From 0ed155b05523c755a9eb777c49a3a0fd4b56149e Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 25 Dec 2023 09:14:05 +0100 Subject: snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp" --- docs/configuration/service/lldp.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/lldp.rst b/docs/configuration/service/lldp.rst index aa357211..12a9e0b6 100644 --- a/docs/configuration/service/lldp.rst +++ b/docs/configuration/service/lldp.rst @@ -54,7 +54,7 @@ Configuration Disable transmit of LLDP frames on given ``. Useful to exclude certain interfaces from LLDP when ``all`` have been enabled. -.. cfgcmd:: set service lldp snmp enable +.. cfgcmd:: set service lldp snmp Enable SNMP queries of the LLDP database -- cgit v1.2.3 From 0893ca769b1796d2d61dc26a0c0c13d1eda56f5e Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 27 Dec 2023 06:52:57 -0300 Subject: dhcp-server: update docs for op-mode command --- docs/configuration/firewall/global-options.rst | 2 +- docs/configuration/service/dhcp-server.rst | 34 ++++++++++++++++++++++---- 2 files changed, 30 insertions(+), 6 deletions(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index 455e530b..b3f311aa 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-12-026 +:lastproofread: 2023-12-26 .. _firewall-global-options-configuration: diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index b5b12a5b..0cc10feb 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -549,18 +549,43 @@ Operation Mode .. code-block:: none vyos@vyos:~$ show dhcp server leases - IP address Hardware address State Lease start Lease expiration Remaining Pool Hostname - -------------- ------------------ ------- ------------------- ------------------- ---------- ----------- --------- - 192.0.2.104 00:53:01:dd:ee:ff active 2019/12/05 14:24:23 2019/12/06 02:24:23 6:05:35 dhcpexample test1 - 192.0.2.115 00:53:01:ae:af:bf active 2019/12/05 18:02:37 2019/12/06 06:02:37 9:43:49 dhcpexample test2 + IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin + -------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- -------- + 192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:24:10 LAN VPCS1 local + 192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:43 LAN VYOS-6 local + 10.11.11.108 50:00:00:05:00:00 active 2023/11/29 09:51:43 2023/11/29 10:21:43 0:24:48 VIF-1001 VYOS5 local + 192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote + vyos@vyos:~$ .. hint:: Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``. +.. opcmd:: show dhcp server leases origin [local | remote] + + Show statuses of all active leases granted by local (this server) or + remote (failover server): + +.. code-block:: none + + vyos@vyos:~$ show dhcp server leases origin remote + IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin + -------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- -------- + 192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote + vyos@vyos:~$ + .. opcmd:: show dhcp server leases pool Show only leases in the specified pool. +.. code-block:: none + + vyos@vyos:~$ show dhcp server leases pool LAN + IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin + -------------- ----------------- ------- ------------------- ------------------- ----------- ------ ---------- -------- + 192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:23:55 LAN VPCS1 local + 192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:28 LAN VYOS-6 local + vyos@vyos:~$ + .. opcmd:: show dhcp server leases sort Sort the output by the specified key. Possible keys: ip, hardware_address, @@ -572,7 +597,6 @@ Operation Mode free, expired, released, abandoned, reset, backup (default = active) - *********** IPv6 server *********** -- cgit v1.2.3 From 9ca5e9dd89eabda161d974e7359ab2716fe56464 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 6 Jan 2024 20:54:08 +0100 Subject: dns: T5900: add dont-throttle-netmasks and serve-stale-extensions powerdns features --- docs/configuration/service/dns.rst | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index 2caeb22d..7624d309 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -143,6 +143,19 @@ avoid being tracked by the provider of your upstream DNS server. 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream DNS server(s) to be used for reverse lookups of these zones. +.. cfgcmd:: set service dns forwarding serve-stale-extension <0-65535> + + Maximum number of times an expired record’s TTL is extended by 30s when + serving stale. Extension only occurs if a record cannot be refreshed. A + value of 0 means the Serve Stale mechanism is not used. To allow records + becoming stale to be served for an hour, use a value of 120. + +.. cfgcmd:: set service dns forwarding exclude-throttle-address + + When an authoritative server does not answer a query or sends a reply the + recursor does not like, it is throttled. Any servers matching the supplied + netmasks will never be throttled. + Example ======= @@ -381,12 +394,12 @@ By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP. -Above, command syntax isn noted to configure dynamic dns on a specific interface. -It is possible to overlook the additional address option, web, when completeing -those commands. ddclient_ has another way to determine the WAN IP address, using -a web-based url to determine the external IP. Each of the commands above will -need to be modified to use 'web' as the 'interface' specified if this functionality -is to be utilized. +Above, command syntax isn noted to configure dynamic dns on a specific interface. +It is possible to overlook the additional address option, web, when completeing +those commands. ddclient_ has another way to determine the WAN IP address, using +a web-based url to determine the external IP. Each of the commands above will +need to be modified to use 'web' as the 'interface' specified if this functionality +is to be utilized. This functionality is controlled by adding the following configuration: -- cgit v1.2.3 From 8628ad46eb25d5e165cf2e03f52c2b7c7bc7b6ca Mon Sep 17 00:00:00 2001 From: Bubun Das Date: Mon, 8 Jan 2024 23:48:19 +0530 Subject: Update monitoring.rst Updated docs for influxdb --- docs/configuration/service/monitoring.rst | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst index 0aa93e71..245af067 100644 --- a/docs/configuration/service/monitoring.rst +++ b/docs/configuration/service/monitoring.rst @@ -109,11 +109,11 @@ Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided. Telegraf is the open source server agent to help you collect metrics, events and logs from your routers. -.. cfgcmd:: set service monitoring telegraf authentication organization +.. cfgcmd:: set service monitoring telegraf influxdb authentication organization Authentication organization name -.. cfgcmd:: set service monitoring telegraf authentication token +.. cfgcmd:: set service monitoring telegraf influxdb authentication token Authentication token @@ -121,11 +121,11 @@ and logs from your routers. Remote ``InfluxDB`` bucket name -.. cfgcmd:: set service monitoring port +.. cfgcmd:: set service monitoring telegraf influxdb port Remote port -.. cfgcmd:: set service monitoring telegraf url +.. cfgcmd:: set service monitoring telegraf influxdb url Remote URL @@ -138,12 +138,11 @@ An example of a configuration that sends ``telegraf`` metrics to remote .. code-block:: none - set service monitoring telegraf authentication organization 'vyos' - set service monitoring telegraf authentication token 'ZAml9Uy5wrhA...==' - set service monitoring telegraf bucket 'bucket_vyos' - set service monitoring telegraf port '8086' - set service monitoring telegraf source 'all' - set service monitoring telegraf url 'http://r1.influxdb2.local' + set service monitoring telegraf influxdb authentication organization 'vyos' + set service monitoring telegraf influxdb authentication token 'ZAml9Uy5wrhA...==' + set service monitoring telegraf influxdb bucket 'bucket_vyos' + set service monitoring telegraf influxdb port '8086' + set service monitoring telegraf influxdb url 'http://r1.influxdb2.local' .. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer .. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client -- cgit v1.2.3 From cecc0f3c32afb455ddb006b35faf343877061443 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 8 Jan 2024 21:29:11 +0100 Subject: https: add latest CLI changes --- docs/configuration/service/https.rst | 78 +++++++++++++++++------------------- 1 file changed, 37 insertions(+), 41 deletions(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index eb2e30eb..973c5355 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -1,7 +1,7 @@ .. _http-api: ######## -HTTP-API +HTTP API ######## VyOS provide an HTTP API. You can use it to execute op-mode commands, @@ -13,75 +13,71 @@ Please take a look at the :ref:`vyosapi` page for an detailed how-to. Configuration ************* -.. cfgcmd:: set service https api keys id key +.. cfgcmd:: set service https allow-client address
- Set a named api key. Every key has the same, full permissions - on the system. + Only allow certain IP addresses or prefixes to access the https + webserver. -.. cfgcmd:: set service https api debug +.. cfgcmd:: set service https certificates ca-certificate - To enable debug messages. Available via :opcmd:`show log` or - :opcmd:`monitor log` + Use CA certificate from PKI subsystem -.. cfgcmd:: set service https api strict +.. cfgcmd:: set service https certificates certificate - Enforce strict path checking + Use certificate from PKI subsystem -.. cfgcmd:: set service https virtual-host listen-address - +.. cfgcmd:: set service https certificates dh-params - Address to listen for HTTPS requests + Use :abbr:`DH (Diffie–Hellman)` parameters from PKI subsystem. + Must be at least 2048 bits in length. -.. cfgcmd:: set service https virtual-host port <1-65535> +.. cfgcmd:: set service https listen-address
- Port to listen for HTTPS requests; default 443 + Webserver should only listen on specified IP address -.. cfgcmd:: set service https virtual-host server-name +.. cfgcmd:: set service https port - Server names for virtual hosts it can be exact, wildcard or regex. + Webserver should listen on specified port. -.. cfgcmd:: set service https api-restrict virtual-host + Default: 443 - By default, nginx exposes the local API on all virtual servers. - Use this to restrict nginx to one or more virtual hosts. +.. cfgcmd:: set service https enable-http-redirect -.. cfgcmd:: set service https certificates certbot domain-name + Enable automatic redirect from http to https. - Domain name(s) for which to obtain certificate +.. cfgcmd:: set service https tls-version <1.2 | 1.3> -.. cfgcmd:: set service https certificates certbot email + Select TLS version used. - Email address to associate with certificate + This defaults to both 1.2 and 1.3. -.. cfgcmd:: set service https certificates system-generated-certificate +.. cfgcmd:: set service https vrf - Use an automatically generated self-signed certificate + Start Webserver in given VRF. -.. cfgcmd:: set service https certificates system-generated-certificate - lifetime +API +=== - Lifetime in days; default is 365 +.. cfgcmd:: set service https api keys id key + Set a named api key. Every key has the same, full permissions + on the system. -********************* -Example Configuration -********************* +.. cfgcmd:: set service https api debug -Set an API-KEY is the minimal configuration to get a working API Endpoint. + To enable debug messages. Available via :opcmd:`show log` or + :opcmd:`monitor log` -.. code-block:: none +.. cfgcmd:: set service https api strict - set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY + Enforce strict path checking +********************* +Example Configuration +********************* -To use this full configuration we asume a public accessible hostname. +Set an API-KEY is the minimal configuration to get a working API Endpoint. .. code-block:: none set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY - set service https certificates certbot domain-name rtr01.example.com - set service https certificates certbot email mail@example.com - set service https virtual-host rtr01 listen-address 198.51.100.2 - set service https virtual-host rtr01 port 11443 - set service https virtual-host rtr01 server-name rtr01.example.com - set service https api-restrict virtual-host rtr01 -- cgit v1.2.3 From ad7eaafed56898ddc0377d37efa57f6339d8ef9f Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Wed, 10 Jan 2024 12:53:01 +0100 Subject: dhcp: T3316: Update documentation for Kea implementation --- .../_include/dhcp-server.conf | 2 +- docs/configuration/service/dhcp-server.rst | 131 ++------------------- docs/installation/install.rst | 8 +- docs/quick-start.rst | 6 +- 4 files changed, 20 insertions(+), 127 deletions(-) (limited to 'docs/configuration/service') diff --git a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf index 9c4b612a..a3a7f27e 100644 --- a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf +++ b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf @@ -8,6 +8,6 @@ set protocols static route 10.0.10.0/24 next-hop 10.0.20.254 set protocols static route 192.168.0.0/24 next-hop 127.16.0.2 set service dhcp-server listen-address '172.16.0.1' set service dhcp-server shared-network-name DHCPTun100 authoritative -set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 default-router '192.168.0.254' +set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 option default-router '192.168.0.254' set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 start '192.168.0.30' set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30' \ No newline at end of file diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 0cc10feb..e20fc251 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -4,7 +4,7 @@ DHCP Server ########### -VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment. +VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment. *********** IPv4 server @@ -26,12 +26,7 @@ Configuration Create DNS record per client lease, by adding clients to /etc/hosts file. Entry will have format: `_.` -.. cfgcmd:: set service dhcp-server host-decl-name - - Will drop `_` from client DNS record, using only the - host declaration name and domain: `.` - -.. cfgcmd:: set service dhcp-server shared-network-name domain-name +.. cfgcmd:: set service dhcp-server shared-network-name option domain-name The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP @@ -40,7 +35,7 @@ Configuration This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name domain-search +.. cfgcmd:: set service dhcp-server shared-network-name option domain-search The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times @@ -49,7 +44,7 @@ Configuration This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name name-server
+.. cfgcmd:: set service dhcp-server shared-network-name option name-server
Inform client that the DNS server can be found at `
`. @@ -58,21 +53,6 @@ Configuration Multiple DNS servers can be defined. -.. cfgcmd:: set service dhcp-server shared-network-name ping-check - - When the DHCP server is considering dynamically allocating an IP address to a - client, it first sends an ICMP Echo request (a ping) to the address being - assigned. It waits for a second, and if no ICMP Echo response has been heard, - it assigns the address. - - If a response is heard, the lease is abandoned, and the server does not - respond to the client. The lease will remain abandoned for a minimum of - abandon-lease-time seconds (defaults to 24 hours). - - If there are no free addresses but there are abandoned IP addresses, the - DHCP server will attempt to reclaim an abandoned IP address regardless of the - value of abandon-lease-time. - .. cfgcmd:: set service dhcp-server listen-address
This configuration parameter lets the DHCP server to listen for DHCP @@ -91,14 +71,14 @@ Individual Client Subnet network. .. cfgcmd:: set service dhcp-server shared-network-name subnet - default-router
+ option default-router
This is a configuration parameter for the ``, saying that as part of the response, tell the client that the default gateway can be reached at `
`. .. cfgcmd:: set service dhcp-server shared-network-name subnet - name-server
+ option name-server
This is a configuration parameter for the subnet, saying that as part of the response, tell the client that the DNS server can be found at `
`. @@ -133,40 +113,19 @@ Individual Client Subnet This option can be specified multiple times. .. cfgcmd:: set service dhcp-server shared-network-name subnet - domain-name + option domain-name The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP Option 015). .. cfgcmd:: set service dhcp-server shared-network-name subnet - domain-search + option domain-search The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119). -.. cfgcmd:: set service dhcp-server shared-network-name subnet - ping-check - - When the DHCP server is considering dynamically allocating an IP address to a - client, it first sends an ICMP Echo request (a ping) to the address being - assigned. It waits for a second, and if no ICMP Echo response has been heard, - it assigns the address. - - If a response is heard, the lease is abandoned, and the server does not - respond to the client. The lease will remain abandoned for a minimum of - abandon-lease-time seconds (defaults to 24 hours). - - If a there are no free addresses but there are abandoned IP addresses, the - DHCP server will attempt to reclaim an abandoned IP address regardless of the - value of abandon-lease-time. - -.. cfgcmd:: set service dhcp-server shared-network-name subnet - enable-failover - - Enable DHCP failover configuration for this address pool. - Failover -------- @@ -391,32 +350,6 @@ Options Multi: can be specified multiple times. -Raw Parameters -============== - -Raw parameters can be passed to shared-network-name, subnet and static-mapping: - -.. code-block:: none - - set service dhcp-server shared-network-name shared-network-parameters - Additional shared-network parameters for DHCP server. - set service dhcp-server shared-network-name subnet subnet-parameters - Additional subnet parameters for DHCP server. - set service dhcp-server shared-network-name subnet static-mapping static-mapping-parameters - Additional static-mapping parameters for DHCP server. - Will be placed inside the "host" block of the mapping. - -These parameters are passed as-is to isc-dhcp's dhcpd.conf under the -configuration node they are defined in. They are not validated so an error in -the raw parameters won't be caught by vyos's scripts and will cause dhcpd to -fail to start. Always verify that the parameters are correct before committing -the configuration. Refer to isc-dhcp's dhcpd.conf manual for more information: -https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf - -Quotes can be used inside parameter values by replacing all quote characters -with the string ``"``. They will be replaced with literal quote characters -when generating dhcpd.conf. - Example ======= @@ -439,12 +372,11 @@ Common configuration, valid for both primary and secondary node. .. code-block:: none - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 name-server '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option default-router '192.0.2.254' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option name-server '192.0.2.254' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 enable-failover **Primary** @@ -467,47 +399,6 @@ Common configuration, valid for both primary and secondary node. .. _dhcp-server:v4_example_raw: -Raw Parameters --------------- - -* Override static-mapping's name-server with a custom one that will be sent only - to this host. -* An option that takes a quoted string is set by replacing all quote characters - with the string ``"`` inside the static-mapping-parameters value. - The resulting line in dhcpd.conf will be - ``option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";``. - - -.. code-block:: none - - set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;" - set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";" - -Option 43 for UniFI -------------------- - -* These parameters need to be part of the DHCP global options. - They stay unchanged. - - -.. code-block:: none - - set service dhcp-server global-parameters 'option space ubnt;' - set service dhcp-server global-parameters 'option ubnt.unifi-address code 1 = ip-address;' - set service dhcp-server global-parameters 'class "ubnt" {' - set service dhcp-server global-parameters 'match if substring (option vendor-class-identifier, 0, 4) = "ubnt";' - set service dhcp-server global-parameters 'option vendor-class-identifier "ubnt";' - set service dhcp-server global-parameters 'vendor-option-space ubnt;' - set service dhcp-server global-parameters '}' - -* Now we add the option to the scope, adapt to your setup - - -.. code-block:: none - - set service dhcp-server shared-network-name example-scope subnet 10.1.1.0/24 subnet-parameters 'option ubnt.unifi-address 172.16.1.10;' - - Operation Mode ============== diff --git a/docs/installation/install.rst b/docs/installation/install.rst index 2bbce8ee..bf0f11fe 100644 --- a/docs/installation/install.rst +++ b/docs/installation/install.rst @@ -458,9 +458,11 @@ In this example we configured an existent VyOS as the DHCP server: vyos@vyos# show service dhcp-server shared-network-name mydhcp { subnet 192.168.1.0/24 { - bootfile-name pxelinux.0 - bootfile-server 192.168.1.50 - default-router 192.168.1.50 + option { + bootfile-name pxelinux.0 + bootfile-server 192.168.1.50 + default-router 192.168.1.50 + } range 0 { start 192.168.1.70 stop 192.168.1.100 diff --git a/docs/quick-start.rst b/docs/quick-start.rst index c8bb3f04..44ff99ff 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -93,9 +93,9 @@ DNS server. .. code-block:: none - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1' - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 name-server '192.168.0.1' - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'vyos.net' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '192.168.0.1' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.9' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254' -- cgit v1.2.3 From 3864aa6aafd592e5d8b93dbede9004ccbf001e88 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Thu, 11 Jan 2024 02:12:07 +0100 Subject: dhcp: dhcpv6: T3316: Update documentation for inclusion of `subnet-id` --- .../DHCPRelay_through_GRE/_include/dhcp-server.conf | 3 ++- docs/configuration/service/dhcp-server.rst | 17 +++++++++++++++++ docs/installation/install.rst | 1 + docs/quick-start.rst | 1 + 4 files changed, 21 insertions(+), 1 deletion(-) (limited to 'docs/configuration/service') diff --git a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf index a3a7f27e..20c8dd10 100644 --- a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf +++ b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf @@ -10,4 +10,5 @@ set service dhcp-server listen-address '172.16.0.1' set service dhcp-server shared-network-name DHCPTun100 authoritative set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 option default-router '192.168.0.254' set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 start '192.168.0.30' -set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30' \ No newline at end of file +set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30' +set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 subnet-id '1' \ No newline at end of file diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index e20fc251..c51a0aff 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -70,6 +70,12 @@ Individual Client Subnet any device trying to request an IP address that is not valid for this network. +.. cfgcmd:: set service dhcp-server shared-network-name subnet + subnet-id + + This configuration parameter is required and must be unique to each subnet. + It is required to map subnets to lease file entries. + .. cfgcmd:: set service dhcp-server shared-network-name subnet option default-router
@@ -197,6 +203,7 @@ inside the subnet definition but can be outside of the range statement. .. code-block:: none + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 @@ -210,6 +217,7 @@ The configuration will look as follows: ip-address 192.168.1.100 mac-address aa:bb:11:22:33:00 } + subnet-id 1 } Options @@ -377,6 +385,7 @@ Common configuration, valid for both primary and secondary node. set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 subnet-id '1' **Primary** @@ -505,6 +514,12 @@ Configuration Clients receiving advertise messages from multiple servers choose the server with the highest preference value. The range for this value is ``0...255``. +.. cfgcmd:: set service dhcpv6-server shared-network-name subnet + subnet-id + + This configuration parameter is required and must be unique to each subnet. + It is required to map subnets to lease file entries. + .. cfgcmd:: set service dhcpv6-server shared-network-name subnet lease-time {default | maximum | minimum} @@ -581,6 +596,7 @@ server. The following example describes a common scenario. set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199 set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1 The configuration will look as follows: @@ -595,6 +611,7 @@ The configuration will look as follows: } } name-server 2001:db8::ffff + subnet-id 1 } } diff --git a/docs/installation/install.rst b/docs/installation/install.rst index bf0f11fe..17bccfbd 100644 --- a/docs/installation/install.rst +++ b/docs/installation/install.rst @@ -467,6 +467,7 @@ In this example we configured an existent VyOS as the DHCP server: start 192.168.1.70 stop 192.168.1.100 } + subnet-id 1 } } diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 44ff99ff..05e278ad 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -99,6 +99,7 @@ DNS server. set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.9' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1' set service dns forwarding cache-size '0' set service dns forwarding listen-address '192.168.0.1' -- cgit v1.2.3 From 3b50e4600a2db1abaff3d4049bd6627a272b00dc Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Sat, 13 Jan 2024 00:53:52 +0100 Subject: Update syntax for Kea option change --- docs/configuration/service/dhcp-server.rst | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index c51a0aff..b99e5baa 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -528,35 +528,35 @@ Configuration values need to be supplied in seconds. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - nis-domain + option nis-domain A :abbr:`NIS (Network Information Service)` domain can be set to be used for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - nisplus-domain + option nisplus-domain The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` domain is similar to the NIS domain one: .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - nis-server
+ option nis-server
Specify a NIS server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - nisplus-server
+ option nisplus-server
Specify a NIS+ server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - sip-server
+ option sip-server
Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address of Fully Qualified Domain Name for all DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - sntp-server-address
+ option sntp-server-address
A SNTP server address can be specified for DHCPv6 clients. @@ -594,8 +594,9 @@ server. The following example describes a common scenario. .. code-block:: none - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199 - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 start 2001:db8::100 stop 2001:db8::199 + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 stop 2001:db8::199 + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 option name-server 2001:db8::ffff set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1 The configuration will look as follows: @@ -605,12 +606,13 @@ The configuration will look as follows: show service dhcpv6-server shared-network-name NET1 { subnet 2001:db8::/64 { - address-range { - start 2001:db8::100 { - stop 2001:db8::199 - } + range 1 { + start 2001:db8::100 + stop 2001:db8::199 + } + option { + name-server 2001:db8::ffff } - name-server 2001:db8::ffff subnet-id 1 } } -- cgit v1.2.3 From e6ade0470d59cf0ed45101f525e80d575f3a08d4 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Sun, 14 Jan 2024 17:40:18 +0100 Subject: dhcp: T3316: Update documentation for changes in PR vyos/vyos-1x#2650 --- docs/configuration/service/dhcp-server.rst | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index b99e5baa..6813d2c0 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -178,11 +178,17 @@ MAC address of the station and your desired IP address. The address must be inside the subnet definition but can be outside of the range statement. .. cfgcmd:: set service dhcp-server shared-network-name subnet - static-mapping mac-address
+ static-mapping mac
Create a new DHCP static mapping named `` which is valid for the host identified by its MAC `
`. +.. cfgcmd:: set service dhcp-server shared-network-name subnet + static-mapping duid + + Create a new DHCP static mapping named `` which is valid for + the host identified by its DHCP unique identifier (DUID) ``. + .. cfgcmd:: set service dhcp-server shared-network-name subnet static-mapping ip-address
@@ -205,7 +211,7 @@ inside the subnet definition but can be outside of the range statement. set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 - set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac aa:bb:11:22:33:00 The configuration will look as follows: @@ -215,7 +221,7 @@ The configuration will look as follows: subnet 192.168.1.0/24 { static-mapping client1 { ip-address 192.168.1.100 - mac-address aa:bb:11:22:33:00 + mac aa:bb:11:22:33:00 } subnet-id 1 } @@ -641,7 +647,7 @@ be created. The following example explains the process. set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-address 2001:db8::101 set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-prefix 2001:db8:0:101::/64 - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff The configuration will look as follows: @@ -652,7 +658,7 @@ The configuration will look as follows: show service dhcpv6-server shared-network-name NET1 subnet 2001:db8::/64 { static-mapping client1 { - identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff + duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff ipv6-address 2001:db8::101 ipv6-prefix 2001:db8:0:101::/64 } -- cgit v1.2.3 From f5b79621d0c841ee9a596543a05ad1acc9130c1d Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Fri, 19 Jan 2024 13:38:40 +0200 Subject: Changed IPv6 pool documentation in accel-ppp services Changed IPv6 pool documentation in accel-ppp services to named IPv6 pools. https://vyos.dev/T5865 --- docs/configuration/service/ipoe-server.rst | 10 ++++++---- docs/configuration/service/pppoe-server.rst | 25 +++++++++++++++++-------- docs/configuration/vpn/sstp.rst | 12 +++++++++--- 3 files changed, 32 insertions(+), 15 deletions(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index c219a063..ed4ade1a 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst @@ -72,8 +72,9 @@ IPv6 DNS addresses are optional. set service ipoe-server authentication interface eth3 mac 08:00:27:2F:D8:06 set service ipoe-server authentication mode 'local' - set service ipoe-server client-ipv6-pool delegate '2001:db8:1::/48' delegation-prefix '56' - set service ipoe-server client-ipv6-pool prefix '2001:db8::/48' mask '64' + set service ipoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:1::/48' delegation-prefix '56' + set service ipoe-server client-ipv6-pool IPv6-POOL prefix '2001:db8::/48' mask '64' + set service ipoe-server default-ipv6-pool IPv6-POOL set service ipoe-server name-server '2001:db8::' set service ipoe-server name-server '2001:db8:aaa::' set service ipoe-server name-server '2001:db8:bbb::' @@ -171,8 +172,9 @@ Server configuration set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000' set service ipoe-server authentication mode 'local' - set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56' - set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64' + set service ipoe-server client-ipv6-pool IPv6-POOL delegate 2001:db8:ffff::/48 delegation-prefix '56' + set service ipoe-server client-ipv6-pool IPv6-POOL prefix 2001:db8:fffe::/48 mask '64' + set service ipoe-server default-ipv6-pool IPv6-POOL set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24' set service ipoe-server interface eth1.50 mode 'l2' set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24' diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index a230d9fe..56fcb968 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -266,11 +266,11 @@ other servers. Last command says that this PPPoE server can serve only IPv6 ---- -IPv6 client's prefix assignment -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +IPv6 client's prefix +^^^^^^^^^^^^^^^^^^^^ -.. cfgcmd:: set service pppoe-server client-ipv6-pool prefix
- mask +.. cfgcmd:: set service pppoe-server client-ipv6-pool + prefix
mask Use this comand to set the IPv6 address pool from which a PPPoE client will get an IPv6 prefix of your defined length (mask) to @@ -281,8 +281,8 @@ IPv6 client's prefix assignment IPv6 Prefix Delegation ^^^^^^^^^^^^^^^^^^^^^^ -.. cfgcmd:: set service pppoe-server client-ipv6-pool delegate
- delegation-prefix +.. cfgcmd:: set service pppoe-server client-ipv6-pool + delegate
delegation-prefix Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You will have to set your IPv6 pool and the length of the delegation @@ -291,6 +291,14 @@ IPv6 Prefix Delegation delegation prefix can be set from 32 to 64 bit long. +IPv6 default client's pool assignment +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set service pppoe-server default-ipv6-pool + + Use this command to define default IPv6 address pool name. + + Maintenance mode ================ @@ -374,8 +382,9 @@ The example below covers a dual-stack configuration via pppoe-server. set service pppoe-server authentication mode 'local' set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24' set service pppoe-server default-pool 'IP-POOL' - set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56' - set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server default-ipv6-pool IPv6-POOL set service pppoe-server ppp-options ipv6 allow set service pppoe-server name-server '10.1.1.1' set service pppoe-server name-server '2001:db8:4860::8888' diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index d9bb4353..2c5cef6d 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -132,7 +132,8 @@ Configuration Use this command to define default address pool name. -.. cfgcmd:: set vpn sstp client-ipv6-pool prefix
mask +.. cfgcmd:: set vpn sstp client-ipv6-pool prefix
+ mask Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the @@ -140,8 +141,8 @@ Configuration bit long, the default value is 64. -.. cfgcmd:: set vpn sstp client-ipv6-pool delegate
delegation-prefix - +.. cfgcmd:: set vpn sstp client-ipv6-pool delegate
+ delegation-prefix Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the @@ -150,6 +151,11 @@ Configuration delegation prefix can be set from 32 to 64 bit long. +.. cfgcmd:: set vpn sstp default-ipv6-pool + + Use this command to define default IPv6 address pool name. + + .. cfgcmd:: set vpn sstp name-server
Connected client should use `
` as their DNS server. This -- cgit v1.2.3 From 2443622964b476bfbcf88b05322fd27b55406fad Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 21 Jan 2024 20:48:33 +0100 Subject: ntp: T5692: add support to configure leap second behavior --- docs/configuration/service/ntp.rst | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/ntp.rst b/docs/configuration/service/ntp.rst index 08be047c..e7ee392b 100644 --- a/docs/configuration/service/ntp.rst +++ b/docs/configuration/service/ntp.rst @@ -81,4 +81,33 @@ Configuration .. cfgcmd:: set service ntp vrf - Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. + Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. + +.. cfgcmd:: set service ntp leap-second [ignore|smear|system|timezone] + + Define how to handle leaf-seonds. + + * `ignore`: No correction is applied to the clock for the leap second. The + clock will be corrected later in normal operation when new measurements are + made and the estimated offset includes the one second error. + + * `smear`: When smearing a leap second, the leap status is suppressed on the + server and the served time is corrected slowly by slewing instead of + stepping. The clients do not need any special configuration as they do not + know there is any leap second and they follow the server time which + eventually brings them back to UTC. Care must be taken to ensure they use + only NTP servers which smear the leap second in exactly the same way for + synchronisation. + + * `system`: When inserting a leap second, the kernel steps the system clock + backwards by one second when the clock gets to 00:00:00 UTC. When deleting + a leap second, it steps forward by one second when the clock gets to + 23:59:59 UTC. + + * `timezone`: This directive specifies a timezone in the system timezone + database which chronyd can use to determine when will the next leap second + occur and what is the current offset between TAI and UTC. It will + periodically check if 23:59:59 and 23:59:60 are valid times in the + timezone. This normally works with the right/UTC timezone which is the + default + -- cgit v1.2.3 From 57cdbe065b89ec38a779ddb7530cda3ac240caf2 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 23 Jan 2024 06:57:42 -0300 Subject: Adding first documentation regarding IDS and FastNetMon. Also a brief configuration example is provided. --- docs/configuration/service/ids.rst | 179 +++++++++++++++++++++++++++++++++++ docs/configuration/service/index.rst | 4 +- 2 files changed, 182 insertions(+), 1 deletion(-) create mode 100644 docs/configuration/service/ids.rst (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/ids.rst b/docs/configuration/service/ids.rst new file mode 100644 index 00000000..3e508d50 --- /dev/null +++ b/docs/configuration/service/ids.rst @@ -0,0 +1,179 @@ +.. _ids: + +############### +DDoS Protection +############### + +********** +FastNetMon +********** + +FastNetMon is a high-performance DDoS detector/sensor built on top of multiple +packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror). It can +detect hosts in the deployed network sending or receiving large volumes of +traffic, packets/bytes/flows per second and perform a configurable action to +handle that event, such as calling a custom script. + +VyOS includes the FastNetMon Community Edition. + +Configuration +============= + +.. cfgcmd:: set service ids ddos-protection alert-script + + Configure alert script that will be executed when an attack is detected. + +.. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294> + + Configure how long an IP (attacker) should be kept in blocked state. + Default value is 1900. + +.. cfgcmd:: set service ids ddos-protection direction [in | out] + + Configure direction for processing traffic. + +.. cfgcmd:: set service ids ddos-protection exclude-network +.. cfgcmd:: set service ids ddos-protection exlude-network + + Specify IPv4 and/or IPv6 networks which are going to be excluded. + +.. cfgcmd:: set service ids ddos-protection listen-interface + + Configure listen interface for mirroring traffic. + +.. cfgcmd:: set service ids ddos-protection mode [mirror | sflow] + + Configure traffic capture mode. + +.. cfgcmd:: set service ids ddos-protection network +.. cfgcmd:: set service ids ddos-protection network + + Specify IPv4 and/or IPv6 networks that should be protected/monitored. + +.. cfgcmd:: set service ids ddos-protection sflow listen-address + + Configure local IPv4 address to listen for sflow. + +.. cfgcmd:: set service ids ddos-protection sflow port <1-65535> + + Configure port number to be used for sflow conection. Default port is 6343. + +.. cfgcmd:: set service ids ddos-protection threshold general + [fps | mbps | pps] <0-4294967294> + + Configure general threshold parameters. + +.. cfgcmd:: set service ids ddos-protection threshold icmp + [fps | mbps | pps] <0-4294967294> + + Configure ICMP threshold parameters. + +.. cfgcmd:: set service ids ddos-protection threshold tcp + [fps | mbps | pps] <0-4294967294> + + Configure TCP threshold parameters + +.. cfgcmd:: set service ids ddos-protection threshold udp + [fps | mbps | pps] <0-4294967294> + + Configure UDP threshold parameters + +Example +======= + +A configuration example can be found in this section. +In this simplified scenario, main things to be considered are: + + * Network to be protected: 192.0.2.0/24 (public IPs use by + customers) + + * **ban-time** and **threshold**: these values are kept very low in order + to easily identify and generate and attack. + + * Direction: **in** and **out**. Protect public network from external + attacks, and identify internal attacks towards internet. + + * Interface **eth0** used to connect to upstream. + +Since we are analyzing attacks to and from our internal network, two types +of attacks can be identified, and differents actions are needed: + + * External attack: an attack from the internet towards an internal IP + is identify. In this case, all connections towards such IP will be + blocked + + * Internal attack: an attack from the internal network (generated by a + customer) towards the internet is identify. In this case, all connections + from this particular IP/Customer will be blocked. + + +So, firewall configuration needed for this setup: + +.. code-block:: none + + set firewall group address-group FNMS-DST-Block + set firewall group address-group FNMS-SRC-Block + + set firewall ipv4 forward filter rule 10 action 'drop' + set firewall ipv4 forward filter rule 10 description 'FNMS - block destination' + set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block' + + set firewall ipv4 forward filter rule 20 action 'drop' + set firewall ipv4 forward filter rule 20 description 'FNMS - Block source' + set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block' + +Then, FastNetMon configuration: + +.. code-block:: none + + set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh' + set service ids ddos-protection ban-time '10' + set service ids ddos-protection direction 'in' + set service ids ddos-protection direction 'out' + set service ids ddos-protection listen-interface 'eth0' + set service ids ddos-protection mode 'mirror' + set service ids ddos-protection network '192.0.2.0/24' + set service ids ddos-protection threshold general pps '100' + +And content of the script: + +.. code-block:: none + + #!/bin/bash + + # alert-script is called twice. + # When an attack occurs, the program calls a bash script twice: + # 1st time when threshold exceed + # 2nd when we collect 100 packets for detailed audit of what happened. + + # Do nothing if “attack_details” is passed as an argument + if [ "${4}" == "attack_details" ]; then + # Do nothing + exit + fi + # Arguments: + ip=$1 + direction=$2 + pps_rate=$3 + action=$4 + + logger -t FNMS "** Start - Running alert script **" + + if [ "${direction}" == "incoming" ] ; then + group="FNMS-DST-Block" + origin="external" + else + group="FNMS-SRC-Block" + origin="internal" + fi + + if [ "${action}" == "ban" ] ; then + logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address." + logger -t FNMS "Adding IP address ${ip} to firewall group ${group}." + sudo nft add element ip vyos_filter A_${group} { ${ip} } + else + logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}." + sudo nft delete element ip vyos_filter A_${group} { ${ip} } + fi + logger -t FNMS "** End - Running alert script **" + exit diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst index 1195348f..56ce55eb 100644 --- a/docs/configuration/service/index.rst +++ b/docs/configuration/service/index.rst @@ -13,7 +13,9 @@ Service dhcp-relay dhcp-server dns + eventhandler https + ids ipoe-server lldp mdns @@ -26,4 +28,4 @@ Service ssh tftp-server webproxy - eventhandler + -- cgit v1.2.3 From ce0b62678f791a18dcc58defc209fbe71b868fca Mon Sep 17 00:00:00 2001 From: khramshinr Date: Tue, 30 Jan 2024 21:02:23 +0700 Subject: dns forwarding: T5687: Implement ECS settings for PowerDNS recursor --- docs/configuration/service/dns.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index 7624d309..e430dc73 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -156,6 +156,20 @@ avoid being tracked by the provider of your upstream DNS server. recursor does not like, it is throttled. Any servers matching the supplied netmasks will never be throttled. +.. cfgcmd:: set service dns forwarding options ecs-add-for
+ + The requestor netmask for which the requestor IP Address should be used as the + EDNS Client Subnet for outgoing queries. + +.. cfgcmd:: set service dns forwarding options ecs-ipv4-bits + + Number of bits of client IPv4 address to pass when sending EDNS Client Subnet + address information. + +.. cfgcmd:: set service dns forwarding options edns-subnet-allow-list + + The netmask or domain that EDNS Client Subnet should be enabled for in outgoing queries. + Example ======= -- cgit v1.2.3 From f4ca88a7b02865f6a7edb7cc73d526d78da6456e Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Fri, 23 Feb 2024 15:27:44 +0200 Subject: Rewritten the PPPoE server documentation Fully rewritten PPPoE server documentation. --- docs/configuration/service/pppoe-server.rst | 534 ++++++++++++++++++++-------- 1 file changed, 393 insertions(+), 141 deletions(-) (limited to 'docs/configuration/service') diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index 56fcb968..04113666 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -13,13 +13,20 @@ be used with local authentication or a connected RADIUS server. changes/commits will restart the ppp daemon and will reset existing PPPoE connections from connected users, in order to become effective. -Configuration -============= +************************ +Configuring PPPoE Server +************************ +.. code-block:: none -First steps ------------ - + set service pppoe-server access-concentrator PPPoE-Server + set service pppoe-server authentication mode local + set service pppoe-server authentication local-users username test password 'test' + set service pppoe-server client-ip-pool PPPOE-POOL range 192.168.255.2-192.168.255.254 + set service pppoe-server default-pool 'PPPOE-POOL' + set service pppoe-server outside-address 192.0.2.2 + set service pppoe-server gateway-address 192.168.255.1 + set service pppoe-server interface eth0 .. cfgcmd:: set service pppoe-server access-concentrator @@ -28,14 +35,30 @@ First steps .. cfgcmd:: set service pppoe-server authentication mode - Use this command to define whether your PPPoE clients will locally - authenticate in your VyOS system or in RADIUS server. + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled. .. cfgcmd:: set service pppoe-server authentication local-users username password - Use this command to configure the username and the password of a - locally configured user. + Create `` for local authentication on this system. The users password + will be set to ``. + +.. cfgcmd:: set service pppoe-server client-ip-pool range + + Use this command to define the first IP address of a pool of + addresses to be given to pppoe clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set service pppoe-server default-pool + + Use this command to define default address pool name. .. cfgcmd:: set service pppoe-server interface @@ -44,124 +67,170 @@ First steps .. cfgcmd:: set service pppoe-server gateway-address
- Use this command to configure the local gateway IP address. + Specifies single `` IP address to be used as local address of PPP + interfaces. -.. cfgcmd:: set service pppoe-server name-server
- Use this command to set the IPv4 or IPv6 address of every Doman Name - Server you want to configure. They will be propagated to PPPoE - clients. +********************************* +Configuring RADIUS authentication +********************************* +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. -Client Address Pools --------------------- +.. code-block:: none -To automatically assign the client an IP address as tunnel endpoint, a -client IP pool is needed. The source can be either RADIUS or a -named pool. There is possibility to create multiple named pools. -Each named pool can include only one address range. To use multiple -address ranges configure ``next-pool`` option. + set service pppoe-server authentication mode radius +.. cfgcmd:: set service pppoe-server authentication radius server key -**Client IP address via IP range definition** + Configure RADIUS `` and its required shared `` for + communicating with the RADIUS server. -.. cfgcmd:: set service pppoe-server client-ip-pool range +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: - Use this command to define the IP address range to be given - to PPPoE clients. If notation ``x.x.x.x-x.x.x.x``, - it must be within a /24 subnet. If notation ``x.x.x.x/x`` is - used there is possibility to set host/netmask. +.. code-block:: none -.. cfgcmd:: set service pppoe-server client-ip-pool next-pool + set service pppoe-server authentication radius server 10.0.0.1 key 'foo' + set service pppoe-server authentication radius server 10.0.0.2 key 'foo' - Use this command to define the next address pool name. +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -.. cfgcmd:: set service pppoe-server default-pool +RADIUS source address +===================== - Use this command to define default address pool name. +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -.. code-block:: none +.. cfgcmd:: set service pppoe-server authentication radius source-address
- set service pppoe-server client-ip-pool IP-POOL next-pool 'IP-POOL2' - set service pppoe-server client-ip-pool IP-POOL range '10.0.10.5/24' - set service pppoe-server client-ip-pool IP-POOL2 range '10.0.0.10-10.0.0.12' - set service pppoe-server default-pool 'IP-POOL' + Source IPv4 address used in all RADIUS server queires. +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. -**RADIUS based IP pools (Framed-IP-Address)** +RADIUS advanced options +======================= -To use a radius server, you need to switch to authentication mode RADIUS -and then configure it. +.. cfgcmd:: set service pppoe-server authentication radius server port -.. cfgcmd:: set service pppoe-server authentication radius server
- key + Configure RADIUS `` and its required port for authentication requests. - Use this command to configure the IP address and the shared secret - key of your RADIUS server. You can have multiple RADIUS servers - configured if you wish to achieve redundancy. +.. cfgcmd:: set service pppoe-server authentication radius server fail-time