
 msgid "Interface Configuration"
 msgstr "Interface Configuration"
 
-#: ../../quick-start.rst:109
+#: ../../quick-start.rst:170
+msgid "Most installations would choose this option, and will contain:"
+msgstr "Most installations would choose this option, and will contain:"
+
+#: ../../quick-start.rst:110
 msgid "NAT"
 msgstr "NAT"
 
-#: ../../quick-start.rst:229
+#: ../../quick-start.rst:239
 msgid "Now that we have configured stateful connection filtering to allow traffic from established and related connections, we can block all other incoming traffic addressed to our local network."
 msgstr "Now that we have configured stateful connection filtering to allow traffic from established and related connections, we can block all other incoming traffic addressed to our local network."
 
@@ -180,19 +192,31 @@ msgstr "Once your configuration works as expected, you can save it permanently b
 msgid "Only hosts from your internal/LAN network can use the DNS recursor"
 msgstr "Only hosts from your internal/LAN network can use the DNS recursor"
 
-#: ../../quick-start.rst:168
+#: ../../quick-start.rst:162
 msgid "Option 1: Common Chain"
 msgstr "Option 1: Common Chain"
 
-#: ../../quick-start.rst:206
+#: ../../quick-start.rst:163
+msgid "Option 1: Global State Policies"
+msgstr "Option 1: Global State Policies"
+
+#: ../../quick-start.rst:179
+msgid "Option 2: Common/Custom Chain"
+msgstr "Option 2: Common/Custom Chain"
+
+#: ../../quick-start.rst:200
 msgid "Option 2: Per-Hook Chain"
 msgstr "Option 2: Per-Hook Chain"
 
+#: ../../quick-start.rst:217
+msgid "Option 3: Per-Hook Chain"
+msgstr "Option 3: Per-Hook Chain"
+
 #: ../../quick-start.rst:5
 msgid "Quick Start"
 msgstr "Quick Start"
 
-#: ../../quick-start.rst:344
+#: ../../quick-start.rst:354
 msgid "Replace the default ``vyos`` system user:"
 msgstr "Replace the default ``vyos`` system user:"
 
@@ -204,7 +228,7 @@ msgstr "Replace the default `vyos` system user:"
 msgid "SSH Management"
 msgstr "SSH Management"
 
-#: ../../quick-start.rst:350
+#: ../../quick-start.rst:360
 msgid "Set up :ref:`ssh_key_based_authentication`:"
 msgstr "Set up :ref:`ssh_key_based_authentication`:"
 
@@ -216,7 +240,7 @@ msgstr "The address range `192.168.0.2/24 - 192.168.0.8/24` will be reserved for
 msgid "The address range ``192.168.0.2/24 - 192.168.0.8/24`` will be reserved for static assignments"
 msgstr "The address range ``192.168.0.2/24 - 192.168.0.8/24`` will be reserved for static assignments"
 
-#: ../../quick-start.rst:176
+#: ../../quick-start.rst:187
 msgid "The chain we will create is called ``CONN_FILTER`` and has three rules:"
 msgstr "The chain we will create is called ``CONN_FILTER`` and has three rules:"
 
@@ -228,7 +252,7 @@ msgstr "The default gateway and DNS recursor address will be `192.168.0.1/24`"
 msgid "The default gateway and DNS recursor address will be ``192.168.0.1/24``"
 msgstr "The default gateway and DNS recursor address will be ``192.168.0.1/24``"
 
-#: ../../quick-start.rst:137
+#: ../../quick-start.rst:132
 msgid "The firewall begins with the base ``filter`` tables you define for each of the ``forward``, ``input``, and ``output`` Netfiter hooks. Each of these tables is populated with rules that are processed in order and can jump to other chains for more granular filtering."
 msgstr "The firewall begins with the base ``filter`` tables you define for each of the ``forward``, ``input``, and ``output`` Netfiter hooks. Each of these tables is populated with rules that are processed in order and can jump to other chains for more granular filtering."
 
@@ -236,11 +260,11 @@ msgstr "The firewall begins with the base ``filter`` tables you define for each
 msgid "The following settings will configure DHCP and DNS services on your internal/LAN network, where VyOS will act as the default gateway and DNS server."
 msgstr "The following settings will configure DHCP and DNS services on your internal/LAN network, where VyOS will act as the default gateway and DNS server."
 
-#: ../../quick-start.rst:111
+#: ../../quick-start.rst:112
 msgid "The following settings will configure :ref:`source-nat` rules for our internal/LAN network, allowing hosts to communicate through the outside/WAN network via IP masquerade."
 msgstr "The following settings will configure :ref:`source-nat` rules for our internal/LAN network, allowing hosts to communicate through the outside/WAN network via IP masquerade."
 
-#: ../../quick-start.rst:194
+#: ../../quick-start.rst:205
 msgid "Then, we can jump to the common chain from both the ``forward`` and ``input`` hooks as the first filtering rule in the respective chains:"
 msgstr "Then, we can jump to the common chain from both the ``forward`` and ``input`` hooks as the first filtering rule in the respective chains:"
 
@@ -260,31 +284,39 @@ msgstr "This chapter will guide you on how to get up to speed quickly using your
 msgid "This configuration creates a proper stateful firewall that blocks all traffic which was not initiated from the internal/LAN side first."
 msgstr "This configuration creates a proper stateful firewall that blocks all traffic which was not initiated from the internal/LAN side first."
 
-#: ../../quick-start.rst:145
+#: ../../quick-start.rst:140
 msgid "To make firewall configuration easier, we can create groups of interfaces, networks, addresses, ports, and domains that describe different parts of our network. We can then use them for filtering within our firewall rulesets, allowing for more concise and readable configuration."
 msgstr "To make firewall configuration easier, we can create groups of interfaces, networks, addresses, ports, and domains that describe different parts of our network. We can then use them for filtering within our firewall rulesets, allowing for more concise and readable configuration."
 
+#: ../../quick-start.rst:164
+msgid "Using options defined in ``set firewall global-options state-policy``, state policy rules that applies for both IPv4 and IPv6 are created. These global state policies also applies for all traffic that passes through the router (transit) and for traffic originated/destinated to/from the router itself, and will be avaluated before any other rule defined in the firewall."
+msgstr "Using options defined in ``set firewall global-options state-policy``, state policy rules that applies for both IPv4 and IPv6 are created. These global state policies also applies for all traffic that passes through the router (transit) and for traffic originated/destinated to/from the router itself, and will be avaluated before any other rule defined in the firewall."
+
 #: ../../quick-start.rst:90
 msgid "VyOS will serve as a full DNS recursor, replacing the need to utilize Google, Cloudflare, or other public DNS servers (which is good for privacy)"
 msgstr "VyOS will serve as a full DNS recursor, replacing the need to utilize Google, Cloudflare, or other public DNS servers (which is good for privacy)"
 
-#: ../../quick-start.rst:170
+#: ../../quick-start.rst:181
 msgid "We can create a common chain for stateful connection filtering of multiple interfaces (or multiple netfilter hooks on one interface). Those individual chains can then jump to the common chain for stateful connection filtering, returning to the original chain for further rule processing if no action is taken on the packet."
 msgstr "We can create a common chain for stateful connection filtering of multiple interfaces (or multiple netfilter hooks on one interface). Those individual chains can then jump to the common chain for stateful connection filtering, returning to the original chain for further rule processing if no action is taken on the packet."
 
-#: ../../quick-start.rst:259
+#: ../../quick-start.rst:269
 msgid "We can now configure access to the router itself, allowing SSH access from the inside/LAN network and rate limiting SSH access from the outside/WAN network."
 msgstr "We can now configure access to the router itself, allowing SSH access from the inside/LAN network and rate limiting SSH access from the outside/WAN network."
 
-#: ../../quick-start.rst:247
+#: ../../quick-start.rst:257
 msgid "We should also block all traffic destinated to the router itself that isn't explicitly allowed at some point in the chain for the ``input`` hook. As we've already configured stateful packet filtering above, we only need to set the default action to ``drop``:"
 msgstr "We should also block all traffic destinated to the router itself that isn't explicitly allowed at some point in the chain for the ``input`` hook. As we've already configured stateful packet filtering above, we only need to set the default action to ``drop``:"
 
-#: ../../quick-start.rst:164
+#: ../../quick-start.rst:159
+msgid "With the new firewall structure, we have have a lot of flexibility in how we group and order our rules, as shown by the three alternative approaches below."
+msgstr "With the new firewall structure, we have have a lot of flexibility in how we group and order our rules, as shown by the three alternative approaches below."
+
+#: ../../quick-start.rst:158
 msgid "With the new firewall structure, we have have a lot of flexibility in how we group and order our rules, as shown by the two alternative approaches below."
 msgstr "With the new firewall structure, we have have a lot of flexibility in how we group and order our rules, as shown by the two alternative approaches below."
 
-#: ../../quick-start.rst:379
+#: ../../quick-start.rst:389
 msgid "You now should have a simple yet secure and functioning router to experiment with further. Enjoy!"
 msgstr "You now should have a simple yet secure and functioning router to experiment with further. Enjoy!"
 
-- 
cgit v1.2.3